AuditXYZ

Lesson 2 of 5

SOX Section 302 and 906: Executive Certifications Explained

SOX Section 302 and 906 Certifications

Sections 302 and 906 require the CEO and CFO to personally certify the accuracy of financial reports filed with the SEC. These certifications create personal accountability at the highest level of the organization.

Section 302: Quarterly Certification

Section 302 requires the CEO and CFO to certify in each quarterly (10-Q) and annual (10-K) filing that they have reviewed the report, the report does not contain material misstatements or omissions, the financial statements fairly present the company's financial condition, they are responsible for establishing and maintaining internal controls, they have evaluated the effectiveness of disclosure controls within 90 days, and they have disclosed any significant changes in internal controls.

Section 906: Criminal Certification

Section 906 adds criminal liability. The CEO and CFO must certify that the periodic report fully complies with SEC requirements and that the information fairly presents the company's financial condition and results. Willful false certification under Section 906 carries fines up to $5 million and imprisonment up to 20 years.

Supporting the Certification Process

Executives cannot personally verify every transaction. Organizations implement sub-certification processes where department heads and key managers provide written representations that information within their area of responsibility is accurate and complete. These sub-certifications roll up to support the executive certification.

Disclosure Controls and Procedures

Section 302 specifically requires evaluation of disclosure controls — the processes ensuring that information required in SEC filings is recorded, processed, summarized, and reported within required timeframes. This goes beyond financial controls to include any information material to investors.

Practical Implications

The certification requirement fundamentally changed executive accountability. CEOs and CFOs take SOX certifications seriously because the consequences are personal. Support them by maintaining robust internal controls, implementing sub-certification processes, documenting control activities, and escalating issues promptly.

In the next lesson, we will cover Section 404 internal controls in detail.