Funding
SOX Section 109’s funding requirement means your public company must pay PCAOB accounting support fees that are assessed annually and allocated based on your relative average monthly equity market capitalization. To operationalize it, assign ownership (Finance with CCO oversight), confirm issuer status, implement a repeatable fee notice-to-payment workflow, and retain evidence that the fee was calculated, approved, paid, and reconciled. 1
Key takeaways:
- The obligation applies to issuers; it is an annual fee assessed to fund the PCAOB. 1
- Your core control is a documented, on-time payment process with reconciliation to the general ledger and governance oversight.
- Examiners look for clear ownership, complete documentation, and proof of timely payment tied to the company’s market-cap-based assessment.
SOX Section 109 is not a “policy drafting” requirement. It is a pay-and-prove requirement: the PCAOB is funded through annual accounting support fees assessed on issuers, with each issuer’s portion based on relative average monthly equity market capitalization. 1 For a CCO, GRC lead, or compliance officer, the practical goal is simple: prevent late or missed fees, prevent misrouting or miscoding payments, and be able to evidence the end-to-end process during audit or disclosure controls testing.
Operationalizing this requirement typically sits at the intersection of Finance (AP/Treasury), Legal/Compliance (issuer obligations oversight), and sometimes SEC Reporting (issuer status and corporate actions). The most common breakdowns are mundane: fee notices go to an unattended inbox, the approver is out, payment instructions are not validated, or the fee is booked incorrectly and cannot be tied back to the assessment. This page gives you a requirement-level playbook: who owns what, how to build a lightweight control, which artifacts to retain, and what auditors usually ask.
Regulatory text
SOX Section 109 (Funding): “The Board shall be funded through annual accounting support fees assessed upon issuers based on relative average monthly equity market capitalization.” 1
What this means for operators
- There is an annual fee assessment. You should expect a recurring obligation to pay an accounting support fee. 1
- It applies to issuers (public companies). If your organization is an issuer, you are in scope. 1
- Allocation is market-cap relative. The assessment methodology depends on relative average monthly equity market capitalization, so you should treat the fee notice as a calculated assessment rather than a negotiable invoice. 1
Your operational requirement: establish a controlled process to receive, validate, approve, pay, record, and retain evidence of PCAOB support fee payments consistent with the assessment.
Plain-English interpretation of the funding requirement
If you are a public company, you must pay your share of the PCAOB’s annual funding. Your share is derived from your market capitalization relative to other issuers, measured as a relative average monthly equity market capitalization. 1 Practically, you do not need to build the market-cap model yourself to comply; you do need to (1) ensure the assessment is received by the right team, (2) confirm it is the correct legal entity, and (3) pay it on time with an auditable trail.
Who it applies to (entity and operational context)
In-scope entities
- Public companies (issuers). 1
Typical operational contexts where control ownership gets messy
- Multiple registrants / multiple legal entities under a holding company.
- Recent IPO, spin-off, or de-SPAC transition where issuer status and corporate identifiers change.
- Shared services AP where payments are processed centrally and compliance visibility is limited.
- Outsourced accounting function (third party) that processes AP while Legal/Compliance retains accountability.
What you actually need to do (step-by-step)
Step 1: Assign clear ownership and backup coverage
- Process owner: Controller or AP lead (execution).
- Accountable executive: CFO (payment obligation).
- Oversight: CCO/GRC (compliance assurance and evidence readiness).
- Backup owner: Named individual for periods of absence.
Document this in a simple RACI in your compliance calendar or close calendar.
Step 2: Build an “issuer obligation intake” channel
Set up a controlled intake so PCAOB fee communications do not land in personal inboxes:
- A shared mailbox (Finance/AP + Compliance visibility).
- A ticketing queue (AP service desk or GRC workflow).
- A documented rule: “All PCAOB support fee notices are logged within the business’s obligation register.”
If you use Daydream to track compliance obligations, map “PCAOB accounting support fee” as a recurring obligation with assigned owners, required evidence, and an annual task.
Step 3: Validate the assessment before payment
Create a short validation checklist that must be completed and retained:
- Correct entity: legal name, issuer identity, and remit-from entity match your corporate structure.
- Correct period: assessment year aligns to the notice.
- Payment instructions: verify payee and remittance details using your standard vendor/payee validation process.
- Reasonableness review: confirm the amount is consistent with expectations (for example, large corporate actions or significant market cap changes may drive variance). This is not a recalculation; it is an anomaly check tied to your disclosure controls mindset.
Step 4: Run approvals under an established financial control
Route payment through your standard AP/Treasury approval workflow:
- Require at least one finance approver with authority.
- If your organization uses a payment run, mark this as a controlled, non-discretionary regulatory fee.
- Ensure segregation of duties between requestor and approver consistent with your AP controls.
Step 5: Pay, record, and reconcile
Operationally, “done” means:
- Payment executed (wire/ACH/check per instructions).
- Booked correctly to a dedicated GL account or a clearly labeled regulatory-fee account.
- Reconciled: payment reference ties to the assessment notice and appears on the bank statement and GL detail.
Step 6: Retain evidence in an audit-ready package
Build a single “PCAOB Fee Packet” per cycle (PDF bundle or GRC record) containing the artifacts listed below. Store it in your control repository with retention aligned to your organization’s recordkeeping standards.
Step 7: Monitor exceptions and escalate
Define triggers that require escalation to CFO and CCO:
- Missed intake (notice discovered late).
- Payment failed or returned.
- Entity mismatch (notice addressed to an unexpected subsidiary).
- Large unexplained variance that raises disclosure controls questions.
Required evidence and artifacts to retain
Maintain an audit-ready set of documents that shows the obligation was received, processed, approved, paid, and recorded:
- Fee notice / assessment communication showing the assessed amount and assessed entity.
- Intake log entry (ticket ID, obligation register entry, or compliance calendar task) showing when it was received and who owned it.
- Validation checklist (entity match, period, payee verification, basic reasonableness check).
- Approval evidence (AP workflow approval screenshot/export, sign-off email stored in the record, or payment request approval).
- Proof of payment (bank confirmation, payment reference, remittance advice).
- Accounting evidence (journal entry or AP posting detail; GL account mapping).
- Reconciliation support tying the bank line item to the GL entry and to the fee notice.
- Exception documentation (if applicable): root cause, corrective action, and evidence of completion.
Common exam/audit questions and hangups
Auditors and control testers tend to probe the operational basics:
- “Who owns the PCAOB fee process, and where is it documented?”
- “Show me the last assessment notice and evidence of payment.”
- “How do you ensure the fee notice is received and not missed?”
- “How do you validate the payee and prevent misdirected funds?”
- “How is the payment recorded, and how do you reconcile it?”
- “What happens if the amount is materially different year over year?”
Hangups typically arise when evidence is spread across email, AP tools, and bank portals with no single packet, or when the payment is coded into a generic “other fees” GL line with no linkage to the assessment.
Frequent implementation mistakes and how to avoid them
Mistake 1: Treating it as a “once-a-year invoice” with no control owner
Avoidance: Assign a named owner and backup; put it on the compliance and close calendars.
Mistake 2: No formal intake path
Avoidance: Use a shared mailbox or ticketing queue and require logging upon receipt.
Mistake 3: Weak payee validation
Avoidance: Apply the same payee controls you use for any high-trust payment. Do not rely on forwarded emails as “verification.”
Mistake 4: No reconciliation trail
Avoidance: Require a simple tie-out: notice → payment confirmation → bank statement line → GL entry.
Mistake 5: Evidence lives only in personal email
Avoidance: Store the fee packet in a controlled repository (GRC system, compliance evidence folder with access controls, or Daydream record).
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page does not cite enforcement outcomes. The risk is still concrete: a missed or poorly evidenced statutory fee payment creates audit friction, indicates weak compliance operations, and can trigger broader questions about how the company manages issuer obligations under SOX. 1
Practical 30/60/90-day execution plan
First 30 days (Immediate stabilization)
- Identify the process owner, approver, and backup; document RACI.
- Locate the most recent fee payment evidence and build a sample “fee packet” from what you already have.
- Stand up the intake channel (shared mailbox or ticket queue) and decide where evidence will live.
- Draft the one-page procedure: receive → validate → approve → pay → record → reconcile → retain.
Next 60 days (Control hardening)
- Implement a standard validation checklist and make it mandatory for each cycle.
- Add the fee to your issuer obligation register and close calendar.
- Confirm GL mapping and reconciliation responsibility with Accounting.
- Run a tabletop exercise: “What if the notice goes to the wrong entity?” Document escalation steps.
By 90 days (Audit-ready and repeatable)
- Complete a dry-run audit package: last cycle fee packet plus your procedure and RACI.
- Add exception tracking (late notices, payment failures, entity mismatches) and define who reviews exceptions.
- If you use Daydream, configure the obligation record with required evidence fields and task ownership so next cycle is push-button, not tribal knowledge.
Frequently Asked Questions
Does SOX Section 109 require me to calculate the PCAOB fee myself?
The statute states that fees are assessed on issuers and allocated based on relative average monthly equity market capitalization. 1 Operationally, your compliance need is to control intake, validation, approval, payment, and evidence of the assessed amount.
Who should own this requirement: Compliance or Finance?
Finance should own execution because it is a payment and accounting workflow, while Compliance should oversee it as part of issuer obligations and evidence readiness. The clean split is Finance as process owner and CCO/GRC as second-line assurance.
What evidence is “enough” for an auditor?
Keep a fee packet that ties the assessment notice to approvals, proof of payment, and the GL entry plus reconciliation. If you can show that chain in a single record, most testing becomes straightforward.
How do we handle this if AP is outsourced to a third party?
Treat the outsourcer as a third party performing a regulated operational process. Require SLA-level expectations for intake logging, payment confirmation, and evidence delivery, and keep the final packet in your company’s repository.
Our company has multiple legal entities. Which one pays?
The requirement applies to issuers, so confirm which legal entity is the issuer for the assessment notice and ensure the remit-from entity and accounting entry match that structure. 1 If the notice looks misaddressed, escalate before paying.
Where should this sit in our SOX program?
Place it under issuer compliance obligations with a financial operations control: documented procedure, defined owners, and retained evidence. It often fits naturally alongside disclosure controls and AP payment controls.
Footnotes
1. Public Law 107-204