Authority to Prohibit Officers and Directors

SOX Section 1105 gives the SEC authority to bar individuals who violated securities laws from serving as an officer or director of a public company. To operationalize it, you need a repeatable screening and governance process that identifies disqualifying SEC orders, blocks appointments or continued service, triggers escalation to Legal/Board committees, and preserves evidence for auditors and disclosure support. (Public Law 107-204)

Key takeaways:

  • SOX 1105 is not a “program” requirement; it is an eligibility risk you must control through hiring, onboarding, and governance gates. (Public Law 107-204)
  • Your control objective: prevent barred individuals from serving, and detect promptly if an existing leader becomes barred. (Public Law 107-204)
  • Evidence matters: keep role-based screening results, attestations, escalation records, and board actions tied to officer/director rosters.

“Authority to Prohibit Officers and Directors” is a statutory power, but it drives a concrete operational requirement for public companies and their compliance leaders: you must prevent an SEC-barred individual from serving as an officer or director, and you must be able to prove you took reasonable steps to do so. This intersects with corporate governance, HR, Legal, Securities compliance, and Board operations.

Most failures here are basic execution gaps, not legal misinterpretations: incomplete population scoping (missing certain “officers”), checks that happen only at hire but not ongoing, unclear ownership between HR and Legal, or no documented escalation path when screening returns a potential match. If your organization uses third parties for executive search, background checks, or board administration, the risk extends to those processes as well.

This page translates SOX Section 1105 into requirement-level steps you can implement fast: define who is in scope, embed screening into appointment workflows, set ongoing monitoring expectations, align Board/committee governance, and retain audit-ready artifacts. The goal is practical: make it hard for a barred person to get in, and fast to act if someone becomes barred. (Public Law 107-204)

Regulatory text

Excerpt (SOX Section 1105): “The Commission may issue an order prohibiting any person who violated securities laws from acting as an officer or director.” (Public Law 107-204)

What this means for operators

SOX 1105 authorizes the SEC to issue officer-and-director bars for securities law violations. Your operational obligation is not to predict SEC actions; it is to run governance controls so that:

  • you do not appoint a person who is subject to an SEC order prohibiting officer/director service, and
  • you can detect and respond if a currently serving officer or director becomes subject to such an order. (Public Law 107-204)

Treat this as an eligibility control within your governance, risk, and compliance program. The exam/audit lens is straightforward: show how you prevent disqualified leadership from serving and how you would react if it happens.

Plain-English interpretation of the requirement

If the SEC bars someone from being an officer or director, that person cannot serve in those roles at a public company. Your company should have a documented process that checks for these bars at the time of appointment and periodically after, with a clear escalation path to Legal and the Board. (Public Law 107-204)

Who it applies to

In-scope entities

  • Public companies (issuer context) that appoint or retain officers and directors, because the SEC’s bar pertains to service at public companies. (Public Law 107-204)

In-scope roles (practical scoping)

  • Directors (Board members, including committee members).
  • Officers: at minimum, roles your organization treats as corporate officers for governance and securities purposes. If your company uses “Section 16 officer” designations or an internal officer roster for filings and governance, align the control population to that roster so you can prove completeness.

Operational contexts where this shows up

  • Board nominations and annual director re-elections
  • Executive hiring, promotion into officer roles, interim appointments
  • M&A leadership transitions where officers/directors change
  • Third-party executive search and background screening workflows
  • Periodic governance certifications and D&O questionnaires

What you actually need to do (step-by-step)

Use this as a build checklist. Each step should have an owner and a record.

1) Define the control objective and owner

  • Control objective: prevent and detect officer/director service that is prohibited by SEC order under SOX 1105. (Public Law 107-204)
  • Typical owner: Corporate Secretary or Legal (primary), with HR and Compliance as workflow partners.

Write this into a short control statement in your governance control library (even if you do not call it “SOX control,” it often supports SOX/scoping narratives).

2) Lock down the population (your “who” list)

Create and maintain two authoritative lists:

  • Director roster: current directors, nominees, committee assignments, term dates.
  • Officer roster: corporate officers (and any additional officer designation used for governance/filing).

Operational tip: tie the roster to a system of record (board portal, HRIS, or Legal entity management tool). If the roster lives in email, auditors will treat it as unstable.

3) Build a screening gate for new appointments

Before a person becomes an officer or director (including interim appointments), require:

  • Identity data collection: legal name, aliases, date of birth (as allowed), jurisdictional info needed for accurate matching.
  • Screening check: search for SEC orders that bar officer/director service (the “disqualifying event” aligned to SOX 1105 authority). (Public Law 107-204)
  • Candidate attestation: “I am not subject to an SEC order prohibiting service as an officer or director of a public company,” plus a duty-to-update clause.

If you use a third party for background checks, define in the statement of work that the check must cover SEC officer/director bars and provide a report you can retain.

4) Add ongoing monitoring for sitting officers/directors

Appointments are not enough. Add an ongoing control that detects changes:

  • Periodic re-screening of the rosters on a set cadence determined by your risk appetite and governance calendar.
  • Event-driven re-screening when you learn of an investigation, enforcement development, or material allegation involving a sitting officer/director, coordinated with Legal.

Avoid overpromising. Commit to what you can execute and evidence consistently.

5) Define match handling and escalation (make it operational)

Document a short playbook for a potential match:

  • Triage: confirm identity match vs false positive (name-only matches are common).
  • Escalation: route to Legal and the Corporate Secretary for determination.
  • Containment: pause appointment/vote pending resolution; restrict effective date until cleared.
  • Board/committee notification: if confirmed, engage the right forum (often Nominating & Governance Committee and/or the full Board) for action steps, consistent with bylaws and governance documents.

Your documentation should show who decides, who is informed, and how quickly the workflow moves once a credible match appears.

6) Decide and act (and document the decision)

If an SEC bar is confirmed:

  • Do not appoint the individual to an officer/director role.
  • If already serving, coordinate with Legal/Corporate Secretary on removal/resignation processes and any related disclosure considerations.
  • Preserve the decision record: what was found, who reviewed it, what action was taken, and when. (Public Law 107-204)

7) Map to disclosure and governance touchpoints

Even though SOX 1105 is an authority provision, the operational response often triggers:

  • Board minutes and resolutions
  • D&O questionnaires and annual certifications
  • Executive onboarding packets
  • Communications plans (internal need-to-know)

Keep these aligned so your story is consistent across governance, HR, and SEC reporting support.

8) Run it as a workflow (where Daydream fits)

If you manage this in spreadsheets and email, evidence retrieval becomes the pain point. Daydream can centralize:

  • officer/director rosters (system of record or integrated source),
  • screening tasks and approvals,
  • evidence attachments (reports, attestations, minutes),
  • exception management and escalation logs.

The goal is simple: any time an auditor asks “show me you screened every officer and director,” you can produce the population, the checks, and the outcomes without reconstructing history.

Required evidence and artifacts to retain

Keep artifacts that prove population completeness, screening performance, and governance response:

Population and governance artifacts

  • Current officer roster and director roster (dated, with change history if possible)
  • Role definitions or governance documents showing who is treated as an “officer” internally
  • Board/committee calendars and nomination/appointment workflow documentation

Screening and eligibility artifacts

  • Screening policy/procedure describing what you check and when (aligned to SEC bar risk under SOX 1105) (Public Law 107-204)
  • Screening results/reports (or third-party reports) for each in-scope person
  • Candidate/officer/director attestations and duty-to-update language
  • Evidence of periodic re-screening execution (run logs, task completion records)

Exception and escalation artifacts

  • Triage notes for potential matches
  • Legal determinations or memos (as appropriate)
  • Board/committee minutes or resolutions documenting decisions (where applicable)
  • Corrective actions taken and closure evidence

Common exam/audit questions and hangups

Auditors and regulators tend to probe these points:

  1. “Who is in scope?”
    They will test whether your officer definition is complete and consistent across governance and reporting.

  2. “Is screening a gate, or just a check?”
    If someone can start serving before the check is complete, the control is weak.

  3. “How do you handle name matches?”
    They will want to see documented triage and sign-off, not informal email judgment.

  4. “Do you re-check existing leadership?”
    A one-time background check does not address later SEC actions. (Public Law 107-204)

  5. “Show me evidence for the full population.”
    Sampling often expands if they find population gaps or missing records.

Frequent implementation mistakes (and how to avoid them)

  • Mistake: No authoritative officer roster
    Why it fails in practice: You cannot prove completeness
    Fix: Establish a controlled roster owned by Corporate Secretary/Legal

  • Mistake: Screening happens after the person starts
    Why it fails in practice: You can temporarily place a barred person in role
    Fix: Make screening a hard gate before the effective date

  • Mistake: Overreliance on self-attestation
    Why it fails in practice: Attestations do not detect undisclosed enforcement actions
    Fix: Combine attestation with independent screening

  • Mistake: No documented match triage
    Why it fails in practice: False positives lead to inconsistent decisions
    Fix: Write a triage SOP and require Legal sign-off

  • Mistake: Third-party search firm “handles it” with no evidence
    Why it fails in practice: You still own the outcome
    Fix: Contract for reports and retain them in your GRC system

Enforcement context and risk implications

SOX 1105 increases the SEC’s administrative ability to bar unfit individuals from public company leadership. The operational risk for your organization is governance failure: appointing or retaining someone subject to such an order can trigger rapid Board action, disclosure work, reputational damage, and internal control scrutiny. Anchor your program on prevention and fast detection, because remediation after appointment is messy and highly visible. (Public Law 107-204)

Practical 30/60/90-day execution plan

First 30 days (stabilize scope and ownership)

  • Assign an accountable owner (Legal/Corporate Secretary) and document the control objective. (Public Law 107-204)
  • Establish the authoritative officer and director rosters; reconcile discrepancies across HR, Legal, and SEC reporting support.
  • Draft a one-page procedure: pre-appointment screening gate, attestation requirement, and escalation path.

Next 60 days (embed into workflows)

  • Integrate the screening gate into: director nomination workflow, executive offer/promotion workflow, and interim appointment workflow.
  • Stand up a match triage process with clear Legal sign-off.
  • Implement evidence retention in a controlled repository (GRC tool or secured governance folder with access control).

By 90 days (operationalize ongoing monitoring)

  • Launch periodic re-screening for the full population and document completion.
  • Add event-driven triggers (investigation/enforcement awareness) and define who can invoke them.
  • Run a tabletop exercise: “Confirmed SEC officer/director bar for a sitting officer.” Capture lessons learned and update the playbook.

Frequently Asked Questions

Does SOX 1105 require us to run a specific type of background check?

SOX 1105 provides SEC authority to issue officer/director bars; it does not prescribe a specific screening method. Your control should reliably identify SEC orders that prohibit service and block appointments or continued service. (Public Law 107-204)

Who should own this control: HR, Legal, Compliance, or the Corporate Secretary?

Legal or the Corporate Secretary typically owns it because it affects corporate governance and Board processes. HR and Compliance usually run workflow steps (data collection, task management, evidence retention) under Legal’s decision authority.

Are directors and officers both in scope?

Yes. The SEC authority referenced in SOX 1105 applies to prohibiting a person from acting as an officer or director, so your process should cover both populations. (Public Law 107-204)

If we use a third party for executive search or background screening, can we outsource the requirement?

You can outsource activities, but not accountability. Contract for the specific check coverage you need, require deliverable reports, and retain evidence that the checks were completed for every in-scope person.

What do we do if we get a possible match with limited information?

Pause the appointment or re-election step until triage is complete. Use a documented process to confirm identity (aliases, date of birth where permitted, other identifiers) and require Legal sign-off on the determination.

How should we document ongoing monitoring without overcommitting?

Document what you can execute consistently: a defined cadence for re-screening and a clear event-driven trigger for ad hoc checks. Evidence of consistent execution matters more than an aggressive schedule you cannot sustain.
