Appearance and Practice Before the Commission
SOX Section 602 requires the SEC to set and enforce minimum professional conduct standards for attorneys, accountants, and other professionals who appear or practice before the Commission. To operationalize it, you need a documented escalation-and-reporting process for SEC-facing work, clear role expectations for internal teams and third parties, and evidence that you supervise, document, and remediate professional conduct issues. (Public Law 107-204)
Key takeaways:
- Treat “appearance and practice before the Commission” as an operational scope trigger for heightened supervision, documentation, and escalation. (Public Law 107-204)
- Build a repeatable workflow for SEC-facing matters: intake, controls, review/approval, issue escalation, and remediation tracking.
- Contractually bind and monitor third parties (outside counsel, auditors, experts) to your standards and reporting expectations when they act in SEC-facing contexts.
“Appearance and practice before the Commission” sounds like a legal ethics rule, but for a CCO or GRC lead it translates into an execution requirement: SEC-facing work must run through tighter governance than routine legal or finance activity. SOX Section 602 authorizes the SEC to issue rules that set minimum standards of professional conduct for attorneys, accountants, and other professionals who appear or practice before the SEC, and it gives the SEC power to censure or deny the privilege of appearing or practicing. (Public Law 107-204)
You cannot “comply with Section 602” by writing a policy alone. You operationalize it by identifying where your organization (and your third parties) engage the SEC, defining who is allowed to do that work, and implementing a documented escalation path when professionals identify misconduct or material issues. This page focuses on practical steps: scoping, controls, evidence, oversight of outside counsel and accounting firms, and exam-ready artifacts. If you already run SOX and disclosure controls, the goal is to connect those controls to the people doing SEC-facing work and prove you supervise that work with rigor and records.
Regulatory text
Statutory excerpt: “The Commission shall issue rules for professional conduct of accountants, attorneys, and professionals appearing before it.” (Public Law 107-204)
Operator interpretation (what this means for you):
- Section 602 is a delegation and enforcement hook: it empowers the SEC to define and police minimum professional conduct for the people who represent issuers or provide professional services in SEC-facing matters. (Public Law 107-204)
- In practice, your compliance obligation is to ensure SEC-facing professional activity is governed, supervised, and documented, and that conduct issues are identified, escalated, and addressed in a controlled way. (Public Law 107-204)
- Your program should also assume the SEC can act directly against professionals (internal or external) by censure or denial of the privilege to appear or practice, which creates operational, reputational, and continuity risk for the issuer if key professionals become unavailable. (Public Law 107-204)
Plain-English requirement: what “appearance and practice before the Commission” means operationally
For a public company, “appearance and practice before the Commission” should be treated as a scope label for activities that touch SEC submissions, representations to SEC staff, or professional work that is intended to influence SEC filings or SEC action. You want a control point that answers two questions:
- Is this matter SEC-facing?
  Examples: drafting or reviewing disclosures; preparing exhibits; responding to SEC comments; preparing certifications, support, or analyses that are incorporated into filings; communications with SEC staff.
- Who is acting in an SEC-facing professional capacity?
  This includes internal legal and finance professionals and third parties such as outside counsel, registered public accounting firms, expert consultants, and specialists who prepare work that is used in SEC-facing contexts.
Your control environment should treat SEC-facing work as heightened-risk professional activity and apply stronger review, documentation, and escalation requirements than business-as-usual.
Who it applies to
Entity scope:
- Public companies (issuers).
- Registered public accounting firms.
Operational scope (how this shows up in a real operating model):
- Legal: securities counsel, disclosure counsel, litigation/regulatory counsel handling SEC inquiries.
- Finance: controller organization, SEC reporting team, technical accounting, FP&A (when their analyses feed disclosures).
- Internal audit and SOX: evidence owners for disclosure controls; investigation support.
- Third parties: outside counsel, registered public accounting firms, valuation firms, expert witnesses, consultants preparing disclosure support, and any other third party producing materials used in SEC interactions.
What you actually need to do (step-by-step)
1) Define “SEC-facing work” and make it a routing rule
- Create a short internal standard (one page is fine) defining SEC-facing work for your business.
- Add a routing requirement: any SEC-facing work must be logged and assigned an internal owner (typically Securities Counsel or Head of SEC Reporting).
- Configure intake channels (email alias, matter management, ticketing, or GRC workflow) so teams do not handle SEC-facing requests ad hoc.
Deliverable: “SEC-Facing Work Definition & Routing Standard” approved by Legal and Compliance.
2) Establish ownership and decision rights
Set clear RACI for:
- Who can communicate with the SEC.
- Who approves submissions or formal positions.
- Who signs off on disclosure language and supporting memos.
- Who manages third-party professionals in SEC-facing matters.
A common pattern:
- Accountable: General Counsel or Chief Legal Officer for SEC communications; CFO for filings; CCO for conduct program governance.
- Responsible: Securities Counsel and Head of SEC Reporting for execution.
- Consulted: Controller, Internal Audit, external auditors, subject matter experts.
- Informed: Audit Committee, CEO, key executives (as needed).
Deliverable: RACI matrix for SEC-facing matters, maintained as part of your disclosure controls documentation.
3) Implement an escalation path for professional conduct and “red flags”
Section 602’s core risk is that professionals see an issue and it never reaches the right decision-makers. Build a written escalation path that is easy to follow under pressure.
Minimum elements:
- What qualifies as a reportable red flag (misstatement risk, missing support, pressure to omit facts, inconsistent records, suspected fraud, obstruction, retaliation).
- Escalation sequence (for example: matter owner → General Counsel/CCO → Disclosure Committee/Audit Committee depending on severity).
- Non-retaliation statement and reporting options for internal staff and third parties.
- Documentation requirements for the concern, the analysis, the decision, and remediation actions.
Deliverable: “SEC-Facing Professional Conduct Escalation Procedure” mapped to your hotline/investigation process.
4) Tighten third-party onboarding and supervision for SEC-facing professionals
Most issuers rely on third parties for SEC-facing work. Your controls should show supervision, not just procurement.
Contract and oversight checklist for SEC-facing third parties:
- Engagement letter includes a requirement to follow applicable professional standards and to notify the company promptly of conduct concerns or material issues affecting SEC-facing work. (Public Law 107-204)
- Independence and conflicts checks documented (especially for accounting and expert services).
- Clear instruction on document retention, workpaper ownership/access, and confidentiality.
- Defined review checkpoints (draft reviews, management representation expectations, escalation triggers).
Deliverable: SEC-facing addendum for engagement letters and a supervision checklist for matter owners.
5) Embed review/approval controls into your disclosure and SEC response workflows
Operational controls that examiners and auditors can understand:
- Pre-filing disclosure review checklist tied to owners (Legal, Finance, IR, relevant business).
- Evidence that key judgments have supporting memos and are reviewed.
- Comment letter response governance: draft, review, approval, and retained correspondence file.
Deliverable: Filing and comment-response playbooks with approval evidence (sign-off logs, committee minutes, version control).
6) Train the right population with role-based expectations
Do not train “everyone” on SEC appearance/practice. Train:
- SEC reporting and technical accounting teams.
- Legal teams handling securities matters.
- Executives who participate in disclosure committee or sign certifications.
- Third parties, via onboarding briefings and engagement kickoffs.
Training content should focus on:
- What counts as SEC-facing work.
- Escalation triggers and where to report.
- Documentation and recordkeeping expectations.
Deliverable: Training materials and attendance records for in-scope roles.
7) Prove it works: test and remediate
Add targeted testing to your compliance monitoring plan:
- Sample an SEC-facing matter and verify intake, approvals, supporting memos, and retention.
- Review one third-party engagement file for required clauses and supervision artifacts.
- Confirm escalations (if any) were documented and closed with remediation steps.
Deliverable: Monitoring test plan, results, and remediation tracker.
Required evidence and artifacts to retain
Use this as your “exam binder” checklist:
- SEC-facing work definition and routing standard.
- RACI matrix and decision-rights documentation.
- Escalation procedure for conduct issues and material concerns. (Public Law 107-204)
- Disclosure committee charter/materials and minutes (as applicable).
- Filing checklists, approval logs, and version history for key disclosures.
- SEC correspondence log (comment letters, responses, meeting notes).
- Third-party engagement letters/addenda, conflicts checks, and supervision checklists.
- Training records for in-scope personnel.
- Monitoring/testing results and remediation evidence.
- Document retention schedule section covering SEC-facing work and supporting documentation.
Common exam/audit questions and hangups
Expect variations of these:
- “Show me how you determine whether work is SEC-facing and who must be involved.”
- “Who is authorized to communicate with the SEC, and where is that documented?”
- “How do attorneys/accountants escalate concerns, and how do you prevent suppression of issues?” (Public Law 107-204)
- “How do you supervise outside counsel and other third parties in SEC-facing matters?”
- “Provide evidence for one filing cycle: drafts, reviews, approvals, and support for key judgments.”
- “How do you retain records for SEC correspondence and supporting analyses?”
Hangups that slow teams down:
- Over-reliance on informal email approvals.
- Third-party workpapers not accessible when needed.
- No single inventory of SEC-facing matters, so you cannot prove consistent governance.
Frequent implementation mistakes (and how to avoid them)
- Mistake: Treating this as a generic Code of Conduct topic.
  Fix: Make “SEC-facing work” a separate governance lane with routing, approvals, and escalation artifacts.
- Mistake: Assuming outside counsel/auditors “own” professional conduct.
  Fix: They have their own obligations, but you need issuer-side supervision and documentation that you managed the engagement and escalated issues appropriately. (Public Law 107-204)
- Mistake: No defined threshold for Audit Committee involvement.
  Fix: Predefine escalation tiers (routine, elevated, critical) and map each to required notifications and approvers.
- Mistake: Weak recordkeeping for SEC communications.
  Fix: Centralize SEC correspondence and preserve drafts and supporting memos under a retention rule that is easy for teams to follow.
Enforcement context and risk implications
Section 602 authorizes the SEC to issue professional conduct rules and to censure or deny the privilege of appearing or practicing before the Commission. (Public Law 107-204) For an issuer, the practical risk is operational: if a key professional (internal or third party) becomes subject to SEC action, you may lose critical capability during filings, responses to inquiries, or transactions. Build redundancy in authorized roles, maintain complete matter files, and treat escalations as a control requirement, not an optional ethics step.
Practical execution plan (30/60/90)
First 30 days (Immediate)
- Appoint owners for SEC-facing governance (Legal + SEC Reporting + Compliance).
- Publish the SEC-facing work definition and routing rule.
- Stand up a central log for SEC-facing matters and SEC communications.
- Draft the escalation procedure and align it to hotline/investigations.
Days 31–60 (Near-term)
- Finalize RACI and implement approval checkpoints for filings and SEC responses.
- Update third-party engagement templates with SEC-facing conduct and notification expectations. (Public Law 107-204)
- Roll out role-based training to in-scope teams; document completion.
- Pilot the process on an active matter or a recent filing cycle.
Days 61–90 (Operationalize)
- Execute monitoring tests on at least one matter file and one third-party engagement file.
- Close gaps: missing approvals, weak retention, unclear escalation notes.
- Package an “evidence binder” set of artifacts so you can respond quickly to auditors or regulators.
- If you use Daydream, map these controls to owners, automate evidence requests for matter files, and track remediation items in one place without chasing email threads.
Frequently Asked Questions
Does SOX Section 602 impose direct obligations on the company, or only on professionals?
The text directs the SEC to issue professional conduct rules for people who appear or practice before it. (Public Law 107-204) As an issuer, you operationalize the requirement by governing and supervising SEC-facing work so conduct issues surface and get addressed with documentation.
Who counts as a “professional appearing before the Commission” in practice?
Treat any internal or third-party professional whose work product is intended for SEC filings, SEC responses, or representations to the SEC as in scope. Keep the definition in your internal routing standard so teams make consistent calls.
How do we control SEC communications without blocking the business?
Set a narrow list of authorized SEC communicators and require all other SEC-facing contacts to route through them. Pair it with a fast intake and review workflow so routine comment letter responses and clarifications do not stall.
What evidence do auditors usually want to see?
They typically ask for proof of governance and repeatability: routing, approvals, escalation records when issues occur, and retention of correspondence and supporting memos. Keep one end-to-end matter file packaged as a reference example.
How should we handle third parties like outside counsel and consultants?
Contractually define expectations for SEC-facing work, add supervision checkpoints, and retain engagement and review artifacts. Your file should show you directed the work, reviewed outputs, and had a path to escalate concerns. (Public Law 107-204)
We already have disclosure controls. Is that enough?
Disclosure controls are the right foundation, but Section 602’s operational gap is often professional conduct escalation and supervision of SEC-facing professionals. Tie disclosure controls to named roles, third-party oversight, and documented escalation steps. (Public Law 107-204)