What Is the SEC's Three-Year Review Cycle? Section 408 Explained
Every public company in the United States has its homework checked by the SEC at least once every three years, whether it wants the visit or not. The mandate sits in Section 408 of the Sarbanes-Oxley Act of 2002, a response to the Enron and WorldCom failures that made Congress stop trusting disclosure to audit alone. The Division of Corporation Finance runs the program, and "some level of review" is the statutory floor, not the ceiling.
The practical consequence is boring until it isn't. A company can go years without hearing from the staff, then receive a comment letter on its 10-K that forces a restated risk factor, a rewritten MD&A section, or a footnote that rewires how investors read the financials. That letter becomes public roughly 20 business days after the review closes.
The Statutory Floor
Where the Three-Year Rule Comes From
Section 408 of Sarbanes-Oxley directs the SEC to conduct "regular and systematic" reviews of disclosures filed by issuers under Section 13(a) of the Securities Exchange Act of 1934. The minimum cadence written into the statute is once every three years. Congress did not pick three years by accident. It wanted a floor low enough to catch recurring bad actors and high enough to be feasible across thousands of reporting companies.
The Division of Corporation Finance is the unit that carries this out. It is organized into roughly a dozen industry-specific offices staffed by accountants and attorneys who specialize in the accounting quirks of their assigned sectors. An oil and gas reviewer reads reserve disclosures for a living. A software reviewer lives inside ASC 606.
What "Review" Actually Means
"Review" is a flexible word here. The statute does not require a full audit, a restatement, or even a comment letter. It requires "some level of review," and in practice that can be as light as a preliminary screening where staff decides nothing further is needed. If nothing looks off, the review ends quietly and the company never learns it happened.
That is the part most people miss. A clean three-year review can be invisible.
How Companies Get Picked
The Six Factors in Section 408(b)
Section 408(b) lists six factors the SEC must consider when scheduling reviews:
Issuers that have issued material restatements of financial results
Issuers that experience significant stock price volatility compared to other issuers
Issuers with the largest market capitalization
Emerging companies with disparities in price-to-earnings ratios
Issuers whose operations significantly affect any material sector of the economy
Any other factors the Commission considers relevant
Read the list carefully and you can see the ghosts of 2001 and 2002 in it. Restatements, volatility, and sector impact are all Enron-era tells. Factor six is the catch-all that lets the staff respond to new risks without waiting for Congress to rewrite the statute.
Why Some Companies Get Reviewed More Often
The three-year rule is the minimum. Large accelerated filers, companies with recent restatements, and issuers in hot-button sectors tend to draw attention far more frequently. The Division does not publish its selection criteria, and that is deliberate. If companies knew the exact triggers, they could manage around them, which would defeat the point of a risk-based program.
A first-time IPO filer gets a full review almost by default. A mature, boring, well-behaved registrant with consistent disclosures might get the lightest possible touch at the three-year mark and nothing in between.
What Happens Inside a Review
The Three Scopes of Review
When the staff decides a filing warrants further work, it picks a scope. There are three.
A full cover-to-cover review examines the entire filing for compliance with accounting standards and federal securities disclosure rules. This is common for first-time issuers and for registrants with serious red flags.
A financial statement review focuses on the financials themselves plus related disclosure, most notably MD&A. This is the workhorse scope for seasoned filers.
A targeted issue review looks at one or more specific items, say, revenue recognition under a new contract structure, or cybersecurity disclosure, or segment reporting. Targeted reviews are often driven by a theme the staff is tracking across an industry.
Comment Letters and Responses
If the review surfaces problems, the staff issues a comment letter. The letter asks the company to revise disclosure, add new disclosure, or commit to changes in future filings. Companies typically respond within 10 business days through EDGAR, and extensions are granted when warranted. The back-and-forth can run several rounds before the staff closes the review.
Most comments are not accusations of fraud. They are requests to make something clearer, more consistent, or more useful to an investor reading the document cold.
When Correspondence Becomes Public
The Division makes comment letters and company responses public no earlier than 20 business days after it closes a review of a periodic or current report, or declares a registration statement effective. Investors, short sellers, competitors, and journalists read this correspondence carefully. A well-handled comment exchange barely registers. A messy one can move a stock.
The 2025 Inspector General Audit
In August 2025, the SEC's Office of Inspector General published an audit of the disclosure review program. The report found that Corp Fin had met its statutory three-year requirement for reviewing filers' financial statements. It also found problems with how the Division documented its selections and scoping decisions. Internal guidance had been sitting in draft form since May 2017, and that draft did not address five of the six risk factors listed in Section 408(b).
The IG recommended finalizing the Section 408 guidance in coordination with the Office of the General Counsel, documenting selection rationales more thoroughly, planning for staffing shocks, and considering automation and IT consolidation for the review program.
What It Means for Filers
The takeaway is not that the three-year rule is broken. The statutory floor is being met. The takeaway is that how the SEC chooses whom to review between those three-year touchpoints is about to get more rigorous and better documented. Expect selection criteria to tighten, expect more consistent scoping, and expect the staff to lean harder on risk factors that were previously underweighted.
The three-year cycle is a floor, not a schedule. Treating it like a schedule is how filers get caught flat-footed when a comment letter shows up in year two.