What Are the SOX Section 404 Requirements?
Learn about the SOX 404 compliance process, detailing the distinct roles of management and auditors in validating internal controls over financial reporting.
The Sarbanes-Oxley Act (SOX) emerged in 2002 as a legislative response to corporate accounting scandals that had eroded investor trust. The U.S. Congress established stricter standards for corporate governance and financial reporting for publicly traded companies to enhance the accuracy and reliability of corporate financial disclosures. Section 404 is a provision that mandates how public companies must report on the effectiveness of their internal controls. This rule requires companies to establish, maintain, and annually assess an adequate internal control structure for their financial reporting processes, with the goal of increasing transparency and accountability in financial practices.
Section 404(a) of the Sarbanes-Oxley Act places direct responsibility on a company’s management to assess the effectiveness of its internal controls over financial reporting (ICFR). ICFR is a set of processes designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements. These controls aim to prevent or detect errors and fraud in a company’s financial records.
The assessment process involves a top-down, risk-based approach where management identifies financial reporting risks and the controls in place to mitigate them. Management must document the design of these controls and then test them to ensure they are operating effectively throughout the year.
During the evaluation, any identified issues with internal controls are categorized based on their severity. A “control deficiency” exists if the design or operation of a control does not allow for the timely prevention or detection of misstatements. A “significant deficiency” is a control deficiency that is less severe than a material weakness yet important enough to merit attention by those responsible for oversight.
The most serious classification is a “material weakness,” which is a deficiency in ICFR such that there is a reasonable possibility that a material misstatement of the company’s financial statements will not be prevented or detected on a timely basis. The identification of even one material weakness means management cannot conclude that its ICFR is effective. Management’s annual report on ICFR is included in the company’s annual Form 10-K filing. This report must contain a statement of management’s responsibility for ICFR, identify the framework used for the assessment, and state management’s conclusion on the effectiveness of the company’s ICFR.
For many public companies, Section 404 includes a second layer of assurance through subsection (b), which requires an independent external auditor to attest to management’s assessment of internal controls. This requirement leads to an integrated audit, where the auditor examines both the company’s financial statements and its ICFR in a single process. The auditor’s objective is to form an independent opinion on the effectiveness of the company’s internal controls.
The auditor’s work is separate from management’s assessment and is guided by standards set by the Public Company Accounting Oversight Board (PCAOB). The auditor plans and performs the audit to obtain reasonable assurance about whether the company maintained effective ICFR, which involves the auditor’s own testing of the design and operating effectiveness of controls.
Upon completion of the audit, the external auditor issues a report containing its opinion. An “unqualified” or “clean” opinion indicates that the auditor believes the company’s ICFR is effective. If the auditor identifies one or more material weaknesses, the auditor must issue an “adverse” opinion, stating that the company’s ICFR is not effective. This opinion is included in the audit report section of the company’s annual Form 10-K filing.
To meet the requirements of Section 404, companies rely on established frameworks to design and evaluate their internal controls. The most widely used framework in the United States is the Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The COSO framework is recommended by the PCAOB and provides a structured approach organized around five interconnected components.
To support their assessment and provide evidence for the external audit, management must create and maintain thorough documentation. Process narratives are written descriptions that explain how a particular accounting process works from start to finish. Another common tool is a flowchart, which provides a visual representation of a process, making it easier to understand complex workflows. A Risk and Control Matrix (RCM) is a spreadsheet that formally documents the risks within a process, the controls in place to mitigate those risks, and the testing performed.
The requirements of SOX Section 404 apply to most publicly traded companies in the U.S., including foreign companies listed on U.S. stock exchanges. The specific obligations depend on the company’s filer status as defined by the SEC, which is based on public float—the market value of shares held by non-affiliates.
Large Accelerated Filers, with a public float of $700 million or more, must comply with both Section 404(a) and Section 404(b), meaning they must complete management’s assessment and undergo an external auditor’s attestation. Accelerated Filers, which have a public float between $75 million and $700 million, must also comply with both parts unless their annual revenues are below $100 million. If revenues are below that threshold, they are exempt from the Section 404(b) auditor attestation but must still perform the management assessment.
Non-Accelerated Filers—companies with a public float of less than $75 million—are permanently exempt from the Section 404(b) requirement but must still comply with Section 404(a). Another exemption is provided to Emerging Growth Companies (EGCs) under the Jumpstart Our Business Startups Act. An EGC, a company with total annual gross revenues of less than $1.235 billion, is exempt from the Section 404(b) auditor attestation requirement for up to five years after its initial public offering.