SOX 404 Explained: What You Need to Know

Why are executives often confused and challenged by the complexities of SOX compliance? Why is the development of an internal control framework a difficult and arduous task for privately held businesses planning an initial public offering (IPO)? 

This article simplifies the SOX 404 compliance requirements, examines the challenges companies face when implementing an internal control framework, and looks at cost-effective solutions to become SOX 404 compliant.

What Is Sarbanes-Oxley Act (SOX) Section 404?

In 2002 Congress enacted the Sarbanes-Oxley Act (SOX) into federal law to improve the financial reporting of Securities and Exchange Commission (SEC) issuers. This was in response to the numerous accounting scandals of the early 2000s, including Enron and WorldCom. An organization qualifies as an SEC issuer if it has securities registered under Section 12 of the Securities Exchange Act of 1934 or is required to file reports under Section 15(d) of the 1934 Act. All public companies are SEC issuers.

The SOX Act includes various sections, such as Section 302, Section 404, and Section 906. This article focuses primarily on Section 404; however, it is important to highlight that Sections 302 and 906 require the CEO and CFO to personally certify their company’s quarterly, annual, and other periodic reports, including statements about the performance of the company’s internal controls.

Section 404 of SOX consists of subsections (a), (b), and (c). Its primary purpose is to require management to assess the effectiveness of the company’s internal control over financial reporting (ICFR), and thereby improve the accuracy of the company’s financial reporting. Let’s discuss the details of each subsection.

Section 404(a)

All public issuers are subject to this provision. There are no exemptions. This section requires management to evaluate the design and operating effectiveness of the company’s internal control over financial reporting. The company’s internal controls must be documented and evaluated annually. The results of management’s annual assessment of internal controls are then reported in the company’s Form 10-K.

Section 404(b)

Section 404(b) requires public issuers to engage an external auditor to attest to, and report on, management’s assessment of its internal controls. Remember that Section 404(a) mandates that management perform an internal assessment, while Section 404(b) requires an independent auditor to evaluate whether management’s assessment of the company’s internal controls is accurate. The auditor’s opinion on the company’s internal controls is reported in the audit report section of the Form 10-K. The Public Company Accounting Oversight Board (PCAOB) establishes the standards that independent auditors must comply with in reporting on a company’s internal controls. The AICPA provides additional information and background on this section.

Section 404(c)

Certain organizations are exempt from Section 404(b). Specifically, organizations that are neither an accelerated filer nor a large accelerated filer are exempt. This group of companies is also referred to as non-accelerated filers. Emerging growth companies (EGCs) are also exempt. To qualify as a non-accelerated filer, an organization must have less than $75 million in public float, that is, the market value of its shares held by non-affiliates. The SEC grants EGC status to a company for up to five years after its IPO, provided it does not exceed certain thresholds. The current EGC thresholds are:

  • Annual gross revenue of less than $1.235 billion in the most recently completed fiscal year.
  • Less than $1 billion of non-convertible debt issued over the prior three-year period.

Key Point: EGC thresholds are revised periodically, and it is important to check the current thresholds before assuming a company qualifies as an EGC.

Below is a simplified roadmap to understanding whether a company must adhere to SOX 404, and if so, which subsections of SOX 404 apply.

SOX 404: Who Needs to Comply? (roadmap figure)

Challenges of SOX 404 Compliance

Having now reviewed the requirements of Section 404, let us explore why compliance with SOX 404 and developing an internal control environment may be challenging. The costs and added resources needed to make a company SOX 404-ready can be overwhelming. Subject matter experts on internal controls are needed to assist with the documentation, implementation, and monitoring of an internal control framework. The added employee costs, contractor costs, or fees to engage a public accounting firm can add up quickly.

In addition to the costs, developing a SOX 404-compliant internal control framework takes a considerable amount of time. The following four steps should be completed before an organization considers itself in compliance with SOX 404(a), or prepared for an external auditor’s review:

  • identification
  • design and documentation
  • implementation
  • monitoring

Identification

A company should identify all key processes that impact its financial reporting, perform a risk assessment of each process, and develop a risk matrix detailing the list of internal controls included in each process. Processes such as revenue, procurement, related-party transactions, financial reporting, etc. should all have separate control matrices.

Key Point: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has developed a framework to help organizations identify key processes and build an internal control environment. COSO is jointly sponsored by five professional associations, including the AICPA, and the SEC recognizes the COSO framework as a suitable basis for management’s ICFR assessment.

Design and Documentation

After identifying the necessary internal controls, each must be designed and documented. Details such as who performs the control, how often it is performed, what documentation is reviewed during its performance, and the precision of the control (i.e., the monetary threshold that triggers a review) need to be determined and documented. Precision is a critical, but often overlooked, component of financial controls that determines whether they function efficiently and effectively. If the precision threshold is set too low, the control is not efficient: staff spend time chasing immaterial differences. If the precision threshold is set too high, the control is not effective: it cannot detect a misstatement that is material to the financial statements.

Take the following example:

  • Company A and Company B both set a $500,000 variance threshold on an account reconciliation (i.e., only variances above this amount will be investigated).
  • Company A consistently generates net revenues above $3 billion annually; Company B consistently generates $25 million annually in net revenue.
  • When the control is performed for the most recent fiscal year, the account reconciliation shows a $280,000 variance for both companies. Neither company investigates the variance because the control only requires an investigation and re-reconciliation of the account if the variance exceeds $500,000.
  • Company A’s external auditors do not consider the $280,000 variance to be material to the company’s financial statements, and they conclude the control is designed appropriately and is operating effectively.
  • Company B’s external auditors have set their audit materiality at $100,000. Although the control was performed exactly as designed, its $500,000 threshold allows a variance well above materiality to go uninvestigated, so an unremediated material misstatement remains in the financial statements. The auditors therefore conclude that the control is not designed with sufficient precision, report a material weakness in the internal control framework, and document it in their audit findings.

While this is a very oversimplified example, it illustrates why setting the correct precision is critical. Another common mistake is setting a $1 variance threshold for all financial controls. This usually happens because management does not have the time to determine the correct precision for each control listed in the risk matrix. While a $1 threshold will always be below materiality, many employees will not bother to investigate a $2 variance because they know it is clearly immaterial. However, if that $2 variance is not remediated, the control was not performed as designed, and an independent auditor could consider this a control failure.

To recap, each control needs to be individually designed to determine who is performing the control, how often the control is performed, how the control is documented to provide evidence it was performed, and a level of precision that is logical. Internal controls are tailored to each company and for each specific control. Management needs to consider how the failure of each individual control could impact their financial reporting to design a control framework.

Implementation

After controls are identified in the risk matrix and documented, the company must implement them. This will require added time from employees because they are not only performing the control, but they also need to properly document the control to retain evidence the control was performed. Companies need to consider the added people costs as the workload will increase after the internal control framework is implemented.

Monitoring

The internal control framework must be continuously reviewed and updated. As an organization grows, management review controls will be added, and the precision of controls will change. Additionally, new processes will become material and require new controls and more documentation. Also, an internal audit function may be needed to assess the effectiveness of internal controls, perform control testing, ensure control activities are performed properly, and manage the remediation of control deficiencies.

Key Point: Management must be cautious and take the 404(a) requirements seriously or face the possibility of criminal penalties. Just because a company is exempt from 404(b) and an external auditor is not assessing the performance of their internal controls, does not mean the company can issue a boilerplate report in their Form 10-K. This would misrepresent management’s compliance with section 404(a), would be considered a violation of federal securities law, and constitutes securities fraud.


How Does SOX 404 Impact Financial Reporting Processes?

Implementing an internal control framework will dramatically improve a company’s financial reporting. It will identify weaknesses in the financial reporting process, reduce the chance of a material error going undetected, and give investors additional confidence that the financial statements are free from material errors. Added benefits include:

  • More thoroughly defined employee roles and responsibilities, which improves work performance and reduces employee turnover.
  • Better understanding of business operations among both management and employees.
  • Creation of an independent audit committee to oversee financial reporting and control activities.
  • Fewer audit adjustments proposed by external auditors.
  • Reduced risk of fraudulent related-party transactions.
  • Improved corporate governance and reduced corporate fraud.
  • Reduced fraud, waste, and abuse across a company’s operations.
  • Additional transparency to the board of directors regarding financial reporting.
  • Stronger IT general controls (such as access management and change management) over the systems that feed financial reporting, which improves data integrity and reduces the organization’s exposure to cyber and ransomware attacks.
  • Standardized accounting and finance procedures across multinational organizations, such as customer invoicing.
  • Reduced human error through the automation of internal controls.

Automating SOX 404 Compliance With AuditBoard

As discussed earlier, implementing an internal control framework is a time-consuming and expensive process. However, there are software platforms such as AuditBoard’s SOX management software that can help reduce the time and costs of implementation, documentation, and monitoring. Automated platforms can aid in building and scaling an organization’s internal controls framework and remove many of the challenges associated with SOX 404 compliance. By getting the right technology in place, your organization will be well equipped to tackle SOX and other internal control compliance with ease and precision.

Frequently Asked Questions About SOX 404

What is the Sarbanes-Oxley Act (SOX) Section 404?

Section 404 of SOX consists of subsections (a), (b), and (c). Its primary purpose is to require management to assess the effectiveness of the company’s internal control over financial reporting, and thereby improve the accuracy of the company’s financial reporting.

How does SOX 404 impact financial reporting processes?

Implementing an internal control framework will dramatically improve a company’s financial reporting. It will identify weaknesses in the financial reporting process, reduce the chance of a material error going undetected, and give investors additional confidence that the financial statements are free from material errors.

Cannon Nikzad, CPA, is an Account Executive at AuditBoard. Prior to joining AuditBoard, Cannon spent 10 years at EY, serving in their Los Angeles and London offices where he led audit teams conducting integrated audits of U.S. public companies.