Section 404 of the Sarbanes-Oxley Act requires an entity's annual report to include a statement that


SOX Section 404: Management Assessment of Internal Controls

Of all the Sarbanes-Oxley Act sections, Section 404 is the most complicated, most contested, and most expensive to implement for compliance. All annual financial reports must include an Internal Control Report stating that management is responsible for an "adequate" internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of company management's assertion that internal accounting controls are in place, operational and effective.

A direct excerpt from the Sarbanes-Oxley Act of 2002 report for section 404:

(a) Rules Required. The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 to contain an internal control report, which shall--
   (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
   (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) Internal Control Evaluation and Reporting. With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.


Implementing SOX 404 Controls

SOX 404 controls can be implemented using a modern ERP software system.

Testing and Auditing SOX 404

For information on testing and auditing SOX section 404 for compliance, see Sarbanes-Oxley Compliance Checklist and Sarbanes-Oxley Auditing Requirements.

Throughout the business world, there remains a constant level of mysticism surrounding the Sarbanes-Oxley Act of 2002 and its accompanying compliance requirements. Since its inception almost two decades ago, new/growing companies have scrambled to determine if they need to be compliant, identified the information needed to meet reporting requirements, and completed preparations before deadlines hit. By asking some basic, important questions, companies can set themselves up for a successful reporting year with minimal complications and limited interruptions to normal business operations.

What is the Sarbanes-Oxley Act of 2002?

Compliance becomes more difficult when you don’t know what you are complying with. The Sarbanes-Oxley Act of 2002 was enacted in response to several major corporate scandals including Enron and WorldCom. The act established the requirements that:

  1. Upper management of public organizations individually certify the accuracy of financial information reported by the entity
  2. Increase the oversight of the entity’s board of directors
  3. Tighten independence requirements of the independent auditors who review the entity’s financial statements
  4. Establish more stringent penalties for fraudulent financial activity[1]

Section 404 establishes the requirement that management and the external auditor report on the design and operating effectiveness of the company’s internal controls over financial reporting. In order to accomplish this, companies have adopted a top-down risk-based approach to evaluate their control environment for a given reporting year. The control environment is evaluated based on the risks mitigated, with emphasis being placed on high-risk process areas determined through materiality assessments of financial statement accounts.

Section 404(a) requires all companies, regardless of filing status, that file an annual report pursuant to Section 13(a) or 15(d) of the Securities and Exchange Act of 1934 (Exchange Act) to include a report on internal controls that states the responsibility of management for establishing and maintaining adequate internal controls and financial reporting procedures, and contains an assessment, as of the end of the most recent fiscal year, of the effectiveness of internal controls and financial reporting procedures.

Section 404(b) specifically requires a public company’s external auditor to attest to management’s assessment of its internal controls. However, not all companies must comply with Section 404(b).

Section 404(c) creates an exemption for small issuers, stating that any company that does not meet the qualifications of an accelerated filer or large accelerated filer does not need to comply with Section 404(b).

Does your company need to comply?

It has long been encouraged that all public entities strive to comply with Section 404(b) of the Sarbanes-Oxley Act of 2002. However, based on their filing status, not all public companies are required to comply. So what are the various statuses a company can hold?

Small Issuer: Public companies with a market capitalization of less than $75 million that do not have to accelerate their periodic reporting deadlines. Small issuers are not required to comply with Section 404(b).

Emerging Growth Company[2]: Newly public companies with total annual gross revenues of less than $1.07 billion[3] during their most recent fiscal year that have not previously sold common equity securities under a registration statement are considered emerging growth companies. Companies remain an emerging growth company for the first five years after their initial public offering (IPO) or until they meet one of the following criteria:

  • Total annual gross revenues are $1.07 billion or greater
  • The company has issued non-convertible debt in the past three years over $1 billion
  • The company is designated as a large accelerated filer

Similar to non-accelerated filers, emerging growth companies are not required to comply with Section 404(b).

Accelerated Filer[4]: Public companies with market capitalization between $75 million and $700 million (as of the last business day of the most recently completed second fiscal quarter), that have filed at least one annual report pursuant to Section 13(a) or Section 15(d) of the Exchange Act, and have been subject to the requirements of Section 13(a) or 15(d) for a period of at least twelve months. Accelerated filers are required to comply with Section 404(b) and must have the external auditor attest to management’s assessment of internal controls.

Large Accelerated Filer: Public companies with a market capitalization greater than $700 million (as of the last business day of the most recently completed second fiscal quarter), that have filed at least one annual report pursuant to Section 13(a) or Section 15(d) of the Exchange Act, and have been subject to the requirements of Section 13(a) or 15(d) for a period of at least twelve months. Large accelerated filers are required to comply with Section 404(b).

Knowing your company’s filing status is the first step towards ensuring SOX compliance. Companies should regularly review their filing status and be thinking about growth and how their status will change in the coming years. Non-accelerated filers and emerging growth companies are able to prepare for status changes and develop and implement strong compliance procedures prior to their external auditors having to attest to the strength of their internal control structure. They also have the time to assess if completing compliance work can be accomplished utilizing in-house staff or utilizing the expertise of outsourced/co-sourced professionals.

Is outsourcing/co-sourcing right for you?

Regardless of filing status, companies must determine how best to perform their annual assessment of internal controls. One of the most prevalent factors on the minds of management is cost. Unfortunately, the cost of compliance can be very high for public companies. Many have reported the cost of completing SOX compliance testing to be upwards of $2 million in a given year. As reporting requirements become more stringent and external auditors increase their scrutiny of supporting documentation and testing procedures, companies can likely expect costs to rise.

Public companies, especially those with limited personnel who may be available and qualified to complete SOX compliance activities, may consider outsourcing or co-sourcing their SOX compliance activities. Over time, these companies can see a lower cost and benefit from the knowledge and resources of experienced professionals that specialize in Section 404 compliance, using established, proven procedures for meeting compliance requirements year over year.

Outsourcing or co-sourcing compliance activities offers many benefits to an organization. Chief among these benefits is an increased level of transparency between the external auditor and management. This openness streamlines the compliance process so that management can remain focused on the day-to-day operations of their company, while at the same time minimizing organizational risk and ensuring full reliance by the external team attesting to the effectiveness of internal controls.

What’s next?

  • Part 2: Sarbanes-Oxley 404(b) Compliance: Determining the Control Environment

If your organization is required to be SOX compliant, and you think that outsourcing or co-sourcing internal control assessment activities may be the right choice, we encourage you to reach out to our team to learn more about the benefits of third-party SOX readiness.

[1] “Sarbanes-Oxley Act of 2002,” Section 404, copyright 2002. Full text of the document available here: https://pcaobus.org/About/History/Documents/PDFs/Sarbanes_Oxley_Act_of_2002.pdf

[2] “Securities Exchange Act of 1934,” Section 3, copyright 1934. Full text of the document available here: http://legcounsel.house.gov/Comps/Securities%20Exchange%20Act%20Of%201934.pdf

[3] As of December 8, 2011, the total annual gross revenues threshold was increased to $1.07 billion. For more information, visit: https://www.sec.gov/smallbusiness/goingpublic/EGC

[4] Title 17 of the Code of Federal Regulations, Chapter II. Securities and Exchange Commission, §240.12b-2. Full text available here: https://www.law.cornell.edu/cfr/text/17/240.12b-2

What is the SOX Section 404 report?

SOX Section 404 (Sarbanes-Oxley Act Section 404) mandates that all publicly-traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness.

What does Section 404 of the Sarbanes

Section 404 of the Sarbanes-Oxley Act requires all public companies to issue a report about the operating effectiveness of internal control over financial reporting.

Which of the following must be included in management's report on internal control under Section 404 of the Sarbanes

Which of the following must be included in management's report on internal control under Section 404 of the Sarbanes-Oxley Act of 2002? A. It is management's responsibility to eliminate or publicly report on significant deficiencies in internal control.

What is the focus of Section 404 of the Sarbanes

What is Section 404(a) of the Sarbanes-Oxley Act? Section 404(a) discusses management's responsibilities with regard to the establishment, maintenance, and assessment of the internal control system, focusing on the "key" controls over the management objective related to the reliability of financial reporting.