While the entire Sarbanes-Oxley Act (SOX) was established to enforce accounting accuracy and corporate responsibility, with 11 different titles covering various requirements, the most complex and costly part for businesses is Section 404, which focuses on internal controls over financial reporting.
In this article, we will focus on the complexity of compliance requirements, look at challenges companies can face, the cost of implementation of internal controls, and time and cost-saving solutions.
What is SOX Section 404?
Section 404 of the Sarbanes-Oxley Act (SOX) requires companies to set up and maintain internal controls over financial reporting and to ensure the effectiveness of those controls.
Section 404 of SOX has been broken down into three further parts below:
- SOX 404(a): Management must evaluate the effectiveness of the company’s internal controls over financial reporting and file an annual report on that evaluation with the Securities and Exchange Commission (SEC).
- SOX 404(b): An independent external auditor must attest to management’s evaluation by assessing and confirming the effectiveness of those internal controls.
- SOX 404(c): This section exempts smaller companies from the auditor attestation required by Section 404(b), but they must still maintain and assess their internal controls to comply with Section 404(a).
These are the highlights of the subsection requirements. Let’s dig deeper into them in the following section.
SOX 404 Sub-sections
To understand SOX Section 404 compliance, start by understanding the core requirements of each sub-section, focus on early planning and documentation, and build strong internal controls before going public.
The primary difference between Section 404(a) and 404(b) is that 404(a) requires management to assess internal controls itself, while Section 404(b) requires an independent external audit of those SOX 404 controls that evaluates management’s assessment.
Section 404(a): Management’s Assessment
Under SOX 404(a), management is entirely responsible for the assessment of internal controls over financial reporting, which includes:
- Annual assessments of the design and operating effectiveness of the controls
- Identifying key risks that could harm the company’s financial reports
- Reviewing the transaction processes that affect financial reports
- Testing the controls to ensure they are working as intended
- Identifying deficiencies or weaknesses in those controls
Documentation is vital to prove that internal control processes are working flawlessly. The documentation should include:
- Identification of the framework used
- Description of the internal controls
- Testing methods and results
- Management’s conclusions on the effectiveness of the controls
These assessment results must be reported annually to the SEC and filed in Form 10-K. If any material deficiencies are found, they must be reported along with management’s rectification plans. All publicly traded companies must comply with Section 404(a) with no exceptions, and there is no need for an independent auditor attestation under this Section.
Section 404(b): External Auditor Attestation
Section 404(b) of the Sarbanes-Oxley Act requires larger public companies to hire an independent external auditor to assess, attest to, and report on management’s assessment of internal controls. This means that external auditors must evaluate the effectiveness of internal controls and provide their own independent, unbiased opinion. That opinion is included in the audit report section of Form 10-K. These requirements are governed by Auditing Standard 2201 (AS 2201), issued by the Public Company Accounting Oversight Board (PCAOB).
The American Institute of Certified Public Accountants (AICPA) provides further information and resources for this Section. Organizations should not wait to establish further documentation until the transition from Section 404(a) to 404(b). They should build the foundation as early as possible to avoid compliance gaps when an external SOX 404 audit becomes necessary, as the documentation is required for both sections.
Section 404(c): Exemptions
Certain smaller companies are exempt from Section 404(b) (auditor attestation) due to their status as non-accelerated filers or Emerging Growth Companies (EGCs).
- Non-accelerated filers have a public float of less than $75 million.
- EGCs receive their status from the SEC and are exempt for up to the first five years after their initial public offering, provided they qualify under one of the following criteria:
- Gross revenue of less than $1.235 billion in the most recent fiscal year.
- Non-convertible debt issued of less than $1 billion in the past three fiscal years.
The SEC could revise the EGC status threshold, so organizations should check for the latest regulations before filing annual reports. They must comply with Section 404(b) if the threshold is exceeded.
Challenges of SOX 404 Compliance
Compliance uncertainty
While SOX primarily applies to publicly traded companies, private companies that intend to list on public exchanges through an initial public offering (IPO) must ensure compliance in advance. However, executives often struggle to determine the right time to roll out their compliance efforts. Because private companies usually operate with smaller budgets and staff, allocating the resources required for SOX 404 compliance is challenging. Determining whether existing internal controls are sufficient under SOX 404 requirements or need to be restructured is another challenge.
Increased direct and indirect costs
Compliance costs may increase as the specific knowledge or expertise related to internal controls design and implementation, documentation and testing, risk management, IT Systems, and security knowledge, or project management often requires subject matter experts in these areas.
Time commitment challenge
Time is another concern in developing and implementing an internal controls framework, which requires planning and scoping, testing and remediation, ongoing maintenance and monitoring, and documentation of controls.
Evolving regulations and business complexity
As SOX regulations constantly evolve and business operations become more complex, keeping up with these changes and maintaining internal controls is difficult.
Investing in ineffective compliance solutions
Under pressure from these challenges, companies might implement ineffective solutions due to insufficient testing, improper documentation, or failure to identify and address deficiencies, leading to significant internal and external auditing issues.
SOX 404 Costs and PCAOB Scrutiny
The cost of SOX 404 is a significant expense, especially for first-time filers or emerging growth companies (EGCs). This cost includes thousands of staff hours annually and affects IT, internal audit teams, and financial departments.
The Public Company Accounting Oversight Board (PCAOB) has increased its scrutiny of the audit evidence required under SOX Section 404, which has made compliance more challenging.
Here’s what is required as audit evidence:
- More detailed data integrity checks and documentation
- Evidence for IT controls and cybersecurity risks affecting financial reporting
- Proper oversight from executives or internal management reviews of internal controls
In several cases, PCAOB has identified:
- Inadequate documentation to support the effectiveness of internal controls
- Improper testing of IT systems, leading to unreliable assessments
- Failures to properly identify and disclose material weaknesses
By providing clear and concise documentation for improved IT general controls, working closely with external auditors, and providing clear auditing trails, companies can prepare for increased PCAOB scrutiny.
Four Steps to SOX 404 Compliance
SOX 404 compliance requires a structured approach to ensure the integrity of financial reporting and maintain a balance between cost and efficiency.
Below are the four key processes to follow:
- Identification: Finding out key financial processes and related risks.
- Design and Documentation: Designing and documenting internal controls framework.
- Implementation: Execution and maintenance of control procedures.
- Monitoring: Assessment and improvement of internal controls by monitoring.
Each step plays a key role in implementing strong internal controls that meet the SOX Section 404 regulations and withstand external audit scrutiny.
Identification
The first step is to identify key business processes that have a crucial impact on financial reporting. This process may include accounts payable, inventory management, revenue recognition, or payroll.
- Perform risk assessments. Conduct a thorough risk assessment for each identified process for key areas of misstatement. This could be done by creating a risk assessment matrix for detailed specific controls to address and resolve risks.
- Implement well-known frameworks. PCAOB recommends considering the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework for designing, implementing, and assessing internal controls over financial reporting. Using COSO helps organizations develop a structured approach to complying with SOX Section 404.
Design and Documentation
After determining the critical business processes:
- Clearly define internal controls. Design well-documented and clear internal controls for those processes, clearly outlining the responsibilities, frequency, and expected outcomes.
- Establish proper documentation. Establish detailed documentation for those controls defining who performs the control (Control Owner) and how frequently the control is performed, e.g., daily, monthly, or quarterly. Define what documentation is needed for review, e.g., bank statements, invoices, or reports.
- Set appropriate control precision. Define acceptable variance thresholds based on financial impact. Precision is essential but often overlooked when determining whether a control is effective. For example:
- Avoid setting a $1 review threshold when revenue exceeds $500 million; the threshold should reflect actual financial risk.
- Instead, companies should investigate discrepancies above 1% of total revenue, which is a reasonable control.
- Tailor internal controls to business size and risk. Tailored controls should be implemented according to the size of the business and its financial risks.
Implementation
Once the initial structure of controls is identified and documented, it is time to implement them consistently and effectively across the organization. This process involves:
- Increased resource allocation. Employees will require time to execute these controls and report the results for internal assessments and external audits. This may increase the workload and require additional staff hiring or reallocating responsibilities.
- Automation considerations. Because manual processes are time-consuming, many companies consider implementing automation tools. Third-party solutions like Pathlock can help streamline the processes and minimize manual efforts.
Monitoring
Internal controls are dynamic. If an organization grows, controls must be monitored and updated as required. Over time, processes can change and expand, and new risks can emerge. Precision controls should also be adjusted to align with these updates.
Management must take the requirements of SOX Section 404 seriously to provide precise assessments of internal controls, even if the company is exempted from Section 404(b). For example, a $10,000 control threshold for a small company may need to be updated to $100,000 if the company expands.
To strengthen the oversight, organizations must establish an internal audit function body that will:
- Monitor the effectiveness of internal controls
- Perform internal controls testing
- Resolve the deficiencies identified.
These assessments should be based on thorough testing and evaluation of the controls, avoiding boilerplate reports (generic or copy-paste SOX reports) that provide meaningless analysis. Executives who knowingly attest to such false reports can face criminal penalties from the SEC.
SOX 404 Impact on Financial Reporting
SOX Section 404 regulations enable companies to improve financial reporting processes by identifying weaknesses in internal controls over financial reporting. This reduces the number of errors and fraudulent activities, leading to increased investor confidence. SOX 404 has also improved organizations’ governance, risk management, and operational efficiency.
SOX added benefits include:
- Role clarity and accountability. Documenting internal controls provides clear responsibilities and roles for employees within the organization, reducing confusion. This leads to improved performance, increased accountability, and reduced employee turnover. An example of this could be clearly defined approval to prevent unauthorized transactions for procurement.
- Process understanding and improved decision-making. Management and employees require a deeper understanding of business processes and the internal flow of financial information for better performance and improved decision-making. For example, a CFO with a better understanding of business processes can better understand how revenue is recognized in different business units.
- Governance and oversight. To improve governance and provide an extra layer of oversight, PCAOB requires the establishment of an independent audit committee to review a company’s financial reports and internal control activities. For example, the audit committee could question management about unusual financial adjustments, requiring more transparency.
- Improved audit efficiency. SOX 404 can lead to fewer adjustments external auditors require if the company has adequate internal controls over financial reporting. An example would be automating processes to minimize discrepancies.
- Improved fraud prevention and risk reduction. Fraudulent activities can be reduced by implementing strong internal controls in light of SOX 404 rules and regulations by detecting and preventing financial manipulation or misconduct. An example could be implementing segregation of duties to ensure no single person controls approval processes or cash dealings.
- Improved corporate governance and investor trust. By increasing accountability and transparency, SOX 404 establishes better corporate governance and provides additional insight to the board of directors. Regulatory bodies and investors would trust a company with transparent financial disclosures more.
- Enhanced data security and data integrity. Maintaining adequate internal controls, particularly IT general controls, improves data integrity and can also reduce exposure to ransomware attacks and cybersecurity breaches. For example, using multi-factor authentication or role-based access controls provides better protection of sensitive financial data.
- Process standardization and consistency. SOX 404 compliance can drive standardization of accounting practices for multinational organizations to improve consistency and efficiency in financial reporting. For example, a US-based company with subsidiaries in Asia and Europe should follow standardized internal controls to ensure financial reporting.
- Automation and error reduction. Internal control automation is often part of implementing a system that can reduce human error risk in financial reporting. For example, automating journal entry approvals will reduce errors in financial closing processes.
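The segregation-of-duties check mentioned above (no single person controlling both approval and cash handling) is the kind of control a periodic access review tests. The following is an added example for this article, not Pathlock code or any project's own implementation; the roles, users, conflict rules and compensating-control records are constructed sample data.

```python
"""Segregation-of-duties (SoD) conflict detection over user-role assignments.

Added illustration for this article (constructed data, not a vendor's code).
It models one recurring ICFR control: find users whose combined roles grant
incompatible business functions, then report which conflicts lack a documented
compensating control so reviewers can remediate or justify them.
"""

# Pairs of business functions one person must not hold together (constructed).
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"approve_payment", "release_cash"}),
    frozenset({"post_journal_entry", "approve_journal_entry"}),
}

# Each system role maps to the business functions it grants (constructed).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "TREASURY": {"release_cash"},
    "GL_ACCOUNTANT": {"post_journal_entry"},
    "CONTROLLER": {"approve_journal_entry", "approve_payment"},
}


def user_functions(roles):
    """Union of all business functions granted by a user's roles."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def find_sod_conflicts(user_roles):
    """Return {user: sorted list of conflicting (function, function) pairs}."""
    findings = {}
    for user, roles in user_roles.items():
        funcs = user_functions(roles)
        hits = sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= funcs)
        if hits:
            findings[user] = hits
    return findings


def unmitigated_conflicts(findings, compensating_controls):
    """Drop conflicts that have a documented compensating control.

    compensating_controls: {user: {(function, function): "control reference"}}.
    Anything left is an open finding for the access review.
    """
    open_items = {}
    for user, pairs in findings.items():
        documented = compensating_controls.get(user, {})
        remaining = [p for p in pairs if p not in documented]
        if remaining:
            open_items[user] = remaining
    return open_items


if __name__ == "__main__":
    # Constructed quarterly access-review extract.
    users = {
        "alice": ["AP_CLERK", "AP_MANAGER"],
        "bob": ["TREASURY"],
        "carol": ["GL_ACCOUNTANT", "CONTROLLER"],
        "dave": ["AP_MANAGER", "TREASURY"],
    }
    # Carol's conflict is covered by a documented secondary review (constructed).
    mitigations = {"carol": {("approve_journal_entry", "post_journal_entry"): "CTRL-GL-07"}}
    found = find_sod_conflicts(users)
    for user, pairs in unmitigated_conflicts(found, mitigations).items():
        print(f"OPEN SoD finding for {user}: {pairs}")
```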
SOX 404 Top-Down Risk Assessment (TDRA) and Testing Framework
The Top-Down Risk Assessment (TDRA) is a structured internal controls framework that prioritizes compliance efforts on the most critical financial risks. It starts by evaluating high-level risks affecting financial reporting and drills down to the specific transactions and controls that address those risks.
By employing this framework, organizations ensure that management effectively tests the internal controls environment, aligning with auditing standard No. 5 of PCAOB and SEC interpretive guidance (Release 33-8810/34-55929). This helps the external auditors perform an audit and assess the management’s findings.
Hierarchical framework for identifying financial risks
TDRA, as a hierarchical framework, focuses on high-risk areas such as revenue recognition as the risk of overstatement, inventory valuation as the risk of misstatement, and risk of bad debt misclassification for allowances and accounts receivables. It also:
- Identifies material financial statement risks within those accounts.
- Determines the transaction-level and entity-level controls that address these risks.
- Determines the timing, nature, and extent of evidence gathered, such as inquiry of employees about controls, observation of controls and of documentation such as policies, logs, and invoices, and re-execution of controls where deficiencies are found.
TDRA also relies on management’s judgment in testing decisions as part of SOX 404 compliance, so management should focus on high-level assessment; testing every petty cash transaction, for example, would be poor judgment.
Based on the TDRA assessment, external auditors may find the audit evidence obtained by management sufficient and reliable and could rely on it when attesting to the annual financial reports.
Automating SOX 404 Compliance
Implementing internal controls manually can be highly time-consuming and costly. Preparing documentation, testing, and monitoring those controls requires significant effort, can lead to human errors and inaccuracies, and can consume hundreds of hours of compliance work.
Third-party software solutions like Pathlock are specifically designed to reduce the time and cost associated with documenting, implementing, and monitoring internal controls. Solutions like Pathlock can automate many of these tasks.
Automation tools ease building and scaling internal controls, removing many challenges associated with SOX 404 compliance. For example, they eliminate repetitive tasks, provide real-time control testing instead of periodic manual assessments, and reduce non-compliance risk by detecting weaknesses and anomalies early. These solutions also reduce reliance on spreadsheets and standard documentation in different business units, provide automated collection of audit evidence, track real-time compliance gaps, and provide real-time dashboards for compliance progress and reports for faster audits.
How Pathlock Helps in SOX 404 Compliance
Pathlock is a Governance, Risk, and Compliance (GRC) solution. It offers many helpful features designed explicitly for SOX 404 compliance:
- Access control. It helps companies determine who has access to what within their systems, which is critical for preventing fraud and errors, especially segregation of duties (SoD) conflicts.
- Streamlined user provisioning. Employees get only the system access they need.
- Automated regular access reviews. Pathlock allows more effective monitoring and control of privileged users with extra access. It also simplifies managing user roles.
- Continuous control monitoring. It gives real-time insights into transactions and user activity, helping organizations detect potential problems early.
- Compliance reports. During audit time, Pathlock generates the reports you need to prove you are compliant, saving you from many last-minute modifications.
Pathlock automates many of the key tasks involved in SOX 404, from managing internal controls over financial reporting (ICFR) and IT general controls (ITGCs) to entity-level controls (ELCs) and disclosure controls. The result is smoother compliance, lower costs, and a clearer picture of who is doing what in your systems.
Conclusion
SOX 404 compliance is a compulsory requirement for publicly traded companies to ensure transparency, accountability, and accuracy of financial reporting. It requires establishing and maintaining internal controls, which can be established by adopting the COSO framework recommended by PCAOB and trusted by most external auditing companies when evaluating the assessment of internal reports from higher management.
Using third-party solutions for automation can improve the efficiency of internal controls, testing, and monitoring practices. Compliance with Section 404 of SOX can increase an organization’s security posture.
Frequently Asked Questions About SOX 404
Section 404 is the key provision of the Sarbanes-Oxley Act of 2002. It requires publicly traded organizations to implement, maintain, and report on internal controls over financial reporting (ICFR) to prevent inaccuracies and fraudulent activities, which in turn restores the confidence of investors and regulatory bodies. It also requires management to assess the efficiency and effectiveness of internal controls and provide that assessment to external auditors, who then evaluate the controls based on management’s assessment for any weaknesses that could lead to false financial reports.
Section 404(a) requires higher management to assess, test, and document internal controls by identifying key controls and procedures, assessing risks associated with financial transactions, and devising methods to mitigate them. It also requires the practical design of internal controls and the assurance that they work as intended. The best practice is to adopt the COSO framework for structuring and assessing these controls.
The cost to comply with SOX Section 404 varies depending on the company’s size and complexity, its industry, the existing control environment, and the use of automation technologies to reduce costs. A rough estimate of SOX Section 404 compliance costs is between $500,000 and $1 million for smaller public companies or emerging growth companies (EGCs), between $1 million and $3 million for mid-sized public companies, and between $3 million and $10 million or more for large public companies.
Section 404 of the Sarbanes-Oxley Act of 2002 is controversial due to its complexity, high cost, and impact on businesses, specifically smaller companies. These costs include extensive time and effort for testing, documentation, and reporting, which leads some to call it overregulation; others argue in favor of the provision that it prevents fraud and earns investors’ trust by improving accountability and transparency in financial reporting. The SEC has added Section 404(c) to address the cost issue, exempting small companies from Section 404(b) and reducing overall compliance costs.