The Sarbanes-Oxley Act (SOX) as a whole addresses corporate accounting and accountability across 11 titles, but the most complex and costly part for businesses is Section 404, which covers internal controls over financial reporting (ICFR).
In this article, we look at what Section 404 requires, the challenges companies face, the cost of implementing internal controls, and time- and cost-saving approaches.
What is SOX 404?
Section 404 of the Sarbanes-Oxley Act requires companies to establish and maintain internal controls over financial reporting and to assess the effectiveness of those controls.
Section 404 is made up of three subsections:
- SOX 404(a): Management must assess the effectiveness of the company's internal controls over financial reporting and include that assessment in the annual report filed with the Securities and Exchange Commission (SEC).
- SOX 404(b): The company's independent external auditor must attest to, and report on, management's assessment of internal controls.
- SOX 404(c): Smaller companies (non-accelerated filers) are exempt from the auditor attestation in Section 404(b), but they must still maintain and assess their internal controls under Section 404(a).
These are the highlights of the subsection requirements. Let’s dig deeper into them in the following section.
SOX 404 Sub-sections
Understanding SOX Section 404 compliance starts with the core requirement of each subsection; companies preparing for an IPO should plan early, document as they go, and build strong internal controls before going public.
The primary difference between Sections 404(a) and 404(b) is who performs the assessment: 404(a) requires management to assess the internal controls, while 404(b) requires an independent external auditor to audit those controls and attest to management's assessment.
Section 404(a): Management’s Assessment
Under SOX 404(a), management is responsible for assessing internal controls over financial reporting, which includes:
- Annual assessments of the design and operating effectiveness of the controls,
- Identifying key risks that could lead to misstatement of the company's financial reports,
- Reviewing the transaction processes that feed financial reporting,
- Testing controls to confirm they operate as intended, and
- Identifying deficiencies or weaknesses in those controls.
Documentation is vital to demonstrate that the internal control processes operate effectively. It should include:
- Identification of the framework used
- Internal controls description
- Testing methods and results,
- Conclusions on the effectiveness of the controls by management.
Management's assessment is included in the annual report on Form 10-K filed with the SEC. Any material weaknesses identified must be disclosed, along with management's remediation plans. All public companies must comply with Section 404(a) (a newly public company is not required to include management's report in its first annual report after the IPO), and Section 404(a) itself does not require an independent auditor attestation.
Section 404(b): External Auditor Attestation
Section 404(b) requires larger public companies to engage an independent external auditor to audit the effectiveness of internal controls over financial reporting and attest to management's assessment. The auditor must form an independent opinion on the effectiveness of ICFR, and that opinion is included in the auditor's report in Form 10-K. These audits are governed by PCAOB (Public Company Accounting Oversight Board) Auditing Standard AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements.
The American Institute of Certified Public Accountants (AICPA) provides further resources on this topic. Organizations should not wait until they transition from Section 404(a) to 404(b) to build out documentation. Because the same control documentation underpins both sections, building that foundation early avoids compliance gaps when an external SOX 404 audit becomes necessary.
Section 404(c): Exemptions
Certain smaller companies are exempt from the auditor attestation in Section 404(b) because they are non-accelerated filers or Emerging Growth Companies (EGCs):
- Non-accelerated filers generally have a public float of less than $75 million (since the SEC's 2020 amendments, an issuer with annual revenue under $100 million and a public float under $700 million is also a non-accelerated filer).
- EGC status is available to companies whose annual gross revenue was below $1.235 billion in the most recent fiscal year at the time of the IPO. It lasts for up to five years after the IPO and ends earlier if the company:
- reports annual gross revenue of $1.235 billion or more,
- issues more than $1 billion in non-convertible debt over the previous three years, or
- becomes a large accelerated filer.
The SEC adjusts the EGC revenue threshold for inflation, so organizations should check the current figure before filing annual reports. Once a company loses its exemption, it must comply with Section 404(b).
Challenges of SOX 404 Compliance
- Compliance uncertainty. SOX primarily applies to public companies, but private companies that intend to list through an initial public offering (IPO) must prepare in advance, and executives often struggle to judge when to start. Private companies usually operate with smaller budgets and staff, so allocating the resources SOX 404 demands is difficult, as is deciding whether existing internal controls meet SOX 404 requirements or need to be restructured.
- Increased direct and indirect costs. Companies transitioning to SOX 404 compliance face higher costs, especially those preparing for an IPO or smaller companies with limited resources. Direct costs include auditor fees, employee training, consultant fees, and software implementation. Indirect costs include the employee time spent on these activities, which disrupts everyday operations.
- Specialized expertise is required. Designing, implementing, documenting, and testing internal controls draws on expertise in risk management, IT systems and security, and project management, and the subject matter experts needed in these areas add to the cost.
- Time commitment. Developing and implementing an internal controls framework requires planning and scoping, testing and remediation, ongoing maintenance and monitoring, and documentation of controls, all of which take sustained effort.
- Evolving regulations and business complexity. As regulatory expectations evolve and business operations become more complex, keeping up with these changes and maintaining internal controls is difficult.
- Investing in ineffective compliance solutions. Under this pressure, companies may adopt solutions that fall short through insufficient testing, improper documentation, or failure to identify and remediate deficiencies, leading to significant findings in internal and external audits.
SOX 404 Costs and PCAOB Scrutiny
The cost of SOX 404 compliance is significant, especially for first-time filers and emerging growth companies (EGCs). It consumes thousands of staff hours annually across IT, internal audit, and finance.
The Public Company Accounting Oversight Board (PCAOB) has also increased its scrutiny, through inspections of audit firms, of the evidence that supports SOX Section 404 audit opinions, which in turn raises the bar for the evidence companies must produce.
Auditors now expect, among other things:
- More detailed data integrity checks and supporting documentation,
- Evidence that IT controls operate effectively, and consideration of cybersecurity risks that could affect financial reporting,
- Evidence of management review controls and executive oversight of internal controls.
In several cases, PCAOB has identified:
- Inadequate documentation to support the effectiveness of internal controls,
- Improper testing of IT systems, leading to unreliable assessments,
- Failures in proper identification and disclosure of material weaknesses.
Companies can prepare for this scrutiny by documenting IT general controls clearly, working closely with external auditors, and maintaining clear audit trails.
Four Steps to SOX 404 Compliance
SOX 404 compliance requires a structured approach to ensure the integrity of financial reporting and maintain a balance between cost and efficiency.
Below are the four key processes to follow:
- Identification: Finding out key financial processes and related risks.
- Design and Documentation: Designing and documenting internal controls framework.
- Implementation: Execution and maintenance of control procedures.
- Monitoring: Assessment and improvement of internal controls by monitoring.
Each step contributes to internal controls that meet SOX Section 404 requirements and withstand external audit scrutiny.
Identification
The first step is to identify the key business processes that materially affect financial reporting, such as revenue recognition, accounts payable, inventory management, and payroll.
- Perform risk assessments. For each identified process, assess where material misstatements could occur. A risk and control matrix, which maps each risk to the specific controls that address it, is a common way to document this.
- Use a recognized framework. SEC rules require management to base its assessment on a suitable, recognized control framework, and the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework is the one used by the vast majority of companies and referenced by PCAOB standards. Using COSO gives organizations a structured approach to SOX Section 404 compliance.
Design and Documentation
After determining the critical business processes:
- Clearly define internal controls. Design well-documented controls for those processes, clearly stating the objective of each control, who is responsible, how often it runs, and what outcome is expected.
- Establish proper documentation. Record who performs each control (the control owner), how frequently it is performed (daily, monthly, quarterly), and what evidence the review relies on, e.g., bank statements, invoices, or system reports.
- Set appropriate control precision. Define the variance threshold at which a reviewer must investigate, based on financial impact. Precision determines whether a control can actually detect a material misstatement, yet it is often overlooked. For example:
- A $1 investigation threshold on a review control at a company with $500 million in revenue does not reflect the actual financial risk and buries real issues in noise.
- A threshold expressed relative to the balance being reviewed (for example, discrepancies above 1% of total revenue) is more defensible, provided it is set below the level at which a misstatement would be material.
- Tailor internal controls to business size and risk. Controls should be proportionate to the size of the business and its financial risks.
Implementation
Once the initial structure of controls is identified and documented, it is time to implement them consistently and effectively across the organization. This process involves:
- Increased resource allocation. Employees need time to perform the controls and retain evidence for internal assessments and external audits. This increases workloads and may require additional hiring or reassigning responsibilities.
- Automation considerations. Because manual processes are time-consuming, many companies adopt automation tools. Third-party solutions such as Pathlock can streamline these processes and reduce manual effort.
Monitoring
Internal controls are not static. As an organization grows, controls must be monitored and updated; processes change, new systems arrive, and new risks emerge. Control precision thresholds should be revisited along with them.
Management must take the requirements of SOX Section 404 seriously and assess internal controls accurately, even if the company is exempt from Section 404(b). For example, a $10,000 review threshold appropriate for a small company may need to rise to $100,000 as the company expands.
To strengthen oversight, organizations should establish an internal audit function that will:
- Monitor the effectiveness of internal controls
- Perform internal controls testing
- Track remediation of the deficiencies identified.
These assessments must rest on actual testing and evaluation of the controls rather than boilerplate (generic or copy-pasted) SOX reports, which provide no meaningful analysis. Executives who knowingly certify false reports face civil enforcement by the SEC and criminal penalties under SOX Section 906.
SOX 404 Impact on Financial Reporting
SOX Section 404 has pushed companies to improve their financial reporting processes by surfacing weaknesses in internal controls over financial reporting. This has reduced errors and fraud and increased investor confidence, and it has improved organizations' governance, risk management, and operational efficiency.
SOX added benefits include:
- Role clarity and accountability. Documenting internal controls gives employees clear roles and responsibilities, reducing confusion and improving performance and accountability. An example is a clearly defined approval chain in procurement that prevents unauthorized transactions.
- Process understanding and improved decision-making. Management and employees gain a deeper understanding of business processes and the internal flow of financial information, which supports better decisions. For example, a CFO who understands the underlying processes can see how revenue is recognized in different business units.
- Governance and oversight. SOX Section 301 (implemented through SEC Rule 10A-3 and stock exchange listing standards) requires public companies to have an independent audit committee that oversees financial reporting and the external auditor, adding a further layer of governance. For example, the audit committee can question management about unusual financial adjustments, forcing more transparency.
- Improved audit efficiency. When internal controls over financial reporting are effective, external auditors find fewer adjustments and can rely more on the company's own work. Automating processes to minimize discrepancies is one example.
- Improved fraud prevention and risk reduction. Strong internal controls built for SOX 404 detect and prevent financial manipulation and misconduct. An example is segregation of duties, so that no single person controls both approval and execution of payments or cash handling.
- Improved corporate governance and investor trust. By increasing accountability and transparency, SOX 404 strengthens corporate governance and gives the board of directors better insight. Regulators and investors place more trust in a company with transparent financial disclosures.
- Enhanced data security and data integrity. Adequate internal controls, particularly IT general controls (ITGCs), protect the integrity of financial data and also reduce exposure to ransomware and other breaches. For example, multi-factor authentication and role-based access control protect sensitive financial data.
- Process standardization and consistency. SOX 404 compliance drives standardization of accounting practices in multinational organizations, improving consistency and efficiency in financial reporting. For example, a US-based company with subsidiaries in Asia and Europe should apply the same internal controls across all of them.
- Automation and error reduction. Automating internal controls reduces the risk of human error in financial reporting. For example, automated journal entry approval workflows reduce errors in the financial close.
SOX 404 Compliance with the COSO Framework
SOX Section 404 is a key provision that requires companies to implement, maintain, and test internal controls over financial reporting. An internal controls framework helps ensure the accuracy and reliability of financial information. Section 404 applies to all companies that file annual reports with the SEC, including foreign private issuers listed on US exchanges; consolidated subsidiaries, inside or outside the US, fall within scope because their results roll up into the parent's financial statements.
Why Use COSO?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed the most widely accepted framework for designing, implementing, and assessing internal control over financial reporting. Using it is considered best practice: SEC rules require management's assessment to be based on a suitable, recognized framework, and COSO is the one regulators, auditors, and companies expect.
Using COSO also simplifies the external audit, because external auditors are accustomed to evaluating a company's internal controls against the COSO components and principles.
COSO Framework: 17 principles within five components
The COSO Framework consists of five interconnected components that help organizations design and maintain adequate internal controls. Each component has its own principles, as described below.
Control Environment
The control environment is the foundation for all other components: the tone set by the board of directors and executive management regarding ethics, integrity, and compliance. It establishes the company's commitment to ethical business practices and reliable financial reporting and provides leadership-driven governance.
Internal controls should support financial reporting objectives aligned with the company's strategy. Roles, responsibilities, and reporting lines should be clearly defined to provide transparency and accountability, and employees should understand what is expected of them with respect to internal controls and compliance.
An example of putting a code of ethics into practice is a whistleblower policy that encourages employees to report concerns about financial reporting internally.
Risk Assessment
This component identifies and analyzes risks to financial reporting objectives and develops responses to them. A risk is any event or condition that could prevent the company from achieving reliable financial reporting. Because risks evolve, management should reassess them and adjust controls accordingly; fraud risk assessment is an explicit principle of the COSO framework.
Common SOX 404 risks include:
- Revenue manipulation,
- Inaccurate procedures for financial close,
- Weak IT general controls that could allow unauthorized access to, or changes in, sensitive financial data,
- Manual processes that introduce material misstatements.
A common example is discovering that manual journal entries are introducing errors in the financial close; automating the entries, with approval workflows, removes much of that risk.
Control Activities
Control activities are the policies and procedures that carry out management's directives and address the identified risks. Controls designed to stop fraud or errors from occurring are preventive; controls designed to catch errors or fraud after they occur are detective. Examples:
- Segregation of duties between payroll processing and payroll approval (preventive).
- System access restrictions that prevent unauthorized changes to financial data (preventive).
- Monthly bank reconciliations to identify unauthorized or erroneous transactions (detective).
- Automated variance analysis that flags unexpected changes in revenue (detective).
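The first two controls above live in the identity and access layer, where they can be checked mechanically. The following is an added example, not code from the original article or from any vendor product mentioned on this page: a Python script that takes a constructed role model and constructed user-to-role assignments, evaluates a constructed ruleset of conflicting permission pairs, and reports segregation-of-duties conflicts, including the ones that arise only through the combination of two individually harmless roles. It also shows the preventive form of the control, checking a proposed role grant before it is provisioned. All role, permission, and user names are illustrative.

```python
"""Segregation-of-duties (SoD) conflict detection over role assignments.

Added example: not from the original article or from any GRC product.
All roles, permissions, users and rules below are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed role model: each role grants a set of fine-grained permissions.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_MANAGER": {"invoice.approve", "payment.approve"},
    "PAYROLL_PROCESSOR": {"payroll.process"},
    "PAYROLL_APPROVER": {"payroll.approve"},
    "GL_ACCOUNTANT": {"journal.post"},
    "CONTROLLER": {"journal.approve", "payment.approve"},
    "READ_ONLY": {"report.view"},
}

# Constructed SoD ruleset: permission pairs one person must never hold
# together, with the fraud scenario each pair enables.
SOD_RULES: dict[tuple[str, str], str] = {
    ("vendor.create", "payment.approve"): "create a fictitious vendor and pay it",
    ("invoice.enter", "invoice.approve"): "enter and approve the same invoice",
    ("payroll.process", "payroll.approve"): "run and approve payroll unchecked",
    ("journal.post", "journal.approve"): "post and approve own journal entries",
}


@dataclass(frozen=True)
class Conflict:
    user: str
    perm_a: str
    perm_b: str
    via_roles: tuple[str, ...]  # roles whose combination creates the conflict
    risk: str


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Map each permission a user holds to the roles that grant it."""
    granted: dict[str, set[str]] = defaultdict(set)
    for role in roles:
        for perm in role_permissions.get(role, ()):
            granted[perm].add(role)
    return granted


def find_sod_conflicts(assignments, rules=SOD_RULES,
                       role_permissions=ROLE_PERMISSIONS,
                       mitigated=frozenset()):
    """Detective check: report every (user, perm_a, perm_b) that violates a rule.

    `mitigated` holds (user, perm_a, perm_b) tuples for conflicts accepted with
    a documented compensating control; these are not reported.
    """
    conflicts = []
    for user, roles in sorted(assignments.items()):
        granted = effective_permissions(roles, role_permissions)
        for (a, b), risk in rules.items():
            if a in granted and b in granted and (user, a, b) not in mitigated:
                via = tuple(sorted(granted[a] | granted[b]))
                conflicts.append(Conflict(user, a, b, via, risk))
    return conflicts


def would_conflict(user, new_role, assignments, **kwargs):
    """Preventive check: conflicts that granting `new_role` to `user` would create."""
    proposed = list(assignments.get(user, [])) + [new_role]
    return find_sod_conflicts({user: proposed}, **kwargs)


# Constructed access extract, e.g. from an ERP user/role report.
USER_ROLES = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "CONTROLLER"],  # conflict exists only via the combination
    "carol": ["PAYROLL_PROCESSOR", "PAYROLL_APPROVER"],
    "dave": ["GL_ACCOUNTANT", "READ_ONLY"],
    "erin": ["AP_MANAGER", "READ_ONLY"],
}

# carol's conflict is accepted with a documented compensating control
# (e.g. CFO review of the payroll register), so it is suppressed.
MITIGATED = frozenset({("carol", "payroll.process", "payroll.approve")})

if __name__ == "__main__":
    for c in find_sod_conflicts(USER_ROLES, mitigated=MITIGATED):
        print(f"{c.user}: {c.perm_a} + {c.perm_b} via {'+'.join(c.via_roles)} "
              f"-> could {c.risk}")
    for c in would_conflict("alice", "CONTROLLER", USER_ROLES):
        print(f"BLOCK grant of CONTROLLER to alice: {c.perm_a} + {c.perm_b}")
```

The detective run is the periodic SoD report an auditor would inspect; the `would_conflict` call is the preventive hook a provisioning workflow would invoke before approving a role request. Keeping the mitigated list explicit matters for audit evidence: every suppressed conflict should trace to a documented compensating control rather than silently disappearing from the report.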
Information & Communications
Strong internal control requires a reliable, accurate flow of financial information and effective communication. Information should move across departments and both up and down the organization. Clear, timely internal communication helps every employee understand their financial reporting responsibilities and role in internal controls and makes it easier to surface fraudulent reporting; external parties such as regulators, auditors, and investors must receive accurate financial information.
For example, a real-time financial dashboard that tracks revenue data and its accuracy can improve transparency between departments such as accounting and IT.
Monitoring
This component establishes ongoing and separate evaluations to confirm that internal controls function as intended. Management should evaluate the results, report deficiencies, and take corrective action. Monitoring failures can lead to financial restatements and material weaknesses, and a loss of auditor trust can increase audit fees.
A typical example of monitoring: quarterly control testing detects a failure in a payroll control, and the issue is reported, investigated, and corrected before the financial statements are released to the external auditors.
Implement COSO Framework for SOX 404 Compliance
Organizations can begin with a gap analysis of their current internal controls against the five components and 17 principles of the COSO framework, identifying where existing controls fall short. This assessment is critical to understanding the scope of work required to meet COSO and to pass the SOX 404 audit.
This can be achieved in three stages:
- Planning and Scoping
- Execution
- Analysis and Reporting
Planning and Scoping
Key stakeholders, including management, IT, finance, and internal auditors, should be engaged and collaborate throughout the organization to identify the critical financial processes that have a material impact on financial statements, such as inventory management, payroll, revenue recognition, accounts payable, or fixed assets.
Planning and scoping activities should include:
- Setting materiality thresholds, i.e., the size of error that could influence an investor's decision.
- Identifying the specific business units and high-risk financial accounts to include in the SOX 404 scope, based on the risk and materiality assessment.
- Identifying the in-scope systems and IT general controls (ITGCs) to test, e.g., access control, system security, data integrity, and change management; ERP systems such as SAP, Oracle, or NetSuite that process financial data are subject to SOX ITGC assessments.
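Of the ITGC areas listed above, access control is usually tested by pulling a user list from each in-scope system and comparing it with HR records. The following is an added example, not code from the original article or from any product named on this page: a Python script that takes a constructed ERP account extract, a constructed HR roster, and a constructed register of approved privileged access, and produces the exceptions a quarterly user access review would raise: active accounts belonging to terminated employees, accounts with no HR record (orphaned), privileged access without documented approval, and dormant accounts that have not authenticated within the review window. System names, user names, and dates are illustrative, and the review date is fixed so the run is reproducible.

```python
"""Quarterly user access review over an ERP account extract (ITGC test).

Added example: not from the original article or from any GRC product.
Accounts, HR roster, approvals and dates are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    privileged: bool            # e.g. SAP_ALL, DBA, or NetSuite Administrator
    last_login: Optional[date]  # None = never logged in
    status: str                 # "active" or "disabled"


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    issue: str


# Constructed HR roster: user -> (employment status, termination date).
# Service accounts are carried with status "service" and a named owner.
HR_ROSTER: dict[str, tuple[str, Optional[date]]] = {
    "alice": ("active", None),
    "bob": ("terminated", date(2024, 3, 15)),
    "carol": ("active", None),
    "erin": ("active", None),
    "svc_batch": ("service", None),
}

# Constructed extract from the in-scope systems' user/role reports.
ACCOUNTS = [
    Account("alice", "SAP", False, date(2024, 6, 27), "active"),
    Account("bob", "SAP", True, date(2024, 3, 10), "active"),     # left, still enabled
    Account("carol", "SAP", True, date(2024, 6, 20), "active"),
    Account("dave", "Oracle", False, None, "active"),             # no HR record
    Account("svc_batch", "Oracle", True, date(2024, 6, 29), "active"),
    Account("erin", "NetSuite", False, date(2023, 12, 1), "disabled"),
]

# Constructed register of privileged access approved by the system owner.
APPROVED_PRIVILEGED = {("carol", "SAP"), ("svc_batch", "Oracle")}

# Fixed review date so the example is reproducible (constructed).
REVIEW_DATE = date(2024, 6, 30)


def review_access(accounts, hr_roster, approved_privileged, as_of,
                  dormant_days=90):
    """Return the exceptions a user access review should raise as of `as_of`."""
    findings = []
    for acct in accounts:
        if acct.status != "active":
            continue  # disabled accounts carry no access; out of scope
        hr_status, term_date = hr_roster.get(acct.user, ("unknown", None))
        if hr_status == "unknown":
            findings.append(Finding(acct.user, acct.system,
                                    "no HR record: orphaned account"))
        elif hr_status == "terminated":
            findings.append(Finding(acct.user, acct.system,
                                    f"active account for employee terminated {term_date}"))
        if acct.privileged and (acct.user, acct.system) not in approved_privileged:
            findings.append(Finding(acct.user, acct.system,
                                    "privileged access without documented approval"))
        if acct.last_login is None:
            findings.append(Finding(acct.user, acct.system,
                                    "never logged in: dormant account"))
        elif (as_of - acct.last_login).days > dormant_days:
            findings.append(Finding(acct.user, acct.system,
                                    f"no login since {acct.last_login}: dormant account"))
    return findings


def summarize(findings):
    """Count findings per user, for the review sign-off sheet."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(ACCOUNTS, HR_ROSTER, APPROVED_PRIVILEGED, REVIEW_DATE)
    for f in results:
        print(f"{f.system:<9}{f.user:<10}{f.issue}")
    print(summarize(results))
```

In a real review the account extract and HR roster would be exported from the ERP and HRIS on the same day, and the output, together with the reviewer's disposition of each finding (revoke, approve, or document a compensating control), is the evidence the auditor inspects. The dormant-account window is a judgment call; 90 days is a common starting point, and the parameter is exposed so the reviewer can tighten it for privileged accounts.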
Execution
This phase requires testing the design and effectiveness of each internal control, conducting risk assessments, and identifying deficiencies.
Process and Control Documentation Updates and Control Design Assessment
Make sure that process documentation matches the controls as they actually operate; any changes to controls, procedures, or policies made during implementation must be reflected in it. Document the control design assessment, confirming that each control, as designed, addresses the risk it is mapped to. Documentation should contain a clear, concise process narrative, control descriptions, flowcharts, and testing procedures. Also assess whether controls can be rationalized to remove redundancy and improve efficiency.
Operating Effectiveness Testing
- Decide the nature of testing for each control, e.g., inquiry, observation, inspection of documents, or re-performance of the control.
- Determine the timing of testing: interim testing during the year, followed by roll-forward testing to cover the period from the interim test date to year-end.
- Determine the extent of testing (sample sizes) based on the risk and frequency of the control; a daily control requires a larger sample than a quarterly one.
Companies often make the mistake of testing controls too late in the year, which leaves no time for remediation and retesting.
Deficiency Evaluation and ICFR Assessment
Once control testing is complete, management evaluates each deficiency and its potential impact on internal controls over financial reporting (ICFR), classifying it as a control deficiency, a significant deficiency, or a material weakness (a deficiency, or combination of deficiencies, such that there is a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis). Material weaknesses must be disclosed in the SEC filing.
Analysis and Reporting
After control testing and internal verification of ICFR are complete, companies prepare the required reports: management's assessment of ICFR (Section 404(a)), typically supported by internal audit's testing, and, where applicable, the attestation report of the independent external auditor (Section 404(b)).
Both are filed with the SEC in Form 10-K. Any material weaknesses must be disclosed along with remediation plans, and remediated controls must be retested before they can be relied upon.
Top-Down Risk Assessment (TDRA) and Testing Framework
The Top-Down Risk Assessment (TDRA) is a structured approach that focuses compliance effort on the financial risks that matter most. It starts at the financial statement level, identifies significant accounts and disclosures and their relevant assertions, and drills down to the processes, transactions, and controls that address those risks.
This is the approach set out in PCAOB AS 2201 (formerly Auditing Standard No. 5) and in the SEC's interpretive guidance for management (Release 33-8810/34-55929). Following it lets management test the control environment efficiently and gives external auditors a basis for evaluating management's work.
Hierarchical framework for identifying financial risks
TDRA, as a hierarchical framework, focuses on high-risk areas such as revenue recognition (risk of overstatement), inventory valuation (risk of misstatement), and allowances against accounts receivable (risk of misclassified bad debt). It then:
- Identifies the material financial statement risks within those accounts.
- Determines the entity-level and transaction-level controls that address those risks.
- Determines the nature, timing, and extent of evidence to gather, such as inquiry of control performers, observation of controls, inspection of documentation (policies, logs, invoices), and re-performance of controls where deficiencies are suspected.
TDRA also relies on management's judgment in deciding what to test and how much; testing every petty cash transaction while under-testing revenue recognition is an example of poor judgment.
Where management's TDRA-based testing produces sufficient, reliable evidence, the external auditor may be able to rely on some of it, reducing the audit effort behind the annual report.
Automating SOX 404 Compliance
Implementing internal controls manually, including preparing documentation, testing, and monitoring the controls, is time-consuming and costly. It requires significant effort, introduces the risk of human error, and can consume hundreds of hours of compliance work each year.
Third-party software such as Pathlock is designed to reduce the time and cost of documenting, implementing, and monitoring internal controls by automating many of these tasks.
Automation tools make it easier to build and scale internal controls and remove many of the challenges of SOX 404 compliance. They eliminate repetitive tasks, replace periodic manual assessments with continuous control testing, and reduce non-compliance risk by detecting weaknesses and anomalies early. They also reduce reliance on spreadsheets and inconsistent documentation across business units, collect audit evidence automatically, track open compliance gaps, and provide dashboards and reports that speed up audits.
How Pathlock Helps in SOX 404 Compliance
Pathlock is a Governance, Risk, and Compliance (GRC) solution. It offers many helpful features designed explicitly for SOX 404 compliance:
- Access control. It identifies who has access to what in financial systems and flags segregation of duties (SoD) conflicts, which is critical for preventing fraud and errors.
- Streamlined user provisioning, so employees receive only the system access they need.
- Automated periodic access reviews, with closer monitoring and control of privileged users and simpler management of user roles.
- Continuous control monitoring. It gives real-time insight into transactions and user activity, helping organizations detect potential problems early.
- Compliance reporting. At audit time, Pathlock generates the reports needed to demonstrate compliance, avoiding last-minute scrambles.
Pathlock automates many of the key tasks involved in SOX 404, from managing internal controls over financial reporting (ICFR) and IT general controls (ITGCs) to entity-level controls (ELCs) and disclosure controls. The result is smoother compliance, lower costs, and a clearer picture of who is doing what in your systems.
Conclusion
SOX 404 compliance is mandatory for public companies and exists to ensure transparency, accountability, and accuracy in financial reporting. It requires establishing and maintaining internal controls, most commonly structured around the COSO framework, which is referenced by PCAOB standards and relied upon by most external auditors when evaluating management's assessment of internal controls.
Automation through third-party solutions can make control execution, testing, and monitoring more efficient, and the IT general controls that Section 404 demands also strengthen an organization's security posture.
Frequently Asked Questions About SOX 404
Section 404 is the key provision of the Sarbanes-Oxley Act of 2002 that requires public companies to implement, maintain, and report on internal controls over financial reporting (ICFR) to prevent inaccuracies and fraud and thereby restore the confidence of investors and regulators. Management must assess the design and operating effectiveness of those controls, and, for larger companies, an independent auditor then audits the controls and attests to management's assessment.
Section 404(a) requires management to assess, test, and document internal controls: identifying key controls and procedures, assessing the risks associated with financial transactions, and devising controls to mitigate them. It also requires that the controls be appropriately designed and shown to operate as intended. The best practice is to adopt the COSO framework for structuring and assessing these controls.
The cost of complying with SOX Section 404 varies with the company's size and complexity, its industry, the maturity of its existing control environment, and its use of automation. Rough estimates range from $500,000 to $1 million for smaller public companies and emerging growth companies (EGCs), $1 million to $3 million for mid-sized public companies, and $3 million to $10 million or more for large public companies.
Section 404 of the Sarbanes-Oxley Act of 2002 is controversial because of its complexity, high cost, and burden on businesses, especially smaller companies. Critics point to the time and effort spent on testing, documentation, and reporting and call it overregulation; supporters argue that it prevents fraud and earns investors' trust by improving accountability and transparency in financial reporting. Congress added Section 404(c) through the Dodd-Frank Act in 2010 to address the cost issue, permanently exempting non-accelerated filers from Section 404(b) and reducing their compliance costs.