SOX 404 is the section of the Sarbanes-Oxley Act of 2002 that requires publicly traded companies to evaluate and report on the effectiveness of their internal controls over financial reporting. It has two parts: Section 404(a) requires company management to perform this assessment annually, and Section 404(b) requires an independent auditor to verify that assessment. Together, these rules are designed to catch errors or fraud in financial statements before investors ever see them.
If you work at a public company, are preparing for an IPO, or are studying for an accounting or compliance role, SOX 404 is one of the most consequential pieces of corporate regulation you’ll encounter.
What SOX 404 Actually Requires
Section 404 splits its mandate into two distinct obligations. Section 404(a) tells management: you must assess how well your internal controls over financial reporting (often abbreviated ICFR) are working, then include that assessment in your annual report. If management discovers a material weakness, meaning a flaw serious enough that it could lead to a significant error in the company’s financial statements, the company must disclose it.
Section 404(b) adds a second layer. An independent outside auditor must separately evaluate management’s assessment and issue its own opinion on whether those internal controls are effective. This is called an “auditor attestation.” The auditor isn’t just reviewing management’s homework. The auditor performs its own testing and reaches its own conclusion about whether the controls work.
The practical result is that every large public company produces two opinions on internal controls each year: one from management and one from an external audit firm.
Which Companies Must Comply
All publicly traded companies must comply with Section 404(a), the management assessment. The more expensive requirement, Section 404(b)’s auditor attestation, applies based on company size.
Large accelerated filers and accelerated filers, generally companies with a public float (the market value of shares held by outside investors) above certain thresholds, must have the independent auditor attestation. Non-accelerated filers and certain smaller reporting companies are exempt from 404(b). Emerging growth companies, a classification created by the JOBS Act for newly public firms, also get a five-year exemption from the auditor attestation requirement.
The SEC has not updated the dollar thresholds that determine these filing categories since 2005, which means a company with a $250 million public float faces the same disclosure obligations as one with a $250 billion float. There has been ongoing discussion about raising those thresholds, but as of now the original cutoffs remain in place.
What “Internal Controls” Means in Practice
Internal controls over financial reporting are the policies, procedures, and systems a company uses to make sure its financial statements are accurate and complete. These aren’t abstract concepts. They’re specific, testable processes like:
- Segregation of duties: The person who approves a payment shouldn’t be the same person who records it in the books.
- Access controls: Only authorized employees can modify data in accounting systems.
- Reconciliations: Bank statements are matched against internal records on a set schedule.
- Approval workflows: Journal entries above a certain dollar amount require a manager’s sign-off.
- IT controls: Changes to financial software go through formal testing and approval before going live.
Most companies organize their controls around the COSO Internal Control framework, published by the Committee of Sponsoring Organizations of the Treadway Commission. COSO’s framework, last updated in 2013, breaks internal control into five components: control environment, risk assessment, control activities, information and communication, and monitoring activities. The SEC and PCAOB (Public Company Accounting Oversight Board) treat COSO as the de facto standard for evaluating whether a company’s controls meet SOX 404 requirements.
How Companies Build a Compliance Program
SOX 404 compliance is not a one-time project. It’s an annual cycle that typically takes 12 to 18 months to establish for the first time, ideally beginning about 18 months before a company’s first fiscal year-end as a public entity. After the initial setup, the cycle repeats each year with updates and retesting.
The process follows a general sequence:
Planning and scoping. A SOX project leader, usually from internal audit or the controller’s office, builds a cross-functional team. They calculate materiality, which is the dollar threshold above which an error would matter to investors. Then they map the company’s financial reporting processes to specific financial statement line items, identifying which business cycles matter most: revenue, procurement, payroll, inventory, treasury, tax, and the financial close process. IT systems are cataloged, including ERP platforms, spreadsheets used for financial data, and access management systems.
Documenting controls. For each significant process, the team documents what controls exist, who performs them, how often, and what evidence is generated. A typical midsize public company might document hundreds of individual controls across its operations. Each control is linked to a specific risk, such as “revenue could be overstated if sales are recorded before goods ship.”
Testing. Controls are tested to confirm they actually work as described. Testing might involve selecting a sample of transactions and checking that the required approval was obtained, or verifying that system access logs show only authorized users made changes. The SEC’s 2007 management guidance encourages a top-down, risk-based approach, meaning companies should focus their heaviest testing on the areas that pose the greatest risk of material misstatement rather than testing everything equally.
Remediation. When testing reveals a control that isn’t working, the company must fix it. If the deficiency is severe enough to qualify as a material weakness, it must be disclosed in the annual report. Lesser deficiencies, called significant deficiencies or control deficiencies, are reported to the audit committee but may not require public disclosure.
Reporting. Management includes its assessment in the annual report filed with the SEC. For companies subject to 404(b), the external auditor issues a separate report on ICFR effectiveness alongside its opinion on the financial statements.
The Auditor’s Role Under 404(b)
The PCAOB’s Auditing Standard No. 5 (AS5), approved by the SEC in 2007, governs how auditors conduct the 404(b) attestation. AS5 replaced an earlier, more rigid standard and was designed to give auditors more flexibility. Key principles include allowing auditors to exercise professional judgment, scaling the level of testing to match the company’s size and complexity, eliminating unnecessary procedures, and letting auditors rely partly on work management has already done under 404(a) rather than duplicating every test.
In practice, the external audit of internal controls is a significant engagement. Auditors interview employees, observe processes, reperform control activities, and test IT system configurations. For large companies, the 404(b) audit can involve dozens of auditors working across multiple locations over several months.
What Happens When Controls Fail
When a company discloses a material weakness, the consequences are immediate and tangible. The company’s stock price often drops because investors interpret the disclosure as a sign that financial statements may not be reliable. The company may face increased regulatory scrutiny from the SEC, and its audit fees typically rise as auditors expand their testing in subsequent years.
Beyond the market reaction, SOX carries real legal teeth. The broader Sarbanes-Oxley Act requires the CEO and CFO to personally certify the accuracy of financial reports. If those certifications turn out to be false, executives face potential civil and criminal liability, including fines and imprisonment under other sections of the Act. While Section 404 itself is primarily a reporting requirement, failures in internal controls that lead to fraudulent financial statements can trigger enforcement actions under the full range of securities laws.
Why SOX 404 Costs Are Controversial
SOX 404 compliance is expensive. Companies spend heavily on internal staff, external consultants, and audit fees to maintain their programs. For smaller public companies, these costs can represent a meaningful percentage of revenue, which is why Congress and the SEC have carved out exemptions for non-accelerated filers and emerging growth companies.
The 2007 reforms, including the SEC’s risk-based management guidance and AS5, were specifically designed to reduce compliance costs without weakening investor protections. Before those changes, many companies were documenting and testing every control with equal rigor regardless of risk, driving up costs unnecessarily. The revised approach lets companies and auditors concentrate resources on the controls that matter most to financial statement accuracy.
Despite the expense, supporters argue that SOX 404 has materially improved the reliability of financial reporting at public companies. The requirement forces companies to find and fix control weaknesses before they lead to restatements or fraud, which protects investors and supports market confidence in reported financial results.