Section 404 of the Sarbanes-Oxley Act (SOX) requires publicly traded companies, with a few exceptions noted below, to establish and maintain internal controls and procedures over financial reporting. Each internal control covered by SOX 404 must be documented, tested, and maintained, and management's assessment of those controls is attested to by the company's external auditor to confirm that they operate effectively and reliably. The objective of SOX 404 is to reduce the opportunity for corporate fraud and material misstatement in financial reports.
Organizations exempt from the SOX 404(b) external auditor attestation (the 404(a) management assessment still applies):

- Non-accelerated filers, generally companies with a public float of less than $75 million
- Emerging growth companies, i.e. companies with total annual gross revenues of less than $1 billion (a threshold the SEC has since adjusted for inflation) in the most recent fiscal year, for up to five years after their initial public offering
In publicly traded companies, the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) are directly responsible for every financial report filed with the Securities and Exchange Commission (SEC). Each year, the CEO and CFO must file an annual report that states how internal control over financial reporting has been established and maintained, and how its effectiveness has been tested.
The CEO and CFO are held personally responsible for violations and face potentially severe criminal penalties, including prison time and fines in the millions of dollars. The SOX 404 internal control report must include:
- A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting
- A statement identifying the framework used by management to evaluate the effectiveness of internal control
- Management’s assessment of the effectiveness of internal control as of the end of the company’s most recent fiscal year-end
- For companies subject to Section 404(b), a statement that the company’s external auditor has issued an attestation report on management’s assessment
Implementing SOX 404 controls
What does “internal controls” mean?
SOX internal controls, also known as SOX 404 internal controls, are the policies, procedures, and mechanisms that prevent and detect errors and fraud in an organization’s financial reporting process. They must be applied to all processes and systems associated with financial reporting. An internal control system is usually described in terms of five components:
- Control environment
Set of standards, structures, and processes that are the foundation for carrying out internal control across an organization
- Risk assessment
Process for identifying and assessing risks that could prevent the organization from meeting its objectives
- Control activities
Steps taken to mitigate identified risks
- Information and communication
Flow of information required to support internal control functions
- Monitoring
Ongoing evaluation of the performance of internal controls
The following are the five key steps for implementing SOX 404 internal controls.
- Plan
- Create a project plan.
- Develop timelines.
- Assess materiality and risk.
- Scope the accounts, systems, and processes.
- Outline the SOX 404 compliance approach.
- Document
- Interview key owners of existing processes and internal controls.
- Identify key controls.
- Perform a gap analysis.
- Recommend process and system improvements.
- Test
- Conduct sample tests of key internal controls.
- Evaluate the tests’ effectiveness.
- Document methodologies and findings.
- Test controls to measure performance.
- Remediate
- Design solutions for gaps and deficiencies.
- Implement solutions.
- Assess
- Document conclusions.
- Reassess materiality and risk.
- Document any outstanding issues.
Testing and auditing SOX 404
Testing and auditing SOX 404 internal controls can be complex and time-consuming, because the scope includes every IT system that stores, processes, or feeds financial data, along with any device or account that can access or alter that data.
SOX 404 audit areas of focus
A SOX 404 internal controls audit focuses on four key areas.
- Access control
This area of a SOX 404 audit evaluates the systems and processes used to restrict access to sensitive information so that only authorized users have physical and digital access. Digital controls include identity and access management, authentication, authorization, and encryption. Physical access controls include badges, locks, and video surveillance.
- IT security
IT security controls considered in a SOX 404 audit include the measures taken to identify sensitive data and protect it from cyber attacks. This area also covers the activities performed to monitor for and detect attacks, and the response plans for containing damage and recovering in a timely manner.
- Data backup
A SOX 404 audit evaluates backup and recovery systems and plans to determine how effectively they minimize downtime and data loss in the event of a disaster. Both the production systems and the backup systems that handle financial data must meet the same standards.
- Change management
How an organization manages changes to its IT environment is assessed as part of a SOX 404 audit. This covers employee onboarding and offboarding, new infrastructure installation, hardware and software updates, and configuration changes. Every change must be recorded and traceable to an authorization, and changes to sensitive systems must be monitored so that unauthorized or unapproved changes are detected.
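The change-management focus area above comes down to a population test an auditor can actually run: every change deployed to an in-scope financial system must map to a ticket that was approved, before deployment, by someone other than the requester or implementer. The following Python is an added illustration written for this page, not code from the original article or from any vendor tool. The ticket and deployment record schemas, the system names, the people, and the 24-hour emergency-change window are all constructed assumptions; a real test would load the same fields from the ticketing system and the deployment log.

```python
"""Illustrative SOX 404 change-management control test over constructed data.

Control tested: each deployment to an in-scope financial system has a change
ticket that was approved before the deployment by someone who is neither the
requester nor the implementer (segregation of duties). Retroactive approval
within an emergency window is flagged separately so it can be reviewed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    system: str                      # in-scope financial system the ticket covers
    requested_by: str
    approved_by: Optional[str]       # None when the ticket was never approved
    approved_at: Optional[datetime]


@dataclass(frozen=True)
class DeployEvent:
    system: str
    deployed_by: str
    deployed_at: datetime
    ticket_id: Optional[str]         # reference recorded by the deployment tooling


@dataclass(frozen=True)
class Finding:
    system: str
    ticket_id: Optional[str]
    deployed_at: datetime
    code: str                        # one of the control exception codes below


def audit_change_control(tickets: List[ChangeTicket], deploys: List[DeployEvent],
                         emergency_window: timedelta = timedelta(hours=24)) -> List[Finding]:
    """Return one Finding per control exception; a clean population returns []."""
    by_id = {t.ticket_id: t for t in tickets}
    findings: List[Finding] = []

    def flag(d: DeployEvent, code: str) -> None:
        findings.append(Finding(d.system, d.ticket_id, d.deployed_at, code))

    for d in deploys:
        if d.ticket_id is None:
            flag(d, "NO_TICKET")               # change not recorded against any ticket
            continue
        t = by_id.get(d.ticket_id)
        if t is None:
            flag(d, "TICKET_NOT_FOUND")        # reference does not exist in ticketing
            continue
        if t.system != d.system:
            flag(d, "SYSTEM_MISMATCH")         # ticket for one system reused on another
            continue
        if t.approved_by is None or t.approved_at is None:
            flag(d, "NOT_APPROVED")
            continue
        if t.approved_by in (t.requested_by, d.deployed_by):
            flag(d, "SOD_SELF_APPROVAL")       # approver is requester or implementer
        if t.approved_at > d.deployed_at:
            if t.approved_at - d.deployed_at <= emergency_window:
                flag(d, "EMERGENCY_RETROACTIVE")   # approved after the fact, in window
            else:
                flag(d, "NOT_APPROVED_AT_DEPLOY")  # approval too late to count
    return findings


def sample_population():
    """Constructed sample data (hypothetical systems, people, and timestamps)."""
    tickets = [
        ChangeTicket("CHG-101", "GL-ERP", "alice", "carol", datetime(2024, 3, 1, 9, 0)),
        ChangeTicket("CHG-102", "GL-ERP", "bob", "bob", datetime(2024, 3, 2, 10, 0)),
        ChangeTicket("CHG-103", "AP-PAY", "dave", None, None),
        ChangeTicket("CHG-104", "GL-ERP", "erin", "carol", datetime(2024, 3, 4, 14, 0)),
    ]
    deploys = [
        DeployEvent("GL-ERP", "alice", datetime(2024, 3, 1, 12, 0), "CHG-101"),  # clean
        DeployEvent("GL-ERP", "bob", datetime(2024, 3, 2, 11, 0), "CHG-102"),    # self-approved
        DeployEvent("AP-PAY", "dave", datetime(2024, 3, 3, 9, 0), "CHG-103"),    # never approved
        DeployEvent("GL-ERP", "erin", datetime(2024, 3, 4, 2, 0), "CHG-104"),    # emergency change
        DeployEvent("GL-ERP", "frank", datetime(2024, 3, 5, 9, 0), None),        # no ticket
        DeployEvent("AP-PAY", "alice", datetime(2024, 3, 6, 9, 0), "CHG-101"),   # wrong system
        DeployEvent("GL-ERP", "alice", datetime(2024, 3, 7, 9, 0), "CHG-999"),   # unknown ticket
    ]
    return tickets, deploys


if __name__ == "__main__":
    for f in audit_change_control(*sample_population()):
        print(f"{f.deployed_at:%Y-%m-%d %H:%M} {f.system:7} {f.ticket_id or '-':8} {f.code}")
```

Each exception code corresponds to a deficiency the auditor would write up: an unrecorded or unapproved change is a design or operating failure of the authorization control, a self-approval is a segregation-of-duties failure, and a retroactive approval is acceptable only if the emergency-change procedure itself is a documented, tested control.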
SOX 404 testing
SOX 404 internal controls testing typically consists of four rounds. Because many controls operate continuously or on a recurring schedule, testing is spread across the year rather than concentrated at year-end.
- Initial assessment
- Interim testing
- Year-end testing
- Testing by independent auditors
What is the COSO framework?
The most commonly used framework for SOX 404 internal control implementations is the Internal Control – Integrated Framework, first published in 1992 and substantially updated in 2013 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO is jointly sponsored by five private-sector organizations:
- Financial Executives International (FEI)
- The American Accounting Association (AAA)
- The American Institute of Certified Public Accountants (AICPA)
- The Institute of Internal Auditors (IIA)
- The Institute of Management Accountants (IMA)
The COSO framework does not prescribe specific controls; it defines the components and principles an effective internal control system must satisfy, and it is against these that management and the auditor judge whether the controls an organization has chosen are adequate. Use of COSO is voluntary: the SEC requires only that management evaluate internal control against a suitable, recognized framework. In practice, however, COSO is the framework that nearly all filers adopt and that most auditors base their reviews on, so following it is the most reliable way to demonstrate that the required control infrastructure is in place and to surface overlooked gaps before they become reported deficiencies.
The 2013 COSO framework is built on 17 principles grouped under its five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring). Together they describe what an organization must be able to demonstrate to its external auditor to support a SOX 404 assessment.
17 Principles of the COSO Framework
| Internal control component | COSO principles |
|---|---|
| Control environment | 1. Demonstrate a commitment to integrity and ethical values; 2. Ensure that the board is independent and exercises oversight responsibility; 3. Establish structure, authority, reporting lines, and responsibility; 4. Demonstrate commitment to attracting, developing, and retaining a competent workforce; 5. Enforce accountability across the organization |
| Risk assessment | 6. Specify appropriate, specific objectives; 7. Identify and analyze risks; 8. Assess fraud risk; 9. Identify and analyze significant changes that could impact internal controls |
| Control activities | 10. Select and develop internal control activities that help mitigate risks; 11. Select and develop controls over technology; 12. Maintain and enforce internal controls with thorough policies and procedures |
| Information and communication | 13. Use relevant, high-quality information to support the execution of internal controls; 14. Communicate internal control information internally; 15. Communicate internal control information externally |
| Monitoring | 16. Conduct ongoing and/or periodic evaluations of internal controls; 17. Evaluate and communicate internal control deficiencies |
SOX 404: An opportunity to improve financial reporting
SOX 404 compliance can be cumbersome and tedious, but it does not have to be difficult. Implementing and following the right processes and best practices relieves much of the burden and, as a by-product, produces more reliable financial reports.