Understanding which statute your company falls within is important, as it has a significant impact on the level of effort management and the external auditor must incur to comply.
On this episode of the Risk & Accounting Advisory’s Risk in Review podcast, we honor the 20th anniversary of the Sarbanes-Oxley Act (“SOX”) and explore the differences between two parts of Section 404, SOX 404a and 404b, outline the nuances and exceptions for companies to comply with the second year 404b attestation requirements, as well as examine 404a through management’s perspective. Finally, our SOX leaders touch on IT general controls and companies involved in a SPAC deal and the distinctions relating to this unique situation.
For more information on the SOX 404a or 404b approaches, visit cbh.com/risk and also check out our published articles on the 2022 Sarbanes-Oxley SOX Compliance Considerations for Public Companies, Filing Status and ICFR Compliance Considerations for SPAC and IPO Transactions, and the Are You Ready For Enhanced Cybersecurity SEC Reporting Requirements? podcast.
Related Podcasts in the Risk In Review Series
- 2022 SOX Section 404 Considerations & Summer Planning
- Third-Party Risk Management and How It Can Add Value and Drive Success Within Your Organization
- What is Risk Analytics and Why Is It Important?
- Taking a Closer Look at the New SEC Cybersecurity Proposed Rule Changes and its Potential Impact on Companies
HOST: Hello and welcome to the Risk and Accounting Advisory podcast. I'm Neil Begging, firm leader of Cherry Bekaert's Risk Advisory practice. Today we will outline the differences between SOX 404(a) and 404(b) and how management might approach them differently. Joining me are Gareth Monu Smith and Payton Black, leaders in Cherry Bekaert's SOX practice.
GARETH: At a very high level, Section 404(a) requires management to report on the effectiveness of internal control over financial reporting, whereas Section 404(b) requires an auditor attestation with respect to an issuer's internal control over financial reporting.
GARETH: Section 404(a) applies to every public company; companies must update or attest to their internal controls in their Form 10-K Item 4 and in their Form 10-Qs. On a macro level, and ignoring some nuances or exceptions, large accelerated filers—which are determined by revenue and/or market capitalization—will have to obtain an auditor attestation under Section 404(b) in their second year as a public company.
PAYTON: There are several benchmarks, including revenue and market-cap rules, that determine when a company is subject to Section 404(a) or 404(b). There are additional complexities around Emerging Growth Companies, where depending on certain metrics a company might not be required to have an ICFR attestation for up to five years after going public.
PAYTON: In March 2020 the SEC adopted amendments to filing-status rules that affect SOX requirements. We published a white paper last year titled "Filing Status and ICFR Compliance Considerations for SPAC and IPO Transactions," available on our external web page at cb.com under Guidance. That white paper includes a table summarizing filing-status and ICFR disclosure criteria, which is useful given the amendments. We recommend reviewing that guidance if you are moving from one filing status to another, because filing status can significantly impact the level of effort management and the external auditor must incur to comply.
GARETH: Regardless of whether a company is under Section 404(a) or 404(b), the external auditor still must conduct procedures over processes—typically walkthroughs—to fully understand and identify likely sources of material misstatement or situations where a necessary control is missing or ineffectively designed.
PAYTON: One point related to SPACs and opinions: when a SPAC completes a business combination, the internal controls of the SPAC acquirer may be supplanted by those of the private operating company. The previously private company may not yet have appropriate controls in place. The SEC has indicated it may not object to management of the combined company omitting its assessment of ICFR in the next annual Form 10-K. This relief is similar to that provided in the year of an acquisition for a newly acquired company, where controls can be scoped out in a statement in the Form 10-K disclosure.
HOST: Payton, can you help us understand from management's perspective what they must do under Section 404(a)?
PAYTON: Relief from the external auditor's Section 404(b) attestation requirement does not relieve management of performing its own assessment of ICFR. Management has flexibility regarding the nature, timing, and extent of testing, which could differ significantly from an auditor's approach.
PAYTON: The SEC has released guidance stating that because management is responsible for maintaining reasonable evidential support for its assessment—based on daily interaction with controls and ongoing direct involvement and supervision of execution—management's knowledge could provide sufficient basis to assess ICFR. The external auditor, not knowing the business as well and having a different objective, is unlikely to have the same flexibility. In other words, the burden of evidence can be different for management under Section 404(a) than for auditors under Section 404(b). Management's approach should be based on its specific circumstances and risk appetite.
HOST: Gareth, are there situations in which an auditor might still want to do more than a walkthrough under Section 404(a)?
GARETH: Absolutely. If the auditor determines they cannot obtain sufficient appropriate audit evidence through substantive procedures alone, they may test internal controls for operating effectiveness even if an integrated opinion is not required under PCAOB standards. It may also be more efficient to test controls to reduce the level of substantive testing.
GARETH: One common area is ITGC—information technology general controls—where testing often provides a more efficient and effective approach to obtain evidence for information-dependent assertions, such as completeness and accuracy of spreadsheets and reports.
PAYTON: Early and frequent discussion with your auditor regarding their audit approach is important. Filing status determinations are assessed annually, generally as of a company's second fiscal quarter. Depending on where your company is in its life cycle, you could move between Section 404(a) and 404(b) from year to year, which can materially affect management's and the external auditor's time commitments, level of effort, and costs. Consult the SEC guidance and your SEC counsel and stay ahead of filing-status changes to avoid surprises.
HOST: It is hard to believe it's been 20 years since the Sarbanes-Oxley Act was passed, and SOX remains relevant today. If you have questions about which approach your company should take or the appropriate level of involvement and overall approach, reach out to your financial adviser or SEC counsel. You can also reach out to Cherry Bekaert with any questions; visit cb.com/risk for more information on SOX compliance and internal controls.
GARETH: Thank you.
PAYTON: Thank you.