Transparency and accountability are paramount to maintaining trust and fostering relationships with stakeholders. One of the key regulations that allows this to happen is the Sarbanes-Oxley Act of 2002 (SOX). Specifically, SOX 404 is a critical component for companies, especially those that are publicly traded or registered with the U.S. Securities and Exchange Commission (SEC).
But what exactly is SOX 404 compliance, and why is it so important?
What Is Sarbanes-Oxley Section 404 (SOX 404)?
Section 404 of SOX mandates that companies must establish and maintain an adequate internal control structure for financial reporting. This is in addition to the financial audits that a company registered with the SEC is already required to issue. The goal of SOX 404 is to ensure that a company’s financial statements are accurate and reliable, thereby protecting investors and the public from fraudulent activities and financial misstatements.
SOX 404 compliance is a vital aspect of corporate governance that ensures the accuracy and reliability of a company's financial reporting. By understanding the high-level compliance requirements, the distinction between SOX 404(a) and 404(b), and the implications for companies, businesses can better navigate the complexities of this regulation. Achieving SOX 404 compliance not only enhances financial accuracy and accountability but also promotes investor confidence and long-term success.
SOX 404(a) vs. 404(b): What Are the Differences?
SOX 404 compliance is divided into two subsections: 404(a) and 404(b). Understanding the distinction between these two is crucial for companies aiming to achieve compliance.
- SOX 404(a): Requires management to annually assess and report on the effectiveness of the company's internal controls over financial reporting. Management must provide a written report that includes their assessment of the internal controls and any identified deficiencies.
- SOX 404(b): Goes a step further by requiring an independent external auditor to attest to the effectiveness of the company's internal controls. The auditor's report is included in the company's annual financial statements and provides an additional level of assurance to investors and stakeholders. As a rule of thumb, SOX 404(b) compliance is much more stringent and has more significant impacts when it is applied.
What Are SOX Internal Controls?
Under SOX 404, companies must design and implement internal controls to detect, prevent and mitigate potential errors and fraud in financial statements. Internal controls are policies, procedures and systems that ensure the accuracy and reliability of financial reporting.
These controls typically include:
- Segregation of Duties
- Management Review Controls
- Entity Level Controls
- Access Controls
- Audit Trails
- Change Management Protocols
- Cybersecurity Solutions
SOX 404 doesn’t include specific internal controls processes or recommendations; however, there are common frameworks companies can use to meet SOX compliance. The most common is the COSO framework.
The COSO Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a widely accepted framework for internal controls, which is built on five key components:
- Control Environment: Sets the tone at the top, emphasizing integrity, ethical values and accountability.
- Risk Assessments: Helps identify and evaluate risks that could impact financial reporting, allowing companies to tailor controls accordingly.
- Control Activities: These are the specific actions, such as approvals, verifications and reconciliations, taken to mitigate identified risks.
- Information and Communication: Ensures that relevant internal control information is shared across departments and with stakeholders to support compliance.
- Monitoring Activities: Involves ongoing evaluations and audits to ensure controls remain effective and are updated as needed.
Adopting the COSO Framework gives both management and external auditors a recognized basis for forming a well-supported opinion on the effectiveness of the internal control environment.
SOX 404 External Audits & Attestation
Once an organization has implemented and internally evaluated its controls — ideally aligned with the COSO framework — it must also undergo an independent, third-party or external audit if subject to SOX 404(b). Most auditors will base their assessment on the COSO framework.
The audit process is both comprehensive and exhaustive as external auditors rigorously test the effectiveness of internal controls over financial reporting, including IT assets and any systems with access to financial data. Most organizations experience several rounds of internal testing throughout the year, culminating in the official annual external audit.
SOX 404 Compliance Requirements: Who Must Comply?
SOX 404 requirements apply to any company registered with the SEC, and which subsection applies is determined by the company's filing status. The minimum requirement for all public companies registered with the SEC is SOX 404(a). These filing statuses are summarized below:

| Category | Filer Status | Public Float | Annual Revenue | Applicable Section |
|---|---|---|---|---|
| SRC (Smaller Reporting Company) | Non-accelerated Filer | < $75 million | N/A | 404(a) |
| SRC (Smaller Reporting Company) | Non-accelerated Filer | $75 million to less than $700 million | < $100 million | 404(a) |
| SRC (Smaller Reporting Company) | Accelerated Filer | $75 million to less than $250 million | > $100 million | 404(b) |
| Non-SRC | Accelerated Filer | $250 million to less than $700 million | > $100 million | 404(b) |
| Non-SRC | Large Accelerated Filer | > $700 million | N/A | 404(b) |
The main driver for the change of filing status is the market value of publicly owned stock, commonly called “public float”. The secondary driver is revenue.
Who Is Exempt From SOX 404 Requirements?
While SOX 404(a) compliance is required for all publicly traded companies registered with the SEC, certain organizations are exempt from the more rigorous 404(b) requirements. Specifically:
- Non-accelerated filers or companies with less than $75 million in public float are typically exempt from the SOX 404(b) attestation requirement.
- Emerging Growth Companies (EGCs) or companies in their first five years after their initial public offering (IPO) are exempt from 404(b) unless they exceed the threshold. This threshold is currently $1.235 billion in total annual gross revenues, according to the SEC. When EGCs lose this status, they must comply with SOX 404(b).
- Private companies are not subject to SOX 404 at all, unless they are preparing for an IPO or are acquired by a public company.
These exemptions are designed to reduce the regulatory burden on smaller businesses while still maintaining a baseline of financial accountability.
Why Is SOX 404 Compliance Important?
SOX 404 compliance matters not only because it is a legal requirement, but also because achieving it brings strategic advantages:
- Improved Internal Controls: The process of achieving SOX 404 compliance often leads to the improvement of internal controls and procedures. Companies may identify and rectify weaknesses in their financial reporting processes, leading to more efficient and effective operations.
- Reduced Legal and Regulatory Risks: Non-compliance with SOX 404 can result in legal and regulatory risks. Companies may face penalties, fines and reputational damage if they fail to meet SOX 404 audit requirements. Therefore, it is crucial for companies to prioritize SOX 404 compliance and strong internal controls to detect and mitigate these risks.
- Enhanced Financial Accuracy and Investor Confidence: Compliance with SOX 404 ensures that a company's financial statements are accurate and reliable. This can boost investor confidence and enhance the company's reputation in the market. Reliable financial reporting reassures investors that the company is operating with integrity and transparency.
- Increased Accountability: SOX 404 compliance promotes accountability within the organization. Management is required to take responsibility for the effectiveness of internal controls, and the external audit provides an additional layer of oversight.
Achieving SOX 404 compliance can be resource-intensive. Companies may need to invest in new systems, hire additional staff, and allocate significant time and effort to meet the compliance requirements. However, the long-term return on investment — reduced risk exposure, enhanced financial accuracy and improved decision-making — often outweighs the initial costs. Ultimately, SOX 404 plays a pivotal role in strengthening corporate governance and financial transparency.
SOX 404 Compliance Checklist
Depending on the specific SOX 404 compliance requirements applicable to an organization, various actions must be completed to prepare for the audit and meet those standards. Organizations can use the following SOX compliance checklist to prepare for either a section 404(a) or 404(b) audit — clarifying which items are required, recommended, low priority and/or not applicable.
Generally, the checklist covers activities surrounding:
- Establishing robust internal controls
- Thoroughly documenting control procedures
- Maintaining clear segregation of duties
- Regularly performing risk assessments and control testing
- Collecting sufficient evidence
- Monitoring control effectiveness
- Ensuring timely quarterly and year-end evaluations
Supporting these efforts, ongoing staff training and secure data management are crucial. Engaging with external auditors early and maintaining a comprehensive audit trail further strengthens compliance and accountability.
Your Guide to SOX 404 Compliance
Cherry Bekaert’s Risk Advisory practice can assess your SOX program and strengthen internal controls through our SOX Compliance Services. From SOX audits to financial reporting and regulatory challenges, our professionals work closely with you to tailor solutions that meet your needs. Our experienced professionals can also assist with SOC for private companies, internal audit co-sourcing and accounting advisory services.