SOX Section 404: Internal Controls
Section 404 is the most resource-intensive SOX requirement and the one most compliance programs are built around. It requires management to assess the effectiveness of internal control over financial reporting (ICFR) and, for larger companies, requires the external auditor to independently audit and report on ICFR effectiveness.
Section 404(a): Management Assessment
Section 404(a) requires management to include in the annual report an assessment of the effectiveness of ICFR as of fiscal year-end. To support that assessment, management must establish and maintain adequate internal controls, identify and document the key controls, test both the design and the operating effectiveness of those controls, and conclude whether ICFR is effective. The report must also identify the control framework used to make the assessment.
Section 404(b): Auditor Attestation
Section 404(b) requires the external auditor to independently attest to, and report on, the effectiveness of ICFR. In practice the auditor performs its own testing and issues its own opinion rather than simply reviewing management's conclusion. The requirement applies to accelerated filers and large accelerated filers. Non-accelerated filers (which include most smaller reporting companies) and emerging growth companies are exempt from 404(b), though they remain subject to the management assessment under 404(a).
The COSO Framework
Most organizations use the COSO Internal Control — Integrated Framework as the basis for their ICFR assessment. COSO defines five components: control environment, risk assessment, control activities, information and communication, and monitoring activities. These components and their 17 principles provide the structure for identifying and evaluating controls.
Identifying Key Controls
Key controls are those that, if they failed, could result in a material misstatement of the financial statements. Identifying them requires understanding your significant accounts and disclosures, the classes of transactions that feed them, and the processes and systems that affect them. Walk through each process from transaction initiation to the financial statement line item it affects, noting at each step whether the control is manual or automated. Automated controls and system-generated reports are only as reliable as the IT general controls (access, change management, operations) over the systems that run them, which is why those controls are assessed alongside the business process controls.
Testing Controls
Controls are tested for design effectiveness (if it operates as designed, would the control prevent or detect a material misstatement?) and operating effectiveness (did the control actually operate as designed throughout the period?). Testing methods include inquiry, observation, inspection of documentation, and re-performance. Inquiry alone is not sufficient evidence of operating effectiveness; it must be combined with at least one of the other methods. Sample sizes scale with how often the control operates: a daily control requires many more samples than a quarterly or annual one, and an automated control can often be tested once, provided the IT general controls over the system are effective.
Material Weaknesses
A material weakness is a deficiency, or combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis. If a material weakness exists at year-end, management must conclude that ICFR is not effective, and the auditor's 404(b) opinion will be adverse. Material weaknesses must be disclosed in the annual report, and management is expected to remediate them and to test the remediated controls before concluding that the weakness has been resolved. Lesser deficiencies are classified as significant deficiencies (reported to the audit committee but not publicly disclosed) or as control deficiencies.
In the next lesson, we will cover IT general controls.