SOX Section 404
SOX Section 404 requires U.S. public company management to include in its annual report an assessment of the effectiveness of internal control over financial reporting (ICFR) as of fiscal year-end and, for accelerated filers, requires the company's external auditor to separately attest to and report on management's assessment of ICFR effectiveness.
Section 404 of the Sarbanes-Oxley Act of 2002 is widely regarded as the most consequential and most costly provision of the Act. Implemented through SEC Rules 13a-15 and 15d-15 and PCAOB Auditing Standard AS 2201 (An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements), Section 404 transformed internal controls from a back-office concern into a front-and-center public reporting obligation.
Section 404(a) applies to all U.S. public companies filing annual reports with the SEC. It requires that the annual report contain a statement of management's responsibility for establishing and maintaining adequate ICFR and management's assessment of ICFR effectiveness as of the end of the fiscal year, based on a suitable, recognized control framework — most commonly the COSO Internal Control — Integrated Framework. If any material weaknesses are identified during the assessment, they must be disclosed, and management cannot conclude that ICFR is effective if any material weakness exists.
Section 404(b) applies to accelerated filers and large accelerated filers (generally, companies with public float above $75 million) and requires the registered public accounting firm to attest to and report on management's ICFR assessment. This is a separate, additional engagement beyond the financial statement audit, though PCAOB AS 2201 integrates the two engagements to improve efficiency. Non-accelerated filers and smaller reporting companies are permanently exempt from 404(b) following the Dodd-Frank Act of 2010.
The auditor's attestation under 404(b) is an independent assessment of ICFR effectiveness — not merely an evaluation of whether management followed proper assessment procedures. The auditor tests internal controls directly, identifies control deficiencies independently, and issues an opinion on whether ICFR is effective based on criteria established in the COSO framework. An adverse opinion on ICFR is issued when the auditor identifies one or more material weaknesses.
For investors, the 404(b) auditor attestation is a significantly more reliable indicator of internal control quality than management's own 404(a) assessment standing alone. Academic research has documented that material weaknesses are identified earlier and disclosed more completely when auditor attestation is required, that companies subject to 404(b) have lower restatement rates, and that earnings quality metrics are superior for 404(b) filers compared to similarly sized exempt companies. The presence or absence of 404(b) coverage is therefore a meaningful input to assessing reporting risk, particularly for smaller-cap companies.