Sarbanes-Oxley Act (SOX) Section 404

What is Sarbanes-Oxley Act (SOX) Section 404?

Sarbanes-Oxley Act (SOX) Section 404 mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test, and maintain those controls and procedures to ensure their effectiveness.

The purpose of SOX is to reduce the possibilities of corporate fraud by increasing the stringency of procedures and requirements for financial reporting.

SOX 404 top-down risk assessment (TDRA) is a risk assessment procedure in financial auditing of public companies in the United States. Congress enacted SOX to enforce strict procedures and increase the rigor of financial reporting methods and regulations in order to limit the risk of corporate fraud through management assessment.

SOX Section 404 financial reporting requirements

Under Sections 13(a) and 15(d) of the Securities Exchange Act of 1934, the Securities and Exchange Commission prescribes rules governing each company's annual report. To ensure SOX compliance, that annual report must contain a report on the company's internal control over financial reporting.

The management is responsible for setting up an adequate internal control structure and procedures for preparing financial statements. At the end of each fiscal year, the management is required to assess the effectiveness of the issuer's internal control structure and financial reporting procedure.

Such assessment of internal controls should be established by following due process and using a suitable and recognized control framework.


SOX Section 404 auditor's attestation

The board of directors is required to hire an external auditor to ensure compliance with the act. Such an external or independent auditor should not be a part of the audit committee responsible for the internal audit of the company.

Sarbanes-Oxley Section 404 mandates that the internal control assessment report include the auditor's attestation.

SOX 404 exemption

Ensuring SOX compliance by assessing the effectiveness of internal control and auditing the internal control report is a difficult task, especially for smaller companies. Recognizing this, SOX provides certain exemptions for:

  1. non-accelerated filers, or companies with a public float of less than $75 million; and
  2. emerging growth companies, or companies with total annual gross revenues of less than $1 billion in the most recent fiscal year.

See also four steps to remain compliant with SOX data retention policies.

This was last updated in March 2022
