Section 404 of the Sarbanes-Oxley Act is one of the more complicated parts of the legislation. Section 404(a) requires that the management of publicly held companies assess the effectiveness of their internal control over financial reporting (ICFR). Section 404(b) requires a publicly held company’s independent auditors to attest to, and report on, the company’s internal control over financial reporting. But what exactly are the differences between 404(a) and 404(b) with regard to requirements and the extent of the effort necessary for compliance?
Requirements of SOX 404(a)
Under Section 404(a), management is required to maintain sufficient evidence to support their conclusions on the design adequacy and operating effectiveness of internal control. The SEC recognizes that what constitutes sufficient documentation for management may be very different from what constitutes sufficient documentation for their auditors. The SEC has not prescribed a methodology or a standard for the level of documentation and testing behind management’s assessment, but it does require the use of an accepted framework (e.g., COSO – Committee of Sponsoring Organizations of the Treadway Commission) in evaluating ICFR. One of the key differences between management and the auditors is that management has ongoing access to their documentation and procedures, and they are presumed to understand how everything fits together, including how transactions flow (from initiation through reporting) and how the controls are performed.
Although management is required to maintain sufficient documentation, they are not required to organize it in a manner that facilitates a third-party review (e.g., the auditors’ review). So, with certain enhancements, the company’s ongoing operating documentation may be sufficient to support management’s internal control structure and its ICFR assessment conclusions.
Additional Effort Required for SOX 404(b)
Under Section 404(b), the auditor is required to issue a second, separate opinion, which significantly increases the audit effort throughout the year. The auditor, as an independent third party, is presumed not to understand management’s internal control structure and procedures. In order to independently evaluate and report on the effectiveness of the company’s ICFR, the auditor must obtain and document an understanding of the internal control structure, including transaction flows and review procedures, and must perform detailed testing of key internal controls in order to make their attestation and report.
This results in management having to organize and enhance their documentation in order to facilitate the auditors’ work. Auditors must gather and retain sufficient documentation and evidence to support their assessment, because they will not have subsequent access to the company’s documents and procedures. The standards used by the auditors (not required for management) are prescribed by the Public Company Accounting Oversight Board (PCAOB). Therefore, the documentation and evaluation procedures are very different, resulting in a substantial increase in the level of effort and documentation required for management to support the design and operating effectiveness of their ICFR for examination by a third party.
Areas of Expanded Focus under SOX 404(b)
The primary areas of expanded auditor focus under 404(b) include the following:
- Enhanced transaction flow analysis and documentation
- Enhanced key control descriptions and operating evidence
- Incremental evidence of the execution of controls (i.e., more than sign-offs is needed)
- Increased documentation of the evaluation of completeness and accuracy of spreadsheets and critical system-generated reports
- Incremental procedures to validate the design adequacy and operating effectiveness of internal controls at third-party service providers
- Management review controls, including documentation of review procedures, level of precision, and results
- Monitoring and resolution of segregation of duties conflicts, including in the IT environment
- Security and user access provisioning and de-provisioning for systems and applications, as well as the performance of periodic user access reviews
- Monitoring of privileged/administrative access rights to systems and applications
- Population and sample sizes for operating effectiveness testing sufficient to achieve the auditors’ level of assurance
Allowable Exemptions and Delays for SOX 404(b)
As of this writing there is one exemption from, and three implementation delays granted in, the application of Section 404(b), as follows:
- While still required to comply with 404(a), non-accelerated filers (companies with less than $75 million in public float) have been granted an exemption from Section 404(b). Public debt filers and Smaller Reporting Companies are also considered non-accelerated filers.
- Newly public companies can delay the application of both 404(a) and 404(b) until the filing of their second Form 10-K (which could be up to two years).
- Companies can delay the application of 404(a) and 404(b) for newly acquired companies for up to a year after the acquisition, with proper disclosure.
- The JOBS Act (Jumpstart Our Business Startups Act) extends the two-year delay for newly public companies described above from two years to five years for compliance with 404(b), for new public companies with annual revenues of less than $1 billion, as long as they do not exceed the following market capitalization or revenue thresholds:
  - The company’s revenue grows to more than $1 billion
  - The company issues more than $1 billion in nonconvertible debt over a three-year period
  - The company’s worldwide public float exceeds $700 million
The separate opinion required by auditors under Section 404(b) can significantly increase the audit effort throughout the year. Most believe that Section 404(b) has led to improved financial reporting and greater transparency because of the mandatory involvement of the external auditors. While many organizations feel that all companies should benefit from the Section 404(b) requirement, some small companies have argued that the regulatory cost and burden of having the auditor assessment outweighs the benefit to investors.
This cost-benefit concern is what led to the exemption and most of the delays discussed above. Companies that meet the exemption do not have to worry about 404(b), but management must still certify under 404(a) that their internal control over financial reporting is operating effectively. This means that management must document and test their controls. If your organization can delay the auditor attestation, you must still comply with 404(a), but the delay allows management to take a more gradual approach to Section 404(b) compliance. As with most regulations, the earlier you get started, the more likely you are to ensure proper compliance and minimize the associated costs.
Bill Dawson, CPA is a Principal and the service line leader for AC Lordi’s Risk & Compliance practice. He has a diverse background in accounting and reporting, tax, audit and business consulting with public and privately held domestic and multinational corporations. He served as VP of Internal Audit, and later as the VP of Corporate Income Tax for a $2+ billion specialty apparel retailer. He also has 18+ years of Big 4 experience with PricewaterhouseCoopers, including as an Audit Partner managing a portfolio of public and privately held consumer product, chemical manufacturing, aerospace and retail clients. Bill can be reached at firstname.lastname@example.org or 610-738-0100.
Jeff Flynn, CPA is a Principal for AC Lordi’s Risk & Compliance practice. He plans global and single site Sarbanes-Oxley compliance efforts, ensuring proper scope for cost effective compliance and coordinating with management, audit committees, and external auditors. He co-developed the firm’s proprietary SOX methodology and has led initial implementation efforts and control optimization efforts for more than 50 clients. He can be reached at email@example.com or 610-738-0100.