What is Section 404 of the SOX Act?
How PwC can help you

For all Securities & Exchange Commission (SEC) registered organisations, whether subsidiaries of US domestic registrants or foreign private issuers, that need to comply with the requirements of section 404 of the Sarbanes-Oxley Act, PwC provides a range of services to help you achieve compliance. Our advisory services include project management assistance, technical support, determining the risk assessment and scoping activities, assisting in documentation and evaluation efforts, training, quality assurance, and review. For non-audit clients, we provide direct assistance in the evaluation and remediation of controls.
Auditing laws cover various topics and industries, from social media privacy to financial transactions. Each auditing process targets different weaknesses in order to tackle the risks that accompany technological advancements. In particular, the multi-faceted Sarbanes-Oxley Act (SOX) deals with corporate operations and publicly traded companies. The section 404 requirement addresses financial documentation. Are you aware of the SOX 404 requirements? Find out everything you need to know about compliance with our comprehensive guide.

An Overview of SOX

The SOX Act, passed in 2002, affects all companies, regardless of industry. It addresses corporate governance and financial practices with a particular focus on records. SOX includes 11 titles, with the primary audit-related sections being 302, 401, 404, 409, and 802. Although this article mainly covers section 404, below is a brief summary of each main section:
SOX and Security Procedures

While all of the above sections review financial operations and documentation, companies should already have strong security procedures in place. The goal of audits like SOX is to assess these controls; however, if a company lacks major internal controls, the audit process will be less beneficial. Furthermore, if overall company security is weak, financial operations will also be weakened. Good security controls will maintain data integrity in collection, transfer, and storage. Utilizing systems that categorize and tag data will help regulate and organize internal and consumer data.

What Are Internal Controls?

According to the Federal Deposit Insurance Corporation (FDIC), internal controls: "Include the policies and procedures that financial institutions establish to reduce risks and ensure they meet operating, reporting, and compliance objectives." But why are they so important? Internal controls safeguard company assets, maintain the integrity of financial data and transactions, ensure compliance, support daily operations, and assist companies in achieving their objectives. The controls may be electronic or physical in nature. For example, a physical control may be the segregation of duties: the fewer people and processes involved in a financial transaction, the lower the risk level. Electronic controls range from simple two-factor authentication to complex algorithms monitoring computer systems for suspicious activity. For more information, the FDIC provides a comprehensive list of internal routines and controls.

SOX 404 Specifications

This section requires that: "All annual financial reports must include an Internal Control Report stating that management is responsible for an 'adequate' internal control structure, and an assessment by management of the effectiveness of the control structure." Basically, the section addresses auditor attestation, i.e., verifying that the auditing process was completed thoroughly.
Section 404 of the act requires an auditor to attest to and report on a company's assessment of its internal controls. This process allows an "outsider" to look at internal operations and reviews from an objective perspective. The 404 clause increases transparency, particularly regarding financial reporting. Furthermore, it focuses on the likelihood of material misstatements. Although SOX 404 increases auditing costs, many experts believe the information and insights the audit provides for investors are well worth the extra expense.

Exemptions

Realizing the cost of auditing is too much for some companies, the SEC does not require non-accelerated filers, or companies with less than USD 75 million in public float (i.e., the portion of shares held by public investors), to comply with section 404. The exemption also encompasses Emerging Growth Companies (EGCs) for up to a five-year period. Although not yet passed, in early 2019 a group of senators proposed a new bill focusing on Emerging Growth Companies (EGCs). The new bill relates to companies that have issued an IPO but are still earning low revenues. If passed, the bill would provide another five-year extension for companies that "earn annual average revenue of less than USD 50 million and less than USD 700 million in public float."

Control Management

Out of all the SOX specifications, the control testing process will likely cost the most in terms of both time and money, but in the end, it is well worth it. The following points summarize a skeletal structure for assessing controls, but each company will have to adapt them to its particular needs.
These control assessments must be done on a yearly basis and completed prior to the end of a company's fiscal year.

The Five Components of Internal Control

When conducting risk assessments, companies should use the five components of internal control as a baseline framework. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) created the five-layer model in 1992 (later updated), and it is now widely accepted as a good starting point for evaluating internal controls.
[Figure: the five components of internal control. Image source: University of North Carolina at Chapel Hill]

SOX Compliance Testing & TDRA

As briefly mentioned above, a major part of the SOX 404 attestation includes a Top-Down Risk Assessment (TDRA). But what exactly is a TDRA? The TDRA approach is a step-by-step process designed to address past omissions and oversights in the auditing process and prevent such oversights in the future. More formally, the U.S. Public Company Accounting Oversight Board (PCAOB) defines the TDRA process (in Auditing Standard No. 5) as follows:

"A top-down approach begins at the financial statement level and with the auditor's understanding of the overall risks to internal control over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions. This approach directs the auditor's attention to accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements and related disclosures. The auditor then verifies his or her understanding of the risks in the company's processes and selects for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion."

Common SOX 404 Audit Mistakes

It's easy to become overwhelmed or distracted by various tasks during the audit process. This can lead to what Norman Marks, a risk management expert, calls "scope creep": when distractions cause management to lose focus on the two key questions of risk management: What is the risk? and Where is the risk? Marks goes on to note five common mistakes companies make when conducting SOX audits.
Avoiding these five mistakes, while by no means the only ones, will help reduce costs, provide more constructive results, and improve the likelihood of obtaining SOX compliance. If the concept of risk analysis frameworks is still a bit unclear, check out COSO's 2013 integrated-framework suggestions.

Principles to Determine the Extent of Reliance

As noted in Marks' top five SOX mistakes, companies tend to overlook the importance of reliance. Financial experts define audit reliance as reducing the volume or extent of internal audit work when the work performed by others meets certain standards. While reliance isn't always considered a positive quality, in the auditing world reliance can significantly reduce the costs of obtaining compliance, particularly if a company must adhere to numerous compliance policies. The Institute of Internal Auditors (IIA) outlines five principles for determining the extent of reliance:
Since each unique case will likely require a different level of reliance, creating a ranking system will prove beneficial. When it's time to audit, a company will review the criteria listed for a specific case and choose the reliance level that fits best within the context.

Need Help?

There are numerous resources out there for achieving SOX compliance. Many experts in the financial industry offer constructive insight that will help when it comes to SOX auditing. For additional assistance with SOX compliance, contact RSI Security today.

RSI Security

RSI Security is the nation's premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world's leading companies, institutions and governments to ensure the safety of their information and their compliance with applicable regulation. We are also a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software-based automation and managed services, RSI Security can assist organizations of all sizes in managing IT governance, risk management and compliance (GRC) efforts. RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

What is SOX section 404?

Sarbanes-Oxley Act (SOX) Section 404 mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test, and maintain those controls and procedures to ensure their effectiveness.
Why is Section 404 of SOX important?

The shocking series of accounting scandals and auditing failures that led to the enactment of SOX seriously eroded public confidence in financial reporting. Section 404 aims to rebuild public trust by bolstering the internal controls that underpin the accuracy and reliability of published financial information.
What is the difference between SOX 302 and 404?

SOX 302 involves a survey and review of related reporting before top officers certify financial reporting, financial controls and fraud activity. SOX 404 includes processes and procedures for setup as well as risk management through monitoring and measuring to control risks associated with financial reporting.
Who must comply with SOX 404?

SOX 404 compliance is a necessity for all publicly traded companies in the United States, in addition to wholly owned subsidiaries and publicly traded foreign companies that do business in the US.