SOX Section 404: Management Assessment of Internal Controls

Section 404 of the Sarbanes-Oxley Act (SOX) mandates that all publicly traded companies (with a few exceptions) implement internal controls and procedures for financial reporting. Each of the internal controls set forth by SOX 404 must be documented, tested, maintained, and certified by a third-party audit to confirm its effectiveness, reliability, and accuracy. The objective of SOX 404 is to eliminate vectors for corporate fraud.

In publicly traded companies, the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) are directly responsible for any financial report filed with the Securities and Exchange Commission (SEC). Each year, the organization’s CEO and CFO are required to file an annual report that assesses the establishment, maintenance, and efficacy testing of internal controls over financial reporting.

The CEO and CFO are held personally responsible and face potentially severe criminal penalties for violations, including prison time and millions of dollars in fines. The SOX 404 internal controls report must include:

  1. A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting
  2. A statement identifying the framework used by management to evaluate the effectiveness of internal control
  3. Management’s assessment of the effectiveness of internal control as of the end of the company’s most recent fiscal year-end
  4. A statement that the company’s external auditor has issued an attestation report on management’s assessment

Implementing SOX 404 controls

What does “internal controls” mean?

SOX internal controls, also known as SOX 404 internal controls, are rules that prevent and detect errors in an organization’s financial reporting process. SOX 404 internal controls must be applied to all processes and systems associated with the organization’s financial reporting. These include:

  1. Control environment
    Set of standards and processes that are the foundation for carrying out internal control across an organization
  2. Risk assessment
    Process for identifying and assessing risks that can disrupt an organization’s objectives
  3. Control activities
    Steps taken to mitigate identified risks
  4. Information and communication
    Flow of information that’s required to support internal control functions
  5. Monitoring
    Ongoing evaluation of the performance of internal controls

The following are the five key steps for implementing SOX 404 internal controls.

  1. Plan
    1. Create a project plan.
    2. Develop timelines.
    3. Assess materiality and risk.
    4. Scope the accounts, systems, and processes.
    5. Outline the SOX 404 compliance approach.
  2. Document
    1. Interview key owners of existing processes and internal controls.
    2. Identify key controls.
    3. Perform a gap analysis.
    4. Recommend process and system improvements.
  3. Test
    1. Conduct sample tests of key internal controls.
    2. Evaluate the tests’ effectiveness.
    3. Document methodologies and findings.
  4. Remediate
    1. Test controls to measure performance.
    2. Design solutions for gaps and deficiencies.
    3. Implement solutions.
    4. Document conclusions.
  5. Assess
    1. Reassess materiality and risk.
    2. Document any outstanding issues.

Testing and auditing SOX 404

The testing and auditing of SOX 404 internal controls can be complex and time-consuming, because it includes all of an organization’s IT assets and any devices that have access to financial data.

SOX 404 audit areas of focus

A SOX 404 internal controls audit focuses on four key areas.

  1. Access control
    This area of a SOX 404 audit evaluates the systems and processes that are used to restrict access to sensitive information to ensure that only authorized users have physical and digital access. Digital controls include digital access barriers, such as identity and access management, authentication, and encryption. Physical access controls include badges, locks, and video surveillance.
  2. IT Security
    IT security controls considered for a SOX 404 internal controls audit include the measures taken to identify and protect sensitive data from cyber attacks. This area covers activities performed to monitor and detect cyber attacks as well as response plans to mitigate damage and recover in a timely manner.
  3. Data backup
    A SOX 404 audit evaluates data backup and recovery systems and plans to determine how effective they are for minimizing downtime and data loss in the event of a disaster. SOX 404 compliance requires that both the production and backup systems that handle financial data meet the standards.
  4. Change management
    How an organization manages changes to its IT environment is assessed as part of a SOX 404 internal controls audit. This includes employee onboarding, new infrastructure installation, hardware and software updates, and configuration changes. All changes must be recorded, and changes deemed sensitive must be monitored for vulnerabilities.

SOX 404 testing

The process for SOX 404 internal controls testing consists of four rounds. Several of these rounds occur throughout the year, as do some of the internal controls themselves.

  1. Initial assessment
  2. Interim testing
  3. Year-end testing
  4. Testing by independent auditors

What is the COSO framework?

The most commonly used framework for SOX 404 internal control implementations is the Internal Control Integrated Framework, which was developed in 2013 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in conjunction with five private sector organizations:

  1. Financial Executives International (FEI)
  2. The American Accounting Association (AAA)
  3. The American Institute of Certified Public Accountants (AICPA)
  4. The Institute of Internal Auditors (IIA)
  5. The Institute of Management Accountants (IMA)

This comprehensive framework details the internal controls that must be implemented for SOX 404 compliance. Most of these are mandatory, and failure to implement them can leave an organization in violation of SOX 404 requirements.

Although the COSO internal control framework is voluntary, its SOX 404 compliance guidelines ensure that organizations have the required security infrastructure and systems, or identify overlooked gaps that must be fixed to maintain compliance. In addition, a majority of auditors base their reviews of organizations’ internal control capabilities on the COSO framework.

The COSO framework is based on 17 principles that align with the five internal control components mandated by SOX 404. These detail what is required to demonstrate compliance with SOX 404 requirements to a third-party auditor.

17 Principles of the COSO Framework

SOX 404: An opportunity to improve financial reporting

SOX 404 compliance can be cumbersome and tedious; however, it does not have to be difficult. Implementing and following the right processes and best practices helps relieve the burden of SOX 404 compliance and delivers improved financial reports.
