Section 404(b) of the Sarbanes-Oxley Act (often referred to as “SOX”) requires a publicly traded company’s auditor to attest to, and report on, management’s assessment of its internal controls. Section 404(b) applies to publicly traded companies that are considered accelerated filers and large accelerated filers, with non-accelerated filers being exempt.
Among other provisions, a company qualifies as an accelerated filer or a large accelerated filer under the following criteria:
Accelerated Filer – The organization has a public float (the portion of a company’s outstanding shares that is held by the public, and not by company officers, directors, or stockholders that hold controlling interest) between $75 million and $700 million as of the last day of the most recently completed second fiscal quarter.
Large Accelerated Filer – The organization has a public float greater than $700 million as of the last day of the most recently completed second fiscal quarter.
Under 404(b), company management is required to perform the following:
- Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks
- Understand the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise
- Evaluate company-level (entity-level) controls, which correspond to the components of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 framework
- Perform a fraud risk assessment
- Evaluate controls designed to prevent or detect fraud, including management override of controls
- Evaluate controls over the period-end financial reporting process
Additionally, the organization’s CEO and CFO are required to sign a certification, which accompanies the organization’s 10-K and states, “based on such officer’s knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report.” The organization’s CEO and CFO face significant penalties if they certify that the company’s books are accurate when they are not. These penalties include, but are not limited to, five-year prison sentences, fines, and other disciplinary action such as civil and criminal litigation, as well as being barred by the SEC from ever serving as a corporate officer or director.
As part of the external audit of the organization’s financial statements, key internal controls are evaluated by the external auditor for design effectiveness, and are tested for operating effectiveness. Controls need to be operating effectively as of the fiscal year end. Due to the penalties associated with this certification, an organization’s management may use the services of a CPA firm, independent from its external auditor, to test internal controls on its behalf and provide an assessment of the design and operating effectiveness of the organization’s internal controls.
What Does a SOX Audit Entail?
A SOX audit is an evaluation of an organization’s internal controls over financial reporting. This generally involves the following:
- Interviewing key management personnel to understand the environment and processes of the organization
- Understanding the organization’s processes through techniques such as flowcharting and development of process narratives
- Identifying gaps in processes that require remediation to address associated risks
- Assessing the design effectiveness of the key controls identified
- Testing the operating effectiveness of key controls identified
- Assessing the organization’s overall alignment with the COSO 2013 framework
- Providing recommendations to management to assist remediation efforts prior to issuance of the 10-K