In the Internet world, a “404 error” indicates that the page you wanted on a website could not be found. In the Weekly Words of Wisdom world, 404 stands for something very different—the provision of the Sarbanes-Oxley Act of 2002 dealing with internal control.

This week, we explain SOX 404, and what the 2010 Dodd-Frank financial reform legislation added to the mix.

SOX 404—Background

Section 404 of SOX originally contained two related requirements. Section 404(a) dealt with management’s assessment of internal control, while Section 404(b) covered the auditor’s attestation report on management’s assessment. Dodd-Frank added a new Section 404(c), which we explain below.

In its rulemaking under Section 404, the SEC chose the term “internal control over financial reporting,” or ICFR.[1] We will spare you the considerable complexity underlying the ICFR definition, but if you ever need to dig into this topic, have a look at the discussion starting at FN 35 in Release No. 33-8238.

Section 404(a)—Management’s Assessment

The SEC has implemented Section 404(a) via Exchange Act Rules 13a-15(c) and (d) (Rules 15d-15(c) and (d) for Section 15(d) reporting companies such as debt-only filers). Those rules require public companies to evaluate, with the participation of the CEO and CFO:

  • the effectiveness of ICFR as of the end of the fiscal year; and
  • any change in its ICFR that occurred during the fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company’s ICFR.[2]

(Newly public companies are exempt from these requirements—more about that in a minute.)

Form 10-K and Form 10-Q flesh out these requirements. First, each annual report on Form 10-K must include a report on internal control that contains:

  • a statement of management’s responsibility for establishing and maintaining adequate ICFR;
  • a statement identifying the framework used by management to evaluate the effectiveness of ICFR;
  • management’s assessment of the effectiveness of ICFR as of the end of the most recent fiscal year, including a statement whether ICFR is effective. The statement must also include disclosure of any material weakness in ICFR identified by management. Management is not permitted to conclude that the issuer’s ICFR is effective if there are one or more material weaknesses; and
  • a statement that the auditor has issued an attestation report on management’s assessment.

See Item 9A of Form 10-K, referring to Reg S-K Item 308.

Second, each Form 10-K and Form 10-Q must disclose any change in ICFR identified in connection with management’s assessment that occurred during the last fiscal quarter (the fourth fiscal quarter in the case of a 10-K) that has materially affected, or is likely to materially affect, ICFR. See Form 10-K, Item 9A and Form 10-Q, Item 4, both of which refer to Reg S-K Item 308(c).

So, to recap, public companies need:

  • an annual assessment of ICFR; and
  • a quarterly assessment of changes in ICFR.

Section 404(b)—Auditor’s Attestation

Each Form 10-K must also include an auditor’s attestation report, unless the company benefits from one of the exemptions we discuss below. See Item 9A of Form 10-K, referring to Reg S-K Item 308. No auditor’s attestation is needed for a quarterly report. The PCAOB has provided the ground rules for the 404(b) attestation report in Auditing Standard No. 5.

Are there any exemptions from Sections 404(a) and 404(b)?

Yes. Newly public companies get a pass from the SEC’s rules implementing SOX 404(a) and 404(b) until they have filed one annual report on Form 10-K. This exemption is baked into the text of Rules 13a-15(c) and 15d-15(c), as well as Reg S-K Item 308 (see Instruction (a)). Bear in mind that the company will have to include a specific statement in its first 10-K in lieu of the management’s assessment.

In addition, the Dodd-Frank Act gave permanent relief from SOX 404(b) to smaller public companies. Section 989G of Dodd-Frank added a new Section 404(c) to Sarbanes-Oxley, exempting companies that are not large accelerated filers or accelerated filers from the requirement to provide a Section 404(b) auditor’s attestation. See also the SEC’s rule implementing 989G.

The terms “large accelerated filer” and “accelerated filer” are defined in Exchange Act Rule 12b-2. For these purposes, a large accelerated filer is a company that, as of the end of its fiscal year:

  • has an aggregate worldwide market value of voting and non-voting common equity held by non-affiliates (i.e., market capitalization) of $700 million or more (measured as of the last business day of its most recently completed second fiscal quarter);
  • has been subject to SEC reporting under the Exchange Act for a period of at least 12 calendar months;
  • has filed at least one annual report under the Exchange Act with the SEC; and
  • is not eligible to use the requirements for smaller reporting companies in Regulation S-K.

An accelerated filer is a company meeting the same conditions, except that it has a market capitalization of $75 million or more but less than $700 million (measured as of the last business day of its most recently completed second fiscal quarter).

[1] The definition is contained in Rules 13a-15(f)/15d-15(f).
[2] Foreign private issuers need only make this evaluation yearly.