What Is SOX 404 Compliance and How Can You Achieve It?
SOX 404 compliance is a necessity for all publicly-traded companies in the United States, as well as their wholly-owned subsidiaries and publicly-traded foreign companies that do business in the US.
It was created after a number of high-profile corporate scandals during the early 2000s and was put in place to better protect shareholders and increase transparency through consistent and accurate corporate disclosures.
There are a number of sections within SOX’s 11 titles, but some will be more pertinent to businesses because of their scope and cost—specifically SOX 404, which concerns the assessment of internal controls regarding financial reporting.
SOX 404 compliance can be very costly, but through modern technology and document management, many previously manual processes can be automated, reducing risk and cost.
In this blog post, we’re going to take a look at SOX 404, including what’s required and what organizations can do to be compliant.
What Is SOX Section 404?
Section 404 of the SOX Act is the most costly and complex aspect of SOX compliance and concerns annual financial reporting.
Section 404 requires that annual reports include the company’s own assessment of its internal controls over financial reporting, together with an attestation report from an auditor on that assessment.
This auditor must be an independent third party and is required to confirm the reliability and accuracy of the company’s internal controls.
Under Section 404, SEC registrants will be required to include with their annual filing:
- A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting
- A statement identifying the framework used by management to evaluate the effectiveness of internal control
- Management’s assessment of the effectiveness of internal control as of the end of the company’s most recent fiscal year
- A statement that the company’s external auditor has issued an attestation report on management’s assessment
What Does Internal Controls Mean?
In any company, regardless of size, top management must maintain a set of standards to ensure the accuracy of its financial statements.
The legislation itself does not specify exactly what companies must do to meet the standard for internal controls, which has left many companies to interpret for themselves what “internal controls” actually means.
Fortunately, there are existing frameworks, notably the COSO Internal Control Framework, developed as a joint initiative between five organizations: Institute of Internal Auditors (IIA), American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Association of Accountants and Financial Professionals in Business (IMA), and American Accounting Association (AAA).
The controls outlined in the COSO Controls Framework are appropriate to adopt for companies looking to ensure SOX 404 compliance.
The COSO Framework
The COSO framework contains 17 principles within five subsections that should be followed in order to demonstrate to a third-party auditor that the company is in compliance with SOX cybersecurity requirements.
The control environment lays out the set of standards and processes that are the foundation for carrying out internal control across a company.
An effective system of internal control is predicated on the control environment, and should be driven by the strategic goals of:
- Providing reliable financial reporting to internal and external stakeholders
- Operating the business efficiently and effectively
- Complying with all applicable laws and regulations
- Safeguarding assets and sensitive information
The five control environment principles are:
- Demonstrate commitment to integrity and ethical values
- Ensure that the board exercises oversight responsibility
- Establish structures, reporting lines, authorities, and responsibilities
- Demonstrate commitment to a competent workforce
- Hold people accountable
Risk assessment for SOX
A risk assessment for SOX is crucial for determining what a company’s risk factors are and how they will be managed.
In this case, “risk” is defined as the probability that an event will occur that disrupts business objectives.
Risk assessment requires top management to consider the implications of changes in the control environment and to take action where appropriate to manage risk. The risk assessment principles are:
- Specify appropriate objectives
- Identify and analyze risks
- Evaluate fraud risks
- Identify and analyze changes that could significantly affect internal controls
Control activities
Control activities are the actions taken to mitigate the risks identified in the risk assessment.
These activities may be preventive or detective and can be performed at all levels within an organization. The control activity principles are:
- Select and develop control activities that mitigate risks
- Select and develop technology controls
- Deploy control activities through policies and procedures
Information & communications
Information must flow up, down, and across the organization and be shared effectively and efficiently.
Information systems and repositories must provide the appropriate stakeholders with information that is relevant to their established objectives, in a timely manner and in a form they can understand.
The same applies to stakeholders outside the organization. The information and communication principles are:
- Use relevant, quality information to support the internal control function
- Communicate internal control information internally
- Communicate internal control information externally
Monitoring
The organization should adopt ongoing evaluations of internal controls to ensure that internal control functions are operating correctly.
When deficiencies are found, they should be evaluated and communicated in a timely manner to senior management and, where necessary, the board of directors so that they can be corrected quickly. The monitoring principles are:
- Perform ongoing or periodic evaluations of internal controls (or a combination of the two)
- Communicate internal control deficiencies
Why Should You Establish the COSO framework In Your Business?
If an organization fails to implement the controls of the COSO framework, it may well be in violation of the SOX 404 requirements mandated under federal law for financial reporting.
Auditors will judge a company’s internal control capabilities against the COSO framework, so it’s best for companies to hold themselves to that standard in order to abide by SOX.
How to Implement the COSO Framework
COSO implementation involves assessing where an organization currently stands against the framework’s five subsections and understanding what is needed to bring it up to standard.
This takes the form of a SOX audit, which should incorporate the COSO framework and an assessment of the 17 principles referred to earlier, typically in four distinct stages.
Planning and scope
Implementation starts with planning: key stakeholders are engaged, and the cybersecurity auditors designate the correct stakeholder for each of the principles.
For example, C-suite executives will be engaged for many of the control environment activities, IT personnel may be engaged for technology policy and procedure principles, and a compliance officer may be engaged as the key stakeholder for the monitoring principles.
Auditors will need to have a complete picture of where all business data is stored, including in third-party applications operating under the company network.
The auditors will conduct penetration testing and vulnerability scanning in order to establish clearly where the business stands with its current model within the COSO framework.
Analysis and reporting
These results will then be reported to the key stakeholders and recommendations will be made to help get the business in compliance with the COSO framework, at which point the organization can be confident they are SOX 404 compliant.
The Bottom Line
SOX 404 compliance is a necessary but frankly rather complex form of compliance for publicly-traded companies.
The requirements of SOX 404 mean adherence to the COSO framework. Its 17 principles offer a solid foundation for an organization to become SOX 404 compliant, and companies should follow this standard to bring their internal controls up to the required level.
To implement the COSO framework, businesses should consider hiring a managed security service provider to audit their systems and provide recommendations on which solutions, policies, and procedures should be adopted to get in compliance.
If you need to be compliant with SOX 404 but are unsure where to start, consider having a risk assessment for SOX done by Impact. Get in touch today to get the ball rolling on securing your future.