Section 404 of the Sarbanes-Oxley Act (SOX), a federal law enacted in 2002, requires every public company to report its internal control procedures for the company’s financial statements in its annual report.
Not only does this information benefits investors; it also demonstrates that the chief executive officer, chief financial officer, and other senior executives are committed to the accuracy of an organization’s financial statements. They are committed to maintaining effective internal controls and an internal control structure that provides valid, reliable financial data.
SOX was passed in response to numerous large corporate fraud scandals in the early 2000s. The law states that its purpose is “to protect investors by improving the accuracy and reliability of corporate disclosures.”
SOX does this by strengthening corporate governance, specifically broadening the powers and responsibilities of the audit committee of the board of directors. The law increases the audit committee’s oversight of financial information and reporting processes; and management’s personal accountability for the reliability of financial statements published to investors.
Section 404 of the law has two main parts. Section 404(a) applies to all publicly traded companies; it requires management to assert whether its internal controls and procedures are effective — and if not, to outline what weaknesses exist. Section 404(b) applies only to larger publicly traded firms and requires an external audit firm to audit and report on those internal controls.
What is the purpose of reporting control procedures?
By requiring businesses to disclose the effectiveness of their controls and procedures, Section 404 aims to prevent fraud and errors in financial statements and records.
As the U.S. Securities and Exchange Commission said in a piece of guidance published in 2007: “Management is responsible for maintaining a system of internal control over financial reporting (ICFR) that provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.”
Internal controls are an essential part of risk management, helping an organization to avoid financial fraud and related problems. Internal controls can include such tasks as reconciling bank statements or performing internal audits, which both can help a company determine whether management or employees are stealing its money.
When a company has strong internal control procedures—and especially when those internal controls have been reviewed by an independent auditor—investors can then have more assurance that the company’s reported financial statements are reliable.
COSO and Internal Controls
When the SEC first adopted rules for Section 404 compliance in the mid-2000s, the agency said companies should use an internal controls framework to assess the effectiveness of their controls and to make necessary improvements.
Searching for an example framework that companies might use, the SEC pointed to the Committee of Sponsoring Organizations (COSO) and its Integrated Framework for Internal Control. Companies don’t need to use the COSO framework; it is not required by law. Most companies flocked to it anyway, and today using the COSO internal control framework to achieve Section 404 compliance is standard practice.
The COSO framework has five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring activities.
To achieve Section 404 compliance, then, management should assess the effectiveness of its internal controls over financial reporting, usually according to the standards of the COSO internal control framework. Then management must disclose whether, in its judgment, the company’s internal controls and procedures are effective. If the controls and procedures aren’t, management must also disclose whatever material weaknesses exist.
For large companies subject to Section 404(b), their external audit firm must also do the same: review the controls and procedures, identify any material weaknesses, and disclose an opinion on whether the controls and procedures are effective.