Sarbanes-Oxley 404(b) Compliance: A Refresher of the Initial Questions You Should Be Asking
July 2, 2019
Throughout the business world, there remains a constant level of mysticism surrounding the Sarbanes-Oxley Act of 2002 and its accompanying compliance requirements. Since its inception almost two decades ago, new/growing companies have scrambled to determine if they need to be compliant, identified the information needed to meet reporting requirements, and completed preparations before deadlines hit. By asking some basic, important questions, companies can set themselves up for a successful reporting year with minimal complications and limited interruptions to normal business operations.
What is the Sarbanes-Oxley Act of 2002?
Compliance becomes more difficult when you don’t know what you are complying with. The Sarbanes-Oxley Act of 2002 was enacted in response to several major corporate scandals, including Enron and WorldCom. The act established requirements that:
- Make upper management of public organizations individually certify the accuracy of financial information reported by the entity
- Increase the oversight of the entity’s board of directors
- Tighten independence requirements of the independent auditors who review the entity’s financial statements
- Establish more stringent penalties for fraudulent financial activity
Section 404 establishes the requirement that management and the external auditor report on the design and operating effectiveness of the company’s internal controls over financial reporting. In order to accomplish this, companies have adopted a top-down risk-based approach to evaluate their control environment for a given reporting year. The control environment is evaluated based on the risks mitigated, with emphasis being placed on high-risk process areas determined through materiality assessments of financial statement accounts.
Section 404(a) requires all companies, regardless of filing status, that file an annual report pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934 (Exchange Act) to include a report on internal controls that states the responsibility of management for establishing and maintaining adequate internal controls and financial reporting procedures, and contains an assessment, as of the end of the most recent fiscal year, of the effectiveness of internal controls and financial reporting procedures.
Section 404(b) specifically requires a public company’s external auditor to attest to management’s assessment of its internal controls. However, not all companies must comply with Section 404(b).
Section 404(c) creates an exemption for small issuers, stating that any company that does not meet the qualifications of an accelerated filer or large accelerated filer does not need to comply with Section 404(b).
Does your company need to comply?
It has long been encouraged that all public entities strive to comply with Section 404(b) of the Sarbanes-Oxley Act of 2002. However, based on their filing status, not all public companies are required to comply. So what are the various statuses a company can hold?
Small Issuer: Public companies with a market capitalization of less than $75 million that do not have to accelerate their periodic reporting deadlines. Small issuers are not required to comply with Section 404(b).
Emerging Growth Company: Newly public companies with total annual gross revenues of less than $1.07 billion during their most recent fiscal year that have not previously sold common equity securities under a registration statement are considered emerging growth companies. Companies remain an emerging growth company for the first five years after their initial public offering (IPO) or until they meet one of the following criteria:
- Total annual gross revenues are $1.07 billion or greater
- The company has issued over $1 billion in non-convertible debt in the past three years
- The company is designated as a large accelerated filer
Similar to non-accelerated filers, emerging growth companies are not required to comply with Section 404(b).
Accelerated Filer: Public companies with market capitalization between $75 million and $700 million (as of the last business day of the most recently completed second fiscal quarter), that have filed at least one annual report pursuant to Section 13(a) or Section 15(d) of the Exchange Act, and have been subject to the requirements of Section 13(a) or 15(d) for a period of at least twelve months. Accelerated filers are required to comply with Section 404(b) and must have the external auditor attest to management’s assessment of internal controls.
Large Accelerated Filer: Public companies with a market capitalization greater than $700 million (as of the last business day of the most recently completed second fiscal quarter), that have filed at least one annual report pursuant to Section 13(a) or Section 15(d) of the Exchange Act, and have been subject to the requirements of Section 13(a) or 15(d) for a period of at least twelve months. Large accelerated filers are required to comply with Section 404(b).
Knowing your company’s filing status is the first step towards ensuring SOX compliance. Companies should regularly review their filing status and think about growth and how their status will change in the coming years. Non-accelerated filers and emerging growth companies are able to prepare for status changes and develop and implement strong compliance procedures prior to their external auditors having to attest to the strength of their internal control structure. They also have the time to assess whether compliance work can be completed by in-house staff or with the expertise of outsourced/co-sourced professionals.
Is outsourcing/co-sourcing right for you?
Regardless of filing status, companies must determine how best to perform their annual assessment of internal controls. One of the most prevalent factors on the minds of management is cost. Unfortunately, the cost of compliance can be very high for public companies. Many have reported the cost of completing SOX compliance testing to be upwards of $2 million in a given year. As reporting requirements become more stringent and external auditors increase their scrutiny of supporting documentation and testing procedures, companies can likely expect costs to rise.
Public companies, especially those with limited personnel who may be available and qualified to complete SOX compliance activities, may consider outsourcing or co-sourcing their SOX compliance activities. Over time, these companies can see a lower cost and benefit from the knowledge and resources of experienced professionals that specialize in Section 404 compliance, using established, proven procedures for meeting compliance requirements year over year.
Outsourcing or co-sourcing compliance activities offers many benefits to an organization. Chief among these benefits is an increased level of transparency between the external auditor and management. This openness streamlines the compliance process so that management can remain focused on the day-to-day operations of their company, while at the same time minimizing organizational risk and ensuring full reliance by the external team attesting to the effectiveness of internal controls.
If your organization is required to be SOX compliant, and you think that outsourcing or co-sourcing internal control assessment activities may be the right choice, we encourage you to reach out to our team to learn more about the benefits of third-party SOX readiness.
 “Sarbanes-Oxley Act of 2002,” Section 404, copyright 2002. Full text of the document available here: https://pcaobus.org/About/History/Documents/PDFs/Sarbanes_Oxley_Act_of_2002.pdf
 “Securities Exchange Act of 1934,” Section 3, copyright 1934. Full text of the document available here: http://legcounsel.house.gov/Comps/Securities%20Exchange%20Act%20Of%201934.pdf