SOX 404 compliance is a necessity for all publicly-traded companies in the United States, in addition to wholly-owned subsidiaries and publicly-traded foreign companies that do business in the US.
It was created after a number of high-profile corporate scandals during the early 2000s and was put in place to better protect shareholders and increase transparency through consistent and accurate corporate disclosures.
There are a number of sections within SOX’s 11 titles, but some will be more pertinent to businesses because of their scope and cost—specifically SOX 404, which concerns the assessment of internal controls regarding financial reporting.
SOX 404 compliance can be very costly, but through modern technology and document management, many previously manual processes can be automated, reducing risk and cost.
In this blog post, we’re going to take a look at SOX 404, including what’s required and what organizations can do to be compliant.
Section 404 of the SOX Act is the most costly and complex aspect of SOX compliance and concerns annual financial reporting.
Section 404 requires that annual reports include the company’s own assessment of their internal controls on financial reporting, as well as an auditor attesting and reporting on the company’s assessment.
This auditor must be a third-party, and is required to demonstrate the reliability and accuracy of a company’s internal controls.
Under Section 404, SEC registrants will be required to include with their annual filing:
In any company, no matter their size, top management personnel must maintain a set of standards to ensure the accuracy of their financial statements.
The legislation itself does not specify exactly what companies must do to meet its standards for internal controls, which has led to many differing interpretations of what “internal controls” actually means.
Fortunately, there are existing frameworks, notably the COSO Internal Control Framework, developed as a joint initiative between five organizations: Institute of Internal Auditors (IIA), American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Association of Accountants and Financial Professionals in Business (IMA), and American Accounting Association (AAA).
The controls outlined in the COSO Controls Framework are appropriate to adopt for companies looking to ensure SOX 404 compliance.
The COSO framework contains 17 principles within five subsections that should be followed in order to demonstrate to a third-party auditor that the company is in compliance with SOX cybersecurity requirements.
The control environment lays out the set of standards and processes that are the foundation for carrying out internal control across a company.
An effective system of internal control is predicated on the control environment, and should be driven by the strategic goals of:
Associated principles
A risk assessment for SOX is crucial for determining what a company’s risk factors are and how they will be managed.
In this case, “risk” is defined as the probability that an event will occur that will disrupt business objectives.
Risk assessment requires top management to consider the implications of changes in the control environment and to take action where appropriate to manage risk.
Associated principles
Control activities are the actions taken to help mitigate the risks identified in the risk assessment.
These activities may be preventive or detective and can be performed at all levels within an organization.
Associated principles
Information and communications flow up, down, and across the organization and must be shared effectively and efficiently.
Information systems and repositories must provide the appropriate stakeholders with information that is relevant to their established objectives in a timely and sufficiently understandable manner.
The same is also necessary for stakeholders outside the organization.
Associated principles
Ongoing evaluations of internal controls should be adopted by the organization in order to ensure internal control functions are operating correctly.
When deficiencies are found, these should be evaluated and communicated in a timely manner to senior management and the board of directors (if necessary) so that they can be corrected quickly.
Associated principles
If an organization fails to implement the controls of the COSO framework, they may very well be in violation of SOX 404 requirements mandated under federal law for financial reporting.
Auditors will judge a company’s internal control capabilities against the COSO framework, so it’s best for companies to hold themselves to that standard in order to abide by SOX.
COSO implementation involves assessing where an organization currently is among its five subsections and understanding what’s needed in order to get up to standard.
This will comprise a SOX audit, which should incorporate the COSO framework and an assessment of the 17 principles referred to earlier, typically in four distinct stages.
Implementation starts at the beginning: key stakeholders will be engaged and the cybersecurity auditors will designate the correct stakeholders for each of the principles.
For example, C-suite executives will be engaged for many of the Control Environment activities, while IT personnel may be engaged for technology policy and procedure principles, and a compliance officer may be engaged as the key stakeholder for monitoring principles.
Auditors will need to have a complete picture of where all business data is stored, including in third-party applications operating under the company network.
The auditors will conduct penetration testing and vulnerability scanning in order to establish clearly where the business currently stands against the COSO framework.
These results will then be reported to the key stakeholders and recommendations will be made to help get the business in compliance with the COSO framework, at which point the organization can be confident they are SOX 404 compliant.
SOX 404 compliance is a necessary but frankly rather complex form of compliance for publicly-traded companies.
The requirements of SOX 404 mean adherence to the COSO framework. Its 17 principles offer a solid foundation and a practical means for an organization to be SOX 404 compliant, and it’s a good idea for companies to follow this framework to bring their internal controls up to standard.
To implement the COSO framework, businesses should consider hiring a managed security service provider to audit their systems and provide recommendations on which solutions, policies, and procedures should be adopted to get in compliance.
If you need to be compliant with SOX 404 but are unsure where to start, consider having a risk assessment for SOX done by Impact. Get in touch today to get the ball rolling on securing your future.