The Sarbanes-Oxley Act (SOX) Section 404 is one of the most impactful—and often misunderstood—U.S. regulatory requirements for public companies. At its core, SOX 404 is about accountability for internal controls over financial reporting (ICFR). But not every company, and not every filer, is subject to the same level of scrutiny.
This guide explains exactly who must comply with SOX 404, what level of compliance applies, and how expectations differ based on company size, filer status, and lifecycle stage (including IPOs). It is written for CFOs, Controllers, SOX Managers, Internal Audit leaders, IT Audit teams, and Audit Committee members who need clear, audit-defensible guidance.
What Is SOX 404? (Quick Refresher)
SOX Section 404 requires public companies to establish, maintain, and evaluate internal controls over financial reporting (ICFR).
- 404(a) – Management must assess and report on the effectiveness of ICFR.
- 404(b) – External auditors must independently attest to management’s ICFR assessment (for certain filers).
Not all companies are subject to both requirements—and that distinction matters.
Who Does SOX 404 Apply To? (Executive Summary)
SOX 404 applies to all U.S. public companies, but the scope of compliance depends on filer status:
| Company Type | SOX 404(a) – Management Assessment | SOX 404(b) – Auditor Attestation |
|---|---|---|
| Large Accelerated Filers | ✅ Required | ✅ Required |
| Accelerated Filers | ✅ Required | ✅ Required |
| Non-Accelerated Filers | ✅ Required | ❌ Exempt |
| Emerging Growth Companies (EGCs) | ✅ Required | ❌ Exempt (while EGC) |
| Foreign Private Issuers | ✅ Required | ✅/❌ Depends on filer status |
In short:
- All public companies must perform management’s ICFR assessment.
- Only larger filers must obtain an external auditor’s ICFR opinion.
The Legal Basis: SOX and SEC Rules
SOX 404 was enacted in 2002 and implemented through rules issued by the U.S. Securities and Exchange Commission. The auditing standards governing 404(b) are issued and enforced by the Public Company Accounting Oversight Board.
Management typically evaluates ICFR using the COSO Internal Control – Integrated Framework.
SOX 404(a): Who Must Comply?
Definition (Featured Snippet Style)
SOX 404(a) requires management of every public company to evaluate the design and operating effectiveness of internal controls over financial reporting and disclose the results annually.
Who Is Covered?
SOX 404(a) applies to:
- All U.S. public companies listed on U.S. exchanges
- All SEC registrants required to file Form 10-K
- Foreign private issuers filing Form 20-F
There are no size-based exemptions from management’s responsibility to assess ICFR.
What Management Must Do
Under 404(a), management is responsible for:
- Designing controls to address financial reporting risks
- Implementing and executing controls throughout the year
- Evaluating design effectiveness (are controls appropriately designed?)
- Testing operating effectiveness (did controls operate as intended?)
- Concluding on ICFR effectiveness
- Disclosing material weaknesses, if any, in the annual report
🔎 Why auditors care: Management’s assessment sets the foundation for audit reliance. Weak documentation or unclear conclusions often lead to expanded audit procedures—even for 404(b)-exempt companies.
SOX 404(b): Who Must Comply?
Definition (Featured Snippet Style)
SOX 404(b) requires a company’s external auditor to independently attest to and report on management’s assessment of internal controls over financial reporting.
Filers Subject to 404(b)
SOX 404(b) applies to:
1. Large Accelerated Filers
- Public float ≥ $700 million
- Timely SEC filers
- Not eligible for EGC status
2. Accelerated Filers
- Public float between $75 million and $700 million
- Timely SEC filers
These companies must obtain an auditor-issued ICFR opinion as part of the integrated audit.
Companies Exempt from SOX 404(b)
The following companies are exempt from auditor attestation but not from management’s responsibilities under 404(a):
Non-Accelerated Filers
- Public float < $75 million
Emerging Growth Companies (EGCs)
- Qualify under the JOBS Act
- Remain exempt until losing EGC status (earliest of revenue, market cap, or time thresholds)
⚠️ Common misconception: 404(b)-exempt does not mean “SOX-lite.” Management is still expected to maintain effective ICFR and withstand financial statement audits.
What About IPO Companies?
When Does SOX 404 Start for IPOs?
IPO companies typically follow this timeline:
| Year | Requirement |
|---|---|
| IPO Year (Year 0) | No SOX 404 reporting |
| First Annual Filing (Year 1) | SOX 404(a) required |
| Later Years | 404(b) required once filer thresholds are met |
Most IPO companies qualify as EGCs, delaying 404(b) compliance for up to five years—but only if they remain below EGC thresholds.
First-Year SOX Filers: Common Challenges
First-year SOX 404(a) compliance is where most companies struggle.
Common Pitfalls
- Incomplete risk assessment
- Overreliance on informal or manual controls
- Poor documentation of control execution
- Weak IT general controls (ITGCs)
- Treating SOX as a “year-end exercise”
Auditor Perspective
Auditors typically focus on:
- Whether controls are precisely defined
- Clear linkage between risks and controls
- Evidence quality and consistency of execution
- Management’s ability to identify deficiencies independently
Foreign Private Issuers (FPIs)
Foreign private issuers listed in the U.S. are also subject to SOX 404.
- 404(a): Required
- 404(b): Required or exempt depending on filer status
FPIs file Form 20-F, but ICFR expectations are generally aligned with U.S. domestic issuers.
Subsidiaries and Private Companies: Are They Covered?
Private Companies
- Not directly subject to SOX 404
- May still need SOX-like controls if:
- They are acquired by a public company
- They provide financially significant information
- They support SOX-scoped processes (shared services, IT)
Subsidiaries of Public Companies
- Included in the SOX scope based on:
- Financial significance
- Risk profile
- Nature of operations
Management vs. Auditor Responsibilities (Clarity Matters)
Management Owns:
- Control design
- Control execution
- Risk assessment
- ICFR conclusion
- Remediation of deficiencies
Auditors:
- Evaluate management’s assessment
- Test controls (for 404(b) filers)
- Issue an ICFR opinion
- Do not design or operate controls
🚫 Common mistake: Expecting auditors to “tell you what controls to have.” That is a management responsibility.
Material Weaknesses and Disclosure Obligations
If a company identifies a material weakness, it must:
- Disclose it in the Form 10-K
- State that ICFR is not effective
- Describe remediation plans (commonly)
Both 404(a) and 404(b) filers face this requirement.
Practical SOX 404 Applicability Checklist
Ask these questions:
- Are we publicly listed in the U.S.?
- What is our public float?
- Do we qualify as an EGC?
- Are we filing Form 10-K or 20-F?
- Are we in our first year of SOX?
If the answer to #1 is “yes,” SOX 404(a) applies.
How SOX Freelancer Support Can Help
As a SOX freelancer supporting public and pre-IPO companies, I typically help with:
- SOX 404 applicability assessments
- First-year SOX roadmaps
- ICFR risk and scoping workshops
- Control design and documentation
- Audit-ready testing and remediation support
This is especially valuable for lean finance teams, IPO companies, and organizations transitioning from advisory-led SOX programs to in-house ownership.
Key Takeaways for Executives
- All public companies must comply with SOX 404(a).
- Only accelerated filers must comply with SOX 404(b).
- Exemption from 404(b) does not reduce management accountability.
- Early planning prevents audit surprises—especially for IPOs.
- Clear ownership and documentation are critical to defensible compliance.