New SOX 404 FAQs

News Brief

By: Cydney Posner

The SEC and PCAOB have issued several new FAQs on SOX 404, Internal Controls.


  • Although some exceptions are permitted, management’s annual report on internal control over financial reporting is not allowed to have a scope limitation, for example, because management has been unable to obtain a SAS 70 report from a service organization performing outsourcing. Therefore, management must determine whether the inability to assess controls over a particular process is significant enough to conclude in their report that internal control is not effective.
  • While management is not required to use any specific language in their report, the staff would generally expect that, for management to provide full disclosure relating to any material weakness identified by management, management would use the term "material weakness" in their disclosures.
  • If a Form 10-K or Form 10-KSB is incorporated into a 1933 Act filing, a consent is required related to the auditor’s report on management’s assessment of internal control. In addition, a new consent for the auditor’s report on management’s assessment of internal control is required in an amendment to the registration statement
    • whenever a change, other than typographical, is made to the audited annual financial statements and
    • when facts are discovered that may impact the auditor’s report.
  • An annual report to shareholders under Rule 14a-3 or 14c-3 should, the staff believes, include management’s report on internal control and the auditor’s report on management’s assessment. The staff intends to recommend rules to include that requirement specifically, and, in the interim, encourages issuers to include both reports in the annual report to shareholders when their audited financial statements are included. If the reports are not clean, then the staff believes that there could be an issue with respect to omission of material information if the reports are not included.
  • Although the adopting release does not specifically address this point, the staff believes that management's assessment of internal control should cover required supplementary information, such as financial statement schedules required by Reg S-X as well as any supplementary disclosures required by the FASB. The staff is considering this question for possible rule-making. As a result, internal control over the preparation of this supplementary information need not be encompassed in management’s assessment of internal control until the SEC has completed its evaluation of this area and issues new rules addressing these requirements. Until then, "registrants are reminded that they must fulfill their responsibilities under current requirements including Section 13(b)(2) of the Exchange Act and Exchange Act Rules 13a-14, 13a-15, 15d-14, and 15d-15."


  • Scope of testing. Internal control over financial reporting includes operations and compliance with laws directly related to the presentation of and required disclosures in financial statements. This standard is broader than that in AU 317, which requires a direct and material effect on the determination of financial statement amounts, and may include circumstances that have only indirect effects. For example, a possible accrual for a contingency under FAS 5 related to violation of laws could have a material effect on the reliability of financial reporting, but an indirect effect on the financial statements.
  • Evaluating Deficiencies. If management's assessment and the auditor's procedures do not encompass certain controls because they do not have the ability to evaluate those controls, that would involve a control deficiency, and if the transaction or event is material, it would usually result in a material weakness. The auditor would also need to determine if management had fulfilled its responsibilities in completing its evaluation. If not, the auditors must disclaim an opinion.
  • Service Organizations. If the services of the organization involve the processing of a major class of transactions, the company's auditors should perform walkthroughs at the service organization unless the auditor is able to obtain sufficient evidence by other means, such as through a service auditor's report.