10 Tips for Managing 404 Compliance

The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.

Under Section 404 of the Act, management is required to produce an “internal control report” as part of each annual Exchange Act report. See 15 U.S.C. § 7262. The report must affirm “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.” 15 U.S.C. § 7262(a). The report must also “contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” To do this, managers are generally adopting an internal control framework such as that described in COSO.

Both management and the external auditor are responsible for performing their assessment in the context of a top-down risk assessment, which requires management to base both the scope of its assessment and evidence gathered on risk. Both the PCAOB and SEC recently issued guidance on this topic to help alleviate the significant costs of compliance and better focus the assessment on the most critical risk areas.

Tips for complying with this are;

• Get educated.
• Make sure you’re all on the same page.
• Be sure to leverage documentation you have in place. 
• Be sure you design your program to fit your business needs.
• Be sure to hire advisors that understand both IT management and SOX 404.
• Inform the executive team.
• Modify your standardized procedures.
• Don’t try to take on too much at once.
• Get feedback early in the process.
• Stay flexible.

I hope that these will help you in meeting 404, for your organisation.