No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Internal Audit

The (a)(b)(c)s of Sarbanes-Oxley 404

by Ron Kral
March 9, 2018
in Internal Audit
The (a)(b)(c)s of Sarbanes-Oxley 404

Updated, March 2018

We found expert accountant Ron Kral to provide the latest landscape on SOX 404 and break down the recent study.

Section 404 of the Sarbanes-Oxley Act (SOX) continues to be in the news and be a challenge for some companies. We now have Section 404(c), as well as a recently issued SEC Staff Study, thanks to Dodd-Frank.

What does this mean for public companies? Did you know that the management’s report on internal control over financial reporting (ICFR) per Section 404(a) is now considered “filed” rather than “furnished” for all non-accelerated filers? This is a higher level of liability than in previous years.

Did you know that new public issuers are the only filers who are not required to provide management reports on the effectiveness of ICFR since they have an option to not include one in their first 10-K report? This article answers these and other questions to provide the latest landscape on SOX 404.

SEC Staff Study on 404(b)

The workload triggered by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) is enormous – over 450 rules, 40 reports to Congress and 70 studies. One of these studies is the Study and Recommendations on Section 404(b) of the Sarbanes-Oxley Act of 2002 For Issuers with Public Float Between $75 and $250 Million (SEC Staff Study on 404(b), or Study) released on April 22, 2011 by SEC staff.

The study was triggered by Section 989G(b) of the Dodd-Frank Act and calls for the SEC staff to report on methods for reducing the compliance burden, as well as thoughts if a complete exemption for such companies from Section 404(b) compliance would encourage companies to list on exchanges in the United States in their initial public offerings (IPOs).

For clarity purposes:

  • Section 404(a) requires management to report on the effectiveness of ICFR.
  • Section 404(b) requires an auditor attestation with respect to an issuer‘s ICFR.
  • Section 404(c) provides that Section 404(b) does not apply for an issuer that is neither an accelerated filer nor a large accelerated filer. This group of issuers is commonly referred to as ‘non-accelerated’ filers.

Yes that’s right, there is now a Section 404(c), which is a newly enacted statute of SOX, as amended by the Dodd-Frank Act. Of the 9,092 unique issuers[1] that filed annual reports with the SEC on Forms 10-K or 20-F for fiscal years ending anytime in 2009, over 60% (5,518) were nonaccelerated filers according to SEC Staff Study on 404(b).

Findings of the SEC Staff Study on 404(b)

  • The 2007 reforms of the SEC’s June 2007 interpretive release and the PCAOB’s (Public Company Accounting Oversight Board) adoption of AS 5 had the intended effect of reducing the compliance burden and improving implementation of Section 404.
  • The costs of Section 404(b) have declined since the SEC first implemented the requirements of Section 404, particularly in response to the 2007 reforms.
  • Investors generally view the auditor‘s attestation on ICFR as beneficial.
  • Financial reporting is more reliable when the auditor is involved with ICFR assessments.
  • There is not conclusive evidence linking the requirements of Section 404(b) to listing decisions of the studied range of issuers.

2 recommendations of SEC Staff Study on 404(b)

  1. Maintain existing investor protections of Section 404(b) for accelerated filers, which have been in place since 2004 for domestic issuers and 2007 for foreign private issuers. The Study states, “There is strong evidence that the auditor‘s role in auditing the effectiveness of ICFR improves the reliability of internal control disclosures and financial reporting overall and is useful to investors.”
  2. Encourage activities that have potential to further improve both effectiveness and efficiency of Section 404(b) implementation. Specifically, SEC staff cites PCAOB monitoring activities to better assist auditors in performing top-down, risk based audits of ICFR. In addition, they cite COSO’s (The Committee of Sponsoring Organizations of the Treadway Commission) current project to review and update its internal control framework to help contribute to effective and efficient audits by providing management and auditors with improved internal control guidance that reflects today’s operating and regulatory environment to enhance the ability to design, implement, and assess internal controls.

To sum up the SEC Staff Study on 404(b), not much was learned from what previous surveys and reports had already concluded. Clearly, the SEC staff sides with preserving Section 404(b). However, it is not their decision or even the decision of the SEC commissioners. Similar to the passage of 404(c), it would take an act of the U.S. Congress and the president’s signature to exempt further groups from the ICFR external audit requirement.

The study does highlight evidence that issuers with the auditor attestation on ICFR requirement generally had a lower rate of restatement than issuers that did not have such a requirement.

In addition, the study states: “For all accelerated filers in the EDGAR[2] population with a management report on ICFR, approximately 4.5% reported ineffective ICFR. For all non-accelerated filers in the EDGAR population with a management report on ICFR, approximately 28% reported ineffective ICFR.” Indeed, SEC staff suggests that an auditor attestation on ICFR contributes positively to the maintenance of effective controls and therefore provides a valuable investor protection.

While there are benefits of Section 404(b), as evidenced by a lower rate of restatements and ICFR material weaknesses, what is the cost? The study does not shed significant new light on this topic as SEC staff heavily referenced their 2009 SEC Staff Study on Section 404.

Audit fees are obviously one major component of total 404(b) compliance costs, but there are also internal costs associated with preparing for and responding to external audit requests. Total SOX 404 compliance costs typically increase as issuer size increases and decrease as issuers gain compliance experience.

However, SOX 404 expenses as a percentage of total revenue is usually significantly higher for smaller companies. This was one of the main arguments for the passage of Section 404(c).

The strong recommendation for controlling SOX 404 costs is for management to periodically challenge costs to confirm if they are getting the most “bang for the buck.” This includes leveraging entity-level and automated controls, especially continuous monitoring.

If the external auditor is comfortable with the company’s culture and control owners’ competency, this should go a long-way in supporting their opinion. Likewise, if they can more efficiently test automated controls as opposed to larger sample sizes that manual controls typically warrant, it should serve as a downward dynamic on their fees.

Other key SOX-404 considerations

Here are some important developments and reminders as you walk, or think about walking, down the SOX 404 path:

  • All issuers, including nonaccelerated filers, continue to be subject to Section 404(a) requiring management’s report on ICFR. This is not likely to change, so accept it and strive for efficiencies.
  • All issuers must maintain documentation as “evidential matter” to support management’s assessment of the effectiveness of ICFR (per Item 308 of SEC Regulation S-K). This means that complying with Section 404(a) is far greater than simply inserting a report into the annual report.
  • New public issuers continue to be the only filers that are not required to provide a management report on the effectiveness of ICFR. They have the option to not provide this report for their first 10-K filed according to Item 308 of Regulation S-K. However they must comply with SOX 404(a) by submitting such a report beginning with their second 10-K filing. If they take advantage of this relief in their first 10-K report they must state that management’s and the auditor’s report on ICFR were not provided due to the first-year exemption allowed by the SEC.
  • Management’s Report on ICFR for all nonaccelerated filers will be considered “filed” rather than “furnished” under the Securities Exchange Act of 1934 for fiscal years ending on or after June 15, 2010. This is a higher level of liability.
  • Nonaccelerated filers are no longer required to provide a statement within their management’s report that an auditor’s report on ICFR has not been provided, if indeed this is the case. However, nonaccelerated filers may continue to voluntarily submit audit reports on their ICFR. The SEC Staff Study on 404(b) reported that 60 non-accelerated filers voluntarily included such an attestation in their 2009 10-K filing.

Concluding thought

Compliance complacency can be dangerous, especially with regards to SOX 404 considering the liability and reputational exposures. Know the applicable SEC rules and strive for an effective and efficient compliance process to stay within the good graces of your investors and regulators.

———

[1] According to the SEC Staff Study on 404(b): “The number of unique issuers excludes investment companies, asset backed securities issuers that file annual reports on Form 10-K but are not required to file audited financial statements or management‘s assessment of internal control over financial reporting, issuers that file annual reports on Form 10-K but are not required to file audited financial statements or management‘s assessment of internal control over financial reporting because they are considered inactive under Rule 3-11 of Regulation S-X [17 CFR 210.3-11], certain Canadian issuers that file annual reports on Form 40-F, guarantors that are issuers for purposes of the federal securities laws but for which there is not separate reporting under Rule 3-10 of Regulation S-X [17 CFR 210.3-10], and certain financial institutions that report to other regulators pursuant to Section 12(i) of the Exchange Act. The number of unique filers also excludes filers that were delinquent with their 2009 annual report as of January 4, 2011.“

[2] EDGAR (Electronic Data-Gathering, Analysis, and Retrieval) is the SEC’s automated system for the collection, validation, indexing, acceptance, and forwarding of submissions of required forms to the SEC.

This is an article reprint from the Governance Issues™ Newsletter, Volume 2011, Number 2, published on April 27, 2011. © 2011 Candela Solutions LLC, 110 East Main Street, Suite 718, Madison, WI 53703. Copyright: The Governance Issues™ Newsletter is meant to be distributed freely to interested parties. However, any use of this article must credit the respective author and Candela Solutions LLC as the publisher. All rights reserved. Use of the newsletter article constitutes acceptance of our Terms of Use and Privacy Policy. To automatically receive the newsletter, go towww.CandelaSolutions.com and register. Or, send a request to newsletter@CandelaSolutions.com and we will register on your behalf.

**********

About the Author

Ron Kral is the Managing Partner of Candela Solutions. He educates and advises public and private companies on risk and control matters relating to compliance strategies.

Candela Solutions LLC is a new breed of CPA firm building value for clients through strong governance, risk management and compliance services. Visit our website at www.CandelaSolutions.com for more information.

 


Tags: Dodd-Frank ActSECSOX Compliance
Previous Post

“Antifragility” and an Evolutionary Perspective on Risk

Next Post

Protiviti: Data Analytics Is a Game Changer, But Internal Audit Groups Are Lagging

Ron Kral

Ron Kral

Ron Kral is a partner of Kral Ussery LLC, a public accounting firm delivering advisory services, litigation support and internal audits. Ron is a highly rated speaker, trainer and advisor. He is a member of 4 of the 5 COSO sponsoring organizations; the AICPA, FEI, IIA, and IMA. Contact Ron at Rkral@KralUssery.com or www.linkedin.com/in/ronkral.    

Related Posts

esg sec clawback confusion

Unpacking the SEC’s Executive Compensation Clawback Rule

by John Peiserich
January 4, 2023

The SEC has finalized its long-awaited clawback policy mandated by the Dodd-Frank Act, issuing final rules that are scheduled to...

hottest takes

The Hottest Compliance Takes of 2022

by Staff and Wire Reports
December 14, 2022

Nobody was canceled for anything they wrote for our pages in 2022 — at least that we know of. But...

cci top 10 stories collage

Top 10 Compliance Stories of 2022

by Jennifer L. Gaskin
December 7, 2022

The more things change, the more they stay the same. This time last year, we summarized the top 10 ESG...

Fox Oracle FCPA Enforcement Action wp_f

Oracle: FCPA Recidivist

by Corporate Compliance Insights
October 20, 2022

Breaking down the FCPA allegations against technology company Oracle Corp. Unpacking Oracle FCPA Enforcement Action Oracle: FCPA Recidivist What’s in...

Next Post
Protiviti: Data Analytics Is a Game Changer, But Internal Audit Groups Are Lagging

Protiviti: Data Analytics Is a Game Changer, But Internal Audit Groups Are Lagging

Compliance Job Interview Q&A

Jump to a Topic

AML Anti-Bribery Anti-Corruption Artificial Intelligence (AI) Automation Banking Board of Directors Board Risk Oversight Business Continuity Planning California Consumer Privacy Act (CCPA) Code of Conduct Communications Management Corporate Culture COVID-19 Cryptocurrency Culture of Ethics Cybercrime Cyber Risk Data Analytics Data Breach Data Governance DOJ Download Due Diligence Enterprise Risk Management (ERM) ESG FCPA Enforcement Actions Financial Crime Financial Crimes Enforcement Network (FinCEN) GDPR HIPAA Know Your Customer (KYC) Machine Learning Monitoring RegTech Reputation Risk Risk Assessment SEC Social Media Risk Supply Chain Technology Third Party Risk Management Tone at the Top Training Whistleblowing
No Result
View All Result

Privacy Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2022 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe

© 2022 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT