
Article
Successfully navigating SOX 404(b): Key considerations for growing and established public companies
Aug. 21, 2025 · Authored by Chad Miller
In the early 2000s, a wave of high-profile corporate scandals – Enron and others – shook investor confidence and raised urgent questions about the integrity of financial reporting in U.S. capital markets. The response was swift and sweeping: the enactment of the Sarbanes-Oxley Act of 2002 (commonly referred to as SOX), designed to assist in improving transparency, restoring investor confidence and rebuilding trust with the investing community.
Among the most impactful provisions of SOX is Section 404, which focuses specifically on internal controls over financial reporting (ICFR). Section 404 requires company management – and, in many cases, their external auditors – to assess and report on the effectiveness of those internal controls. This provision drives much of the critical advisory and compliance work that Baker Tilly provides, particularly for emerging growth companies (EGCs) preparing to transition from SOX 404(a) to 404(b). It also drives work for larger companies already subject to 404(b) that are seeking better outcomes, whether because they continue to report control deficiencies or because they need a new provider that can help challenge risk assessments and advise on the controls needed for newly introduced systems or applications. Oftentimes an outside provider is needed to proactively address the new expectations and guidance that external audit firms are applying under 404(b).
In either case, the 404(b) process brings a new level of complexity, scrutiny and risk – topics we’ll explore in the sections ahead.
At a high level, the difference between SOX 404(a) and 404(b) comes down to who is responsible for evaluating internal controls over financial reporting. Under SOX 404(a), it is management’s responsibility to assess and report on ICFR. SOX 404(b) takes things a step further – requiring that an independent auditor also provide an attestation of management’s assessment. This additional layer of assurance introduces stricter requirements, greater scrutiny and more documentation.
At its core, SOX is designed to protect investors by improving the accuracy and reliability of corporate financial statements and disclosures. Yet there are key differences in expectations between the two sections:
The shift to 404(b) also represents a deeper change in accountability. Under 404(a), management’s judgment and proximity to day-to-day operations, with limited testing of controls, are often sufficient to support conclusions. But under 404(b), it’s not enough for management to believe controls are effective. Instead, external auditors must independently validate those conclusions through formal procedures. The compliance burden increases, requiring companies to defend their controls with objective evidence and meet auditor standards that can be more rigorous than internal benchmarks.
As part of its role under the Sarbanes-Oxley Act, the Public Company Accounting Oversight Board (PCAOB) regularly inspects audit firms to assess their compliance with auditing standards, including how they support their SOX 404(b) opinions over ICFR. Because inspection results are public, audit firms are highly motivated to address any findings disclosed by the PCAOB. These publicly disclosed findings often result in increased expectations for their clients accordingly.
Control deficiencies identified during audits can rise to the level of material weaknesses, which signal a reasonable possibility that a material misstatement of a company’s annual or quarterly financial statements would not be prevented or detected on a timely basis. While the term may sound severe, material weaknesses are often due to insufficient documentation, unclear control ownership or a lack of review evidence – not necessarily fraud. Recognizing this nuance helps companies respond more effectively.
Ineffective IT controls and inadequate segregation of duties are among the most commonly reported material weaknesses. These trends reflect PCAOB priorities and underscore the need for companies to align more closely with auditor expectations to avoid future deficiencies.
Successful 404(b) compliance marks a turning point in the maturity of a company’s control environment: under 404(b), management’s assessment is subject to independent audit, which introduces a new level of scrutiny. External auditors, influenced by PCAOB inspection findings, often "push down" their evolving expectations to clients, and many companies find themselves navigating increased documentation demands, higher control precision thresholds and shifting interpretations of what constitutes “effective” control design. The most common (and most challenging) areas of focus are management review controls (MRCs), IT application and general controls, and information produced by the entity (IPE).
MRCs are oversight activities that rely on assumptions and, at times, judgment, such as journal entry reviews, account reconciliations, reviews comparing financial results to budget or prior periods, and the development of key estimates. These controls are inherently subjective and have long been a focus of PCAOB inspection findings, particularly when there is a lack of precision, insufficient documentation or an unclear rationale for the review. In response, auditors now expect to see robust evidence of what the reviewer did, how exceptions were analyzed and how conclusions were reached.
If an MRC involves a high-risk area – such as revenue recognition or impairment testing – it’s especially important to document both the process and the professional judgment applied. A reviewer’s initials alone are no longer sufficient. Companies must ensure these controls are executed with a defined level of precision, supported by evidence and aligned with the risk being addressed. In some cases, management may need to consider whether a judgment-based control is even appropriate, or whether additional automated or detective controls are needed. External audit firms now expect the control owner performing a management review control to document the control objectives and procedures, capture and retain screenshots of the key reports used to perform the control, define the variance thresholds expected for the period, and provide explanations for any variances that exceed those thresholds.
Nearly all financial reporting today depends on IT systems, making strong access, change management and governance controls essential. Common deficiencies include inappropriately provisioned user access, inadequate segregation of duties, poor system inventory practices and weak controls around system changes – especially in cloud-based or shared environments. Fast-growing companies often lack visibility into all financially relevant systems, leading to gaps in control coverage.
Successful 404(b) compliance is more than a regulatory milestone – it’s a cultural shift in how a company approaches internal controls, accountability and audit readiness. The increased rigor and scrutiny associated with auditor attestation under 404(b) demands early preparation, clear communication, and a shared understanding among management, control owners, and the external audit team. Getting in front of high-risk areas like management review controls, IT systems, and key reports can significantly reduce friction and improve the outcome of your 404(b) audit cycle.
The companies that succeed – whether transitioning into 404(b) or seeking to improve their current compliance program – are those that promote strong leadership engagement, foster cross-functional alignment, and create a continuous feedback loop between risk, control and documentation efforts.
At Baker Tilly, our SOX and internal controls professionals help companies navigate the challenges of 404(b) with a proactive, practical approach tailored to your risk profile, team structure and growth stage. Whether you need a readiness assessment, documentation support, or guidance on aligning with audit firm expectations, our team is ready to support you every step of the way.
As DevOps and agile methods blur the lines between development and deployment, some companies inadvertently bypass established change control processes. Without proper audit trails or controls over privileged access, financial data integrity is at risk. A strong IT control environment includes standardized policies, proactive user access reviews, ongoing training, and a clear understanding of how system risks can ripple across financial reporting.
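The user access review and segregation-of-duties points above can be made concrete with a small review script. This is an added example, not code from the article or from Baker Tilly; the SoD rule pairs, the privileged-entitlement list and the account extract are all constructed for illustration.

```python
# Added example: a user access review that flags segregation-of-duties
# conflicts, terminated users who still hold access, and privileged accounts
# without a current documented review. All rules and data are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set, List, Tuple

# Constructed SoD rule set: entitlement pairs one person should not hold together.
SOD_CONFLICTS = {
    ("vendor.create", "payment.approve"),
    ("journal.post", "journal.approve"),
    ("user.admin", "journal.post"),
}
PRIVILEGED = {"user.admin", "db.admin"}   # constructed privileged entitlements
AS_OF = date(2025, 8, 21)                 # review date used for the sample run

@dataclass
class Account:
    user: str
    entitlements: Set[str]
    last_reviewed: Optional[date]         # date of the last documented access review
    terminated: bool = False

def sod_violations(acct: Account) -> List[Tuple[str, str]]:
    """Return the conflicting entitlement pairs this account currently holds."""
    return sorted((a, b) for a, b in SOD_CONFLICTS
                  if a in acct.entitlements and b in acct.entitlements)

def review_findings(accounts, as_of, max_review_age_days=90):
    """Produce audit-ready (user, issue) findings for an access extract."""
    findings = []
    for acct in accounts:
        if acct.terminated and acct.entitlements:
            findings.append((acct.user, "terminated user retains access"))
        for a, b in sod_violations(acct):
            findings.append((acct.user, f"SoD conflict: {a} + {b}"))
        if acct.entitlements & PRIVILEGED:
            # Privileged access needs a review within the allowed window.
            stale = (acct.last_reviewed is None
                     or (as_of - acct.last_reviewed).days > max_review_age_days)
            if stale:
                findings.append((acct.user, "privileged access without current review"))
    return findings

# Constructed sample extract, shaped like a quarterly access review export.
SAMPLE = [
    Account("alice", {"journal.post", "journal.approve"}, date(2025, 7, 1)),
    Account("bob", {"vendor.create"}, date(2025, 7, 1)),
    Account("carol", {"user.admin"}, date(2025, 1, 15)),
    Account("dave", {"payment.approve"}, date(2025, 7, 1), terminated=True),
]

if __name__ == "__main__":
    for user, issue in review_findings(SAMPLE, AS_OF):
        print(f"{user}: {issue}")
```

The findings list is the kind of evidence an auditor expects to see retained alongside the sign-off, not just the reviewer's initials.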
Information Produced by the Entity (IPE) refers to the reports, spreadsheets and datasets used by management in executing controls. Even if a control is performed correctly, it can fail if the underlying information is incomplete or inaccurate, or if there is no clear evidence that the control owner confirmed that the IPE used was complete and accurate. As a result, 404(b) auditors are required to obtain evidence that management followed appropriate documentation steps to verify that key reports are complete, accurate and appropriately governed.
For many EGCs, this requires a cultural shift: reports often evolve informally and lack version control or documentation. Companies need to establish and formalize procedures for validating the integrity of key reports – such as source data checks, formula reviews and preservation of parameters used. Without clear controls around IPE, organizations risk audit findings not because the decision-making was flawed, but because the inputs to those decisions were unreliable or not fully documented.
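The source data check, formula review and parameter preservation described above, worked through on a constructed report. This is an added example, not code from the article or from Baker Tilly; the ledger rows, the CSV report, the parameter set and the tie-out tolerance are all constructed assumptions.

```python
# Added example: completeness-and-accuracy check on a key report (IPE) before
# it is relied on in a management review control. Source ledger, report and
# parameters are constructed; the tolerance is an assumed rounding allowance.
import csv, hashlib, io

# Constructed source ledger, standing in for a query against the general ledger.
LEDGER = [
    {"entity": "US01", "period": "2025-06", "account": "4000", "amount": -1200.00},
    {"entity": "US01", "period": "2025-06", "account": "4000", "amount": -800.50},
    {"entity": "US01", "period": "2025-06", "account": "6100", "amount": 350.25},
    {"entity": "US01", "period": "2025-05", "account": "4000", "amount": -900.00},
    {"entity": "DE01", "period": "2025-06", "account": "4000", "amount": -400.00},
]
# Constructed report export exactly as the control owner received it.
REPORT_CSV = """account,amount,budget,variance
4000,-2000.50,-1900.00,-100.50
6100,350.25,300.00,50.25
"""
PARAMS = {"entity": "US01", "period": "2025-06", "report": "P&L by account"}

def expected_from_source(ledger, params):
    """Recompute account totals from the source using the report's parameters."""
    totals = {}
    for row in ledger:
        if row["entity"] == params["entity"] and row["period"] == params["period"]:
            totals[row["account"]] = round(totals.get(row["account"], 0.0) + row["amount"], 2)
    return totals

def validate_ipe(report_csv, ledger, params, tolerance=0.005):
    """Return (ok, exceptions, evidence); evidence is what gets retained."""
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    expected = expected_from_source(ledger, params)
    exceptions = []
    # Completeness: the report and the source cover the same set of accounts.
    for acct in sorted(set(expected) ^ {r["account"] for r in rows}):
        exceptions.append(f"account {acct} present in only one of report/source")
    for r in rows:
        amt, bud, var = (float(r[k]) for k in ("amount", "budget", "variance"))
        # Accuracy: each reported amount ties to the recomputed source total.
        if r["account"] in expected and abs(amt - expected[r["account"]]) > tolerance:
            exceptions.append(f"account {r['account']} amount {amt} != source {expected[r['account']]}")
        # Formula review: the variance column must recompute as amount - budget.
        if abs((amt - bud) - var) > tolerance:
            exceptions.append(f"account {r['account']} variance formula mismatch")
    evidence = {"parameters": dict(params),
                "report_sha256": hashlib.sha256(report_csv.encode()).hexdigest(),
                "exceptions": list(exceptions)}
    return not exceptions, exceptions, evidence
```

Retaining the evidence dictionary (parameters plus a hash of the exact report file) is what lets a reviewer later show which version of the report was validated and against which parameters.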