Successfully navigating SOX 404(b): Key considerations for growing and established public companies
Aug. 21, 2025 · Authored by Chad Miller
In the early 2000s, a wave of high-profile corporate scandals – Enron among them – shook investor confidence and raised urgent questions about the integrity of financial reporting in U.S. capital markets. The response was swift and sweeping: the enactment of the Sarbanes-Oxley Act of 2002 (commonly referred to as SOX), designed to improve transparency, restore investor confidence and rebuild trust with the investing community.
Among the most impactful provisions of SOX is Section 404, which focuses specifically on internal control over financial reporting (ICFR). Section 404 requires company management – and, in many cases, the company’s external auditor – to assess and report on the effectiveness of those internal controls. This provision drives much of the advisory and compliance work that Baker Tilly provides. It is particularly relevant to emerging growth companies (EGCs) preparing to transition from SOX 404(a) to 404(b), and to larger companies already subject to 404(b) that are seeking better outcomes, whether because control deficiencies continue to be reported or because they need a new provider to challenge their risk assessments and advise on the controls required for newly introduced systems or applications. An outside provider is often needed to proactively address the new expectations and guidance that external audit firms are applying under 404(b).
In either case, the 404(b) process brings a new level of complexity, scrutiny and risk – topics we’ll explore in the sections ahead.
SOX 404(a) vs. 404(b): Understanding the key differences
At a high level, the difference between SOX 404(a) and 404(b) comes down to who is responsible for evaluating internal control over financial reporting. Under SOX 404(a), management is responsible for assessing and reporting on ICFR. SOX 404(b) takes this a step further, requiring the company’s independent auditor to attest to and report on that assessment. This additional layer of assurance brings stricter requirements, greater scrutiny and more documentation.
At its core, SOX is designed to protect investors by improving the accuracy and reliability of corporate financial statements and disclosures. Yet expectations under 404(a) and 404(b) differ in several key respects: