March 31, 2026 24 min read

SOX 404 explained: Requirements, costs, and compliance roadmap

Cannon Nikzad

Key Takeaway: SOX Section 404 requires management to assess Internal Control over Financial Reporting (ICFR) annually, with accelerated filers also subject to external auditor attestation under 404(b). Per the KPMG 2025 SOX Survey, the average program now costs $2.3 million and 15,581 hours as in-scope systems more than doubled to 40. Rationalizing controls and automating evidence are the two highest-impact responses.

SOX 404 compliance has reached an inflection point. Average key controls grew 18% to 546 between FY22 and FY24, automated controls fell from 21% to 17%, and 45% of organizations reported year-over-year cost increases, per the 2025 SOX Survey from KPMG. For SOX leads, control owners, and chief audit executives (CAEs), the practical question is no longer what 404 requires; it is how to meet the requirement at a defensible cost while integrating new PCAOB standards, cybersecurity disclosure rules, and emerging ESG controls.

What is Sarbanes-Oxley Act (SOX) Section 404?

Section 404 of the Sarbanes-Oxley Act requires management to assess the effectiveness of Internal Control over Financial Reporting (ICFR) annually and, for accelerated and large-accelerated filers, requires an independent external auditor to attest to that assessment. Its purpose is to improve the accuracy and reliability of public company financial reporting.

In 2002, Congress enacted the Sarbanes-Oxley Act (SOX) to improve the financial reporting of Securities and Exchange Commission (SEC) issuers, in response to the accounting scandals of the early 2000s, including Enron and WorldCom. An organization is an SEC issuer if it has securities registered under Section 12 of the Securities Exchange Act of 1934, or is required to file reports under Section 15(d) of that Act. All public companies are SEC issuers.

SOX contains several sections, notably Sections 302, 404, and 906. This article focuses on Section 404. Section 302 requires the CEO and CFO to certify, in each quarterly and annual report, the accuracy of the report and the effectiveness of disclosure controls; Section 906 requires a separate certification that the report complies with the Exchange Act and fairly presents the company's financial condition, and attaches criminal penalties to a knowing or willful false certification.

Section 404 consists of three subsections: 404(a), 404(b), and 404(c). The core requirement of Section 404 is that management assess the effectiveness of ICFR to improve the accuracy of financial reporting.

Section 404(a): Management's assessment of ICFR

All public issuers are subject to this provision; there are no exemptions. Section 404(a) requires management to evaluate the design and operating effectiveness of the company's ICFR. The company's internal controls must be documented and evaluated annually. Management's assessment is documented in the Internal Control Report included in the company's annual Form 10-K.

Section 404(b): External auditor attestation

Section 404(b) requires the issuer's independent external auditor to attest to, and report on, the effectiveness of ICFR. Section 404(a) mandates management's assessment; under 404(b) the auditor performs its own testing and issues its own opinion on whether ICFR was effective as of year-end, rather than simply re-checking management's conclusion. The auditor's opinion appears in the audit report section of the Form 10-K. The Public Company Accounting Oversight Board (PCAOB) sets the standards auditors must follow, primarily PCAOB AS 2201 (formerly AS 5), which prescribes a top-down risk assessment (TDRA) approach to scoping controls.

Section 404(c): Exemptions for non-accelerated filers and EGCs

Section 404(c) exempts certain organizations from Section 404(b). Non-accelerated filers and Emerging Growth Companies (EGCs) are exempt. Under the SEC's 2020 amendments to the filer definitions, an issuer is a non-accelerated filer if its public float (the market value of shares held by non-affiliates) is under $75 million, or if its public float is under $700 million and its annual revenue is under $100 million. EGC status generally lasts until the earliest of the end of the fiscal year following the fifth anniversary of the IPO, the year the company crosses the revenue threshold, the date it becomes a large accelerated filer, or the date it crosses the debt threshold. Current EGC thresholds are:

  • Annual gross revenue of less than $1.235 billion in the most recently completed fiscal year.
  • Issuance of less than $1 billion in nonconvertible debt over the prior three-year period.

Key Point: EGC thresholds are revised periodically. Check the current thresholds before assuming a company qualifies as an EGC.

Below is a simplified roadmap for determining whether a company must comply with SOX 404 and, if so, which subsections apply.

[Figure: SOX 404: Who Needs to Comply?]

How SOX 302 and SOX 404 differ

SOX Section 302 requires the CEO and CFO to personally certify the accuracy of financial statements and the effectiveness of disclosure controls in every quarterly (10-Q) and annual (10-K) filing. SOX Section 404 is broader and operational: 404(a) requires management's annual ICFR assessment, and 404(b) requires the external auditor's attestation for accelerated and large-accelerated filers. In short, 302 is an executive certification of disclosures attached to every periodic filing; 404 is an annual control-effectiveness assessment of ICFR.

What SOX 404 compliance costs in 2026

Per the KPMG 2025 SOX Survey, the average SOX program now costs $2.3 million annually and consumes 15,581 hours, with 45% of organizations reporting year-over-year cost increases. The primary driver is scope expansion: average in-scope systems more than doubled from 17 in FY22 to 40 in FY24, and average key controls grew 18% to 546. Compounding the problem, automated controls fell from 21% to 17%, leaving 45% of controls fully manual.

Subject matter experts on internal controls are needed to document, implement, and monitor the framework. Employee costs, contractor costs, and public accounting firm fees add up quickly. Beyond cost, building a SOX 404-compliant control environment takes considerable time. The four steps below should be completed before an organization considers itself compliant with SOX 404(a) or ready for external auditor review.

SOX 404 compliance checklist: 4 steps to implement ICFR

  1. Identification — inventory key processes and risks affecting financial reporting.
  2. Design and documentation — define each control's owner, frequency, evidence, and precision.
  3. Implementation — operate the controls and capture evidence consistently.
  4. Monitoring — test, remediate, and update controls as the business changes.

Identification

A company should identify all key processes that impact financial reporting, perform a risk assessment of each process, and develop a risk matrix detailing the internal controls in each process. Processes such as revenue, procurement, related-party transactions, and financial reporting should each have a separate control matrix. This scoping exercise is commonly known as a top-down risk assessment (TDRA), the PCAOB-endorsed methodology under Auditing Standard 2201. TDRA starts at the financial statement level, traces material accounts and disclosures down to relevant business processes and assertions, and only then selects the key controls that address "what could go wrong" risks. Using TDRA defensibly matters because 56% of organizations report their external auditors test fewer in-scope controls than management does, per the KPMG 2025 SOX Survey.

Key Point: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) publishes the Internal Control Integrated Framework (2013), which helps organizations identify key processes and build a control environment. COSO is jointly sponsored by five accounting and auditing bodies, including the AICPA, and the SEC accepts the COSO framework as a suitable basis for management's ICFR assessment.

Design and documentation

After identifying the necessary internal controls, each must be designed and documented. Details such as who performs the control, how often it runs, the documentation reviewed during performance, and the precision of the control need to be determined and documented. Precision is expressed here as the variance threshold that triggers an investigation (auditors use "precision" for the level at which a control can detect misstatement, so a lower threshold means a more precise control). Precision is a critical but often overlooked component of financial controls. A threshold set too low wastes effort investigating immaterial items, so the control is not efficient; a threshold set too high lets material variances pass uninvestigated, so the control is not effective.

Take the following example:

  • Company A and Company B both set a $500,000 variance threshold on an account reconciliation (only variances above this amount are investigated).
  • Company A consistently generates net revenues above $3 billion annually; Company B consistently generates $25 million annually in net revenue.
  • When the control is performed for the most recent fiscal year, the account reconciliation shows a $280,000 variance for both companies. Neither investigates, because the control only requires investigation if the variance exceeds $500,000.
  • Company A's audit materiality is far above $280,000, so its external auditors do not consider the variance material and conclude the control is designed appropriately and operating effectively.
  • Company B's external auditors set audit materiality at $100,000. The control operated exactly as designed, yet an unexplained variance of nearly three times materiality went uninvestigated. Because the control cannot detect a material misstatement, the auditors conclude it is not designed with adequate precision, a deficiency they can evaluate as a material weakness and document in their audit findings.

While oversimplified, the example illustrates why correct precision is critical. Another common mistake is setting a $1 variance threshold for every financial control. This usually happens when management does not have the time to determine the correct precision for each control. A $1 threshold is always below materiality, so the design looks adequate on paper; in practice, staff skip a $2 variance they know is immaterial, the control is then not performed as designed, and an independent auditor can treat the skipped investigation as a control failure.

To recap, each control needs to be individually designed to determine who performs it, how often, how it is documented to evidence performance, and a level of precision that is logical. Internal controls are tailored to each company and each specific control. Management needs to consider how the failure of each individual control could impact financial reporting when designing the framework.
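The precision argument above, expressed as a check a control owner could run over a portfolio of reconciliation controls. This is an added example, not code from the article or from Optro: it flags thresholds that are not below materiality (the Company B design deficiency) and thresholds so far below materiality that staff are unlikely to honor them (the $1 anti-pattern). Company A's materiality ($15 million), Company C, and the 1% heuristic for an implausibly low threshold are assumptions made for illustration; the article gives only Company B's materiality.

```python
"""Precision check for reconciliation-style controls.

Added example; not code from the article or from Optro. A variance
threshold sitting at or above audit materiality cannot detect a material
misstatement (design deficiency); a threshold far below materiality (the
$1 anti-pattern) tends to be ignored in operation. Company A's materiality
and the 1% "implausibly low" heuristic are assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class ReconciliationControl:
    name: str
    threshold: float                  # investigate only variances above this amount
    materiality: float                # audit materiality for the entity
    variances: list[float] = field(default_factory=list)  # observed unexplained variances


@dataclass
class PrecisionFinding:
    control: str
    design_adequate: bool             # can the control catch a material variance at all?
    investigated: list[float]         # variances the control would have investigated
    uninvestigated_material: list[float]  # material variances the control let through
    notes: list[str]


def evaluate_precision(ctrl: ReconciliationControl,
                       low_fraction: float = 0.01) -> PrecisionFinding:
    """Compare a control's threshold with materiality and with observed variances."""
    notes = []
    # A variance is investigated only if it exceeds the threshold, so every
    # material variance (>= materiality) is caught only when threshold < materiality.
    design_adequate = ctrl.threshold < ctrl.materiality
    if not design_adequate:
        notes.append(
            f"threshold {ctrl.threshold:,.0f} is not below materiality "
            f"{ctrl.materiality:,.0f}: material variances can go uninvestigated"
        )
    # Heuristic (assumption): a threshold under 1% of materiality suggests precision
    # was never actually determined; staff tend to skip trivial variances.
    if ctrl.threshold < low_fraction * ctrl.materiality:
        notes.append(
            f"threshold {ctrl.threshold:,.0f} is implausibly low relative to "
            f"materiality {ctrl.materiality:,.0f}; expect operating failures"
        )
    investigated = [v for v in ctrl.variances if v > ctrl.threshold]
    uninvestigated_material = [
        v for v in ctrl.variances
        if v <= ctrl.threshold and v >= ctrl.materiality
    ]
    return PrecisionFinding(ctrl.name, design_adequate, investigated,
                            uninvestigated_material, notes)


def evaluate_portfolio(controls):
    """Run the precision check over every control, keyed by control name."""
    return {c.name: evaluate_precision(c) for c in controls}


# Constructed sample: the article's two companies plus a $1-threshold control.
SAMPLE_CONTROLS = [
    ReconciliationControl("Company A reconciliation", threshold=500_000,
                          materiality=15_000_000, variances=[280_000]),
    ReconciliationControl("Company B reconciliation", threshold=500_000,
                          materiality=100_000, variances=[280_000]),
    ReconciliationControl("Company C reconciliation", threshold=1,
                          materiality=100_000, variances=[2]),
]

if __name__ == "__main__":
    for name, finding in evaluate_portfolio(SAMPLE_CONTROLS).items():
        print(name, "design adequate:", finding.design_adequate)
        for note in finding.notes:
            print("  -", note)
```

The design test is strict on purpose: a variance is investigated only when it exceeds the threshold, so every material variance is caught only when the threshold is strictly below materiality. The implausibly-low heuristic is a prompt to revisit precision, not an audit standard.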

Implementation

After controls are identified in the risk matrix and documented, the company must implement them. This requires added time from employees, because they are not only performing the control but also documenting it to retain evidence. Organizations should plan for the added headcount cost as workload increases once the control framework goes live.

Monitoring

The internal control framework must be continuously reviewed and updated. As an organization grows, management review controls will be added and the precision of controls will change. New processes will become material and require new controls and documentation. An internal audit function may be needed to assess control effectiveness, perform control testing, ensure activities are performed properly, and manage the remediation of deficiencies. KPMG's analysis of material weakness trends shows material weaknesses rose in 2024 across Financial Close, Control Environment, and Non-Routine/Complex Transactions — prioritizing those areas in monitoring activities is the highest-ROI remediation move.

Key Point: Management must take 404(a) seriously. Even if a company is exempt from 404(b), it cannot issue a boilerplate Internal Control Report in its Form 10-K, because the CEO and CFO certify that report's contents under Sections 302 and 906. Under SOX Section 906, willful false certification of financial reports by a CEO or CFO carries criminal penalties of up to $5 million in fines and up to 20 years imprisonment; knowing (but not willful) false certification can result in up to $1 million and 10 years. The SEC can also bar individuals from serving as officers or directors of public companies.

Where PCAOB inspections find SOX 404 deficiencies

PCAOB inspection findings from 2024 show recurring ICFR deficiencies cluster in three AS 2201 areas: testing controls with a review element (AS 2201.42–.45), identifying and selecting the right controls to test (AS 2201.39–.41), and aligning the nature and extent of audit evidence with assessed risk. Issuers should document reviewer judgment and precision thresholds on management review controls, map each key control back to a specific financial reporting risk, and adopt the PCAOB's April 2024 Root Cause Analysis guidance to remediate gaps before the external audit.

SOX teams should also prepare for new PCAOB standards. AS 2310, The Auditor's Use of Confirmation, is effective for audits of fiscal years ending on or after June 15, 2025. Amendments to AS 1105 (Audit Evidence) and AS 2301 (Responses to Risks of Material Misstatement) take effect for fiscal years beginning on or after December 15, 2025, addressing technology-assisted audit evidence. Expect external auditors to request more granular evidence around system-generated reports, information produced by the entity (IPE), and the controls supporting confirmation processes.

How SOX 404 impacts financial reporting processes

Implementing an ICFR framework improves financial reporting quality. It identifies weaknesses in the reporting process, reduces the chance of a material error going undetected, and gives investors greater confidence that financial statements are free from material misstatement. Added benefits include:

  • More clearly defined employee roles and responsibilities, improving work performance and reducing turnover.
  • Better understanding of business operations across management and staff.
  • An independent audit committee overseeing financial reporting and control activities.
  • Fewer audit adjustments from external auditors.
  • Lower risk of fraudulent related-party transactions.
  • Improved corporate governance and reduced corporate fraud.
  • Less fraud, waste, and abuse across operations.
  • Greater transparency to the board of directors regarding financial reporting.
  • Stronger access and change controls (ITGCs), which improve data integrity and reduce exposure to cyberattacks such as ransomware.
  • Standardized accounting and finance procedures for multinational organizations, such as customer invoicing.
  • Reduced human error through control automation.

Extending SOX 404 to cyber and ESG disclosures

The SEC cybersecurity disclosure rule requires an issuer to report a cybersecurity incident it has determined to be material on Form 8-K (Item 1.05) within four business days of that determination, and Item 106 of Regulation S-K requires annual disclosure of cyber risk management, strategy, and governance. SOX practitioners should tie ITGCs (access management, change management, incident detection) directly to the materiality determination process and to disclosure controls and procedures (DCPs), so that an incident detected by the security team reaches the people who decide whether it is material. Per the KPMG 2025 SOX Survey, 73% of organizations expanding their SOX control environment to non-financial risks are focused on cyber/IT. Mapping ITGCs to NIST CSF 2.0 helps demonstrate a defensible governance structure to both the SEC and external auditors.
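What tying an ITGC to automated evidence looks like in code, as an added example that is not from the article or from Optro's product. It runs the access-management checks a quarterly user access review control typically relies on: terminated employees who still hold ERP accounts (and whether those accounts were used after the termination date), and a segregation-of-duties conflict between vendor master maintenance and payment release. It also hashes the raw inputs into the evidence record, which is the kind of completeness-and-accuracy support for information produced by the entity (IPE) that auditors increasingly request. The HR roster, the ERP role export, the field and role names, the control identifier and the SoD rule are all constructed assumptions, not any vendor's schema.

```python
"""Automated evidence for an ITGC user-access review.

Added example; not code from the article or from Optro. Reads a constructed
HR roster and ERP role export, flags terminated employees who still hold
accounts (and post-termination use), flags an SoD conflict, and emits an
evidence record that hashes the raw inputs so a reviewer or auditor can tie
the conclusion to the exact IPE the check ran over. Field names, role names,
the control ID and the SoD rule are assumptions for illustration.
"""
import csv
import hashlib
import io
import json
from datetime import date

# Constructed HR roster export (assumption: one row per employee).
HR_ROSTER = """\
employee_id,name,status,termination_date
E100,Ana Ruiz,active,
E101,Ben Cho,terminated,2026-02-14
E102,Dee Park,active,
E103,Eli Novak,terminated,2026-03-02
"""

# Constructed ERP role export (assumption: one row per account/role pair).
ERP_ROLES = """\
employee_id,account,role,last_login
E100,aruiz,vendor_master_edit,2026-03-28
E100,aruiz,payment_release,2026-03-27
E101,bcho,ap_invoice_entry,2026-03-20
E102,dpark,gl_journal_post,2026-03-29
E103,enovak,payment_release,
"""

# SoD rule (assumption): one person must not both maintain vendor master data
# and release payments, the classic route to a fictitious-vendor payment.
SOD_CONFLICTS = {
    ("vendor_master_edit", "payment_release"): "create a vendor and pay it",
}


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def _to_date(s):
    return date.fromisoformat(s) if s else None


def terminated_with_access(hr, roles):
    """Accounts still present in the ERP for employees HR marks as terminated."""
    term_dates = {r["employee_id"]: _to_date(r["termination_date"])
                  for r in hr if r["status"] == "terminated"}
    seen, findings = set(), []
    for r in roles:
        if r["employee_id"] in term_dates and r["account"] not in seen:
            seen.add(r["account"])
            td, last = term_dates[r["employee_id"]], _to_date(r["last_login"])
            findings.append({
                "account": r["account"],
                "employee_id": r["employee_id"],
                "terminated": td.isoformat() if td else None,
                # Post-termination use turns a deprovisioning gap into a security incident.
                "used_after_termination": bool(td and last and last > td),
            })
    return sorted(findings, key=lambda f: f["account"])


def sod_conflicts(roles):
    """Accounts that hold every role of a conflicting pair."""
    held = {}
    for r in roles:
        held.setdefault(r["account"], set()).add(r["role"])
    hits = []
    for account, roleset in sorted(held.items()):
        for pair, risk in SOD_CONFLICTS.items():
            if set(pair) <= roleset:
                hits.append({"account": account, "roles": sorted(pair), "risk": risk})
    return hits


def build_evidence(hr_csv, roles_csv, as_of):
    """Evidence record: hashed inputs, row counts, findings and an exception total."""
    hr, roles = parse_csv(hr_csv), parse_csv(roles_csv)
    findings = {
        "terminated_with_active_access": terminated_with_access(hr, roles),
        "sod_conflicts": sod_conflicts(roles),
    }
    return {
        "control": "ITGC-AM-01 quarterly user access review",  # assumed control ID
        "as_of": as_of.isoformat(),
        "inputs": {
            # Hashing the raw exports lets an auditor re-run the check on the same IPE.
            "hr_roster_sha256": hashlib.sha256(hr_csv.encode()).hexdigest(),
            "erp_roles_sha256": hashlib.sha256(roles_csv.encode()).hexdigest(),
            "hr_rows": len(hr),
            "role_rows": len(roles),
        },
        "findings": findings,
        "exception_count": sum(len(v) for v in findings.values()),
    }


def run_review():
    """Run the review over the constructed exports as of quarter-end."""
    return build_evidence(HR_ROSTER, ERP_ROLES, date(2026, 3, 31))


if __name__ == "__main__":
    print(json.dumps(run_review(), indent=2))
```

Each exception becomes a ticket for the control owner; the evidence record (hashes, counts, findings) is what gets retained for the quarter, so the reviewer's sign-off attaches to a reproducible artifact rather than a screenshot.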

ESG is a slower-moving extension. COSO's 2023 supplemental guidance on Internal Control over Sustainability Reporting (ICSR) maps the 17 principles of the 2013 ICIF directly to ESG data, providing a defensible framework as the SEC climate rule (currently stayed pending judicial review) or analogous global mandates take effect. Only 23% of organizations have expanded their SOX control environment to include non-financial risks. Practitioners should start by inventorying ESG data sources and applying ICFR-equivalent controls (data integrity, review, reconciliation) to climate disclosures that sit within the financial statements.

Automating SOX 404 compliance with Optro

Implementing an ICFR framework is time-consuming and expensive. Software platforms such as Optro's SOX management software can reduce the time and cost of implementation, documentation, and monitoring. Early AI adoption in SOX programs focuses on evidence retrieval, control-to-risk mapping, and narrative documentation — Protiviti reports a 60% cost reduction in one SOX program using Azure AI-based intelligent retrieval. With the right technology in place, your team is better equipped to tackle SOX and adjacent internal control compliance with precision.

Frequently asked questions

What is the difference between SOX 302 and SOX 404?

SOX Section 302 requires the CEO and CFO to personally certify the accuracy of financial statements and the effectiveness of disclosure controls in every 10-Q and 10-K filing. SOX Section 404 is broader: 404(a) requires management's annual ICFR assessment, and 404(b) requires external auditor attestation for accelerated and large-accelerated filers. In short, 302 is an executive certification of disclosures attached to every periodic filing; 404 is an annual control-effectiveness assessment of ICFR.

What is the difference between SOX 404(a) and SOX 404(b)?

SOX 404(a) applies to all public issuers with no exemptions and requires management to perform and document its own annual evaluation of ICFR, reported in the Form 10-K's Internal Control Report. SOX 404(b) layers on a requirement that an independent external auditor, operating under PCAOB standards, primarily AS 2201, issue an attestation opinion on the effectiveness of ICFR. Non-accelerated filers (broadly, public float under $75 million, or under $700 million with annual revenue under $100 million) and Emerging Growth Companies are exempt from 404(b) under Section 404(c), but never from 404(a).

What is SOX 404 certification, and who signs it?

"SOX 404 certification" colloquially refers to management's annual assertion on ICFR effectiveness — signed by the CEO and CFO and included as the Internal Control Report within the Form 10-K. For accelerated and large-accelerated filers, this is accompanied by the external auditor's independent attestation under 404(b). It is distinct from the SOX 302 quarterly certification, which covers the accuracy of financial statements and disclosure controls in each periodic filing.

What does SOX 404 compliance cost in 2026?

Per the KPMG 2025 SOX Survey, the average SOX program costs $2.3 million annually and consumes 15,581 hours, with 45% of organizations reporting year-over-year cost increases. The main driver is scope expansion: in-scope systems more than doubled from 17 in FY22 to 40 in FY24, and average key controls grew 18% to 546. Automated controls fell from 21% to 17%, leaving 45% of controls fully manual.

What is a top-down risk assessment (TDRA) under SOX 404?

A top-down risk assessment (TDRA) is the PCAOB-endorsed methodology under Auditing Standard 2201 for scoping SOX 404 controls. It starts at the financial statement level, identifies material accounts and disclosures, traces them down to relevant business processes and assertions, and then selects the key controls that address "what could go wrong" risks. Using TDRA defensibly reduces control counts, which matters because 56% of organizations report their external auditors test fewer in-scope controls than management does.

Which processes are driving the most SOX 404 material weaknesses?

KPMG's 2025 analysis of non-IPO companies shows material weaknesses rose in 2024 across three process areas: Financial Close, Control Environment, and Non-Routine/Complex Transactions. Systems and Revenue material weaknesses held steady. Remediation should prioritize automating close-cycle reconciliations and journal entry controls, formalizing tone-at-the-top and competency assessments for the control environment, and building dedicated review controls with appropriate precision over non-routine transactions like M&A, impairments, and complex revenue arrangements.

What penalties do executives face for SOX 404 non-compliance?

Under SOX Section 906, willful false certification of financial reports by a CEO or CFO carries criminal penalties of up to $5 million in fines and up to 20 years imprisonment; knowing (but not willful) false certification can result in up to $1 million and 10 years. Filing a boilerplate or inaccurate 404(a) Internal Control Report, even when exempt from 404(b), exposes the company and its certifying officers to SEC enforcement and, where the accompanying 302 or 906 certification was knowingly false, to criminal liability. The SEC can also bar individuals from serving as officers or directors of public companies.

About the authors

Cannon Nikzad, CPA, is an Account Executive at Optro. Prior to joining Optro, Cannon spent 10 years at EY, serving in their Los Angeles and London offices where he led audit teams conducting integrated audits of U.S. public companies. Connect with Cannon on LinkedIn.
