ProCognis, Inc.

Sarbanes-Oxley is the subject of much discussion and uncertainty in business, finance and accounting circles. The following background information is intended to help dispel misconceptions and define terms that are useful in understanding the impact of the law and its interpretation.

Important Terms and Concepts

Financial Controls

Financial controls are activities undertaken to mitigate the risks to financial reporting. Controls can be physical, transaction-based, high-level, or related to information technology. An example of a physical control is locking up unused check stock.

A transaction-based control is an activity performed at the transaction level, such as having an authorized signer approve each invoice prior to payment. High-level controls focus on oversight, such as the CFO reviewing a budget-to-actual report prior to month-end close. Controls relating to information technology include password protections and restricted access.

The level and nature of financial controls must be tailored to the size and complexity of the company. Generally, larger companies have more transaction-based and information-technology-based controls, and those controls tend to be more formal. Smaller companies tend to rely more heavily on high-level oversight controls and may have less formalized policies.

Risk Based Approach

A risk-based approach is one that considers all potential risks to financial reporting and then seeks to identify controls that would mitigate the risks. By doing this, a company can identify those areas for which risks exist, but no control activity has been designed to prevent the risk from actually occurring. This is often referred to as gap analysis, because it identifies those gaps in internal control that could pose a risk to financial reporting. A risk-based approach also evaluates the potential risks as to their significance and likelihood of occurring.

By evaluating risk in this manner, more attention can be paid to those controls that mitigate the more significant or likely risks. A risk-based approach is generally considered more efficient because it allows management to pinpoint potential problems accurately and focus attention on the areas of greatest importance to the company.

Top-down methodology

Top-down methodology refers to a method for compliance that begins with the financial statements and drills down to individual transactions. This is also considered a more efficient approach as it targets compliance work to those areas that are material to the company. This is differentiated from the bottom-up methodologies often used in traditional audits (see below).

Bottom-up methodology

Bottom-up methodology is used in most financial audits, but is generally not considered appropriate for internal control audits such as SOX 404 or FDICIA. The auditor selects and tests individual transactions and then combines these transactions with other similar items to support general ledger accounts. General ledger accounts are combined to support financial statement line items, which in turn are combined to produce the financial statements.

COSO Framework

COSO is the most commonly used framework for assessing internal controls. COSO defines internal control as:

"Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

The control environment provides an atmosphere in which people conduct their activities and carry out their control responsibilities. It serves as a foundation for other components. Within this environment, management assesses risks to the achievement of specified objectives. Control activities are implemented to help ensure that management directives to address the risks are carried out. Meanwhile relevant information is captured and communicated throughout the organization. The entire process is monitored and modified as conditions warrant."

PCAOB

The Public Company Accounting Oversight Board was created by the Sarbanes-Oxley Act of 2002 and is responsible for regulating accounting firms that audit public companies. A CPA firm must register with the PCAOB if it wishes to perform audits of publicly traded companies. The PCAOB is essentially the auditor's auditor and, as such, is involved in rule-making as well as in reviewing the audit work performed by registered firms.

SOX Section 302 (Certification) & SOX Section 404 (Implementation)

While Sarbanes-Oxley regulates many aspects of corporate governance, two important sections of the law created new requirements for management of public companies:

  • Section 302 requires formal certification of effectiveness of financial controls
  • Section 404 requires detailed documentation, monitoring (testing) and reporting of a company's financial controls

Prior to the passage of the Sarbanes-Oxley Act, all public companies were already required to have internal controls over financial reporting in place. The Act, specifically Section 302, required senior executives (principally the CEO and CFO) to formally certify that those controls were in place, and Section 404 required companies to perform an assessment of the effectiveness of the controls. Section 404 further required that the outside auditor "...attest to and report on the assessment made by the management...".

These requirements created a new burden for corporate executives and public accountants.

Accelerated filers/Non-accelerated filers

SEC interpretation of the new law also created two classes of companies:

  • Accelerated filers: public companies with more than $75 Million in public float (measured on the last day of the second quarter each year)
  • Non-accelerated filers: companies who do not meet the requirements as Accelerated filers

Each public company is required to determine its status as an accelerated or non-accelerated filer and meet the appropriate requirements on an annual basis. The market capitalization of a company can change frequently, and the dollar-value threshold is not indexed (it changes only if a new law adjusts the limit). This places an additional burden on companies to keep an eye on their status.

If a previously non-accelerated filer company were to suddenly meet the requirements of an accelerated filer, they would be expected to meet the shortened SEC filing deadlines and other measures.

History of the Sarbanes-Oxley Law & SEC Interpretation

Sarbanes-Oxley Act of 2002 was passed into law following the accounting scandals of the late 1990's that burst into the news in 2000 and 2001. The most notable scandals include Enron, Global Crossing, WorldCom and others. In each case, the specific cause for the breakdown could be traced to a failure in corporate governance.

In response, the United States Congress enacted the far-reaching Sarbanes-Oxley Act (also known as Sarbox or SOX) to enforce stricter regulation on financial reporting, board membership, auditor-customer relationships, financial controls documentation/attestation and more. While the law was enacted by Congress, the SEC is mandated to interpret and enforce the Act.

As a result, companies are now expected to document, test and report deficiencies in their financial controls annually, and to report significant changes quarterly in their public filings.

This burden is on top of the shortened reporting deadlines that accelerated filers must meet on their quarterly and annual SEC filings (as mandated by the SEC). These shortened deadlines remove 30 calendar days from 10-K filings and 10 calendar days from 10-Q filings when the full impact of the requirement comes into effect.

Regulatory Information and Links

On May 27, 2003, the SEC adopted rules to implement Section 404 of the Sarbanes-Oxley Act. An excerpt of the rule is as follows:

Management's report on internal control over financial reporting and certification of disclosure in Exchange Act periodic reports
The Commission voted to adopt rule and form amendments to implement requirements of Section 404 of the Sarbanes-Oxley Act of 2002.

Management's Report on Internal Control over Financial Reporting
Section 404 of the Act directs the Commission to adopt rules requiring each annual report of a company, other than a registered investment company, to contain (1) a statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) management's assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting. Section 404 also requires the company's auditor to attest to, and report on management's assessment of the effectiveness of the company's internal controls and procedures for financial reporting in accordance with standards established by the Public Company Accounting Oversight Board. The Commission received over 60 comments on the Section 404 proposals that expressed general overall support for the Commission's approach to implementing Section 404 of the Act. The adopting release will incorporate a number of changes recommended by commenters.

Under the final rules, management's annual internal control report will have to contain:

  • a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
  • a statement identifying the framework used by management to evaluate the effectiveness of this internal control;
  • management's assessment of the effectiveness of this internal control as of the end of the company's most recent fiscal year; and
  • a statement that its auditor has issued an attestation report on management's assessment.

Under the new rules, management must disclose any material weakness and will be unable to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses in such control. Furthermore, the framework on which management's evaluation is based will have to be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.

The full text of the rules can be viewed at

On February 24, 2004, the SEC deferred implementation until November 15, 2004 for accelerated filers and July 15, 2005 for non-accelerated filers.

“Under the new compliance schedule, a company that is an "accelerated filer" …must begin to comply with these amendments for its first fiscal year ending on or after Nov. 15, 2004 (originally June 15, 2004). A non-accelerated filer must begin to comply with these requirements for its first fiscal year ending on or after July 15, 2005 (originally April 15, 2005).”

The full text of this release may be accessed at

On June 17, 2004, Auditing Standard 2 ("AS2") was approved by the PCAOB; it addresses the external auditor's role in implementing SOX 404.

A significant aspect of this proposed standard is the requirement of the independent auditor to attest on two items. The auditor has to evaluate management's assessment process to be satisfied that management has an appropriate basis for its conclusion. Additionally, the auditor must test and evaluate both the design and the operating effectiveness of internal control to be satisfied that management's conclusion is correct and, therefore, fairly stated. The auditor's report on internal control over financial reporting will express two opinions — an opinion on whether management's assessment of the effectiveness of internal control over financial reporting as of the end of the most recent fiscal year is fairly stated, and an opinion on whether the company has maintained effective internal control over financial reporting as of that date.

The full document can be viewed at

On March 2, 2005, the SEC deferred the deadline for non-accelerated filers until July 15, 2006.

Under the latest extension, a company that is not required to file its annual and quarterly reports on an accelerated basis (non-accelerated filer) and a foreign private issuer filing its annual reports on Form 20-F or 40-F, must begin to comply with the internal control over financial reporting requirements for its first fiscal year ending on or after July 15, 2006.

The full release can be viewed at

On April 13, 2005, after the first year of SOX 404 implementation had been completed by the "Accelerated Filers", a roundtable was held which included the SEC, the PCAOB, audit firms, SEC registrants both large and small, and other interested parties. Chairman Donaldson made the following opening statement:

… I think this is a great opportunity for all of us, and in particular our two organizations, to work and learn alongside each other. And so we thought was a necessary and understandable response to an unprecedented string of corporate scandals, which were rooted in intolerable governance, accounting and audit failures. Section 404 of the Act requires that management assess and report on the ineffectiveness of our internal controls over financial reporting, and that the company's external auditor report on both the internal controls and management's assessment of these controls. As I've said before, all of the provisions of the Sarbanes-Oxley Act, the internal control requirements of Section 404, may have the greatest potential to improve the accuracy and reliability of financial reporting. Strong controls are an important part of this goal, because our capital markets run on the basic premise that companies will present reliable and complete financial data for investment and policy decision making. But we also understand that the process of implementing the requirements of Section 404, as well as the related SEC and PCAOB rules, has consumed considerable time, energy, resources and has generated intense debate. Our staff and the Commission and I have all heard stories, as I'm sure many of you have, of substantial and unanticipated expenses, including internal overhead, audit fees and software expenses, companies pulling staff from other strategic projects to help with internal control reporting, management and auditors talking past one another, and duplicative testing procedures with little or no reliance on prior work. With the distinguished and diverse group of panelists we've assembled, this is an opportunity for us to hear how the process really works for issuers in general. Are these isolated instances or are they widespread? Which of the problems encountered this year were attributable to first-year growing pains, and which are likely to reoccur each year? 
What are your suggestions for improvement, and how can we help further? We also want to know whether the steps we took to ease the process, such as issuing staff guidance and delaying compliance dates for some groups, were helpful. We'd like to get an idea of how registrants and others feel they have benefitted from the internal control reporting process. We know that over 2,500 registrants have filed their internal control reports by March 31st, approximately eight percent reporting material weaknesses. But we also heard from at least one accounting firm that within a group of 225 registrants the firm audits, approximately 63,000 control deficiencies, that's an average of 275 per company, were identified and most importantly, remedied. We look forward to hearing more about these. We also want to hear from investors. Was the internal control information provided by companies helpful? What was the investor community's reaction to reports of material weaknesses? This roundtable is an important vehicle for gathering feedback on all aspects of the reporting process, and as you can tell, I welcome the candid and constructive feedback from each of our panelists, as do our Commissioners. It's extremely important to me and our five Commissioners, as well as the PCAOB board members, that we hear the experiences and views of people who are familiar with implementing the internal control reporting provisions of Section 404. We also want to make sure we're helping companies and auditors accomplish the goals of Section 404 in the most effective and efficient way.

The full transcript of the roundtable can be viewed at

As an outcome of the April 13, 2005 roundtable, the SEC issued the following statement on May 16, 2005.

...because of the importance we place on effective and efficient implementation of Section 404, we believe the following broad concepts bear mention at this time.

Although it is not surprising that first-year implementation of Section 404 was challenging, almost all of the significant complaints we heard related not to the Sarbanes-Oxley Act or to the rules and auditing standards implementing Section 404, but rather to a mechanical, and even overly cautious, way in which those rules and standards apparently have been applied in many cases. Both management and external auditors must bring reasoned judgment and a top-down, risk-based approach to the 404 compliance process. A one-size fits all, bottom-up, check-the-box approach that treats all controls equally is less likely to improve internal controls and financial reporting than reasoned, good faith exercise of professional judgment focused on reasonable, as opposed to absolute, assurance.

In future years we expect the internal control audit to be better integrated with the audit of a company's financial statements. If management and auditors can achieve the goal of integrating the two audits, we expect that both internal and external costs of Section 404 compliance will fall for most companies.

Internal controls over financial reporting should reflect the nature and size of the company to which they relate. Particular attention should be paid to making sure that implementation of Section 404 is appropriately tailored to the operations of smaller companies. Again, this is an area where reasoned judgment and a risk-based approach must be brought to bear. We continue to be actively engaged in projects to evaluate and assess the effects of the internal control reporting rules on smaller companies. In addition to delaying the implementation of those rules for smaller companies, we have encouraged the Committee of Sponsoring Organizations (COSO) of the Treadway Commission to develop additional guidance in applying its internal control framework to smaller companies. We have established the Commission Advisory Committee on Smaller Public Companies to consider the impact of Commission rules - including the internal control reporting rules - on smaller companies.

We encourage frequent and frank dialogue among management, auditors and audit committees with the goal of improving internal controls and the financial reports upon which investors rely. Management of all companies - large and small - should not fear that a discussion of internal controls with, or a request for assistance or clarification from, the auditor will, itself, be deemed a deficiency in internal control. Moreover, as long as management determines the accounting to be used and does not rely on the auditor to design or implement the controls, we do not believe that the auditor's providing advice or assistance, in itself, constitutes a violation of our independence rules. Both common sense and sound policy dictate that communications must be ongoing and open in order to create the best environment for producing high quality financial reporting and auditing; communications must not be so restricted or formalized that their value is lost.

The statement in its entirety can be viewed at the following link

In addition to the formal statement, the SEC staff also issued some thoughts after the first year of implementation. We have highlighted a few key thoughts below.

Top-Down / Risk-Based Assessments
The feedback indicated that one reason why too many controls and processes were identified, documented and tested was that in many cases neither a top-down nor a risk-based approach was effectively used. Rather, the assessment became a mechanistic, check-the-box exercise. This was not the goal of the Section 404 rules, and a better way to view the exercise emphasizes the particular risks of individual companies. Indeed, an assessment of internal control that is too formulaic and/or so detailed as to not allow for a focus on risk may not fulfill the underlying purpose of the requirements. The desired approach should devote resources to the areas of greatest risk and avoid giving all significant accounts and related controls equal attention without regard to risk.

The assessment of internal control over financial reporting will be more effective if it focuses on controls related to those processes and classes of transactions for financial statement accounts and disclosures that are most likely to have a material impact on the company's financial statements. Employing such a top-down approach requires that management apply in a reasonable manner its cumulative knowledge, experience and judgment to identify the areas of the financial statements that present significant risk that the financial statements could be materially misstated and then proceed to identify relevant controls and design appropriate procedures for documentation and testing of those controls. For instance, the application of judgment by management and the auditor will typically impact the nature, extent and timing of control testing such that the level of testing performed for a low risk account will likely be different than it will be for a high risk account. In performing these steps, management and auditors should keep the "reasonable assurance" standard in mind.

…As previously discussed, the staff believes that management should use a top-down, risk-based approach in determining significant accounts and related significant processes and relevant assertions. The natural result of such an approach is that management would devote greater attention and resources to the areas of greater risk.

The document can be viewed in its entirety at

The SEC has since pushed back the deadline for non-accelerated filers again. Under this new deadline, calendar year-end companies will need to be in compliance by December 31, 2007. Those companies with a year end after July 15 but prior to December 31 will be the first required to comply (the compliance date is the fiscal year end for fiscal year 2007). The SEC stated the following:

Under the new compliance schedule, a company that is not an accelerated filer, including a foreign private issuer that is not an accelerated filer, will begin to be required to comply with the Section 404 requirements for its first fiscal year ending on or after July 15, 2007.

The statement in its entirety can be viewed at the following link

Sarbanes-Oxley 404 Impact

The law has been in effect since 2002, but the deadline for meeting this new regulation has been pushed back a number of times in response to widespread criticism. Companies and audit firms are struggling to complete the massive effort, and the cost of implementation has been steep.

In response, the SEC has delayed the deadline of SOX 404 implementation for non-accelerated filers until July of 2006 from the original implementation date of June 2004. The accelerated filers have already suffered through their first year of implementation and many lessons have been learned from their pioneering efforts.

However, the law remains in effect and is unlikely to be repealed or substantially changed to reduce the compliance effort. While compliance will remain a difficult project, non-accelerated filers can benefit from the guidance that is being formulated following the initial year experiences of the accelerated filers.

The SEC and PCAOB have released a number of documents and comments that can serve to help non-accelerated filers in their compliance efforts. See the above section for specific links and other information.

However, accelerated filers have been subject to the SOX 404 requirements since their 2004 10-K filings. Other parts of the law phase in over the next few years.


©2004, 2005, 2006. ProCognis, Inc. All Rights Reserved. Modified March 30, 2009