By Gana Misra
Wed Jun 10 2026

SOX Section 404 Compliance: 2026 Updates, Key Differences, and Best Practices


If you are a CFO, controller, internal audit director, or external auditor running a Section 404 program, this guide is for you. It covers every operational dimension of SOX 404 compliance: who must comply and when, how to scope and test controls using the top-down, risk-based methodology the SEC and PCAOB actually require, how to classify deficiencies correctly, and what is changing in 2026.

Key takeaway: SOX Section 404 is not a checklist exercise. The 2007 reforms replaced the original exhaustive approach with a risk-based, top-down methodology that focuses testing on controls that matter. Companies that still treat it as a checkbox program waste resources and miss the real exposures.

What Is Required by Section 404 of the Sarbanes-Oxley Act?

Section 404 requires every public company to assess, document, test, and report on the effectiveness of its internal control over financial reporting (ICFR) annually. The statute, enacted in July 2002 following the Enron and WorldCom scandals, splits into two subsections with very different compliance burdens.

  • Section 404(a): Management must include in the annual report (Form 10-K or 20-F) an internal control report that states management's responsibility for ICFR, identifies the framework used, contains management's assessment of ICFR effectiveness as of fiscal year-end, and discloses any material weaknesses. If a material weakness exists, management cannot conclude ICFR is effective. This applies to all public companies.
  • Section 404(b): The independent registered public accounting firm must attest to and report on ICFR effectiveness. Under PCAOB AS 2201 (formerly AS 5), the auditor opines directly on ICFR effectiveness, not merely on management's assessment process. This applies only to accelerated filers and large accelerated filers.

What Are the Key Differences Between SOX 404(a) and 404(b) Compliance?

The practical gap between 404(a) and 404(b) is significant. Adding the auditor attestation roughly doubles the compliance burden for most companies, because the auditor must independently plan, scope, test, and opine on ICFR, and must perform walkthroughs of every major transaction class personally (this cannot be delegated to management or internal audit).

| Feature | 404(a) | 404(b) |
|---|---|---|
| Who performs the assessment | Management | Independent registered public accounting firm |
| Standard governing the work | SEC Release No. 33-8810 | PCAOB AS 2201 |
| Opinion issued | Management's assertion in 10-K | Auditor's attestation report in 10-K |
| Walkthroughs required | Management's judgment | Auditor must perform personally |
| Who it applies to | All public companies | Accelerated filers and large accelerated filers only |
| Typical incremental cost | Internal staff + advisory fees | Additional audit fees (historically $0.7M to $1.7M median) |

The original PCAOB Auditing Standard No. 2 (AS 2), in effect from 2004 to 2007, required auditors to evaluate management's assessment process in addition to independently assessing ICFR. That dual-focus approach drove excessive costs. AS 2201 eliminated it and explicitly endorsed the top-down, risk-based methodology.

Filer Classification: Does 404(b) Apply to Your Company?

Filer status, assessed annually at the end of the second fiscal quarter, determines whether 404(b) applies. The thresholds are set by SEC rules and reassessed each year.

| Filer Type | Public Float | Annual Revenue | 404(a) | 404(b) |
|---|---|---|---|---|
| Large accelerated filer | ≥ $700M | Any | Required | Required |
| Accelerated filer (not SRC) | $250M to $700M | ≥ $100M | Required | Required |
| Accelerated filer (SRC) | $75M to $250M | > $100M | Required | Required |
| SRC / non-accelerated filer | $75M to $700M | < $100M | Required | Exempt |
| Non-accelerated filer | < $75M | Any | Required | Exempt |
| Emerging growth company (EGC) | Varies | < $1.235B | Required | Exempt (up to 5 years post-IPO) |

Source: Crowe analysis of SEC guidance, 2025

A company with a December 31 fiscal year-end assesses its filer status based on public float as of June 30. If float crosses $700M on that date, the company becomes a large accelerated filer and 404(b) applies to the 10-K filed for that fiscal year.

2026 update: The SEC's May 19, 2026 proposed rule release 33-11419 (Public Company Reporting Framework) would raise the large accelerated filer threshold from $700 million to $2 billion. If adopted, this would extend the 404(b) exemption to every public company below $2 billion in float. The proposal is open for comment through approximately July 20, 2026 and is not yet a final rule. Until final rules are published, the current $700 million threshold governs. Companies approaching that threshold should model both scenarios when planning their 404 program investments.

EGC and SRC Exemptions: When Do You Lose Them?

Emerging growth companies under the JOBS Act of 2012 are exempt from 404(b) for up to five fiscal years after their IPO, or until EGC status is lost, whichever comes first. EGC status ends when any of the following occur:

  • Annual gross revenues exceed $1.235 billion (inflation-adjusted threshold as of 2024)
  • Public float exceeds $700 million (triggering large accelerated filer status)
  • More than $1 billion in non-convertible debt is issued in the prior three-year period
  • Five fiscal years have elapsed since the IPO

Companies that track revenue and float carefully often discover they are approaching these thresholds mid-year. The loss of EGC status is not always anticipated, and the first 404(b) audit requires significant lead time to prepare.

The IPO Grace Period: When Does 404 Compliance First Apply?

Newly public companies generally have until their second Form 10-K to become 404(a) compliant. The first 10-K after IPO does not require management's ICFR assessment. This is a critical planning window.

Here is a worked example:

  1. May 2024: Company completes IPO. Fiscal year ends December 31.
  2. Early 2025: First Form 10-K filed. No 404(a) assessment required.
  3. June 30, 2025: Filer status assessed based on public float. If float is $300M and revenues are $120M, the company is an accelerated filer.
  4. Early 2026: Second Form 10-K filed. 404(a) is required. If filer status is accelerated filer, 404(b) is also required.
  5. Planning implication: The company must design, implement, document, and test its ICFR program during 2025, with controls operating for a sufficient period before December 31, 2025 to support the assessment.

Companies that wait until Q3 of the second year to begin building their 404 program consistently run out of time. Controls need to operate for a meaningful period, typically at least six months, before year-end testing can produce reliable evidence.

For foreign private issuers filing on Form 20-F, the 404 obligations and timing differences follow similar logic but with additional complexity: local finance teams may lack U.S. GAAP competency, internal audit functions may be less established, and multi-jurisdiction control environments create documentation challenges.

The Framework Question: Is COSO Required?

The SEC does not mandate COSO, but it is the dominant framework and the practical default. The SEC's interpretive guidance requires management to identify the framework used for the evaluation. In practice, virtually all U.S. public companies use the COSO Internal Control Integrated Framework (2013).

The 2013 update replaced the 1992 version. Companies still relying on the 1992 framework face auditor scrutiny, and the SEC and PCAOB have both signaled that the 2013 framework is the current standard. COSO 2013 is built on five components and 17 principles:

  • Control Environment: Tone at the top, integrity, ethical values, board oversight
  • Risk Assessment: Identification and analysis of risks to achieving financial reporting objectives
  • Control Activities: Policies and procedures that address identified risks, including IT controls
  • Information and Communication: Relevant information identified, captured, and communicated
  • Monitoring Activities: Ongoing and separate evaluations to assess whether controls are present and functioning

As SEC Chief Accountant Conrad Hewitt stated when announcing the 2007 guidance: "Our guidance enables companies of all sizes to focus on what truly matters to the integrity of the financial statements, risk and materiality."

The Top-Down, Risk-Based Scoping Methodology: How It Actually Works

This is where most guides fail. They name the concept without explaining the mechanics. Here is how the SEC's 2007 interpretive guidance and AS 2201 actually require you to scope a 404 program.

Step 1: Start with Entity-Level Controls

Entity-level controls (ELCs) operate across the entire organization and can have a pervasive effect on the reliability of financial reporting. They include the control environment, risk assessment processes, period-end financial reporting controls, and monitoring activities. Strong ELCs can reduce the extent of process-level testing required. Weak ELCs are a red flag that expands scope.

Step 2: Identify Significant Accounts and Disclosures

A significant account is one where there is a reasonable possibility that it could contain a misstatement that, individually or in combination with others, would be material to the financial statements. Factors to consider:

  • Size and composition of the account
  • Susceptibility to misstatement due to error or fraud
  • Volume of activity and complexity of transactions
  • Degree of judgment involved in determining the account balance
  • Nature of the account (related-party transactions, estimates, non-routine items)

Step 3: Identify Relevant Assertions

For each significant account, identify which financial statement assertions are relevant: existence/occurrence, completeness, valuation/accuracy, rights and obligations, presentation and disclosure. Not every assertion is relevant to every account. Revenue recognition, for example, typically implicates existence, completeness, and cutoff. Inventory implicates existence, valuation, and completeness.

Step 4: Understand the Flow of Transactions

For each significant account and relevant assertion, understand how transactions originate, are authorized, processed, recorded, and reported. This is the process-level analysis. It identifies where misstatements could enter the financial statements and therefore where controls need to operate.

Step 5: Identify Key Controls

A key control is one that adequately addresses the risk of material misstatement for a relevant assertion. The SEC's guidance is explicit: not every control in every process needs to be identified or tested, only those that adequately address financial reporting risks. Over-scoping (documenting and testing hundreds of non-key controls) is one of the most common and costly mistakes in 404 programs.

Step 6: Scope IT General Controls

IT general controls (ITGCs) are the foundation on which automated application controls rest. If ITGCs are unreliable, automated controls cannot be relied upon, and the scope of manual testing expands significantly. The four ITGC domains are:

  1. Program development: Controls over the design and implementation of new systems and applications
  2. Program changes: Controls over modifications to existing systems, including change management and approval processes
  3. Computer operations: Controls over the processing of data, including batch processing, job scheduling, and incident management
  4. Access to programs and data: Controls over logical access, user provisioning, privileged access, and segregation of duties within systems

ITGC failures are pervasive because a single access control weakness can invalidate reliance on automated controls across every process that uses the affected system. The KPMG 2025 SOX Survey found that automated controls dropped from 21% of total in-scope controls in FY2022 to 17% in FY2024, even as the average number of in-scope IT systems jumped from 17 to 40. More systems with fewer automated controls means more IT-dependent manual controls requiring full ITGC support documentation. PCAOB inspection findings consistently identify insufficient ITGC testing as one of the most common deficiencies in ICFR audits.

Multi-Location Scoping

For companies with multiple locations or subsidiaries, AS 2201 does not require every location to be tested. A risk-based coverage approach is appropriate: select locations based on financial significance and risk of material misstatement, with entity-level controls providing coverage for lower-risk locations. Document the rationale for inclusion and exclusion decisions.

Service Organizations: The SOC 1 Report Problem

If your company uses a cloud ERP provider, payroll processor, transfer agent, or other service organization for processes relevant to ICFR, you must obtain and evaluate a SOC 1 Type II report. This is a recurring gap in 404 programs and a frequent finding in PCAOB inspections.

A SOC 1 Type II report (issued under AT-C 320 / SSAE 18) describes the service organization's controls and provides the auditor's opinion on whether those controls operated effectively over the report period. Management's responsibilities include:

  • Identifying all service organizations that process transactions or data relevant to ICFR
  • Obtaining current SOC 1 Type II reports (covering a period that overlaps with your assessment period)
  • Evaluating whether the controls described in the report adequately address the relevant risks
  • Assessing any exceptions noted in the report and determining their impact on your ICFR assessment
  • Performing complementary user entity controls (CUECs) that the service organization's controls assume you have in place

Companies that implement new ERP systems, migrate to cloud platforms, or change payroll providers mid-year often discover they do not have a current SOC 1 report for the transition period. This creates a gap that cannot be papered over.

Deficiency Classification: Control Deficiency, Significant Deficiency, or Material Weakness?

Getting the classification right is not just a technical exercise. A material weakness requires an adverse ICFR opinion and public disclosure. Misclassifying a material weakness as a significant deficiency is a disclosure failure.

The three-tier framework under AS 2201 and the SEC's rules:

| Level | Definition | Disclosure Required |
|---|---|---|
| Control deficiency | Design or operation of a control does not allow prevention or detection of misstatements on a timely basis | No public disclosure required; communicate to management |
| Significant deficiency | A deficiency, or combination of deficiencies, less severe than a material weakness but important enough to merit attention by those responsible for oversight | Must be communicated in writing to audit committee and auditors |
| Material weakness | A deficiency, or combination of deficiencies, such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis | Adverse ICFR opinion; disclosed in 10-K; management cannot conclude ICFR is effective |

Severity Evaluation Factors

Classification depends on two dimensions: likelihood (how probable is it that the deficiency will result in a misstatement?) and magnitude (how large would the resulting misstatement be?). Compensating controls can reduce severity, but only if they operate at a level of precision sufficient to prevent or detect the specific misstatement the deficient control was meant to address.

AS 2201 Indicators of At Least a Significant Deficiency (Potentially a Material Weakness)

AS 2201 identifies specific circumstances that are at least significant deficiencies and may rise to material weaknesses:

  • Restatement of previously issued financial statements
  • Identification of fraud by senior management, regardless of amount
  • Ineffective audit committee oversight of financial reporting
  • Material misstatement in financial statements not initially identified by the company's controls
  • Ineffective control environment

If any of these indicators are present, the burden is on management to demonstrate why the deficiency does not constitute a material weakness.

What Happens After a Material Weakness Is Identified?

Discovering a material weakness late in the fiscal year creates a compressed timeline. The sequence:

  1. Communicate immediately to the audit committee and external auditors in writing.
  2. Assess whether remediation is feasible before year-end. A control remediated and operating effectively for only two weeks before year-end is unlikely to support a conclusion that the weakness has been remediated.
  3. If not remediated by year-end: Management must disclose the material weakness in the annual report. The ICFR opinion will be adverse.
  4. Develop a remediation plan with specific milestones, ownership, and a target date. Auditors and the audit committee will expect to see this.
  5. Re-test after remediation. The remediated control must operate effectively for a sufficient period before management can conclude the weakness has been addressed in a subsequent period.

The SEC's 2009 study documented that material weakness disclosures are associated with share-price declines, higher audit fees, and management turnover. Early detection and remediation, not late-year surprises, is the goal.

Auditor-Management Coordination Under AS 2201

This dynamic is a major source of confusion and audit friction. Here is what the standard actually says.

What the Auditor Must Do Independently

Under AS 2201, the external auditor must:

  • Perform walkthroughs of each major class of transactions personally (cannot be delegated)
  • Independently evaluate the design and operating effectiveness of key controls
  • Opine directly on ICFR effectiveness (not on management's assessment process)
  • Evaluate the severity of any identified deficiencies

What the Auditor Can Rely on From Others

The auditor may use the work of internal audit, management testing, and other company personnel to alter the nature, timing, and extent of the auditor's own procedures. But there are hard limits:

  • The auditor cannot use the work of others to the extent that it would result in performing only an insignificant portion of the work.
  • For higher-risk areas, the auditor must perform more of the work directly.
  • The auditor must evaluate the competence and objectivity of those whose work is used. Internal audit functions that report directly to management (rather than to the audit committee) face objectivity scrutiny.

What Management Cannot Assume

Management cannot rely on the auditor's work to satisfy its own 404(a) assessment obligations. The two processes are parallel, not sequential. Management's assessment must be independently supportable, with its own documentation and evidence. Companies that assume the auditor's testing will cover their assessment gaps are exposed.

The integrated audit concept under AS 2201 means the ICFR audit and financial statement audit are planned and performed together. Knowledge gained in the ICFR audit informs the financial statement audit, and the auditor's assessment of control risk directly affects the nature and extent of substantive testing. A strong ICFR program reduces substantive audit procedures, which is a tangible cost benefit.

The Business Combination Exclusion

One of the most practically useful, and least understood, relief provisions in 404 compliance: management may exclude a newly acquired business from the scope of its 404(a) assessment in the year of acquisition, provided the exclusion is disclosed and the acquired business's financial statements are not included in the annual report for a full fiscal year.

This exclusion is not available for 404(b). Auditors must consider the acquired entity's controls to the extent they are material to the consolidated financial statements. If the acquisition is large enough to be material, the auditor's scope expands even in the year of acquisition, creating a coordination challenge that should be addressed in the acquisition integration plan.

SOX 302 vs. SOX 404: Not the Same Thing

These two provisions are related but distinct, and conflating them creates real compliance gaps.

Section 302 requires the CEO and CFO to certify in each 10-K and 10-Q that they have evaluated disclosure controls and procedures, disclosed to the audit committee and auditors any significant changes in internal controls, and disclosed any fraud involving management or employees with a significant role in internal controls. This is a quarterly obligation.

Section 404 is the annual deep-dive ICFR assessment. It requires a formal management report and, for applicable filers, an auditor attestation.

The practical implication: if a control deficiency is identified mid-year, the 302 certification process may require disclosure of that change even before the annual 404 assessment is complete. Companies that treat 302 as a rubber stamp on the 404 annual cycle miss this quarterly disclosure trigger. For a deeper look at how disclosure teams manage evidence and audit traceability across these obligations, see How Disclosure Teams Can Master Evidence and Audit Traceability.

What Does 404 Compliance Cost, and Has It Improved?

The SEC's 2009 study remains the most authoritative cost benchmark. After the 2007 reforms:

  • Median total 404 compliance costs for large accelerated filers fell from approximately $2.9M to $1.7M
  • Median total 404 compliance costs for accelerated filers fell from approximately $1.1M to $0.7M
  • 89% of surveyed companies reported that 404 compliance improved the reliability of financial reporting
  • 78% reported it improved investor confidence
  • 66% reported that compliance costs still exceeded the benefits, disproportionately among smaller companies

These figures are from 2009. In 2026, first-time filers implementing new ERP systems, managing complex multi-entity structures, or building programs from scratch face costs that are likely materially higher due to inflation, technology complexity, and the expanded scope of IT general controls in cloud environments. The 2009 data is a floor, not a ceiling, for planning purposes.

As one PCAOB Board Member noted in a 2005 speech: "Much of the initial costs relate to correcting the effects of 'deferred maintenance' and bringing controls up to the standard the federal securities laws have always required." That observation still holds for first-time filers in 2026.

The Five-Phase SOX Maturity Model

Most mid-to-large companies organize their 404 program around a five-phase cycle, aligned with both the SEC's management guidance and AS 2201:

  1. Scoping and risk assessment: Identify significant accounts, relevant assertions, and key processes. Perform entity-level control assessment. Document scoping rationale.
  2. Process documentation and control design: Document process flows, identify key controls (including ITGCs), assess control design adequacy. Identify design gaps before testing begins.
  3. Control testing and evaluation: Test operating effectiveness of key controls. Obtain and evaluate SOC 1 reports for service organizations. Document evidence.
  4. Deficiency identification and remediation: Classify deficiencies using the three-tier framework. Communicate to audit committee. Remediate before year-end where feasible.
  5. Reporting and continuous improvement: Finalize management's assessment. Coordinate with external auditors on integrated audit. File 10-K. Conduct post-assessment review to improve the program for the next cycle.

The audit committee plays a specific oversight role at each phase: reviewing management's assessment methodology, evaluating the scope of the auditor's work, and receiving and acting on deficiency reports. This oversight function is not passive, and CFOs should treat audit committee engagement as a program input, not just a reporting output.

2026 Updates: What Is Changing in the SOX 404 Landscape

PCAOB Standard-Setting Activity

The PCAOB has been active on standards relevant to integrated audits. In 2024 to 2025, the PCAOB proposed updates to AS 2101 (Audit Planning) that would affect how auditors document their planning process for integrated audits, with direct implications for the auditor-management coordination dynamic in 404 engagements. If finalized, these updates will require more explicit documentation of how the auditor considered ICFR risks in planning the financial statement audit, and vice versa.

PCAOB inspection findings continue to identify ICFR audit deficiencies as among the most common issues: insufficient ITGC testing, failure to adequately test controls over the financial statement close and reporting process, over-reliance on management's testing without sufficient independent verification, and inadequate evaluation of deficiency severity.

Automated Controls and AI-Assisted Testing

The growing use of automated controls (system-enforced segregation of duties, automated reconciliations, exception reporting) and AI-assisted testing tools is changing the economics of 404 compliance. Automated controls, when supported by strong ITGCs, can be tested more efficiently than manual controls and provide more consistent evidence of operating effectiveness.

AI tools are beginning to assist with control documentation, testing sampling, and anomaly detection. Regulators and practitioners are still working through the implications: how should AI-generated testing evidence be documented? What human review is required? The PCAOB's ongoing review of technology-based audit tools will shape these answers. For a broader view of how AI is being applied in finance and where the evidence supports it, see AI in Finance: What Works, What Fails, and the Evidence.

ICFR and ESG/Sustainability Reporting Controls

SOX 404 does not currently cover ESG data. But as CSRD and ISSB frameworks require assured sustainability data, leading companies are extending their ICFR-style control disciplines to sustainability reporting processes: risk identification, control design, testing, and deficiency evaluation. The internal control infrastructure built for 404 compliance is directly transferable. Companies that treat their ICFR program as a compliance silo, rather than a governance capability, will face a steeper climb when sustainability assurance requirements mature. For context on how climate disclosure requirements are evolving, see SEC Climate Rescission: Drafting SAB 74 Disclosures.

FAQ

Can management rely on the external auditor's work to satisfy its 404(a) assessment?
No. Management's assessment must be independently supportable with its own documentation and evidence. The auditor's work informs but does not substitute for management's obligations under 404(a).

What framework must management use for the ICFR assessment?
The SEC does not mandate a specific framework, but requires management to identify the one used. COSO 2013 is the practical standard. Companies using the 1992 framework face auditor scrutiny.

Does a newly acquired company need to be included in the 404(a) assessment in the year of acquisition?
Management may exclude a newly acquired business from the 404(a) scope in the year of acquisition, with disclosure. This exclusion does not apply to 404(b).

What is the difference between a significant deficiency and a material weakness?
A material weakness creates a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis. A significant deficiency is less severe but still warrants attention by those responsible for financial reporting oversight. The distinction drives disclosure obligations and the ICFR opinion.

When does a first-time public company need to comply with 404?
Generally, the second Form 10-K after IPO. The first 10-K does not require management's ICFR assessment. Filer status as of the second fiscal quarter-end determines whether 404(b) also applies.

How do SOC 1 reports factor into a 404 assessment?
For service organizations that process transactions relevant to ICFR, management must obtain and evaluate a SOC 1 Type II report covering the assessment period. Failure to do so is a recurring PCAOB inspection finding.

How does SOX 302 differ from SOX 404?
Section 302 requires quarterly CEO and CFO certifications covering disclosure controls and any significant changes in internal controls. Section 404 is the annual ICFR assessment. A control change identified mid-year may trigger a 302 disclosure obligation before the annual 404 assessment is complete.
