Guide to SOX 404 Assessments

The Institute of Internal Auditors has published “Sarbanes-Oxley Section 404: A Guide for Management by Internal Control Practitioners”.

The Guide incorporates guidance from the U.S. Securities and Exchange Commission, the Public Company Accounting Oversight Board, The Institute of Internal Auditors, and the real-world experience and insight of practicing internal auditors.

The Guide focuses on how costs can be minimized without impairing the effectiveness of your internal controls. It also discusses the interplay between the requirements of Section 404 and those of Section 302, which requires annual and quarterly certifications by the chief executive officer and chief financial officer that include assessments of the internal controls.

Internal control is broadly defined as a process designed to provide reasonable assurance regarding the achievement of objectives. The Guide notes that an internal control system, no matter how well conceived and operated, can provide only reasonable, not absolute, assurance to management and the board regarding achievement of an entity’s objectives.

Management has a great deal of latitude in describing the condition of its internal controls. The only formal requirement is that management not assess the controls as effective when there is a material weakness. The assessment should clearly describe management’s opinion.

What is the true condition of the system of internal control at the end of the year? Is it sufficiently robust to provide reasonable assurance that material errors will either be prevented or detected? The investor should be able to read the assessment and understand whether the company has adequate controls to run the business and report the results.

To download a free copy of the Guide, go to this IIA Web Page.