SOX Section 404 Annual ICFR Assessment Checklist

Management must use a suitable, recognized framework for the ICFR assessment. The SEC and PCAOB recognize the COSO 2013 Internal Control — Integrated Framework as the standard. Using the 1992 COSO framework is no longer accepted. Document that COSO 2013 was adopted and all five components and 17 principles were evaluated.

Significant accounts are those with a reasonable possibility of containing a material misstatement. For each significant account, identify which financial statement assertions are relevant (completeness, existence, valuation, rights and obligations, presentation and disclosure). Document this in the scoping memo.

Map business processes to significant accounts: order-to-cash, procure-to-pay, financial close, payroll, IT general controls. For each process, identify the key controls — both manual and automated — that address material misstatement risk.

ITGCs cover access management, change management, computer operations, and data backup/recovery for systems that process significant financial data. ITGC failures cascade — a single pervasive ITGC deficiency can render all automated controls in that system ineffective.

Design effectiveness testing determines whether a control, if operating as designed, would prevent or detect material misstatements. Walk-throughs are the primary technique. For automated controls, obtain evidence that the system logic performs as designed.

Operating effectiveness testing confirms controls functioned throughout the year. Sample sizes follow PCAOB guidance (25 samples for daily controls, 5 for quarterly). Controls must be tested as of year-end, not just at one point in time.

A material weakness exists when there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis. A significant deficiency is less severe but still important enough to merit attention by the audit committee. Every deficiency must be evaluated for severity — do not leave classification as 'TBD.'

Management must communicate all significant deficiencies and material weaknesses to the audit committee in writing. The external auditor must independently evaluate management's classification and must also communicate their findings. Document all communications.

Management's report must: (1) state management's responsibility for ICFR, (2) identify the framework used, (3) state management's assessment conclusion, and (4) if applicable, disclose any identified material weaknesses. The report cannot include a qualified or adverse conclusion — if any material weakness exists, the report must so state.

For large accelerated and accelerated filers, the external auditor's attestation on ICFR must accompany management's report in the 10-K. Coordinate timing of testing, deficiency classification discussions, and their report drafting with the audit partner.

The CEO and CFO Exhibit 31 certifications explicitly reference their evaluation of ICFR. Confirm that the conclusion in management's ICFR report matches the 302 certification language — any inconsistency is an automatic SEC inquiry flag.

Entity-level controls — tone at the top, risk assessment processes, monitoring activities, information and communication, and control environment — affect the overall ICFR assessment. Weak ELCs can elevate other deficiencies to material weakness severity through their pervasive effect.

Acquired entities do not need to be included in the 404 assessment in the year of acquisition if management so elects and discloses. But if included, their ICFR must be assessed. Document the scope decision for every acquisition and disclose in the 10-K.

For multi-location companies, use risk-based scoping to determine which locations are 'significant.' Locations representing more than 15-20% of a financial statement assertion are typically in scope. Document scoping decisions and the rationale for in-scope and out-of-scope locations.

Management review controls (MRCs) such as budget-to-actual variance reviews and analytical procedures are key ICFR controls, but their effectiveness depends on the precision of the review. Document the basis for management's conclusions, the source data used, and what follow-up occurred on variances.

The financial close process — including journal entry controls, account reconciliation procedures, and consolidation — is a high-risk area and a common source of material weaknesses. Test journal entry approval controls, reconciliation frequency, and reviewer qualifications.

Prior-year deficiencies that were remediated must be retested. Remediation is not effective until the new control has operated for a sufficient period — typically one full quarter. A deficiency that was remediated in December cannot be considered effective as of December 31.

Management's risk assessment — identifying risks of material misstatement, inherent risk factors, and how controls address identified risks — must be documented. The risk assessment drives scope: higher-risk assertions require more robust controls and more extensive testing.

The external auditor will review management's testing documentation, risk assessment, scoping memos, and deficiency evaluations. Gaps in documentation — missing evidence, unsigned walkthroughs, test results without conclusions — will be identified as additional deficiencies.

SOX Section 802 makes it a federal crime to destroy documents knowing they may be relevant to an official proceeding. Retain all workpapers, testing evidence, deficiency analysis, and communications with auditors for a minimum of 7 years in a format that cannot be altered.