SOX Section 404 Testing Requirements: Management Assessment and Auditor Attestation
Last updated: 2026-05-04 — ComplianceStack Editorial Team
Sarbanes-Oxley Section 404 is the most operationally demanding provision of the Act — and the one that drives the most compliance cost for public companies. It requires that management annually assess the effectiveness of internal controls over financial reporting (ICFR) and that the external auditor independently attest to that assessment. Getting Section 404 wrong has consequences: material weaknesses disclosed in the annual report directly affect stock price, auditor relationships, and SEC enforcement risk. This guide covers the testing methodology, PCAOB standards, common deficiencies, and the remediation process.
What Section 404 Actually Requires
Section 404 of the Sarbanes-Oxley Act of 2002 contains two subsections with separate obligations:
Section 404(a) — Management Assessment: Requires that each annual report (Form 10-K) contain a management report on the effectiveness of internal controls over financial reporting. Management must state its responsibility for ICFR, identify the framework used for the assessment, and state whether ICFR is effective as of the fiscal year end. If a material weakness exists, management cannot conclude that ICFR is effective.
Section 404(b) — Auditor Attestation: Requires the registered public accounting firm that prepares or issues the audit report to attest to and report on the assessment made by management. The auditor must independently evaluate ICFR — not just review management's work — and issue its own opinion. This applies to large accelerated filers and accelerated filers. Non-accelerated filers (companies with public float under $75 million) are permanently exempt from 404(b) under the Dodd-Frank Act.
The SEC implements Section 404 through rules at 17 CFR §229.308 (Regulation S-K, Item 308). The PCAOB sets auditing standards for the external attestation — currently AS 2201 (An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements).
For the full SOX compliance framework including Sections 302 and 906, see the SOX Compliance: Section 302/404 Guide 2026.
The COSO Framework: What Management Uses for Assessment
Management must use a recognized internal control framework to conduct the Section 404(a) assessment. The most widely used framework is the COSO Internal Control — Integrated Framework (2013). The PCAOB permits other frameworks if they are free from significant deficiencies, publicly available, and subject to due process in their development — but COSO 2013 is the practical standard.
COSO 2013 structures internal control around five components:
Control Environment: The tone at the top, organizational structure, and commitment to competence and integrity. Deficiencies here — weak board oversight, management override of controls — are often characterized as entity-level control weaknesses with pervasive effect.
Risk Assessment: The process by which management identifies and analyzes risks to achieving financial reporting objectives. This includes identifying which accounts and disclosures have risks of material misstatement.
Control Activities: Specific controls that management performs to address identified risks — account reconciliations, journal entry approvals, IT general controls, segregation of duties. These are the controls tested in Section 404.
Information and Communication: Systems that capture, process, and report financial information reliably, including IT systems and communication of control responsibilities.
Monitoring Activities: Ongoing and separate evaluations of the five components — internal audit, control self-assessments, management reviews.
For a practical checklist of COSO 2013 controls by component, see the SOX Audit Committee Compliance Checklist.
How Management Tests Internal Controls: The Testing Methodology
Management's Section 404(a) assessment involves scoping, testing, and evaluating controls. The methodology:
Step 1 — Scoping: Identify the accounts and disclosures with risk of material misstatement. Identify the significant processes and key controls that address those risks. Management is not required to test all controls — only those key controls that address the risk of material misstatement. Over-scoping wastes resources; under-scoping creates gaps.
Step 2 — Control Documentation: Document each key control including the risk addressed, the control description (who performs it, how often, over what population), and the evidence generated. Flow charts and risk-control matrices (RCMs) are standard documentation tools.
Step 3 — Control Testing: Test each key control to determine whether it is operating effectively. Testing approaches include:
— Inquiry: Lowest evidence quality. Can be used to understand process but insufficient alone.
— Observation: Watching a control be performed. More persuasive but point-in-time.
— Inspection: Reviewing documentation of control performance. Examining approved journal entries, reconciliations, authorizations.
— Re-performance: Independently repeating the control. Highest evidence quality.
Sample sizes for control testing vary by frequency and risk. Annual controls are typically tested over 100% of the population. Monthly controls: 3-5 samples. Daily or transaction-level controls: 25-60 samples depending on population size.
Step 4 — Deficiency Evaluation: Evaluate whether identified control failures constitute a control deficiency, significant deficiency, or material weakness. The distinction drives disclosure requirements and auditor response.
Material Weakness vs. Significant Deficiency: The Disclosure Threshold
The severity classification of control deficiencies determines what gets disclosed and what consequences follow:
Control Deficiency: A control does not operate as designed or a necessary control is missing. Does not require external disclosure. Must be communicated to management.
Significant Deficiency: A deficiency or combination of deficiencies in ICFR that is less severe than a material weakness but important enough to merit attention from those responsible for financial reporting oversight (Audit Committee). Must be communicated to the Audit Committee. Does not require public disclosure — unless the deficiency exists as of the assessment date and is not remediated, in which case the auditor must communicate it but management's disclosure is limited.
Material Weakness: A deficiency or combination of deficiencies in ICFR such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis. If a material weakness exists as of the assessment date, management cannot conclude that ICFR is effective — the 10-K must disclose the material weakness.
Common indicators of potential material weakness under AS 2201 include: restatement of previously issued financial statements, identification of fraud, ineffective Audit Committee oversight, and material misstatement detected by external audit that was not detected by ICFR.
For a complete guide to SOX compliance costs and consequences, see the SOX Section 302/404 Guide 2026 and the Real Cost of Non-Compliance 2026.
PCAOB AS 2201: The Auditor Attestation Standard
External auditors performing Section 404(b) attestations must comply with PCAOB Auditing Standard AS 2201, adopted in 2004 and updated in 2007. Key requirements:
Integrated Audit: The auditor must integrate the ICFR audit with the financial statement audit. They cannot issue separate opinions without considering the interaction between ICFR and financial statement risk.
Top-Down Risk-Based Approach: Auditors start at the financial statement level, identify significant accounts and disclosures, understand entity-level controls, then identify key controls to test. This is conceptually aligned with management's approach under COSO.
Independent Testing: The auditor must independently test key controls — they cannot simply rely on management's testing. They may use the work of others (internal audit, management testing) but must evaluate the competence and objectivity of those performing the work and must perform enough direct testing to form an independent opinion.
AS 2201 paragraphs 25-27 specifically address the use of work of others — auditors with higher risk accounts and controls must perform more direct testing; lower risk allows more reliance on management.
Opinion types: Unqualified (no material weaknesses), adverse (one or more material weaknesses exist), or withdrawal (auditor cannot complete the audit). An adverse ICFR opinion does not prevent filing the 10-K but triggers significant investor and analyst scrutiny.
See the SOX Compliance Guide 2026 for the full auditor relationship framework and what to expect during a Section 404(b) audit.
IT General Controls and Section 404
IT General Controls (ITGCs) are foundational to Section 404 because most financial reporting processes now run through automated systems. If ITGCs are ineffective, the automated application controls they support are also considered unreliable. Common ITGC domains tested in Section 404:
Access to Programs and Data: User access provisioning, privilege management, access reviews, super-user and privileged access controls. Segregation of duties — ensuring that the person who can record journal entries cannot also approve them.
Program Change Management: Controls over changes to financial reporting applications, including change request documentation, testing before deployment, and separation of development and production environments.
Computer Operations: Backup and recovery procedures, job scheduling controls, incident management.
System Development: Controls over new system implementations affecting financial reporting.
ITGC deficiencies are among the most common drivers of material weaknesses in SEC filings. When an ITGC fails — for example, a terminated employee's access not being removed from the financial reporting system within a defined period — the application controls that rely on that IT environment are compromised. Assess your IT control environment using the SOX IT General Controls Checklist or the Compliance Gap Analyzer.
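As an added example (not from the page or from ComplianceStack), here is the kind of reconciliation a control tester might run when inspecting the two access controls described above: it compares constructed HR termination dates against system access records, flags terminated users whose access stayed open past the defined period, and flags users who hold both the journal-entry posting and approval roles. The role names, user ids, dates and the 5-day removal window are all assumptions for illustration.

```python
from datetime import date

# Constructed sample data for illustration, not taken from any real system.
# HR feed: user_id -> termination date.
HR_TERMINATIONS = {
    "u101": date(2026, 1, 10),
    "u102": date(2026, 2, 3),
    "u103": date(2026, 2, 20),
}
# Financial system access log: (user_id, role, date revoked or None if still active).
# Role names are assumed: GL_POST records journal entries, GL_APPROVE approves them.
ACCESS_RECORDS = [
    ("u101", "GL_POST", date(2026, 1, 12)),    # revoked 2 days after termination
    ("u102", "GL_POST", None),                  # terminated, access still active
    ("u103", "GL_APPROVE", date(2026, 3, 15)),  # revoked, but 23 days later
    ("u200", "GL_POST", None),                  # current employee
    ("u200", "GL_APPROVE", None),               # same person can post AND approve
    ("u201", "GL_APPROVE", None),
]

def deprovisioning_exceptions(terminations, access, max_days, as_of):
    """Return (user_id, role, days_open) for each terminated user whose access
    was not removed within max_days. Still-active access is measured up to as_of."""
    exceptions = []
    for user, role, revoked in access:
        term = terminations.get(user)
        if term is None:
            continue  # not a terminated user; outside this control's population
        days_open = ((revoked or as_of) - term).days
        if days_open > max_days:
            exceptions.append((user, role, days_open))
    return exceptions

def sod_conflicts(access, conflicting_roles):
    """Return users who currently hold every role in conflicting_roles at once,
    e.g. who can both record and approve journal entries."""
    active = {}
    for user, role, revoked in access:
        if revoked is None:
            active.setdefault(user, set()).add(role)
    return sorted(u for u, roles in active.items() if conflicting_roles <= roles)

def run_review(max_days=5, as_of=date(2026, 4, 1)):
    """Run both checks over the constructed data with an assumed 5-day removal window."""
    return (deprovisioning_exceptions(HR_TERMINATIONS, ACCESS_RECORDS, max_days, as_of),
            sod_conflicts(ACCESS_RECORDS, {"GL_POST", "GL_APPROVE"}))
```

Each exception returned is a candidate control deficiency whose severity still has to be evaluated under Step 4; the script only produces the population of failures, not the classification.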
Frequently Asked Questions: SOX Section 404 Testing
Who is exempt from Section 404(b) auditor attestation?
Non-accelerated filers — companies with a public float under $75 million — are permanently exempt from Section 404(b) under the Dodd-Frank Wall Street Reform Act (2010). Emerging growth companies (EGCs) under the JOBS Act are also exempt from 404(b) for up to five years following their IPO or until they no longer qualify as an EGC. All public companies, regardless of size, must comply with Section 404(a) management assessment. Private companies are not subject to Section 404 — though companies preparing for IPO should establish ICFR controls as part of IPO readiness. See the SOX Compliance for Newly Public Companies guide for IPO-year timeline guidance.
What happens if we disclose a material weakness in the 10-K?
Disclosure of a material weakness requires identifying it in the ICFR report within the 10-K (Item 9A of Form 10-K). The company cannot state that ICFR is effective. The external auditor must issue an adverse opinion on ICFR (for 404(b) filers). Common consequences include: stock price decline on disclosure date, increased scrutiny from the Audit Committee, potential SEC comment letter, loss of S-3 shelf registration eligibility (large accelerated filers must remediate before using S-3 for primary offerings), and heightened auditor focus in subsequent years. Remediation typically takes one to three quarters depending on the complexity of the control deficiency.
How much does a Section 404 audit cost?
The average Section 404(b) audit cost varies significantly by company size and complexity. For companies with market capitalization between $75 million and $700 million, external audit fees for the integrated audit (including 404(b)) typically range from $500,000 to $2,000,000 annually. Accelerated filers at the larger end of that range and large accelerated filers pay substantially more. Internal costs — management time for control documentation, testing, and remediation — typically add 50-100% of external audit fees. The Compliance Gap Analyzer can estimate your control testing scope and resource requirements.