22-item ICFR assessment workflow based on COSO 2013 and PCAOB AS 2201. Filer-aware: 404(b) items auto-flag for accelerated filers. AI readiness scoring included.
📅 Section 404 Is Annual — Included with Your 10-K
LAF: 60 days after FYE · AF: 75 days · NAF/SRC/EGC: 90 days
Management has documented the ICFR definition per SEC rules: processes designed to provide reasonable assurance regarding reliability of financial reporting, including policies and procedures that pertain to maintenance of records in accordance with GAAP.
Rule 13a-15(f) · SEC Release 33-8238 (2003)
Critical
Recognized control framework selected and applied (COSO 2013)
Management has selected a suitable, recognized ICFR framework — COSO 2013 is the predominant standard (used by ~97% of filers). The framework used must be identified in the 404(a) disclosure. The COSO 2013 update (vs. 1992) is now expected; use of 1992 framework requires justification.
Assessment must address all five COSO components: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring. All 17 underlying principles must be present and functioning. Missing principles are deficiencies even if no control failures exist.
Control environment: tone at top, code of conduct, ethics policies
Control environment assessment includes: board and audit committee oversight effectiveness, management philosophy and operating style, organizational structure with clear authority/responsibility, and commitment to competence. Code of conduct existence and enforcement documented.
COSO 2013 Principle 1–5 · PCAOB AS 2201.24
Critical
Period-end financial close process controls documented and tested
Period-end close is a high-risk process requiring robust controls: journal entry review and approval, account reconciliation review, management review of financial statements, and closing timeline controls. Controls must be tested for design and operating effectiveness.
PCAOB AS 2201.40 · COSO Principle 10
High
Fraud risk assessment completed and documented
Risk assessment must include fraud risk consideration: management override risk, fraudulent financial reporting risk, and misappropriation of assets. Anti-fraud programs and controls must be evaluated. Fraud risk assessment is a COSO Principle 8 requirement.
COSO 2013 Principle 8 · PCAOB AS 2401 · AS 2201.14
Management has identified all significant accounts and relevant disclosures using quantitative and qualitative risk factors: account size, volume of activity, susceptibility to misstatement, complexity of underlying calculations, and nature of account (estimates vs. routine transactions).
PCAOB AS 2201.29–.31 · SEC Staff Guidance 2007
Critical
Control objectives documented for each significant process
For each significant account/process, control objectives must be defined (e.g., "Revenue is recorded in the correct period," "Journal entries are properly authorized"). Controls are then mapped to these objectives to demonstrate coverage against the risk of material misstatement.
PCAOB AS 2201.36 · COSO Principle 10–11
Critical
Segregation of duties evaluated for financial system access
Review and document separation between: (1) initiating vs. approving transactions, (2) recording vs. custody of assets, (3) IT access rights in financial systems (ERP admin vs. preparer). Compensating controls must be documented for any SOD conflicts, especially in smaller finance teams.
COSO Principle 10 · PCAOB AS 2201.44
High
4. IT General Controls (ITGCs)
PCAOB AS 2201.42 · COSO Principle 11, 13
Access controls to financial systems reviewed and tested
Review user access to ERP/financial systems: provisioning/de-provisioning processes, privileged access controls, periodic access reviews (at least annually), and separation between production and development environments. Access for terminated employees must be removed within a defined SLA.
PCAOB AS 2201.42 · COSO Principle 11
High
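The SOD evaluation and the access-review items above describe checks that can be run against an ERP entitlement export. This is an added example, not code from the checklist tool: the entitlement names, the one-day removal SLA, and the user records are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Toxic entitlement pairs from the SOD item: initiate/approve, record/custody, admin/preparer.
# Entitlement names are assumed; map them to your ERP's role model.
SOD_CONFLICTS = {
    ("INITIATE_TXN", "APPROVE_TXN"): "initiating vs. approving transactions",
    ("RECORD_ASSET", "CUSTODY_ASSET"): "recording vs. custody of assets",
    ("ERP_ADMIN", "JE_PREPARER"): "ERP admin vs. preparer",
}

@dataclass
class UserAccess:
    user: str
    entitlements: set
    active: bool                                  # account still enabled in the ERP
    terminated_on: Optional[date] = None          # HR termination date, if any
    compensating_controls: set = field(default_factory=set)  # documented SOD mitigations

def review_access(users, as_of, last_review, sla_days=1, review_days=365):
    """Return (finding_type, user, detail) tuples for ITGC / SOD exceptions."""
    findings = []
    # Periodic access review must happen at least annually (review_days assumed = 365).
    if (as_of - last_review).days > review_days:
        findings.append(("REVIEW_OVERDUE", "*", f"last review {last_review.isoformat()}"))
    for u in users:
        # Terminated employee whose account is still active past the removal SLA.
        if u.terminated_on and u.active and (as_of - u.terminated_on).days > sla_days:
            findings.append(("TERMINATED_ACTIVE", u.user, f"terminated {u.terminated_on.isoformat()}"))
        # SOD conflict is a finding only when no compensating control is documented for it.
        for pair, desc in SOD_CONFLICTS.items():
            if set(pair) <= u.entitlements and desc not in u.compensating_controls:
                findings.append(("SOD_CONFLICT", u.user, desc))
    return findings

# Constructed sample entitlement export (not real data).
SAMPLE_USERS = [
    UserAccess("ap_clerk", {"INITIATE_TXN"}, True),
    UserAccess("controller", {"INITIATE_TXN", "APPROVE_TXN"}, True,
               compensating_controls={"initiating vs. approving transactions"}),
    UserAccess("it_admin", {"ERP_ADMIN", "JE_PREPARER"}, True),
    UserAccess("ex_staff", {"RECORD_ASSET"}, True, terminated_on=date(2024, 3, 1)),
]

def run_sample_review():
    return review_access(SAMPLE_USERS, as_of=date(2024, 3, 15), last_review=date(2023, 1, 10))

if __name__ == "__main__":
    for kind, user, detail in run_sample_review():
        print(f"{kind:18} {user:12} {detail}")
```

The controller's conflict is suppressed because a compensating control is on file; the admin/preparer overlap, the lingering terminated account, and the overdue annual review are reported as exceptions to document in the deficiency inventory.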
Change management controls over financial systems documented
System changes to financial applications (ERP patches, configurations) require: formal change request documentation, testing in non-production environment, authorized approval, and post-implementation review. Segregation between developers and production deployers is required.
PCAOB AS 2201.42 · COSO Principle 13
High
Data backup, recovery, and availability controls tested
Financial data backup and recovery controls ensure data integrity: regular backup testing, disaster recovery procedures, data retention per records management policy, and system availability SLAs for financial close activities. Untested backup procedures are a common ITGC finding.
PCAOB AS 2201.42 · COSO Principle 16
Medium
5. Deficiency Identification and Classification
PCAOB AS 2201.63–.70 · SEC Staff Guidance 2007
Deficiency inventory compiled with classification (MW/SD/deficiency)
All identified control deficiencies must be classified: Material Weakness (MW) — reasonable possibility of material misstatement not prevented/detected; Significant Deficiency (SD) — less severe than MW, merits audit committee attention; Deficiency — all others. MW automatically makes ICFR "not effective."
PCAOB AS 2201.A7–A11 · COSO 2013 Chapter 8
Critical
Conclusion on ICFR effectiveness stated (effective or not effective)
Management's annual report must explicitly state whether ICFR is effective or not effective as of fiscal year-end. If any material weakness exists, management cannot conclude ICFR is effective. Ambiguous conclusions (e.g., "ICFR is effective in most respects") are not compliant and will draw SEC comment.
Remediation plans documented for all material weaknesses and SDs
Any identified material weaknesses or significant deficiencies require documented remediation plans with: root cause analysis, corrective action steps, responsible parties, target remediation dates, and management's assessment of timeline feasibility. Auditors evaluate whether remediation is complete or still in process.
SEC Staff Guidance 2007 · PCAOB AS 2201 ¶70
High
6. Section 404(b) — External Auditor Attestation
PCAOB AS 2201 · LAF & AF Only
External auditor engaged for ICFR attestation (PCAOB AS 2201)
Accelerated and large accelerated filers must engage their registered public accounting firm to perform an integrated audit — auditing both the financial statements and ICFR effectiveness under PCAOB AS 2201. The auditor issues a separate attestation report included in the 10-K.
15 USC §7262(b) · PCAOB AS 2201.1 · Rule 2-02(f)
LAF & AF Only
LAF/AF
Auditor walkthrough and controls testing coordinated
Management must coordinate with the external auditor for: walkthroughs of significant business processes, selection of controls to test, agreement on control testing approach (re-performance vs. inquiry + observation), and timing of interim and year-end testing. Auditor independence must be maintained throughout.
Management's Report on ICFR drafted for 10-K Item 9A
The 10-K must include Management's Annual Report on ICFR in Item 9A containing: (1) statement of management's responsibility for ICFR; (2) identification of the framework used; (3) management's conclusion on ICFR effectiveness; (4) all identified material weaknesses; (5) auditor's attestation (LAF/AF only).
S-K Item 308(a) · Rule 13a-15(c)
Critical
Significant ICFR changes in Q4 disclosed
Any significant changes to ICFR during Q4 (the quarter covered by the annual report) that materially affected or are reasonably likely to affect ICFR must be disclosed in Item 9A. This overlaps with the Section 302 quarterly change disclosure but applies to the Q4 period in the 10-K.
Rule 13a-15(d) · S-K Item 308(c)
High
Assessment as-of date is fiscal year-end (not interim)
The ICFR effectiveness conclusion must be as of the last day of the fiscal year — not an interim date. If a material weakness is identified after year-end but before filing, it must be disclosed. Using an "as of" date other than fiscal year-end is a Section 404 violation.
Rule 13a-15(c) · SEC Staff FAQ 2004
Medium
Testing documentation retained for 7 years
All ICFR testing documentation — walkthroughs, control test results, deficiency analyses, management's assessment workpapers — must be retained for at least 7 years under Section 802 (18 USC §1519). External audit workpapers must also be retained for 7 years under PCAOB Rule 4003.
18 USC §1519 (Sec 802) · PCAOB Rule 4003
Medium
Section 302 certifications consistent with Section 404 conclusions
The ICFR conclusion in Section 404(a) and the DC&P effectiveness statement in Section 302 must be consistent. If 404 concludes ICFR is "not effective" due to a material weakness, the Section 302 certification must reflect this — a disconnect between 302 and 404 disclosures triggers SEC scrutiny.
SEC Staff Comment Guidance 2010 · Rule 13a-15
Medium
Get Your AI ICFR Readiness Assessment
After marking your checklist, click below. AI assesses your Section 404 gaps against your filer category and COSO requirements, identifies critical deficiency risks, and generates a prioritized remediation plan.
Generate ICFR Assessment Package
Export your Section 404 assessment findings for your auditors, audit committee, and legal counsel.
Free
Assessment Summary
1-page ICFR readiness summary with current status, key gaps, and immediate actions needed.
COSO component completion status
Critical deficiency indicators
Filer-category specific guidance
Top remediation priorities
Premium · $79
Full 404 Documentation Package
Comprehensive ICFR assessment package for your audit team and audit committee.
404(a): Management's annual ICFR assessment using a suitable framework (COSO 2013). Must state whether ICFR is effective or not effective. 404(b): Required for accelerated filers (float $75M–$700M) and large accelerated filers (≥$700M) only — external auditor attestation on ICFR under PCAOB AS 2201. Exempt from 404(b): non-accelerated filers, SRCs, and EGCs for 5 years post-IPO.
Under PCAOB AS 2201.A7, a material weakness is a deficiency where there is a reasonable possibility that a material misstatement will not be prevented, detected, or corrected on a timely basis. If any material weakness exists, management must conclude ICFR is NOT effective. Common material weaknesses: (1) insufficient accounting staff for close process, (2) missing or ineffective ELC tone-at-top controls, (3) inadequate IT general controls (especially access and change management), (4) improper journal entry authorization, (5) restatement triggers. Disclosure of a material weakness typically causes stock price drops of 2–5%.
COSO 2013 (updated from 1992) is the Committee of Sponsoring Organizations' Internal Control — Integrated Framework. It defines ICFR through 5 components and 17 principles: Control Environment (principles 1–5: commitment to integrity, board oversight, authority, HR policies, accountability), Risk Assessment (6–9: objectives, risk identification, fraud risk, change risk), Control Activities (10–12: selecting controls, SOD, technology controls), Information & Communication (13–15: quality information, internal/external communication), and Monitoring (16–17: ongoing evaluation, deficiency communication). All 17 principles must be present and functioning for effective ICFR.
Yes. COSO published specific guidance for smaller public companies: Internal Control over Financial Reporting — Guidance for Smaller Public Companies (2006). For SRCs and NAFs, the COSO framework can be applied with scalable controls that reflect the simpler nature of a smaller organization. Compensating controls are acceptable where formal segregation of duties isn't practical due to limited staff. The key principle: all 17 COSO principles must still be addressed, even if the specific control activities differ from those at a large accelerated filer.