
SOX 404(a) vs 404(b): management vs auditor attestation

SOX 404a vs 404b in plain English: 404(a) is management's ICFR assertion; 404(b) is the external auditor's attestation. Who files each, and when it kicks in.

A controller at a Series D company asks whether their first 10-K needs a 404(b) opinion. The investment bankers say yes. The outside counsel says not yet. Both are half right, and the difference costs real money.

This post walks through what SOX Section 404 actually requires, the split between 404(a) and 404(b), and when a growing company moves from one to both.

The short answer

SOX 404(a) is management's assertion on the effectiveness of internal control over financial reporting. SOX 404(b) is the external auditor's separate attestation on that same ICFR. Both appear in the 10-K for companies subject to them. Not every public filer is subject to 404(b).

What SOX Section 404 is

The Sarbanes-Oxley Act of 2002 was Congress's response to Enron and WorldCom. Section 404 of the Act, codified at 15 U.S.C. §7262, is the part that put real money on the balance sheet of every public company in the United States.

The section has two subsections and they do different work.

Subsection (a) requires management of a public company to produce an internal-control report inside its annual filing. Subsection (b) requires the registered public accounting firm that audits the financial statements to also attest to, and report on, management's assessment. The SEC's own Office of Economic Analysis study of Section 404 walks through the statutory structure and the cost-benefit debate that shaped the 2010 Dodd-Frank exemption.

"ICFR" is the term everyone uses. It stands for Internal Control over Financial Reporting: the processes, policies, and controls that give reasonable assurance the numbers in your financial statements are reliable and prepared in conformity with GAAP. It is narrower than "internal controls" generally. Operational controls and compliance controls live outside the SOX 404 perimeter unless they touch the books.

SOX 404(a): management's responsibility

Under 404(a), management must state in the annual report that it is responsible for establishing and maintaining adequate ICFR, describe the framework it used to evaluate that control (almost always COSO 2013), and provide a conclusion on whether ICFR is effective as of fiscal year-end.

The assertion is signed by the CEO and the CFO. It is not a casual sign-off. The same officers have to sign the Section 302 certifications every quarter and the Section 906 certification with every annual report, and a false assertion is the kind of thing the Department of Justice reads carefully.

To produce the assertion, management has to do real work: scope the in-scope financial reporting processes, identify the relevant accounts and assertions, document the controls, test them through the year, and remediate any deficiencies before year-end. If a material weakness exists at year-end, the assertion says so. Hiding one is worse than disclosing one.

404(a) applies to every public company with SEC-registered equity. There is no filer-size exemption.

SOX 404(b): the auditor's attestation

Under 404(b), the company's external auditor performs a separate audit of ICFR and issues its own opinion on whether ICFR is effective at year-end. This is governed by PCAOB Auditing Standard 2201, the integrated audit standard. It is "integrated" because the same PCAOB-registered firm audits both the financial statements and the ICFR, using the same evidence base where it can.

The 404(b) opinion is a separate paragraph, sometimes a separate report, inside the 10-K. It does not just bless management's assertion; the auditor forms its own view. The firm can disagree with management, and has, often publicly.

AS 2201 is heavier than it sounds. The auditor has to identify and test key controls, including entity-level controls and IT general controls, reperform a subset, and document the lot to PCAOB inspection standards. Most first-time 404(b) engagements at growth-stage companies run meaningfully larger than the financial-statement audit they were used to.

404(a) is what management says about its own controls. 404(b) is what a PCAOB-registered firm says about the same controls, under a standard that does not care what management said.

SecurancePro is a CPA firm that performs SOC 1, SOC 2, and SOC 3 engagements. We are not a PCAOB-registered ICFR auditor, and nothing in this post is us offering to sign a 404(b) opinion. If you need one, you hire a firm that does that work.

Who has to do each

404(a) applies to all SEC registrants. 404(b) does not.

  • Non-accelerated filers (generally, companies with public float under roughly $75 million) are exempt from 404(b). They still have to produce 404(a). Dodd-Frank made the non-accelerated exemption permanent in 2010.
  • Smaller reporting companies that are also non-accelerated filers got further 404(b) relief in the SEC's 2020 amendments to the accelerated filer definition. Commissioner Jackson's 2019 dissent on the proposal is a readable primer on who the rollback covers and why.
  • Accelerated filers (public float roughly $75M to $700M) and large accelerated filers ($700M and up) are subject to both 404(a) and 404(b).
  • Emerging Growth Companies under the JOBS Act of 2012 are exempt from 404(b) for up to five years after IPO, or until they lose EGC status earlier. Status is typically lost by crossing the revenue threshold (currently $1.235 billion, indexed), becoming a large accelerated filer, issuing more than $1 billion in non-convertible debt over three years, or hitting the fifth anniversary.

The thresholds move. Check the current SEC definitions before you plan against a number. Rule 12b-2 under the Exchange Act is the canonical reference.

When a company transitions

The transition from "404(a) only" to "404(a) plus 404(b)" is the point where a lot of late-stage companies get surprised. It happens in one of three ways.

EGC status ends. Most commonly by the five-year clock expiring or by revenue crossing the threshold. The 404(b) requirement lands at the next annual report after the triggering event.

Public float crosses into accelerated-filer territory. Float is measured as of the last business day of the second fiscal quarter, and filer status is assessed at fiscal year-end. A company that had a strong run in Q2 can find itself an accelerated filer by December.

The IPO itself. An IPO does not automatically impose 404(b) on day one; the EGC runway usually applies. But the SEC staff looks hard at ICFR maturity in S-1 reviews, and underwriters increasingly ask for a 404(b)-ready control environment before pricing even when the rule does not yet apply.

The practical implication: a company targeting an IPO in the next 12 to 18 months should be building the 404-ready control environment now. That means documenting processes, narrowing the general-ledger attack surface, getting an integrated picture of IT general controls, and running a dry run of management's assessment before the external auditors arrive. Companies that start six months before the filing usually end up with a material-weakness disclosure in their first 10-K. It is survivable, but it is not the debut you want.

How this relates to SOC 1

Here is where our lane begins. If a public filer uses a service organization (a payroll provider, a loan-servicing platform, a revenue-recognition system, a hosted ERP) and that service organization processes transactions material to the filer's financial statements, the filer cannot test those controls directly. It relies on a SOC 1 report from the service organization.

A SOC 1 Type II report, prepared under SSAE 18 / AT-C 320, is the document a user auditor pulls evidence from when it cannot walk into the service organization's data center. It is specifically designed for ICFR reliance. The complementary user entity controls section tells the filer what it still has to do on its own side. If you are choosing between scopes, SOC 1 Type 1 vs Type 2 explains why user auditors almost always want the Type II.

A common follow-up from first-time filers: does SOX 404 require SOC 2? It does not. 404 is about ICFR, which is SOC 1 territory. SOC 2 addresses security, availability, and related Trust Services Criteria for vendor-risk audiences. If that distinction is new, read what a SOC 2 report is before scoping either engagement.

SecurancePro issues SOC 1 reports for service organizations whose customers include public filers running 404 programs. Our report is an input to their 404(a) documentation and their auditor's 404(b) work. We do not audit the filer, and we do not sign their 404(b) opinion. We make sure the controls that sit inside our scope are documented, tested, and reported in a form their auditor can use without a second round of questions.

If you want the primer, start with what a SOC 1 report is and then compare it against SOC 2 in SOC 1 vs SOC 2. If your buyers are vendor-risk teams rather than financial-statement auditors, what a SOC 2 report actually tells your buyer is probably the more relevant read.

Our services page has the rest.

If your customers include public filers and their auditors keep asking for a SOC 1, get in touch and we will walk through scope, timing, and the user entity control language that keeps their 404 program clean.
