Sarbanes-Oxley Section 404 Specifications

Section 404 requires senior management and business process owners to establish and maintain an adequate internal control structure. In addition, the specification requires senior management to assess the effectiveness of the internal controls on an annual basis. The following are some specifics of Section 404:

  • Management of public companies must assess the effectiveness of the organization’s internal control over financial reporting.
  • An annual review and assessment of the effectiveness of the internal controls must be completed.
  • A company’s independent auditor must attest to management’s assessment of its internal control over financial reporting.
  • A company must demonstrate the following internal controls:
    • Records are logged in reasonable detail, are accurate, and reflect the transactions.
    • Transactions are being recorded.
    • Prevention or timely detection of unauthorized acquisition, use or disposition of the assets that could have a material effect on the financial statements.
    • The IT control environment must include the IT governance process, monitoring and reporting.
    • The IT governance process must include the information systems strategic plan, the IT risk management process, compliance and regulatory management, IT policies, procedures and standards.
    • Monitoring and reporting exist to ensure IT is aligned with business requirements.

An ineffective control environment can be a significant deficiency and a strong indicator that a material weakness in internal control over financial reporting exists.