Section 404: Management Assessment of Internal Controls
In 2003 the SEC adopted rules required by this section. The rules spell out the central SOX compliance audit requirements. Companies are required to include the following information in their annual filing:
- A statement of the responsibility management has to establish and maintain adequate financial reporting controls.
- A statement of how management evaluated the effectiveness of the company’s internal controls.
- A statement from management with an assessment of the effectiveness of the internal controls.
- A statement from the external auditor attesting to management’s assessment.
This audit is different than the audit of financial statements. The audit of financial statements is concerned with the accuracy of the numbers in the financial statements. It does not generally spend much time on internal controls. The Section 404 attestation the auditor must provide is not concerned with the numbers, it’s strictly concerned with the internal controls in place. Just because the auditor doesn’t find any problems with the numbers does not mean the financial controls in place are adequate.