The Sarbanes-Oxley Act of 2002 was enacted in response to major corporate and accounting scandals to protect investors. Section 404 of the Act requires companies to assess the effectiveness of their internal controls over financial reporting and disclose any material weaknesses found. It is one of the most costly aspects of the Act for companies to implement. Section 404 requires management to produce an annual internal control report evaluating the company's controls and the auditor to attest to management's assessment.
2. A Bit of Background on the Sarbanes-Oxley Act
• A U.S. federal law that set new or enhanced standards for all U.S. public
company boards, management, and public accounting firms.
• Reaction to major corporate and accounting scandals such as Enron,
Tyco International, and Adelphia.
• Protects investors by making sure accurate and reliable information is
recorded at all times.
• Meant to restore the public’s faith in U.S. securities markets.
• Provides internal control over the company’s records and transactions.
• The bill is named after its sponsors, Sen. Paul Sarbanes and Rep. Michael
G. Oxley.
4. Breakdown of Votes Between House and Senate
• House voted 334 to 90.
• Senate Banking Committee voted
17 to 4.
• Full Senate voted 97 to 0.
                           In Favor   Opposed
House                      334        90
Senate Banking Committee   17         4
Full Senate                97         0
6. Sarbanes-Oxley Section 404: Assessment of Internal Control
Section 404
• Requires management and the
external auditor to report on the
adequacy of the company’s
internal control over financial
reporting (ICFR).
• Most costly aspect of the
legislation for companies to
implement.
• Management is required to
produce an internal control
report as part of each annual
Exchange Act report.
• This report must confirm that
management is meeting its
responsibility for maintaining the
internal control structure for
financial reporting.
7. Requirements of Section 404
A top-down risk assessment requires management to base both the scope of its assessment
and evidence gathered on risk.
• Management gets wider discretion in its assessment approach.
Auditing Standard No. 5, approved by the PCAOB, is intended to give guidance to management.
• Helps cut down the high costs of compliance, guidance, and practice.
8. The two standards create a set of requirements:
• Assess both the design and operating effectiveness of
selected internal controls related to significant
accounts and relevant assertions, in the context of
material misstatement risks.
• Understand the flow of transactions, including IT
aspects, in sufficient detail to identify points at
which a misstatement could arise.
• Evaluate company-level (entity-level) controls,
which correspond to the components of the COSO
framework.
• Perform a fraud risk assessment.
• Evaluate controls designed to prevent or detect
fraud, including management override of controls.
• Evaluate controls over the period-end financial
reporting process.
• Scale the assessment based on the size and
complexity of the company.
• Rely on management’s work based on factors such as
competency, objectivity, and risk.
• Conclude on the adequacy of internal control over
financial reporting.