This article provides an overview of the SOX 404 process.

The SOX 404 activity follows a top-down risk assessment model. Key steps include:

  1. Identify significant financial reporting elements (accounts and disclosures).
  2. Identify material financial statement risks within those accounts and disclosures.
  3. Determine which entity-level controls would address those risks sufficiently.
  4. Determine which transaction-level controls would address those risks in the absence of sufficient entity-level controls.
  5. Determine the nature, extent and timing of evidence required to substantiate the assessment of in-scope controls.

Management is required to document how it has interpreted and derived its top-down risk assessment.
This usually takes the form of higher-level scoping and then detailed control evidence documents. The detailed control evidence documents explain:

  1. The control objective.
  2. The process by which the control objective is met.
  3. Evidence which demonstrates the process is in place and meeting the control objective.
  4. Defects and how they will be remediated.

Typically, external audit would evaluate the SOX 404 documentation created, which would then become part of the overall assessment of processes carried out by an external regulator.

For more information please contact Morland-Austin at