In Articles

What is the difference between SOX 404(a), 404(b) and 302?

SOX 302 is just a requirement that the CFO certify the financial statements are accurate. No internal audit is required to comply with SOX 302.

SOX 404(a) requires a company to report their own internal controls framework. An external audit of the controls framework is not required.

SOX 404(b) takes it a step further and requires a robust internal controls framework and testing process to be audited by internal and external auditors every year.

What are the thresholds for a company having to comply with SOX 404(b)?

Why would a company opt to be a Non-EGC Accelerated Filer?

In many cases, a new company elects to disclose specific information about their unique competitive positioning in their Annual SEC Reports. Any information disclosed must be verified by the external auditors as reliable and accurate. Therefore, a SOX 404(b) audit may be required to certify additional information beyond the standard financial disclosures.

Are we required to follow the COSO 2013 Framework?

No, but it is a recognized format and is well understood by all major audit firms. This framework gives an organization a leg up to avoid having to reinvent the wheel during the risk assessment review to make sure it is comprehensive.

Is COBIT required for SOX 404?

No, but it is a great framework for your IT organization to use to address the risk assessment.

What about SOX 906?

906 refers more directly to fraud and not internal controls, and yes it will need to be signed off at the same time as 302. Fraud implies an intent to mislead investors, and this is typically a legal department area to address.

Must we use a CPA firm to design and implement our risk and controls framework?

No, a CPA firm with the right credentials is only required to audit and attest to financials statements. Often, it is more beneficial to hire a non-CPA firm to assist with the risk and controls implementation. The non-CPA firms tend to be more flexible in making recommendations to the executive team when options are not always clear. These firms can also freely provide other expertise to ensure the right processes are put in place.


Check out our article: 4 Ways a SPAC Can Get SOX Controls Right Without Crippling the Organization

If you have additional questions about SOX and implementing the proper risk and controls framework, feel free to reach out to our team anytime at

Recent Posts

Start typing and press Enter to search