Section 404 of the Sarbanes-Oxley Act (SOX 404) mandates that public companies assess their internal controls over financial reporting (ICFRs). SOX 404(a) requires company management to assess ICFRs, and SOX 404(b) calls for registered public accounting firms to attest to and report on the assessments, made by management.
Implementation of SOX 404 began with U.S. accelerated filers who were first required to provide management assessment and auditor attestation in annual reports for periods ending on or after November 15, 2004. Since 2004, all filers, other than non-accelerated filers (who now have been permanently exempted from the requirements of SOX 404(b) by the recently passed Dodd-Frank Wall Street Reform and Consumer Protection Act), have phased into the SOX 404 regulatory scheme and are currently required to provide SOX 404(a) and (b) certifications in their annual reports.
In the six years since the initial implementation date of SOX 404, Audit Analytics has compiled annual reports and published data on the required auditor attestations and management assessments. The SOX 404 Dashboard - Year Six Update, published in October, reports that in year six of SOX 404, only 2.4% of filings contained adverse auditor attestation disclosures. This represents a more than 50% drop since year five, in which the adverse disclosure rate came in at 5%, and an even more significant drop since year one, in which the adverse disclosure rate was 16.9%. The study shows a steady decline in adverse auditor attestations throughout the six years of SOX 404’s existence and suggests that auditor involvement in the evaluation process may have led to the improvement of companies’ ICFRs. However, the study also shows that adverse disclosure rate for management-only assessments continues to be high—27.8% in 2010. Nonetheless, the year six figure reflects a drop from 32.3% in year five, 32.0% in year four, and 32.8% in year three. The study suggests that the high percentage of adverse management assessments indicates that non-accelerated filers fail to maintain ICFRs that are as reliable as ICFRs maintained by accelerated filers.