The inside job

The seemingly uncontroversial Section 404 of the Sarbanes-Oxley Act is turning out to be a thorn in the side of companies trying to clean up their acts. Alexander Cohen reports

When the US Sarbanes-Oxley Act was passed in 2002, the internal control provisions of Section 404 attracted relatively little notice. Similarly, the Securities and Exchange Commission’s (SEC) rules implementing Section 404 were uncontroversial, at least compared with some of its flashier and more contentious proposals, such as the attorney conduct rules.

As the deadline for implementing Section 404 has loomed, however, issuers have discovered that it is the ugly duckling that grew up. Whether or not Section 404 is a beautiful swan or just another surly adolescent is a matter of taste, but it is certainly the case that complying with Section 404 is proving to be one of the most challenging, time-consuming and expensive aspects of the act.

Who is subject to Section 404?

In the same way as the Sarbanes-Oxley Act more generally, Section 404 applies to all issuers of securities, including non-US companies, which have registered securities with the SEC under the US Securities Exchange Act 1934 (the Exchange Act); are required to file reports with the SEC under the Exchange Act; or have filed a registration statement which has not yet become effective under the US Securities Act 1933.

This means, for example, that any non-US issuer that has listed its securities in the US, or has issued securities to the public in the US, whether listed or not, is subject to Section 404.

When does Section 404 take effect?

Under the SEC’s current rules, Section 404 takes full effect for non-US issuers for the fiscal years ending on or after 15 July this year. However, this deadline may yet be delayed, as it has been for certain categories of domestic US issuers. Indeed, in a recent speech at the London School of Economics, chairman of the SEC William Donaldson stated that he had asked the SEC staff to consider whether to delay the implementation of Section 404’s internal control requirements for non-US issuers.

What does Section 404 require?

Section 404 directs the SEC to issue rules requiring an issuer’s annual report to contain an internal control report stating management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting and containing an assessment, as at the end of the issuer’s most recent fiscal year, of the effectiveness of the issuer’s internal control structure and procedures for financial reporting. In addition, Section 404 requires an issuer’s independent auditor to attest to, and report on, management’s assessment in accordance with standards adopted by the US’s Public Company Accounting Oversight Board (PCAOB).

Under the SEC’s rules, an issuer must: maintain internal control over financial reporting; evaluate, with the participation of the chief executive officer (CEO) and the chief financial officer (CFO), the effectiveness of internal control as of the end of each fiscal year; and evaluate, again with the participation of the CEO and CFO, any change in its internal control that occurred during the fiscal year that has materially affected, or is reasonably likely to materially affect, the issuer’s internal control over financial reporting.

Definition of ‘internal control over financial reporting’

For the purposes of the SEC’s rules, “internal control over financial reporting” is defined as a process designed by, or under the supervision of, the issuer’s CEO and CFO, and effected by the issuer to provide reasonable assurance regarding the reliability of financial reporting in accordance with generally accepted accounting principles. It includes policies and procedures pertaining to the maintenance of records that in reasonable detail accurately reflect the transactions and dispositions of the assets of the issuer. It includes policies and procedures that provide reasonable assurance that transactions are recorded so that they permit preparation of financial statements in accordance with accepted accounting principles. These policies and procedures should also provide reasonable assurance that receipts and expenditures of the issuer are being made only in accordance with authorisations of management and directors of the issuer. They should also provide reasonable assurance regarding prevention or timely detection of unauthorised acquisition, use or disposition of the issuer’s assets that could have a material effect on the financial statements.

Framework for evaluation

The SEC has not required the use of a particular framework. However, it has specified that management’s evaluation must be based on a recognised control framework established by a body that has followed due process procedures, including a broad distribution of the framework for public comment. The Committee of Sponsoring Organizations of the Treadway Commission’s ‘Internal Control Integrated Framework’, the Canadian Institute of Chartered Accountants’ ‘The Guidance on Assessing Control’ and the Institute of Chartered Accountants in England and Wales’ ‘Turnbull Report’ are all approved frameworks.

Internal control audits – Auditing Standard No 2

In Auditing Standard No 2, the PCAOB has stated that the objective of internal control audits is to form an opinion as to whether management’s assessment of the effectiveness of the issuer’s internal control is fairly stated in all material respects. The auditor needs to evaluate management’s assessment process and test the effectiveness of internal control.

Under Auditing Standard No 2, the auditor’s report includes two opinions – one on management’s assessment of internal control and one on the effectiveness of the control. An auditor may express an unqualified opinion if it has identified no material weaknesses. If the auditor cannot perform all of the necessary procedures, the auditor may either qualify or disclaim an opinion. If an overall opinion cannot be expressed, Auditing Standard No 2 requires the auditor to explain why.


Given the breadth of the concept of internal control, implementation for a large company with worldwide operations is an exceedingly complex task. The sting in Section 404’s tail is the requirement that an issuer’s independent auditors both sign off on management’s view of internal control and provide their own assessment of internal control. There is little doubt that some issuers will be forced to disclose internal control problems as a result of this process.

Alexander Cohen is a US securities partner in the London office of Latham & Watkins