SOX 404(a) vs. 404(b): What Is the Difference?
Section 404 of the Sarbanes-Oxley Act contains two distinct requirements that are frequently confused — and the difference between them matters significantly depending on your company’s filer status. SOX 404(a) applies to all public companies. SOX 404(b) applies only to accelerated filers and large accelerated filers. Understanding which applies to your organization — and what each actually requires — is foundational to scoping your compliance program correctly.
What SOX 404(a) Requires
SOX 404(a) requires management to assess and report on the effectiveness of the company’s internal control over financial reporting (ICFR) as of year-end. This assessment must be included in the company’s annual report (Form 10-K) and must conclude whether ICFR is effective or not. If management identifies a material weakness, that must be disclosed.
The 404(a) requirement applies to all SEC reporting companies, including non-accelerated filers and smaller reporting companies. It is management’s own assessment — no external auditor attestation is required under 404(a) alone.
To comply with 404(a), management must document the control framework being used (typically COSO 2013), perform a risk assessment to identify significant accounts and processes, test key controls, evaluate deficiencies, and reach a conclusion on ICFR effectiveness. This is meaningful work — it is not a rubber stamp — but the scope and rigor can be calibrated to the size and complexity of the organization.
What SOX 404(b) Requires
SOX 404(b) adds an additional layer on top of 404(a): it requires the company’s external auditor to independently assess and attest to management’s ICFR assessment. This is called the integrated audit — the external auditor audits both the financial statements and internal controls simultaneously, and issues a separate opinion on ICFR.
The 404(b) requirement applies to accelerated filers (public float of $75 million or more) and large accelerated filers (public float of $700 million or more). Non-accelerated filers and smaller reporting companies are exempt from 404(b).
The integrated audit under 404(b) is substantially more rigorous than a 404(a)-only program. The external auditor performs its own walkthroughs, selects its own sample of controls to test, and independently evaluates the design and operating effectiveness of ICFR. Management cannot simply hand over its own test results — the auditor must obtain its own evidence. This drives higher documentation standards, broader control coverage, and more formal evidence requirements across the entire SOX program.
The Practical Differences
For companies subject only to 404(a), the SOX program can be more streamlined. Management has more flexibility in determining the depth and breadth of testing, the number of controls documented, and the evidence retained. The program still needs to be substantive — management must genuinely assess ICFR effectiveness — but it can be sized appropriately for a smaller organization.
For companies subject to 404(b), the external auditor’s requirements effectively set the standard for the entire program. The auditor will have views on which controls are key, what documentation is sufficient, what sample sizes are appropriate, and how management review controls need to be evidenced. A SOX program that would satisfy 404(a) management assessment standards may fall short of what the integrated audit requires.
When Does 404(b) Kick In?
The 404(b) requirement first applies in the fiscal year after a company crosses the accelerated filer threshold — which is based on public float as of the last business day of the most recently completed second fiscal quarter. Companies that go public and quickly achieve a large public float can find themselves subject to 404(b) sooner than expected, sometimes as early as their second 10-K filing.
Pre-IPO companies should model their expected post-IPO float and timeline carefully. Being caught by a 404(b) obligation without having built an integrated-audit-ready SOX program is one of the most common and costly compliance surprises for newly public companies.
The Bottom Line
The distinction between 404(a) and 404(b) is not just a technical one — it drives material differences in program scope, documentation requirements, resource needs, and cost. If your organization is approaching the accelerated filer threshold or planning an IPO, understanding which requirement will apply — and when — should be one of the first questions your compliance team addresses.
Veridian Advisory LLC helps companies build SOX programs calibrated to their specific filer status and audit requirements. Whether you are standing up a 404(a) program for the first time or preparing for a first integrated audit under 404(b), contact us to discuss how we can help.