SOX 404 IT Controls

SOX Section 404(b) requires that the management of public companies assess the effectiveness of the issuer’s internal controls over financial reporting (ICFR). It also requires a publicly held company’s external auditor to attest to and report on management’s assessment of its ICFR. The common IT SOX criteria cover the following areas:

  • Information Technology Governance
  • Logical/Physical Security
  • Security Administration
  • Change Management
  • Operations

If your company’s market cap is over $75 million in assets, you are considered an ‘accelerated filer’ and are required to document and test your ICFR. Companies under $75 million in market cap are not required to perform the testing.

Our Engagement Cycle Includes:

  • Planning
  • Walkthroughs of key processes to document our understanding of the design of the IT SOX controls
  • Documentation of key controls
  • Interim testing and reporting (typically covering the first two quarters of the fiscal year)
  • End of period testing and reporting (covering the third quarter of the fiscal year)
  • Roll-forward testing and reporting (covering the fourth quarter of the fiscal year)

For the last 15 years, we have been assisting our clients with the documentation and testing of their IT SOX 404 controls. In many instances, our clients already have an internal audit department in place that documents and tests ICFR; however, they do not have the proper IT resources to address the IT SOX components. In these situations, we have been able to successfully integrate our audit process into our clients’ overall SOX testing to provide a ‘seamless’ approach. We also have experience with integrating IT audits with IT SOX 404 testing to gain efficiencies, since there is often overlap between the two audits.

To increase efficiency, we also coordinate with our clients’ external audit firms to align our procedures with their specific needs. We ensure our work papers are delivered in time to fit their specific testing timeframes. By doing so, your external auditors can rely on our work and use it to supplement their testing and documentation requirements, which ultimately decreases the time demands on your employees.

PKM will review management’s remediation of any previous IT SOX findings and update documentation to reflect the remediation efforts at each testing phase. We also have a quality assurance review process to ensure that the conclusions are accurate and are documented appropriately.

Contact Us

For more information on SOX 404 IT documentation and testing, or to schedule a consultation, please contact Systems Partner Mike Morris at or 404-420-5669.