Sarbanes-Oxley S404 Wording

I have been assessing and planning for a Sarbanes-Oxley IT Controls project at a client of ours (they are a foreign filer and so SOX applies to them).

As a matter of public record, I thought it necessary to document the actual wording of the mythical S404 – it is oft-referred to but the full wording is not easily found if you’re not a complete SOX expert.

Accordingly, this is the wording of S404 (the one that gives IS auditors a headache):

“SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.

(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall —

(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.”

The Securities and Exchange Commission maintains a full copy of the legislation at this link for the Sarbanes-Oxley Act of 2002.
