Internal controls your CFO can sign their name to.
B4Q builds and tests the internal controls over financial reporting Section 404 requires — scoped to your filer status, documented against COSO, and ready before your certifying officers have to sign.
- COSO-aligned control framework
- IPO & pre-public readiness
- 404(a) and 404(b) support
Your CEO and CFO are personally certifying this.
Section 302 requires your principal executive and financial officers to personally certify the accuracy of financial reports and the effectiveness of disclosure controls — not a compliance team, not an auditor, the named officers themselves.
Section 404 backs that certification with a real control framework: management must assess internal control over financial reporting (ICFR) every year, and — depending on filer status — an independent auditor may need to attest to it too.
- 01 Gives certifying officers a defensible basis for what they're signing.
- 02 Builds the control documentation an external auditor will actually test.
- 03 Scopes the right filer-status path instead of over- or under-building the program.
What actually applies to you
Five COSO components. One integrated control system.
Nearly every SOX program in the US is built on the COSO Internal Control – Integrated Framework, organized into five components that work together.
Control Environment
Tone at the top, ethics, and board oversight that everything else depends on.
Risk Assessment
Identifying where financial statements could be materially misstated.
Control Activities
The specific policies and procedures that prevent or catch errors.
Information & Communication
Getting the right financial data to the right people in time to act on it.
Monitoring Activities
Ongoing checks that controls keep working as the business changes.
404(a) or 404(b) — your filer status decides.
Every public company owes a management assessment. Whether an external auditor also has to attest to it depends on your filer status.
Section 404(a)
Management itself assesses and reports on the effectiveness of ICFR — required of every public company, including emerging growth companies and non-accelerated filers.
- Documented control narratives and testing
- Management's own conclusion on ICFR effectiveness
- Foundation for the 404(b) attestation, if required
Section 404(b)
An independent registered public accounting firm attests to management's ICFR assessment — required for accelerated and large accelerated filers.
- Independent testing of the same control environment
- A separate attestation opinion on ICFR
- Non-accelerated filers and many EGCs are exempt
From scoping to a certification your officers can stand behind.
We build the program in the order an auditor will actually test it.
Scoping & Risk Assessment
We identify significant accounts, processes, and locations where a misstatement could actually matter.
Control Documentation
Process narratives, risk-control matrices, and flowcharts get built for every in-scope process.
Design Effectiveness Testing
We confirm each control, as designed, would actually prevent or detect the risk it's meant to address.
Operating Effectiveness Testing
Controls get tested against real evidence to confirm they're operating as designed, not just documented.
Deficiency Remediation
Gaps get classified — deficiency, significant deficiency, or material weakness — and remediated before certification.
Management Certification & Attestation
Management issues its 404(a) conclusion, with 404(b) auditor attestation coordinated where required.
Common gaps in a first-year SOX program.
Every company is different, but these show up often enough in first-time readiness work to plan for early.
Segregation of duties gaps
The same person can initiate, approve, and record a transaction — often in finance teams too lean to split the role.
IT general controls left informal
Access provisioning, change management, and backup controls exist in practice but were never documented or tested.
Uncontrolled spreadsheets
Critical calculations live in spreadsheets with no version control, formula-lock, or independent review step.
Missing evidence of review
A review actually happened, but nothing was signed, dated, or saved to prove it to an auditor later.
A control program built to survive real audit testing.
Scoped to your actual filer status, not the broadest program we could sell you.
Filer-Status-Correct Scoping
We confirm whether 404(b) actually applies before building an attestation-ready program you don't need yet.
IPO-Timeline Aware
We sequence readiness work against your actual path to going public, not a generic template.
Documentation Built for Testing
Control narratives and matrices written the way an external auditor will actually sample them.
Deficiency Triage
Clear classification of findings so leadership knows what's material before certification, not after.
50+ Businesses Served
Across pre-IPO and public companies at every stage of their control maturity.
Year-Round Support
We stay on through the annual certification cycle, not just the initial buildout.
SOX, answered.
Ready to build ICFR your officers can certify?
Book a free strategy call and we'll map your SOX readiness timeline against your filer status.