SOX Compliance & ICFR

Internal controls your CFO can sign their name to.

B4Q builds and tests the internal controls over financial reporting Section 404 requires — scoped to your filer status, documented against COSO, and ready before your certifying officers have to sign.

  • COSO-aligned control framework
  • IPO & pre-public readiness
  • 404(a) and 404(b) support
Control Environment Risk Assessment Control Activities Monitoring
SOX 404
ICFR, Certified
0Years of Experience
0Satisfied Clients
0COSO Components
0Sections That Apply: 302 & 404
Why It Matters

Your CEO and CFO are personally certifying this.

Section 302 requires your principal executive and financial officers to personally certify the accuracy of financial reports and the effectiveness of disclosure controls — not a compliance team, not an auditor, the named officers themselves.

Section 404 backs that certification with a real control framework: management must assess internal control over financial reporting (ICFR) every year, and — depending on filer status — an independent auditor may need to attest to it too.

  • 01 Gives certifying officers a defensible basis for what they're signing.
  • 02 Builds the control documentation an external auditor will actually test.
  • 03 Scopes the right filer-status path instead of over- or under-building the program.
SOX At a Glance

What actually applies to you

Applies toUS public companies
Sec. 302Officer certification
Sec. 404(a)Management ICFR assessment
Sec. 404(b)Auditor attestation (filer-dependent)
Framework usedCOSO Internal Control
Willful violation (Sec. 906)Up to $5M fine / 20 yrs
The Framework

Five COSO components. One integrated control system.

Nearly every SOX program in the US is built on the COSO Internal Control – Integrated Framework, organized into five components that work together.

01

Control Environment

Tone at the top, ethics, and board oversight that everything else depends on.

02

Risk Assessment

Identifying where financial statements could be materially misstated.

03

Control Activities

The specific policies and procedures that prevent or catch errors.

04

Information & Communication

Getting the right financial data to the right people in time to act on it.

05

Monitoring Activities

Ongoing checks that controls keep working as the business changes.

Scoping Your Program

404(a) or 404(b) — your filer status decides.

Every public company owes a management assessment. Whether an external auditor also has to attest to it depends on your filer status.

Management assessment

Section 404(a)

Management itself assesses and reports on the effectiveness of ICFR — required of every public company, including emerging growth companies and non-accelerated filers.

All filersWho it applies to
AnnualAssessment frequency
InternalWho performs it
  • Documented control narratives and testing
  • Management's own conclusion on ICFR effectiveness
  • Foundation for the 404(b) attestation, if required
Management builds & tests controls
Management issues ICFR conclusion
Filed with the annual report
Independent auditor attestation

Section 404(b)

An independent registered public accounting firm attests to management's ICFR assessment — required for accelerated and large accelerated filers.

Accelerated filersWho it applies to
AnnualAssessment frequency
ExternalWho performs it
  • Independent testing of the same control environment
  • A separate attestation opinion on ICFR
  • Non-accelerated filers and many EGCs are exempt
Management's 404(a) assessment
Independent auditor tests & attests
Two opinions filed together
How We Work

From scoping to a certification your officers can stand behind.

We build the program in the order an auditor will actually test it.

01

Scoping & Risk Assessment

We identify significant accounts, processes, and locations where a misstatement could actually matter.

02

Control Documentation

Process narratives, risk-control matrices, and flowcharts get built for every in-scope process.

03

Design Effectiveness Testing

We confirm each control, as designed, would actually prevent or detect the risk it's meant to address.

04

Operating Effectiveness Testing

Controls get tested against real evidence to confirm they're operating as designed, not just documented.

05

Deficiency Remediation

Gaps get classified — deficiency, significant deficiency, or material weakness — and remediated before certification.

06

Management Certification & Attestation

Management issues its 404(a) conclusion, with 404(b) auditor attestation coordinated where required.

What We Typically Find

Common gaps in a first-year SOX program.

Every company is different, but these show up often enough in first-time readiness work to plan for early.

General patterns we see across engagements, not a specific client's results.
01

Segregation of duties gaps

The same person can initiate, approve, and record a transaction — often in finance teams too lean to split the role.

02

IT general controls left informal

Access provisioning, change management, and backup controls exist in practice but were never documented or tested.

03

Uncontrolled spreadsheets

Critical calculations live in spreadsheets with no version control, formula-lock, or independent review step.

04

Missing evidence of review

A review actually happened, but nothing was signed, dated, or saved to prove it to an auditor later.

Why B4Q

A control program built to survive real audit testing.

Scoped to your actual filer status, not the broadest program we could sell you.

Filer-Status-Correct Scoping

We confirm whether 404(b) actually applies before building an attestation-ready program you don't need yet.

IPO-Timeline Aware

We sequence readiness work against your actual path to going public, not a generic template.

Documentation Built for Testing

Control narratives and matrices written the way an external auditor will actually sample them.

Deficiency Triage

Clear classification of findings so leadership knows what's material before certification, not after.

50+ Businesses Served

Across pre-IPO and public companies at every stage of their control maturity.

Year-Round Support

We stay on through the annual certification cycle, not just the initial buildout.

Questions

SOX, answered.

Do private companies ever need SOX compliance?
SOX technically applies to public companies, but private companies preparing for an IPO typically build SOX-ready controls in advance, since the requirement kicks in immediately as a public filer. Some private companies also adopt SOX-style controls voluntarily for investor or lender confidence.
What's the difference between 404(a) and 404(b)?
404(a) is management's own assessment of ICFR, required of every public company. 404(b) adds an independent auditor's attestation on top of that assessment, required for accelerated and large accelerated filers — many emerging growth companies and non-accelerated filers are exempt from 404(b).
What's a material weakness vs. a significant deficiency?
A deficiency is any control gap. A significant deficiency is serious enough to merit attention from those responsible for oversight. A material weakness is severe enough that a material misstatement could go undetected — and typically must be disclosed publicly.
How long does it take to get SOX-ready before an IPO?
Timelines vary by company complexity, but most pre-IPO companies start building ICFR documentation and testing well over a year ahead of their target filing date, since remediation of gaps found during testing takes real time.
Does SOX overlap with SOC 2 or our GRC program?
Yes, particularly around IT general controls and change management. If you already have a GRC program or SOC 2 report, we map existing evidence onto SOX requirements rather than starting from a blank page.

Ready to build ICFR your officers can certify?

Book a free strategy call and we'll map your SOX readiness timeline against your filer status.