What Is SOX 404(b) and Who Does It Apply To

Section 404(b) of the Sarbanes-Oxley Act forces a company's outside auditor to put its own reputation behind management's claim that internal controls over financial reporting actually work. It is the only part of SOX where an independent third party signs an opinion on controls, not just on the numbers, and that signature is what gives 404(b) its bite.

Not every public company is on the hook. After the SEC's March 2020 amendments, roughly the same universe of filers still sits inside the rule: accelerated and large accelerated filers. Smaller reporting companies with under $100 million in annual revenue and EGCs inside their five-year window stay out, which means the rule lands hardest on mid-cap and large-cap issuers rather than on early-stage IPOs.

What SOX 404(b) actually requires

The short legal version

Section 404(b) requires the company's independent registered public accounting firm to issue an attestation report on the effectiveness of the company's internal control over financial reporting, or ICFR. The auditor is not just reviewing the financial statements. The auditor is giving a separate opinion on whether the plumbing behind those statements is sound. The PCAOB sets the standard that governs how that opinion is formed, currently Auditing Standard 2201.

The opinion has three possible flavors: unqualified, adverse, or a disclaimer. An adverse opinion on ICFR does not automatically mean the financial statements are wrong, but it tells investors that a material weakness existed at year-end. That is a market-moving disclosure and one of the main reasons 404(b) exists in the first place.

How 404(b) differs from 404(a)

Section 404(a) is the management piece. The CEO and CFO have to assess ICFR and sign off on it inside the 10-K. Every SEC reporting company does this, no exceptions for size.

Section 404(b) is the external piece. The auditor independently tests the same controls, reaches its own conclusion, and publishes that conclusion alongside management's. If management says controls are effective and the auditor disagrees, the disagreement has to be disclosed. That is the entire point.

Why Congress wrote it

The Enron and WorldCom backdrop

The Sarbanes-Oxley Act passed the House 423 to 3 and the Senate 99 to 0 and was signed by President George W. Bush on July 30, 2002. It was written in the middle of the Enron and WorldCom collapses, when the failure mode was not sloppy bookkeeping but executives and auditors looking at the same broken controls and waving them through. Title IV of the statute, which contains Section 404, was the structural answer.

What the auditor attestation is supposed to catch

Restatements, revenue recognition games, and off-balance-sheet vehicles all tend to leave footprints in the control environment long before they hit the income statement. 404(b) is built on the assumption that if an outside auditor is forced to examine the controls and stake a reputation on them, problems surface earlier. The evidence is mixed but directionally supportive. Audit Analytics data cited in Harvard Law's corporate governance forum showed adverse ICFR auditor attestations falling from 15.7% in 2004 to 5.3% in 2015.

Who has to comply

Accelerated and large accelerated filers

The practical answer to "does 404(b) apply to us" starts with filer status under Rule 12b-2 of the Exchange Act. Accelerated filers and large accelerated filers must comply. These are, broadly, companies with $75 million or more in public float that do not qualify as a smaller reporting company under the revenue test.

The smaller reporting company carve-out

This is where the 2020 amendments changed the map. Before March 2020, a company with $250 million in public float was automatically an accelerated filer and automatically subject to 404(b). After the amendments, a company that is eligible to be a smaller reporting company because its most recent audited annual revenues were under $100 million is excluded from the accelerated filer definition, even if its public float sits between $75 million and $700 million. The effect is a carve-out for low-revenue companies that happen to trade at high valuations.

Non-accelerated filers and EGCs

Two groups sit fully outside 404(b). Non-accelerated filers, meaning companies with public float under $75 million or SRCs that qualify on the revenue test, are exempt under Section 404(c), which was added by the Dodd-Frank Act in 2010. Emerging growth companies, created by the JOBS Act of 2012, are exempt for up to five years after their IPO. That EGC exemption ends early if the company exceeds $1.235 billion in annual gross revenues, issues more than $1 billion in non-convertible debt over three years, or becomes a large accelerated filer. The $1.235 billion figure is the current inflation-adjusted cap set by the SEC in September 2022.

How a company gets pulled in, or pushed out

The public float test

Public float is measured on the last business day of the company's most recently completed second fiscal quarter. For a calendar-year company, that is June 30. Cross $75 million in float on that date, fail the SRC revenue test, and you are an accelerated filer for the year. The 404(b) attestation is due with the following 10-K.

The revenue test

The 2020 amendments made revenue a gatekeeper. A company with $600 million in public float but $80 million in annual revenue qualifies as an SRC under the revenue test and therefore is not an accelerated filer. Revenue is measured from the most recent fiscal year with audited financial statements, not a trailing twelve-month figure.

Transition thresholds

Companies do not bounce in and out of 404(b) over small market moves. To exit accelerated filer status, public float has to drop below $60 million, or annual revenues have to fall under the applicable revenue threshold. For large accelerated filers, the float exit threshold is $560 million. The SEC set these at 80% of the entry thresholds on purpose, to give a buffer against share-price volatility.

What compliance actually costs

Audit fees and the transition year spike

The cost nobody warns first-time CFOs about is the run-up before the transition year. A July 2025 GAO report that tracked 96 companies crossing the 404(b) threshold between 2019 and 2023 documented the pattern: costs rise in the year before the attestation kicks in, jump sharply in the transition year, and then settle into smaller year-over-year increases. The SEC's own 2009 study of Section 404 compliance costs found that for 404(b) companies, mean total Section 404 compliance costs were $2.33 million post-2007 reforms, down from $2.87 million before. Adjust that forward and the number is still a meaningful line item for a company with $100 million in revenue.

Internal labor, documentation, and tooling

Audit fees are only part of the bill. The SEC's 2009 study found that for 404(b) companies, internal labor was the single largest cost component, sometimes more than half of total 404 spend. Control documentation, walkthroughs, testing evidence, and SOX-specific GRC software all sit on the company's own P&L. The auditor just tests what the company has already built, and when the company has not built enough, the auditor's fees climb to cover the extra work.

Common misreadings of the rule

Three mistakes show up again and again. The first is assuming 404(b) applies to all public companies. It does not. Non-accelerated filers, SRCs under the revenue test, and EGCs inside their window are out. The second is assuming EGC status lasts exactly five years. It can end earlier if revenues, debt issuance, or float cross the statutory lines. The third is treating 404(a) and 404(b) as a single compliance effort. They share documentation but are two different work products, with two different signers, and the auditor's opinion under 404(b) is independent of management's assessment under 404(a). A clean 404(a) and an adverse 404(b) in the same 10-K is legal, uncomfortable, and has happened.

The companies that handle 404(b) well treat it as a byproduct of a control environment they would want anyway. The ones that treat it as a separate compliance exercise tend to find themselves in the transition-year cost spike with a material weakness and a board asking hard questions. The statute does not care which camp you are in. It only cares what the auditor writes.


Regulatory compliance layer for public companies and registered funds.

Built for lean teams.

© 2026 Finiti. All rights reserved.