Section 404 of the Sarbanes-Oxley Act requires public companies to: (a) evaluate and report on the effectiveness of internal controls over financial reporting (ICFR), and (b) for certain larger companies, have the external auditor attest to that assessment. For newly public companies, the grace period structure is one of the most important but least understood aspects of post-IPO compliance planning.
404(a) vs. 404(b) — The Critical Distinction
| Requirement | Section 404(a) | Section 404(b) |
|---|---|---|
| What it requires | Management assessment of ICFR effectiveness, included in annual report | External auditor attestation on management's ICFR assessment |
| Who it applies to | All public companies | Large accelerated filers (public float ≥$700M as of most recent June 30); Accelerated filers (public float $75M–$700M) |
| EGC exemption | No — EGCs must still comply with 404(a) | Yes — EGCs are permanently exempt from 404(b) while EGC status is maintained |
| When newly public companies must comply | Second Form 10-K filing post-IPO | Depends on filer status as of June 30 of the relevant year |
| Annual cost | $500K–$2M (internal resources) | Additional $500K–$3M in audit fees |
The Newly Public Company Grace Period
The SEC provides a grace period for newly public companies. According to Crowe LLP's October 2025 analysis of SEC guidance, companies generally have until the second Form 10-K filing after their IPO to become SOX Section 404(a) compliant:
Example: IPO in May 2024, Fiscal Year End December 31
- First 10-K (for FY 2024), filed in early 2025: 404(a) management assessment NOT required.
- Second 10-K (for FY 2025), filed in early 2026: 404(a) management assessment IS required, and 404(b) may also be required depending on filer status.
- 404 readiness work should therefore begin by mid-2024 to meet FY 2025 compliance in early 2026.
The COSO Framework
COSO (Committee of Sponsoring Organizations of the Treadway Commission) developed the internal controls framework that is used in virtually all US SOX 404 compliance programs. The 2013 COSO Internal Control – Integrated Framework has five components:
- Control Environment: Sets the tone at the top — the integrity, ethical values, and competence of company personnel; management's commitment to financial reporting accuracy
- Risk Assessment: Identifying and analyzing risks to the achievement of financial reporting objectives; the basis for determining which controls are necessary
- Control Activities: The specific policies and procedures that ensure management directives are carried out — approvals, reconciliations, reviews, and IT controls
- Information and Communication: Ensuring that relevant information is identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities
- Monitoring Activities: Assessment of the quality of internal controls over time — ongoing evaluations and separate evaluations (like internal audit)
Material Weaknesses — The Most Common Problem
A material weakness is a deficiency (or combination of deficiencies) in internal controls such that there is a reasonable possibility that a material misstatement of the company's financial statements would not be prevented or detected on a timely basis. A 2024 KPMG study of 2023 IPO filings found that 44% of 122 traditional IPOs disclosed at least one material weakness. The most common root causes were:
- Lack of resources with sufficient knowledge to analyze complex transactions for proper accounting treatment
- Inadequate control design — controls were not designed to operate at sufficient precision to detect material misstatements
- Inadequate policies and procedures — documented policies didn't match how accounting was actually done
Of companies that disclosed material weaknesses at IPO, 73% were able to remediate by the time of the first annual report — but material weakness disclosure at or before IPO is a significant reputational risk and often draws SEC comment letters.
The 18-Month SOX Readiness Timeline
Based on Crowe's 2025 SOX compliance roadmap, the recommended preparation timeline for newly public companies:
- Month 1 (18 months before required compliance): Establish program governance; appoint SOX project leader; define materiality and scope of ICFR
- Months 2–6: Map financial reporting processes; identify risks; design the risk-control matrix
- Months 6–12: Implement control activities; document control procedures; build IT general controls
- Months 12–15: Test controls; identify and remediate deficiencies
- Months 15–18: Management assessment; prepare ICFR report for inclusion in first compliant 10-K
SOX Readiness Is a Core Accounting Advisory Workstream
Accounting advisory firms design the SOX control framework, build the risk-control matrix, and advise on remediation — the work that the PCAOB auditor will test but cannot perform. Companies that engage accounting advisory for SOX readiness at least 18 months before the required compliance date consistently achieve better outcomes than those that start the process 6 months out.
What SOX 404 Actually Tests — Key Control Categories
The SOX 404 compliance program involves identifying "key controls" for each significant financial reporting process and testing whether those controls operated effectively throughout the year. The most common key control categories for technology companies:
| Process Area | Typical Key Controls | Common Deficiency |
|---|---|---|
| Financial close & reporting | Month-end close checklist; account reconciliations reviewed by senior accountant; journal entry approval workflow | Journal entries posted without approval; reconciliations prepared and reviewed by the same person |
| Revenue recognition | Contract review by trained accountant; deferred revenue reconciliation; period-end cutoff review | Revenue recognized based on billing date rather than performance obligation completion |
| Stock-based compensation | 409A valuation review; grant date fair value calculation review; equity award roster reconciliation to cap table | Grants recorded without contemporaneous fair value documentation |
| IT general controls (ITGCs) | Access provisioning and deprovisioning; change management; data backups; privileged access reviews | Terminated employees' system access not removed timely; production changes deployed without documented testing |
| Financial reporting | 10-K/10-Q review by CFO and outside counsel; disclosure committee sign-off; tie-out of press release to financial statements | Financial statement footnotes inconsistent with face statements |
| Payroll & equity compensation | Payroll approval; equity award vesting calculation; Section 16 reporting review | Payroll processed without independent approval; vesting dates not reconciled to HR system |
The Internal Audit Function
Most newly public companies establish or significantly expand an internal audit function as part of SOX readiness. The internal audit function serves three roles in the SOX 404 program:
- Risk assessment: Internal audit helps management identify the financial reporting risks that require key controls — the foundation of the risk-control matrix
- Control testing: Internal audit performs the first-pass testing of key controls (management testing), generating evidence that management uses to support the 404(a) assessment
- Deficiency tracking: Internal audit tracks identified control deficiencies, documents remediation plans, and retests remediated controls
Companies have three options for the internal audit function: (1) hire an in-house internal audit team (typically 2–5 FTEs for a mid-size public company), (2) co-source with an accounting advisory firm (in-house IA director plus outsourced testing support), or (3) fully outsource to an accounting advisory firm. Most newly public companies use a co-sourced model in the first two years.
IT General Controls — The Most Commonly Cited Deficiency
IT General Controls (ITGCs) are the controls over the IT environment that underpin all other controls — if the systems that process transactions are not properly controlled, the transaction-level controls built on top of them may not be reliable. PCAOB inspection findings from 2024 show ITGC deficiencies remain the most common SOX 404 issue area. Critical ITGC categories:
- Logical access controls: Who can access financial systems, at what privilege level, and whether access is reviewed and terminated promptly when employees leave or change roles
- Change management: Whether system changes (to ERP, billing, payroll systems) go through a documented approval and testing process before deployment to production
- Data integrity: Whether key financial data stored in databases is protected from unauthorized modification, and whether changes are logged and reviewed
- Backup and recovery: Whether financial systems data is backed up and whether backups are tested for recoverability
For high-growth technology companies with frequent engineering deployments and a rapidly growing employee base, logical access and change management ITGCs are the most commonly deficient. Both require investment in ITSM tooling (Jira, ServiceNow) and HR system integration to automate access provisioning and deprovisioning.
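As an added example (not from the page, Crowe, or any ITSM product), the script below automates the two logical-access checks named above that auditors most often find deficient: terminated employees whose ERP accounts are still enabled, and privileged accounts whose periodic access review is overdue; it also flags accounts with no HR owner. The HR roster, ERP export, one-day deprovisioning SLA, 90-day review cycle and privileged-role set are all constructed assumptions.

```python
# Added example: user-access review check over constructed HR and ERP data.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str    # short deficiency label for the deficiency log
    detail: str


# Constructed sample inputs: HR roster (termination date or None) and ERP account export.
HR_ROSTER = {
    "jdoe":   {"terminated": None},
    "asmith": {"terminated": date(2025, 3, 3)},
    "blee":   {"terminated": date(2025, 3, 28)},
}
ERP_ACCOUNTS = [
    {"account": "jdoe",      "enabled": True,  "role": "AP_CLERK", "last_review": date(2025, 1, 15)},
    {"account": "asmith",    "enabled": True,  "role": "GL_ADMIN", "last_review": date(2024, 10, 1)},
    {"account": "blee",      "enabled": False, "role": "AP_CLERK", "last_review": date(2025, 1, 15)},
    {"account": "svc_batch", "enabled": True,  "role": "GL_ADMIN", "last_review": date(2024, 6, 1)},
]
PRIVILEGED_ROLES = {"GL_ADMIN"}   # assumed: roles that can post to or alter the general ledger
AS_OF = date(2025, 3, 31)         # assumed quarter-end date of the review


def review_access(roster, accounts, as_of, sla_days=1, review_cycle_days=90,
                  privileged=PRIVILEGED_ROLES):
    """Return ITGC findings as of `as_of`; SLA and review cycle are assumed values."""
    findings = []
    for acct in accounts:
        name = acct["account"]
        hr = roster.get(name)
        if hr is None:
            # No HR record: orphan or service account, which needs a documented owner.
            findings.append(Finding(name, "orphan_account", "no matching HR record"))
        else:
            term = hr["terminated"]
            if term is not None and acct["enabled"] and (as_of - term).days > sla_days:
                findings.append(Finding(name, "terminated_access_not_removed",
                    f"terminated {term.isoformat()}, still enabled {(as_of - term).days} days later"))
        # Privileged accounts must be re-certified every review cycle while enabled.
        if acct["enabled"] and acct["role"] in privileged \
                and (as_of - acct["last_review"]).days > review_cycle_days:
            findings.append(Finding(name, "privileged_review_overdue",
                f"role {acct['role']} last reviewed {acct['last_review'].isoformat()}"))
    return findings


def summarize(findings):
    """Count findings per issue type, the shape a deficiency tracker needs."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(HR_ROSTER, ERP_ACCOUNTS, AS_OF)
    for f in results:
        print(f"{f.account:10} {f.issue:32} {f.detail}")
    print(summarize(results))
```

Note that `blee`, terminated three days before the review date but already disabled, produces no finding: the check tests the control's operation, not merely the existence of a termination.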
Realistic Cost Benchmarks
The annual cost of SOX compliance varies significantly with company size, complexity, and maturity. Based on current market data:
| Company Profile | Internal Costs | External Audit Add-on (404(b)) | Advisory/IA Support |
|---|---|---|---|
| EGC, $50–200M revenue, no 404(b) | $400K–$800K (staff + tools) | N/A — exempt | $200K–$600K (co-sourced IA) |
| Accelerated filer, $200M–$1B revenue | $800K–$2M | $500K–$2M additional audit fee | $400K–$1M |
| Large accelerated filer, $1B+ revenue | $2M–$5M+ | $2M–$6M+ additional audit fee | $500K–$1.5M |
The first year of SOX compliance is always the most expensive — designing the control framework from scratch costs significantly more than maintaining it in subsequent years. Protiviti's 2024 SOX compliance benchmark report found that over 50% of companies have experienced increased compliance costs in the prior two years, driven primarily by cybersecurity-related ITGC requirements and more rigorous PCAOB inspection activity.
Real-World SOX Failures — Cautionary Cases
Material weaknesses and SOX failures at newly public companies are more common than most management teams expect. Understanding real cases helps management teams calibrate the risks and prioritize remediation efforts appropriately.
DraftKings — material weakness in first year as public company (2021): DraftKings, which went public via SPAC merger in April 2020, disclosed a material weakness in its internal controls over financial reporting in its first annual report as a public company. The weakness related to the company's financial close process and its ability to produce accurate and timely financial statements — a process that is significantly more demanding as a public company than as a private one. DraftKings' case is notable because the company had specifically chosen the SPAC path partly to accelerate its timeline to the public market — the compressed SPAC timeline meant less time to build public-company financial infrastructure. The remediation took approximately 18 months and required significant investment in finance personnel, systems, and process documentation.
Lordstown Motors — restatement and SEC investigation (2021): Lordstown Motors, which went public via SPAC merger with DiamondPeak Holdings in October 2020, disclosed a series of internal control failures culminating in an SEC investigation and restatement of previously filed financial statements. The control failures involved the company's reporting of pre-order deposits — the company had publicly claimed to have 100,000+ pre-orders for its electric pickup truck, but the SEC found that these "orders" were not binding purchase commitments and that the company's internal controls had failed to ensure the accuracy of this disclosure. The Lordstown case illustrates how internal control failures at a company's most strategically sensitive metrics can have catastrophic consequences far beyond the financial statements themselves.
Luckin Coffee — material weakness enabling $310M fraud (2020): While Luckin Coffee is a Chinese company that listed on Nasdaq (not a typical US IPO), its case is included here because it represents the most dramatic illustration of what happens when material weaknesses in internal controls are exploited by management. Luckin's auditors (Ernst & Young Hua Ming) flagged concerns about internal controls, but the company's senior management had fabricated approximately $310 million in sales transactions. The complete failure of controls over revenue recognition — specifically the absence of controls that would detect fictitious transactions — led to Nasdaq delisting, SEC enforcement actions, and criminal charges. The extreme case illustrates that material weaknesses are not merely a compliance issue; they are the mechanism through which fraud becomes possible.
Nikola — restatement and CEO conviction (2022): Nikola's SPAC merger in June 2020 was followed within months by short-seller allegations that the company had misrepresented its technology capabilities. The subsequent SEC investigation and restatement revealed control failures in how the company reported its technology development status and partnership valuations. CEO Trevor Milton was convicted of securities fraud in 2022 in part because internal controls that should have required independent verification of material claims about product capabilities were absent or ineffective. The Nikola case reinforced that SOX controls are not merely about financial statement accuracy — they extend to the controls over any material disclosure that investors rely on to make investment decisions.
SOX 404 Failures — Case Studies in What Happens When Controls Are Inadequate
The consequences of material weaknesses in internal controls over financial reporting range from stock price declines and restatements to SEC enforcement actions and criminal charges. The following cases represent the spectrum of outcomes from control failures at newly public companies.
Nikola — Restatement and SEC Investigation (2021)
Nikola went public via SPAC merger in June 2020 and disclosed its first material weakness in internal controls in its 10-K for fiscal year 2020 — within six months of becoming a public company. The material weakness related to the company's financial reporting processes, including inadequate accounting for complex transactions and insufficient qualified accounting personnel. The material weakness disclosure coincided with SEC and DOJ investigations into founder Trevor Milton's public statements about the company's technology. Milton was ultimately convicted of fraud in 2022. Nikola's case illustrates the most dangerous combination: a material weakness in controls plus a culture of disclosure failures at the leadership level. The controls weakness meant that no adequate financial reporting infrastructure existed to catch or correct the misstatements being made publicly.
DraftKings — Material Weakness in First Year Public (2021)
DraftKings, which completed a SPAC merger in April 2020, disclosed a material weakness in its 10-K for fiscal year 2020 related to information technology general controls — specifically, inadequate segregation of duties and access controls in certain financial systems. The weakness reflected the reality that DraftKings had grown very rapidly as a private company without building the control infrastructure expected of a public company. The stock fell approximately 8% on the material weakness disclosure. DraftKings remediated the weakness over the following year by hiring additional finance and IT staff, implementing role-based access controls, and engaging an external SOX advisory firm to validate the remediation. The remediation was disclosed in the 2021 10-K as complete. DraftKings' case is a useful benchmark: a material weakness in year one is not fatal if properly disclosed, clearly remediated, and accompanied by a credible remediation plan.
Lordstown Motors — Restatement, SEC Investigation, and Delisting (2021–2022)
Lordstown Motors completed a SPAC merger in October 2020 and disclosed a material weakness in its first 10-K related to controls over complex transactions and technical accounting. The company subsequently announced it was investigating potential fraud in its reported pre-order book — the orders that had been central to its equity story and valuation. The SEC opened a formal investigation. Lordstown restated its financial statements, disclosing that pre-orders had been overstated. The company's CEO and CFO resigned. By 2023, Lordstown had filed for bankruptcy. The case represents the extreme end of the control failure spectrum: a company that went public without the accounting and financial reporting infrastructure to accurately represent its business, and whose control failures obscured underlying business model problems until well after the IPO.
Luckin Coffee — Fraud Enabled by Weak Controls (2020)
Luckin Coffee, the Chinese coffee chain that listed on Nasdaq in 2019, disclosed in April 2020 that approximately 2.2 billion Chinese yuan (approximately $310 million) of reported sales from Q2 through Q4 2019 had been fabricated. An internal investigation found that the fabricated transactions were enabled by weak internal controls and that several senior managers were involved. The stock was delisted. While Luckin was a Chinese company audited by a non-Big-Four firm with less rigorous PCAOB inspection oversight than US-based companies, the case reinforced for US regulators and investors the importance of strong SOX-style internal controls — and contributed to the subsequent tightening of PCAOB inspection requirements for Chinese audit firms. For US-listed companies, the Luckin case is often cited by audit committees as a reminder that management override of controls is the most dangerous control risk and requires specific anti-fraud controls beyond standard segregation of duties.
The Material Weakness Disclosure Effect on Stock Price
Academic research on material weakness disclosures by newly public companies consistently finds a negative stock price reaction of 3–8% in the days following disclosure, with larger reactions when the weakness is disclosed alongside a restatement. The reaction is more severe when the weakness relates to revenue recognition or complex transactions (as opposed to IT controls or segregation of duties), because revenue-related weaknesses raise questions about historical financial statement accuracy. Companies that disclose material weaknesses should accompany the disclosure with a specific remediation plan, a timeline for completion, and an explanation of why the weakness did not affect the accuracy of the filed financial statements — even if that explanation is only technically true.
Primary References
SEC Implementation of SOX Section 404
The SEC's official guidance on Section 404 implementation, including the rules governing the management assessment and auditor attestation requirements.
SOX Section 404 Compliance: A Public Company Road Map
Crowe's detailed roadmap covering the grace period timeline, filer status transitions, and the 18-month readiness implementation plan.
COSO Internal Control — Integrated Framework
The authoritative COSO 2013 framework that is the basis for virtually all US SOX 404 compliance programs.
SOX 404 Readiness — Engage Early
Accounting advisory firms design the SOX control framework that the auditor tests. Start at least 18 months before the required compliance date.