RiskWatch

Free Download · SOX 404 ICFR

The complete SOX 404 ICFR compliance checklist.

Twenty-eight controls organized the way PCAOB AS 5 audits actually run: entity-level, business-process, ITGC, application, disclosure, and materiality. Aligned to COSO 2013 and Sarbanes-Oxley Sections 302, 404, 802, and 906. Built by the team that runs continuous ICFR inside the RiskWatch platform: auditor-built, not vendor marketing.

28 controls · 6 SOX 404 areas · COSO 2013 + PCAOB AS 5 aligned · no credit card

Trusted by SOX PMOs at Fortune 500 + mid-cap accelerated filers running ICFR programs across 10-K cycles, ITGC continuous monitoring, MRC documentation, and PCAOB AS 5 audit support.

The Coca-Cola Company · NetAccess · Aon · Johnson & Johnson · Pfizer · SeaWorld Entertainment
4.8 on G2 Crowd (108+ reviews)
4.7 on Capterra (76+ reviews)
4.8 on Gartner Peer Insights (Voice of the Customer)

What's inside · 28 ICFR controls across 6 SOX 404 areas

Every SOX 404 control area, organized for your 10-K cycle.

Most public-company SOX checklists ship 50+ ITGC items and call it complete. The SEC and PCAOB don't audit ICFR that way. Real SOX 404 testing covers entity-level controls, business-process controls, IT general controls, application controls, disclosure controls, and materiality + scoping, together. The checklist mirrors that structure exactly.

Area 01 · 8 controls

Entity-Level Controls (ELCs)

The COSO 2013 control environment. PCAOB AS 5 paragraphs 22-24 direct auditors to identify and evaluate entity-level controls first in the top-down approach; weak ELCs increase the testing the auditor must perform in every other area.

  • Tone at the top, board + executive commitment to integrity
  • Code of Ethics, annual attestation + violation-tracking process
  • Audit Committee independence + financial-expert designation
  • Whistleblower hotline (SOX 301) + investigation procedures
  • Anti-retaliation (SOX 806 civil whistleblower protection, SOX 1107 criminal penalties) training + tracked attestations
  • Governance structure, delegations of authority + segregation
  • Risk assessment, annual fraud risk + management override controls
  • Internal audit charter + reporting line to Audit Committee
Area 02 · 5 controls

Business-Process Controls (BPCs)

Process-level controls in the major financial cycles. These are where the auditor walkthroughs live. Material weaknesses in BPCs typically pair with ITGC failures.

  • Revenue, order-to-cash, ASC 606 cutoff, AR reconciliation
  • Expenditure, procure-to-pay, three-way match, AP cutoff
  • Payroll, hire/term workflow, accrual, tax remittance
  • Financial close, journal-entry approval, account reconciliation, sub-ledger close
  • Treasury, cash management, debt covenants, FX exposure
Area 03 · 8 controls

IT General Controls (ITGCs)

ITGCs are the most-cited material-weakness cluster year over year. The five traditional domains (logical access, change management, program development, network security, physical security) plus computer operations, backup, and disaster recovery: the set auditors actually walk through.

  • Logical access, provisioning, periodic recertification, terminations
  • Change management, authorization, testing, separation of duties (dev/prod)
  • Computer operations, job scheduling, batch monitoring, error resolution
  • Program development, SDLC controls, code review, deployment approvals
  • Network security, perimeter, segmentation, monitoring, vulnerability cycle
  • Data center physical security, environmental + access controls
  • Backup + restore, schedule, success monitoring, restore testing
  • Disaster recovery + BCP, RTO/RPO testing, failover validation
Area 04 · 4 controls

Application Controls

Automated controls embedded in financially significant applications. When ITGCs are effective, automated application controls can be benchmarked (the AS 5 Appendix B strategy): tested against a baseline plus change-management evidence rather than fully re-performed every year.

  • Input controls, edit checks, completeness, validation rules
  • Processing controls, calculations, totals, exception reporting
  • Output controls, distribution, completeness, accuracy reconciliation
  • Master-data controls, vendor, customer, GL chart-of-account integrity
Area 05 · 3 controls

Disclosure Controls + Procedures

SOX Section 302 quarterly certification + Section 404 annual ICFR opinion. Disclosure controls are the management-certification scaffolding that makes 302 + 404 sustainable.

  • SOX 302 quarterly sub-certification chain + DCC committee minutes
  • SOX 404(a) management ICFR assessment + 404(b) auditor attestation prep
  • Disclosure committee charter + 10-Q / 10-K review timeline
Area 06 · 3 controls

Materiality + Risk Assessment

Risk-based scoping is the single most-debated SOX topic with auditors. Documented thresholds + a defensible risk-assessment trail keep scope discussions out of the year-end fire drill.

  • Quantitative materiality threshold (typically 5% pre-tax income), documented
  • Tolerable error / performance materiality for testing, documented per significant account
  • Risk-based scoping memo, significant accounts, locations, fraud scenarios, walkthroughs

28 controls. 6 SOX 404 areas. PDF appendix maps each control to its COSO 2013 principle and PCAOB AS 5 paragraph.

Get the checklist

Why this checklist

SOX 404 testing is multi-area. Most checklists are ITGC-only.

Sarbanes-Oxley Section 404 requires management's annual assessment of ICFR effectiveness, with Section 404(b) auditor attestation for accelerated and large accelerated filers. Section 302 layers quarterly CEO + CFO certification on top, and Section 906 attaches criminal penalties for knowingly false certification. PCAOB Auditing Standard 5 (AS 5, renumbered AS 2201 in the PCAOB's standards reorganization but still commonly called AS 5) is the audit standard your external auditor uses to test ICFR. SEC enforcement of SOX-related issues averages over $1B in monetary settlements annually, with internal-control failures cited in the majority of accounting-fraud actions.

The COSO 2013 Internal Control – Integrated Framework is the SEC-recognized standard against which management evaluates ICFR. It has 17 principles across 5 components: control environment, risk assessment, control activities, information + communication, and monitoring. Auditors focus testing on key controls (those that address a reasonable possibility of material misstatement); among them, management review controls (MRCs) are the ones where the documented depth of the review, not the sign-off itself, is the audit-defensible artifact. The 10-K filing window (60, 75, or 90 days after fiscal year-end, depending on filer status) compresses every gap into overtime.

Material weaknesses rarely surface alone. PCAOB inspection reports show ITGC weaknesses cluster with MRC documentation gaps and IPE (information produced by the entity) reliability issues. SOX 806 and 1107 protect whistleblowers reporting accounting issues (civil remedies and criminal penalties for retaliation, respectively); SOX 802, as implemented by SEC Rule 2-06, requires 7-year retention of audit workpapers, with criminal penalties for destruction or tampering. Treating ICFR as a once-a-year assessment instead of a continuous program is what turns a deficiency into a material weakness into a restatement.

Who it's for

Built for SOX program leaders.

ICP 01

SOX PMO / Director of Internal Controls

Owns the annual ICFR program, scopes significant accounts + locations, manages SOX team capacity through the 10-K compression window.

28-control structure mirrors the SOX program plan. Walkthrough-ready format. Cross-references each item to COSO principle + PCAOB AS 5 paragraph.
ICP 02

CFO + Audit Committee Chair

Signs the SOX 302 quarterly + 404 annual certifications. Audit committee chair signs off on the SOX program design + management's ICFR assessment.

Section 302 + 404 cycle planner included. Materiality + scoping memo template. Disclosure committee minute template.
ICP 03

IT Audit Director (ITGC)

Owns the 8 ITGC domains, coordinates with IT operations for evidence, manages the application-controls testing approach.

8-domain ITGC structure with example tests + evidence prompts per domain. Application-controls baseline + change-testing approach.

FAQ

SOX 302 vs 404, ITGCs, COSO, AS 5, and the 10-K window, answered up front.

The questions SOX PMOs ask before they download, and the answers their auditor would give if you asked.

SOX 302 vs SOX 404, what's the difference?
SOX Section 302 requires quarterly CEO + CFO certification covering disclosure controls and procedures and the design and operation of ICFR. It applies to every periodic filing, 10-Q and 10-K. SOX Section 404 layers an annual management assessment of ICFR effectiveness in the 10-K (404(a)), and for accelerated and large accelerated filers an external auditor attestation on ICFR (404(b)). Section 302 is the quarterly management certification; Section 404 is the annual management assessment plus, where 404(b) applies, the auditor's third-party validation. Both rely on the same continuous control evidence; the checklist covers controls that satisfy both, plus the disclosure-committee scaffolding that ties them together.
Are ITGCs covered?
Yes, 8 ITGC items spanning logical access, change management, computer operations, program development, network security, data-center physical security, backup + restore, and disaster recovery. ITGCs are the single most-cited material weakness cluster in PCAOB inspection reports, so the checklist treats them as their own first-class section rather than a footnote under controls. Each item lists the typical evidence the auditor walks through and the most common failure modes (e.g., terminated user still active 30+ days, change ticket without testing evidence, restore never validated).
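The two failure modes named above (terminated user still active 30+ days, change ticket without testing evidence) and the logical-access and change-management items in the ITGC area are exceptions a SOX team can detect mechanically from its own exports rather than waiting for the auditor's sample. The following Python is an added example, not code from the checklist or the RiskWatch platform: the HR termination list, identity-provider export, and change tickets are constructed sample data, and the 30-day threshold and the dev/prod and self-approval segregation rules are illustrative assumptions.

```python
from datetime import date

# Constructed sample data (not real exports). In a real program these come from the
# HRIS termination report, the identity provider's user export, and the change-ticket
# system, all pulled as of the test date.
AS_OF = date(2024, 3, 31)          # recertification test date

HR_TERMINATIONS = {                # username -> termination date per HR
    "jdoe": date(2024, 1, 10),
    "asmith": date(2024, 2, 28),
    "bwong": date(2024, 3, 15),
}

IDP_USERS = {                      # username -> (IdP status, last successful login or None)
    "jdoe": ("ACTIVE", date(2024, 2, 20)),   # still enabled and logged in after termination
    "asmith": ("DEPROVISIONED", None),       # disabled correctly
    "bwong": ("ACTIVE", None),               # still enabled, but terminated only weeks ago
    "clee": ("ACTIVE", date(2024, 3, 30)),   # current employee, no HR termination record
}

CHANGE_TICKETS = [                 # one record per production change
    {"id": "CHG-101", "developer": "clee",   "approver": "mgr1",   "deployer": "ops1", "test_evidence": True},
    {"id": "CHG-102", "developer": "clee",   "approver": "mgr1",   "deployer": "clee", "test_evidence": True},
    {"id": "CHG-103", "developer": "dpatel", "approver": "mgr1",   "deployer": "ops1", "test_evidence": False},
    {"id": "CHG-104", "developer": "dpatel", "approver": "dpatel", "deployer": "ops1", "test_evidence": True},
]


def terminated_still_active(terminations, idp_users, as_of, threshold_days=0):
    """Logical-access test: terminated users whose IdP account is still ACTIVE.

    Returns [(user, days_past_termination, used_after_termination)], worst first.
    Only users active for more than threshold_days past termination are reported,
    so threshold_days=30 reproduces the "still active 30+ days" failure mode.
    """
    findings = []
    for user, term_date in terminations.items():
        status, last_login = idp_users.get(user, ("NOT_IN_IDP", None))
        if status != "ACTIVE":
            continue                                  # disabled or absent: control operated
        days = (as_of - term_date).days
        if days <= threshold_days:
            continue
        used_after = last_login is not None and last_login > term_date
        findings.append((user, days, used_after))
    return sorted(findings, key=lambda f: f[1], reverse=True)


def change_ticket_exceptions(tickets):
    """Change-management test: tickets missing test evidence or violating segregation of duties.

    Returns [(ticket_id, [reasons])] in input order; tickets with no reasons are omitted.
    """
    exceptions = []
    for t in tickets:
        reasons = []
        if not t["test_evidence"]:
            reasons.append("no testing evidence attached")
        if t["developer"] == t["deployer"]:
            reasons.append("developer deployed own change (dev/prod separation)")
        if t["developer"] == t["approver"]:
            reasons.append("developer approved own change")
        if reasons:
            exceptions.append((t["id"], reasons))
    return exceptions


def itgc_exception_report(as_of=AS_OF):
    """Bundle both tests into one structure a control owner can attach as test evidence."""
    return {
        "as_of": as_of.isoformat(),
        "terminated_active_30d": terminated_still_active(HR_TERMINATIONS, IDP_USERS, as_of, threshold_days=30),
        "terminated_active_any": terminated_still_active(HR_TERMINATIONS, IDP_USERS, as_of),
        "change_exceptions": change_ticket_exceptions(CHANGE_TICKETS),
    }


if __name__ == "__main__":
    for key, value in itgc_exception_report().items():
        print(f"{key}: {value}")
```

Replacing the three constructed dictionaries with the real HRIS, IdP, and ticketing exports turns this into the control's periodic test: the returned lists are the exception population the control owner must remediate and explain, and an empty list, together with the exports it was run against, is the evidence that the control operated for the period. The `used_after_termination` flag separates a dormant account (a design gap) from an account actually used after the leaver's date (a potential unauthorized-access incident that needs investigation, not just cleanup).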
Is the checklist aligned to COSO 2013?
Yes. The COSO 2013 Internal Control – Integrated Framework is the SEC-recognized standard for ICFR assessment, with 17 principles across 5 components: control environment, risk assessment, control activities, information + communication, and monitoring activities. The Entity-Level Controls section covers the 17 principles directly; the Business-Process and ITGC sections cover control-activity execution against COSO principles 10 through 12 (selecting and developing control activities, selecting and developing general controls over technology, and deploying control activities through policies and procedures). The PDF appendix maps each of the 28 checklist items to its COSO principle reference for the management-assessment writeup.
PCAOB AS 5, what does it require?
PCAOB Auditing Standard 5 (now numbered AS 2201 but commonly called AS 5) is the audit standard external auditors use to test ICFR for SOX 404(b) attestation. It is risk-based: auditors plan the audit using a top-down approach that begins with entity-level controls, then identifies significant accounts and disclosures, walks through the major classes of transactions, identifies the relevant assertions, and selects controls to test. AS 5 also defines the 3-tier deficiency model (control deficiency, significant deficiency, material weakness) that drives audit reporting. The checklist's 6-area structure mirrors AS 5's top-down approach so management testing aligns with audit testing.
Does it cover 10-K filing timing?
Yes. The PDF appendix includes a SOX 302 + 404 cycle planner that runs from fiscal-year-end backward through the 60-day filing window for large accelerated filers (75 days for accelerated, 90 days for non-accelerated). Milestones cover Q4 walkthrough completion, year-end ITGC re-test, MRC quarterly review evidence, deficiency aggregation + severity assessment, management ICFR assessment writeup, audit committee approval, and 10-K filing. SOX 802 record-retention requirements (7 years for audit work papers) are embedded in the evidence-tracking columns.

From checklist to platform

Run SOX + 39 other frameworks on one platform?

RiskWatch runs SOX 404 ICFR alongside SOC 2, ISO 27001, NIST CSF, HIPAA, GDPR, and 35+ other frameworks on one survey-based platform. ITGC evidence pulls continuously from Okta, Jira, GitHub, Splunk, ERP. MRC documentation captures all 4 elements. Material-weakness early-warning fires before the auditor sees it.

Or call US: +1 941-500-4525

Request a Demo