What is the SEC proposing?
The United States Securities and Exchange Commission (SEC) has proposed filer-status changes that could represent one of the most significant shifts to Sarbanes-Oxley (SOX) reporting requirements in decades. If adopted, the proposal would substantially expand the number of companies eligible for non-accelerated filer status, meaning many organizations would no longer be subject to SOX Section 404(b) auditor attestation while remaining fully responsible for management's assessment under Section 404(a).
According to the SEC, at the time it issued its proposed amendments on May 19 [1], if the proposal had been in effect, approximately 80.8% of public companies would have qualified as non-accelerated filers, while only 19.2% would have remained Large Accelerated Filers. Those companies would still have represented approximately 93.5% of total public float, reflecting the SEC's objective of reducing compliance costs for a broader population of issuers while maintaining enhanced reporting requirements for the largest public companies.
While much of the early discussion has focused on potential compliance cost savings, the proposal raises a much broader governance question.
For many companies, the proposal would shift the focus from an auditor-attested environment under Section 404(b) to one in which management's assessment under Section 404(a) serves as the primary basis for evaluating the effectiveness of internal control over financial reporting. That shift places even greater emphasis on management's governance responsibilities and the strength of the organization's internal control framework.
Although the proposal remains subject to the SEC's rulemaking process, public companies should begin evaluating how their governance programs would evolve if it is adopted. The question is no longer simply whether compliance requirements could change. The more important question is how public companies can maintain strong governance when management's assessment becomes the primary source of assurance.
What should companies be thinking about now?
The proposal is not yet final. Public companies should avoid making significant changes to their SOX programs prematurely; however, now is an appropriate time to understand how a change in filer status could impact now is an appropriate time to understand how a change in filer status could affect governance, compliance, and internal audit strategies.
If your organization transitions from an environment that includes external auditor attestation under Section 404(b) to one in which management's assessment under Section 404(a) is no longer subject to auditor attestation, the objective should not be simply to reduce compliance activities. Instead, public companies should evaluate how to right-size their SOX programs while preserving the governance framework that supports reliable financial reporting.
Strong controls support more than regulatory compliance. They promote reliable financial reporting, reinforce operational discipline, and help maintain investor confidence.
A right-sized SOX program may include reducing testing frequency where appropriate, rationalizing redundant controls, and leveraging automation, analytics, and technology to improve efficiency. However, companies should be cautious about eliminating testing altogether.
Over time, significantly reducing testing can result in outdated documentation, unclear control ownership, diminished control awareness, and increased remediation costs. For public companies that remain subject to controls-based external audits, management testing also serves as an important input into auditor reliance strategies. As a result, changes to testing programs may have implications that extend beyond SOX compliance alone.
The objective is not simply to do less—it is to do the right work at the right level of effort. The goal should be optimization, not atrophy.
The objective should not simply be to reduce compliance and/or internal audit spending. Companies should consider whether compliance efficiencies can be reinvested into broader risk management activities that create greater organizational value.
For many public companies, SOX activities consume a significant portion of internal audit resources. If compliance effort is reduced, leaders should ask an important question: How can that capacity be redeployed?
Rather than viewing this solely as a budget reduction opportunity, public companies may choose to redirect internal audit resources toward emerging risks such as cybersecurity, artificial intelligence governance, third-party risk, data governance, operational effectiveness, and enterprise risk management.
Technology can further amplify this opportunity. As organizations adopt automation, analytics, and AI-enabled testing, compliance activities may become more efficient, creating additional capacity without sacrificing control effectiveness.
Internal audit's purpose has never been solely to support SOX compliance. Its broader mission is to provide independent assurance, insight, and foresight across the organization's most significant risks. Organizations that realize the greatest value from potential compliance efficiencies will likely be those that reinvest resources into strategic risk areas rather than simply reducing them.
Don't overlook disclosure controls and procedures
While discussions around SOX often focus on financial reporting controls, disclosure controls and procedures (DCPs) deserve equal attention.
DCPs are designed to ensure information required to be disclosed in SEC filings is accumulated, evaluated, and communicated to management in a timely manner. They extend well beyond traditional financial controls and support areas such as cybersecurity disclosures, legal contingencies, executive compensation, related-party transactions, risk factors, and other matters that increasingly attract regulatory scrutiny.
As public companies consider potential reductions in SOX effort, they should be careful not to weaken the broader governance processes that support accurate and complete disclosures.
The objective is not simply to perform fewer control activities. It is to maintain the governance processes that enable management to make informed disclosure decisions with confidence.
Why strong 404(a) programs still matter
For some public companies, the prospect of transitioning from a 404(b) environment to a 404(a) environment may be viewed primarily as a cost-reduction opportunity. While compliance savings may ultimately materialize, these companies should be careful not to equate fewer regulatory requirements with lower governance expectations.
The absence of auditor attestation does not eliminate the consequences of ineffective controls.
Companies that experience control failures may still face financial statement restatements, SEC scrutiny, increased audit costs, diminished investor confidence, and reputational damage. Public companies reporting material weaknesses or restatements often experience increased cost of capital, elevated audit fees, management distraction, and negative market reactions.
Just as importantly, the SEC's oversight responsibilities do not disappear in a 404(a) environment.
Management remains responsible for assessing and reporting on the effectiveness of internal control over financial reporting. Material weaknesses must still be disclosed. Disclosure Controls and Procedures must still be evaluated. Historically, public companies reporting solely under Section 404(a) have disclosure material weaknesses at significantly higher rates than companies subject to Section 404(b) audit attestation (approximately 40% versus 5.5% over the past 5 years, according to Ideagen Audit Analytics) [2]. In addition, the SEC continues to issue comment letters related to internal control disclosures, material weakness reporting, remediation efforts, and management conclusions regarding control effectiveness.
In a world where fewer public companies are subject to auditor attestation, management's assessment becomes even more important because it may become the primary basis upon which investors, lenders, boards, and regulators evaluate the effectiveness of an organization's control environment.
The question should not be, 'What is the minimum we need to do?' The better question is, 'What level of governance allows us to operate confidently while meeting stakeholder expectations?'
Whether the SEC's proposal is adopted or not, it reminds us of something that has always been true: effective governance begins with management, not the external auditor.
Understanding management's responsibilities under section 404(a)
Many executives associate SOX compliance with auditor testing and attestation. However, the foundation of the Sarbanes-Oxley framework has always been management's responsibility for internal controls.
Under Section 404(a), management is required to establish and maintain internal control over financial reporting (ICFR), evaluate effectiveness annually, document the assessment process, evaluate identified deficiencies, disclose material weaknesses, and include management's report on ICFR in the annual report.
These responsibilities do not disappear if a company is no longer subject to Section 404(b). The question is not whether controls are still required. The question is how companies can maintain an effective governance program while appropriately scaling compliance efforts.
The bottom line
Whether or not the SEC adopts its proposal as drafted, it has already shifted the governance conversation.
Public companies should not view this solely as an opportunity to reduce compliance costs. Instead, they should evaluate how to maintain strong governance while modernizing compliance through risk-based approaches, automation, analytics, and more strategic deployment of internal audit resources.
The future of SOX may involve fewer auditor attestations, but effective governance will continue to begin with management.
How Baker Tilly can help
Public companies don't have to wait for the SEC's proposal to become final to evaluate whether their SOX and governance programs are aligned with today's risks and tomorrow's expectations. A proactive assessment can help identify opportunities to improve efficiency while maintaining strong governance and stakeholder confidence.
Baker Tilly helps organizations strengthen governance through practical, risk-based SOX and internal controls advisory services. Learn more about our SOX services or connect with one of our specialists to discuss your organization's needs.
Sources
[1] U.S. Securities and Exchange Commission, Fact Sheet: Enhancement of Emerging Growth Company Accommodations and Simplification of Filer Status for Reporting Companies, Release Nos. 33-11419 and 34-105515, May 19, 2026. https://www.sec.gov/files/33-11419-fact-sheet.pdf
[2] Ideagen Audit Analytics, Internal Controls database, analysis of SEC registrants' SOX Sections 404(a) and 404(b) material weakness disclosures, accessed July 13, 2026.
Related sections
- CFO Advisory Services
- Commercial Due Diligence
- Energy
- Financial Services
- Forensic Accounting
- Insurance
- Internal Audit
- Lodging
- Manufacturing
- Mergers & Acquisitions
- Private Equity & Portfolio Companies
- Real Estate
- Real Estate Investors
- Risk Advisory
- Sarbanes-Oxley (SOX) Compliance
- Strategy & Management Consulting
- Transaction Advisory Services
- Transaction Advisory Services



