Who is this article for?

Users who want to understand Controls data.

Disclosure Controls or Internal Controls subscription is required.

Ideagen Audit Analytics maintains two separate databases for controls assessments, corresponding to different sections of the Sarbanes-Oxley Act: Disclosure Controls (SOX 302) and Internal Controls over Financial Reporting, or ICFR (SOX 404).

1. Differences

Users searching for material weaknesses might find them in both the Disclosure Controls and Internal Controls databases, causing confusion about duplicates or missed records. These databases serve different purposes and contain distinct information, though they are related. Knowing what each database covers is key to fully understanding a company's controls environment.

1.1. Disclosure Controls (SOX 302)

Section 302 of the Sarbanes-Oxley Act requires a company's CEO and CFO to certify in each periodic filing (10-K, 10-Q, 20-F, 40-F, and amendments) that they have assessed the effectiveness of the company's disclosure controls. These controls ensure material information is recorded and reported promptly.

Since SOX 302 certifications are filed quarterly and annually, the Disclosure Controls database holds more frequent assessments than the Internal Controls database. Each entry reflects one filing's controls evaluation.

In Ideagen Audit Analytics, the DCs database records whether disclosure controls were effective, along with any identified weaknesses. It also captures material weaknesses and changes in internal controls, making its scope broader than the name suggests.

1.2. Internal Controls over Financial Reporting (SOX 404)

Section 404 requires annual filings to include management's assessment of the company's ICFR effectiveness (Section 404(a)) and, for some filers, an external auditor's attestation of this assessment (Section 404(b)).

SOX 404 applies only to annual filings (10-K, 20-F, 40-F, and amendments), so the Internal Controls database holds one assessment per company per fiscal year, which may include management's assessment, the auditor's attestation, or both.

In the ICFR database, controls are marked as effective or not. Controls are deemed ineffective if the auditor reports ICFR as ineffective or if a material weakness is found in management's report. Effective controls have no associated issue taxonomies except exemptions. Significant deficiencies alone do not render controls ineffective under SOX 404 and are usually not separately recorded.

2. Connections

The DCs and ICFR databases are linked, not separate.

Disclosure controls often appear ineffective due to material weaknesses in internal controls. This is because SOX 302 certifications include ICFR as part of the overall disclosure controls framework. A material weakness in ICFR usually means disclosure controls are also deemed ineffective.

Thus, the DCs database records deficiencies from both SOX 302 and SOX 404, while the ICFR database focuses on the annual auditor attestation and management's internal control report.

In summary:

• For the latest control status, including quarterly updates, use the DCs database
• For auditor attestation on internal controls, use the ICFR database
• For material weaknesses, check both databases; DCs may show quarterly findings not in the annual ICFR report

3. Data captured

3.1. Disclosure Controls (SOX 302)

• Effectiveness of disclosure controls (effective, not effective, or not disclosed)
• Material weaknesses — in both disclosure controls and internal controls
• Other notable deficiencies and disclosures (including significant deficiencies)
• Changes in internal controls
• Reported quarterly and annually

3.2. Internal Controls over Financial Reporting (SOX 404)

• Management's assessment of ICFR effectiveness
• Auditor's attestation on ICFR (for filers subject to 404(b))
• Whether controls are effective or not effective
• Taxonomy classifications for material weaknesses (only populated when controls are not effective)
• Whether this is the company's first management report
• Reported annually only

Both databases provide company-level attributes like filer status (accelerated filer, non-accelerated filer, smaller reporting company, etc.) in downloads and as search filters. Filer status is a company attribute, not linked to specific control records, and is taken from the filing's cover page, available across multiple databases. Check each database's data dictionaries and search guides for detailed field information.

6. Filing responsibilities

Not every SEC registrant is subject to the same requirements:

• SOX 302 (DCs) - All SEC registrants filing periodic reports must include the CEO/CFO certification — with the exception of entities issuing asset-backed securities, which are exempt from the certification requirements
• SOX 404(a) (management assessment) - All SEC registrants must include a management report on ICFR in their annual filing
• SOX 404(b) (auditor attestation) - Only accelerated filers and large accelerated filers are required to have the auditor attest to ICFR. Non-accelerated filers, smaller reporting companies, and emerging growth companies are generally exempt from the auditor attestation requirement

This means the ICFR database will have records with a management report but no auditor attestation for companies that are exempt from 404(b).

7. Using the data

7.1. Platform

Disclosure Controls and Internal Controls each have their own search page with database-specific filters. Refer to the search guide for each database for a full list of available filters and what they mean.

7.2. Feeds

DCs data is in Feed 10 (SOX 302 Disclosure Controls) and ICFR data is in Feed 11 (SOX 404 Internal Controls). Each feed has its own data dictionary. Note that the full disclosure text and internal controls text are available only through the feeds or WRDS. They are not available as downloads on the platform.

8. Canadian controls data

Ideagen Audit Analytics tracks controls assessments for Canadian companies in a single Controls database, sourced from SEDAR filings. Unlike the US, Canadian regulations under National Instrument 52-109 do not require separate management reports on ICFR or auditor attestations, resulting in a less formal reporting structure.

Therefore, Canadian controls data is combined in one database, not split like the US. See the Database Catalogue and Canada Controls search guide for details and differences from US databases.