Exemption
SOX Section 405 is an exemption requirement: if your organization is a registered investment company, SOX Sections 401, 402, and 404 do not apply to you. Operationalize this by formally determining whether you meet the “registered investment company” definition, documenting the basis for the exemption, and adjusting your SOX scope, testing plan, and disclosures to avoid overstating coverage. (Public Law 107-204)
Key takeaways:
- Confirm and document registered investment company status before changing SOX scope. (Public Law 107-204)
- Update your SOX scoping memo, control matrix, and certifications so they accurately exclude 401/402/404 where appropriate. (Public Law 107-204)
- Keep “exemption evidence” exam-ready: board/CCO sign-off, legal analysis, and a clear boundary for what remains in scope. (Public Law 107-204)
A SOX “exemption” sounds simple, but it creates real operational risk if you implement it casually. SOX Section 405 states that Sections 401, 402, and 404 do not apply to registered investment companies. (Public Law 107-204) For a Compliance Officer, CCO, or GRC lead, the work is not debating the policy rationale. The work is scoping: determining whether the exemption applies to your specific entity structure, capturing a defensible record of that determination, and aligning your control environment and external messaging with the resulting boundary.
Teams get into trouble in two predictable ways. First, they apply the exemption broadly (for example, to an adviser, administrator, or parent holding company) without a documented entity-by-entity analysis. Second, they treat the exemption as “no SOX,” which can lead to gaps in financial reporting governance and confused internal and external stakeholders. Section 405 is narrow: it only addresses the applicability of Sections 401, 402, and 404, and only for registered investment companies. (Public Law 107-204)
This page gives you requirement-level implementation steps: how to decide applicability, what to change in your SOX program, what evidence to retain, and what auditors usually challenge.
Regulatory text
Requirement (verbatim excerpt): “Sections 401, 402, and 404 do not apply to registered investment companies.” (Public Law 107-204)
What this means for an operator
If the legal entity you are scoping is a registered investment company, you should not represent that it is subject to SOX 401, 402, or 404, and you should not build your SOX control testing and certifications as if those sections apply. (Public Law 107-204)
Operationally, you must do three things well:
- Determine applicability (are you a registered investment company, and which entities are covered).
- Translate that determination into SOX scope changes (what you stop testing, what you keep, and what you still do voluntarily).
- Prove it with an audit-ready record that is consistent across your SOX documentation, governance artifacts, and stakeholder communications. (Public Law 107-204)
Plain-English interpretation of the exemption requirement
SOX Section 405 creates a carve-out: registered investment companies are exempt from the requirements in SOX Sections 401, 402, and 404. (Public Law 107-204) Practically, this affects:
- SOX 404 internal control over financial reporting (ICFR) management assessment and, for many issuers, related auditor attestation workflows.
- SOX 401 enhanced financial disclosures (as described in SOX).
- SOX 402 certain prohibitions on personal loans to executives (as described in SOX).
Section 405 does not say “SOX does not apply.” It says those specific sections do not apply, and only for registered investment companies. (Public Law 107-204)
Who it applies to
Entity scope
Applies to registered investment companies. (Public Law 107-204)
Operational context (where scoping goes wrong)
You need an entity-level view of:
- The registered investment company entity (or series/trust, depending on structure).
- Related entities that may not be registered investment companies (for example, an adviser, distributor, transfer agent, or parent entity).
Do not assume affiliates share the exemption. Your documentation should explicitly list which legal entities are covered by Section 405 and which are not. (Public Law 107-204)
What you actually need to do (step-by-step)
Step 1: Perform a documented applicability determination
Create a short “SOX Section 405 applicability memo” owned by Compliance/GRC with Legal review. Minimum content:
- Legal entity name(s) and identifiers (as used in your financial reporting and governance).
- Statement of conclusion: “Section 405 applies / does not apply.”
- Basis: the entity is a registered investment company, therefore Sections 401, 402, and 404 do not apply. (Public Law 107-204)
- Boundary: list the entities excluded from the exemption (if any), with a note that they require separate SOX scoping.
Operator tip: write this memo as if it will be read by an external auditor or a regulator who has never seen your org chart.
Step 2: Update SOX scope documentation and testing plans
If Section 405 applies, reconcile every place your organization declares SOX scope:
- SOX scoping memo / annual SOX plan
- ICFR narratives and control matrices
- Risk and control self-assessments
- Management certifications and sub-certifications
- Audit committee materials that reference SOX 404 or ICFR testing
Your goal is consistency: you are exempt from 401/402/404, so your program should not imply you are performing a full SOX 404 ICFR assessment for the registered investment company entity. (Public Law 107-204)
Decision point: Many teams still keep “SOX-like” controls voluntarily (segregation of duties, change management, reconciliations). That is fine. The key is labeling: describe them as internal controls or financial reporting controls, not as a SOX 404 compliance program for the exempt entity. (Public Law 107-204)
Step 3: Define what stays in scope (governance and “baseline controls”)
Even with an exemption, you still need disciplined financial reporting governance. Build a “baseline financial reporting control set” that typically includes:
- Close and reconciliation governance (ownership, review, escalation)
- Journal entry controls (approval thresholds, review evidence)
- Access and segregation of duties in finance systems
- Change management for financial reporting applications
- Third-party oversight for administrators, custodians, fund accountants, and other outsourced functions (where applicable)
This is not mandated by Section 405, but it reduces operational and reputational risk created by the misconception that “exempt” means “uncontrolled.” Keep it simple and defensible. (Public Law 107-204)
Step 4: Align third-party oversight to the exemption boundary
Registered investment companies frequently rely on third parties for core operations. The exemption does not remove your need to manage third-party risk where those providers affect financial reporting, investor reporting, or operational resilience.
Operationalize this with:
- A list of third parties that touch financial reporting inputs/outputs.
- Contract mapping: which third party performs which control activity (for example, NAV calculation, reconciliations, pricing, shareholder servicing).
- An oversight cadence and evidence expectations (service reporting, issue management, change notifications).
If you use Daydream to run third-party due diligence, map each in-scope third party to the specific control dependency it supports, then collect and track the artifacts you need to show you maintained oversight even while you are exempt from SOX 404. (Public Law 107-204)
Step 5: Train stakeholders and control owners
Run a targeted training for:
- Finance leadership
- Control owners
- Internal audit (if applicable)
- Audit committee liaison
Training objective: “What Section 405 exempts, what it does not, and how we describe our control environment accurately.” (Public Law 107-204)
Step 6: Add an annual re-validation trigger
Treat applicability as something you re-check during annual planning or after material corporate events (reorgs, new products, acquisitions, entity changes). Your evidence should show you did not decide once and forget it. (Public Law 107-204)
Required evidence and artifacts to retain
Keep these artifacts together (single repository) and cross-reference them in your GRC system:
- SOX Section 405 applicability memo with Legal sign-off. (Public Law 107-204)
- Entity inventory and scope map showing which entities are registered investment companies vs. not.
- Updated SOX scoping memo / annual compliance plan reflecting the exemption boundary.
- Control matrix or baseline control set (even if voluntary) with owners and evidence types.
- Audit committee / governance minutes or materials noting the exemption and revised approach.
- Third-party oversight file for material outsourced activities (contracts, service reports, issue logs), especially for providers affecting financial reporting.
Common exam/audit questions and hangups
Expect these challenges and prepare crisp answers:
- “Which legal entities are you claiming are exempt, and why?” Have the memo and entity map ready. (Public Law 107-204)
- “Show me where your SOX documentation reflects that you are not doing 404.” Auditors will look for contradictions across decks, policies, and narratives. (Public Law 107-204)
- “Do affiliates follow the exemption?” Your answer should be entity-specific, not “the enterprise is exempt.” (Public Law 107-204)
- “If you’re exempt from 404, what controls govern financial reporting quality?” Show the baseline control set and oversight routines.
- “How do you oversee third parties doing core accounting or reporting activities?” Bring the oversight file and issue management evidence.
Frequent implementation mistakes (and how to avoid them)
- Mistake: Over-scoping the exemption to the whole org. Avoid it: list covered entities explicitly; require Legal review for any addition/removal. (Public Law 107-204)
- Mistake: Leaving old “SOX 404 compliance” language in policies and presentations. Avoid it: run a documentation sweep. Search for “404,” “ICFR,” “SOX testing,” and update language to match your actual obligations. (Public Law 107-204)
- Mistake: Removing control discipline because “it’s exempt.” Avoid it: keep a baseline financial reporting control set and treat third-party oversight as non-negotiable operational hygiene.
- Mistake: No re-validation mechanism. Avoid it: add an annual trigger in your compliance calendar and tie it to entity changes.
Enforcement context and risk implications
No public enforcement cases were provided in the source materials for this requirement. The practical risk is still real: if you misapply the exemption, you can misstate your compliance posture to auditors, investors, or governance bodies, and you may create gaps in financial reporting controls or third-party oversight. Your best defense is clean scoping, consistent documentation, and disciplined governance artifacts. (Public Law 107-204)
A practical execution plan
Use this as an operator’s checklist. Tailor sequencing to your reporting calendar.
30-day plan (Immediate)
- Draft the Section 405 applicability memo and route to Legal for review and sign-off. (Public Law 107-204)
- Build an entity scope map and identify affiliates needing separate analysis.
- Inventory all places where SOX 401/402/404 are referenced in your documentation and board materials.
- Identify third parties supporting financial reporting processes and assign owners.
60-day plan (Near-term)
- Update SOX scoping memo, control matrices, and certification language to align with the exemption boundary. (Public Law 107-204)
- Define a baseline financial reporting control set with owners, evidence types, and escalation paths.
- Stand up a third-party oversight package for key providers (contracts, service reports, issue tracking).
- Brief Finance leadership and the audit committee liaison on the new scope language.
90-day plan (Operationalize and sustain)
- Run a tabletop review: pick a financial reporting process and walk from source data through reporting, including third-party touchpoints, then verify evidence exists.
- Implement an annual re-validation control: entity status check, documentation refresh, and governance sign-off. (Public Law 107-204)
- If you use Daydream, configure a lightweight workflow that ties third-party due diligence artifacts to the financial reporting processes they support, so audits do not turn into inbox archaeology.
Frequently Asked Questions
What exactly is the exemption requirement in SOX Section 405?
It states that SOX Sections 401, 402, and 404 do not apply to registered investment companies. (Public Law 107-204) Your job is to confirm whether you are a registered investment company and document the scope boundary.
Does Section 405 mean “SOX does not apply” to registered investment companies?
No. The text only exempts Sections 401, 402, and 404 for registered investment companies. (Public Law 107-204) You still need clear financial reporting governance and accurate statements about what you do and do not comply with.
Can the exemption cover our adviser or parent company too?
Do not assume that. Section 405 is tied to registered investment companies, so you need an entity-by-entity applicability determination and documentation. (Public Law 107-204)
What should auditors see to get comfortable with our exemption claim?
A Legal-reviewed applicability memo, an entity scope map, and SOX documentation that consistently excludes 401/402/404 for the exempt entity. (Public Law 107-204) Auditors also expect evidence that you still maintain financial reporting controls and third-party oversight practices.
If we stop SOX 404 testing, what controls should we keep?
Keep a baseline set that protects financial reporting quality: reconciliations, approvals, access controls, change management, and oversight of outsourced accounting/reporting activities. Section 405 removes a specific SOX obligation; it does not remove operational accountability. (Public Law 107-204)
How does third-party due diligence connect to this exemption requirement?
The exemption changes SOX testing scope, but it does not change the fact that third parties may perform control-critical activities. Maintain a mapped inventory of those third parties and retain oversight artifacts; tools like Daydream can centralize that evidence and keep it aligned to your control ownership model. (Public Law 107-204)
Authoritative Sources
- Public Law 107-204 (Sarbanes-Oxley Act of 2002), Section 405.