Co-authored by Luke Childress
Building a sustainable, comprehensive internal control environment to comply with the Sarbanes-Oxley Act of 2002, commonly referred to as SOX, requires a significant amount of time and resources. Ideally, companies begin that process long before the initial public offering (IPO). But newly public companies often need to continue the transformation after the IPO is complete.
With that in mind, let’s review some of the most important aspects of SOX and the steps newly public companies should take right away.
What is SOX?
SOX established rules to protect the public from fraudulent or erroneous practices by public companies by increasing transparency in financial reporting and requiring a formal system of checks and balances.
Some of the most important aspects of SOX for a newly public company are:
SOX Section 302: Corporate Responsibility for Financial Reporting
Section 302 requires that the company’s principal executive and financial officer — typically the CEO and CFO — personally attest to the accuracy and reliability of financial information included in the company’s quarterly 10-Q and annual 10-K reports.
SOX Section 404: Management Assessment of Internal Controls
Section 404 requires a public company’s annual reports to include an assessment of internal control over financial reporting. The company must report any deficiencies identified during their assessment to the Audit Committee and the Board of Directors and disclose material weaknesses in its 10-K.
Section 404(b) also requires the 10-K to include a report from the company’s independent auditor attesting to the effectiveness of the company’s internal controls.
SOX Section 409: Real-Time Issuer Disclosure
Section 409 requires public companies to disclose information on material changes in their financial condition or operations. These disclosures must be reported to regulators within 48 hours, presented in terms that are easy to understand, and supported by qualitative information.
SOX Section 806: Whistleblower
Section 806 protects whistleblower employees by giving them U.S. Department of Labor protections. If a company retaliates against employees for reporting violations, the Department of Justice can criminally charge the responsible parties.
Which Companies Need to Comply with SOX?
All public companies should strive to comply with SOX. However, not all companies are required to comply with all aspects of SOX based on their filing status.
Public companies with a market capitalization of less than $100 million that do not have to accelerate their periodic reporting deadlines are not required to comply with Section 404(b).
Emerging Growth Companies
Emerging growth companies are newly public companies that have total annual gross revenues less than $1.07 billion during their most recent fiscal year and that have not previously sold common equity securities under a registration statement. Emerging growth companies are not required to comply with Section 404(b) for the first five years after their IPO or until they meet one of the following criteria:
- Total annual gross revenues of $1.07 billion or more
- Issued nonconvertible debt exceeding $1 billion in the past three years
- The company is a large accelerated filer
SOX Compliance: Steps to Take
Implementing a SOX compliance program can be a huge undertaking, especially in the initial years of being a public company. The following steps can help.
- Engage an accounting firm and hire an internal audit professional to coordinate the SOX compliance effort.
- Perform an enterprise risk assessment to understand business processes. Begin drafting process flowcharts, narratives, and a risk control matrix (RCM) to document your understanding of internal controls and assist external auditors.
- Hold company-wide meetings outlining the importance of SOX compliance.
- Consider establishing a SOX stakeholder committee comprised of the CEO, CFO, and owners of SOX-related business processes (revenue, procurement, payroll, human resources, legal, etc.). The committee can build buy-in for SOX compliance and hold people accountable for progress and communication.
- Develop and implement detailed steps for handling internal control issues and deficiencies to ensure they are considered and addressed. At a minimum, every public company should have a whistleblower hotline and an Employee Handbook or Code of Conduct.
- Create the following board committees:
- Audit Committee. The Audit Committee provides oversight of the financial reporting process, the audit process, the company’s system of internal controls, and compliance with laws and regulations. At least one member of the Audit Committee must be a financial expert.
- Compensation Committee. The Compensation Committee is responsible for evaluating and recommending the compensation of the firm’s top executive officers, including the CEO.
- Corporate Governance Committee. The Corporate Governance Committee recommends structural changes to ensure the company complies with its legal and fiduciary duties.
Getting up to speed with SOX compliance can be overwhelming — even for seasoned accounting and finance team members. If you need help, Holtzman has you covered. Our team can help provide the guidance and insight you need to navigate the ever-changing regulatory climate. With clients ranging from startups and middle-market leaders to large multinational conglomerates, we dedicate ourselves to delivering stellar results. Learn more about our IPO Readiness services and get in touch.
- Up to Speed on Sarbanes-Oxley (SOX)? What Pre-IPO Companies Need to Know
- The Accounting Firm’s Role: SPAC vs. Traditional IPO