18 Dec
ICFR Assessment & Attestation: Are You in Compliance with the Rules?
Each year, public companies must assess the effectiveness of their internal controls over financial reporting (ICFR) under Section 404(a) of the Sarbanes-Oxley Act (SOX). In some cases, private companies should follow suit.
In addition, a public company’s independent auditors are generally required to provide an attestation report on management’s assessment of ICFR under Section 404(b), but some smaller entities may be exempt.
Adherence to Section 404(a) is required only of public companies. However, it may be recommended for some larger private companies — particularly if management is planning to go public or sell the business to a public company.
SOX adherence can make a private business more attractive to public companies, which can result in a higher sale price. Compliance with SOX also can improve the company’s reputation with investors, lenders, and the public by demonstrating that its financial reporting is transparent.
Proponents of Section 404(b) argue that the auditor attestation requirement has led to improvements in the quality of financial reporting and have fought efforts to provide exemptions, but two exemptions are available:
- The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 instructed the Securities and Exchange Commission (SEC) to permanently exempt nonaccelerated filers from Section 404(b). Nonaccelerated filers are defined as companies with a public float of less than $75 million on the last business day of their most recent second fiscal quarter. In March 2020, the SEC provided an additional narrow-scope exception for smaller reporting companies (SRCs) with a public float between $75 million and $700 million if they had annual revenues of less than $100 million in the most recent fiscal year for which audited financial statements were available.
- The Jumpstart Our Business Startups Act of 2012 gave emerging growth companies (EGCs) a five-year reprieve from compliance with Section 404(b) following an initial public offering (IPO). However, if a company surpasses $1 billion in annual revenue, it will lose its EGC status sooner, after the end of the fiscal year in which it reached that milestone. EGC status also will be lost if the company issues more than $1 billion in nonconvertible debt over a three-year period or reaches a public float of $700 million.
SRC vs. Accelerated Filers
In 2018, the SEC expanded its definition of smaller reporting companies (SRCs) from companies with a public float of less than $75 million to those with a public float of less than $250 million. This change allowed nearly 1,000 more companies to qualify for the lighter set of disclosure rules available to SRCs. But the SEC’s expanded definition of SRCs did not raise the public float thresholds for when a company qualifies as an accelerated filer.
As a result of the March 2020 changes to the exception for nonaccelerated filers, companies with public floats between $75 million and $250 million remain subject to all of the accelerated filer requirements unless their revenues were under the $100 million threshold. Many were hoping for alignment of the SRC and nonaccelerated filer categories, but the SEC decided to take a more tailored approach.
Some smaller public companies — and large private companies considering an IPO or sale — may be unclear about the ICFR assessment and attestation requirements under SOX. Contact us for questions about the rules or for information regarding best practices in internal controls.