Each year, public companies must assess the effectiveness of their internal controls over financial reporting (ICFR) under Section 404(a) of the Sarbanes-Oxley Act (SOX). In some cases, private companies should follow suit.
In addition, a public company’s independent auditors are generally required to provide an attestation report on management’s assessment of ICFR under Sec. 404(b). But some smaller entities may be exempt.
Adherence to Sec. 404(a) is required only of public companies. However, it may be recommended for some larger private companies — particularly if management is planning to go public or sell the business to a public company.
SOX adherence can make a private business more attractive to public companies, which can result in a higher sale price. Compliance with SOX can also improve the company’s reputation with investors, lenders and the public by demonstrating that its financial reporting is transparent.
Proponents of Sec. 404(b) argue that the auditor attestation requirement has led to improvements in the quality of financial reporting and have fought efforts to provide exemptions. But two exemptions are available:
SRC vs. accelerated filers
In 2018, the SEC expanded its definition of smaller reporting companies (SRCs) from companies with a public float of less than $75 million to those with a public float of less than $250 million. This change allowed nearly 1,000 more companies to qualify for the lighter set of disclosure rules available to SRCs. But the SEC’s expanded definition of SRCs did not raise the public float thresholds for when a company qualifies as an accelerated filer.
As a result of the March 2020 changes to the exception for nonaccelerated filers, companies with public floats between $75 million and $250 million will still be subject to all of the accelerated filer requirements unless their revenues were under the $100 million revenue threshold. Many were hoping for alignment of the SRC and nonaccelerated filer categories, but the SEC decided to take a more tailored approach.
Some smaller public companies — and large private companies considering an IPO or sale — may be unclear about the ICFR assessment and attestation requirements under SOX. Contact us for questions about the rules or for information regarding best practices in internal controls.