Back to Recent Posts

Accounting & Audit Alert- ICFR assessment and attestation: Are you in compliance with the rules?

Each year, public companies must assess the effectiveness of their internal controls over financial reporting (ICFR) under Section 404(a) of the Sarbanes-Oxley Act (SOX). In some cases, private companies should follow suit.

In addition, a public company’s independent auditors are generally required to provide an attestation report on management’s assessment of ICFR under Sec. 404(b). But some smaller entities may be exempt.

Assessment guidance

Adherence to Sec. 404(a) is required only of public companies. However, it may be recommended for some larger private companies — particularly if management is planning to go public or sell the business to a public company.

SOX adherence can make a private business more attractive to public companies, which can result in a higher sale price. Compliance with SOX can also improve the company’s reputation with investors, lenders and the public by demonstrating that its financial reporting is transparent.

Attestation exemptions

Proponents of Sec. 404(b) argue that the auditor attestation requirement has led to improvements in the quality of financial reporting and have fought efforts to provide exemptions. But two exemptions are available:

  1. The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 instructed the Securities and Exchange Commission (SEC) to permanently exempt nonaccelerated filers from Sec. 404(b). Nonaccelerated filers are defined as companies with a public float of less than $75 million on the last business day of their most recent second fiscal quarter. In March 2020, the SEC provided an additional narrow-scope exception for small reporting companies (SRCs) with a public float between $75 million to $700 million if they had annual revenues of less than $100 million in the most recent fiscal year for which audited financial statements were available.
  2. The JOBS Act of 2012 gave emerging growth companies (EGCs) a five-year reprieve from compliance with Section 404(b) following an initial public offering (IPO). But if a company surpasses $1 billion in annual revenue, it will lose its EGC status sooner, after the end of the fiscal year in which it reached that milestone. EGC status also will be lost if it issues more than $1 billion in nonconvertible debt over a three-year period or reaches a public float of $700 million.

SRC vs. accelerated filers

In 2018, the SEC expanded its definition of smaller reporting companies (SRCs) from companies with a public float of less than $75 million to those with a public float of less than $250 million. This change allowed nearly 1,000 more companies to qualify for the lighter set of disclosure rules available to SRCs.

As a result of the March 2020 changes to the exception for nonaccelerated filers, companies with public floats between $75 million and $250 million will still be subject to all of the accelerated filer requirements unless their revenues were under the $100 million revenue threshold. Many were hoping for alignment of the SRC and nonaccelerated filer categories, but the SEC decided to take a more-tailored approach.

Got questions?

Some smaller public companies — and large private companies considering an IPO or sale — may be unclear about the ICFR assessment and attestation requirements under SOX. Contact us for questions about the rules or for information regarding best practices in internal controls.