Joan Taylor

Joan Taylor

— While fast-growing companies might be lured by shortcuts, cutting corners can often have devastating effects in a heavily regulated market. Not fully addressing compliance requirements under the Sarbanes-Oxley Act of 2002, commonly known as SOX, is one shortcut that can lead to errors in financial statements and corporate disclosures—devaluing stock price and damaging investor confidence.

A balanced approach to SOX compliance—one that considers the organization’s risk tolerance, budget, and operational goals—can keep your company growing and compliant.

Adopt Internal Control Over Financial Reporting

Every fast-growing business is driven by access to capital, so it’s in the company’s best interest to make sure financial statements are accurate and reliable, making investor funds in the marketplace accessible when they’re needed. Guidance for internal control over financial reporting (ICFR) falls into two governing bodies:

• The Securities and Exchange Commission (SEC) determines management’s responsibilities in assessing and certifying their ICFR, covered by SOX.

• The Public Company Accounting and Oversight Board (PCAOB) establishes the role of external auditors.

The SOX Act spans over 11 sections, with sections 302 and 404 being the most well-known and causing the most compliance difficulty for businesses. Section 302 requires company officers certify quarterly that the financial statement fairly, materially, and accurately presents the company’s financial condition. Section 404 requires management maintain adequate internal controls and assess their effectiveness, which provides the basis for management’s certification in Section 302.

Understanding SEC Classification

Section 404 requirements expand into the following two subsections, which a company may fall under depending on its filing classification:

• Section 404(a) requires a company’s management to include a report on the effectiveness of ICFR in its annual report

• Section 404(b) requires the company’s registered public accounting firm to attest to and report on the effectiveness of the ICFR

Classification is largely determined by the public float, or portion of market cap that’s controlled by public investors, as shown in the following table:


SEC Classification Table > Click image to enlarge

Emerging growth companies with revenue of less than $1 billion and public float less than $700 million can stay under Section 404(a) for up to five years—if they stay under those thresholds.

Management’s Responsibilities

Management and the executive officer’s roles are increasingly focused on a company’s internal controls. These roles include the following responsibilities:

• Overseeing the annual internal controls assessment, performed by a competent and objective party that isn’t the external auditor

• Establishing and documenting ICFR controls, such as IT-related controls and financial reporting system