6.11 Internal Control Over Financial Reporting
6.11.1 Management and Auditor Attestations
While a newly public entity does not need to provide management’s report on ICFR
in a registration statement or in the entity’s first Form 10-K after the
registration statement is declared effective, the entity should nonetheless be
prepared to evaluate its ICFR on a quarterly basis, and key executives should be
comfortable with certifying that DCPs are effective, in accordance with Section
302 of Sarbanes-Oxley. Auditors are not required to issue an auditor’s report on
the effectiveness of ICFR in connection with the entity’s registration statement
or its first Form 10-K but may be required to do so in the entity’s second Form
10-K.
Connecting the Dots
Under the JOBS Act, an entity that qualifies as an EGC
is exempt from the requirement to obtain an attestation report on the
entity’s ICFR from its independent registered public accounting firm.
However, as noted in Section 1.6.2, an EGC only qualifies as such during the
period in which it meets certain quantitative requirements or up to five
years after its initial registration statement. In contrast, EGCs are
not exempt from the requirement to perform management’s assessment of
ICFR (Section 404(a) of Sarbanes-Oxley and the disclosure requirement in
Regulation S-K, Item 308(a)).
In addition to establishing and evaluating the effectiveness of its DCPs as an
entity prepares to go public, management will need to assess whether any changes
or improvements have been made to its ICFR. There is substantial overlap between
DCPs and ICFR. DCPs apply to all material financial and nonfinancial information
filed in a public report (i.e., within and outside the financial statements) and
include the components of ICFR that affect public disclosures and provide
reasonable assurance that transactions are recorded as necessary to permit
preparation of the financial statements in accordance with the applicable
financial reporting framework.
For additional considerations related to control-related public-company disclosure requirements, see
Chapter 7.
6.11.2 Auditors’ Testing of Controls in a PCAOB Audit
In both AICPA and PCAOB audits, auditors are required to obtain a sufficient understanding of the
entity’s internal controls to plan the financial statement audit. However, the auditor’s evaluation of the
design effectiveness of relevant controls and the related documentation may be more extensive in a
PCAOB audit than in an AICPA audit.
Connecting the Dots
Management should inform the auditor early of its plans
to go public. Because of the increased focus on internal controls for
public companies, auditors will often increase their audit procedures
related to the entity’s internal controls as they perform AICPA audits
of an entity that plans to go public in the near future. Auditors can
often make helpful suggestions on how management can strengthen internal
controls and related documentation in preparing to meet the SEC’s
requirements.
To this end, management should consider developing plans
for implementing any needed internal control enhancements when preparing
for an IPO. A leading practice is to perform a formalized risk
assessment and identify risks of material misstatement associated with
each process. Once the risks of material misstatement have been
identified, identifying the controls needed to address those risks is
more straightforward. Furthermore, auditors will request such
documentation from management or the entity’s internal auditors.
In addition to the communication matters described in Section 6.7.6, there are incremental
requirements for PCAOB audits related to communicating control-related matters
to those charged with governance and management, which include the following:
- If auditors become aware that the oversight of the entity’s external financial reporting and ICFR by the entity’s audit committee is ineffective, auditors communicate that information in writing to the board of directors.
- The auditor needs to communicate in writing information about significant deficiencies and material weaknesses before the auditor’s report release date, instead of just on a timely basis as required by AICPA standards. For more detail on evaluating control deficiencies, see Section 3.7.4.
If members of management or those charged with governance have changed since the
previous AICPA audits, auditors may decide to include the matters communicated
in previous audits in the current communication. All matters must be
communicated before the release of the auditor’s report to be included in the
registration statement.