6.11 Internal Control Over Financial Reporting
6.11.1 Management and Auditor Attestations
While a newly public entity does not need to provide management’s report on ICFR in a registration statement or in the entity’s first Form 10-K after the registration statement is declared effective, the entity should nonetheless be prepared to evaluate its ICFR on a quarterly basis, and key executives should be comfortable with certifying that DCPs are effective, in accordance with Section 302 of Sarbanes-Oxley. Auditors are not required to issue an auditor’s report on the effectiveness of ICFR in connection with the entity’s registration statement or its first Form 10-K but may be required to do so in the entity’s second Form 10-K.
Connecting the Dots
Under the JOBS Act, an entity that qualifies as an EGC is exempt from the requirement to obtain an attestation report on the entity’s ICFR from its independent registered public accounting firm. However, as noted in Section 1.6.2, an EGC only qualifies as such during the period in which it meets certain quantitative requirements or up to five years after its initial registration statement. In contrast, EGCs are not exempt from the requirement to perform management’s assessment of ICFR (Section 404(a) of Sarbanes-Oxley and the disclosure requirement in Regulation S-K, Item 308(a)).
In addition to establishing and evaluating the effectiveness of its DCPs as an entity prepares to go public, management will need to assess whether any changes or improvements have been made to its ICFR. There is substantial overlap between DCPs and ICFR. DCPs apply to all material financial and nonfinancial information filed in a public report (i.e., within and outside the financial statements) and include the components of ICFR that affect public disclosures and provide reasonable assurance that transactions are recorded as necessary to permit preparation of the financial statements in accordance with the applicable financial reporting framework.
For additional considerations related to control-related public-company disclosure requirements, see
Chapter 7.
6.11.2 Auditors’ Testing of Controls in a PCAOB Audit
In both AICPA and PCAOB audits, auditors are required to obtain a sufficient understanding of the
entity’s internal controls to plan the financial statement audit. However, the auditor’s evaluation of the
design effectiveness of relevant controls and the related documentation may be more extensive in a
PCAOB audit than in an AICPA audit.
Connecting the Dots
Management should inform the auditor early of its plans to go public. Because of the increased focus on internal controls for public companies, auditors will often increase their audit procedures related to the entity’s internal controls as they perform AICPA audits of an entity that plans to go public in the near future. To this end, management should consider developing plans for implementing any needed internal control enhancements when preparing for an IPO. A leading practice is to perform a formalized risk assessment and identify risks of material misstatement associated with each process. Once the risks of material misstatement have been identified, identifying the controls needed to address those risks is more straightforward. Furthermore, auditors will request such documentation from management or the entity’s internal auditors.
In addition to the communication matters described in Section 6.7.6, there are incremental requirements for PCAOB audits related to communicating control-related matters to those charged with governance and management, which include the following:
- If auditors become aware that the oversight of the entity’s external financial reporting and ICFR by the entity’s audit committee is ineffective, auditors communicate that information in writing to the board of directors.
- The auditor needs to communicate in writing information about significant deficiencies and material weaknesses before the auditor’s report release date, instead of just on a timely basis as required by AICPA standards. For more detail on evaluating control deficiencies, see Section 3.7.4.

If members of management or those charged with governance have changed since the previous AICPA audits, auditors may decide to include the matters communicated in previous audits in the current communication. All matters must be communicated before the release of the auditor’s report to be included in the registration statement.