7.5 Internal Controls and Procedures
There are two types of controls and procedures that a public company will need
to address in its filings with the SEC. ICFR refers to procedures within a company
that are designed to reasonably ensure compliance with the company’s policies
related to the preparation of financial statements that are compliant with U.S. GAAP
and Regulation S-X. DCPs are a broader set of controls that largely encompass ICFR
and are designed to provide assurance that information that the registrant must
disclose in the reports that it files or submits under the 1934 Act is recorded,
processed, summarized, and reported within the periods specified.
When preparing their annual and quarterly reports, registrants need to consider
the requirements related to ICFR. Management must annually file a report containing
its assessment of the effectiveness of ICFR. Moreover, an auditor’s attestation
report on the effectiveness of ICFR must be included in annual reports of non-EGC4 accelerated and large accelerated filers. However, all newly public companies
can take advantage of a phase-in exception in Regulation S-K, Item 308, under which
management’s report and the auditor’s attestation are generally not required before
the second annual report (i.e., until a registrant had been required to file or had
filed a Form 10-K for the prior fiscal year).
Also, on a quarterly basis, the company must:
- Disclose any change in its ICFR that occurred during that quarter and that materially affected, or is reasonably likely to materially affect, its ICFR.
- Evaluate and reach a conclusion about the effectiveness of the company’s DCPs as of the end of the quarter.
In addition to the requirements described above, as part of a company’s quarterly and annual reports,
the registrant’s principal executive and principal financial officer (typically the CEO and CFO) must file
certifications prescribed by Sections 302 and 906 of Sarbanes-Oxley.
The Section 302 certifications signify that the CEO and CFO (1) have reviewed
the respective quarterly or annual report; (2) do not know of any material facts
that were omitted from, or untrue or misleading statements that were included in,
the report; (3) believe that the financial information in the report presents
fairly, in all material respects, the company’s financial conditions, results of
operations, and cash flows; (4) are responsible for establishing and maintaining
DCPs and ICFR;5 and (5) have communicated all detected significant deficiencies and material
weaknesses, as well as any fraud involving the company’s management, to the audit
committee and the external auditors.
In the Section 906 certifications, the CEO and CFO must certify that (1) the
company’s quarterly or annual report complies fully with the requirements of Rule
13a or 15d of the 1934 Act and (2) information contained in this report presents
fairly, in all material respects, the company’s financial condition and results of
operations.
The corporate governance at many registrants includes an internal
subcertification process in which other members of management help the CEO and CFO
assess DCPs. These subcertifications cover matters consistent with those discussed
in the paragraph above and are provided to the CEO and CFO before each periodic
report is issued. A company may wish to consider who will be part of the
subcertification process during its IPO readiness procedures.
While an exemption is available for the first
annual report for management’s assessment of ICFR, management’s evaluation of DCPs,
material changes in ICFR, and certifications must be provided starting with the
first periodic report filed by a newly public company. The following table
summarizes the control-related reporting requirements for various types of
filers:
Description | Applicable
Regulation | Annual Reporting
Requirement? | Interim Reporting
Requirement? | |
|---|---|---|---|---|
Management’s assertion on the effectiveness of DCPs | Rule 13a-15 or 15d-15 of
the 1934 Act | Yes | Yes | |
Management’s
assertion on the
effectiveness of ICFR | Section 404(a) of
Sarbanes-Oxley Regulation S-K, Item 308(a) | Newly public company
filing first Form 10-K | No | No |
Second Form 10-K and
thereafter | Yes | |||
Auditor’s report on the
effectiveness of ICFR | Section 404(b) of
Sarbanes-Oxley Regulation S-K, Item 308(b) | Newly public company
filing first Form 10-K | No | No |
EGCs6 | No | |||
Nonaccelerated filers | No | |||
Non-EGC accelerated filer | Yes | |||
Large accelerated filer | Yes | |||
Disclosure of material
changes in ICFR | Regulation S-K, Item 308(c) | Yes | Yes | |
CEO and CFO
certifications | Sections 302 and 906 of
Sarbanes-Oxley | Yes | Yes | |
Footnotes
4
For special relief provisions available to EGCs, see
Section
1.6.
5
Before the initial requirement to file management’s
assertion on the effectiveness of ICFR, the certifications may omit the
specific references to ICFR.
6
For additional information about
EGCs, see Section 1.6.