ICFR Assessment and Attestation: Are You in Compliance With the Rules?

CPAs & Advisors


Each year, public companies must assess the effectiveness of their internal controls over financial reporting (ICFR) under Section 404(a) of the Sarbanes-Oxley Act (SOX). In some cases, private companies should follow suit.

In addition, a public company’s independent auditors are generally required to provide an attestation report on management’s assessment of ICFR under Sec. 404(b). But some smaller entities may be exempt.

Assessment guidance

Adherence to Sec. 404(a) is required only of public companies. However, it may be recommended for some larger private companies — particularly if management is planning to go public or sell the business to a public company.

SOX adherence can make a private business more attractive to public companies, which can result in a higher sale price. Compliance with SOX can also improve the company’s reputation with investors, lenders and the public by demonstrating that its financial reporting is transparent.

Attestation exemptions

Proponents of Sec. 404(b) argue that the auditor attestation requirement has led to improvements in the quality of financial reporting and have fought efforts to provide exemptions. But two exemptions are available:

  1. The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 instructed the Securities and Exchange Commission (SEC) to permanently exempt nonaccelerated filers from Sec. 404(b). Nonaccelerated filers are defined as companies with a public float of less than $75 million on the last business day of their most recent second fiscal quarter.
  2. The JOBS Act of 2012 gave emerging growth companies (EGCs) a five-year reprieve from compliance with Section 404(b) following an initial public offering (IPO). But if a company surpasses $1 billion in annual revenue, it will lose its EGC status sooner, after the end of the fiscal year in which it reached that milestone. A company also will lose EGC status if it issues more than $1 billion in nonconvertible debt over a three-year period or reaches a public float of $700 million.

SRC vs. accelerated filers

In 2018, the SEC expanded its definition of smaller reporting companies (SRCs) from companies with a public float of less than $75 million to those with a public float of less than $250 million. This change allowed nearly 1,000 more companies to qualify for the lighter set of disclosure rules available to SRCs.

But the SEC’s expanded definition of SRCs did not raise the public float thresholds for when a company qualifies as an accelerated filer. This means the $75 million threshold still applies in relation to the Sec. 404(b) exemption. Some members of the SEC favored raising the accelerated filer threshold to $250 million to expand the number of companies that would be exempt from Sec. 404(b). But, based on feedback from auditors and investor advocate groups, the SEC decided to keep the threshold at $75 million.

Got questions?

Some smaller public companies — and large private companies considering an IPO or sale — may be unclear about the ICFR assessment and attestation requirements under SOX. Contact us for questions about the rules or for information regarding best practices in internal controls.

© 2020
