Skip to content


IPO and Getting SOX Right the First Time

If your organization is considering going public, one of the first steps in the planning process is compliance with Sarbanes- Oxley Section 404 (SOX) – Internal Control Over Financial Reporting (ICFR). A proper implementation of SOX Section 404 requires an understanding of risks to financial reporting and the system of internal controls that will provide assurances to the senior executives and pass the external auditor’s scrutiny. This requires dedicated resources and professionals experienced in SOX implementation.

Proper implementation of Section 404 provides reasonable assurance to the executives who must attest to the fair presentation of the financial statements and compliance with SEC regulations. Below are some of the key sections related to compliance. Many sections include sanctions such as fines and up to 20 years in jail.

Section 302

Requires the CEO and CFO to certify in each annual and quarterly report that they have read the report and that report does not contain an untrue statement of material fact or omit to state a material fact. They also certify that the financial statements fairly present the company’s financial condition and results of operations, and that it is their responsibility to evaluate, communicate and disclose matters relating to the company’s internal controls.

Section 401

Requires that financial information for the public in any reports provided to the SEC will not contain any untrue statements or omissions of material facts and will comply with Generally Accepted Accounting Principles (GAAP). Reports will include all material off-balance sheet transactions.

Section 404

SOX compliance audit requirements. Companies are required to include the following information in their annual filing: 1) A statement of the responsibility management has to establish and maintain adequate financial reporting controls, 2) A statement of how management evaluated the effectiveness of the company’s internal controls, 3) A statement from management with an assessment of the effectiveness of the internal controls, and 4) A statement from the external auditor attesting to management’s assessment.

The section 404 audit is different than the audit of financial statements. The audit of financial statements is concerned with the accuracy of the numbers in the financial statements. It does not generally spend much time on internal controls. The Section 404 attestation the auditor must provide is not concerned with the numbers; it’s strictly concerned with the internal controls in place. Just because the auditor doesn’t find any problems with the numbers does not mean the financial controls in place are adequate.

  • Section 409 states: “Issuers are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations. These disclosures are to be presented in terms that are easy to understand and supported by trend and qualitative information of graphic presentations as appropriate.”
  • Section 802: Imposes penalties of up to 20 years in jail for altering, destroying, or concealing records or documents that are relevant to a legal investigation. An accountant or auditor who knowingly and willfully violates the requirement to maintain records for five years can also be subject to up to ten years in jail.
  • Section 806: Provides whistleblower protection for employees. An employee is engaging in protected whistleblower conduct if they suspect and report: 1) federal mail, wire, bank, or securities fraud, 2) a violation of federal law relating to fraud against shareholders, and/or 3) a violation of any rule or regulation of the Securities and Exchange Commission (SEC). The protections apply to a employees and contractors of publicly traded companies or their subsidiaries, as well as to someone with a nationally recognized statistical ratings organization (NRSRO). Under this section, someone who retaliates against a whistleblower can be subject to criminal charges.
  • Section 902: In essence says that an executive who violates SOX in a fraudulent manner will be subject to the usual penalties, whether fines or jail time, for fraud.
  • Section 906: Provides penalties of up to $5 million and 20 years in jail for certifying a false or misleading report. The CEO and CFO of the company must provide a written statement that: shall certify that the periodic report containing the financial statements fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) and that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer.

When an organization goes public, they want to make a good first impression. Having material weakness disclosures can result in loss of investor confidence, and lower analyst ratings. This could hurt share price and the overall value of the company. Newly public companies are especially vulnerable since they have a limited history of stock market performance to guide investors.

Look for the next article on the IPO and SOX Material Disclosures from IPOs in 2021.

If you are interested in learning more about SOX implementation, contact Elaine Nissley, Principle in charge of the Internal Audit & Management Consulting segment at McKonly & Asbury.

About the Author

Elaine Nissley

Elaine is a Principal with McKonly & Asbury. Her primary responsibilities include management of the Internal Audit & Management Consulting Services group. Elaine handles client relationships and is accountable for the deliv… Read more

Related Services

Subscribe to Our Newsletter

Contact Us