Many private companies that are starting the S-1 filing process assume that no formal controls are needed until 404(b) kicks in. However, Emerging Growth Companies (EGCs) under the JOBS Act are still required to comply with Sections 302 and 906 of the Sarbanes-Oxley Act of 2002 (SOX), which require CEOs and CFOs to certify financial accuracy and internal control effectiveness – regardless of exemption from 404(b).
These certifications by senior corporate officers emphasize the accuracy of financial statements and the robustness of internal controls, aiming to restore investor confidence that was shaken by high-profile financial scandals. To comply with these certifications, companies must take comprehensive steps to establish, maintain, and document effective internal control systems. This article outlines what companies need to do to comply with SOX 302 and 906 certifications.
Understanding SOX 302 and 906 Certifications
SOX Section 302 requires the CEO and CFO to personally certify that quarterly and annual reports are complete, accurate, and supported by effective internal controls. These certifications must affirm that the reports do not contain any material misstatements and that the internal controls over financial reporting are adequate and effective.
SOX Section 906 further requires them to certify that the financial reports comply with the Securities Exchange Act of 1934 and fairly present the financial condition and results of operations. Violations of Section 906 can result in significant penalties, including criminal liability for false certifications.
The CEO and CFO must certify the company’s quarterly reports (Form 10-Q) and annual reports (Form 10-K). These certifications must be included with each periodic report filed with the SEC.
Key Steps for Compliance
Establishing Robust Internal Controls
The foundation of compliance with SOX 302 and 906 is rooted in the establishment and maintenance of robust internal controls over financial reporting. Companies should start SOX readiness 12–18 months before the IPO, since control gaps often take multiple quarters to fix.
Designing Effective Controls:
- Develop internal controls covering all key aspects of financial reporting, including control activities, risk assessments, information and communication processes, and monitoring mechanisms.
- Include both preventive and detective measures to manage financial reporting risks.
Documenting Controls:
- Maintain clear documentation of control objectives, procedures, and responsibilities.
- Update documentation regularly to reflect changes in processes, systems, or regulations.
CBIZ Advisory can help with:
- Assessing the current internal control environment and identifying gaps relative to the COSO framework.
- Designing and documenting SOX-ready internal controls tailored to your business model.
- Assisting with drafting control narratives, process flows, and risk/control matrices.
Conducting Regular Risk Assessments
Regular risk assessments are essential to identify and mitigate risks that could impact the accuracy and completeness of financial reporting.
Identifying Risks:
- Pinpoint financial reporting risks based on operations, industry, and regulatory environment.
- Assess the likelihood and impact of each identified risk.
Mitigating Risks:
- Design and implement controls tailored to identified risks.
- Continuously monitor and reassess risks to ensure that controls remain effective in a changing environment.
CBIZ Advisory can help with:
- Facilitating financial reporting risk assessments to identify areas of high risk.
- Developing risk mitigation strategies aligned with SOX 302/906 requirements.
- Creating heat maps and reporting dashboards for management visibility.
Ensuring Effective Communication and Training
Effective communication and training are critical to ensure that all employees understand their roles and responsibilities related to internal controls and financial reporting.
Communicating Expectations:
- Reinforce the importance of internal controls and clarify employee responsibilities. Emphasize the role of controls in ensuring accurate and reliable financial reporting.
- Foster a culture of transparency and integrity, where employees feel comfortable reporting control deficiencies or potential issues.
Providing Training:
- Offer role-specific training on internal controls, reporting requirements, and ethics.
- Ensure that senior executives, including the CEO and CFO, receive specialized training on their certification responsibilities under SOX 302 and 906.
CBIZ Advisory can help with:
- Developing and delivering tailored SOX training programs for finance, operations, and executive teams.
- Assisting with drafting communication plans that clarify roles and responsibilities related to SOX compliance.
- Providing coaching for CFOs and Controllers on certification responsibilities and documentation expectations.
Implementing Continuous Monitoring and Testing
Continuous monitoring and testing of internal controls are essential to ensure their ongoing effectiveness and to identify and address deficiencies promptly.
Ongoing Monitoring:
- Establish recurring reviews of control activities, risk assessments, and communication processes.
- Leverage technology and data analytics to enhance monitoring capabilities and detect issues in real time.
Periodic Testing:
- Test controls regularly through walkthroughs, evaluations and/or substantive testing to verify that they are operating as designed.
- Involve internal audit functions or external consultants in the testing process to provide independent assurance.
CBIZ Advisory can help with:
- Establishing monitoring routines, key control dashboards, and exception reporting processes.
- Conducting control testing on behalf of management to validate control effectiveness.
- Implementing technology-driven tools and approaches to support continuous control monitoring.
Addressing Deficiencies and Implementing Corrective Actions
Identifying and addressing control deficiencies promptly is crucial to maintaining effective internal controls and ensuring compliance with SOX 302 and 906.
Identifying Deficiencies:
- Implement processes to detect and report control deficiencies, encouraging employee input.
- Classify deficiencies based on their severity and potential impact on financial reporting.
Implementing Corrective Actions:
- Develop timely and effective actions to remediate and correct identified deficiencies.
- Track implementation of corrective actions and verify their effectiveness through follow-up testing.
CBIZ Advisory can help with:
- Performing root cause analysis of control deficiencies and helping design practical remediations.
- Drafting documentation of remediation steps and retesting of controls.
- Advising on severity classification of deficiencies (e.g., material weakness vs. significant deficiency).
Engaging External Auditors
External auditors play a critical role in assessing the effectiveness of internal controls and providing assurance on the accuracy of financial reporting.
Coordinating with External Auditors:
- Engage external auditors early in the process to ensure alignment on audit objectives and expectations.
- Provide auditors with access to internal control documentation, risk assessments, and testing results.
Addressing Auditor Recommendations:
- Address any recommendations or findings from external auditors promptly. Implement corrective actions to address identified issues and enhance control effectiveness.
Conclusion
Compliance with SOX 302 and 906 certifications requires a comprehensive and proactive approach to internal controls and financial reporting, regardless of EGC status. Companies must establish robust control frameworks, conduct regular risk assessments, ensure effective communication and training, implement continuous monitoring and testing, address deficiencies promptly, and engage external auditors effectively. By taking these steps, companies can ensure the accuracy and reliability of their financial reporting, maintain compliance with SOX requirements, and uphold the trust of investors and stakeholders.
At CBIZ Advisory, we help finance leaders evaluate IPO readiness, strengthen financial processes, implement scalable systems, and develop narratives that resonate with investors. Contact our team to learn more about how we can support your journey.
Because when the window opens, preparation will make all the difference.