Newly Public Companies – Internal Control Certifications

Your client Green Goo has consummated a wildly successful IPO. Green Goo’s proprietary NanoSlime™ converts raw sewage into high‑octane gasoline, delighting environmentalists, investment bankers and sanitation engineers alike. Now, the company’s first annual report rolls around and the General Counsel calls up with a seemingly simple question – what does the company have to do about internal control over financial reporting for its first 10-K?

Newly public companies must comply with the Sarbanes-Oxley Act of 2002. SOX Section 404(a) requires an annual assessment by management of the issuer’s internal control over financial reporting (ICFR), while Section 404(b) requires an attestation report of the issuer’s independent auditors on management’s assessment. ICFR is defined in Rule 13a-15(f) (with parallel provisions identical to Rule 13a-15 for Section 15(d) filers appearing in Rule 15d-15). The attestation report is the so-called “SOX audit” representing probably the most controversial part of SOX – think up to $2 million or more per year in compliance costs.

Let’s start with the Section 404(a) management’s assessment. The good news for Green Goo is that the SEC has adopted a transition period permitting a newly public company to wait until its second annual report to comply with Section 404(a). In particular, the various ICFR requirements – to maintain ICFR; to evaluate the effectiveness of ICFR annually; and to evaluate certain ICFR changes – apply only to a company that was required to file (or filed) one prior annual report with the SEC. See Rules 13a-15(a), (c) and (d); Form 10-K Item 9A; and Instruction 1 to Item 308 of Regulation S-K (for domestic US companies); see also Instructions to Form 20-F Item 15 (for foreign private issuers).

Similarly, as a newly public company Green Goo can delay its SOX 404(b) auditor’s attestation until its second annual report. See Form 10-K Item 9A and Instruction 1 to Item 308 of Regulation S-K (for domestic US companies); and Instructions to Form 20-F Item 15 (for foreign private issuers). After that point, issuers that are emerging growth companies, or are not large accelerated filers or accelerated filers, are exempt from the requirements of SOX 404(b). See Release 33-9142; JOBS Act Section 103 (modifying SOX Section 404(b)).

Does Green Goo need to say something in its first annual report to explain why the ICFR report is missing?

Yes. Green Goo will need to include the following statement in its first annual report:

This annual report does not include a report of management’s assessment regarding internal control over financial reporting or an attestation report of the company’s registered public accounting firm due to a transition period established by Rules of the Securities and Exchange Commission for newly public companies.

See Instruction 1 to Item 308 of Regulation S-K (for domestic US companies); Item 15 of Form 20-F (for foreign private issuers).

What about certifications from Green Goo’s management?

The SEC has provided transition relief for the SOX 302 certification that is required from a newly public company’s CEO and CFO. (For the text of the certification, see Regulation S-K Item 601, Exhibit 31 and, for foreign private issuers, Form 20-F Item 19, Exhibit 12.) In that case, Rule 13a-14(a) allows Green Goo to omit:

  • the portion of the introductory language in paragraph 4 of the certification referring to ICFR; and
  • the language in paragraph 4(b) of the certification that refers to the certifying officers’ responsibility for designing, establishing and maintaining internal control over financial reporting for the company.

Note that a company normally is not allowed to change any aspect of the wording of the certification. And another thing – see the last bullet point at the end for a trap to avoid.

Some additional things to bear in mind

Just because the ICFR Rules do not apply during the transition period, there still are some related issues to keep on the radar screen:

  • If Green Goo uncovers a material weakness in ICFR during the transition period, let’s talk – disclosure may well be needed. See Question 7 of the SEC Staff’s ICFR FAQ.
  • A newly public company must comply with the SEC’s requirements relating to disclosure controls and procedures – which is a cousin of ICFR – from the get-go; there is no DC&P transition period. See Rule 13a-15(a).
  • Similarly, a newly public company does not enjoy a transition period for the requirement to maintain an appropriate “system of internal accounting controls” under Exchange Act Section 13(b)(2).

What about the future?

Looking down the road to Green Goo’s second fiscal year and annual report:

  • it must maintain ICFR (Rule 13a-15(a));
  • its management must evaluate the effectiveness of ICFR as of the end of the fiscal year (Rule 13a-15(c));
  • its management must evaluate any changes that have materially affected (or are reasonably likely to materially affect) the company’s ICFR (Rule 13a-15(d));
  • it must provide the required auditor’s attestation (assuming SOX 404(c) does not apply); and
  • it must provide the SOX 302 certification in full – Warning to form checkers everywhere: a company that is newly compliant with SOX 404(b) might miss this requirement (e.g., in its first Form 10-Q filing after its first fully compliant Form 10-K) because of the temptation to cut and paste the certifications from a pre-compliance Form 10-Q. This can result in an SEC Staff comment forcing you to amend the filing to include proper certifications.