ICFR Considerations for Smaller Reporting Companies for Management
In March 2020, the Securities and Exchange Commission (SEC) amended its rules to allow all smaller reporting companies (SRCs) with less than $100 million in annual revenue to qualify as non-accelerated filers. This rule gives SRCs a way to direct their resources toward growing their business and increasing their revenues rather than spending their cash on an independent auditor's assessment of internal control over financial reporting (ICFR). Although the amended rule relieves SRCs of some financial burden and certain compliance obligations, it does not relieve them of management's attestation certifying their ICFR. Per the SEC, all publicly traded companies, regardless of size, are required to perform management's assessment of the adequacy of ICFR and to certify it annually in their 10-K in accordance with the evaluation requirements of Rules 13a-15(c) and 15d-15(c) under the Securities Exchange Act of 1934. This article gives management some options for demonstrating compliance with these requirements and with Section 404 of the Sarbanes-Oxley Act (SOX).
Brief Overview of the SEC's Amended Rules
The Securities and Exchange Commission (SEC) amended the definitions of an accelerated filer and a large accelerated filer to exclude smaller reporting companies that have not yet begun to generate significant revenue. The amended rules are intended to give relief to companies that no longer qualify as emerging growth companies (EGCs) but have not yet begun to generate significant revenues. According to the SEC, the relief is also intended for issuers that believe they could benefit from the cost savings associated with non-accelerated filer status and could redirect those savings to expanding their businesses.
Under the new rules, a company qualifies as a non-accelerated filer if it qualifies as an SRC and has revenue of less than $100 million in its most recently completed year for which audited financial statements are available. The amendments also increase the public float thresholds for companies exiting accelerated filer or large accelerated filer status, using 80% of the entry thresholds, consistent with the revised definition of an SRC. As non-accelerated filers, these issuers are also not subject to the requirement to obtain an auditor's report on ICFR under Section 404(b) of the Sarbanes-Oxley Act of 2002 (Section 404(b)).
The following table summarizes the new requirements:
Management’s Responsibilities over ICFR
Compliance with Section 404 of the SOX Act has posed challenges for smaller public companies due to the lack of clear guidance, unfamiliarity with the regulatory environment, variations in how external auditors apply the guidance, and a lack of focused internal resources. Below are a few key excerpts (summarized) from the SEC's guidance documenting management's responsibilities over ICFR for all publicly traded companies, regardless of size:
- Management is responsible for maintaining a system of internal control over financial reporting (“ICFR”) that provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.
- Management is required to annually evaluate whether ICFR is effective at providing reasonable assurance and to disclose its assessment to investors.
- Management is responsible for maintaining evidential matter, including documentation, for providing reasonable support for its assessment. This evidence will also allow a third party, such as the company’s external auditor, to consider the work performed by management.
Although the guidance gives management flexibility in its approach to evaluating ICFR compared with the external auditor's assessment, it does not allow management to do nothing, or to certify the adequacy of ICFR without a basis for that certification. The evaluation process (approach) can, and should, be tailored for smaller reporting companies with less complex structures or internal control systems, while keeping the basic principles in mind. There are two broad principles around which management can successfully complete its evaluation of ICFR for companies of all sizes.
- Risk-Based Approach: Management should evaluate its ICFR using a risk-based approach, assessing whether it has implemented controls in the areas that adequately address the risk of a material misstatement in the financial statements and disclosures not being prevented or detected in a timely manner.
- Evaluate Operating Effectiveness: Management's evaluation of evidence about the operation of its controls, including the nature and extent of its testing procedures, should be based on its assessment of risk.
As noted above, management is required to perform a risk-based evaluation of internal control over financial reporting annually. It can leverage the flexibility the SEC provides in its evaluation procedures, for example by focusing on high-risk process areas (including IT-related controls) and on entity-level controls, to ensure that internal controls are adequate to prevent or detect a material misstatement in the financial statements and their disclosures. Before deciding on an approach, management should consider the following criteria:
- Availability of resources with an adequate understanding of the SOX Compliance requirements
- Risk-based methodology and documentation to conduct objective evaluation procedures on ICFR
- External auditor expectations on management’s approach towards ICFR assessment
- Organizational structure (based on the "Three Lines of Defense" framework published by the Institute of Internal Auditors (IIA)); refer to the diagram below.
The three lines of defense (3LOD) model, published by the Institute of Internal Auditors (IIA), offers businesses of all sizes a framework to identify, combat, and mitigate the risks and threats organizations face by establishing accountability and defining roles and responsibilities throughout the organization.
Options for management to consider for an effective and efficient ICFR assessment:
1) Evaluation performed by Internal Compliance or Internal Audit: Some companies (generally larger ones) have an in-house Internal Audit function (3rd line) or a financial controls/compliance function (2nd line) with the necessary subject matter expertise in SOX compliance that can assist in performing management's assessment. This provides a higher level of objectivity in the assessment of ICFR and greater reliability for senior management and external auditors when management discloses its opinion and certifications in its quarterly and annual filings to shareholders.
2) Outsourcing SOX Compliance: Small to mid-size companies generally do not have the internal resources and expertise, such as a dedicated compliance team or an internal audit function, to assist management in an objective evaluation of ICFR. Therefore, it is important for smaller companies to consider external resources that understand the SOX requirements and can provide a risk-based evaluation of the adequacy of an entity's internal controls and, if needed, assist with the implementation and maintenance of a sustainable SOX program. These resources can give management a basis on which to appropriately certify the adequacy of its ICFR to shareholders. Additionally, they can provide a level of objectivity to the Audit Committee, senior management, and external auditors as they evaluate their level of comfort with the management opinion disclosed in the 10-Q and 10-K.
At times, small companies take risks by not documenting the basis on which management performed its ICFR assessment of design and operating effectiveness. This can expose the company to regulatory risk with the SEC, including comment letters, and to reputational harm from non-compliance. Therefore, maintaining documentation of processes and of the evaluation of the operating effectiveness of control procedures is important for organizations to sustain effective SOX compliance and enhance corporate governance. Beyond fulfilling compliance requirements, SOX compliance provides other intangible benefits, such as identifying process redundancies, establishing process accountability, improving risk management, and streamlining processes.
Centri's Risk Advisory Services (RAS) team provides advisory solutions to help organizations across industries identify, assess, mitigate, and monitor risks in order to enhance governance, improve risk posture, and enable successful achievement of business objectives in this competitive landscape. Centri's RAS team offers a variety of risk advisory solutions including, but not limited to, SOX compliance, outsourced internal audit, risk and control assessments, forensic support, IPO readiness, corporate policy development, and more. For more information, please reach out to our RAS experts to learn how we can help.
About Centri Business Consulting, LLC
Centri Business Consulting provides high-quality advisory consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reporting, internal controls, technical accounting research, valuation, mergers & acquisitions, and tax, CFO, and HR advisory services for companies of various sizes and industries. From complex technical accounting transactions to monthly financial reporting, our professionals offer organizations the specialized expertise and multilayered skill sets needed to complete projects on time and accurately.