June 7, 2018
JOBS Act Deadline Looming for Many EGCs
Posted by Jeremy Sucharski
We are reaching the 16-year mark since the Sarbanes-Oxley Act (SOX) was passed by Congress and signed into law. One criticism consistently levied against the legislation is the cost associated with complying with the various provisions. There have been a variety of measures put in place over the years to reduce the expense of SOX and focus efforts on the intended benefits of the law. One of the most notable steps taken was the JOBS Act that was signed into law in April 2012. A key provision of this law was to delay 404(b) compliance for newly public companies until such time that a company hits a disqualifying event. These disqualifying events for entities defined by the JOBS Act as emerging growth companies (EGCs) are:
- Earning $1.07 billion in revenue
- Achieving a $700 million market capitalization
- Reaching five years since the IPO date
Once your EGC achieves one of these disqualifying events, you are required to have a 404(b) opinion issued on your next 10K statement. In the years following the JOBS Act’s signing, IPO activity in the United States rose to levels unseen since the dot-com boom in the late 1990s. Of the 1114 companies that went public between 2013 and 2018, only 41% percent have reached a market cap or revenue threshold that resulted in the loss of their EGC designation.
For many of the rest of these companies, the final disqualifying event, the five-year mark, is fast approaching. If your company is in this position, consider taking the following steps to be fully ready for compliance with 404(b):
- Give yourself more runway: Procrastination does not pay off, and I routinely see companies miss the opportunity to prepare. Instead, companies should look at their EGC status as an incentive to build velocity incrementally by defining their controls, and testing and refining the controls and related documentation. In doing so, an EGC will be well positioned for its first full audit when the time comes.
- Assess your controls: SOX can get a bad reputation because of how it started back in 2004. In “the early years,” we put a control on everything. If it moved…put a control on it! As a result, companies ended up with a massive amount of controls, many of which had little impact on financial reporting, let alone a material impact. To address this issue and avoid control creep, you should leverage a very detailed risk assessment process that begins with a mapping of your financial statements to key processes. Look at both quantitative and qualitative measures when determining if a line item or process step has sufficient risk to be categorized as material. Using flow charts is another very useful tool that will help you visualize your environment and where things can go wrong. By applying these methods, you will have a leaner, more focused control set that is relevant to your company’s key risks.
- Be proactive with your auditor: At the end of the day, it doesn’t matter how good you think your controls and processes are because it is your auditor who issues the 404(b) opinion. For a successful result, you need to engage with your auditor early and often. While they have to abide by independence requirements, auditors are able to engage and discuss your direction, identify key risks and provide insight regarding how those risks are being mitigated. These types of discussions will help to refine your approach and, in turn, will provide a stronger basis for your auditor’s understanding of your control environment. Furthermore, this close collaboration between management and the auditors will help you avoid issues and conflicts during the audit process that can derail a project and waste valuable time.
- Leverage technology: We have all been there. You make updates to a document and send them out for review. Then someone tells you that you have the wrong version. Ouch! Look to the exceptional and affordable software solutions available to provide controlled collaboration and version control of your documentation. These solutions, such as Workiva, also allow multiple parties to access and update a document in real time without the need to save and redistribute the updated file. This includes providing access to parties outside of your organization (e.g. your auditors, outside counsel, etc). Additionally, many products include workflows that can reduce rote tasks, thereby giving you more time in your day to focus on what matters most.
- Focus on risk: The risk environment that your company operates in is rapidly changing, with risks and threats evolving daily. Risk assessments need to be an integrated process, not just a check-the-box exercise done once a year, to successful mitigate your risks. Mapping and flowcharts are a good way for the company and auditors to fully understand the processes they are evaluating and the risks associated with those processes.
These best practices will not only help you transition smoothly to 404(b) compliance, they’ll also enable you to run your organization more efficiently.
Gain more insights on compliance with the JOBS Act, SOX and more with Armanino’s Governance, Risk & Compliance team.
Jeremy has over twelve years of experience delivering internal audit, and consultative services to clients in a variety of industries. Jeremy manages teams and works closely with clients to analyze risks associated with information systems and business processes, implement controls and test those controls for operational effectiveness. He has extensive experience in developing and executing a detailed audit plan to test effectiveness of systematic and manual information system and business process controls. Furthermore, Jeremy is the leader of the firm’s GRC practice. Jeremy is a member of the Information Systems Audit and Control Association (ISACA) and has a B.A. in Business Administration, MIS Concentration, from California State Polytechnic University, San Luis Obispo.