
Copyright SJKP LLP Law Firm all rights reserved

SOX Compliance: Internal Controls and Public Company Obligations



SOX compliance creates criminal liability for false certifications and mandatory disclosure of internal control failures for every SEC-registered public company.

A company that treats Sarbanes-Oxley compliance as a box-checking exercise discovers its real consequences only when a restatement, an SEC investigation, or a PCAOB inspection finding lands on the board's desk.



1. SOX Framework and Public Company Obligations


The Sarbanes-Oxley Act of 2002 was enacted in direct response to the Enron, WorldCom, and Tyco accounting scandals. It created a new framework of corporate accountability for public companies and their auditors.



What Does SOX Compliance Require for Public Companies?


SOX compliance requires a public company to meet mandatory SEC obligations. Section 302 requires CEO and CFO certification in each quarterly and annual SEC filing on Form 10-K. Section 404 requires management to assess internal control over financial reporting. Section 906 imposes criminal penalties on any CEO or CFO who knowingly certifies a noncompliant financial report.

 

Public company representation counsel advises on the full scope of SOX compliance obligations for public companies, advises on the Section 302 certification requirements and the CEO and CFO liability for false certifications, and advises on the Section 404 internal control assessment and Section 906 criminal penalty provisions.



SOX Financial Reporting and Disclosure Controls


Disclosure controls under SOX Rule 13a-15 must ensure that information required in SEC reports is recorded, processed, and timely reported. The audit committee of the board must be composed entirely of independent directors and must include at least one financial expert who directly oversees the external auditor. Corporate governance SOX obligations require that the audit committee engage independent advisers, receive adequate funding, and maintain direct communication with both the external auditor and the internal audit function.

 

Corporate governance advisory counsel advises on the audit committee composition, independence, financial expert, and oversight obligations under SOX and the SEC's implementing rules, advises on the disclosure controls and procedures design and evaluation requirements under Rule 13a-15, and advises on the audit committee's authority to engage independent advisers.



2. Internal Control over Financial Reporting: Building a SOX-Compliant ICFR Program


ICFR is the process designed to provide reasonable assurance that financial reporting is reliable and financial statements comply with GAAP. An inadequate ICFR program creates material weakness exposure and auditor attestation risk that can trigger restatements, SEC inquiries, and securities class action litigation.



What Is ICFR and How Does Section 404 Apply?


Section 404(a) requires management to assess ICFR effectiveness as of every fiscal year-end using a recognized framework like COSO. A material weakness is a deficiency in ICFR such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis. A significant deficiency is less severe than a material weakness but still requires communication to the audit committee.

 

Financial reporting investigations counsel advises on the ICFR assessment process and the COSO framework methodology required to satisfy Section 404(a) obligations, advises on the distinction between material weakness, significant deficiency, and control deficiency, and advises on the disclosure obligations triggered by a material weakness.



PCAOB Standards and Auditor Attestation of ICFR


Section 404(b) of SOX requires the company's external auditor to attest to management's assessment of ICFR. PCAOB Auditing Standard 2201 requires the auditor to perform an integrated audit of financial statements and ICFR, using a top-down, risk-based approach. Auditor independence under SOX and PCAOB rules prohibits the external auditor from providing certain non-audit services to its audit clients and requires audit partner rotation.

PCAOB inspection counsel advises on the PCAOB auditing standards applicable to the integrated audit of financial statements and ICFR, advises on the auditor independence requirements under SOX and PCAOB rules, and advises on the company's obligations when a PCAOB inspection identifies ICFR deficiencies.



3. SOX Audit Requirements, Disclosure Obligations, and Restatements


SOX audit requirements create a system of accountability from management's assessment through the auditor's attestation to the audit committee's oversight. A company that identifies a potential SOX compliance gap must assess it, remediate it, and consider whether disclosure is required.



How Do SOX Audit Requirements Apply to Financial Restatements?


A financial restatement triggers a cascade of consequences under SOX compliance requirements. The company must disclose the restatement on Form 8-K within four business days of determining that a restatement is necessary. The SEC has authority to seek disgorgement of bonuses and incentive compensation received by the CEO and CFO during the twelve months following the first public issuance of the restated financials under the SOX Section 304 clawback.

 

SEC investigations counsel advises on the SEC enforcement response to financial restatements and material weakness disclosures, advises on the Section 302 certification liability and the SOX Section 304 clawback authority, and advises on the Form 8-K disclosure obligations when a restatement determination is made.



SOX Section 806 Whistleblower Protection and Corporate Fraud


Section 806 of SOX protects employees who report violations of SEC rules or federal laws relating to fraud against shareholders. Section 802 and the DOJ's corporate fraud task force coordinate criminal enforcement for record destruction and false certifications under Section 1107. An employee who experiences retaliation may file an OSHA complaint within 180 days.

 

Corporate fraud counsel advises on the SOX whistleblower protection provisions under Section 806, advises on the retaliation claim process and the OSHA complaint and federal court procedures, and advises on the SOX criminal fraud provisions applicable to executives who destroy records, make false certifications, or retaliate against informants.



4. SOX Enforcement, Risk Management, and IPO Readiness


SOX enforcement is driven primarily by SEC investigation and action, PCAOB inspection findings, and shareholder litigation. A company that discovers a SOX compliance gap must assess it and remediate it before the SEC, PCAOB, or a plaintiff's attorney does it for them.



How Does the SEC Enforce SOX Compliance?


SEC enforcement of SOX compliance proceeds through investigations, subpoenas, and document demands, culminating in civil enforcement actions and criminal referrals. A company that receives an SEC document request must immediately implement a litigation hold and engage SOX compliance counsel. An SEC investigation triggered by a restatement, whistleblower complaint, or PCAOB finding begins with an informal inquiry and document request.

 

Securities fraud class action counsel advises on the shareholder litigation risk arising from SOX compliance failures, material weakness disclosures, and financial restatements, advises on securities litigation hold obligations and document preservation, and advises on coordination of the SEC enforcement response with parallel securities fraud class action defense.



SOX Compliance for IPOs and Emerging Growth Companies


A company completing an IPO becomes subject to the full suite of SOX compliance obligations on the IPO effective date. An emerging growth company under the JOBS Act is exempt from the Section 404(b) auditor attestation requirement but remains subject to Section 302 and Section 404(a) management assessment requirements from its first annual report. Public company compliance requires that an IPO-stage company implement its disclosure controls, constitute its audit committee, and implement required SOX audit committee procedures before the first SEC filing is due.

 

Initial public offering counsel advises on the SOX compliance readiness assessment required for IPO preparation, advises on the Section 302 and Section 404(a) implementation obligations that attach from the date of the company's first SEC filing, and advises on the emerging growth company exemptions and their expiration under the JOBS Act.


28 Apr, 2026


The information provided in this article is for general informational purposes only and does not constitute legal advice. Prior results do not guarantee a similar outcome. Reading or using the content of this article does not create an attorney-client relationship with our firm. For advice on your specific situation, consult a qualified attorney licensed in your jurisdiction.
Certain informational content on this website may use technology-assisted drafting tools and is subject to review by an attorney.
