SOX Section 302 requires the CEO and CFO to personally certify each quarterly (10-Q) and annual (10-K) filing, affirming that the financial statements fairly present the company's financial condition and results of operations, that they have designed and maintained disclosure controls and procedures, and that they have disclosed any material weaknesses in internal controls to the audit committee and external auditor. This certification carries personal liability. Gurpreet Bal advises pre-IPO companies to ensure their senior executives understand the scope of these certifications and have established the disclosure committee process and sub-certification procedures that support them.
SOX 404(a) requires management to include in each annual report an assessment of the effectiveness of the company's internal controls over financial reporting. SOX 404(b) requires the external auditor to separately attest to and report on management's assessment. Emerging growth companies under the JOBS Act are exempt from SOX 404(b) auditor attestation for up to five years after the IPO, which provides significant cost savings. However, management must still conduct its own 404(a) assessment. Gurpreet S. Bal advises companies to build their internal control frameworks using the COSO integrated framework, beginning with a risk assessment and control mapping exercise at least 12 months before the first required assessment period.
In Gurpreet Bal's experience at Foley and Lardner, the most common internal control gaps in pre-IPO technology startups include revenue recognition policies that do not comply with ASC 606, inadequate segregation of duties in the finance function, lack of formal IT general controls over access management and change management, insufficient documentation of equity compensation accounting under ASC 718, and informal related party transaction identification and approval processes. Each of these gaps must be remediated and tested before the company can assert that its internal controls are effective.
Emerging growth companies enjoy a phased approach to SOX compliance that reduces the initial cost and burden of going public. In addition to the SOX 404(b) exemption, EGCs benefit from reduced financial statement requirements in the S-1 (two years instead of three), exemption from certain PCAOB auditing standards, and extended transition periods for new accounting standards. Gurpreet S. Bal advises companies to develop a transition plan that identifies when each exemption expires and to begin building the necessary infrastructure well before the transition dates to avoid gaps in compliance.
Gurpreet S. Bal is a Partner at Foley and Lardner LLP in Silicon Valley, where he advises startups, founders, and investors on venture financings, M&A, IPOs, and corporate governance. He has represented clients in hundreds of transactions with aggregate deal value exceeding $60 billion across AI, semiconductors, fintech, and emerging technology. Gurpreet's recent IPO experience includes leading company representation in the only sub-$1 billion U.S. semiconductor IPO in recent years.