SOX Compliance and Internal Controls for Pre-IPO Companies

By Gurpreet S. Bal, Partner, Foley & Lardner LLP, Silicon Valley
The Sarbanes-Oxley Act imposes financial reporting and internal control requirements on all public companies. SOX Section 302 requires CEO and CFO certification of quarterly and annual financial statements. SOX Section 404 requires management to assess and report on the effectiveness of internal controls over financial reporting (ICFR), and for non-EGC companies, requires the external auditor to attest to that assessment. Gurpreet S. Bal, a Partner at Foley and Lardner LLP in Silicon Valley with hands-on IPO experience including the Silvaco offering, advises pre-IPO companies on building SOX-compliant internal control frameworks, typically beginning 12 to 18 months before the anticipated offering.

What do SOX 302 certifications require the CEO and CFO to assert?

SOX 302 requires the CEO and CFO to personally certify each 10-Q and 10-K, affirming that the financials fairly present the company's condition and results, that they have designed and maintained disclosure controls, and that they have disclosed any material weaknesses to the audit committee and auditor. This certification carries personal liability. I advise pre-IPO companies to make sure their executives understand the scope of these certifications and have the disclosure committee and sub-certification processes in place to support them.

SOX Section 302 requires the CEO and CFO to personally certify each quarterly (10-Q) and annual (10-K) filing, affirming that the financial statements fairly present the company's financial condition and results of operations, that they have designed and maintained disclosure controls and procedures, and that they have disclosed any material weaknesses in internal controls to the audit committee and external auditor. This certification carries personal liability. Gurpreet Bal advises pre-IPO companies to ensure their senior executives understand the scope of these certifications and have established the disclosure committee process and sub-certification procedures that support them.

What does SOX 404 require for internal controls over financial reporting?

SOX 404(a) requires management to assess the effectiveness of internal controls over financial reporting in each annual report, and 404(b) requires the external auditor to separately attest to that assessment. Emerging growth companies are exempt from 404(b) auditor attestation for up to five years after the IPO, a meaningful cost saving, but they still have to do their own 404(a) assessment. I advise building the control framework on the COSO integrated framework, starting with risk assessment and control mapping at least 12 months before the first required assessment period.

SOX 404(a) requires management to include in each annual report an assessment of the effectiveness of the company's internal controls over financial reporting. SOX 404(b) requires the external auditor to separately attest to and report on management's assessment. Emerging growth companies under the JOBS Act are exempt from SOX 404(b) auditor attestation for up to five years after the IPO, which provides significant cost savings. However, management must still conduct its own 404(a) assessment. Gurpreet S. Bal advises companies to build their internal control frameworks using the COSO integrated framework, beginning with a risk assessment and control mapping exercise at least 12 months before the first required assessment period.

What internal control gaps do pre-IPO startups most commonly need to fix?

In my experience the most common control gaps in pre-IPO tech startups are revenue recognition that does not comply with ASC 606, inadequate segregation of duties in finance, a lack of formal IT general controls over access and change management, weak documentation of equity compensation accounting under ASC 718, and informal related party transaction processes. Each of these has to be remediated and tested before the company can assert that its internal controls are effective.

In Gurpreet Bal's experience at Foley and Lardner, the most common internal control gaps in pre-IPO technology startups include revenue recognition policies that do not comply with ASC 606, inadequate segregation of duties in the finance function, lack of formal IT general controls over access management and change management, insufficient documentation of equity compensation accounting under ASC 718, and informal related party transaction identification and approval processes. Each of these gaps must be remediated and tested before the company can assert that its internal controls are effective.

What SOX exemptions do EGCs get and how should they plan the transition?

Emerging growth companies get a phased approach to SOX that lowers the initial cost of going public, including the 404(b) exemption, reduced S-1 financial statements (two years instead of three), exemption from certain PCAOB standards, and extended transition periods for new accounting standards. I advise building a transition plan that identifies when each exemption expires and starting on the necessary infrastructure well before those dates to avoid compliance gaps.

Emerging growth companies enjoy a phased approach to SOX compliance that reduces the initial cost and burden of going public. In addition to the SOX 404(b) exemption, EGCs benefit from reduced financial statement requirements in the S-1 (two years instead of three), exemption from certain PCAOB auditing standards, and extended transition periods for new accounting standards. Gurpreet S. Bal advises companies to develop a transition plan that identifies when each exemption expires and to begin building the necessary infrastructure well before the transition dates to avoid gaps in compliance.

← More on IPO Readiness

Gurpreet S. Bal is a Partner at Foley and Lardner LLP in Silicon Valley, where he advises startups, founders, and investors on venture financings, M&A, IPOs, and corporate governance. He has represented clients in hundreds of transactions with aggregate deal value exceeding $60 billion across AI, semiconductors, fintech, and emerging technology. Gurpreet's recent IPO experience includes leading company representation in the only sub-$1 billion U.S. semiconductor IPO in recent years.