For most newly public companies, the Securities and Exchange Commission (SEC) offers relief from certain Sarbanes-Oxley (SOX) requirements allowing time to prepare for the more vigorous aspects of SOX compliance for up to nearly two years. But what if you end up a public company as part of a reverse merger? Can you still get the same relief?
Requirements of Newly Public Company Via IPO
Let’s start with a brief refresher on the general rules for newly public companies via an initial public offering (IPO). So you were a private company that just went through an IPO. You now have several new SEC reporting and compliance requirements just by virtue of being an SEC registrant. Some of those requirements involve external financial reporting such as deadlines for filing 10-Qs and 10-Ks. But you also have considerations around SOX compliance and related evaluations and assessments of internal controls and procedures.
1. Management Assessments
Management of public companies, namely the principal executive and financial officers, is responsible for establishing and maintaining a system of internal controls and procedures, and evaluating and assessing them in support of effectiveness conclusions reported in 10-Qs and 10-Ks. Management’s work focuses on the following:
a) SOX Section 302 – Disclosure Controls and Procedures (DCP). DCP are designed to ensure that financial and non-financial information required to be disclosed in SEC reports is: a) recorded, processed, summarized, and reported within the time periods specified in the SEC’s rules and forms, and b) accumulated and communicated to management to allow timely discussions regarding disclosures. Management of a newly public company via IPO must evaluate DCP and make a statement to the public whether or not DCP are effective by the time they file their first periodic filing (10-Q or 10-K) after going public. The evaluation must then be performed quarterly and management must report their effectiveness conclusions in each 10-Q and 10-K thereafter.
b) SOX Section 404(a) – Internal Controls over Financial Reporting (ICFR). ICFR are designed to prevent material financial statement misstatements and material frauds. Management’s annual ICFR assessments are more time consuming and arduous than DCP evaluations. Management has until the filing of the company’s second 10-K after going public via IPO to complete their initial ICFR assessment and make an effectiveness statement to the public. So depending on the timing of when you actually go public, you may have anywhere from slightly over a year to up to two full years to complete and report on your first ICFR assessment.
2. External Auditor Assessments
You might also be wondering, “What about my external auditors? When do I have to have an ICFR opinion from them?” The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) says that if you are a non-accelerated filer (which includes smaller reporting companies, i.e., those with non-affiliated public float < $75M), you are permanently exempt from having your external auditors give a SOX Section 404(b) opinion on ICFR. If you are an accelerated or large accelerated filer, your external auditors will have to give a SOX Section 404(b) opinion on ICFR. The 404(b) requirement would follow the 404(a) timing mentioned above if your auditors must give an opinion on ICFR; that is, the initial external auditor assessment of ICFR would be required by the time you file your second 10-K after going public via IPO.
But there is a curveball here. The Jumpstart Our Business Startups Act (JOBS Act) may override your SOX Section 404 reporting requirements typically governed by your accelerated/non-accelerated filer status. If you are a newly public company via IPO, you might be considered an emerging growth company (EGC), which among other things allows you to defer any external auditor opinion under SOX Section 404(b) for five years as long as you meet all of the following three criteria:
1. Your annual revenues do not exceed $1 billion
2. You do not issue more than $1 billion in convertible debt over a three-year period
3. You do not become a large accelerated filer (i.e., your non-affiliated public float does not reach $700 million)
If you remain compliant with each of these three attributes, you are considered an EGC and can keep the designation for up to five years after your IPO, which will exempt you from an external audit of ICFR. Once the five year period expires, or you no longer maintain compliance with each of the three attributes noted above, you are no longer an EGC and fall back to the Dodd-Frank Act to determine whether or not you need an external auditor opinion on ICFR.
These are the general rules for SOX requirements of newly public companies via IPO. Now let’s take a look at some special circumstances that companies may run into.
Acquisition by a Public Company
The SEC provides relief on the matter of acquired (public or private) companies of such size and/or complexity where it would be a hardship (time, resources, cost) for management of the acquiring company to assess ICFR of the acquired company subsequent to the acquisition date but prior the acquiring company’s fiscal year end. In such cases, the SEC will allow you to exclude the acquired company from your ICFR assessment as long as adequate disclosure is provided in management’s assessment.
Of course, there is some judgment involved. If your company is a December 31 year-end registrant that has completed an acquisition in the early part of the fiscal year (i.e., January), the SEC may challenge your decision to take the acquisition exclusion given you had nearly twelve months between acquisition and fiscal year-end to assess ICFR of the acquired entity. But if your company consummated an acquisition in December, November, or maybe even July, that makes more sense for a hardship claim, and the SEC most likely would accept the exclusion as disclosed.
Note, the acquiring (i.e., reporting) company must have appropriate controls in place over the acquisition accounting in the year of the acquisition.
Further, the acquisition exclusion applies to management’s ICFR assessment, not the evaluation of quarterly DCP; that is, management’s assessment of quarterly DCP must include consideration of the acquired company beginning with the quarter in which the acquisition was consummated.
Newly Public Company Via Reverse Merger
What is a Reverse Merger?
A reverse merger is a special instance where an already public company acquires another public or private company. Prior to a typical reverse merger, a Special Purpose Acquisition Company (SPAC) is formed and goes public via IPO in order to raise money for the sole purpose of finding a target company to acquire. The SPAC is usually an empty shell company with no operations and the only asset is the cash raised to acquire an operating company. The SPAC then buys an existing operating company and merges it into the public shell company, then takes the name of the acquired operating company. But what does this mean for SOX requirements?
How Does the SEC Treat Reverse Mergers?
Through the unique reverse merger transaction, if the acquired operating company is a private company, it is immediately considered a public company when merged into the already public shell. This means the acquired company is now immediately subject to the SOX requirements of the already public SPAC. The question then is: Can the surviving public company, comprised mainly of the previously private operating company, get any relief from SOX requirements? The answer is yes; however, the relief is due to the circumstances surrounding the unique reverse merger transaction rather than the newly public company (via IPO) or acquisition relief.
The SEC acknowledges that it may not be possible to perform an assessment of the private operating company or the acquirer’s internal control over financial reporting in the period between the consummation date of a reverse merger and the date of management’s assessment of internal control over financial reporting. The SEC recognizes that in many of these transactions, such as those in which the acquirer is a non-operating public shell company, the internal controls of the acquirer may no longer exist as of the assessment date or the assets, liabilities, and operations may be insignificant when compared to the consolidated entity. In these instances, the SEC would not object if the surviving issuer were to exclude management’s assessment of internal control over financial reporting in the Form 10-K covering the fiscal year in which the transaction was consummated.
However, when the transaction is completed shortly after year-end and the surviving issuer is required to file an amended Form 8-K to update its financial statements for its most recent year-end, that filing is equivalent to the first annual report subsequent to the consummation of the transaction and future annual reports should not exclude management’s report on internal control over financial reporting. In lieu of management’s report, the issuer should disclose why management’s assessment has not been included in the report, specifically addressing the effect of the transaction on management’s ability to conduct an assessment and the scope of the assessment if one were to be conducted.
Management’s assessment of quarterly DCP must include consideration of the acquired company merged into the public shell beginning with the quarter in which the reverse merger was consummated.
Always Consult the Experts
The SOX requirements for newly public companies can be complicated, especially when it involves special circumstances like a reverse merger. Please keep in mind, when it comes to SEC filing requirements and questions on nuances of how they work, we always recommend the management team discuss the specifics with SEC counsel.
Jeff Flynn, CPA is a Principal for AC Lordi’s Risk & Compliance practice. He plans global and single site Sarbanes-Oxley compliance efforts, ensuring proper scope for cost effective compliance and coordinating with management, audit committees, and external auditors. He co-developed the firm’s proprietary SOX methodology and has led initial implementation efforts and control optimization efforts for more than 50 clients. He can be reached at firstname.lastname@example.org or 610-738-0100.