Sarbanes Oxley Act 2002 is a federal law that established auditing and financial regulations for financial reporting of public companies. This law was passed to increase transparency in financial reporting by corporations and to require a formalized system of checks and balances in each company, thereby helping protect investors from fraudulent financial reporting. SOX applies to all publicly traded companies in the United States as well as wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the United States.
In order to build the confidence of the investors, the SOX regulations require the following:
Formal penalties for non-compliance with SOX can include fines, removal from listings on public stock exchanges and invalidation of D&O policies. Under the Act, CEOs and CFOs who willfully submit an incorrect certification to a SOX compliance audit can face fines and/or imprisonment.
As GitLab is planning to go public in November 2020, it is important that we prepare to comply with SOX ahead of listing, as the consequences of non-compliance can be severe. Below are some of the important requirements we will need to adhere to:
Points to note:
Planned timelines for SOX Implementation:
1. Desktop Procedures (DTP)
|#||Business Process||Process Name||DTP Drafted||Process Owner Sign-off||Handbook Link||Flow Chart|
|1||Quote to Cash||Customer account creation and Conversion of lead to opportunity||✅||✅||⏰||✅|
|2||Quote to Cash||Price master management||✅||✅||⏰||✅|
|3||Quote to Cash||Quote creation||✅||✅||⏰||✅|
|4||Quote to Cash||Reseller Management||✅||✅||⏰||✅|
|5||Quote to Cash||Contract Management||✅||✅||⏰||✅|
|6||Quote to Cash||Invoicing to customers (Sales team assisted product sale, Web portal sale and Services)||✅||⏰||⏰||✅|
|7||Quote to Cash||Invoice cancellations and refunds||✅||⏰||⏰||✅|
|8||Quote to Cash||Revenue recognition (for product subscription, services)||✅||✅||⏰||✅|
|9||Quote to Cash||Accounting of income from sale of merchandise||✅||✅||⏰||✅|
|10||Quote to Cash||Accounting of income from GCP Referral||✅||✅||⏰||✅|
|11||Quote to Cash||Accounts receivable||✅||⏰||⏰||✅|
|12||Quote to Cash||Incentive payouts to Sales executives||✅||✅||⏰||✅|
|13||Record to Report||User Access Management in Netsuite||✅||✅||⏰||✅|
|14||Record to Report||Chart of Accounts||✅||✅||⏰||✅|
|15||Record to Report||Journal entries||⏰||⏰||⏰||✅|
|16||Record to Report||Financial Planning and Analysis||✅||✅||⏰||✅|
|17||Record to Report||Reconciliations||⏰||⏰||⏰||✅|
|18||Record to Report||Period End closure||✅||✅||⏰||✅|
|19||Record to Report||Treasury||⏰||⏰||⏰||✅|
|20||Record to Report||Financial Reporting||✅||⏰||⏰||✅|
|23||Regulatory||Corporate Income Tax||✅||✅||⏰||✅|
|24||Hire to Retire||Recruitment||✅||✅||⏰||✅|
|25||Hire to Retire||Employee Master Creation and Updates||✅||✅||⏰||✅|
|26||Hire to Retire||Payroll Processing for US||✅||✅||⏰||✅|
|27||Hire to Retire||Payroll Processing for Non-US||✅||✅||⏰||✅|
|28||Hire to Retire||Leave Management for Payroll Processing||✅||✅||⏰||✅|
|29||Hire to Retire||Employee Exits||✅||✅||⏰||✅|
2. Entity Level Controls
|Control#||Process Name||RCM Link||Process Owner Sign-off||Handbook Link||Testing Link|
|ELC.C.01||Integrity and ethical values||✅||✅||Code of Conduct✅||⏰|
|ELC.C.02||Integrity and ethical values||✅||✅||Code of Conduct✅||Testing Link✅|
|ELC.C.03||Organisational structure||✅||✅||Org Chart✅, Job Family✅, Master Job Family✅||⏰|
|ELC.C.04||Organisational structure||✅||✅||Authorization Matrix✅||⏰|
|ELC.C.05||Board of Directors & Audit Committee||✅||✅||Board of Directors✅||⏰|
|ELC.C.06||Board of Directors & Audit Committee||✅||✅||⏰||⏰|
|ELC.C.07||Board of Directors & Audit Committee||✅||⏰||Audit Committee✅||⏰|
|ELC.C.08||Entity-wide objectives||✅||✅||Organization Strategy✅,KPI Index✅||⏰|
|ELC.C.09||Risk Assessment||✅||✅||Audit Committee✅||⏰|
|ELC.C.11||Risk Assessment||✅||⏰||Accounting policy✅||⏰|
|ELC.C.12||Risk Assessment||✅||⏰||Related party✅||⏰|
|ELC.C.15||Monitoring||✅||✅||Disaster Recovery Plan✅||Testing Link✅|
|ELC.C.16||Risk Assessment||✅||✅||Code of Conduct✅||⏰|
3. Information Technology General Controls
|Control#||Control Family||Control Short Name||Handbook link|
|BC.1.01||Business Continuity||Business Continuity Plan||✅|
|BC.1.02||Business Continuity||Business Continuity Plan: Roles and Responsibilities||✅|
|BC.1.03||Business Continuity||Continuity Testing||✅|
|BC.1.04||Business Continuity||Business Impact Analysis||✅|
|BU.1.01||Backup Management||Backup Configuration||✅|
|BU.1.02||Backup Management||Resilience Testing||✅|
|BU.1.03||Backup Management||Alternate Storage||✅|
|CM.1.01||Change Management||Change Management Workflow||✅|
|CM.1.02||Change Management||Change Approval||✅|
|CM.2.01||Change Management||Segregation of Duties||✅|
|CFG.1.01||Configuration Management||Baseline Configuration Standard||✅|
|IAM.1.01||Identity and Access Management||Logical Access Provisioning||✅|
|IAM.1.02||Identity and Access Management||Logical Access De-provisioning||✅|
|IAM.1.04||Identity and Access Management||Logical Access Review||✅|
|IAM.1.05||Identity and Access Management||Role Change: Access De- provisioning||✅|
|IAM.1.06||Identity and Access Management||Shared Logical Accounts||✅|
|IAM.2.01||Identity and Access Management||Unique Identifiers||✅|
|IAM.2.02||Identity and Access Management||Password Authentication||✅|
|IAM.2.03||Identity and Access Management||Multifactor Authentication||✅|
|IAM.2.04||Identity and Access Management||Authentication Credential Maintenance||✅|
|IAM.2.08||Identity and Access Management||Account Lockout||✅|
|IAM.3.02||Identity and Access Management||Source Code Security||✅|
|IAM.3.03||Identity and Access Management||Service Account Restrictions||✅|
|IAM.4.01||Identity and Access Management||Remote Connections||✅|
|IAM.4.03||Identity and Access Management||Remote Maintenance: Authentication Sessions||✅|
|IR.1.01||Incident Response||Incident Response Plan||✅|
|NO.1.01||Network Operations||Network Policy Enforcement Points||⏰|
|NO.2.01||Network Operations||Network Segmentation||✅|
|RM.1.01||Risk Management||Risk Assessment||✅|
|RM.1.02||Risk Management||Continuous Monitoring||✅|
|SLC.1.02||Service Lifecycle||Source Code Management||✅|
|SYS.1.01||Systems Monitoring||Audit Logging||✅|
|SYS.1.02||Systems Monitoring||Secure Audit Logging||✅|
|SYS.1.05||Systems Monitoring||Audit Logging: Service Provider Logging Requirements||✅|
|SYS.1.07||Systems Monitoring||Audit Log Capacity and Retention||⏰|
|TPM.1.01||Third Party Management||Third Party Assurance Review||✅|
|VUL.3.01||Vulnerability Management||Infrastructure Patch Management||✅|
|DM.4.01||Data Management||Encryption of Data in Transit||✅|
|DM.4.02||Data Management||Encryption of Data at Rest||✅|
4. Risk Assessment and Scoping
5. Business Process Risk Control Matrix
|Control#||Business Process Name||Process Name||Testing Link|
|QTC.C.01||Quote to Cash||Customer account management (Sales operations team assisted sale)||⏰|
|QTC.C.02||Quote to Cash||Customer account management (Online sale)||⏰|
|QTC.C.03||Quote to Cash||Price master management for products||⏰|
|QTC.C.04||Quote to Cash||Price master management for products||⏰|
|QTC.C.05||Quote to Cash||Quote creation for services (Sales operations team assisted sale)||⏰|
|QTC.C.06||Quote to Cash||Quote creation for services (Sales operations team assisted sale)||⏰|
|QTC.C.07||Quote to Cash||Quote creation for products (Sales operations team assisted sale)||✅|
|QTC.C.08||Quote to Cash||Quote creation for products and services (Sales operations team assisted sale)||⏰|
|QTC.C.09||Quote to Cash||Reseller management||⏰|
|QTC.C.10||Quote to Cash||Invoicing for products and services (Sales operations team assisted sale)||⏰|
|QTC.C.11||Quote to Cash||Invoicing for products and services (Sales operations team assisted sale)||⏰|
|QTC.C.12||Quote to Cash||Invoicing for products and services (Sales operations team assisted sale)||⏰|
|QTC.C.13||Quote to Cash||Invoicing for products (Online sale)||✅|
|QTC.C.14||Quote to Cash||Invoicing for products (Renewals)||⏰|
|QTC.C.15||Quote to Cash||Invoicing for products (Online and Sales operations team assisted sale)||⏰|
|QTC.C.16||Quote to Cash||Invoice cancellations and refunds for products and services (Sales operations team assisted sale)||⏰|
|QTC.C.17||Quote to Cash||Invoice cancellations and refunds for products and services (Sales operations team assisted sale)||⏰|
|QTC.C.18||Quote to Cash||Accounting for transactions (recorded in Zuora) in Net Suite||⏰|
|QTC.C.19||Quote to Cash||Income from sale of merchandise||⏰|
|QTC.C.20||Quote to Cash||Income from GCP referral||⏰|
|QTC.C.21||Quote to Cash||Accounts receivable||⏰|
|QTC.C.22||Quote to Cash||Accounts receivable||⏰|
|QTC.C.23||Quote to Cash||Accounts receivable||✅|
|QTC.C.24||Quote to Cash||Accounts receivable||⏰|
|QTC.C.25||Quote to Cash||Accounts receivable||⏰|
|QTC.C.26||Quote to Cash||Accounts receivable||⏰|
|QTC.C.27||Quote to Cash||Accounts receivable||⏰|
|QTC.C.28||Quote to Cash||Accounts receivable||⏰|
|QTC.C.29||Quote to Cash||Commissions to sales team||⏰|
|QTC.C.30||Quote to Cash||Commissions to sales team||⏰|
|QTC.C.31||Quote to Cash||Commissions to sales team||⏰|
|FR.C.01||Record to Report||Chart of accounts and GL accounts||⏰|
|FR.C.02||Record to Report||Chart of accounts and GL accounts||⏰|
|FR.C.03||Record to Report||Chart of accounts and GL accounts||⏰|
|FR.C.04||Record to Report||Chart of accounts and GL accounts||⏰|
|FR.C.05||Record to Report||NetSuite User Access Management||⏰|
|FR.C.06||Record to Report||Accruals||⏰|
|FR.C.07||Record to Report||Provisioning||⏰|
|FR.C.08||Record to Report||Provisioning||⏰|
|FR.C.09||Record to Report||Taxation||⏰|
|FR.C.10||Record to Report||Financial Closure - Posting from sub ledger to General Ledger||⏰|
|FR.C.11||Record to Report||Financial Closure - Posting from sub ledger to General Ledger||⏰|
|FR.C.12||Record to Report||Financial Closure - Close Process||⏰|
|FR.C.13||Record to Report||Financial Closure - Close Process||⏰|
|FR.C.14||Record to Report||Financial Closure - Close Process||⏰|
|FR.C.15||Record to Report||Financial Closure - Close Process||⏰|
|FR.C.16||Record to Report||Financial Closure - Close Process||⏰|
|FR.C.17||Record to Report||Financial Closure - Close Process||⏰|
|FR.C.18||Record to Report||Accounting Policies.||⏰|
|FR.C.19||Record to Report||Accounting Policies.||⏰|
|FR.C.20||Record to Report||Accounting Policies.||⏰|
|FR.C.21||Record to Report||Consolidation||⏰|
|FR.C.22||Record to Report||Reporting||⏰|
|FR.C.23||Record to Report||Reporting||⏰|
|FR.C.24||Record to Report||Reporting||⏰|
|FR.C.25||Record to Report||Reporting||⏰|
|FR.C.26||Record to Report||Reporting||⏰|
|FR.C.27||Record to Report||Treasury||⏰|
|FR.C.28||Record to Report||Treasury||⏰|
|FR.C.29||Record to Report||Treasury||⏰|
|FR.C.30||Record to Report||Treasury||⏰|
|FR.C.31||Record to Report||Treasury||⏰|
|HTR.C..01||Hire To Retire||Hiring||⏰|
|HTR.C..02||Hire To Retire||Recruitment||⏰|
|HTR.C..03||Hire To Retire||Recruitment||⏰|
|HTR.C..04||Hire To Retire||Employee Masters||✅|
|HTR.C.05||Hire To Retire||Employee Masters||⏰|
|HTR.C..06||Hire To Retire||Employee Masters||⏰|
|HTR.C..07||Hire To Retire||Employee Masters||✅|
|HTR.C..08||Hire To Retire||Payroll Processing - Leave Management||⏰|
|HTR.C..09||Hire To Retire||Payroll Processing & Disbursement- Contract Labor||⏰|
|HTR.C..10||Hire To Retire||Payroll Processing & Disbursement- Employees||⏰|
|HTR.C..11||Hire To Retire||Payroll Processing & Disbursement- Employees||⏰|
|HTR.C..12||Hire To Retire||Payroll Processing & Disbursement||⏰|
|HTR.C.13||Hire To Retire||Payroll Processing & Disbursement||⏰|
|HTR.C..14||Hire To Retire||Payroll Accounting||⏰|
|HTR.C..15||Hire To Retire||Payroll Accounting||⏰|
|HTR.C..16||Hire To Retire||Exit||⏰|
|REG.C.01||Regulatory||Sales Tax/ Value Added Tax/ Goods and Service Tax||⏰|
|REG.C.02||Regulatory||Sales Tax/ Value Added Tax/ Goods and Service Tax||⏰|
|REG.C.03||Regulatory||Sales Tax/ Value Added Tax/ Goods and Service Tax||⏰|
|REG.C.04||Regulatory||Sales Tax/ Value Added Tax/ Goods and Service Tax||⏰|
|REG.C.05||Regulatory||Sales Tax/ Value Added Tax/ Goods and Service Tax||⏰|
|REG.C.06||Regulatory||Sales Tax/ Value Added Tax/ Goods and Service Tax||⏰|
|REG.C.07||Regulatory||Corporate Income tax||⏰|
|REG.C.08||Regulatory||Corporate Income tax||⏰|
|P2P.G.01||Procure to Pay||⏰|
|P2P.G.02||Procure to Pay||Employee reimbursements||⏰|
|P2P.G.03||Procure to Pay||Order Management||⏰|
|P2P.G.04||Procure to Pay||Employee reimbursements||⏰|
|P2P.G.05||Procure to Pay||Invoice Accounting||⏰|
|P2P.G.06||Procure to Pay||Invoice Accounting||⏰|
|P2P.G.07||Procure to Pay||Order Management||⏰|
|P2P.G.08||Procure to Pay||Requirement Identification||⏰|
|P2P.G.09||Procure to Pay||Vendor Management||⏰|
|Disclosure Control||Record to Report||Identification and reporting of disclosable information||⏰|
6. Disclosure Committee
|Disclosure Committee Charter Drafted||Charter Approved|
7. Disclosure Controls Policies and Procedures
|Disclosure Controls Policies and Procedures Drafted||Policy Approved|
8. Sec 302 Certification Process
Process/ Control Owner
The process/control owner has a primary responsibility of updating control descriptions in the handbook for those controls in which they have been identified as the control owner. In this role, the process/control owner will update the control descriptions for any assigned controls any time there is a change in a process or control that requires a change in the information. Some process/control owners will also complete a quarterly change control questionnaire that will alert the SOX project management office (PMO) of any changes that have occurred throughout the last three months. The roles and responsibilities of the process/control owner include the following:
SOX Program Management Office (PMO)
The SOX PMO , division of internal audit department has the primary responsibility of managing GitLab’s Sarbanes-Oxley (SOX) compliance program. In this role, the PMO will work under the direction of the Principal Accounting Officer to ensure adequate coverage for SOX compliance.The roles and responsibilities of the PMO include the following:
The below RACI table is used for clarifying, defining roles and responsibilities in cross-functional or departmental projects and processes.
|#||Activity||Responsibility (R)||Accountability (A)||Consulted (C)||Informed (I)|
|1||SOX Scoping and Risk Assessment||PMO||PAO||PO||KSH|
|2||RCM Preparation and Reviews||PMO||PAO||PO||KSH|
|3||RCM Confirmation and Sign-off||PO||PAO||PMO||CFO|
|4||Control Change Updates||PMO||PAO||PO||PO|
|5||Remediation of Gaps||PO||PAO||PMO||CFO|
|7||SOX 404 Management Testing||PMO||PAO||PO||CFO, KSH|
|8||SOX 302 Certification||PMO||CEO, CFO||PAO||KSH|
|9||SOX 404 Certification||PMO||CEO, CFO||PAO||KSH|
|10||10-K filing||PAO||CEO, CFO||PAO||KSH|
|11||10-Q filing||PAO||CEO, CFO||PMO||KSH|
The objective of this document is to summarize management’s approach to plan, organize, execute, document and support its assessment of the effectiveness of GitLab and its subsidiaries’ internal control over financial reporting. Specifically, this document will address the following:
Under the SEC’s rules implementing the requirement of Section 404 of the Sarbanes Oxley Act of 2002, each annual report must include management’s report on internal control over financial reporting that contains the following elements:
The remainder of this document summarizes the scope and approach of management’s assessment of the effectiveness of the company’s internal control over financial reporting (third bullet above).
GitLab has adopted the COSO framework as the criteria for evaluating the effectiveness of the company’s internal control over financial reporting. The COSO framework includes the following components:
Management’s overall assessment must take into consideration all five components of the COSO framework. The decision as to whether an organization’s control structure is operating satisfactorily or not is ultimately one of judgment, dependent upon the relative significance placed on any given component of the control framework.
Project Team and Timing
Senior Internal Audit Manager has been identified as the project leader and will assume the responsibility for providing the overall direction to the project teams and for communicating the project status to management. An in-house internal audit team and a third party consulting firm, as required, will assist the project leader in this effort. Significant milestones relating to the management evaluation of internal controls over financial reporting and estimated timing is defined here. As testing begins, a detailed timeline for completing the testing of internal controls by process will be prepared. Project leader will report project status and results to the management on a monthly basis.
Approach to evaluation
This document lays the framework for testing the effectiveness of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements.
Controls that are significant generally include:
Management’s approach to its assessment of the effectiveness of the company’s internal control over financial reporting is organized in two phases: (1) assessing the entity-wide control framework and (2) assessing process level controls.
Assessing the entity-wide control framework
Management will document the company’s existing entity-wide/corporate control framework and identify potential gaps between the company’s framework and the COSO control framework. The documentation and analysis of the framework will be focused on the entity-wide/corporate internal control over financial reporting, particularly relating to the control environment, risk assessment and monitoring components of COSO. In order to apply and/or assess the components of COSO as they relate to internal control over financial reporting, management must gain an understanding as to the criteria for rating them. In other words, how does the company determine if the control environment, risk assessment process, etc. are satisfactory? Included in Appendix A are some of the key control factors of each of the five COSO components relating to internal control over financial reporting.
Assessing process level controls
Over the past few months, SOX PMO have prepared risk and control matrices in consultation with process owners. In addition to documenting GitLab’s business processes, these risk and control matrices identify the controls over relevant assertions related to all significant accounts and disclosures in the financial statements. These risk and control matrices will be the basis for assessing process level controls. The matrices are to be reviewed and approved by the business process owners and the project leader prior to executing control assessment procedures.
Assessing process level controls will include an evaluation of control design and an evaluation of control effectiveness.
Evaluating design effectiveness of controls
Design effectiveness refers to whether a control is suitably designed to prevent or detect material misstatements in financial statements. It involves consideration of the financial reporting objectives that the control is meant to achieve and whether it will achieve them. When evaluating control design, management should consider the following:
Consideration should be given to each significant control in a group of controls that function together to achieve a control objective. While it is expected that the majority of controls identified will be tested, insignificant controls do not need to be tested if there is another control that will adequately cover the objective.
It is the responsibility of line management to evaluate the design effectiveness of controls in their respective area. Line management will use the recently completed process, risk and control documentation to identify whether there are financial reporting risks not mitigated by controls, e.g., are the controls designed effectively. The risk and control matrices, together with a listing of control gaps or deficiencies, will serve as evidence of this evaluation. If the design of a particular control is deemed to be inadequate or a control gap is identified, business process owners will implement additional controls or changes in the design of existing controls. To maintain management’s evaluation of design effectiveness current, line management will review process, risk and control documentation at quarterly intervals to identify any new or changed risks and highlight the relevant controls that have been implemented to mitigate these risks.
Evaluating operating effectiveness of controls
Operating effectiveness refers to whether the control is functioning as designed. During the evaluation of operating effectiveness, management gathers evidence regarding how the control was applied, the consistency with which it was applied, and by whom it was applied. SOX PMO will execute testing procedures, approved by management, to support management’s evaluation of operating effectiveness of controls for in-scope routine processes. In developing the plan for evaluating operating effectiveness of controls, management will consider the following:
Prior to performing test work on the operating effectiveness of internal control over financial reporting, audit programs will be prepared. The audit program will set out the nature, timing and extent of the procedures to be performed and will serve as a set of instructions to those performing the work. Audit programs will include:
Selection of Test Type and Control Categories
There are a number of techniques that may be used to obtain evidence about the effectiveness of the operation of controls. These techniques include observation, inquiry, inspection and re-performance. There are additional techniques that, when combined with the previously listed techniques may be used to gain sufficient and appropriate evidence related to the operating effectiveness of a control. These techniques include knowledge assessment, corroborative inquiry and system query. See description of testing techniques included in Appendix B.
To determine the appropriate testing technique, it is first necessary to categorize controls into a control type. Controls can generally be categorized into the following:
Selection of an appropriate control category is an important step as the category selected is directly linked to the types of test procedures. General testing steps for determining control effectiveness for each control type are outlined in Appendix C. For controls not falling into the control categories listed above, testing procedures will be determined based on the distinct nature of the control.
Extent of Testing (Sample Sizes)
It is necessary to test controls to the extent deemed necessary for management to be satisfied that the results of the test provide conclusive evidence for management to support the assertion that the control is operating effectively. Once it is decided which technique or combination of techniques to use, the number of items to test in determining whether the control is operating effectively and consistently depends on how the control was applied, the consistency with which it was applied, and by whom the control was performed.
The first step in determining sample size is determining if the control is manual or automated (i.e., system controls). Manually applied controls are prone to random failures, whereas automated controls should be reliable and, as long as the computer systems are working effectively, will tend to operate consistently.
The nature of the control (i.e., manual or automated) will be documented in the risk and control matrices. The following baselines will be used in making sample size judgments for manual and automated controls:
When testing monitoring or manual controls, the sample size will depend on the frequency at which the control occurs. Testing standards are as follows:
|Frequency of Control||Baseline Sample Size|
|Daily / Recurring (multiple times per day)||25|
In situations where an automated or IT control exists and is applied to every transaction, testing will generally be minimal as management will have tested general computer controls to be satisfied that they are functioning appropriately. Therefore, system query will often be the most appropriate testing technique. In this technique, one query as a test is appropriate for an IT system that would be expected to operate consistently in a well-controlled environment. A well-controlled environment is one where the specific configuration, interfaces and system access are appropriately designed and subject to appropriate change control procedures. Observation should also be made to ascertain whether there is any violation to the security access such as sharing of passwords.
Samples should be selected randomly to reflect an appropriate representation of the population. The specific sources and populations used for making sample selections will vary from control to control. Determining the appropriate source and population is a matter of judgment and should consider the following:
The above guidance on extent of testing applies in situations where there is a population to sample from. Controls may also exist where testing techniques and sample sizes may not be applicable. For example:
Rationale for determining sample selection sources and populations will be documented in the working papers, as appropriate.
Timing of Testing
Test of controls should be performed over a period of time that is adequate to determine whether, as of the date specified in the assertion, the controls necessary for achieving the objectives of the control criteria are operating effectively. The period of time over which tests of controls should be performed is a matter of management judgment.
If controls are to be tested over a period of time such as at an interim date using techniques other than knowledge assessment or corroborative inquiry (i.e., inspection, observation, re-performance), management should consider what additional evidence concerning the operation of the control should be obtained for the remaining period.
Evidence should be obtained about the nature and extent of any significant changes in internal control that occur subsequent to the previous or interim date through, for example, inquiry or observation. In addition, sufficient evidence should be obtained about the operating effectiveness of such controls since the previous or interim date, for example, by obtaining evidence about the operating effectiveness of the company’s monitoring of controls.
Prior to the date specified in the assertion, management may change the company’s controls to make them more effective or efficient, or to address control deficiencies. In these circumstances, controls that have been superseded may not need to be considered. For example, if management asserts that the new controls achieve the related objectives of the control criteria and have been in effect for a sufficient period and there is sufficient time to permit the testing of the new design and operating effectiveness, tests may not need to be performed on the design and operating effectiveness of the superseded controls, except to the extent of communicating identified significant deficiencies in controls that might have been identified in an interim period.
Management will prepare a detailed timeline for evaluation of control design and control effectiveness, as well as timelines to address control deficiencies and update control documentation.
Documentation of Test Results
In evaluating and developing the assessment of internal control over financial reporting, evidential matter needs to be maintained to provide reasonable support in the review of management’s assessment and attestation conducted by the independent auditor. This evidential matter must provide sufficient documentation to enable the external auditor to conclude that there is a reasonable basis for the assertion on internal control over financial reporting that will be made by management.
Working papers will be prepared and crossed referenced to enable reviewers and external auditors to easily locate the documentation that supports the conclusion reached on the assessment of the selected internal controls over financial reporting. Working papers will include sufficient documentation to re-perform control testing (i.e., copies of sample documents tested) and will include supporting documentation for all testing exceptions.
Categorization and Escalation of Issues and Remediation
When performing tests of operating effectiveness, management may find exceptions from prescribed control policies or procedures, as we do not expect controls to operate perfectly. In these instances, the nature and cause of the conditions must be investigated. Management is responsible for determining if a mitigating control compensates for the defective control and if that control is designed to achieve the same control objective. If the compensating control is appropriately designed, tests of operating effectiveness will then be performed on the compensating control.
When control testing exceptions are identified, the following steps will be taken:
Deficiencies can range from inconsequential, to significant, to material weaknesses. In limited situations, there may be sufficient evidence to conclude that the error was an isolated incident. If this is the case, it may still be possible to conclude that the control is operating effectively. Management will assess whether deficiencies, either individually or in the aggregate, rise to the level of a significant deficiency or a material weakness. According to the PCAOB Final Ruling, significant deficiencies and material weaknesses are defined as follows:
Deciding whether an internal control deficiency is a significant deficiency or material weakness requires both a detailed understanding by management of the relevant facts and circumstances, and a considerable amount of management judgment. Management will evaluate and formally document its assessment of the significance of a deficiency in internal control over financial reporting by determining the following:
When corrective action is taken to remedy a control deficiency, the corrected control should be in place and operating for a sufficient period of time prior to the assertion date for management to evaluate the corrected control and conclude that the control is operating effectively as of the assertion date. In addition, management will allow sufficient time to test the operating effectiveness of the control. Management will provide a rationale as to why a significant deficiency was not corrected or did not preclude them from concluding that the internal controls over financial reporting were operating effectively.
Appendix A: Evaluation of COSO Control Components
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all components of internal control, providing discipline and structure. The control environment encompasses several control factors, including:
These controls can be broken down as either hard controls (audit committee, organizational structure, assignment of authority and responsibility, human resources policies and procedures) or soft, cultural controls (integrity and ethics, commitment to competence, management operating style). Analysis of the control environment includes consideration as to whether the hard controls are functioning effectively and if there appears to be a breakdown in the soft controls.
Effectively controlled entities strive to have competent people, instill an enterprise-wide attitude of integrity and control consciousness, and set a positive “tone at the top.” They establish appropriate policies and procedures, often including a written code of conduct, which foster shared values and teamwork in pursuit of the entity’s objectives.
Every institution faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change. According to COSO, effective risk assessment requires:
Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. Specific control activities and related control objectives should be documented. With respect to financial reporting, some generic control activities may include written policies and procedures, appropriate authorizations, adequate record keeping, management reviews, and asset safeguards. Control activities over financial reporting may also include or overlap with information system and operational controls. When evaluating control activities, management must consider:
Information and Communication
Pertinent information should be identified, captured, processed, and communicated in a form and timeframe that enables the individuals to carry out their responsibilities. Information systems produce reports that contain operational, financial and compliance-related information and make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary for informed business decision-making and external reporting. Effective communication also must occur in a broader sense, flowing down, across and up the organization, as well as externally. Management must consider the following control criteria for processing information:
Communication of information is inherent in processing information; management must consider:
Internal control systems need to be monitored – a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.
Monitoring occurs through management and supervisory personnel assessing the quality of internal control systems over the ordinary course of operations. In the evaluation of the monitoring component, management must consider the following criteria:
Appendix B: Testing Techniques
|Observation||Observe the performance of the control.|
|Inquiry||Ask a knowledgeable person for information about the operation of a control; evaluate and obtain evidence about the appropriateness of the follow-up actions.|
|Note that inquiry alone is not sufficient to provide evidence of operation effectiveness.|
|Inspection||Review records or documents supporting and evidencing the operation of a control.|
|Re-Performance||Re-perform the operation of a control to ascertain that it was performed correctly.|
|Knowledge Assessment||Combine inquiry, inspection and re-performance techniques to test the individuals’ knowledge of a subject or competency to perform a control.|
|Corroborative Inquiry||Corroborate the performance of a control through confirmation with other members of the organization. Corroboration is meant to confirm the validity and consistency of the application of the control as a test of operating effectiveness.|
|System Query||Test that automated controls within an IT application are operating as expected.|
Appendix C: Testing Steps by Control Category
Authorization (Manual & System)
Points to consider when performing the listed test steps:
Exception/Edit Report Control
Controls that fall into the exception/edit report category relate to when a report is generated to monitor something and followed-up on through to resolution. In most instances, the reports are focused on exceptions/edits as defined below, however in some instances it may just be a report. For example, if an aging report is generated by the system and followed up, the content does not necessarily represent edits or exceptions, but the control would fall into this category for test of design and test of effectiveness considerations.
In most instances the underlying data for an exception/edit report is to be tested.
Points to consider when performing the listed test steps:
Data interfaces – Data interfaces transfer specifically defined portions of information (data) between two computer systems, using either manual or automated means or a hybrid of both, and should ensure accuracy, completeness and integrity of the data being transferred. The job of a data interface is to transfer the data securely, once and only once, completely, accurately, with integrity, and to highlight any exceptions. Interfaces can be two-way (back and forth between two systems) or one-way (from one system to another), and can link new systems to old/Legacy systems or old/Legacy systems to new systems.
Data conversion – Data conversion is the process of migrating data from a Legacy system (which may have old, duplicate, inaccurate, incomplete data, which reside in several places within the system) to a new system. To perform this process, the data needs to be cleansed, reviewed and synchronized prior to conversion (a critical step), then mapped (which may include parsing or other manipulation), reformatted, translated, consolidated and loaded into the new system (which may include a time lag or delay during which new data is created). Once the data has been converted and loaded into the new system, it must be maintained to ensure its completeness, existence, accuracy and integrity.
Points to consider when performing the listed test steps:
Perform procedures related to system access to change configuration as outlined in the system access control category.
Select samples of interface controls identified from the above and re-perform the steps to determine if the interface is complete.
Inspect exception reports generated highlighting interface problems. Follow through on the resolution of an exception that occurred this year. This exception review may include on-line review exception messages evidence during observation procedures.
Key Performance Indicator (KPI)
Key performance indicators (“KPIs”) are the financial and non-financial quantitative measurements that are:
Points to consider when performing the listed test steps:
Additional considerations in gathering sample of KPIs: Select only those KPIs that are both relevant to financial statement assertions and possess the following qualities:
Management review is the activity of a person different than the preparer, analyzing and performing oversight of activities performed. In many instances, it will be a manager reviewing the work of a subordinate. However, it is not limited to this. It may include co-workers reviewing each other’s work. Examples including internal audit activities, etc.
Points to consider when performing the listed test steps:
Reconciliation is a control designed to verify that two items, such as computer systems, are consistent.
Points to consider when performing the listed test steps:
Segregation of Duties
The separation of duties and responsibilities of authorizing transactions, recording transactions and maintaining custody to prevent individuals from being in a position to both perpetrate and conceal an error or irregularity.
Points to consider when performing the listed test steps:
The ability that individual users or groups of users have within a computer information system processing environment, as determined and defined by access rights configured in the system. The access rights in the system agree to the access in practice.
Points to consider when performing the listed test steps:
System Configuration/Account Mapping Control
Definition System configuration and account mapping includes “switches” that can be set by turning them on or off to secure data against inappropriate processing, based on the organization’s business rules. If the switch is turned on, the checking can be customized for the particular organization to be very robust or very permissive. The more specific definition of each is as follows:
Points to consider when performing the listed test steps:
Additional Consideration in Testing Configurable Controls or Account Mapping:
Account mapping may be changeable in a “live” production environment by users. Mis-mapped accounts may not appear on the financial statements, or they may appear in an inappropriate manner such as in a suspense account or in an “opposite” category such as revenue to liability. An end user can circumvent configurable controls if the control is not appropriately set up to meet the company’s need and user access appropriate. For example, using the warning message “can continue” may not be as appropriate to meet the company’s needs as “cannot continue - transaction is “held/blocked.”
Configurable controls can override security control features. For example, not assigning “authorization groups” to certain accounts, tables or programs can result in ineffective security. On the other hand, a configurable control can be set up but may not be effective unless the system access supports the control as configured (for example: a user with super user access can just change the configured control setting).
GitLab has adequate internal controls and disclosure procedures in place to ensure that its periodic reports, quarterly earnings releases, proxy statements and registration statements are accurate and complete, and upon which the senior officers of the company have relied in making decisions on disclosure issues in connection with such public disclosures.
The company’s current internal processes have been memorialized in various locations in the handbook, but shall be summarized separately as a table on this page entitled, “GitLab’s Disclosure Controls Policy and Procedures,” to be prepared as soon as possible.
The company’s disclosure controls and procedures serve the purpose to help appropriate personnel make decisions on disclosure issues.
The United States Securities and Exchange Commission (the SEC) adopted new rules 13a-14 and 15d-14 under the Securities Exchange Act of 1934, effective as of August 29, 2002, which implement Section 302 of the Sarbanes-Oxley Act of 2002 (the Exchange Act Rules).
The Exchange Act Rules require the company’s chief executive and chief financial officers (each a certifying officer and collectively, the certifying officers) to certify in each of the company’s periodic reports filed with the SEC, among other things, that he is responsible for establishing and maintaining disclosure controls and procedures, and that, as of a date within 90 days prior to the filing date of the applicable report, he has evaluated the effectiveness of the company’s disclosure controls and procedures.
It is necessary and appropriate to establish the GitLab Disclosure committee (the committee), which is intended to implement disclosure controls and procedures necessary to meet the requirements set forth in the Exchange Act Rules and other provisions of the Sarbanes-Oxley Act of 2002.
The company’s chief executive officer and chief financial officer have established the committee pursuant to and vested it with the powers and responsibilities set forth in this charter.
The purpose of the committee is to assure that information required to be disclosed by the company in the reports that it files or submits under the Exchange Act is properly recorded, processed, summarized and reported to senior management as appropriate to allow timely decisions regarding required disclosure. The committee will also evaluate the adequacy of the company’s disclosure controls and procedures with respect to its periodic reports and quarterly earnings releases.
The committee shall consist of the following individuals as each holds the corresponding position within the company:
|Chief Financial Officer|
|Principal Accounting Officer|
|Senior Technical Accounting Manager|
|Accounting and External Reporting Manager|
|Senior Internal Audit Manager|
|Vice President of Investor Relations|
|Vice President of FP&A|
|Chief Legal Officer|
|Director of Risk and Compliance|
In addition, internal audit shall serve as an ex-officio participant of the committee. Ex-officio participants will not have the right to vote at committee meetings. The committee members may call on other company team members to participate in committee meetings as needed, but such team members will not have the right to vote at committee meetings. The chair and co-chair of the committee shall have the authority to appoint and remove individuals from the committee as they deem appropriate, provided they notify the chief executive and chief financial officers. Any individuals appointed as successors to the above positions shall succeed that member of the committee, unless the chair and co-chair direct otherwise.
The primary channel of work will be GitLab issues or GitLab slack channel
#disclosure-committee where all committee members have access to the information, discussion, conclusions and action plans.
The committee shall meet at the discretion of the chair and co-chair, provided that the committee shall meet not less than once per quarter. This will coincide with public filings of the Company. The chair or co-chair may call meetings by providing a minimum of 24 hours advance notice of the time of the meeting to all members of the committee.
The chair or co-chair may designate an assistant secretary to assist the secretary in keeping minutes of the committee meetings as appropriate to record the meetings and decisions taken with respect to disclosure issues. The minutes (or a briefing of the issues discussed and decisions taken with respect to disclosure issues) of each meeting will be distributed to the chief executive and chief financial officers.
In order to achieve its purpose, the committee will perform two functions. First, it will identify and consider disclosure issues in connection with the preparation of periodic reports and quarterly earnings releases and participate in the review of such disclosures. Second, it will undertake a quarterly evaluation of the company’s disclosure controls and procedures.
Identification and consideration of disclosure issues
The members of the committee will continue to follow the internal processes set forth in the disclosure controls and procedures documented by the company pertaining to the preparation of periodic reports required by the federal securities laws and the preparation of quarterly earnings releases. As part of this process, the committee shall:
Evaluation of disclosure controls and procedures
Each quarter, the committee shall review and evaluate the effectiveness of the company’s procedures for recording, processing, summarizing and reporting information required to be disclosed by the company in its Exchange Act filings. As part of this review and evaluation, in connection with the preparation of the company’s annual report, the committee will assess the effectiveness of the company’s internal control structure and procedures for financial reporting.
The committee shall submit a written report documenting its quarterly conclusions about the effectiveness of the disclosure controls and procedures and annual assessment of the internal control structure and procedures for financial reporting to the company’s chief executive and chief financial officers. Such reports shall be submitted as soon as practicable after the respective reporting period.
Timetable for the preparation of annual and quarterly reports
|Days Prior Filing Date||Task||Responsible Parties|
|More than 30 days||Appoint principal draft personnel||Certifying officers|
|30 days||Begin drafting report and collect information||Principal draft person|
|20 days||Distribute initial draft to certifying officers, disclosure committee and business decision makers||Principal draft personnel|
|20 days||Distribute supporting materials to certifying officers and disclosure committee||Principal draft personnel|
|18 – 20 days||Review draft and commence meetings||Certifying officers, disclosure committee and personnel responsible for business of subsidiaries, divisions or departments, and key geographic regions (the business decision makers)|
|18 days||Provide initial comments to principal draft personnel||Certifying officers, disclosure committee and business decision makers|
|15 – 18 days||Certifying officers discuss with senior accounting staff and business decision makers||Certifying officers and business decision makers|
|15 days||Provide comments to principal draft personnel||Certifying officers, disclosure committee and business decision makers|
|12 days||Provide revised draft to certifying officers, disclosure committee and business decision makers, and initial draft to outside auditors and outside counsel||Principal draft personnel|
|10 – 12 days||Review draft||All parties|
|9 – 10 days||Certifying officers meet with outside auditors||Certifying officers and outside auditors|
|9 days||Provide comments to principal draft personnel||All parties|
|7 days||Distribute revised draft to all parties and audit committee||Principal draft personnel|
|5 days||Certifying officers and disclosure committee meet with audit committee||Certifying officers, disclosure committee and audit committee|
|5 days||Audit committee meeting||Audit committee, CFO, outside auditors and outside counsel|
|4 days||Distribute to all parties substantially final draft||Principal draft personnel|
|2 – 4 days||Provide final comments||All parties|
|1 – 2 days||Finalize and EDGARarize report||Principal draft personnel|
|Filing Date||File report||Principal draft personnel|
Appointment of principal draft person
The principal accounting officer shall initially serve as the principal draft person of the company’s annual and quarterly reports. The principal draft person shall be responsible for preparing and filing each report; coordinating meetings between the certifying officers and committee, the audit committee, and the company’s outside auditors; working with counsel; coordinating the receipt of comments and implementation of changes suggested by all persons involved in the review of each report; and ensuring that the timetable for preparation of each report is followed.
The committee shall review and reassess the adequacy of the committee’s charter at least annually. If the committee deems it necessary or appropriate to revise the charter, it may submit proposed revisions first to the company’s chief financial officer and then to the chief executive officer for review and approval. This charter may be amended upon written direction or approval from the chief executive officer and chief financial officer of the company, provided they notify the company’s audit committee of such amendment.
This policy documents the overall controls and procedures designed to ensure the quality and accuracy of disclosures made in GitLab’s quarterly and annual public filings with the US Securities and Exchange Commission.
Overall controls are established to ensure a schedule of events and responsibility list are developed for each reporting period, disclosable items are identified with sufficient lead-time to allow for:
This is intended to:
|Financial Reporting||Principal Accounting Officer, Senior Technical Accounting Manager and Accounting and External Reporting Manager|
|Accounting||Principal Accounting Officer, Controller and Senior Accounting and Operations Manager|
|Finance||Principal Accounting Officer, Controller and Vice President of Finance|
|Legal||Chief Legal Officer and Vice President of Legal|
|Business Operations, forecasting and planning||Vice President of Finance, Vice President of Financial Planning and Analysis|
|Compliance||Director of Risk and Compliance|
|Tax||Director of Tax|
Quarterly Process: The “working group” is defined as a member committee comprised of representatives from the following business units: Financial reporting, Accounting, Finance, Legal, Business Operations, forecasting and planning, Compliance and Tax. The working group is primarily responsible for tasking the appropriate business unit individuals with ensuring the completeness, accuracy, and timeliness of information related to significant disclosable items. The working group reports directly to the disclosure committee.
The working group is primarily responsible for the early identification of significant disclosable items driven by either:
On or before one month before quarter-end, the members of the working group initiate discussions with their respective business unit contacts regarding any company events, transactions, business arrangements, and/or outlooks that have transpired since the previous quarter.
Each working group member can utilize a Financial Disclosure Communication Questionnaire, as appropriate, to formally facilitate and document the preparatory discussions with their business unit contacts. By two weeks before quarter-end, working group agenda items are prepared for the initial pre-close planning meeting.
Approximately two weeks prior to the quarter-end meeting, the members of the working group formally meet to discuss disclosable items for the upcoming quarter. Attendance is taken at the meeting and an agenda is provided for the meeting.
In lieu of formal meeting minutes, a Footnote/Disclosure Planning Record is produced by the working group during the meeting. The Footnote/Disclosure Planning Record is a summary of all significant disclosable items that have arisen during the current quarter. The working group assigns a three-tiered layer of responsibility to each disclosable item as follows:
If the initial pre-close planning meeting does not result in the complete identification of all significant new disclosable items, or does not result in the complete source, preparer, and monitor responsibility assignments, then a subsequent pre-close planning meeting is held as soon as practically possible (but by no later than reporting date for formal disclosure committee).
Requests for information relevant to significant disclosable items are made by the assigned preparers through the company database as soon as practically possible, but by no later than the final report date to disclosure committee. Responses to such information requests are made by the assigned sources through the company database as soon as practically possible, but by no later than one week before the planned release of the working group report. For all disclosable items, the assigned Sources also complete a Disclosure Cover Sheet.
Key Control # DC.01
Accounting and External Reporting Manager will be responsible for: