
Sarbanes-Oxley (SOX) Compliance

Sarbanes-Oxley Act of 2002

The Sarbanes-Oxley Act of 2002 (SOX) is a United States federal law that established auditing and financial regulations for the financial reporting of public companies. It was passed to increase transparency in corporate financial reporting and to require a formalized system of checks and balances within each company, thereby helping protect investors from fraudulent financial reporting. SOX applies to all publicly traded companies in the United States, as well as to their wholly owned subsidiaries and to foreign companies that are publicly traded and do business in the United States.

In order to build the confidence of the investors, the SOX regulations require the following:

Formal penalties for non-compliance with SOX can include fines, removal from listings on public stock exchanges and invalidation of D&O policies. Under the Act, CEOs and CFOs who wilfully submit an incorrect certification to a SOX compliance audit can face fines and/or imprisonment.

SOX Compliance Roadmap for GitLab

As GitLab is planning to go public in November 2020, it is important that we prepare to comply with SOX ahead of listing, as the consequences of non-compliance can be severe. Below are some of the important requirements we will need to adhere to:

Points to note:

Planned timelines for SOX Implementation:

SOX Implementation Checklist

1. Desktop Procedures (DTP)

| # | Business Process | Process Name | DTP Drafted | Process Owner Sign-off | Handbook Link |
| --- | --- | --- | --- | --- | --- |
| 1 | Quote to Cash | Customer account creation and Conversion of lead to opportunity | :white_check_mark: | :white_check_mark: | :clock: |
| 2 | Quote to Cash | Price master management | :white_check_mark: | :white_check_mark: | :clock: |
| 3 | Quote to Cash | Quote creation | :white_check_mark: | :white_check_mark: | :clock: |
| 4 | Quote to Cash | Reseller Management | :white_check_mark: | :white_check_mark: | :clock: |
| 5 | Quote to Cash | Contract Management | :white_check_mark: | :white_check_mark: | :clock: |
| 6 | Quote to Cash | Invoicing to customers (Sales team assisted product sale, Web portal sale and Services) | :white_check_mark: | :clock: | :clock: |
| 7 | Quote to Cash | Invoice cancellations and refunds | :white_check_mark: | :clock: | :clock: |
| 8 | Quote to Cash | Revenue recognition (for product subscription, services) | :white_check_mark: | :white_check_mark: | :clock: |
| 9 | Quote to Cash | Accounting of income from sale of merchandise | :white_check_mark: | :white_check_mark: | :clock: |
| 10 | Quote to Cash | Accounting of income from GCP Referral | :white_check_mark: | :white_check_mark: | :clock: |
| 11 | Quote to Cash | Accounts receivable | :white_check_mark: | :clock: | :clock: |
| 12 | Quote to Cash | Incentive payouts to Sales executives | :white_check_mark: | :white_check_mark: | :clock: |
| 13 | Record to Report | User Access Management in Netsuite | :white_check_mark: | :white_check_mark: | :clock: |
| 14 | Record to Report | Chart of Accounts | :white_check_mark: | :white_check_mark: | :clock: |
| 15 | Record to Report | Journal entries | :clock: | :clock: | :clock: |
| 16 | Record to Report | Financial Planning and Analysis | :white_check_mark: | :white_check_mark: | :clock: |
| 17 | Record to Report | Reconciliations | :clock: | :clock: | :clock: |
| 18 | Record to Report | Period End closure | :white_check_mark: | :white_check_mark: | :clock: |
| 19 | Record to Report | Treasury | :clock: | :clock: | :clock: |
| 20 | Record to Report | Financial Reporting | :white_check_mark: | :clock: | :clock: |
| 21 | Regulatory | Sales Tax | :white_check_mark: | :white_check_mark: | :clock: |
| 22 | Regulatory | Wage Tax | :white_check_mark: | :clock: | :clock: |
| 23 | Regulatory | Corporate Income Tax | :white_check_mark: | :white_check_mark: | :clock: |
| 24 | Hire to Retire | Recruitment | :white_check_mark: | :white_check_mark: | :clock: |
| 25 | Hire to Retire | Employee Master Creation and Updates | :white_check_mark: | :white_check_mark: | :clock: |
| 26 | Hire to Retire | Payroll Processing for US | :white_check_mark: | :white_check_mark: | :clock: |
| 27 | Hire to Retire | Payroll Processing for Non-US | :white_check_mark: | :white_check_mark: | :clock: |
| 28 | Hire to Retire | Leave Management for Payroll Processing | :white_check_mark: | :white_check_mark: | :clock: |
| 29 | Hire to Retire | Employee Exits | :white_check_mark: | :white_check_mark: | :clock: |

2. Flowcharts

3. Entity Level Controls

4. Information Technology General Controls

5. Risk Assessment and Scoping

6. Business Process Risk Control Matrix

7. Disclosure Committee

| Disclosure Committee Charter Drafted | Charter Approved |
| --- | --- |
| :white_check_mark: | :white_check_mark: |

8. Disclosure Controls Policies and Procedures

| Disclosure Controls Policies and Procedures Drafted | Policy Approved |
| --- | --- |
| :white_check_mark: | :white_check_mark: |

9. Sec 302 Certification Process

Sarbanes-Oxley Roles and Responsibilities

Process/ Control Owner

The process/control owner has a primary responsibility of updating control descriptions in the handbook for those controls in which they have been identified as the control owner. In this role, the process/control owner will update the control descriptions for any assigned controls any time there is a change in a process or control that requires a change in the information. Some process/control owners will also complete a quarterly change control questionnaire that will alert the SOX project management office (PMO) of any changes that have occurred throughout the last three months. The roles and responsibilities of the process/control owner include the following:

SOX Program Management Office (PMO)

The SOX PMO, a division of the Internal Audit department, has the primary responsibility of managing GitLab’s Sarbanes-Oxley (SOX) compliance program. In this role, the PMO works under the direction of the Principal Accounting Officer to ensure adequate coverage for SOX compliance. The roles and responsibilities of the PMO include the following:

The RACI table below clarifies and defines roles and responsibilities in cross-functional or departmental projects and processes.

| # | Activity | Responsibility (R) | Accountability (A) | Consulted (C) | Informed (I) |
| --- | --- | --- | --- | --- | --- |
| 1 | SOX Scoping and Risk Assessment | PMO | PAO | PO | KSH |
| 2 | RCM Preparation and Reviews | PMO | PAO | PO | KSH |
| 3 | RCM Confirmation and Sign-off | PO | PAO | PMO | CFO |
| 4 | Control Change Updates | PMO | PAO | PO | PO |
| 5 | Remediation of Gaps | PO | PAO | PMO | CFO |
| 6 | Process Flowcharts | PMO | PAO | PO | PO |
| 7 | SOX 404 Management Testing | PMO | PAO | PO | CFO, KSH |
| 8 | SOX 302 Certification | PMO | CEO, CFO | PAO | KSH |
| 9 | SOX 404 Certification | PMO | CEO, CFO | PAO | KSH |
| 10 | 10-K filing | PAO | CEO, CFO | PAO | KSH |
| 11 | 10-Q filing | PAO | CEO, CFO | PMO | KSH |

Sarbanes-Oxley Section 404 Management Testing Plan

Objective

The objective of this document is to summarize management’s approach to plan, organize, execute, document and support its assessment of the effectiveness of GitLab and its subsidiaries’ internal control over financial reporting. Specifically, this document will address the following:

Management's Responsibilities

Under the SEC’s rules implementing the requirement of Section 404 of the Sarbanes Oxley Act of 2002, each annual report must include management’s report on internal control over financial reporting that contains the following elements:

The remainder of this document summarizes the scope and approach of management’s assessment of the effectiveness of the company’s internal control over financial reporting (third bullet above).

COSO Framework

GitLab has adopted the COSO framework as the criteria for evaluating the effectiveness of the company’s internal control over financial reporting. The COSO framework includes the following components:

Management’s overall assessment must take into consideration all five components of the COSO framework. The decision as to whether an organization’s control structure is operating satisfactorily or not is ultimately one of judgment, dependent upon the relative significance placed on any given component of the control framework.

Project Team and Timing

The Senior Internal Audit Manager has been identified as the project leader and will assume responsibility for providing overall direction to the project teams and for communicating project status to management. An in-house internal audit team and, as required, a third-party consulting firm will assist the project leader in this effort. Significant milestones relating to the management evaluation of internal controls over financial reporting, and their estimated timing, are defined here. As testing begins, a detailed timeline for completing the testing of internal controls by process will be prepared. The project leader will report project status and results to management on a monthly basis.

Approach to evaluation

This document lays the framework for testing the effectiveness of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements.

Controls that are significant generally include:

Management’s approach to its assessment of the effectiveness of the company’s internal control over financial reporting is organized in two phases: (1) assessing the entity-wide control framework and (2) assessing process level controls.

Assessing the entity-wide control framework

Management will document the company’s existing entity-wide/corporate control framework and identify potential gaps between the company’s framework and the COSO control framework. The documentation and analysis of the framework will be focused on the entity-wide/corporate internal control over financial reporting, particularly relating to the control environment, risk assessment and monitoring components of COSO. In order to apply and/or assess the components of COSO as they relate to internal control over financial reporting, management must gain an understanding as to the criteria for rating them. In other words, how does the company determine if the control environment, risk assessment process, etc. are satisfactory? Included in Appendix A are some of the key control factors of each of the five COSO components relating to internal control over financial reporting.

Assessing process level controls

Over the past few months, the SOX PMO has prepared risk and control matrices in consultation with process owners. In addition to documenting GitLab’s business processes, these risk and control matrices identify the controls over relevant assertions related to all significant accounts and disclosures in the financial statements. These risk and control matrices will be the basis for assessing process level controls. The matrices are to be reviewed and approved by the business process owners and the project leader prior to executing control assessment procedures.

Assessing process level controls will include an evaluation of control design and an evaluation of control effectiveness.

Evaluating design effectiveness of controls

Design effectiveness refers to whether a control is suitably designed to prevent or detect material misstatements in financial statements. It involves consideration of the financial reporting objectives that the control is meant to achieve and whether it will achieve them. When evaluating control design, management should consider the following:

Consideration should be given to each significant control in a group of controls that function together to achieve a control objective. While it is expected that the majority of controls identified will be tested, insignificant controls do not need to be tested if there is another control that will adequately cover the objective.

It is the responsibility of line management to evaluate the design effectiveness of controls in their respective areas. Line management will use the recently completed process, risk and control documentation to identify whether there are financial reporting risks not mitigated by controls, i.e., whether the controls are designed effectively. The risk and control matrices, together with a listing of control gaps or deficiencies, will serve as evidence of this evaluation. If the design of a particular control is deemed inadequate or a control gap is identified, business process owners will implement additional controls or changes to the design of existing controls. To keep management’s evaluation of design effectiveness current, line management will review process, risk and control documentation at quarterly intervals to identify any new or changed risks and highlight the relevant controls that have been implemented to mitigate these risks.

Evaluating operating effectiveness of controls

Operating effectiveness refers to whether the control is functioning as designed. During the evaluation of operating effectiveness, management gathers evidence regarding how the control was applied, the consistency with which it was applied, and by whom it was applied. SOX PMO will execute testing procedures, approved by management, to support management’s evaluation of operating effectiveness of controls for in-scope routine processes. In developing the plan for evaluating operating effectiveness of controls, management will consider the following:

Prior to performing test work on the operating effectiveness of internal control over financial reporting, audit programs will be prepared. The audit program will set out the nature, timing and extent of the procedures to be performed and will serve as a set of instructions to those performing the work. Audit programs will include:

Selection of Test Type and Control Categories

There are a number of techniques that may be used to obtain evidence about the effectiveness of the operation of controls. These techniques include observation, inquiry, inspection and re-performance. There are additional techniques that, when combined with the previously listed techniques may be used to gain sufficient and appropriate evidence related to the operating effectiveness of a control. These techniques include knowledge assessment, corroborative inquiry and system query. See description of testing techniques included in Appendix B.

To determine the appropriate testing technique, it is first necessary to categorize controls into a control type. Controls can generally be categorized into the following:

Selection of an appropriate control category is an important step as the category selected is directly linked to the types of test procedures. General testing steps for determining control effectiveness for each control type are outlined in Appendix C. For controls not falling into the control categories listed above, testing procedures will be determined based on the distinct nature of the control.

Extent of Testing (Sample Sizes)

It is necessary to test controls to the extent deemed necessary for management to be satisfied that the results of the test provide conclusive evidence for management to support the assertion that the control is operating effectively. Once it is decided which technique or combination of techniques to use, the number of items to test in determining whether the control is operating effectively and consistently depends on how the control was applied, the consistency with which it was applied, and by whom the control was performed.

The first step in determining sample size is determining if the control is manual or automated (i.e., system controls). Manually applied controls are prone to random failures, whereas automated controls should be reliable and, as long as the computer systems are working effectively, will tend to operate consistently.

The nature of the control (i.e., manual or automated) will be documented in the risk and control matrices. The following baselines will be used in making sample size judgments for manual and automated controls:

When testing monitoring or manual controls, the sample size will depend on the frequency at which the control occurs. Testing standards are as follows:

| Frequency of Control | Baseline Sample Size |
| --- | --- |
| Annual | 1 |
| Semi-annual | 1 |
| Quarterly | 2 |
| Monthly | 3 |
| Fortnight | 5 |
| Weekly | 5 |
| Daily / Recurring (multiple times per day) | 25 |

In situations where an automated or IT control exists and is applied to every transaction, testing will generally be minimal, as management will have tested general computer controls to be satisfied that they are functioning appropriately. Therefore, system query will often be the most appropriate testing technique. In this technique, a single query is an adequate test for an IT system that would be expected to operate consistently in a well-controlled environment. A well-controlled environment is one where the specific configuration, interfaces and system access are appropriately designed and subject to appropriate change control procedures. Observation should also be made to ascertain whether there is any violation of security access, such as password sharing.

Samples should be selected randomly to reflect an appropriate representation of the population. The specific sources and populations used for making sample selections will vary from control to control. Determining the appropriate source and population is a matter of judgment and should consider the following:

The above guidance on extent of testing applies in situations where there is a population to sample from. Controls may also exist where testing techniques and sample sizes may not be applicable. For example:

Rationale for determining sample selection sources and populations will be documented in the working papers, as appropriate.

Timing of Testing

Test of controls should be performed over a period of time that is adequate to determine whether, as of the date specified in the assertion, the controls necessary for achieving the objectives of the control criteria are operating effectively. The period of time over which tests of controls should be performed is a matter of management judgment.

If controls are to be tested over a period of time such as at an interim date using techniques other than knowledge assessment or corroborative inquiry (i.e., inspection, observation, re-performance), management should consider what additional evidence concerning the operation of the control should be obtained for the remaining period.

Evidence should be obtained about the nature and extent of any significant changes in internal control that occur subsequent to the previous or interim date through, for example, inquiry or observation. In addition, sufficient evidence should be obtained about the operating effectiveness of such controls since the previous or interim date, for example, by obtaining evidence about the operating effectiveness of the company’s monitoring of controls.

Prior to the date specified in the assertion, management may change the company’s controls to make them more effective or efficient, or to address control deficiencies. In these circumstances, controls that have been superseded may not need to be considered. For example, if management asserts that the new controls achieve the related objectives of the control criteria and have been in effect for a sufficient period and there is sufficient time to permit the testing of the new design and operating effectiveness, tests may not need to be performed on the design and operating effectiveness of the superseded controls, except to the extent of communicating identified significant deficiencies in controls that might have been identified in an interim period.

Management will prepare a detailed timeline for evaluation of control design and control effectiveness, as well as timelines to address control deficiencies and update control documentation.

Documentation of Test Results

In evaluating and developing the assessment of internal control over financial reporting, evidential matter needs to be maintained to provide reasonable support in the review of management’s assessment and attestation conducted by the independent auditor. This evidential matter must provide sufficient documentation to enable the external auditor to conclude that there is a reasonable basis for the assertion on internal control over financial reporting that will be made by management.

Working papers will be prepared and cross-referenced to enable reviewers and external auditors to easily locate the documentation that supports the conclusion reached on the assessment of the selected internal controls over financial reporting. Working papers will include sufficient documentation to re-perform control testing (i.e., copies of sample documents tested) and will include supporting documentation for all testing exceptions.

Categorization and Escalation of Issues and Remediation

When performing tests of operating effectiveness, management may find exceptions from prescribed control policies or procedures, as we do not expect controls to operate perfectly. In these instances, the nature and cause of the conditions must be investigated. Management is responsible for determining if a mitigating control compensates for the defective control and if that control is designed to achieve the same control objective. If the compensating control is appropriately designed, tests of operating effectiveness will then be performed on the compensating control.

When control testing exceptions are identified, the following steps will be taken:

Deficiencies can range from inconsequential, to significant, to material weaknesses. In limited situations, there may be sufficient evidence to conclude that the error was an isolated incident. If this is the case, it may still be possible to conclude that the control is operating effectively. Management will assess whether deficiencies, either individually or in the aggregate, rise to the level of a significant deficiency or a material weakness. According to the PCAOB Final Ruling, significant deficiencies and material weaknesses are defined as follows:

Deciding whether an internal control deficiency is a significant deficiency or material weakness requires both a detailed understanding by management of the relevant facts and circumstances, and a considerable amount of management judgment. Management will evaluate and formally document its assessment of the significance of a deficiency in internal control over financial reporting by determining the following:

When corrective action is taken to remedy a control deficiency, the corrected control should be in place and operating for a sufficient period of time prior to the assertion date for management to evaluate the corrected control and conclude that the control is operating effectively as of the assertion date. In addition, management will allow sufficient time to test the operating effectiveness of the control. Management will provide a rationale as to why a significant deficiency was not corrected or did not preclude them from concluding that the internal controls over financial reporting were operating effectively.

Appendix A: Evaluation of COSO Control Components

Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all components of internal control, providing discipline and structure. The control environment encompasses several control factors, including:

These controls can be broken down as either hard controls (audit committee, organizational structure, assignment of authority and responsibility, human resources policies and procedures) or soft, cultural controls (integrity and ethics, commitment to competence, management operating style). Analysis of the control environment includes consideration as to whether the hard controls are functioning effectively and if there appears to be a breakdown in the soft controls.

Effectively controlled entities strive to have competent people, instill an enterprise-wide attitude of integrity and control consciousness, and set a positive “tone at the top.” They establish appropriate policies and procedures, often including a written code of conduct, which foster shared values and teamwork in pursuit of the entity’s objectives.

Risk Assessment

Every institution faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change. According to COSO, effective risk assessment requires:

Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. Specific control activities and related control objectives should be documented. With respect to financial reporting, some generic control activities may include written policies and procedures, appropriate authorizations, adequate record keeping, management reviews, and asset safeguards. Control activities over financial reporting may also include or overlap with information system and operational controls. When evaluating control activities, management must consider:

Information and Communication

Pertinent information should be identified, captured, processed, and communicated in a form and timeframe that enables the individuals to carry out their responsibilities. Information systems produce reports that contain operational, financial and compliance-related information and make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary for informed business decision-making and external reporting. Effective communication also must occur in a broader sense, flowing down, across and up the organization, as well as externally. Management must consider the following control criteria for processing information:

Communication of information is inherent in processing information; management must consider:

Monitoring

Internal control systems need to be monitored – a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.

Monitoring occurs through management and supervisory personnel assessing the quality of internal control systems over the ordinary course of operations. In the evaluation of the monitoring component, management must consider the following criteria:

Appendix B: Testing Techniques

| Testing Technique | Description |
| --- | --- |
| Observation | Observe the performance of the control. |
| Inquiry | Ask a knowledgeable person for information about the operation of a control; evaluate and obtain evidence about the appropriateness of the follow-up actions. Note that inquiry alone is not sufficient to provide evidence of operating effectiveness. |
| Inspection | Review records or documents supporting and evidencing the operation of a control. |
| Re-Performance | Re-perform the operation of a control to ascertain that it was performed correctly. |
| Knowledge Assessment | Combine inquiry, inspection and re-performance techniques to test the individuals’ knowledge of a subject or competency to perform a control. |
| Corroborative Inquiry | Corroborate the performance of a control through confirmation with other members of the organization. Corroboration is meant to confirm the validity and consistency of the application of the control as a test of operating effectiveness. |
| System Query | Test that automated controls within an IT application are operating as expected. |

Appendix C: Testing Steps by Control Category

Authorization (Manual & System)

Definition

Authorization includes:

Points to consider when performing the listed test steps:

Exception/Edit Report Control

Definition

Controls that fall into the exception/edit report category relate to a report that is generated to monitor something and is followed up on through to resolution. In most instances the reports are focused on exceptions/edits as defined below; in some instances, however, it may simply be a report. For example, if an aging report is generated by the system and followed up, its content does not necessarily represent edits or exceptions, but the control would still fall into this category for test of design and test of effectiveness considerations.

In most instances the underlying data for an exception/edit report is to be tested.

Points to consider when performing the listed test steps:

Interface/Conversion Control

Definition

Data interfaces – Data interfaces transfer specifically defined portions of information (data) between two computer systems, using either manual or automated means or a hybrid of both, and should ensure accuracy, completeness and integrity of the data being transferred. The job of a data interface is to transfer the data securely, once and only once, completely, accurately, with integrity, and to highlight any exceptions. Interfaces can be two-way (back and forth between two systems) or one-way (from one system to another), and can link new systems to old/Legacy systems or old/Legacy systems to new systems.

Data conversion – Data conversion is the process of migrating data from a Legacy system (which may have old, duplicate, inaccurate, incomplete data, which reside in several places within the system) to a new system. To perform this process, the data needs to be cleansed, reviewed and synchronized prior to conversion (a critical step), then mapped (which may include parsing or other manipulation), reformatted, translated, consolidated and loaded into the new system (which may include a time lag or delay during which new data is created). Once the data has been converted and loaded into the new system, it must be maintained to ensure its completeness, existence, accuracy and integrity.

Points to consider when performing the listed test steps:

Select samples of interface controls identified from the above and re-perform the steps to determine if the interface is complete.

Inspect exception reports generated to highlight interface problems. Follow through on the resolution of an exception that occurred this year. This exception review may include on-line review of exception messages evidenced during observation procedures.
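The interface-control definition above lists what a data interface must guarantee (complete, accurate, once and only once, with exceptions highlighted). The following is an added example, not GitLab's code, of the re-performance a tester can do over an interface: recompute record counts and hash totals on both sides and list every record-level exception. The billing-to-ledger interface, the CSV extracts and the invoice values are all constructed for illustration.

```python
"""Added example (not GitLab's code): re-performing completeness and accuracy
checks over a hypothetical billing-to-ledger interface. Both extracts are
constructed inline so the script runs offline."""
import csv
import io
from decimal import Decimal

# Constructed source extract (billing system) for one interface run.
SOURCE_CSV = """invoice_id,customer,amount
INV-1001,acme,1200.00
INV-1002,globex,350.50
INV-1003,initech,99.99
INV-1004,umbrella,5000.00
"""

# Constructed target extract (ledger) after the same run: one invoice loaded
# twice, one never loaded, one with an altered amount. Record counts agree,
# so a count-only check would pass; hash totals and row matching do not.
TARGET_CSV = """invoice_id,customer,amount
INV-1001,acme,1200.00
INV-1002,globex,350.50
INV-1002,globex,350.50
INV-1004,umbrella,5000.01
"""


def load(text):
    """Parse a CSV extract; amounts become Decimal so totals are exact."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount"] = Decimal(row["amount"])
    return rows


def control_totals(rows):
    """Record count and hash total (sum of amounts) for one side of the interface."""
    return {"count": len(rows), "hash_total": sum(r["amount"] for r in rows)}


def reconcile(source_rows, target_rows):
    """Record-level exceptions, sorted: duplicate, unexpected, amount_mismatch, missing."""
    source = {r["invoice_id"]: r for r in source_rows}
    seen = {}
    exceptions = []
    for row in target_rows:
        key = row["invoice_id"]
        if key in seen:                      # "once and only once" violated
            exceptions.append(("duplicate", key))
            continue
        seen[key] = row
        if key not in source:                # record with no source counterpart
            exceptions.append(("unexpected", key))
        elif source[key]["amount"] != row["amount"]:   # accuracy/integrity
            exceptions.append(("amount_mismatch", key))
    for key in source:
        if key not in seen:                  # completeness
            exceptions.append(("missing", key))
    return sorted(exceptions)


if __name__ == "__main__":
    src, tgt = load(SOURCE_CSV), load(TARGET_CSV)
    print("source totals:", control_totals(src))
    print("target totals:", control_totals(tgt))
    for kind, key in reconcile(src, tgt):
        print(f"EXCEPTION {kind}: {key}")
```

The point of the constructed data is that the record counts match (four and four) while the hash totals and the row-level comparison do not; a tester who relies on counts alone would wrongly conclude the interface is complete, which is why the page calls for both accuracy and once-and-only-once evidence.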

Key Performance Indicator (KPI)

Definition

Key performance indicators (“KPIs”) are the financial and non-financial quantitative measurements that are:

Points to consider when performing the listed test steps:

Additional considerations in gathering sample of KPIs: Select only those KPIs that are both relevant to financial statement assertions and possess the following qualities:

Management Review

Definition

Management review is the activity of a person other than the preparer analyzing and performing oversight of activities performed. In many instances it will be a manager reviewing the work of a subordinate, but it is not limited to this; it may include co-workers reviewing each other’s work. Examples include internal audit activities.

Points to consider when performing the listed test steps:

Reconciliation

Definition

Reconciliation is a control designed to verify that two items, such as computer systems, are consistent.

Points to consider when performing the listed test steps:

Segregation of Duties

Definition

The separation of duties and responsibilities of authorizing transactions, recording transactions and maintaining custody to prevent individuals from being in a position to both perpetrate and conceal an error or irregularity.

Points to consider when performing the listed test steps:

System Access

Definition

The ability that individual users or groups of users have within a computer information system processing environment, as determined and defined by the access rights configured in the system. The access rights in the system agree with the access in practice.
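The Segregation of Duties and System Access definitions above describe two controls that are usually tested from the same evidence: a system access export and the access list the process owner has signed off. The following is an added example, not GitLab's code, of that comparison: it flags users who hold two or more of the authorize/record/custody duties within one process, access present in the system but absent from the approved list, and accounts still active for users who have left. The system, its role names, the users and the approved list are all constructed for illustration.

```python
"""Added example (not GitLab's code): testing segregation of duties and
system-vs-approved access over a constructed access export for a
hypothetical finance application."""
from collections import defaultdict

# Constructed mapping of each hypothetical system role to (process, duty).
# The three duties SoD keeps apart are authorize, record and custody.
ROLE_DUTIES = {
    "ap_invoice_entry": ("payables", "record"),
    "ap_payment_approver": ("payables", "authorize"),
    "ap_payment_release": ("payables", "custody"),
    "gl_journal_entry": ("general_ledger", "record"),
    "gl_journal_approver": ("general_ledger", "authorize"),
    "report_viewer": ("reporting", "read"),
}

# Constructed system access export: (user, role, account status).
SYSTEM_ACCESS = [
    ("alice", "ap_invoice_entry", "active"),
    ("alice", "ap_payment_approver", "active"),  # record + authorize in payables
    ("bob", "ap_payment_approver", "active"),
    ("bob", "report_viewer", "active"),
    ("carol", "gl_journal_entry", "active"),
    ("carol", "report_viewer", "active"),        # not on the approved list
    ("dave", "ap_payment_release", "active"),    # dave has left; still active
    ("erin", "gl_journal_approver", "disabled"), # disabled accounts are ignored
]

# Constructed approved-access list signed off by the process owner.
APPROVED_ACCESS = {
    ("alice", "ap_invoice_entry"),
    ("alice", "ap_payment_approver"),
    ("bob", "ap_payment_approver"),
    ("bob", "report_viewer"),
    ("carol", "gl_journal_entry"),
}

# Constructed leavers list from the hire-to-retire process.
TERMINATED_USERS = {"dave"}


def sod_conflicts(access):
    """Active users holding two or more of authorize/record/custody in one process."""
    duties = defaultdict(set)
    for user, role, status in access:
        if status != "active":
            continue
        process, duty = ROLE_DUTIES[role]
        if duty in {"authorize", "record", "custody"}:
            duties[(user, process)].add(duty)
    return {key: sorted(found) for key, found in duties.items() if len(found) >= 2}


def unapproved_access(access, approved):
    """Active access in the system that the signed-off list does not grant."""
    return sorted((u, r) for u, r, s in access if s == "active" and (u, r) not in approved)


def stale_accounts(access, terminated):
    """Leavers whose accounts are still active: the exit control did not operate."""
    return sorted({u for u, _, s in access if s == "active" and u in terminated})


if __name__ == "__main__":
    for (user, process), found in sod_conflicts(SYSTEM_ACCESS).items():
        print(f"SoD conflict: {user} holds {found} in {process}")
    for user, role in unapproved_access(SYSTEM_ACCESS, APPROVED_ACCESS):
        print(f"Unapproved access: {user} -> {role}")
    for user in stale_accounts(SYSTEM_ACCESS, TERMINATED_USERS):
        print(f"Stale account: {user}")
```

Each finding maps to a different control on this page: the SoD conflict is a design question for the role model, unapproved access is the system disagreeing with practice, and the stale account is evidence about the Employee Exits process. All three come from the same export, which is why a single access review working paper usually covers them together.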

Points to consider when performing the listed test steps:

System Configuration/Account Mapping Control

Definition

System configuration and account mapping includes “switches” that can be set by turning them on or off to secure data against inappropriate processing, based on the organization’s business rules. If the switch is turned on, the checking can be customized for the particular organization to be very robust or very permissive. The more specific definition of each is as follows:

Points to consider when performing the listed test steps:

Additional Consideration in Testing Configurable Controls or Account Mapping:

Account mapping may be changeable by users in a “live” production environment. Mis-mapped accounts may not appear on the financial statements, or they may appear in an inappropriate manner, such as in a suspense account or in an “opposite” category (for example, revenue mapped to a liability). An end user can circumvent configurable controls if the control is not set up appropriately to meet the company’s needs and user access is not appropriately restricted. For example, the warning message “can continue” may not be as appropriate to meet the company’s needs as “cannot continue - transaction is held/blocked.”

Configurable controls can override security control features. For example, not assigning “authorization groups” to certain accounts, tables or programs can result in ineffective security. On the other hand, a configurable control can be set up but may not be effective unless the system access supports the control as configured (for example: a user with super user access can just change the configured control setting).
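The Segregation of Duties, System Access and configurable-control passages above describe what an auditor tests but not how. The following is an added example (not from the GitLab handbook) of an auditor-style test over a constructed user/role export: it flags users holding more than one of the three duties the handbook names (authorize, record, custody) and users whose super-user access could override a configured control. The role names, the duty mapping and the export format are assumptions.

```python
from collections import defaultdict

# Assumed mapping of (hypothetical) application roles to duty categories.
ROLE_DUTIES = {
    "invoice_approver": {"authorize"},
    "gl_poster": {"record"},
    "payment_release": {"custody"},
    "ap_clerk": {"record"},
    "sysadmin": {"authorize", "record", "custody", "superuser"},
}

def parse_export(text):
    """Parse 'user,role' lines into {user: set(roles)}; skips blanks and comments."""
    access = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, role = (part.strip() for part in line.split(",", 1))
        access[user].add(role)
    return dict(access)

def duties_for(roles):
    """Union of duty categories granted by a user's roles (unknown roles grant none)."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties

def sod_conflicts(access):
    """Return {user: sorted duties} for users holding two or more of the core duties."""
    core = {"authorize", "record", "custody"}
    findings = {}
    for user, roles in access.items():
        held = duties_for(roles) & core
        if len(held) > 1:
            findings[user] = sorted(held)
    return findings

def superusers(access):
    """Users whose access lets them change configured control settings."""
    return sorted(u for u, r in access.items() if "superuser" in duties_for(r))

# Constructed sample export, not real GitLab data.
SAMPLE_EXPORT = """\
alice,invoice_approver
alice,gl_poster
bob,ap_clerk
carol,payment_release
dave,sysadmin
"""

if __name__ == "__main__":
    acc = parse_export(SAMPLE_EXPORT)
    print(sod_conflicts(acc))  # {'alice': ['authorize', 'record'], 'dave': ['authorize', 'custody', 'record']}
    print(superusers(acc))     # ['dave']
```

Each finding is a sample the tester would then trace to a compensating control (for example, an independent management review) before concluding on the control's effectiveness.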

Disclosure Committee Charter (effective 2019-10-17)

Model Disclosure Committee Charter by SEC.

GitLab has adequate internal controls and disclosure procedures in place to ensure that its periodic reports, quarterly earnings releases, proxy statements and registration statements are accurate and complete, and upon which the senior officers of the company have relied in making decisions on disclosure issues in connection with such public disclosures.

The company’s current internal processes have been memorialized in various locations in the handbook, but shall be summarized separately as a table on this page entitled, “GitLab’s Disclosure Controls Policy and Procedures,” to be prepared as soon as possible.

The company’s disclosure controls and procedures serve the purpose to help appropriate personnel make decisions on disclosure issues.

The United States Securities and Exchange Commission (the SEC) adopted new rules 13a-14 and 15d-14 under the Securities Exchange Act of 1934, effective as of August 29, 2002, which implement Section 302 of the Sarbanes-Oxley Act of 2002 (the Exchange Act Rules).

The Exchange Act Rules require the company’s chief executive and chief financial officers (each a certifying officer and collectively, the certifying officers) to certify in each of the company’s periodic reports filed with the SEC, among other things, that he is responsible for establishing and maintaining disclosure controls and procedures, and that, as of a date within 90 days prior to the filing date of the applicable report, he has evaluated the effectiveness of the company’s disclosure controls and procedures.

It is necessary and appropriate to establish the GitLab Disclosure committee (the committee), which is intended to implement disclosure controls and procedures necessary to meet the requirements set forth in the Exchange Act Rules and other provisions of the Sarbanes-Oxley Act of 2002.

The company’s chief executive officer and chief financial officer have established the committee pursuant to and vested it with the powers and responsibilities set forth in this charter.

Purpose

The purpose of the committee is to assure that information required to be disclosed by the company in the reports that it files or submits under the Exchange Act is properly recorded, processed, summarized and reported to senior management as appropriate to allow timely decisions regarding required disclosure. The committee will also evaluate the adequacy of the company’s disclosure controls and procedures with respect to its periodic reports and quarterly earnings releases.

Members

The committee shall consist of the following individuals as each holds the corresponding position within the company:

| Title |
| --- |
| Chief Financial Officer |
| Principal Accounting Officer |
| Senior Technical Accounting Manager |
| Accounting and External Reporting Manager |
| Senior Internal Audit Manager |
| Vice President of Investor Relations |
| Vice President of FP&A |
| Chief Legal Officer |
| Director of Risk and Compliance |

In addition, internal audit shall serve as an ex-officio participant of the committee. Ex-officio participants will not have the right to vote at committee meetings. The committee members may call on other company team members to participate in committee meetings as needed, but such team members will not have the right to vote at committee meetings. The chair and co-chair of the committee shall have the authority to appoint and remove individuals from the committee as they deem appropriate, provided they notify the chief executive and chief financial officers. Any individuals appointed as successors to the above positions shall succeed that member of the committee, unless the chair and co-chair direct otherwise.

Meeting

The primary channel of work will be GitLab issues or the GitLab Slack channel #disclosure-committee, where all committee members have access to the information, discussion, conclusions and action plans.

The committee shall meet at the discretion of the chair and co-chair, provided that the committee shall meet not less than once per quarter. This will coincide with public filings of the Company. The chair or co-chair may call meetings by providing a minimum of 24 hours advance notice of the time of the meeting to all members of the committee.

The chair or co-chair may designate an assistant secretary to assist the secretary in keeping minutes of the committee meetings as appropriate to record the meetings and decisions taken with respect to disclosure issues. The minutes (or a briefing of the issues discussed and decisions taken with respect to disclosure issues) of each meeting will be distributed to the chief executive and chief financial officers.

Functions

In order to achieve its purpose, the committee will perform two functions. First, it will identify and consider disclosure issues in connection with the preparation of periodic reports and quarterly earnings releases and participate in the review of such disclosures. Second, it will undertake a quarterly evaluation of the company’s disclosure controls and procedures.

  1. Identification and consideration of disclosure issues

    The members of the committee will continue to follow the internal processes set forth in the disclosure controls and procedures documented by the company pertaining to the preparation of periodic reports required by the federal securities laws and the preparation of quarterly earnings releases. As part of this process, the committee shall:

    • Review the company’s periodic reports, with a particular focus on “Management’s Discussion and Analysis of Financial Conditions and Results of Operations” and the “Financial Statements and Footnotes to the Financial Statements”.
    • Review and discuss with the controller’s group whether the company’s periodic reports and earnings releases provide a fair presentation of the company’s financial condition, results of operations and cash flows.
    • Assess the materiality of specific events, developments or risks to the company.
    • Review financial reporting issues that are significant to the company and other material reporting matters where the person primarily responsible for such matters made significant judgments (either independently or in consultation with others).
  2. Evaluation of disclosure controls and procedures

    Each quarter, the committee shall review and evaluate the effectiveness of the company’s procedures for recording, processing, summarizing and reporting information required to be disclosed by the company in its Exchange Act filings. As part of this review and evaluation, in connection with the preparation of the company’s annual report, the committee will assess the effectiveness of the company’s internal control structure and procedures for financial reporting.

    The committee shall submit a written report documenting its quarterly conclusions about the effectiveness of the disclosure controls and procedures and annual assessment of the internal control structure and procedures for financial reporting to the company’s chief executive and chief financial officers. Such reports shall be submitted as soon as practicable after the respective reporting period.

Timetable for the preparation of annual and quarterly reports

| Days Prior to Filing Date | Task | Responsible Parties |
| --- | --- | --- |
| More than 30 days | Appoint principal draft personnel | Certifying officers |
| 30 days | Begin drafting report and collect information | Principal draft person |
| 20 days | Distribute initial draft to certifying officers, disclosure committee and business decision makers | Principal draft personnel |
| 20 days | Distribute supporting materials to certifying officers and disclosure committee | Principal draft personnel |
| 18 – 20 days | Review draft and commence meetings | Certifying officers, disclosure committee and personnel responsible for business of subsidiaries, divisions or departments, and key geographic regions (the business decision makers) |
| 18 days | Provide initial comments to principal draft personnel | Certifying officers, disclosure committee and business decision makers |
| 15 – 18 days | Certifying officers discuss with senior accounting staff and business decision makers | Certifying officers and business decision makers |
| 15 days | Provide comments to principal draft personnel | Certifying officers, disclosure committee and business decision makers |
| 12 days | Provide revised draft to certifying officers, disclosure committee and business decision makers, and initial draft to outside auditors and outside counsel | Principal draft personnel |
| 10 – 12 days | Review draft | All parties |
| 9 – 10 days | Certifying officers meet with outside auditors | Certifying officers and outside auditors |
| 9 days | Provide comments to principal draft personnel | All parties |
| 7 days | Distribute revised draft to all parties and audit committee | Principal draft personnel |
| 5 days | Certifying officers and disclosure committee meet with audit committee | Certifying officers, disclosure committee and audit committee |
| 5 days | Audit committee meeting | Audit committee, CFO, outside auditors and outside counsel |
| 4 days | Distribute substantially final draft to all parties | Principal draft personnel |
| 2 – 4 days | Provide final comments | All parties |
| 1 – 2 days | Finalize and EDGARize report | Principal draft personnel |
| Filing Date | File report | Principal draft personnel |

Appointment of principal draft person

The principal accounting officer shall initially serve as the principal draft person of the company’s annual and quarterly reports. The principal draft person shall be responsible for preparing and filing each report; coordinating meetings between the certifying officers and committee, the audit committee, and the company’s outside auditors; working with counsel; coordinating the receipt of comments and implementation of changes suggested by all persons involved in the review of each report; and ensuring that the timetable for preparation of each report is followed.

Amendments

The committee shall review and reassess the adequacy of the committee’s charter at least annually. If the committee deems it necessary or appropriate to revise the charter, it may submit proposed revisions first to the company’s chief financial officer and then to the chief executive officer for review and approval. This charter may be amended upon written direction or approval from the chief executive officer and chief financial officer of the company, provided they notify the company’s audit committee of such amendment.

GitLab’s Disclosure Controls Policy and Procedures

Purpose

This policy documents the overall controls and procedures designed to ensure the quality and accuracy of disclosures made in GitLab’s quarterly and annual public filings with the US Securities and Exchange Commission.

Policy

Overall controls are established to ensure that a schedule of events and a responsibility list are developed for each reporting period, and that disclosable items are identified with sufficient lead time to allow for:

This is intended to:

  1. Enhance the completeness and accuracy of the information reported in quarterly SEC filings,
  2. Facilitate the timely certification of quarterly SEC filings by business unit, disclosure committee, and audit committee personnel, and
  3. Ensure the timely, composed satisfaction of increasingly stringent quarterly SEC filing deadlines.

Responsible Parties

| Function | Title |
| --- | --- |
| Financial Reporting | Principal Accounting Officer, Senior Technical Accounting Manager and Accounting and External Reporting Manager |
| Accounting | Principal Accounting Officer, Controller and Senior Accounting and Operations Manager |
| Finance | Principal Accounting Officer, Controller and Vice President of Finance |
| Legal | General Counsel and Vice President of Legal |
| Business Operations, forecasting and planning | Vice President of Finance, Vice President of Financial Planning and Analysis |
| Compliance | Director of Risk and Compliance |
| Tax | Director of Tax |

Procedures

Quarterly Process: The “working group” is defined as a committee composed of representatives from the following business units: Financial Reporting, Accounting, Finance, Legal, Business Operations, forecasting and planning, Compliance and Tax. The working group is primarily responsible for tasking the appropriate business unit individuals with ensuring the completeness, accuracy, and timeliness of information related to significant disclosable items. The working group reports directly to the disclosure committee.

Key Control # DC.01

  1. Accounting and External Reporting Manager will be responsible for:

    1. Updating the Footnote/Disclosure Matrix on a quarterly basis for all disclosable items,
    2. Ensuring the timely receipt of a properly prepared Disclosure Cover Sheet for each disclosable item, and
    3. Warehousing this documentation within the Workiva tool.
  2. An initial draft of the 10-Q, along with the Footnote/Disclosure Planning Record modified to include draft references, is made available for business unit review by the specified deadline. Any comments from business unit personnel are due to their corresponding working group representatives by the end of the comment period. The working group representatives filter the comments from their respective business units and present a unified set of suggestions to the financial reporting representative, who then routes the comments to the appropriate financial reporting personnel for final disposition. A revised draft of the 10-Q (and the accompanying Footnote/Disclosure Planning Record) is completed by the agreed-upon date.
  3. Comments from the disclosure committee are received, incorporated into the 10-Q (and the accompanying Footnote/Disclosure Planning Record) and communicated to the audit committee.
  4. The 10-Q is formally filed with the SEC by the due date.
  5. The goal is to file the 10-Q the day after, or shortly after, the earnings release.