The Sarbanes-Oxley Act of 2002 (SOX) is a federal law that established auditing and financial regulations for the financial reporting of public companies. It was passed to increase transparency in corporate financial reporting and to require a formalized system of checks and balances in each company, thereby helping protect investors from fraudulent financial reporting. SOX applies to all publicly traded companies in the United States, as well as to their wholly-owned subsidiaries and to foreign companies that are publicly traded and do business in the United States.
To build investor confidence, the SOX regulations require the following:
CEOs and CFOs are directly responsible to the SEC for the accuracy, documentation, and submission of all financial reports, as well as for the internal control structure.
The Internal Control Report must state that management is responsible for an adequate internal control structure over its financial records. Any shortcomings must be reported up the chain as quickly as possible for transparency.
Companies should develop and implement a comprehensive data security strategy that protects all financial data stored and used during normal operations.
Companies must maintain and provide documentation proving that they are compliant and that they are continuously monitoring and measuring their SOX compliance objectives.
An external auditor must independently assess and certify the adequacy of controls over all known risks to financial reporting.
Formal penalties for non-compliance with SOX can include fines, removal from listings on public stock exchanges, and invalidation of D&O policies. Under the Act, CEOs and CFOs who wilfully submit an incorrect certification in a SOX compliance audit can face fines and/or imprisonment.
SOX Compliance Roadmap for GitLab
As GitLab is planning to go public in November 2020, it is important that we prepare to comply with SOX ahead of listing, as the consequences of non-compliance can be severe. Below are some of the important requirements we will need to adhere to:
Points to note:
In the first year, an "exemption" is allowed for a new public company on 10-K certification under section 404(a); therefore, the 10-K 404(a) certification can be submitted for GitLab from FY 2022 (the 2nd year) onwards.
Additionally, the external audit opinion on internal controls, which is required under section 404(b), is temporarily exempt for Emerging Growth Companies (EGCs) for the first five years. While GitLab currently qualifies as an EGC, note that this exemption is withdrawn if the EGC criteria are not satisfied in any year.