JOBS Act and SOX compliance
In early April, President Barack Obama signed the Jumpstart Our Business Startups (JOBS) Act, a bipartisan bill meant to create jobs and stimulate U.S. economic activity. The main vehicle the act uses to achieve these broad objectives is easing the burden that the Sarbanes-Oxley Act (SOX) places on new public companies. The intent is for this eased regulatory burden to encourage more companies to go public, stimulating economic growth and creating jobs.
The bottom line is the JOBS Act probably won’t have any effect on the average enterprise's SOX 404(b) requirements if it is already a publicly traded company.
What does this act mean to IT compliance professionals? With the arrival of the JOBS Act, Sarbanes-Oxley compliance requirements are bound to change, or are they? As with many compliance questions, the answer is, “It depends.” In this tip, we'll first take a look at the general provisions of SOX as they apply to IT controls, and then, in that context, discuss the impact of the JOBS Act.
Sarbanes-Oxley Act overview
The Sarbanes-Oxley Act passed Congress in 2002 as a response to events surrounding Enron Corp., Worldcom Inc. and other corporate accounting scandals that plagued the financial industry during the early years of this century. SOX contains many wide-ranging provisions covering 11 corporate governance principles, including:
- Oversight of public accounting firms;
- Independence requirements for auditors;
- Personal responsibility of corporate officers for financial statement accuracy;
- Increased reporting requirements for financial transactions; and
- Criminal penalties for corporate fraud.
Of these requirements, the most vexing to IT professionals, and the most expensive to implement, are those found in Section 404 regarding internal controls. There are two main provisions of Section 404 that affect public companies:
- Section 404(a) requires management of public corporations include attestations of their internal controls over financial reporting in their quarterly and annual SEC filings.
- Section 404(b) requires external auditors attest to the accuracy of management’s report on internal controls over financial reporting.
The major complaint from small businesses regarding Sarbanes-Oxley requirements is that the cost to comply with Section 404(b) is disproportionately burdensome due to the high fixed costs of internal controls audits. The SEC addressed this somewhat in 2010 by exempting some small companies from Section 404(b) requirements.
JOBS Act changes
The JOBS Act further reduces the population of companies subject to Section 404(b) requirements by creating a new category of firm: the Emerging Growth Company (EGC). EGCs are firms that meet the following requirements:
- Less than $1 billion in revenue during the past fiscal year.
- Must not have sold common equity in an SEC-registered offering before December 8, 2011.
- Must not have accelerated filer status (less than $700M in public equity).
Companies meeting these three requirements are granted EGC status, offering them a reprieve from some Section 404 requirements. This reprieve lasts until one of the following conditions is met:
- Five years elapse from the initial public offering (IPO) date.
- The company exceeds $1 billion in gross revenue.
- The company achieves accelerated filer status (more than $700M in public equity).
- The company issues more than $1 billion in non-convertible debt within three years.
More SOX and compliance resources
FAQ: What is the impact of Sarbanes-Oxley on IT operations?
Learning Guide: SOX compliance for the security practitioner
During the time a company has EGC status, it is not subject to the external auditing requirements of SOX Section 404(b). Under prior law, new companies were exempt from Section 404(b) for a period of two years. Provided a company remains an EGC, the JOBS Act extends this grace period to five years. The intent is to give the company time to grow before incurring the cost burden of internal controls auditing.
The bottom line is the JOBS Act probably won’t have any effect on the average enterprise's SOX 404(b) requirements if it is already a publicly traded company. On the other hand, for those companies on track to eventually go public, JOBS may offer significant relief from reporting obligations and encourage them to go public earlier -- which, after all, is the law’s intent!
About the author:
Mike Chapple, Ph. D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.