

Recent changes to the Federal Deposit Insurance Corporation Improvement Act (FDICIA) thresholds have exempted hundreds of community banks from required attestations on internal controls over financial reporting (ICFR). But don’t celebrate yet! Barring any exemptions for Emerging Growth Company status, if your financial institution is a public company with a public float exceeding $75 million and revenues exceeding $100 million, you will be subject to the more rigorous demands of the Sarbanes-Oxley Act (SOX). In the current high-interest-rate environment, we’re seeing banks as low as $2 billion in assets exceed these thresholds.
While both frameworks aim to strengthen internal controls and financial reporting, SOX introduces a significantly higher level of scrutiny, documentation, and executive accountability. For audit leaders, this transition presents an opportunity to enhance the control environment while demonstrating value to the board and external stakeholders.
Under SOX Section 404(a), all public companies must have management assess and report on ICFR. Section 404(b) adds the external auditor attestation for accelerated and large accelerated filers. A company is considered an accelerated filer when its public float is between $75 million and $700 million and its annual revenues surpass $100 million.
See the full SEC guidance for:
Refer to the chart below for filing status and deadlines.
Note: For banks and similar financial institutions, total revenues include all gross income from traditional banking activities—such as interest on loans and investments, dividends, loan origination fees, trust and investment service fees, commissions, brokerage fees, mortgage servicing income, and other banking-related fees.

Banks approaching SOX compliance are encouraged to begin preparations well before the requirements become mandatory. Taking early action can help avoid reportable deficiencies during the first year of compliance and ease the adjustment to more demanding regulations.
Preparing for SOX compliance introduces a more intensive audit and control environment. Institutions can expect several changes, including:
In addition to compliance, strong internal controls reduce risk and protect a company’s reputation. They serve as a frontline measure for accuracy, reliability, and security across business processes. With thoughtful design and consistent application, these controls can limit the likelihood of mistakes or irregularities that might otherwise lead to financial setbacks or regulatory issues.
A mature control environment reflects a company’s dedication to transparency and responsible operations. This commitment can strengthen relationships with investors, customers, and employees by reinforcing confidence in how the organization is managed. Conversely, when controls break down, the consequences can negatively affect investor trust and competitive standing. By building a resilient framework, organizations position themselves for long-term credibility and sustainable growth.
While FDICIA compliance may have established the basis for sound internal controls at your institution, SOX compliance requires coordination across finance, operations, IT, and governance teams.
At Elliott Davis, we have extensive experience assisting banks nationwide in preparing for FDICIA and SOX compliance. Our Financial Services ICFR program includes four pillars:

If your internal audit team is preparing for SOX, or simply wants to advance its ICFR program, contact Elliott Davis today to schedule a readiness consultation.
The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.