SEC Reporting and Audit Requirements

The Securities and Exchange Commission enforces a comprehensive framework of financial reporting and audit obligations that apply to public companies, registered investment advisers, broker-dealers, and other regulated entities operating in US capital markets. These requirements span periodic financial disclosures, mandatory independent audits, internal control attestations, and auditor oversight through the Public Company Accounting Oversight Board (PCAOB). The framework is grounded in statutes including the Securities Exchange Act of 1934, the Sarbanes-Oxley Act of 2002, and implementing rules codified in Title 17 of the Code of Federal Regulations. Understanding the structure, triggers, and boundaries of these obligations is foundational for any entity subject to SEC jurisdiction.

• Definition and scope
• Core mechanics or structure
• Causal relationships or drivers
• Classification boundaries
• Tradeoffs and tensions
• Common misconceptions
• Checklist or steps (non-advisory)
• Reference table or matrix
• References

Definition and scope

SEC reporting requirements are mandatory disclosure obligations imposed on entities that issue publicly traded securities or that register in a regulated capacity under federal securities law. The primary statutory authority is the Securities Exchange Act of 1934, which directs the SEC to prescribe forms and rules governing the content, frequency, and certification of financial reports filed with the Commission. Those reports must include financial statements audited by an independent registered public accounting firm — a firm registered with and subject to inspection by the PCAOB.

The scope of SEC audit requirements extends beyond the annual financial statement audit. It encompasses:

• Annual audited financial statements filed on Form 10-K (domestic issuers) or Form 20-F (foreign private issuers)
• Internal control over financial reporting (ICFR) assessments under Sarbanes-Oxley Act Section 404
• Quarterly unaudited financial statements reviewed (not audited) by the independent auditor under PCAOB Auditing Standard 4105
• Auditor attestation of management's ICFR assessment for accelerated and large accelerated filers under SOX Section 404(b)

The financial-audit-types-explained resource provides broader context on how the SEC audit sits within the full spectrum of financial audit categories.

Core mechanics or structure

Periodic Reporting Forms

The SEC's periodic reporting system operates through a defined schedule of filings. Domestic issuers classified as reporting companies under Section 12 or Section 15(d) of the Exchange Act file:

• Form 10-K: Annual report containing audited financial statements, MD&A (Management Discussion and Analysis), and ICFR disclosures. Large accelerated filers (public float of $700 million or more) (17 C.F.R. § 240.12b-2) must file within 60 days of fiscal year-end; accelerated filers within 75 days; non-accelerated filers within 90 days.
• Form 10-Q: Quarterly report containing unaudited financial statements subject to auditor review. Filed within 40 days (accelerated filers) or 45 days (non-accelerated filers) of each of the first three fiscal quarters.

The Audit Process Under PCAOB Standards

Independent audits of SEC registrants must be conducted in accordance with PCAOB Auditing Standards, not GAAS alone. Key standards include:

• AS 2101 (Audit Planning)
• AS 2201 (Internal Control Over Financial Reporting)
• AS 3101 (The Auditor's Report on an Audit of Financial Statements)

The auditor issues an opinion on whether financial statements are presented fairly in all material respects in conformity with US GAAP (or IFRS for eligible foreign private issuers). For accelerated filers, the auditor also issues a separate opinion on the effectiveness of ICFR under AS 2201.

The pcaob-standards-for-financial-audits page details the specific standards applicable to SEC-registered audits, including the integrated audit framework.

Auditor Registration and Independence

All auditors of SEC issuers must be registered with the PCAOB (Section 102 of SOX). Auditor independence rules are codified in 17 C.F.R. Part 210, Rule 2-01, which prohibits financial, employment, business, and certain non-audit service relationships that impair independence. The SEC enforces independence requirements independently of the AICPA's ethical standards.

Causal relationships or drivers

The SEC's audit and reporting framework is driven by three interlocking forces: investor protection mandates, market integrity concerns, and documented failure episodes that prompted statutory expansion.

Market failures as statutory catalysts: The Securities Exchange Act of 1934 followed the 1929 market collapse and subsequent congressional findings that inadequate disclosure contributed to systemic losses. The Sarbanes-Oxley Act of 2002 followed accounting frauds at Enron, WorldCom, and Adelphia, where auditor failures and management misrepresentation caused aggregate market losses exceeding $100 billion (as documented in the Senate Committee on Banking, Housing, and Urban Affairs report, 2002). Each statutory expansion maps to a specific failure category.

Information asymmetry: Public investors cannot directly observe company operations. Mandatory audited disclosures are structured to reduce the information gap between management and capital markets. The SEC's disclosure system — including the EDGAR filing database — centralizes public access to these reports.

Auditor incentive structures: Because issuers pay audit fees, independence requirements address the conflict between auditor economic dependence on the client and the auditor's obligation to investors. The PCAOB's annual inspection program, established under SOX Section 104, produces inspection reports that identify audit deficiencies at registered firms and create public accountability pressure.

Entity growth triggers: Registration thresholds trigger incremental reporting obligations. A company that crosses $10 million in total assets and has a class of equity securities held by 2,000 or more persons of record (or 500 non-accredited investors) becomes subject to Exchange Act Section 12(g) registration (15 U.S.C. § 78l(g)).

Classification boundaries

SEC reporting entities fall into distinct categories that determine the applicable filing schedule, ICFR requirements, and auditor attestation obligations:

Large accelerated filer: Public float of $700 million or more. Subject to SOX 404(a) management assessment AND SOX 404(b) auditor attestation of ICFR.

Accelerated filer: Public float of $75 million or more but less than $700 million. Subject to both 404(a) and 404(b).

Non-accelerated filer: Public float below $75 million. Subject only to 404(a) management assessment; auditor attestation under 404(b) is not required (SEC Final Rule, Release No. 33-10825, 2020).

Smaller reporting company (SRC): Public float below $250 million or annual revenues below $100 million (with no public float or a float below $700 million). Eligible for scaled disclosure requirements, including abbreviated financial statement requirements.

Emerging growth company (EGC): A company with annual gross revenues below $1.235 billion in its most recent fiscal year, as adjusted periodically by the SEC under the JOBS Act of 2012. EGCs are exempt from SOX 404(b) auditor attestation for up to five fiscal years post-IPO.

Foreign private issuers: File on Form 20-F rather than 10-K; may use IFRS as issued by the IASB without reconciliation to US GAAP (SEC Rule 3-19 and Form 20-F instructions).

The boundary between SEC-reporting and non-reporting entities also affects which audit standards apply — an important distinction addressed in internal-vs-external-audit-differences.

Tradeoffs and tensions

Compliance cost versus disclosure quality

SOX 404(b) auditor attestation imposes significant costs. A 2011 SEC study found that smaller accelerated filers reported average ICFR audit costs of approximately $1.5 million annually (SEC Office of Economic Analysis, Study of the Sarbanes-Oxley Act Section 404, 2011). The legislative tension between investor protection (favoring broader attestation coverage) and capital formation concerns (favoring exemptions for smaller companies) has produced successive threshold adjustments since 2002 — with non-accelerated filers permanently exempted from 404(b) beginning with the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Pub. L. 111-203, § 989G).

Auditor concentration and systemic risk

Four firms — Deloitte, Ernst & Young, KPMG, and PricewaterhouseCoopers — audit a large share of SEC-registered public companies by market capitalization. PCAOB inspection reports and academic literature have raised concerns that concentration limits the competitive discipline that might improve audit quality. The SEC's auditor independence framework cannot fully resolve structural market dynamics.

Principles-based versus rules-based standards

PCAOB standards are more prescriptive than IAASB International Standards on Auditing (ISA), which foreign audit regulators apply. Tension exists between the SEC's domestic PCAOB mandate and the SEC's acceptance of IFRS-based financials for foreign private issuers — creating parallel regimes where the same underlying transaction is audited under materially different procedural standards depending on registrant classification.

Timeliness versus completeness

Accelerated filing deadlines (60 days for large accelerated filers) create pressure on audit completion timelines. The SEC's acceleration of filing deadlines — implemented through Release No. 33-8128 (2002) — reduced windows that previously allowed 90 days for annual reports, generating ongoing tension between deadline compliance and audit thoroughness.

Common misconceptions

Misconception: All SEC-registered companies require a SOX 404(b) auditor attestation.
Correction: Non-accelerated filers and emerging growth companies are explicitly exempt from SOX 404(b). Only accelerated and large accelerated filers must obtain the auditor's attestation on ICFR effectiveness (SEC Release No. 33-10825, 2020).

Misconception: The SEC itself conducts the financial statement audit.
Correction: The SEC does not perform audits. Independent registered public accounting firms registered with the PCAOB conduct audits. The SEC reviews filed financial statements through its Division of Corporation Finance and may issue comment letters, but those reviews are not audits under PCAOB standards.

Misconception: A clean audit opinion means no fraud occurred.
Correction: An unqualified (clean) audit opinion attests that financial statements are free of material misstatement, whether due to error or fraud, to a reasonable assurance level — not absolute assurance. The qualified-vs-unqualified-audit-opinion page explains the precise scope of each opinion type under AS 3101.

Misconception: Form 10-Q financial statements are audited.
Correction: Quarterly financial statements are reviewed, not audited. The independent auditor performs a review engagement under PCAOB AS 4105, which provides limited — not reasonable — assurance. A review does not include the same evidence-gathering procedures as a full audit.

Misconception: Investment advisers registered with the SEC face the same audit requirements as public companies.
Correction: Registered investment advisers are subject to a separate audit framework under the SEC's Custody Rule, Rule 206(4)-2 under the Investment Advisers Act of 1940, which requires annual surprise examinations or audited financial statements — not a PCAOB-standard integrated audit.

Checklist or steps (non-advisory)

The following sequence describes the structural phases of an SEC annual reporting and audit cycle for a domestic accelerated filer. This is a descriptive framework, not professional guidance.

1. Determine filer classification: Confirm public float as of the last business day of the second fiscal quarter to establish deadlines and 404(b) applicability per 17 C.F.R. § 240.12b-2.

2. Engage an independent registered public accounting firm: Confirm PCAOB registration status via the PCAOB registration database. Document the engagement scope in a written engagement letter consistent with PCAOB AS 1301 (Communications with Audit Committees).

3. Conduct management's ICFR assessment: Management evaluates ICFR using a recognized framework — the COSO Internal Control — Integrated Framework (2013) is the most widely cited reference in SEC filings.

4. Complete financial statement audit: Auditor performs risk assessment, plans and executes procedures under PCAOB Auditing Standards, and accumulates sufficient appropriate evidence.

5. Complete ICFR audit (404(b) filers): Auditor performs the integrated audit per PCAOB AS 2201, identifying and testing controls over significant accounts and disclosures.

6. Obtain auditor's reports: Receive the report on financial statements (AS 3101) and, for 404(b) filers, the report on ICFR effectiveness.

7. Prepare and review Form 10-K: Include audited financial statements, management's ICFR assessment, auditor's reports, MD&A, and all required item disclosures per Regulation S-K and Regulation S-X.

8. CEO and CFO certifications: Execute Sections 302 and 906 certifications attesting to disclosure accuracy and ICFR assessment per SOX.

9. File via EDGAR: Submit Form 10-K through the SEC EDGAR system by the applicable deadline (60, 75, or 90 days post-fiscal year-end).

10. Monitor for SEC comment letters: Track EDGAR for any Division of Corporation Finance review correspondence and respond within the 10-business-day standard general timeframe.

The sarbanes-oxley-section-404-audit-requirements page provides detailed procedural treatment of steps 3 through 6 above.

Reference table or matrix

SEC Filer Classification and Audit Obligation Summary