Going Public Through a SPAC: Considerations for Sarbanes-Oxley (SOX) Compliance
- Published: Oct 27, 2025
Special Purpose Acquisition Companies (SPACs) give target companies an accelerated timeline, compared to traditional IPOs, both for going public and for Sarbanes-Oxley (SOX) compliance. The Sarbanes-Oxley Act is a federal law that outlines the importance of transparency, accuracy, and reliability of financial reporting. The Act strives to protect investors, making it imperative to maintain compliance, especially when going public through a SPAC. For SPACs, the typical grace period for newly public companies applies most commonly to the date the SPAC went public, not the date the de-SPAC transaction was completed, and the de-SPAC does not trigger another grace period. Once it is determined that SOX compliance and reporting is required, the question often becomes whether management alone, or both management and the company's auditors, are required to opine on the effectiveness of the internal controls over financial reporting (ICFR), that is, compliance with SOX 404a or SOX 404b, respectively. Note that the maximum of 5 years of Emerging Growth Company status runs from the date of the SPAC IPO, if the thresholds for SOX 404b are not triggered earlier.
Additionally, the SOX 302 certification requires the CEO and CFO to personally certify the accuracy and effectiveness of the financial reporting and disclosure controls beginning with the first quarterly financials. There is no grace period for compliance with SOX 302.
Key Takeaways:
- SPACs have a faster timeline for going public compared to traditional IPOs, requiring quicker compliance with SOX regulations, specifically regarding internal controls over financial reporting.
- Companies undergoing the de-SPAC process need to be vigilant about SOX compliance considerations and understand exemptions and requirements, such as SOX 404a and 404b, while emphasizing proactive preparation.
Understanding the SPAC Process
For companies going public through the traditional IPO route, there is a grace period to comply with SOX during their first annual reporting period. However, for SPACs, the typical grace period for newly public companies applies most commonly to the date the SPAC went public, not the date the de-SPAC transaction was completed. This may be the case if the SPAC’s 8-K is amended to include the target company’s prior-year financials. Once it is determined that SOX compliance and reporting is required, the question becomes whether management or both management and the company’s auditors are required to opine on the effectiveness of the internal controls over financial reporting (ICFR) and compliance with SOX 404a or SOX 404b, respectively.
The de-SPAC Process: Considerations and a Sample Timeline
The de-SPAC process is when a private company merges with a publicly listed SPAC, making it publicly traded. If the company has completed the de-SPAC process, it needs to be aware of the various SOX compliance considerations.
| May Be Exempt from SOX Reporting | Management’s Attestation (SOX 404a) | Management and Auditor’s Attestation (SOX 404b) |
|---|---|---|
| | | |
Some de-SPAC transactions may require SOX 404a or 404b compliance in the year the transaction is completed. Below is a comparison sample timeline detailing SOX compliance requirements for a SPAC vs a company going public through a traditional IPO.

Challenges and Best Practices for SOX Compliance
As a SPAC, it can be difficult to establish SOX compliance and even more challenging to maintain it. Because a SPAC merger has a quicker turnaround, most companies have less time to proactively establish controls and safeguards, which can lead to operational disruptions, reporting discrepancies, and resource constraints.
Once it is determined which compliance framework, SOX 404a or SOX 404b, is required, the company should immediately begin implementing internal controls to establish and maintain federal compliance. Compared to traditional IPOs, this process needs to start sooner rather than later to meet the expedited deadlines and avoid potential risks and penalties.
Best practices for SPACs wanting to achieve SOX compliance include, but are not limited to:
- Establish internal controls over reporting and documentation processes for accuracy and safety
- Assign responsibilities and system access to specific individuals
- Integrate innovative technologies to automate, track, and manage systems
- Evaluate and test controls
- Identify gaps and solutions to mitigate risks
By following these practices, companies are better positioned to foster a company-wide environment of compliance, mitigate risks, and follow their outlined SOX requirements.
Finding SOX Compliance with an Experienced Partner
Working with a team of professionals is a proactive compliance solution. At EisnerAmper, our SOX compliance team combines decades of industry experience, innovative technologies, and a collaborative approach to navigate evolving compliance requirements and enhance processes successfully. To learn more about how our team can guide you on your journey to going public, contact us below.
