
Establishing Critical Controls for Equity Plans

June 19, 2024

Effective management of equity compensation programs involves complex processes, financial reporting, and compliance with tax laws and other requirements. Equity plans also involve material amounts of P&L expense, taxable income, and, of course, stockholders’ equity, making administration of these plans an area of high risk for the granting corporation. This complexity and risk warrant robust internal controls to ensure compliance, accuracy, and transparency.

Here are four areas in which internal controls are important to administration of your equity plan:

Financial Statement Accuracy

Stock compensation directly impacts a company’s financial statements; for many companies—both public and private—it is a significant component of the P&L. Anyone who has even minimal experience overseeing an equity plan knows that, when it comes to financial reporting for the plan, accuracy is paramount.  

Proper financial reporting controls can help you feel confident that:

  • All equity awards have been valued and expensed and all transactions are correctly accounted for.
  • Forecasts of the financial effects of future plan transactions are based on accurate data and assumptions.
  • Your equity plan accounting procedures align with generally accepted accounting principles (GAAP), as promulgated under ASC 718 (and IFRS 2, if applicable).
  • You have done everything in your power to minimize the risk of financial restatements.

Need some ideas? Check out our top ten list of controls for equity plan financial reports.

Tax Compliance

Tax reporting and withholding is another area of high risk for equity plans for both public and private companies. Mishandling tax withholding or failing to properly report income for equity plan transactions can result in penalties from tax authorities. These penalties can apply to stock plan participants as well as the granting corporation.

Here are some of the tax penalties that internal controls can help you avoid:

  • Equity awards that violate Section 409A can be subject to a 20% penalty plus interest at the penalty rate plus 1%. This penalty is imposed on stock plan participants; if paid by the company, it will result in additional income (and more tax) for the participant.
  • Failure to properly report the income for equity awards on Forms W-2 can result in penalties for the granting corporation. These penalties are adjusted annually for inflation and vary based on when the correct form is filed and whether the failure involves intentional disregard. The penalties are doubled if both the return filed with the IRS and the statement distributed to the participant are incorrect.
  • The company’s failure to properly report the income for equity awards on Forms W-2 can also cause participants to report the wrong amount of income on their tax returns. If the error involves underreporting of income and is corrected after the deadline to file the returns, participants can also be subject to penalties for underpayment of their taxes. In a worst-case scenario, the company might find itself defending lawsuits from participants over these penalties.
  • The penalties to the company for underwithholding on equity plan transactions can equal 100% of the amounts that should have been withheld, plus interest and administrative penalties. Penalties for late tax deposits start at 2% and can climb to 15%, depending on when the deposit is completed.
  • Failure to properly report ISO and ESPP transactions on Forms 3921 and 3922 can result in the same penalties that apply to W-2 reporting failures (and are also doubled if the failure relates to both the return filed with the IRS and the statement distributed to the participant).

And those are just the US federal tax penalties! There can be additional penalties at the state and local level. Many other countries also have tax withholding and reporting requirements and associated penalties.

Read our tips for auditing tax-related data for equity plan transactions.

Sarbanes-Oxley (SOX) Compliance

Public companies are required to implement certain controls under Section 404 of the Sarbanes-Oxley Act (SOX). In addition, SOX Section 302 requires public company CEOs and CFOs to personally certify the accuracy of the company’s financial records and effectiveness of its financial controls. These SOX mandates are intended to protect investors and the public from accounting errors and fraudulent practices.

To comply with SOX, public companies generally need the following controls:

  • Written documentation of stock plan procedures.
  • Appropriate processes to ensure compliance with relevant laws, monitor and review equity plan activities, and audit equity plan transactions and controls.
  • Separation of duties.
  • Security protocols to ensure that only authorized individuals can access equity plan data.

The NASPP’s Ethics & Compliance in Equity Compensation Series includes a great course on “Critical Financial Controls for Equity Plans” that will help you understand the SOX controls that are essential for an equity plan, including best practices that your auditors will love to see.

Prevention of Fraud

In my experience, stock plan administrators are overwhelmingly an honest and conscientious group of people. But even so, fraud occasionally happens. The potential for fraudulent activities, such as unauthorized (or inappropriate) equity grants or manipulation of vesting schedules or option exercises, necessitates strong internal controls. All companies, public and private, must have controls in place to protect the company from fraud. Segregation of duties, regular audits, and automated systems for tracking stock grants and exercises help detect and deter fraudulent activities.

Clawback Policies Increase Pressure on Internal Controls

Now that public companies are required to adopt policies for recoupment of officers’ incentive-based compensation in the event of a restatement (including little “r” restatements), mismanagement of your equity plan could be costly not only for the company and, in the case of tax compliance failures, the affected participants; it could also be personally costly for your company’s executive officers. Talk about a career-limiting situation!

Equity Plan Audit Processes

So much data to audit! Below is a list of some of the most common audit procedures companies implement for their equity plans.

Personnel Data: Participants’ employment status, termination and separation from service events, leaves of absence (if applicable), address changes, and transfers to new departments or business entities.

Grant Issuances: When equity awards are granted, perform a three-way audit comparing grant recommendations to grants approved and grants recorded. Validate that grants are properly approved and comply with any established grant guidelines.

Transactions: Reconcile shares issued under equity plan transactions with your transfer agent records.

FMVs: Review the stock price values recorded in your equity platform for accuracy—an incorrect value can have significant financial reporting and tax implications.

Tax Records: Review the taxable income and withholding recorded for equity plan transactions.

Financial Records: Audit quarterly financial reports to ensure that all grants are included and appropriately valued and plan expense is recorded correctly.

Plan Limits: Maintain a list of restrictions and limits in your equity plan (such as the number of shares available for grant or a minimum vesting requirement) and review plan transactions regularly for compliance.

Form S-8/Rule 701: When issuing new grants, audit plan balances to ensure that the grants will not exceed the number of shares available under the company Form S-8 registration (for public companies) or Rule 701 exemption from registration (for private companies).

Section 16 Insiders: On at least an annual basis, reconcile insider ownership records to their Section 16 filings to ensure that all their transactions have been reported.

ESPP Purchases: Audit employment statuses, contributions, currency exchange rates, and other key data before each purchase.

Security: Audit team member access to stock plan records on at least an annual basis.

Control Documentation: Regularly review and update your documented procedures to ensure that they reflect your current processes. 

By Barbara Baksa

Executive Director

NASPP