The annual report on Form 10-K is the most comprehensive disclosure document a public company files each year. For a newly public company, the first 10-K arrives 60–90 days after the first fiscal year end post-IPO — typically before the management team has fully absorbed the operational demands of being public. Understanding what the 10-K requires — and how it differs from the S-1 — is essential for every CFO and GC.
How the 10-K Differs From the S-1
| Section | In the S-1? | In the 10-K? | Key Differences |
|---|---|---|---|
| Business description (Item 1) | Yes | Yes | 10-K focuses on the full fiscal year; S-1 is forward-looking. Human capital disclosures are more developed in 10-K. |
| Risk factors (Item 1A) | Yes | Yes | 10-K risk factors must be updated to reflect post-IPO risks (lock-up expiration, analyst coverage, quarterly earnings pressure). |
| MD&A | Yes | Yes | 10-K covers the full fiscal year vs. S-1 periods. Must discuss events after the IPO date. |
| Financial statements | Yes — 2-3 years audited | Yes — full fiscal year | 10-K also includes quarterly financial data; first year may have stub period from IPO date. |
| SOX 302 certifications | Not in S-1 | Required — CEO and CFO | CEO and CFO certify accuracy of disclosures and effectiveness of disclosure controls. Criminal liability for knowing false certifications. |
| SOX 906 certifications | Not in S-1 | Required — CEO and CFO | Criminal penalties of up to $5M and 20 years for willful false certification; up to $1M and 10 years for knowing false certification. |
| Internal controls report (404(a)) | Not in S-1 | Second 10-K (typically) | Management assessment of ICFR effectiveness. See SOX 404 guide. |
| Executive compensation tables | Partial — in S-1 | In proxy statement (DEF 14A), incorporated by reference | Full CD&A narrative required in proxy, incorporated into Part III of 10-K. |
| Selected financial data | Eliminated (SEC removed in 2021) | No longer required | SEC eliminated this item in 2021 — no longer required for any registrant. |
The Sarbanes-Oxley Certifications
The 10-K must include two sets of certifications from the CEO and CFO:
- SOX Section 302 Certifications: Filed as Exhibits 31.1 and 31.2. The CEO and CFO certify that: (1) they have reviewed the 10-K; (2) the report does not contain any material untrue statement or mislead by omission; (3) the financial statements fairly present the financial condition and results; (4) they are responsible for disclosure controls and procedures and have designed and evaluated them; (5) they have disclosed any significant changes in internal controls.
- SOX Section 906 Certifications: Filed as Exhibits 32.1 and 32.2 (or combined). Furnished, not filed. Criminal penalties apply for knowing (up to $1M, 10 years) or willful (up to $5M, 20 years) false certifications.
The CEO and CFO Must Personally Understand What They Are Certifying
The SOX certifications are not a formality — they are personal attestations of the accuracy of the financial disclosures and the effectiveness of internal controls. CEOs and CFOs who have never signed a 10-K before should be briefed by securities counsel on exactly what they are certifying, what constitutes a material weakness that must be disclosed, and what the disclosure controls and procedures process requires.
Disclosure Controls and Procedures
The 10-K requires management to evaluate the effectiveness of the company's "disclosure controls and procedures" — the processes designed to ensure that information required to be disclosed is recorded, processed, summarized, and reported on a timely basis. This evaluation is separate from (but related to) the ICFR assessment under SOX 404. A deficiency in disclosure controls can require disclosure even before the SOX 404 assessment is required.
The Proxy Statement Integration
Part III of the 10-K (director information, executive compensation, certain governance information) can be "incorporated by reference" from the proxy statement (DEF 14A). This is standard practice — companies file the proxy statement separately and tell the SEC that Part III of the 10-K is in the proxy. The proxy must be filed within 120 days of the fiscal year end to use this approach. If the proxy is late, Part III must be included directly in the 10-K.
Earnings Release vs. 10-K — The Two-Step Disclosure
Most public companies report fourth-quarter and full-year results via a press release (filed as an 8-K) before the 10-K is filed. The earnings release is typically published 3–4 weeks before the 10-K — providing investors with the headline financial results while the detailed 10-K is being finalized.
This two-step process requires careful coordination:
- The earnings release numbers must exactly match what will appear in the 10-K financial statements
- The auditor must have substantially completed their procedures before the earnings release is issued — most PCAOB auditors will not permit a company to issue results before they have completed their audit work
- Any non-GAAP metrics in the earnings release must be consistent with the definitions and reconciliations in the 10-K
- Forward-looking guidance in the earnings release becomes a reference point against which the 10-K discussion of "subsequent events" and "outlook" is compared by investors
Internal Controls Transition — The First 404(a) Assessment
For most newly public companies, the first SOX 404(a) management assessment appears in the second 10-K — but preparation must begin during the first year. The transition from "no SOX requirement" to "full 404(a) assessment required" is not a binary flip. The process:
- Year 1 (first 10-K — no 404 required): Implement and document SOX controls; identify and remediate any significant deficiencies found during the implementation; train control owners
- Year 2 (second 10-K — 404(a) required): Management performs a formal assessment of ICFR effectiveness using the COSO framework; any identified material weaknesses must be disclosed
- The CEO/CFO certification in the first 10-K: Even before 404(a) is required, the CEO and CFO must certify their evaluation of "disclosure controls and procedures" — a different but related concept. This certification requires management to have actually evaluated whether the controls are working.
Primary References
Form 10-K — Instructions and Requirements
The SEC's official Form 10-K and its instructions — the authoritative source for all 10-K content requirements.
Post-IPO Success Playbook — 10-K and Annual Report Requirements
KPMG's playbook for the first year as a public company — including the 10-K filing requirements, SOX certifications, and first annual report preparation.
The 10-K Filing Timeline
The 10-K has different filing deadlines depending on filer status:
| Filer Status | Annual 10-K Deadline | Threshold |
|---|---|---|
| Large accelerated filer | 60 days after fiscal year end | Public float ≥$700M as of June 30 |
| Accelerated filer | 75 days after fiscal year end | Public float $75M–$700M as of June 30 |
| Non-accelerated filer (including most new IPOs) | 90 days after fiscal year end | Public float <$75M |
Most newly public companies are non-accelerated filers initially (because their June 30 public float is calculated after only a few months of trading). The transition to accelerated filer status occurs when the public float crosses $75M as of the most recent June 30 — which can happen as early as the first summer after the IPO for successful companies. This transition shortens the 10-K deadline from 90 to 75 days and triggers additional compliance obligations.
The Disclosure Committee
Most public companies establish a disclosure committee that reviews and approves all material public disclosures — earnings releases, SEC filings, material 8-K filings, investor presentations, and conference speeches. The disclosure committee is a governance mechanism that helps ensure disclosures are accurate, complete, and consistent with the company's disclosure controls and procedures.
Typical disclosure committee composition:
- Chief Financial Officer (chair)
- General Counsel or Chief Legal Officer
- Chief Accounting Officer or Controller
- Head of Investor Relations
- Chief Executive Officer (for major disclosures)
The disclosure committee typically meets 3–4 weeks before each earnings release and before major SEC filings to review draft disclosures, confirm that material developments have been properly captured, and discuss any ambiguous disclosure judgments. Its conclusions are documented and support the CEO/CFO SOX 302 certifications.
The Audit Committee Role in 10-K Preparation
The audit committee (a committee of independent directors) is responsible for overseeing the financial reporting process, the external audit, and the internal controls over financial reporting. In the 10-K preparation context:
- The audit committee reviews the annual financial statements before they are filed — both the draft financials and the auditor's proposed adjustments
- The audit committee receives the auditor's critical audit matters (CAMs) — the areas the auditor considered most challenging in the audit — and discusses them with management before they are disclosed in the audit report
- The audit committee approves the independent auditor's engagement and fees annually
- The audit committee receives and reviews the "management letter" from the auditor identifying any internal control deficiencies observed during the audit — these observations, while not public, inform the disclosure committee's assessment of whether any deficiency is a material weakness requiring public disclosure
XBRL Tagging Requirements
All SEC filers must submit financial statements in XBRL (eXtensible Business Reporting Language) format alongside the 10-K. XBRL tagging assigns machine-readable tags to each financial statement line item, enabling the SEC and investors to compare financial data across companies and over time. For newly public companies:
- The first 10-K requires XBRL tagging of the face financial statements — balance sheet, income statement, cash flow statement, and statement of equity
- Financial statement footnotes must be tagged in "block text" format in the first year (meaning the entire footnote is tagged as one block), with inline XBRL (iXBRL) detail-level tagging required from the second year
- XBRL tagging is performed by the financial printer or a specialized XBRL tagging firm — it is part of the 10-K filing service provided by firms like Donnelley Financial Solutions, Workiva, or Toppan Merrill
SOX 404 — What Internal Controls the 10-K Requires
The first 10-K's internal controls disclosures depend on whether SOX 404 has kicked in. Understand the timeline.