The JOBS Act granted some relief from the burdens of SOX for emerging growth companies, and while any relief was most welcome, the changes brought on some confusion. And it hasn’t abated even three years later. There’s so much for newly public companies to do as they gear up for their intro on the markets and so much they have to do afterward to be in compliance with the new overseer in their life (the SEC). Working in the middle of an active IPO market, we often get questions about what a newly public company actually needs to take care of to be in compliance with SOX under the JOBS Act.
I’ll get to that in just a moment. First, here’s a quick refresher. The JOBS Act granted a temporary exemption (generally five years, depending on certain factors) from SOX 404(b)—the requirement for external audit attestation on internal controls over financial reporting for so-called emerging growth companies (i.e., practically any Silicon Valley company that’s on the go-public track). There is no exemption from SOX 404(a)—management’s report on internal controls over financial reporting. For any new public company, regardless of size, management is responsible for designing effective internal controls over financial reporting, for testing the effectiveness of those controls, and reporting their take on them beginning with the company’s second 10-K.
There’s a good intent behind all this: Whether you are exempt from audit attestation or not, you still need to report accurate financials. Internal controls over financial reporting should prevent material misstatements in your financials. A restatement of financials would be disruptive to your business, demoralizing to your team and very expensive. Where compliance become a hairy endeavor is in the details. It’s not something you want to put off until the 11th hour before that second 10-K is due. And you don’t want to be blasé about the whole matter just because the auditors won’t be looking at this area until the five-year mark goes by.
After working with companies for years on their internal controls, we have some practical advice that’s useful for both newly public and soon-to-be public companies:
Expect a culture shift. The typical entrepreneurial mindset that pits “nimble, innovative and responsive” as the polar opposite of “discipline and documentation” should change. The attitude that helped create your success needs to evolve to a more disciplined state for this next phase of your organizational development. This, more than anything, can be the biggest challenge of SOX compliance. Approach it as a “check the box, bureaucratic nightmare” and that is what you likely will end up with when you’re done. View and treat SOX as a value-add contribution to the success of your business and you may be surprised by the value you get.
Map out your SOX timeline before you go public. The second 10-K sounds so far away, but it will sneak up on you. You’ll need to ideally have your first round of testing finished in the first or second quarter of the year prior to your second 10-K—that gives you time to remediate and retest before the end of the year. Work backwards from there, keeping in mind other business priorities, such as new system implementations, audit timelines, vacation schedules and other deadlines. Your SOX timeline needs to build in the design, testing and reporting aspects—and you need to manage all that while the business evolves and your first rounds of SEC reporting deadlines create their own challenges.
Design your controls. Take advantage of the processes you already have in place, and identify your existing controls (you might be surprised at how much you already have in place). You’ll need to map to the COSO framework, identify where you already have strong controls and where you need to shore up others. You can develop a “gap list” of controls that need to be implemented and prioritize them so you can work on them over time. Your IT controls and entity level controls need to be addressed as well. The twist for SOX compliance is that not only do you have to have controls, you have to be able to demonstrate that you perform the controls. Reviewing the payroll register isn’t sufficient; documenting your review becomes just as important.
Time to start testing—assume the best but plan for the worst. First-time SOX testing typically has a high failure rate, unfortunately. Most everyone is learning the ropes and still operating under the entrepreneurial mentality of “Let’s get things done fast, and don’t worry about the paperwork.” People may be performing the controls that you have designed but failing to document what they did. For that payroll register review, if the sign-off is missing, it’s hard to demonstrate the review actually happened. On the other hand, some controls may be new, and they may not get done reliably at first; it may take a while for new habits to take hold. “Trust, but verify,” and “test early” will be your mantras, so you can find out who may need more training and which controls are not workable in your environment and need to be redesigned. Remediate and retest. As often as needed.
For more hints on making the transition to a compliant, well-oiled organization, check out our intelligence report on Ensuring a smooth ride as a newly public company.
Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client management, ensuring all our clients are on the road to happiness. She previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm.