Posts

The decision to go IPO is one of the most exciting milestones in a company’s journey—and the start of an incredibly busy and challenging time. While the decision tends to center on the big event, the work leading up to the initial public offering and afterward is enormous and can strain an already busy team. For CFOs and other senior executives who need to lead their company through their initial public offering, here is a guide to going public.

A CFO Guide to IPOs: Don’t Underestimate the Work Involved 

Going IPO is complex and expensive—and time consuming. The prep work leading up to the IPO could take as long as two years. Smart companies build their infrastructure well in advance to be ready for the moment. Then there’s the constant scrutiny that becomes a way of life once the S-1 gets in the hands of analysts, investors and competitors.

You’ll need to be ready for the possibility that regulators will have a lot of questions, in addition to inquiries from savvy investors. Making the wrong move at any point could hurt the company’s growth potential and lead to employee burnout, just when you need your most valued performers the most. You’ll want to cover your bases before finalizing the decision to go public:

Make sure you’re doing it for the right reasons: Personal wealth buildup and boosts to the ego are side benefits to a successful IPO—but the focus should be on raising capital to fund the company’s growth plans.

Consider the alternatives: To explore whether going public makes the most sense for the business at this time, also weigh the pros and cons of other exit strategies, such as a merger or acquisition, strategic alliance, or private equity funding.

Picture the changes ahead: The company as you know it is going to change, as it moves from an organization run by just a few people to a company owned by anyone who wants to buy a piece. Investors will have a right to some decision-making power, and management will no longer have all the control. 

Preparing for Your IPO

Is your company IPO ready? Smart companies that have an IPO in their sights get their financial house in order early on. But you’ll need more than audited financial statements and an S-1 filing to be “ready.” Here are a few of the many other steps you’ll need to cover:

  • Know your story: Consistency matters, from the prospectus to the words on your website to the narratives told by senior leaders as they promote the company at roadshows. Anticipate questions and have potential answers ready. How the company describes its talent, product roadmap, geographic expansion and goals can strongly influence share price.
  • Act like the company is already public: By operating like a public company, as early as a year before the IPO, you can make improvements along the way, such as upgrading outdated systems, wiping out manual processes and overcoming the learning curve of SEC requirements.
  • Develop a SOX timeline: You’ll have until the second 10-K to submit your first Sarbanes-Oxley compliance report, but you’ll need a well-designed system of internal controls that will help prevent material misstatements to financial statements well before that time.

Managing Your Company Through the Post-IPO Transition

A culture shock is inevitable as the company takes on a more disciplined way of operating. Decision-making will be centered around short-term needs and results, rather than the long term. Employees need to be kept informed about the company’s direction, as well as the new expectations on behavior that they’ll have to follow to comply with insider trading rules and restrictions.

Decide how much of your old culture to retain, figure out how to manage the new one, and evaluate the staff to take note of any skill gaps. You’ll need people who are open-minded and willing to switch to new systems and processes, while being able to meet stricter deadlines and shorter turnaround times.

RoseRyan as Your IPO Guide 

As you can tell from this IPO guide, operating as a public company is like living in a whole other world. You need people who have taken companies through the entire IPO process who can help you make sense of it, and thrive in it. They’ll guide you through the before and after of the IPO, by keeping you informed about what to expect, preparing the company for this new world, and getting it through the rocky transitional period. And they’ll fill in the skills gaps and situate your staff with the new way of working. (We’ve also served as a US IPO guide for companies based outside the country that want to list here.)

With tight financial accounting and reporting, and a robust system with efficient, practical processes, the company will be set up for a maximum valuation and its new class of investors. Learn all about RoseRyan’s Transaction Advisory Services and how we can manage your IPO process from start to finish.

As we head into the home stretch for this year’s SOX programs, we thought it would be helpful to highlight some key areas of focus by auditors that deserve particular attention this year. No year is ever the same: From dealing with pandemic-related risks to implementing new accounting standards, companies always have new considerations when it comes to complying with SOX. Based on my SOX crystal ball, here’s what I expect will be key areas of focus in SOX assessments.

How Is Your SOX Compliance in These Key Areas?

Not surprisingly, auditors’ areas of focus tend to align with the areas that the Public Company Accounting Oversight Board has been prioritizing during its inspections. Here’s what the PCAOB says about that:

“While inspections vary by firm, we may focus on auditor’s risk assessment processes, financial reporting, and audit areas affected by economic trends or pressures, audit areas that present challenges and significant risk, new accounting standards, and areas of recurring audit deficiencies.”

What does this thinking mean for SOX compliance in 2021? Well, let’s start with areas of recurring audit deficiencies—we’ve seen internal controls over financial reporting on that list for many years, and no matter how much effort companies put into making improvements, it still isn’t enough in the PCAOB’s view. With all this in mind, here are some aspects of ICFR that merit your attention this SOX season:

Risk assessment process: Spend the time to prepare a thorough risk assessment and include robust documentation. Have you identified all the areas for potential material misstatements? Do you have controls to mitigate your significant risks? Are all your financial statement assertions covered?

Many companies have addressed, in their control set, the risks associated with the sudden shift to remote work brought on by COVID shelter-in-place orders, but the pandemic continues to present risks to the business. We continue to see supply chain shortages crop up as well as other new impacts of our pandemic life. Be sure you have addressed key changes to your business in your risk assessment.

If you’ve recently adopted new accounting standards, such as ASC 606 (Revenue) or ASC 842 (Leases), or refined your workflow and processes in these areas, make sure you’ve updated your design of controls to reflect the new risks and process flows as part of your SOX compliance program.

Management review controls: This has been on the PCAOB list for quite some time—so expect to see further scrutiny here. Look to stated precision levels utilized in the management review process and what the reviewer does when something falls outside those threshold levels, or what happens when the process doesn’t follow the “normal” process. Your auditors will likely expect to see documentation showing that you’ve done these steps for each review.

Completeness and accuracy of IPE: From a SOX perspective, IPE, or “information produced by the entity,” means documenting how control operators satisfy themselves that the data used in the execution of the control is complete and accurate. It sounds simple enough, and yet this is an area that gives most people trouble. We see the whole range of reactions in our client base—from control owners who say, “I get this report from our IT team—it’s their job to make sure it’s complete and accurate” to “It’s a canned report from a leading cloud company—of course it’s complete and accurate.” The reality is, the responsibility for completeness and accuracy is shared between the application owner and the application user.

Let’s break this down even further:

For canned reports—standard reports that you run from a third-party application—you’ll need to demonstrate the report was generated using the appropriate parameters, that the calculations performed in the report are accurate, and that the vendor has effective access and change management controls in place.

  • Parameters: Verify that the parameters used to generate the report are correct, and indicate that you have reviewed them. You can do that by tick mark, a highlight, whatever works for you. But you really do need to look at the parameters—we’ve seen companies run Q1 reports with the dates of January 1 to March 30. The after-the-fact argument of “there was no activity on March 31” isn’t going to fly—the only way to prove that is to run the report using the right date. We’ve also seen stock reports run without a complete population (e.g., it’s missing one of the stock plans).
  • Accuracy of calculations: Verification of calculations performed can be accomplished a few ways—it could be the vendor actually does this verification and includes it in the SOC 1 report. If that’s the case, you can rely on that. Most of the time, a SOC 1 report doesn’t cover this, so you’ll need to do your own verification. Generally a “test of one” will suffice—but be sure you do a “test of one” on all the use cases, not just one. (Here’s a simple example: You can manually recalculate monthly depreciation expense for a single asset and compare your calculation to the report output—if it matches, you’re good. But also include a test for a fully depreciated asset, for an asset added during the month and for an asset retired during the month.)

Digging Deeper into SOC 1 Reports

Effective assessment of a SOC 1 report could be a blog topic in and of itself—so we’ll just hit some highlights:

Make sure the SOC 1 report covers the period you are relying on and it has a bridge letter to get you to the end of your fiscal year. Many vendors will issue a SOC 1 report covering the period through September or October, and then issue a bridge letter saying there were no changes through December 31. For a calendar year-end company, that should work. If your fiscal year-end is different, you’ll need to do additional work here.

You should also evaluate if the design of controls listed in the report covers the key risks you need covered, and whether any testing exceptions were noted. If there are missing controls, you’ll need to do something more on your end (such as verification of calculations). If there are testing exceptions, then evaluate the impact to your organization—it could be the exception is in an area you are not relying on, or you might have compensating controls in place to mitigate the risk.

The SOC 1 report will also list out any sub-service organizations the vendor relies on, and whether the report includes controls from the sub-service organization. Often they are excluded, so you will need to obtain and review those SOC 1 reports separately. Finally, look at the list of User Control Considerations—controls that the vendor expects you to have in place, typically around access, and evaluate whether your controls address those areas.

You’ll need to go through a similar process for information used in control execution that is developed in-house and for calculations in Excel workbooks, such as tax provisions, data from a data warehouse that was extracted from other systems, custom reports, queries and scripts, etc.

Always Be on Top of SOX Trends

SOX compliance is always evolving. The SOX experts at RoseRyan can help your company master the latest key areas of focus and ensure that your company not only meets compliance requirements but does so in an efficient way that can be carried over to future years. To learn more about how we can create a tailored SOX program for your company and our SOX philosophy, see our latest video, and contact us to help you with your SOX program.

Pat Voll is a vice president at RoseRyan, where she guides and develops new solutions for our strategic advisory practice, which includes corporate governance, strategic projects and operational accounting. She also manages multiple client relationships and oversees strategic initiatives for the firm. Pat previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm.

Without a doubt, one of the most significant milestones in a company’s growth journey is going public. That ringing of the opening bell (either literally or figuratively) for your IPO leads to another milestone the company will soon have to hit: becoming SOX compliant.

While the Sarbanes-Oxley Act of 2002 features many provisions designed to prevent financial fraud and enhance corporate governance, Section 404 in particular becomes a pressing concern soon after an initial public offering. This is when management will weigh in on the effectiveness of the company’s internal controls over financial reporting and, eventually, the company’s external auditors will offer an opinion as well.

Challenges in Establishing an Effective SOX Compliance Program

Here are just a few of the challenges companies face when setting up an effective SOX compliance program:

A shift in some practices. Any change can be tough. The team may have been doing something a certain way for a long time and hasn’t yet realized the practice could have a detrimental effect on the financial operations or the veracity of the financial information. New systems may need to be put in place that could take some time to learn. A cultural shift will need to occur if the “tone at the top” (namely the CEO and CFO) isn’t encouraging the best behavior throughout the company.

For the most part, professionals know what the ethical, right thing to do is—however, when systems are put in place to formalize that, it can require some adjustments. SOX experts who are practical in nature and flexible to the companies they work with know this already and come up with solutions that work for the company (its size, industry, complexity).

Disparate ways of working. Cultural differences among geographically dispersed offices can affect the company’s overall need to comply with SOX. Remote offices may follow customs and practices that don’t yet align with where the company needs to shift.

Ever-evolving risks. Here’s where SOX compliance is rarely if ever the same year to year. The top risks affecting the company are frequently changing as are emerging risks that the company may need to address. External experts are often invaluable in this regard as they work with multiple companies and see everything—they can seamlessly incorporate best practices they’ve picked up in the field and adjust them to your company.

Benefits of a SOX Compliance Program

In addition to meeting corporate governance compliance requirements, a SOX program offers multiple benefits, including the ones listed below.

Minimizes the risk of a material misstatement of the financial statement and fraud risk. With the right systems and processes in place, your company can prevent (or better detect) incidents of fraud and prevent errors from occurring that could affect the reliability of your financial reporting. All of the work that goes into SOX compliance contributes to this goal—SOX’s main purpose. It also contributes to protecting the company’s and top management’s reputation.

Introduces efficiencies. With a SOX program tailored for your company that integrates with your workflow, ongoing pain points will be eased and controls will be simplified.

Gains trust in the marketplace. Whether your company has always instilled a sense of financial integrity or only now is shoring up its internal controls, potential stakeholders will know they can rely on the information you are sharing with them—and that can have a positive effect on your valuation.

Tips for Creating, Maintaining an Effective SOX Compliance Program

You may be wondering, how do I set up or improve a SOX compliance program? This post highlighted many of the challenges along with the benefits of taking on SOX compliance. SOX experts can help from the very beginning, even before your company is ready to go IPO and also be there when it’s time to bring in your external auditors to meet your SOX 404(b) requirements.

By working closely with SOX experts who have helped a wide range of companies, in various stages of SOX compliance, you can establish a workable, practical SOX compliance program that can be effectively maintained year over year. We’ve helped companies design, document and execute controls, often during a time crunch.

For an assessment of your program or the start of a SOX 404 compliance program, reach out to our corporate governance pros today.

Sarbanes-Oxley compliance has come an incredibly long way since the corporate governance law was passed nearly two decades ago. That doesn’t mean startups are in a hurry to become SOX compliant. Still, for a high-growth startup that may one day go public, its SOX-like compliance efforts can give assurance to management and investors that the company’s financial reporting can be relied upon.

What makes SOX compliance more clearly beneficial, compared to the early days of the anti-fraud law, is the significant financial operational efficiencies that open up when companies assess and tighten up their internal controls over financial reporting. With the help of financial integrity experts, they can realize such efficiencies as they start understanding and documenting their internal controls.

As your early stage startup contemplates the future, including potential exit strategies, what would you need to do to become SOX compliant?

SOX Compliance for Startups

Tip 1. Firm up your financial foundation. Your emerging growth company’s venture into the public markets might seem far away. Strategic opportunities can unexpectedly arise, however, in the form of a SPAC (special purpose acquisition company) merger, accelerating your company’s need to be IPO ready or SOX ready. Despite whatever strategic plan is in the works, the financial foundation of your startup should be sound so that you have the level of financial information and analysis needed to confidently move the company in the right direction.

Have investments in technology kept up with the size and complexity of the company and where it’s headed? Are your accounting processes practical and leading to timely, credible financial reports that are auditable? Do you have access to the kind of strategic financial expertise required to help you move the startup forward?

Tip 2. Keep current on your key risks. As your startup quickly moves ahead, your risk management efforts need to be adjusted. Risks change as the markets change, as new employees are brought in, as the economy shifts, and as customer demographics evolve. A large part of SOX compliance involves understanding the current major risks facing the company, so risk management for IPO-headed startups is also important.

Tip 3. Seek expertise early and often. Whether your company needs a version of “SOX lite” right now, an idea of whether it’s headed in a smart direction in its growth journey, or simply some expert advice, you need the right expertise to help you. Amid fast growth and your assessment of your high-growth startup’s compliance, you’ll likely find that you need more insights than you can find in-house.

You’ll need to connect with experts who will adjust their guidance to where your startup is right now and then will be there with relevant solutions as those needs change. Seek out a finance and accounting consulting firm that understands emerging growth companies like yours as well as the version of the company you hope it will become.

Do the consulting firm’s experts have experience in your industry, with companies like yours? And if they don’t, how can they meet your needs? Look for a consulting firm that tailors its solutions to their clients rather than trying to bend a company toward its solutions.

Tip 4. Be prepared to act like a public company. Does your team have the skills and resources to meet the ongoing financial reporting demands and SOX requirements of a newly public company? The deadlines are not flexible once your company goes public, and the scrutiny is higher. Pre-IPO companies can ease into meeting the higher expectations by truly understanding what it takes to act like a public company, including SOX 404 compliance and all that entails.

Some of the main internal controls that a public company is expected to adopt are simply best practices that every company should be doing, such as segregation of duties. Undertaking good habits as early as possible can minimize the risk of a material misstatement of the financial statements.

Tip 5. Communicate with your external auditors. Here’s a tip that not everyone intuitively realizes is a possibility: You can proactively check in with your external auditors to understand their expectations.

SOX experts can help you keep these communication lines open, while retaining independence between your startup and the auditors. This way you can understand what auditors want to know and minimize any back and forth that would require your attention. After all, you have so many other responsibilities besides SOX compliance for startups.

How Does Sarbanes-Oxley Affect My Startup?

You may be wondering, “How do I implement SOX in my high-growth startup?” The short answer is startups do not have to be SOX compliant until they are public. Depending on your current growth plans, however, you could find that your startup should work toward becoming SOX ready. To set the wheels in motion, reach out to SOX and financial integrity experts who can help guide your company through what you can and should do now, based on your current growth plans.