4 Ways an IPO Can Get SOX Controls Right Without Crippling the Organization

by William Aimone, October 11, 2021

In 2021, organizations set an all-time record with 796 initial public offerings (IPOs) as of October. Once an IPO is consummated, each IPO CFO will need to comply with SOX (Sarbanes-Oxley) 302 by certifying that controls are in place to ensure the accuracy of financial statements. This means the company will want to conduct a risk assessment and create an internal controls roadmap for SOX 302 compliance and, if necessary, for a potential future SOX 404(b) audit.

Most IPOs will apply for Emerging Growth Company (EGC) status and be considered Accelerated Filers by the SEC; therefore, the CFO will need to certify 302 compliance standards in the first year. IPOs that either opt to be a Non-EGC Accelerated Filer or meet any of the Large Accelerated Filer criteria (see table below) must establish internal controls to comply with the more stringent SOX 404(b) audit. SOX 404(b) requires a rigorous internal controls framework and a series of processes and systems that will need to be tested by internal and external auditors.

Both SOX 302 and 404(b) involve having a risk and internal controls framework in place. Implementing an internal controls framework is particularly challenging for an IPO versus an established publicly traded company. IPOs rarely have the systems, processes, and staff in place to comply with a 404(b) audit and often need to make several changes to ensure the accuracy of financial statements. This includes enough staff to segregate duties, financial systems with adequate IT controls, well-defined processes, and in-house SEC knowledge.

Making matters worse, most large audit firms see IPOs as risky undertakings and aren’t overly eager to accept internal control engagements (as reflected in their fees). They are happy to be the independent external auditor, but the IPO will still need assistance from a separate, independent firm to design and implement their internal risk and controls framework.

IPOs are faced with spending more than anticipated, and the internal controls environment suddenly turns the innovative entrepreneurial company into a slow-moving bureaucracy. Promised investor results diminish and capital becomes constrained.

The good news is that there are ways to implement a 404(b) compliant internal controls framework without slowing the organization down.

Implementing SOX Controls

1. Fit-for-purpose Risk Assessment – A few years ago, we met with a CFO who was anticipating reaching Large Accelerated Filer status in the following year. He had been given a rather generic and lengthy risk assessment conducted by a Big 4 firm. It was overwhelming and better suited to a Fortune 100 corporation. After the CFO disengaged the Big 4 firm, we worked with the finance team to conduct a fit-for-purpose risk assessment. This meant customizing the risk assessment to the capabilities and size of the organization. Although we went through an exercise to map their unique risks to the COSO 2013 framework, we were also mindful of what was relevant to the company and the audit. For example, the company did not have an adequate Board Governance Model. Instead of giving them a generic big-company framework, we focused on developing a model that fit their needs. This gave the board the right level of transparency to meet audit requirements without slowing decision-making.

2. Focus on Process Improvement – Many auditors zero in on reducing risk and rarely see the bigger picture. The audit process documentation and narratives become overly focused on identifying risks and documenting mitigating controls instead of on efficiency. Process documentation becomes a chore instead of an opportunity to improve efficiency and eliminate unnecessary steps. While an IPO goes through the process of documenting controls, waste should also be identified and eliminated. During several of our control implementations, our team used process documentation as an opportunity to reduce the amount of time it took the companies to close their books and report financials. Our challenge was to offset any additional controls by eliminating unnecessary steps in each process. This allowed the organization to absorb new controls without adding expensive staff.

3. Consider Organization Impacts – A controls framework introduces formalized delegation of authority (DOA) and segregation of duties (SOD) frameworks. These frameworks are used to ensure the right people are involved in decision-making, to prevent fraud or collusion, and to control spending. SOD ensures no one person controls an entire process, and DOA ensures the right people approve financial commitments above certain thresholds. This can frustrate the leadership of an entrepreneurial-spirited organization. Our new IPO clients are encouraged to keep the DOA as simple as possible and to be creative about SOD. For example, one organization’s billing process required the segregation of billing and posting receivables. However, both steps were performed by one person. Instead of hiring additional staff for approvals, the company implemented an approval workflow that allowed one of the accountants to approve receivable postings. These simple steps prevented the company from hiring unnecessary staff.

4. Repair Instead of Replace Systems – In most cases, a risk assessment will reveal a significant number of risks associated with ERP systems. Many organizations quickly jump to the conclusion of replacing their ERP systems. Implementing new ERP systems while going public has the potential to make an internal controls implementation worse. ERP implementations rarely finish on time and banking on a new ERP system to meet a 404(b) audit deadline is risky. Instead, take measures to implement quick and easy tools to supplement the ERP system. Our clients typically find the implementation of a reporting and planning solution on top of their legacy ERP becomes their long-term solution instead of a new ERP. In some cases, they make a few modifications in their legacy ERP systems, which is less costly than a new ERP solution.
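The approval workflow described in point 3 above can be expressed as a small piece of enforcement logic. The following is an added illustration, not code from the article or from Trenegy: a toy receivables workflow in which the person who billed an invoice cannot approve its posting (SOD), approvals above constructed dollar thresholds require a more senior role (DOA), and every accepted or rejected action is written to an audit log so a reviewer can later check that the control actually operated. The user directory, role ranks and thresholds are all constructed for the example.

```python
"""Toy receivables approval workflow enforcing segregation of duties (SOD)
and a delegation-of-authority (DOA) threshold matrix.

Added example; users, roles, thresholds and invoice data are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed DOA matrix: an approval at or above each amount needs at least this role.
DOA_THRESHOLDS = [(0.0, "accountant"), (50_000.0, "controller"), (250_000.0, "cfo")]
ROLE_RANK = {"accountant": 1, "controller": 2, "cfo": 3}

# Constructed user directory mapping user -> role.
USERS = {"alice": "accountant", "bob": "accountant", "carol": "controller", "dave": "cfo"}

# Audit trail of every control decision (accepted and rejected), for later review.
AUDIT_LOG: list = []


class ControlViolation(Exception):
    """Raised when an action would breach SOD or DOA."""


@dataclass
class Invoice:
    invoice_id: str
    amount: float
    billed_by: str                      # person who created the invoice
    approved_by: Optional[str] = None   # approver, set by approve_posting()
    posted: bool = False


def _log(event: str, invoice: Invoice, actor: str, outcome: str, reason: str = "") -> None:
    AUDIT_LOG.append({"event": event, "invoice": invoice.invoice_id, "actor": actor,
                      "amount": invoice.amount, "outcome": outcome, "reason": reason})


def required_role(amount: float) -> str:
    """Return the minimum role allowed to approve an invoice of this amount."""
    role = DOA_THRESHOLDS[0][1]
    for threshold, name in DOA_THRESHOLDS:
        if amount >= threshold:
            role = name
    return role


def approve_posting(invoice: Invoice, approver: str) -> Invoice:
    """Record an approval, enforcing SOD (approver != biller) and DOA (role rank)."""
    if approver not in USERS:
        _log("approve", invoice, approver, "rejected", "unknown user")
        raise ControlViolation(f"unknown user {approver!r}")
    if approver == invoice.billed_by:
        _log("approve", invoice, approver, "rejected", "SOD: biller approving own invoice")
        raise ControlViolation("SOD violation: the biller cannot approve their own invoice")
    need = required_role(invoice.amount)
    if ROLE_RANK[USERS[approver]] < ROLE_RANK[need]:
        _log("approve", invoice, approver, "rejected", f"DOA: needs {need}")
        raise ControlViolation(
            f"DOA violation: {approver} ({USERS[approver]}) cannot approve "
            f"{invoice.amount:,.2f}; requires {need}")
    invoice.approved_by = approver
    _log("approve", invoice, approver, "accepted")
    return invoice


def post_receivable(invoice: Invoice, poster: str) -> Invoice:
    """Post the receivable; allowed only after an independent approval exists."""
    if invoice.approved_by is None:
        _log("post", invoice, poster, "rejected", "no approval on file")
        raise ControlViolation("posting requires a prior approval")
    if invoice.posted:
        _log("post", invoice, poster, "rejected", "duplicate posting")
        raise ControlViolation("invoice already posted")
    invoice.posted = True
    _log("post", invoice, poster, "accepted")
    return invoice


def rejected_actions() -> list:
    """Control exceptions a reviewer would sample during testing of the control."""
    return [e for e in AUDIT_LOG if e["outcome"] == "rejected"]


if __name__ == "__main__":
    inv = Invoice("INV-1001", 12_000.0, billed_by="alice")
    approve_posting(inv, "bob")        # second accountant approves: SOD satisfied
    post_receivable(inv, "alice")      # alice may post once an approval exists
    try:
        approve_posting(Invoice("INV-1002", 60_000.0, "alice"), "bob")
    except ControlViolation as exc:
        print("blocked:", exc)        # bob is below the controller threshold
    print(len(rejected_actions()), "rejected action(s) in the audit log")
```

The point of keeping the rejected attempts in the log, rather than only raising an error, is that a 404(b) tester can sample those entries to evidence that the control operated, which is the same evidence the auditor would otherwise ask for from hiring a second person to perform the posting.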

Trenegy specializes in helping IPOs implement fit-for-purpose controls frameworks that allow organizations to stay efficient. Check out our SOX FAQ page here to learn more.