Going Public? What Companies Need to Know About SOX Compliance
By Isabelle Bordas, Partner, Assurance Services
Going public is a significant milestone: it helps companies grow by unlocking access to increased capital, and it adds visibility in the marketplace. But operating a public company also requires leaders to comply with numerous regulations, including the Sarbanes-Oxley Act of 2002 (SOX).
Section 404 (a) of the act requires managers to assess the effectiveness of their internal controls over financial reporting (ICFR) in their 10-K. Section 404 (b) requires independent auditors to evaluate managers’ report and provide their own assessment. Additionally, Sections 302 and 906 state that principal executive and financial officers, typically the CEO and CFO, must personally attest (quarterly and annually) that financial information is accurate and reliable.
Meeting the requirements of Section 404 can be a particularly extensive and costly process and be a significant undertaking for newly public companies. There is substantial work involved in implementing the appropriate processes, documenting the system of internal controls, assessing control design, and remediating any deficiencies identified.
The SEC does offer newly public companies some relief: They are permitted to omit the requirements of Section 404 (a) and (b) in their first annual report on Form 10-K. The JOBS Act provides emerging growth companies (EGC) additional relief — the auditor’s attestation report is not required as long as the company qualifies as an EGC.
Since IPO issuers are not required to report on Section 404 until their second annual report filing, is there any benefit to becoming SOX compliant before going public?
Why You Should Start Early
The relief provided to newly public companies does not mean that SOX compliance should not be prioritized pre-IPO. On the contrary, studies have shown that some of the most successful companies operated under public company rules, including SOX compliance, for 12 months prior to going public. Being compliant signals to the market that the company has the right people, processes, and technology in place to fully manage and mitigate risk and protect stakeholders. Implementing a SOX compliance program can be costly, but so is remediating significant deficiencies and material weaknesses — not to mention other potential financial impacts such as fines, penalties, and damage to the company’s reputation.
Newly public companies often exhibit common control deficiencies. An analysis of several post-IPO companies’ first report on ICFR revealed that deficiencies are often caused by:
- Lack of segregation of duties
- Missing documentation, policies, and procedures
- Information technology, security, and access issues
- Skills gaps in accounting personnel resources
- Material and/or numerous audit adjustments
The analysis showed that newly public companies often need to make significant changes to their processes to be compliant. Therefore, to strengthen their internal control environment and limit the risk of material weaknesses, management should plan for SOX compliance as the company prepares for the IPO. To allow enough time to streamline the SOX compliance process, planning should generally begin 18-24 months prior to going public.
Where To Begin
It may be tempting to jump right into identifying controls subject to remediation, but it is critical to follow a set of guidelines and principles to design and implement effective controls. The Committee of Sponsoring Organization (COSO) framework is the most widely adopted by U.S.-listed companies.
The COSO framework is built around five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring. It is aimed at helping companies identify and mitigate risks that can lead to financial misstatement. The framework is implemented in five phases:
- Planning and scoping: Identify an implementation team and develop a plan that includes timing, resources, roles, and responsibilities.
- Assessing and documenting: Assess the company’s control structure and perform a gap analysis by comparing the COSO framework’s components to the company’s existing practices.
- Remediation planning and implementation: Prioritize control deficiencies identified in the gap analysis and define a remediation plan, including timeline.
- Designing, testing, and reporting: Classify controls as critical or non-critical and design procedures to test each critical control. Then, test the controls and report findings to management.
- Optimization of internal controls: Once controls are implemented, it is important to continuously align the risk and controls to the objectives of the company.
The COSO framework describes 17 principles within the five components of effective internal control. These principles emphasize the role of management in demonstrating commitment to integrity and ethical values, the importance of evaluating the risk of fraud, using technology controls, and adequately communicating internally and externally.
Management should inform auditors of their plans to go public as soon as possible. Even though there are commonalities between an AICPA audit and a PCAOB audit, the evaluation of the design effectiveness of the controls and the documentation may be more extensive for the latter. An auditor can provide useful recommendations on how to strengthen controls and related documentation as the company plans to meet the SEC requirements.
Becoming SOX compliant can seem like a daunting task to companies seeking to go public. However, it is an important component of a successful IPO. Many companies have found that significant process changes are necessary to effectively implement a strong internal control framework. Starting early allows time to identify gaps, streamline processes, and limit the risk of reporting material weaknesses post-IPO.