Co-authored by Luke Childress
If your company is thinking about going public, then you have probably heard someone mention how publicly traded companies are required to follow the Sarbanes-Oxley Act of 2002 (SOX). You may be a little unsure of exactly what that requires, but it is important to be ready to comply long before you go public because SOX affects many parts of the way your company is organized.
Congress enacted SOX to reduce corporate fraud by improving internal controls, corporate governance, and accountability in order to lower the risk of fraudulent or misleading financial reporting. The Securities and Exchange Commission (SEC) implements and enforces SOX requirements. The act also emphasizes that management is responsible for establishing and maintaining an “adequate internal control structure and procedures for financial reporting.”
SOX increased the responsibilities for oversight required of a company’s board of directors, and it required management to create an Internal Control report. Further, SOX required key executives to certify the accuracy of the financial statements they have overseen and to certify that the company’s financial controls are sufficient. Finally, SOX also requires the creation of the Public Company Accounting Oversight Board, a quasi-governmental organization to oversee auditors and their findings.
The legislation is complex, which makes it easy to get lost in the weeds. But if you keep in mind the prime goal of reducing fraud by making it harder to commit, it becomes easier to understand the rationale behind SOX’s requirements.
Setting yourself up for success
To identify procedures that may need to change before your company can launch an IPO, let us go through some of the most important questions to ask as your company readies itself.
Potential investors care about a lot more than just your ideas or your future profitability: They also look at how impervious the company is to potential fraud and other malfeasance. Two of the three critical elements needed for due diligence when organizing a company are 1) Tone at the top – an ethical environment fostered by senior management, and 2) Segregation of Duties – ensuring no single person has too much authority in any given process or across processes. For an in-depth look into these two elements, refer to the article “How Venture Capitalist & Private Equity Investors Should Investigate the Companies They Want to Buy,” here.
Have you documented everything you need to?
It is easy for a company to put off formalizing procedures, especially if it has not had much turnover and employees are familiar with their daily responsibilities. However, that will not work for a public company, especially in the long run. It is essential that procedures, systems, applications, processes, and guidelines be formalized so that investors and employees can be assured that finances are being handled appropriately now and in the future. When establishing SOX controls, there are three categories that require thorough attention and documentation: 1) Information produced by the entity, 2) Preparer’s procedures and 3) Management review procedures.
Information produced by the entity (IPE) is any information that is produced internally by the company being audited and provided as audit evidence, whether for use in the execution of internal controls or for substantive audit procedures performed by an external auditor. For more information on IPE, refer to the following articles: “How to Document Information Produced by the Entity (IPE): A Controller’s Guide to SOX Compliance,” here, and “Three Types of IPE & IPE Risks,” here.
Preparer’s procedures are often overlooked, but they are very important to document. It is easy for a preparer to become complacent as the various reports they generate and reconciliations they perform become second nature. However, is the company prepared for unexpected turnover? Does the reviewer know where the data came from or how to recreate it if necessary? The preparer should explicitly document how data-gathering is performed in your company. What are the exact steps the preparer takes to perform an analysis, reconciliation, roll-forward, or similar procedure? What reports do they use, and how do they analyze the data?
Management review procedures are very important and need to be memorialized as well. In addition to facing turnover risks similar to those noted for the preparer above, the reviewer’s documentation will face greater scrutiny from the auditors. The responsibility for proving that the review occurred, and that what the preparer did was correct, complete, and accurate, falls upon the reviewer. The reviewer should document their review procedures step by step and retain a timestamp of when the review occurred; this is typically evidenced via email or sign-off. Was the data that the preparer used complete and accurate? Was the data manipulated after the report was generated? Are the formulas pulling in the correct information and clerically accurate? Was the data run for the correct period? These are just some of the questions the reviewer needs to think about when performing and documenting their review.
Policies and procedures are also vital to any organization and need to be documented and strictly followed. The third critical element needed for due diligence relates to documenting policies and procedures. For an in-depth look into this third and last element, refer to the article “How Venture Capitalist & Private Equity Investors Should Investigate the Companies They Want to Buy,” here. A foundational example is the delegation of authority (DOA). Who is authorized to execute on behalf of the company, and what steps are in place to prevent misuse of that authority? Do individuals know how much they are able to authorize? Appropriate delegation policies and limits should be set and documented to curtail misuse of power. Has the DOA been reviewed by appropriate personnel to ensure it is complete?
You should also examine the computer systems and applications used in your organization. Will your existing general ledger system withstand the demands SOX places on it? Or should you be thinking of implementing an Enterprise Resource Planning (ERP) system? Is your ERP system future-proof? You want to make sure you choose a system that is appropriate for the size of your company but is also auditable and allows for growth as your company scales.
When you have settled on an ERP system, you want to make sure access is appropriately segregated. What administration rights do employees have to computer data, and are those rights appropriate for their role? It is important to make sure that users have only the level of access they need to do their job. This is also the time to ensure that no single individual has access to multiple sensitive roles that together allow for fraud and its cover-up. Having too much access — or access to multiple functions of a process — raises the risk of misappropriation of assets. A strong set of internal controls is your best defense against these and similar risks.
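The segregation-of-duties check described above can be automated against an access-review extract. The following is an added example, not code from the article or from any ERP vendor; the conflict rules, role catalogue, and user assignments are constructed for illustration.

```python
"""Segregation-of-duties (SoD) check over ERP role assignments.

Constructed example: the conflict rules and user/role data below are
illustrative and not taken from any real ERP system.
"""

# Permission pairs one person should not hold together, because holding
# both lets them complete and conceal a transaction end to end.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"journal.post", "journal.approve"}),
    frozenset({"user.admin", "journal.post"}),
}

# Constructed role catalogue: role name -> permissions the role grants.
ROLE_PERMISSIONS = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_MANAGER": {"payment.approve"},
    "GL_ACCOUNTANT": {"journal.post"},
    "CONTROLLER": {"journal.approve"},
    "SYSADMIN": {"user.admin"},
}


def effective_permissions(roles):
    """Union of permissions granted by a user's roles; unknown roles are ignored."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(user_roles):
    """Map each user holding a conflicting permission pair to the sorted list of pairs."""
    findings = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles)
        hits = [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= perms]
        if hits:
            findings[user] = sorted(hits)
    return findings


# Constructed access-review extract: user -> assigned roles.
USER_ROLES = {
    "alice": ["AP_CLERK", "AP_MANAGER"],     # can create a vendor and approve its payment
    "bob": ["GL_ACCOUNTANT"],                # single role, no conflict
    "carol": ["SYSADMIN", "GL_ACCOUNTANT"],  # admin rights plus journal posting
}

if __name__ == "__main__":
    for user, conflicts in sod_violations(USER_ROLES).items():
        print(f"{user}: {conflicts}")
```

Each finding is evidence for the access review: either remove one of the roles or document a compensating control (such as independent review of the affected transactions).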
Are your company policies strong and regularly updated?
It is not enough to have a loose code of ethics that everyone follows. It needs to be written down and understood by everyone. A code of conduct and ethics, corporate governance guidelines, and similar bedrock principles of running the business must be documented and regularly reviewed, at least annually. Employees should be required to sign off on these policies, and the documentation should be retained as future audit evidence.
What about your company’s reputation?
This is also a good time to examine “tone at the top,” which is auditor-speak for the actions, behavior, and other contributions that the board of directors and management make toward the company’s reputation. Little of this tone is likely to be written down, unless you proactively capture it through surveys, interviews, and other fact-finding. Find out how others see you, and if there is a problem with parts of that view, determine what you can do to improve “the top’s” reputation.
Many private companies seeking to go public soon realize that they will have to establish a board of directors. SOX itself does not mandate a board, but the SEC does. The SEC mandates that a public company have a board of directors that represents its stockholders, not management. A majority of the directors must be independent, and some states, underwriters, and investment banks have additional requirements covering the diversity of board members. The board’s composition and responsibilities should always be in writing and reviewed regularly.
In addition to the board, multiple committees are required to facilitate the various aspects of the business. In certain cases, board members and committee members may overlap. The independence of their members is a major concern: Every committee listed below must have at least one independent member at the time of the IPO, and within 12 months, all members must be independent. Defining “independence” is complex, but it generally rules out current or recent employees, major stockholders, those who have received significant payments from the company, and those with other significant familial or social ties to the company or management. Common committees include:
- Audit committee: The audit committee reports to the board and oversees financial disclosures and reporting. Another major responsibility of this committee is to select which external auditors to use and to approve their fees. The committee must have at least three members, and at least one needs to be a financial expert.
- Compensation committee: Directors on this committee oversee executive salaries and other benefits, and they examine such compensations’ relationship to performance.
- Corporate governance committee: This committee concerns itself with the board’s composition, training, evaluation, and orientation. It makes sure that the board is following best practices, as well as its bylaws.
If you are overwhelmed, that is completely understandable. And if you are wondering how to get your company closer to its IPO, Holtzman has you covered. Our team can help you navigate today’s ever-changing regulatory climate, at a time when the right guidance is critical. With clients ranging from startups and middle-market leaders to large multinational conglomerates, we dedicate ourselves to delivering stellar results. Learn more about our IPO Readiness services and get in touch.