Making the decision to go public is an exciting venture for many companies. The preparation and decision-making, however, can be daunting. Preparing for an initial public offering (IPO) requires many decisions about your internal control structure and framework; and, while public companies are required to comply with Sarbanes-Oxley (SOX), compliance requirements and the necessary resources are often overlooked or underestimated.
Four key areas to consider
Companies should consider these four key areas as they continue to grow, scale and take steps toward an IPO.
Embed culture
1. Establish tone at the top: The CEO and CFO must provide leadership around the initiative to gain organizational buy-in. Board and/or audit committee engagement is also critical.
2. Be nimble: Develop internal controls documentation including narratives, flow charts, and risk and control matrices (RCMs) that can be flexible and nimble as roles change, new talent is onboarded and your organization grows and scales.
Start early and educate
3. Engage with key stakeholders: Provide education on the benefits of a strong internal control environment, the implications of Sarbanes-Oxley (SOX) compliance for the organization and the importance of maintaining documentation to support the performance of control activities.
4. Leverage investments in technology: Evaluate processes to develop the most efficient framework. Utilize the enterprise resource planning (ERP) system to automate controls and reduce the need for excessive manual labor-intensive controls. Remember to consider enabling systems/tools such as governance risk and compliance (GRC) suites and ticketing systems.
5. Prioritize the most material risks: Perform a SOX-based risk assessment to prioritize the most material financial statements risks and related processes and system. Establish a strong entity-level and IT general controls (ITGC) environment that underpins any effective system of internal controls.
Engage with third parties
6. Understand the holistic ecosystem of controls: Recognize third-party service providers and applications are a key component of the company’s internal control environment. Ensure System and Organization Control (SOC) reports are reviewed and controls exist internally to address complimentary user entity controls (CUECs).
7. Engage with your external auditors: Seek input from your external auditors on key risk areas and address identified control gaps and improvement opportunities. Strive to align on a common control framework to support a reliance approach and create efficiencies for control owners.
Learn, update and improve
8. Learn from others and avoid pitfalls: There are common issues newly public companies experience that often elevate to material weaknesses in internal control over financial reporting (ICFR), which must be disclosed in SEC filings. Understand what these issues are and incorporate lessons learned into your SOX readiness plan.
9. Keep documents current: In these early stages, view your control environment as evolving. Identify “better” controls and update your RCMs and internal controls documentation regularly to reflect these changes. Explore GRC technologies to centralize data and workflows and automate manual tasks.
10. Segregate duties: Identify functions and activities that need to be separated to support a stronger control environment. If duties can’t be separated, consider implementing mitigating detective controls.
