This slide lists some of the key questions boards and management need to ask themselves in contemplating an IPO. The challenges faced by companies preparing for a public offering include:
Accelerated reporting deadlines
SOX requirements
Corporate governance
Increased scrutiny of complex accounting policies and positions
The scalability of the IT infrastructure
Adequacy of people resources
List of selected key policies covering most “go to public” companies:
Anti-Fraud Policy
Insider Trading Policy
Code of Conduct (conflict of interest, related party transactions, confidentiality, fair dealing, protection and proper use of company assets, compliance with laws and regulations)
HR Policies (hiring, termination, equity awards, annual review)
Accounting/Finance Policies
IT Policies (Security, Change Management, Business Continuity Management)
Audit Committee Charter
Disclosure Committee Charter
Compensation Committee Charter
Job Descriptions
Today we will focus on the more pervasive inherent risks that frequently pose significant challenges for companies with public company aspirations – Financial Reporting, Closing the Books, the IT Environment, and Governance/SOX Compliance. Chris, provide us with some guidance on how we maneuver through the maze of what seems to be an increasingly complex financial reporting environment.
One key activity, prior to a public offering, is for management and the audit committee to get ahead of the curve by assessing financial reporting risk so that it can be managed up-front, rather than being susceptible to being managed after the fact by external auditors, regulators and others.
Once done, a financial reporting risk assessment should be periodically updated. Early on, prior to an IPO, your sources of risk indicators may be external auditors, investors, underwriters, etc. Once you are public, the possibility of SEC comment letters (those generated by the IPO and those generated thereafter by public filing reviews) and even of the PCAOB reviewing the work of your external auditor enter the mix and need to be considered, as will new and updated accounting pronouncements, which may be applicable to you broadly or specifically.
Thanks, Steve. Some, but not all, non-public companies have the luxury of longer close timelines. On this slide you can see the deadlines common to newly public companies: Non-Accelerated Filers have a market cap under $75M, Accelerated Filers $75M–$700M. In addition to the SEC-required deadlines, public companies usually prepare more extensive disclosures than most private companies. So most companies will have to both speed up the close cycle and do more during that same cycle. The increased demands often require more discipline via checklists, status reporting, and rapid issue resolution. Box calendars should be replaced with detailed checklists, and daily status reporting and sometimes daily staff meetings should be implemented – especially if your current close schedule does not comply with the rules. Lengthy manual tasks create bottlenecks that can best be resolved with stronger systems functionality and better integration. For example, QuickBooks and spreadsheets often must be replaced with more mature accounting applications, and remaining spreadsheets with interfaces or automated custom applications. You may not have a formal disclosure committee identified with regular meetings set. You may also lack draft disclosure documents. Newly public companies are also subject to SOX 302 Certification, requiring the CEO and CFO to certify that the financial statements are complete and accurate. Checklists and, in some cases, 302 sub-certifications provide the executives some additional comfort that the financial statements are complete and accurate.
To effectively assess and improve your close process you must start with a detailed task checklist. The task list should reflect each JE, spreadsheet or manual process, by person, required to close. It should include activities in remote locations and inputs from third parties. Once this is in place and you have some history, you can seek to make improvements. Protiviti advocates evaluating your close process holistically – across our Six Elements of Infrastructure. The slide before you describes some common opportunities for improvement. Focusing on just a few items, let’s first look at the process. In addition to tracking the actual start and end times for all activities, hold formal pre-close meetings, daily status meetings, and post-close debriefings. These meetings are imperative to verify status, identify delays, raise issues, and establish accountability to due dates. With the results of a detailed checklist you can create insightful dashboards and reports. Consider graphing the number of tasks by day from day -10 to day 45 to see how much you’re getting done early, and the number of tasks by person by day to see if the work is spread evenly. You can also prepare a Gantt chart to analyze the critical path. Under the Methodologies element of our framework, review your spreadsheets and your reconciliations. Look in particular at the nature of the calculations – are they consistent with the GAAP treatment prescribed? Is the level of detail appropriate? Too much is too time-consuming; not enough is insufficient to support the audit. Also consider prioritizing reconciliations – moving lower-risk recons to after the GL close. Systems is the final element and frequently requires much attention. We’ve mentioned more mature accounting applications to eliminate spreadsheets. Where spreadsheets remain (some always will), specific spreadsheet controls should be implemented to reduce risk.
For example, spreadsheets should be organized with separate data entry sections, formula cells locked, workbooks password-protected, and files stored on a central server for backup and limited access. On the next slide we’ll discuss common challenges in revenue – especially for any high tech, software or services company.
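As an added example (not part of the Protiviti deck), the script below derives the close dashboards the notes describe from a detailed task checklist: tasks completed per day across the day -10 to day 45 window, tasks per person, and the critical path through task dependencies. The checklist contents (task names, owners, days, durations) are constructed sample data, and the scheduling rule (a task starts at its planned day or when its last dependency finishes, whichever is later) is an assumption of the example.

```python
"""Close-checklist analytics: tasks finished per day, load per person and
the critical path of the close, computed from a detailed task checklist."""
from collections import Counter

# Constructed sample checklist (not from the slides). "day" is the planned
# start relative to period end (negative = pre-close), "duration" in days.
CHECKLIST = [
    {"id": "T1", "name": "Freeze AP subledger", "owner": "Ana", "day": 1, "duration": 1, "deps": []},
    {"id": "T2", "name": "Post accrual JEs", "owner": "Ben", "day": 2, "duration": 1, "deps": ["T1"]},
    {"id": "T3", "name": "Bank reconciliation", "owner": "Ana", "day": 3, "duration": 2, "deps": []},
    {"id": "T4", "name": "Revenue cutoff review", "owner": "Cai", "day": 2, "duration": 3, "deps": ["T1"]},
    {"id": "T5", "name": "Inventory count adjustments", "owner": "Ben", "day": -2, "duration": 2, "deps": []},
    {"id": "T6", "name": "Consolidate remote location (third-party input)", "owner": "Cai", "day": 5, "duration": 4, "deps": ["T2", "T4"]},
    {"id": "T7", "name": "Draft financial statements", "owner": "Dee", "day": 8, "duration": 5, "deps": ["T3", "T6"]},
    {"id": "T8", "name": "Disclosure committee review", "owner": "Dee", "day": 14, "duration": 3, "deps": ["T7"]},
    {"id": "T9", "name": "302 sub-certifications", "owner": "Ana", "day": 16, "duration": 2, "deps": ["T8"]},
]


def build_schedule(tasks):
    """Earliest start/finish for every task via topological (Kahn) ordering.

    Returns {id: (start, finish, binding_dep)} where binding_dep is the
    dependency that pushed the start later than the planned day (ties go to
    the dependency), or None when the planned day governs. Raises ValueError
    for circular or unresolved dependencies, which no checklist can satisfy.
    """
    by_id = {t["id"]: t for t in tasks}
    indeg = {t["id"]: len(t["deps"]) for t in tasks}
    ready = [tid for tid, d in indeg.items() if d == 0]
    sched = {}
    while ready:
        tid = ready.pop()
        task = by_id[tid]
        start, binding = task["day"], None
        for dep in task["deps"]:
            if sched[dep][1] >= start:
                start, binding = sched[dep][1], dep
        sched[tid] = (start, start + task["duration"], binding)
        for other in tasks:
            if tid in other["deps"]:
                indeg[other["id"]] -= 1
                if indeg[other["id"]] == 0:
                    ready.append(other["id"])
    if len(sched) != len(tasks):
        raise ValueError("circular or unresolved dependency in checklist")
    return sched


def critical_path(sched):
    """Chain of tasks that determines the close completion day (Gantt critical path)."""
    last = max(sched, key=lambda tid: sched[tid][1])
    end_day = sched[last][1]
    path, tid = [], last
    while tid is not None:
        path.append(tid)
        tid = sched[tid][2]
    return list(reversed(path)), end_day


def tasks_by_day(sched, first=-10, last=45):
    """Count of tasks finishing on each day inside the reporting window."""
    return Counter(fin for _, fin, _ in sched.values() if first <= fin <= last)


def tasks_by_person(tasks):
    """Count of checklist tasks owned by each person (workload spread)."""
    return Counter(t["owner"] for t in tasks)


def tasks_finishing_after(sched, day):
    """Tasks whose earliest finish falls after an internal target or filing day."""
    return sorted(tid for tid, (_, fin, _) in sched.items() if fin > day)


if __name__ == "__main__":
    schedule = build_schedule(CHECKLIST)
    path, end = critical_path(schedule)
    print("Close completes on day", end, "via critical path", " -> ".join(path))
    print("Tasks finished per day:", dict(sorted(tasks_by_day(schedule).items())))
    print("Tasks per person:", dict(tasks_by_person(CHECKLIST)))
    print("Tasks finishing after day 15:", tasks_finishing_after(schedule, 15))
```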
The question is raised because many pre-IPO and newly public companies have small IT staffs struggling to support a wide variety of end user needs. Your IT team must support everything from your LAN, PCs and printers to ERP/accounting applications, engineering workstations and central storage servers; some also support customer-facing applications. These “start up” environments often succeed because of a strong “can do” attitude, yet also resist many of the formal processes, approvals and controls required in public companies. Some other key challenges most companies face in preparation to go public include:
SOX-required controls in the form of SDLCs – these are controls such as an IT Steering Committee, testing requirements, and formal approvals prior to making changes to production applications or data.
Replacing less expensive, less sophisticated accounting applications with more robust ERP applications better suited to support growth plans.
Additional electronic integration in the form of interfaces, EDI, etc.
As you explore alternatives you’ll need to address some significant long-term decisions, such as outsourcing or hosted applications that may be attractive to mitigate implementation costs and reduce the in-house skills necessary to support these applications. In the following slides we will briefly present some key attributes of the IT infrastructure you should consider for IPO readiness.
Looking at the IT infrastructure through our Protiviti Six Elements of Infrastructure, let’s first look at Strategy and Policy. Strategy – You should have a 3-5 year plan for IT, including known application changes, upgrades or replacements. The plan should reflect the growth of the business (volume, location, types of products/services), and call out resource requirements including people, hardware and software and some budgetary cost estimates to implement and maintain the environment. Your plan should also consider any initiatives to improve business continuity in the event of an IT service interruption, security to prevent loss of any sensitive data, and any special requirements to address regulatory requirements such as Payment Card Industry Data Security (Retail), Anti-Money Laundering (Financial Services), HIPAA (Healthcare) or FDA (Medical Devices/Pharma) reporting requirements. Turning our attention to Policy and Procedures, public companies should have repeatable processes and documentation specific to key IT governance functions. Some key examples include:
1) Change Management, including System Development Lifecycle Controls as required for SOX compliance. These typically include protocols (e.g. IT Steering Committee and approvals) for approving and monitoring IT projects, and include testing and approvals before new systems or changes go live.
2) Data Security, including documented processes, with approvals, for new users or changes to access.
3) Business Continuity, including the processes to bring up a failover IT environment in the event the primary environment goes down due to disaster or interruption. This will be especially critical where the business model is highly dependent on IT services.
Moving on to People, this area often presents the biggest challenges, where smaller IT teams struggle to provide a variety of technical skills. That, coupled with stricter controls and adherence to defined procedures with proper segregation-of-duties requirements, requires you to more clearly define distinct roles and responsibilities and restrict sensitive roles to fewer people. Your IT Strategy should include some definition of the skills, roles and even organization charts as you pass milestones. If hiring becomes a challenge you should consider outsourcing to supplement your core team’s skills in areas such as security, BCM, etc.
Management Reporting – Many CFOs are seeking ways to more proactively measure and monitor IT performance. In addition to the common financial metrics such as IT expense as a percentage of revenue, consider some of the other metrics on the slide. Benchmarking services, such as APQC (available through Protiviti), offer comparisons by SIC code so you can compare your performance to others in your peer group. (Optional) Methodologies – Within IT this usually refers to implementation methodology, and it is helpful when common steps are standardized, such as business case and steering committee approval for new projects, approvals for go-live, etc. To comply with SOX, however, you need to reference an IT controls framework – consider COBIT. Once adopted, take steps to create awareness and foster compliance with your methodologies. Systems – At the core of every good IT function are applications that adequately support user needs. Investing in more robust ERP solutions that are aligned with your current and anticipated business requirements, are used by like companies demanding similar capabilities, and are supported by financially strong and customer-responsive vendors will pay dividends over the long term. Many pre-IPO companies select and implement mainline ERP applications as a prerequisite to the IPO. Consider a formal, well-governed ERP selection as part of your IT strategy if your requirements indicate you need a change. Well, Steve, that covers a lot of ground on creating a scalable IT function. I’ll pass it back to you now.
A typical IPO can take up to four to six months to complete after the initial organizational meeting.
IPO planning should occur well in advance of the organizational meeting.
Potential causes of delay beyond this timeframe include market conditions, preparation of financial statements, structuring issues and SEC review.
Note that the SEC generally attempts to respond to the initial filing of a registration statement within 30 days, and to each amendment to the registration statement within a shorter period, typically one to three weeks.
Will you be ready?
Protiviti's Six Elements of Infrastructure for Public Company Readiness
Is the finance function strategy linked to business strategy?
Do we have all appropriate business policies documented?
Have we clearly defined lines between finance, IT and other functional units?
Do we have appropriate IT policies?
Are overall governance charters and board policies in place?
How effective and efficient is our Financial Close Process?
How effective is our Budgeting process?
Do we have documented processes?
Is process owner monitoring in place?
Do we have an Enterprise Risk Agenda?
Have we established an Internal Audit function?
Do we have an appropriate IT Service Organization?
Do we have BOD committees established?
Do we have an effective corporate structure?
Do we have the right professional advisory groups?
Do we have the requisite skills to ensure accurate financial reporting?
Do we have an appropriate Finance organization reporting structure?
Have we defined system users to mitigate Segregation of Duties issues?
Do we generate and review Enterprise Risk Assessment reports?
Internal customer reports?
Process owner self assessment?
Internal audit reports?
KPIs for Finance Organization effectiveness?
Relevant and reliable system reports?
Have we established methodologies for integrated SOX 302, 906 and 404 certification?
Do we have budget and financial control methodologies?
Have we established methodologies for application of accounting policies and estimates?
Do we have the resources and methodologies for IPO-Specific Initiatives?
Are we getting the information we need to run and grow the business?
Do we have an integrated and scalable IT environment?
Have we considered alignment of current ERP environment with key business initiatives?
Do we have appropriate Financial and operating systems?
Have we considered minimization of spreadsheets within financial reporting?
Do we have Internal controls and contracts repositories?
Action Item: Assess current state and urgency of remediation.
Six Elements of Infrastructure: Business Strategies & Policies; Business Processes; Organization and People; Management Reports; Methodologies; Systems and Data
Companies need to ensure they have the requisite skills and organization to understand the application of accounting principles and ensure accurate financial reporting.
Efficient Financial Close –
In order to meet the revised SEC filing requirements, companies must ensure they have an accurate and efficient financial close process.
Appropriate Corporate Governance and Sarbanes-Oxley Act of 2002 (“SOX”) Compliance –
Ensuring the company has a robust understanding of regulatory and corporate governance requirements and an efficient internal control environment is critical to achieving initial and ongoing compliance with SOX regulations.
Scalable IT Environment –
Reviewing the IT system environment to ensure that the company is able to handle the growth in the business is imperative in being public.
Typically, three years of audited income and cash flow statements and two years of audited balance sheets, plus unaudited interim period financials, are required to be presented in the registration statement for the offering.
Selected historical financials for the last five fiscal years are also required, but years four and five need not be audited.
Up to three years of audited financial statements could be required for recent or probable future acquisitions, depending on the significance of the transaction.
More Demanding Financing and Accounting Requirements
The financial statement and accounting requirements imposed on public companies can be significantly more demanding than those that private companies impose upon themselves.
Note that the underwriters for the IPO will require the company’s independent auditors to deliver a “comfort letter” describing their review of, and opinions on, the company’s financial statements. The company’s auditors should be consulted early in the process to identify and resolve any anticipated issues that could prevent delivery of a typical comfort letter.
We often recommend that a company perform a Financial Reporting (FR) Risk Profile.
An FR Risk Profile can serve as the logical "first step" in beginning the necessary risk assessment for scoping management's approach to Sarbanes-Oxley compliance.
This will provide transparency for the drivers and magnitude of financial reporting risks for all to see.
Review SEC comment letters
Review external auditor findings and management letters
Assess other regulatory agency notice or findings
Accurate Financial Reporting (cont’d)
Remediate
Understand Past, Present and Potential Challenges
Identify Authoritative Literature
Assign Profile Rating
Assess Need for Accounting Position Paper
Identify Relevant Accounts and Disclosures
Casual close process, few milestones, informal status reporting
Less mature accounting systems, little electronic integration
Numerous manual activities
No previous disclosure committee
Many spreadsheets, few controls, increasing risk of errors
Minimal documentation of processes
Dependent on key people
Efficient Financial Close

Filer Size               Form 10-K Deadline             Form 10-Q Deadline
Large Accelerated Filer  60 days after fiscal year-end  40 days after fiscal quarter-end
Accelerated Filer        75 days after fiscal year-end  40 days after fiscal quarter-end
Non-Accelerated Filer    90 days after fiscal year-end  45 days after fiscal quarter-end
The SEC rules define the term “internal control over financial reporting” to mean the following:
“A process designed by, or under the supervision of, the issuer’s principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles…”
Preparatory actions required:
Determine which financial reporting elements are critical
Determine which processes need to be documented
Determine who will prepare the documentation
Determine documentation standards
Estimated Time Frame to Complete:
This will likely take 2-4 months, depending on the level of documentation already in existence and the complexity of business processes; most companies use outside resources to assist in creating this body of evidence required by SOX.
Becoming SOX Compliant – 2. Identify Risks, Controls, Improvements in Internal Control over Financial Reporting
After documenting the significant business processes affecting financial reporting in Step 1, companies should identify the following:
What are the key risks (i.e. what could go wrong) within each process?
What controls are in place?
Who is the control owner (or owners)?
Are the controls adequate in mitigating the risks they are intended to address?
Do the controls operate as intended?
Are there any risks present that are not effectively mitigated by the controls?
Preparatory actions required:
Evaluate the entity-level control environment
Decide on the depth of documentation required
Validate management’s decision on documentation with external auditor
Decide how and where the documentation will be stored and maintained
Determine how to integrate IT risks and controls
Estimated Time Frame:
These activities can run concurrently with the process documentation in Step 1; the extent of this phase depends on the nature of the risks within the company’s processes and could take between 2-4 months.
Becoming SOX Compliant – 3. Conduct Remediation of Internal Control Structure
Internal control over financial reporting cannot be deemed effective if any material weaknesses exist.
After evaluating and testing internal control in Step 2, companies should do the following with respect to any identified deficiencies (areas of improvement):
Evaluate the nature and significance of the deficiencies
Take appropriate action to remedy design deficiencies
Take appropriate action to remedy operating deficiencies
Preparatory actions required:
Determine process for evaluating gaps
Decide methodology for designing solutions to close gaps
Decide approach to implementing solutions to close gaps
Estimated Time Frame:
These activities can run concurrently with the internal control evaluation in Step 2; the extent of this remediation phase depends on the nature and complexity of the issues identified but could take between 2-3 months.
Becoming SOX Compliant – 4. Evaluate the Role and Composition of the Board and Audit Committees
Factors for consideration from NYSE and Nasdaq requirements include:
Appropriate definition of “Independence”
Independence of majority of Board members
Separate meetings of Independent Board members
Composition, responsibilities and charter for Compensation, Nominating and Audit Committees
At a minimum, the Audit Committee should work with the CEO, the CFO and the Disclosure Committee Chair to evaluate the process for
(i) identifying important financial reporting issues, (ii) presenting such issues to the responsible parties on a timely basis, and (iii) ensuring such issues are fairly presented in accordance with GAAP in the company’s financial statements and public reports
The audit committee must have at least one fully independent member at the time of the initial listing. Thereafter, there must be a majority of independent members within 90 days and a fully independent committee within one year.
The “audit committee financial expert” disclosure is required
Becoming SOX Compliant – 5. Evaluate Need for Internal Audit Function
The NYSE (Rule 303A(7)(e)) requires companies to establish an internal audit function. As explained by the NYSE:
The purpose of the internal audit function is to provide management and the audit committee with ongoing assessments of the company’s risk management processes and systems of internal control. A company may choose to outsource this function to a third party service provider other than its independent auditor.
Develop function in house and hire as needed
Outsource function to a third party service provider
Determine Internal Audit’s Objectives, Charter, Mission, etc.
Develop Internal Audit Plan
Estimated Time Frame:
If function is developed in house, 3-6 months, after hiring full time lead
If function is outsourced, 1-2 months.
Overall time frame could be reduced if the Sarbanes-Oxley risk assessment (focused on financial reporting) and the internal audit risk assessment (for the business, regulatory, and operations risks) are combined.
Becoming SOX Compliant – 6. Implement a Process to Test Internal Controls Over Financial Reporting
Required by Section 404 and by the PCAOB (Public Company Accounting Oversight Board)
Companies must evaluate the effectiveness, as of the end of each fiscal year, of their internal control over financial reporting.
This evaluation will include an assessment of “design effectiveness” and “operational effectiveness”
Design effectiveness – Assess the effectiveness of the controls design in both reducing the stated risks to an acceptable level and achieving the stated financial reporting objectives
Operational effectiveness – Validate that the controls are operating as designed. Validation can occur through process-owner monitoring, entity-level monitoring by management, internal audit validation (testing) or a combination of these
Actions required in developing a testing plan:
Determine what testing will need to be performed
Determine who will perform testing
Determine where testing will be documented and stored
Determine process for concluding on evaluations for reporting
Estimated Time Frame:
Testing should generally be completed 3-6 months prior to year end so that the external auditors can perform their testing.
Becoming SOX Compliant – 7. Evaluate Need for an Enhanced Financial Reporting Function
In addition to the accelerated 10-K and 10-Q filing deadlines required by Section 409 of Sarbanes-Oxley, “real-time” disclosures (i.e., Form 8-K) must disclose to the public, on a rapid basis (e.g. within two business days), information concerning material changes in financial condition or operations.
Disclose material correcting adjustments
Describe all material off-balance sheet transactions
Provide tabular disclosure of contractual obligations
Reconcile all publicly disclosed non-GAAP financial measures
Reconcile all non-GAAP financial measures used in SEC filings
Becoming SOX Compliant – 8. Implement a CEO/CFO Certification Process
Required by Sections 302 and 906 of the Sarbanes-Oxley Act
A key step in this process is to establish disclosure controls and procedures, including establishing the makeup and protocols of the Disclosure Committee
The CEO and CFO must certify, in writing, periodic reports containing financial statements. The certification must be filed as Exhibit No. 32 and signed; the certification must certify that:
The report fully complies with the requirements of Section 13(a) or 15(d) of the Exchange Act, as applicable;
The information contained in the report fairly presents, in all material respects, the financial condition and results of operations of the company.
The CEO and CFO must certify annual/quarterly reports, “disclosure controls and procedures” and “internal control over financial reporting”; the certification must be filed as Exhibit No. 31 and signed.
Determine whether back-up certifications are required and, if so, who needs to be involved in the chain of certification process
Identify the information needed for the CEO/CFO to certify
Develop the process for holding process owners accountable to create a chain of accountability
Implement ongoing evaluation process to enable certifying officers to focus on change
Estimated Time Frame:
In-house: 1-2 months
Outsourced: 2-4 weeks
Becoming SOX Compliant – 9. Make Code of Ethics and Business Conduct Policy Publicly Available
Required by Section 406 of the Sarbanes-Oxley Act
You are required to disclose in your annual report on Form 10-K that you have adopted a code of ethics, and to make the code available to investors through one of the following methods:
Filing it as an exhibit to your 10-K
Posting it on your website
Disclosing in your 10-K that you will make the code available upon request.
The Audit Committee is required to establish procedures for:
The receipt, retention and treatment of complaints received by the company regarding accounting, internal accounting controls and auditing matters; and
The confidential, anonymous submissions by employees of the company of concerns regarding questionable accounting or auditing matters.
Companies must consider how to assess these complaints, determine who will conduct the investigation of each complaint, and how the results will be communicated to management and the audit committee in an appropriate manner. As the SEC recognizes in its comments on Rule 10A-3, there is no “one size fits all solution”. Finding the correct solution will require input from management and the design of a program to fit the culture and risk profile of each specific Company.
Decide whether to handle in house or outsource to a third party service provider
Identify hotline technology solution
Develop hotline-related processes
Estimated Time Frame:
If function is developed in house, 3-6 months.
If function is outsourced, 1-2 months. Can substantially be developed with the assistance of outside consultants and vendors.
Becoming SOX Compliant – 11. Address Other SOX Provisions
The determination that a company is SOX-compliant is ultimately a legal determination. Therefore, legal advice should be sought to facilitate this determination.
Many provisions of the Act do not require specific actions, but do require education of directors and officers to ensure ongoing compliance. For example, directors and officers must understand:
Insider trading provisions, including restrictions during pension fund blackout periods (Sections 306 and 403)
The strategy should cover application, infrastructure and organizational requirements, including outsourcing. It should include a roadmap for major projects and projected resource requirements and address the following critical IT related risks:
Failover systems, if the business is highly dependent on high-availability systems.
Data security and governance, if loss of sensitive data or IP would have a severe impact on the business.
Plans to comply with various regulations (SOX, HIPAA, PCI, etc.), as required
Define and implement formal process and controls for:
Change Management (including IT Steering Committee and SDLCs - System Development Lifecycle Controls)
Security and Access Management and Operations
Establish user support operations consistent with service level agreements
Document and follow standard operations processes
People & Organizational Structure
Ensure that org structure, reporting lines and responsibilities (such as Security or Production Support) are clearly defined
Validate that IT personnel have appropriate skills to support their evolving functions, and ensure ongoing training
Ensuring a Scalable IT Environment – Key Activities
Six Elements of Infrastructure: IT Strategy & Policies; Business Processes; People and Organization; Management Reports; Methodologies; Systems and Data