Protiviti's Tips - Will you be ready for an IPO when the market is?


Protiviti's 'Going Public - Will you be ready when the market is' presentation from December 2009.

Published in: Business, Economy & Finance
  • This slide lists some of the key questions boards and management need to ask themselves when contemplating an IPO. The challenges faced by companies preparing for a public offering include: accelerated reporting deadlines, SOX requirements, corporate governance, increased scrutiny of complex accounting policies and positions, the scalability of the IT infrastructure, and the adequacy of people resources.
  • List of selected key policies covering most “go public” companies: Anti-Fraud Policy; Insider Trading Policy; Code of Conduct (conflict of interest, related party transactions, confidentiality, fair dealing, protection and proper use of company assets, compliance with laws and regulations); HR Policies (hiring, termination, equity awards, annual review); Accounting/Finance Policies; IT Policies (security, change management, business continuity management); Audit Committee Charter; Disclosure Committee Charter; Compensation Committee Charter; Job Descriptions.
  • Today we will focus on the more pervasive inherent risks that frequently pose significant challenges for companies with public company aspirations: financial reporting, closing the books, the IT environment, and governance/SOX compliance. Chris, provide us with some guidance on how we maneuver through the maze of what seems to be an increasingly complex financial reporting environment.
  • One key activity, prior to a public offering, is for management and the audit committee to get ahead of the curve by assessing financial reporting risk so that it can be managed up-front, rather than being susceptible to being managed after the fact by external auditors, regulators and others.
  • Once done, a financial reporting risk assessment should be periodically updated. Early on, prior to an IPO, your sources of risk indicators may be external auditors, investors, underwriters, etc. Once you are public, the possibility of SEC comment letters (those generated by the IPO and those generated thereafter by public filing reviews) and even of the PCAOB reviewing the work of your external auditor enter the mix and need to be considered, as will new and updated accounting pronouncements, which may be applicable to you broadly or specifically.
  • Thanks Steve. Some, but not all, non-public companies have the luxury of longer close timelines. On this slide you can see deadlines for common newly public companies: Non-Accelerated Filers with market cap under 75M, Accelerated Filers 75-700M. In addition to the SEC-required deadlines, public companies usually prepare more extensive disclosures than most private companies, so most companies will have to both speed up the close cycle and do more during that same cycle. The increased demands often require more discipline via checklists, status reporting, and rapid issue resolution. Box calendars should be replaced with detailed checklists, and daily status reporting and sometimes daily staff meetings should be implemented, especially if your current close schedule does not comply with the rules. Lengthy manual tasks create bottlenecks that can best be resolved with stronger systems functionality and better integration. For example, QuickBooks and spreadsheets often must be replaced with more mature accounting applications, and spreadsheets with interfaces or automated custom applications. You may not have a formal disclosure committee identified with regular meetings set. You may also lack draft disclosure documents. Newly public companies are also subject to SOX 302 certification, requiring the CEO and CFO to certify that the financial statements are complete and accurate. Checklists, and in some cases a 302 sub-certification, provide the executives some additional comfort that the financial statements are complete and accurate.
  • To effectively assess and improve your close process you must start with a detailed task checklist. The task list should reflect each JE, spreadsheet or manual process, by person, required to close. It should include activities in remote locations and inputs from 3rd parties. Once this is in place and you have some history, you can seek to make improvements. Protiviti advocates evaluating your close process holistically, across our Six Elements of Infrastructure. The slide before you describes some common opportunities for improvement. Focusing on just a few items, let’s first look at the process. In addition to tracking the actual start and end times for all activities, hold formal pre-close meetings, daily status meetings, and post-close debriefings. These meetings are imperative to verify status, identify delays, raise issues, and establish accountability to due dates. With the results of a detailed checklist you can create insightful dashboards and reports. Consider graphing the number of tasks by day from day -10 to day 45 to see how much you’re getting done early, and the number of tasks by person by day to see if the work is spread evenly. You can also prepare a Gantt chart to analyze the critical path. Under the Methodologies element of our framework, review your spreadsheets and your reconciliations. Look in particular at the nature of the calculations: are they consistent with the GAAP treatment prescribed? Is the level of detail appropriate? Too much is too time consuming; not enough is insufficient to support the audit. Also consider prioritizing reconciliations, moving lower-risk recons to after GL close. Systems is the final element and frequently requires much attention. We’ve mentioned more mature accounting applications to eliminate spreadsheets. Where spreadsheets remain (some always will), specific spreadsheet controls should be implemented to reduce risk. For example, spreadsheets should be organized with separate data entry sections, formula cells locked, workbooks password protected, and files stored on a central server for backup and limited access. On the next slide we’ll discuss common challenges in revenue, especially for any high tech, software or services company.
  • The question is raised because many pre-IPO and newly public companies have smaller IT staffs struggling to support a wide variety of end user needs. Your IT team must support everything from your LAN, PCs and printers, to ERP/accounting applications, to engineering workstations and central storage servers; some also support customer-facing applications. These “start up” environments often succeed because of a strong “can do” attitude, yet also resist many of the formal processes, approvals and controls required in public companies. Some other key challenges most companies face in preparing to go public include: SOX-required controls in the form of SDLCs, i.e. controls such as an IT Steering Committee, testing requirements, and formal approvals prior to making changes to production applications or data; replacing less expensive, less sophisticated accounting applications with more robust ERP applications better suited to support growth plans; and additional electronic integration in the form of interfaces, EDI, etc. As you explore alternatives you’ll need to address some significant long-term decisions, such as outsourcing or hosted applications, that may be attractive to mitigate implementation costs and reduce the in-house skills necessary to support these applications. In the following slides we will briefly present some key attributes of the IT infrastructure you should consider for IPO readiness.
  • Looking at the IT infrastructure through our Protiviti Six Elements of Infrastructure, let’s first look at Strategy and Policy. Strategy: you should have a 3-5 year plan for IT, including known application changes, upgrades or replacements. The plan should reflect the growth of the business (volume, location, types of products/services), and call out resource requirements including people, hardware and software, and some budgetary cost estimates to implement and maintain the environment. Your plan should also consider any initiatives to improve business continuity in the event of an IT service interruption, security to prevent loss of any sensitive data, and any special requirements to address regulatory requirements such as Payment Card Industry Data Security (retail), Anti-Money Laundering (financial services), HIPAA (healthcare) or FDA (medical devices/pharma) reporting requirements. Turning our attention to Policy and Procedures, public companies should have repeatable processes and documentation specific to key IT governance functions. Some key examples include: 1) Change Management, including System Development Lifecycle controls as required for SOX compliance. These typically include protocols (e.g. IT Steering Committee and approvals) for approving and monitoring IT projects, and include testing and approvals before new systems or changes go live. 2) Data Security, including documented processes, with approvals, for new users or changes to access. 3) Business Continuity, including the processes to bring up a failover IT environment in the event the primary environment goes down due to disaster or interruption. This will be especially critical where the business model is highly dependent on IT services. Moving on to People, this area often presents the biggest challenges, where smaller IT teams struggle to provide a variety of technical skills. That, coupled with stricter controls and adherence to defined procedures with proper segregation of duties requirements, requires you to more clearly define distinct roles and responsibilities and restrict sensitive roles to fewer people. Your IT strategy should include some definition of the skills, roles and even organization charts as you pass milestones. If hiring becomes a challenge you should consider outsourcing to supplement your core team’s skills in areas such as security, BCM, etc.
  • Management Reporting: many CFOs are seeking ways to more proactively measure and monitor IT performance. In addition to the common financial metrics such as IT expense as a percentage of revenue, consider some of the other metrics on the slide. Benchmarking services, such as APQC (available through Protiviti), offer comparisons by SIC codes so you can compare your performance to others in your peer group. (Optional) Methodologies: within IT this usually refers to implementation methodology, and it is helpful when common steps are standardized, such as business case and steering committee approval for new projects, approvals for go-live, etc. To comply with SOX, however, you need to reference some IT controls framework; consider COBIT. Once adopted, take steps to create awareness and foster compliance with your methodologies. Systems: at the core of every good IT function are applications that adequately support user needs. Investing in more robust ERP solutions that are aligned with your current and anticipated business requirements, are used by like companies demanding similar capabilities, and are supported by financially strong and customer-responsive vendors will pay dividends over the long term. Many pre-IPO companies select and implement mainline ERP applications as a prerequisite to the IPO. Consider a formal, well-governed ERP selection as part of your IT strategy if your requirements indicate you need a change. Well Steve, that covers a lot of ground on creating a scalable IT function. I’ll pass it back to you now.

    1. Panel Participants
      • Russ Collins, Managing Director, Protiviti, [email_address], (469) 374-2549
      • Wesley P. Williams, Partner, Thompson & Knight, [email_address], (214) 969-1324

    2. What Does It Mean to Be a Public Company?
      • Closer Scrutiny by Regulators (SEC, PCAOB)
      • Closer Scrutiny by Investors and Analysts
      • Closer Scrutiny of Corporate Governance Policies and Activities
      • Timely Year-End and Quarterly Reporting
      • Increased Disclosures for Listed Companies
      • Scrutiny/Disclosure/Restrictions on Related Party Transactions
      • Increased Officer Liability: Officer Certifications and Certification Process
      • Effectiveness of Internal Controls Over Financial Reporting (SOX 404)
      • Sustainable Process for Management Testing Effectiveness of Controls
      • Increased Focus on Forecasting/Planning/Budgeting

    3. Going Public – Some Challenges
      • Do we have the right skills to ensure accurate financial reporting?
      • Can we meet the reporting timelines required by the SEC?
      • Is our corporate governance structure adequate?
      • Do we understand the Sarbanes-Oxley Act requirements?
      • Do we have appropriate business policies?
      • Do we have documented management processes?
      • Does the data used to manage and report our results have integrity?
      • How effective is our Internal Audit function?
      • Is our IT infrastructure scalable to handle our growth?
      If you are planning an IPO, perform an assessment with a focus on the key risks that most newly public companies tend to face, and allow enough time to prepare.

    4. The IPO Process – Timing Generally
      • A typical IPO can take up to four to six months to complete after the initial organizational meeting.
        • IPO planning should occur well in advance of the organizational meeting.
      • Potential causes of delay beyond this timeframe include market conditions, preparation of financial statements, structuring issues and SEC review.
      • Note that the SEC generally attempts to respond to the initial filing of a registration statement within 30 days, and to each amendment to the registration statement within a shorter period, typically one to three weeks.
      • Will you be ready?
    5. Protiviti's Six Elements of Infrastructure for Public Company Readiness
      • Is the finance function strategy linked to business strategy?
      • Do we have all appropriate business policies documented?
      • Have we clearly defined lines between finance, IT and other functional units?
      • Do we have appropriate IT policies?
      • Are overall governance charters and board policies in place?
      • How effective and efficient is our Financial Close Process?
      • How effective is our Budgeting process?
      • Do we have documented processes?
      • Is process owner monitoring in place?
      • Do we have an Enterprise Risk Agenda?
      • Have we established an Internal Audit function?
      • Do we have an appropriate IT Service Organization?
      • Do we have BOD committees established?
      • Do we have an effective corporate structure?
      • Do we have the right professional advisory groups?
      • Do we have the requisite skills to ensure accurate financial reporting?
      • Do we have an appropriate Finance organization reporting structure?
      • Have we defined system users to mitigate Segregation of Duties issues?
      • Do we generate and review Enterprise Risk Assessment reports?
      • Internal customer reports?
      • External reports?
      • Process owner self assessment?
      • Internal audit reports?
      • KPIs for Finance Organization effectiveness?
      • Relevant and reliable system reports?
      • Have we established methodologies for integrated SOX 302, 906 and 404 certification?
      • Do we have budget and financial control methodologies?
      • Have we established methodologies for application of accounting policies and estimates?
      • Do we have the resources and methodologies for IPO-Specific Initiatives?
      • Are we getting the information we need to run and grow the business?
      • Do we have an integrated and scalable IT environment?
      • Have we considered alignment of current ERP environment with key business initiatives?
      • Do we have appropriate Financial and operating systems?
      • Have we considered minimization of spreadsheets within financial reporting?
      • Do we have Internal controls and contracts repositories?
      The Six Elements: Business Strategies & Policies; Business Processes; Organization and People; Management Reports; Methodologies; Systems and Data.
      Action Item: Assess current state and urgency of remediation.

    6. Prioritize Infrastructure Improvements
      [Chart: the 16 numbered infrastructure items plotted by Current State (1-5) against Urgency (1-5), color-coded Red / Orange / Yellow / Green]
      Interpretation:
      • Medium to High Urgency; Medium to High Need
      • Medium to High Need; Low to Medium Urgency
      • Medium to High Urgency; Low to Medium Need
      • Either low Urgency or low Need

    7. Develop Action Plan and Timeline
      Initiatives:
      • Build Integrated ERP Environment
      • Implement Finance & Business Policies
      • Establish Financial Close Process Effectiveness
      • Build Financial and Operating Analytical Capability
      • Minimize spreadsheet use within financial reporting
      • Achieve 3 years of clean external audit
      • Build Corporate Governance Structure
      • SOX Readiness – Establish Internal Controls
      • Develop Scalable IT Processes
      • Build Disaster Recovery Capability
      • Strengthen Security Posture
      • IPO-Specific Initiatives
      • Build out Finance / IT / Other Teams
      • Additional Operational & Client Service Goals
      Timing: assumes IPO on 1/01/10; initiatives are scheduled by half-year (1H10, 2H10, 1H11, 2H11, i.e. milestones at 6/30/10, 12/31/10, 06/30/11 and 12/31/11).
    8. Going Public – Typical Risky Areas
      • Accurate Financial Reporting
        • Companies need to ensure they have the requisite skills and organization to understand the application of accounting principles and ensure accurate financial reporting.
      • Efficient Financial Close
        • In order to meet the revised SEC filing requirements, companies must ensure they have an accurate and efficient financial close process.
      • Appropriate Corporate Governance and Sarbanes-Oxley Act of 2002 (“SOX”) Compliance
        • Ensuring the company has a robust regulatory and corporate governance understanding and an efficient internal control environment is critical to achieving initial and ongoing compliance with SOX regulations.
      • Scalable IT Environment
        • Reviewing the IT system environment to ensure that the company is able to handle the growth in the business is imperative in being public.

    9. Accurate Financial Reporting
      • Management and the audit committee should know where the key risks to your company’s financial reporting process exist, including:
        • Accounting for transactions with significant estimates or judgments
        • Complex transactions and new and difficult accounting principles application
        • Accurate underlying data
        • Adequate system support
        • Management override opportunity
      • Companies need to work in “anticipatory mode” to get out in front of financial reporting issues before they become reputation threatening.

    10. Accurate Financial Reporting (cont’d)
      • Preparing for Public Company Regulation
        • Public companies are subject to a host of rules, regulations and requirements under the U.S. securities laws, stock exchange regulations and other authorities.
          • Prepare well in advance
            • Reporting requirements of the Securities Exchange Act of 1934, including requirements to file 10-Ks, 10-Qs, 8-Ks and proxy statements
            • CEO and CFO certifications as to the company’s disclosure controls and the accuracy and completeness of its annual and quarterly reports
            • Antifraud provisions of Rule 10b-5 and similar provisions of the U.S. securities laws will apply to SEC filings and to the company’s communications generally
              • Monitor all public statements for material misstatements or omissions

    11. Accurate Financial Reporting (cont’d)
      • Historical Financial Statements
        • Typically, three years of audited income and cash flow statements and two years of audited balance sheets, plus unaudited interim period financials, are required to be presented in the registration statement for the offering.
        • Selected historical financials for the last five fiscal years are also required, but years four and five need not be audited.
        • Up to three years of audited financial statements could be required for recent or probable future acquisitions, depending on the significance of the transaction.
      • More Demanding Financing and Accounting Requirements
        • The financial statement and accounting requirements imposed on public companies can be significantly more demanding than those that private companies impose upon themselves.
        • Note that the underwriters for the IPO will require the company’s independent auditors to deliver a “comfort letter” describing their review of, and opinions on, the company’s financial statements. The company’s auditors should be consulted early in the process to identify and resolve any anticipated issues that could prevent delivery of a typical comfort letter.

    12. Accurate Financial Reporting (cont’d)
      • We often recommend that a company perform a Financial Reporting (FR) Risk Profile.
      • An FR Risk Profile can serve as the logical "first step" in beginning the necessary risk assessment for scoping management's approach to Sarbanes-Oxley compliance.
      • This will provide transparency for the drivers and magnitude of financial reporting risks for all to see.
      FR Risk Profile steps:
      • Understand Past, Present and Potential Challenges
        • Review SEC comment letters
        • Review external auditor findings and management letters
        • Assess other regulatory agency notices or findings
      • Identify Relevant Accounts and Disclosures
        • Material account balances
        • Significant / complex transactions
        • Financial statement disclosures
      • Identify Authoritative Literature
        • Identify available guidance
        • Consider the various alternatives
        • Review application of alternatives
      • Assess Need for Accounting Position Paper
        • Inventory existing policies and procedures
        • Evaluate current practice
        • Consider transparency of accounting position
      • Assign Profile Rating
        • Finance management consideration of data gathered
        • Discussion of findings
        • Financial management assigns a rating
      • Remediate
        • Develop action plan with key stakeholders
        • Implement changes
        • Re-assess
    13. Efficient Financial Close
      SEC Requirement for Public Companies:
        Filer Size               Form 10-K Deadline              Form 10-Q Deadline
        Large Accelerated Filer  60 days after fiscal year-end   40 days after fiscal quarter-end
        Accelerated Filer        75 days after fiscal year-end   40 days after fiscal quarter-end
        Non-Accelerated Filer    90 days after fiscal year-end   45 days after fiscal quarter-end
      Common Challenges for Pre-Public Companies:
      • Casual close process, few milestones, informal status reporting
      • Less mature accounting systems, little electronic integration
      • Numerous manual activities
      • No previous disclosure committee
      • Many spreadsheets, few controls, increasing risk of errors
      • Minimal documentation of processes
      • Dependent on key people

    14. Efficient Financial Close (cont’d)
      Develop a detailed close checklist. Some leading practices, organized across the Six Elements (Business Policies, Business Processes, People and Organization, Management Reports, Methodologies, Systems and Data):
      • Pre-determined escalation policy and protocols
      • Remote location & 3rd party tasks, report formats clearly defined
      • Financial reporting adjustments and approval authority established
      • Detailed tracking of financial close activities
      • Daily status meetings
      • Frequency and participation for Disclosure Committee, Audit Committee and External Audit review
      • Accountability to due dates
      • Well defined roles, training and requisite skills
      • Disclosure Committee composition
      • Daily close status and issue reporting
      • Use process dashboards to monitor/improve performance (time, JEs by task, person, day, etc.)
      • Track proposed GL adjustments
      • 302 sub certifications
      • Level of detail appropriate to materiality requirements
      • Reconciliations prioritized, standard templates used
      • Replace spreadsheets
      • Enhance Spreadsheet Controls
      • Integrated systems to control data flow
      • Electronic support schedules

    15. Appropriate Corporate Governance and SOX Compliance
      Recommended Timeline of Selected SOX Activities for a Company Embarking on an IPO
    16. 16. Becoming SOX Compliant – 1. Document Significant Business Processes Affecting Financial Reporting <ul><li>All key business processes must be documented </li></ul><ul><li>The SEC rules define the term “internal control over financial reporting” to mean the following: </li></ul><ul><ul><li>“ A process designed by, or under the supervision of, the issuer’s principal executive and principal financial officers, or persons performing similar function, and effected by the issuer’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles…” </li></ul></ul><ul><li>Preparatory actions required: </li></ul><ul><ul><li>Determine which financial reporting elements are critical </li></ul></ul><ul><ul><li>Determine which processes need to be documented </li></ul></ul><ul><ul><li>Determine who will prepare the documentation </li></ul></ul><ul><ul><li>Determine documentation standards </li></ul></ul><ul><li>Estimated Time Frame to Complete: </li></ul><ul><ul><li>Likely will take 2-4 months to prepare this documentation depending on level of documentation already in existence and complexity of business processes; most companies are utilizing outside resources to assist in creating this body of evidence required by SOX </li></ul></ul>
    17. 17. Becoming SOX Compliant – 2. Identify Risks, Controls, Improvements in Internal Control over Financial Reporting <ul><li>After documenting the significant business processes affecting financial reporting in Step 1, companies should identify the following: </li></ul><ul><ul><li>What are the key risks (i.e. what could go wrong) within each processes? </li></ul></ul><ul><ul><li>What controls are in place? </li></ul></ul><ul><ul><li>Who is the control owner(s)? </li></ul></ul><ul><ul><li>Are the controls adequate in mitigating the risks they are intended to address? </li></ul></ul><ul><ul><li>Do the controls operate as intended? </li></ul></ul><ul><ul><li>Are there any risks present that are not effectively mitigated by the controls? </li></ul></ul><ul><li>Preparatory actions required: </li></ul><ul><ul><li>Evaluate the entity-level control environment </li></ul></ul><ul><ul><li>Decide on the depth of documentation required </li></ul></ul><ul><ul><li>Validate management’s decision on documentation with external auditor </li></ul></ul><ul><ul><li>Decide how and where the documentation will be stored and maintained </li></ul></ul><ul><ul><li>Determine how to integrate IT risks and controls </li></ul></ul><ul><li>Estimated Time Frame: </li></ul><ul><ul><li>These activities can run concurrent to the process documentation in Step 1; the extent of this phase is dependent on the nature of the risks within the company’s processes and could take between 2-4 months </li></ul></ul>
    18. 18. Becoming SOX Compliant – 3. Conduct Remediation of Internal Control Structure <ul><li>The internal control over financial reporting can not be deemed effective if any material weaknesses exist. </li></ul><ul><li>After evaluating and testing internal control in Step 2, companies should do the following with respect to any identified deficiencies (areas of improvement): </li></ul><ul><ul><li>Evaluate the nature and significance of the deficiencies </li></ul></ul><ul><ul><li>Take appropriate action to remedy design deficiencies </li></ul></ul><ul><ul><li>Take appropriate action to remedy operating deficiencies </li></ul></ul><ul><li>Preparatory actions required: </li></ul><ul><ul><li>Determine process for evaluating gaps </li></ul></ul><ul><ul><li>Decide methodology for designing solutions to close gaps </li></ul></ul><ul><ul><li>Decide approach to implementing solutions to close gaps </li></ul></ul><ul><li>Estimated Time Frame: </li></ul><ul><ul><li>These activities can run concurrent to the internal control evaluation in Step 2; the extent of this remediation phase is dependent on the nature and complexity of the issues identified but could take between 2-3 months </li></ul></ul>
    19. 19. Becoming SOX Compliant – 4. Evaluate the Role and Composition of the Board and Audit Committees <ul><li>Factors for consideration from NYSE and Nasdaq requirements include: </li></ul><ul><ul><li>Appropriate definition of “Independence” </li></ul></ul><ul><ul><li>Independence of majority of Board members </li></ul></ul><ul><ul><li>Separate meetings of Independent Board members </li></ul></ul><ul><ul><li>Composition, responsibilities and charter for Compensation, Nominating and Audit Committees </li></ul></ul><ul><li>At a minimum, the Audit Committee should work with the CEO, the CFO and the Disclosure Committee Chair to evaluate the process for </li></ul><ul><ul><li>(i) identifying important financial reporting issues, (ii) presenting such issues to the responsible parties on a timely basis, and (iii) ensuring such issues are fairly presented in accordance with GAAP in the company’s financial statements and public reports </li></ul></ul><ul><li>Independence: </li></ul><ul><ul><li>The audit committee must have at least one fully independent member at the time of the initial listing. Thereafter, there must be a majority of independent members within 90 days and a fully independent committee within one year.  </li></ul></ul><ul><li>Financial Expert: </li></ul><ul><ul><li>The “audit committee financial expert” disclosure is required </li></ul></ul>
20. Becoming SOX Compliant – 5. Evaluate Need for Internal Audit Function

- The NYSE (Rule 303A(7)(e)) requires companies to establish an internal audit function. As explained by the NYSE:
  - The purpose of the internal audit function is to provide management and the audit committee with ongoing assessments of the company’s risk management processes and systems of internal control. A company may choose to outsource this function to a third party service provider other than its independent auditor.
- Options available:
  - Develop the function in house and hire as needed
  - Outsource the function to a third party service provider
  - A combination of the two (co-source the required expertise)
- Actions required:
  - Determine Internal Audit’s objectives, charter, mission, etc.
  - Develop the Internal Audit Plan
- Estimated Time Frame:
  - If the function is developed in house, 3-6 months after hiring a full-time lead
  - If the function is outsourced, 1-2 months
  - The overall time frame could be reduced if the Sarbanes-Oxley risk assessment (focused on financial reporting) and the internal audit risk assessment (covering business, regulatory and operational risks) are combined.
21. Becoming SOX Compliant – 6. Implement a Process to Test Internal Controls Over Financial Reporting

- Required by Section 404 and by the PCAOB (Public Company Accounting Oversight Board)
- Companies must evaluate the effectiveness, as of the end of each fiscal year, of their internal control over financial reporting.
- This evaluation will include an assessment of “design effectiveness” and “operational effectiveness”:
  - Design effectiveness – Assess whether the controls, as designed, both reduce the stated risks to an acceptable level and achieve the stated financial reporting objectives
  - Operational effectiveness – Validate that the controls are operating as designed. Validation can occur through process-owner monitoring, entity-level monitoring by management, internal audit validation (testing) or a combination of these
- Actions required in developing a testing plan:
  - Determine what testing will need to be performed
  - Determine who will perform the testing
  - Determine where testing will be documented and stored
  - Determine the process for concluding on evaluations for reporting
- Estimated Time Frame:
  - Testing should generally be completed 3-6 months prior to year end so that the external auditors can perform their testing.
22. Becoming SOX Compliant – 7. Evaluate Need for an Enhanced Financial Reporting Function

- In addition to the accelerated 10-K and 10-Q filing deadlines required by Section 409 of Sarbanes-Oxley, “real-time” disclosures (i.e., Form 8-K) must disclose to the public, on a rapid basis (e.g., within two business days), information concerning material changes in financial condition or operations:
  - Disclose material correcting adjustments
  - Describe all material off-balance sheet transactions
  - Provide tabular disclosure of contractual obligations
  - Reconcile all publicly disclosed non-GAAP financial measures
  - Reconcile all non-GAAP financial measures used in SEC filings
23. Becoming SOX Compliant – 8. Implement a CEO/CFO Certification Process

- Required by Sections 302 and 906 of the Sarbanes-Oxley Act
- A key step in this process is to establish disclosure controls and procedures, including the makeup and protocols of the Disclosure Committee
- The CEO and CFO must certify, in writing, periodic reports containing financial statements. The certification must be filed as Exhibit No. 32 and signed; it must certify that:
  - The report fully complies with the requirements of Section 13(a) or 15(d) of the Exchange Act, as applicable;
  - The information contained in the report fairly presents, in all material respects, the financial condition and results of operations of the company.
- The CEO and CFO must certify annual/quarterly reports, “disclosure controls and procedures” and “internal control over financial reporting”; this certification must be filed as Exhibit No. 31 and signed
- Actions required:
  - Determine whether back-up certifications are required and, if so, who needs to be involved in the chain of certification
  - Identify the information the CEO/CFO need in order to certify
  - Develop the process for holding process owners accountable, creating a chain of accountability
  - Implement an ongoing evaluation process so that certifying officers can focus on change
- Estimated Time Frame:
  - In-house – 1-2 months
  - Outsourced – 2-4 weeks
24. Becoming SOX Compliant – 9. Make Code of Ethics and Business Conduct Policy Publicly Available

- Required by Section 406 of the Sarbanes-Oxley Act
- You are required to disclose in your annual report on Form 10-K that you have adopted a code of ethics, and to make the code available to investors through one of the following methods:
  - Filing it as an exhibit to your 10-K
  - Posting it on your website
  - Disclosing in your 10-K that you will make the code available upon request
- Actions required: Only upon IPO
- Estimated Time Frame:
  - In-house, 1-2 months to develop
25. Becoming SOX Compliant – 10. Establish a “Whistle Blower” Hotline

- Required by Section 301 of the Sarbanes-Oxley Act
- The Audit Committee is required to establish procedures for:
  - The receipt, retention and treatment of complaints received by the company regarding accounting, internal accounting controls and auditing matters; and
  - The confidential, anonymous submission by employees of the company of concerns regarding questionable accounting or auditing matters.
- Companies must consider how to assess these complaints, who will investigate each complaint, and how the results will be communicated to management and the audit committee in an appropriate manner. As the SEC recognizes in its comments on Rule 10A-3, there is no “one size fits all” solution. Finding the correct solution will require input from management and the design of a program that fits the culture and risk profile of each specific company.
- Actions required:
  - Decide whether to handle the hotline in house or outsource it to a third party service provider
  - Identify a hotline technology solution
  - Develop hotline-related processes
- Estimated Time Frame:
  - If the function is developed in house, 3-6 months.
  - If the function is outsourced, 1-2 months. It can be substantially developed with the assistance of outside consultants and vendors.
26. Becoming SOX Compliant – 11. Address Other SOX Provisions

- The determination that a company is SOX-compliant is ultimately a legal determination; legal advice should therefore be sought to support it.
- Many provisions of the Act do not require specific actions, but do require education of directors and officers to ensure ongoing compliance. For example, directors and officers must understand:
  - Insider trading provisions, including restrictions during pension fund blackout periods (Sections 306 and 403)
  - Prohibited conduct (Sections 303, 402, 802, 806, 807, 1102, 1107, etc.)
- Attorneys have specific conduct requirements under the Act that directors and officers should understand (Section 307)
- Actions required:
  - Consult with legal counsel to identify the additional relevant SOA requirements
  - If appropriate, arrange for Director and Officer orientation
  - For each remaining requirement, develop an action plan
  - Assign accountability for execution of the action plan
  - Monitor execution of the action plan
- Estimated Time Frame:
  - Depending on the nature of the remaining issues, these activities could take up to 6 months.
27. Ensuring a Scalable IT Environment

- Ensuring that the IT system environment can handle the growth of the business is imperative for a public company.
  - Many companies have an accumulation of systems that may or may not meet the company’s future requirements.
  - Depending on the company’s needs, an ERP may need to be implemented, and the timeline for an ERP implementation can often be multi-year.
28. Ensuring a Scalable IT Environment

- Common Challenges:
  - Smaller IT staff with limited skills and bandwidth
  - Informal (or non-existent) policies & procedures, including SDLC controls and business continuity plans
  - Proliferation of desktop applications (spreadsheets) & decentralized data storage
  - Immature ERP systems
  - Lack of integration
  - Short-term decisions with significant long-term implications (e.g., ERP selection, hosted solutions, outsourcing, etc.)
29. Ensuring a Scalable IT Environment – Key Activities (IT Strategy & Policies, Business Processes, People and Organization)

- IT Strategy & Policies
  - The strategy should cover application, infrastructure and organizational requirements, including outsourcing. It should include a roadmap for major projects and projected resource requirements, and address the following critical IT-related risks:
  - Failover systems, if the business is highly dependent on high-availability systems
  - Data security and governance, if loss of sensitive data or IP would have a severe impact on the business
  - Plans to comply with the various regulations (SOX, HIPAA, PCI, etc.), as required
- Business Processes
  - Define and implement formal processes and controls for:
  - Change Management (including an IT Steering Committee and SDLCs – System Development Lifecycle Controls)
  - Security and Access Management and Operations
  - Establish user support operations consistent with service level agreements
  - Document and follow standard operations processes
- People & Organizational Structure
  - Ensure that the org structure, reporting lines and responsibilities (such as Security or Production Support) are clearly defined
  - Validate that IT personnel have the appropriate skills to support their evolving functions, and ensure ongoing training
30. Ensuring a Scalable IT Environment – Key Activities (Management Reports, Methodologies, Systems and Data)

- Management Reporting
  - Establish key metrics to monitor IT’s performance and measure progress towards goals. Some measures should be reported outside the IT organization to validate that IT service levels are appropriate to support the overall business goals. Sample metrics may include: time to break even on new IT investments; time to resolve IT support questions; IT expense per employee; number of employees per IT FTE; IT expense as a share of revenues, etc.
- Methodologies
  - Consider which standard models and methodologies (e.g., COBIT) support your IT strategy, and consult with industry experts to determine the methodologies the organization will follow. Provide training, require adherence and measure performance around the use of your methodologies.
- Systems and Data
  - Determine the ERP solution that best meets the financial reporting and operational needs of the organization
  - Review the IT application portfolio and replace numerous legacy applications with a more robust solution
  - Assess current storage and backup solutions for greater reliability and cost savings
  - Ensure systems are configured to meet security / regulatory compliance requirements
31. Managing Financial Reporting & Compliance Risk

Phases and timing:

- Phase I – Initial Assessment: Well Before the IPO
- Phase II – Solution Design: Closer to the IPO
- Phase III – Remediation & Preparation: Through S-1 Filing
- Phase IV – Monitor & Manage: Through 2nd 10-K Filing

Activities across the phases:

- Review the current state of readiness against policy, process, people, data, reporting and methodology
- Identify readiness for the core public company requirements: accurate financial reporting, efficient financial close, corporate governance and Sarbanes-Oxley compliance, and IT scalability
- Assess the urgency of each solution based on cost / benefit and the required timeline
- Develop a high-level work plan, timeline and resource requirements
- Design required solutions for initial assessment findings with urgent needs
- Develop a baseline of appropriate policies and procedures
- Review the Revenue Recognition Process
- Develop a baseline for the Financial Close Process
- Perform a Risk Assessment and initial scoping for SOX Readiness and Compliance
- Assess the IT Environment and help “spec and select” the right ERP system, if required
- Implement the selected solutions
- Remediate urgent needs found lacking or absent during the assessment process
- Produce the SOX Section 302 certification
- Achieve SOX Section 404 compliance
- Manage short- and long-term goals
- Ensure the Section 906 Hotline is in place
32. In Summary

- Start early
- Involve the appropriate parties
- Perform a risk assessment
- Identify areas of improvement
- Assign responsibility and utilize project management techniques