What To Do: Evaluating Internal Controls During an Initial Public Offering

As many private companies struggle to keep their doors open during the COVID-19 global pandemic, becoming a publicly traded company may become more appealing – yet the process presents many advantages, especially to smaller companies. As a public company, the business would gain greater access to capital and have more opportunities for growth and expansion, while increasing its visibility. Public companies also have the benefit of offering equity awards to employees as additional compensation which can be attractive for potential job candidates. While being a public company has its advantages, an initial public offering (IPO) presents many challenges. One of these disadvantages is the cost associated with the IPO including accounting fees, legal fees, and filing fees. In addition, an IPO can take several months and the time invested by key personnel in the company is significant. Some other factors to consider include:

• How will this impact the management of the day-to-day operations of the company?
• Does the company have the right personnel in upper management to take the company public?
• Will the company have to adjust its accounting practices to comply with GAAP requirements? 

These are all important considerations which need to be contemplated before taking the IPO plunge, but most importantly, has leadership considered the reporting and disclosure requirements that will be required as a public company? Public companies are required to file their financial statements on a quarterly basis with the SEC. In addition, under Section 404a of the Sarbanes Oxley (SOX) Act, management must assess its internal controls over financial reporting in its annual report. While the external auditors are not required to attest on the company’s internal controls over financial reporting under Section 404b until the company exceeds certain market capitalization and revenue thresholds, even management’s assessment can be quite cumbersome for a company that was accustomed to operating in a less formalized environment. There are several ways that management can prepare for this transition.

SOX Readiness

It is recommended that the company perform a SOX readiness exercise prior to going public; often a year or more in advance. Engaging a consultant or hiring an individual with expertise in internal controls is key to a successful SOX implementation. This individual(s) would be responsible for developing an overall project plan and timeline and identifying key stakeholders. The key stakeholders and processes can be identified through the risk assessment process by mapping the financial statement accounts to processes and assessing the overall account-related risk and materiality.

Process Owner Education

It is crucial that the key stakeholders are educated on the overall process and importance of evaluating internal controls. Holding a process owner training meeting is key to a successful implementation. The process owners need to not only understand the overall process, but what is expected of them. Management-review controls, precision level, evidence of review, and accuracy and completeness of information used in the control are all concepts that process owners should be knowledgeable about in order to effectively execute controls.

Identification & Remediation of Control Gaps

Identifying design and operating gaps and remediating as early as possible reduces the potential for any significant deficiencies or material weaknesses. It is important to engage process owners in those remediation discussions to ensure they understand the issue, are on board with the suggested remediation plan, and are able to implement within the suggested timeframe. Remediation should be monitored to completion and re-tested as soon as possible.

Assessment of Entity-Level Controls (ELCs)

An evaluation of entity-level controls should also be performed using an internal controls framework, such as the COSO 2013 framework, which helps organizations design and implement internal controls in light of many changes in business and operating environments. The company will need to have the appropriate oversight and monitoring controls, which may result in the development of additional sub-committees such as an audit committee, disclosure committee, and/or compensation committee. Identifying the personnel with the knowledge and expertise to be committee members is critical. Additional ELCs, such as policies and procedures, employee handbooks, whistleblower reporting mechanisms, etc., may take time to create and roll out so the earlier the assessment can be performed, the more prepared the company will be.

While IPOs have both advantages and disadvantages, if a company makes the decision to go public, having an implementation plan and starting early is the key to success.

Digital Intelligence Newsletter - Q1 2021

• What To Do if an Enterprise Falls Victim to a Ransomware Attack
• What To Do: Evaluating Internal Controls During an Initial Public Offering
• What To Do: Starting a New Job in a Virtual Work Environment