Find answers to your most pressing questions about your IPO planning.

IPO Readiness: Q & A
Find question about?
A: As companies grow and initial public offering (IPO) becomes a part of the growth strategy, the lack of a focus on IT controls can potentially hurt both their top line and filing deadlines.  Companies are often conflicted when trying to balance compliance requirements with the use of emerging technologies and non-traditional technology management processes. Does management sacrifice speed and innovation in favor of meeting auditor requirements, or does it allow the company to stay the course with its development priorities and risk non-compliance? There is another way that satisfies control and compliance requirements without disrupting the company’s culture of independence and innovation.  Read more about how to pre-empt potential problems and find key opportunities

Read More.

  • popular question

  • Q:    What are JOBS Act implications to the IPO Readiness?

    A:    In April 2012, President Obama signed the Jumpstart Our Business Startups Act ("JOBS Act") into law. The new law is designed to make it easier for small and growing businesses - specifically, those on track to conduct an initial public offering (IPO) - to attract investors and access capital while complying with U.S. securities laws. The new law changes existing securities laws in a number of ways.

    To read more about the JOBS Act implications,  download the FAQ Guide.

    [back to top]
  • Q:    How do you select an ERP system?

    A:    Pre-public and newly public companies face many risks during their transformation process, including accurate and timely financial reporting, effective forecasting, appropriate corporate governance, and - last but not least - a scalable IT environment. Organizations must ensure that systems and data are appropriate to help enable the longer-term strategy and growth needs that management has defined. As an organization prepares for its initial public offering, selecting the "right" ERP system often is one of the key considerations for management to address. In fact, a common question many executives ask is, "where do we start?"

    To read more about selecting an ERP system, download the FAQ Guide.

    [back to top]
  • Q:    What are some common mistakes companies make during an IPO?

    A:    Going public in today's environment is much different that it was five to ten years ago. Rapid regulatory change - including provisions around Sarbanes-Oxley - put aditional and significant pressures on an organization's infrastructure, and the market windows for an initial public offering (IPO) tend to open and close much faster. Companies that plan early and invest the time to understand the requirements, pitfalls and best practices are much more likely to have a successful IPO.

    Read our POV on Common Mistakes Made During an IPO.​

    [back to top]
  • general question

  • category The Public Company Readiness Process

    • Q:    What are some common mistakes companies make during an IPO?
      A:    Going public in today's environment is much different that it was five to ten years ago. Rapid regulatory change - including provisions around Sarbanes-Oxley - put aditional and significant pressures on an organization's infrastructure, and the market windows for an initial public offering (IPO) tend to open and close much faster. Companies that plan early and invest the time to understand the requirements, pitfalls and best practices are much more likely to have a successful IPO.

      Read our POV on Common Mistakes Made During an IPO.​

      [back to top]
    • Q:    What is an initial public offering (IPO)?
      A:    An IPO is a corporation’s first offer to sell stock to the public. One primary objective of an IPO is gaining access to market capital. Sometimes referred to simply as “public offerings,” IPOs require an issuer, with the assistance of an underwriting firm, to determine the type of security to issue (i.e., common or preferred shares), the optimum offering price, and the best time to bring the company to market.
      [back to top]
    • Q:    Q: What are the main indicators of a strong IPO Market?

      A: NASDAQ OMX Chief Economist, Frank Hatheway and Protiviti Managing Director, Steve Hobbs discuss the IPO market’s strongest drivers; the IPO pricing process; and the impact of the JOBS Act. Watch the 5 minute interview here:

      Protiviti Managing Director Steve Hobbs interviews NASDAQ OMX Chief Economist Frank Hatheway on IPO pricing.

      [back to top]
    • Q:    What is the difference between an IPO and a public debt offering?
      A:    In an IPO, a company issues stock, which represents an equity (or ownership) stake in a company, on a publicly traded stock exchange. A public debt offering occurs when a company issues bonds (certificates representing debt) to the public; the bondholder then receives interest and a repayment of principal on the “loan” made to the company.
      [back to top]
    • Q:    What are the pros and cons of going public?

      The primary advantage of going public is the increased access to capital that companies gain. A public company can conduct subsequent offerings (commonly referred to as “secondary” or “follow-on” offerings) years or, in some cases, months after an IPO to generate additional capital – usually on highly favorable terms. Additionally, public companies typically boast better growth potential than private firms, maintain greater prestige in the financial community, and are able to lure top talent with more enticing incentives, such as stock awards. Finally, public offerings can equip company leaders with a more precise understanding of the value of the organization, which can strengthen how they subsequently market their stock.

      The primary disadvantage of an IPO boils down to effort, followed by cost. Preparing a company for an IPO and undertaking the necessary business transformation can be a complex and daunting task for even the most well-rounded, professionally run organizations. Recent and not-so-recent regulatory changes, including but not limited to the Sarbanes-Oxley Act of 2002, place a sizeable burden on private organizations preparing to become public companies. The transformation necessary for organizations to be ready to go public requires that they address numerous issues related to regulatory compliance, financial reporting, information technology (IT), internal audit, talent management, policies and procedures, and corporate governance, among other areas.

      Additionally, once a company is publicly held, it must disclose to the public, which includes its shareholders, a much greater amount of information related to company performance, risks, and director and officer compensation. Shareholders can exert significant pressure (related to performance, strategy, compensation and other issues) on the management team and the board of directors. Finally, depending on the breakdown in share ownership, private company founders and executives who take their organizations public risk losing voting control of the company.

      Nevertheless, the large number of successful public companies in North America attests to the fact that returns on becoming a public company can far outweigh the investment in time, effort and money required to prepare and execute an IPO.

      [back to top]
    • Q:    How long does it take to achieve PCR, and what are the key milestones within the process?

      The effort and time required to prepare for an IPO are frequently underestimated.

      While the timeline varies depending on a company’s unique requirements, it typically takes about 12 to 18 months for a private organization to achieve PCR.

      The key milestones in this process should include an initial IPO readiness assessment, Sarbanes-Oxley compliance, financial reporting readiness, IT systems and data readiness, and the execution of corporate governance and IPO-specific requirements. Among these requirements, Sarbanes-Oxley compliance and IT readiness typically require the most time and should therefore begin as soon as the readiness assessment (a diagnostic process that requires three to five weeks to execute) is completed.

      [back to top]
    • Q:    How does a company determine the best time to pursue an IPO?

      A company must consider very carefully the timing of an IPO. Windows of opportunity in the public market can open and close quickly. Thus, it is in the best interest of IPO candidates to be prepared when the market is favorable. Inadequate PCR assessment and planning can delay an offering and/or adversely affect the enterprise’s value when the IPO occurs.

      IPOs tend to bring higher offering prices when equity markets are at their healthiest; however, many IPOs have achieved success during down markets as well. The timing of an IPO should be determined by several factors, including, but not limited to, macroeconomic conditions, the health of the company’s business sector, the company’s capital needs, and its PCR.

      [back to top]
    • Q:    How do companies choose among different listing exchanges?

      U.S. public companies primarily use listing exchanges to access a market for trading their stock. Listing exchanges – such as the New York Stock Exchange (NYSE), Nasdaq and others – also can help member companies strengthen their brand and visibility, provide a support network, and provide capital markets and investor relations (IR) support.

      Companies select a listing exchange based on numerous factors, including the exchange’s listing standards.

      Listing standards consist of various sets of applicable qualifications – such as valuation, pre-tax income, market capitalization and operating history, among others – that member companies must meet to participate in the exchange. Companies also select a listing exchange based on analyst coverage, oversight and accountability, the manner in which trades are executed, and the availability of information.

      [back to top]
    • Q:    How has the nature of public company requirements and the public company preparation process changed in recent years?

      Significant changes have occurred in the IPO market in the past several years. The global financial crisis greatly reduced the pace of IPOs. What’s more, numerous studies show that the average “age” of companies conducting.

      IPOs has generally increased over the past decade, which may indicate that leadership teams are taking more time preparing for a public offering. Additionally, the effort associated with Sarbanes-Oxley compliance requires more attention and focus early on.

      For these reasons, it is important, from a competitive standpoint, to operate private, pre-public companies as if they were already public. This requires pre-public companies to establish and operate their underlying business, finance and accounting, IT and auditing processes, policies, and internal controls in a “public company” fashion while simultaneously meeting the daily demands of running a business.

      [back to top]
    • Q:    How much does it cost to take a company public, and what are the largest cost components?

      IPO costs are dependent upon a number of factors and can vary significantly among companies. For example, a sample budget for a $100 million IPO could range from $3 million to $4 million. These amounts exclude the underwriter’s commission, which usually is about 7 percent of the total public offering price. The largest cost areas include the underwriter’s commission, legal fees, listing fees, accounting fees and printing expenses.

      [back to top]
    • Q:    What are the largest ongoing costs of operating as a public company?
      A:    The largest portions of this cost relate to incremental legal and auditing fees, as well as to additional financial reporting, regulatory compliance, public relations and legal requirements. Related people, process and IT expenses figure into these ongoing costs of operating as a public company.​
      [back to top]
    • Q:    What external service providers comprise an effective IPO transaction team, and what does each of these experts provide?

      The primary external service providers involved in an IPO include the managing underwriters (investment bankers), the underwriters’ legal counsel, the company’s legal counsel, the external auditor, the financial printer and, in some cases, other external service providers with specialized expertise related to the company’s business model, industry or The company’s legal counsel plays a leading role in managing the IPO transaction. Frequently, a pre-IPO company’s legal counsel does not possess the expertise or experience required to take a company public. This may require that the company select a new in-house legal counsel or external legal counsel (well in advance of the IPO).

      The following discussion provides a brief description of each primary external service provider’s role:

      Managing Underwriters: Investment banking firms act as underwriters in the vast majority of IPOs. In some cases, particularly when the public offering is relatively large, a pre-IPO company selects two or three investment banks to serve as managing underwriters. In these instances, one investment bank is typically identified as the lead manager while the other managing underwriters are designated as co-managers. The role of the managing underwriter is to buy the IPO shares from the company and then sell the stock to investors. To fulfill this role, the managing underwriters conduct due diligence, provide guidance on procedural issues, help draft the registration statement, help coordinate the roadshow that the management team conducts, market the offering to investors, and deliver analyst coverage and other support (e.g., generating interest among other analysts in covering the company and its stock) once the IPO is complete. The selection of the managing underwriter typically signals the official starting point of the IPO process, which is accompanied by restrictions (e.g., what information can be communicated publicly) established by the U.S. Securities and Exchange Commission (SEC).

      Underwriters’ Legal Counsel: The underwriters’ legal counsel, typically selected by the managing underwriter, supports the underwriters during the IPO process in negotiating and drafting the underwriting agreement with company counsel; conducts due diligence, document drafting and review; and ensures compliance with relevant state securities regulations and National Association of Securities Dealers (NASD) requirements.

      Company Legal Counsel: The company’s selected legal counsel in the IPO transaction will take the lead in managing the IPO process and all the parties involved. Legal counsel will serve as the communications center among the company, the managing underwriters and their counsel, the external auditing firm, the financial printer, and other third-party vendors (such as the transfer agent and any specialized service providers). Along with the company’s external auditing firm, legal counsel will work with the company to ensure all preparatory work is done to support the contents of the registration statement. Legal counsel will conduct in-depth due diligence on the company to ensure that there are no preventable surprises during the process. Legal counsel will also draft and maintain the master registration statement until the document is transferred to the financial printer toward the end of the process. The registration statement is a highly regulated document that must comply with very specific securities regulations. Confirming compliance (both for the company and the registration statement) with securities laws and SEC rules and regulations will also be the duty of the company’s legal counsel. Legal counsel will also advise the company’s executives on proper behavior during the registration process (e.g., what the company can and cannot do during the “quiet period”) and assist the company in cleaning up any loose ends before the IPO process officially begins (e.g., ensuring the company has proper documentation on major contracts and confirming all pre-IPO stock has been properly issued). Legal counsel will respond to SEC comment letters after the registration statement has been filed and serve as a liaison between the company and the SEC.

      External Auditing Firm: Pre-IPO companies must hire an external auditor in accordance with SEC requirements. The external auditor fulfills several roles during the readiness process and continues to serve as the company’s external auditor following the IPO when it conducts the annual auditing process. The external auditor’s pre-IPO role includes serving as a liaison between the company’s IPO team and the SEC; ensuring that all financial information in the registration statement complies with SEC requirements; and submitting a “comfort letter” to the managing underwriters and the company’s board of directors confirming that the financial statements and various financial data within the registration statement comply with all requirements.

      Financial Printer: The financial printer assumes responsibility for managing registration documents throughout the process. These activities include version control during the drafting and editing of the registration statement, printing and distribution of the prospectus, and filing of the registration statement and other SEC filings via the SEC’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system and Extensible Business Reporting Language (XBRL).

      [back to top]
    • Q:    What is the Form S-1 registration statement, and what type of information is required to be submitted?

      The Form S-1 registration statement under the Securities Act of 1933 is the basic registration form that the SEC requires newly public companies to complete. It should be signed by the registrant’s principal executive and accounting officers, and by at least a majority of the board of directors. Companies joining a listing exchange need to complete the Form S-1 filing and have it accepted by the SEC before the transaction can be effected.

      There are a number of items required to be reported in this filing. Examples of this information include:

      • The company’s business model and an overview of its competitive environment
      • Market and industry trends and data
      • The amount of estimated proceeds from the public offering and how the company intends to use those proceeds
      • Information related to the security, including the offering price methodology, and any dilution that may occur to other listed securities
      • Risks associated with the business, which could include recent adverse developments or operating losses, the seasonality of the business, dependence on a few customers or suppliers, and the impact of current or proposed legislation
      • Information regarding a company’s officers, directors, and principal shareholders, including extensive disclosures related to executive compensation
      • Significant management discussion of recent financial results, comparison to prior periods, and future trends, risks and uncertainties
      • Financial information, including two years of audited balance sheets; three years of statements of operations, cash flows, and changes in shareholders’ equity (smaller reporting companies are allowed to present only two years of information); selected financial information for the past five years (smaller reporting companies are not required to present selected financial information); and selected pro forma information (see also Question 59: What are the primary JOBS Act advantages related to the traditional financial reporting requirements of going public?)
      [back to top]
    • Q:    If a company prepares for an IPO and then opts to delay the transaction, what is involved in sustaining its PCR?

      Recent history suggests that IPO readiness initiatives can have a positive impact on valuations and represent a key enabling factor to a successful offering. If the timing of the IPO is delayed, the company should strive to maintain its level of readiness for two reasons. First, the readiness effort requires a significant effort in terms of cost, time, business transformation and operational disruption. Allowing the state of readiness to deteriorate reduces the value of this investment. Second, IPO market conditions can change quickly. When an appropriate IPO timing opportunity arises, it is far better to be prepared to take advantage of this opportunity than to engage in hurried, last-minute readiness activities that can add more cost, effort and risk to the process.​

      [back to top]
  • category An Overview of the Public Company Readiness Effort

    • Q:    What are the most common mistakes made or oversights committed during a PCR effort?

      The IPO journey is complex and can lead to a number of potential oversights and mistakes along the way. Following are some of the most common pitfalls:

      • Failure to assemble the right team to help take the organization public. The team should possess previous IPO and PCR experience, and employees on the team should have the knowledge and bandwidth to participate fully in the readiness effort. Management also should remember that employees have their regular ongoing responsibilities; a successful path to PCR requires striking the right balance between IPO preparation and the performance of day-to-day business operations. Effective project management, including a carefully crafted readiness strategy and plan, also qualifies as critical.
      • Underestimating the level of effort that will be required. Many organizations underestimate the time and effort the readiness effort requires. The journey to PCR involves a complex array of tasks, deadlines and focal points that require significant time, effort and attention throughout the organization. Preparation activities should focus not only on going public, but also on maintaining sound financial reporting, corporate governance and other public company processes post-IPO.
      • Failure to fully develop sound business processes and infrastructure, particularly those that support financial reporting processes. The importance of having strong processes supported by effective controls cannot be overstated. Organizations often scramble to pull together documentation that supports prior annual audits without focusing on the big-picture fundamentals of effective finance and the accounting functions and financial reporting processes that must be in place.
      • Failure to assess the organization’s IT readiness. An organization’s ability to conduct accurate, timely and effective financial reporting and regulatory compliance hinges on the strength of applications and systems infrastructure. Many organizations do not fully anticipate the IT infrastructure support necessary to assist with the demanding reporting and compliance requirements that affect public companies.
      [back to top]
    • Q:    What are the largest risks a company faces if it conducts an incomplete or ineffective preparation process?
      The risks range from the need to delay the timing of the IPO (which frequently prevents the pricing benefits associated with conducting the IPO in favorable market conditions) to the addition of unnecessary costs and frustrations to the readiness effort.
      Ineffective readiness processes frequently spark a “fire drill” mentality as the IPO date nears; this mindset can greatly reduce the pre-public company’s focus on daily business operations while causing errors that arise from the quick scramble to “patch” readiness issues rather than developing sound processes that serve the organization better over the long term. Ineffective preparation processes can also contribute to post-IPO problems, such as the need to prepare and issue financial restatements, which generates large amounts of additional internal work, and worse, poses a major risk from a shareholder value, litigation and reputation standpoint.​
      [back to top]
    • Q:    Q: What are the current hot topics for pre-IPO companies?

      A: Throughout the year, Protiviti conducts research and publishes insightful thought leadership on a broad range of issues affecting publicly held companies, ranging from today’s top risks to internal audit, SOX compliance, and IT security and privacy. We also regularly address key market developments, such as this year’s release by COSO of its new Internal Control – Integrated Framework.

      These issues should be top-of-mind not only for publicly held organizations, but pre-public companies that are planning an initial public offering. This paper provides summary of these studies and insights, along with our viewpoints for pre-IPO organizations.
      [back to top]
    • Q:    What are the primary elements of PCR related to organizational infrastructure that need to be addressed?

      There are six primary infrastructure elements that need to be addressed during the PCR effort:

      • Corporate policies
      • Corporate processes
      • People and organization
      • Management reports
      • Methodologies (e.g., those related to Sarbanes-Oxley compliance requirements, as well as to other financial controls)
      • Systems and data

      From a functional perspective, the following capabilities need to be in place for a readiness effort to succeed. The organizational infrastructure elements identified above support the enablement of these organizational capabilities:

      • Accurate Financial Reporting: Companies need to ensure they have the requisite skills and organizational infrastructure to understand the application of accounting principles and ensure accurate financial reporting.
      • Accurate Forecasting and Budgeting: Similarly, companies should have the financial management skills needed to perform forecasting and budgeting in a relevant, accurate and useful way that enables the highest level of visibility, flexibility and business agility.
      • An Efficient Financial Close: In order to meet SEC filing requirements, companies must ensure they have an accurate and efficient financial close process.3
      • Appropriate Corporate Governance and Sarbanes-Oxley Compliance: Ensuring the company has a robust regulatory and corporate governance understanding and an efficient internal control environment is critical to achieving initial and ongoing Sarbanes-Oxley compliance.
      • Scalable IT Environment: Companies must review the IT system environment to ensure that it is able to handle the anticipated growth in the business.

      3 Additional filing information and submission dates are available on the SEC’s website,

      [back to top]
    • Q:    What are the most important characteristics present among successful PCR efforts?

      From a qualitative perspective, one of the most important characteristics of successful PCR processes centers on an understanding that the effort requires significant time and resources. Executives who lead successful preparation and business transformation efforts truly understand the significant time, effort and scope involved in preparing to become a publicly held entity.

      For this reason, successful PCR efforts typically begin with a formal assessment of current-state readiness. The insights generated during this evaluation are then used to tailor a formal and comprehensive road map that addresses each of the six key infrastructure elements (corporate policies, corporate processes, people and organization, management reports, methodologies, and systems and data) and key functional capabilities (accurate financial reporting, accurate forecasting and budgeting, an efficient financial close process, appropriate corporate governance and regulatory compliance, and a scalable IT environment) that successful readiness demands.

      [back to top]
    • Q:    What are some of the most costly and time-consuming remediation activities pre-public companies typically perform as part of the readiness effort?

      Remediation activities within the capability areas of regulatory compliance (and Sarbanes-Oxley Section 404 compliance in particular) and IT readiness typically consume the most time and cost within the PCR process. This explains why a large percentage of IPO readiness road maps call for Sarbanes-Oxley readiness and IT readiness to commence as soon as the initial readiness assessment has been completed. Sarbanes-Oxley Section 404 compliance is time-consuming due to the sheer volume of its requirements concerning internal controls assessment, implementation, testing and remediation. IT readiness frequently consists of the implementation of new software, including enterprise resource planning (ERP) packages, which normally qualifies as a large-scale corporate initiative. (Note that certain pre-public companies may be able to exercise a Section 404 exemption under the JOBS Act. See other questions for specific guidance on this topic.) Given the time-consuming nature of these regulatory requirements, pre-public companies should carefully – and as early as possible – consider certain major changes (e.g., the acquisition of another company, or the replacement of an external auditing firm with a new auditing firm) in the readiness process. These changes could result in large and costly amounts of additional work. As such, they require extensive evaluation and planning at the very beginning of the readiness effort.

      [back to top]
    • Q:    What are the ongoing operational and management challenges pre-public companies must address while simultaneously conducting the PCR effort?

      While specific issues vary from company to company, most challenges relate to running the business. Pre-public companies, many or most of which are lean in staff, face the same daily operational and management challenges they confront on a daily basis; only these organizations need to address these challenges while also conducting a comprehensive, enterprise wide initiative (one that may at times feel like multiple major initiatives) over a period of 12 to 18 months, with no increase in internal resources.​

      [back to top]
    • Q:    What are the key diagnostics that provide an organization with an accurate assessment of its baseline PCR?

      Management’s initial IPO preparation phase efforts should consist of an assessment that identifies a baseline view of the current state of readiness, followed by a road map designed to close the gap between the current state and IPO readiness.

      The key components of this diagnostic process consist of the following actions:

      • Assess the current state of readiness against benchmarks for the six elements of infrastructure: business policies, business processes, people and organization, management reports, methodologies, and systems and data.
      • Identify the readiness of core public company transformation capability requirements for accurate forecasting and budgeting, reliable financial reporting, an efficient financial close, corporate governance and Sarbanes-Oxley Act (and other regulatory) compliance, and IT scalability (as well as any other major functional requirements by listing exchanges, such as the NYSE’s internal audit requirement).
      • Assess the urgency of business transformation solutions needed to close identified gaps based on an analysis of costs and benefits along with consideration of the required road map.
      • Develop work plans, a timeline and resource requirements to implement the appropriate solutions identified in the road map (see prioritization map on the next page).
      [back to top]
    • Q:    What are the primary steps involved in managing IPO risks and addressing all of the elements required to achieve PCR?

      A thorough diagnostic process and the creation of a comprehensive road map that is executed under the guidance of a rigorous project management approach will go a long way toward managing IPO risks – those that can be managed – and achieving PCR. While careful planning and foresight can help companies optimize the timing of their IPOs, external market conditions can always interfere with the best-laid plans. When pre-public companies begin to address specific results from the initial assessment, they frequently take several of the following steps:

      • Develop a baseline of appropriate accounting, operational and regulatory policies and procedures.
      • Take stock of the maturity of key processes.
      • Develop a baseline for the financial close and forecasting capabilities.
      • Address skills gap and other organizational changes.
      • Perform a risk assessment and initial scoping for Sarbanes-Oxley readiness and compliance.
      • Assess the IT environment and consider the specifications of the right ERP system (if required).
      • Establish a program management office to address incremental work streams and competing initiatives.

      As pre-public companies start to form their readiness plans and prioritize resources accordingly, they also begin to address other common questions:

      • Can we meet reporting timelines required by the SEC?
      • Can we handle the complex accounting and disclosure requirements?
      • Are our forecasting and budgeting capabilities sufficient?
      • Is our IT infrastructure scalable to handle our anticipated growth? What areas of our IT organization may require transformation?
      • Does the data used to manage and report our results have integrity?
      • Will any unfavorable findings resulting from the audit of the previous three years of financial information negatively impact the timing of our public offering?
      • Do we understand the Sarbanes-Oxley Act requirements and how we will prepare to comply?


      [back to top]
  • category Accurate Finance Reporting & Efficient Finance Close

    • Q:    What are the key financial reporting risks that management should address?

      The number and complexity of rules related to financial reporting among public companies have increased significantly in the past decade. The ultimate risk of financial reporting problems – including delayed IPO filings and damage to a company’s reputation – can be severe. For these reasons, assessing and addressing the financial reporting risk profile (FRRP) of an organization represents a crucial component of an effective PCR process.

      The specific financial reporting risk areas that should be evaluated, understood and addressed include:

      • Risks relating to the specific application of accounting principles and standards
      • Consistency in applying financial reporting policies and rules
      • Estimation, reliability and ongoing evaluation processes
      • Forward exposure arising from changing rules or business transactions
        [back to top]
      • Q:    How can companies ensure their revenue recognition process and other technical accounting and reporting areas are consistent and reliable?

        Companies should develop policies for revenue recognition and other key financial reporting and accounting areas based on a robust internal review process, as well as discussions with, and guidance from, their external auditing firm. Management should assign the development of these policies to appropriate owners who maintain current knowledge on recent updates to accounting and auditing rules (e.g., from the SEC and Public Company Accounting Oversight Board [PCAOB]) and accounting guidance (from the Financial Accounting Standards Board [FASB]) and make revisions and updates to internal policies and processes accordingly. Companies should conduct communication and training related to key accounting policies for all relevant finance and accounting staffers.

        With regard to revenue recognition, in 2014, the FASB issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers. As expected, the FASB more recently deferred by one year the effective date of thisstandard (to no later than annual reporting periods that begin after Dec. 15, 2017). Despite that delay, companiesshould immediately begin the process of adopting this significant change (which is the lengthiest standard the FASB has ever issued). Pre-public companies should take steps to consider appropriate changes related to policies, people, processes and technology. The standard-setters’ efforts to codify revenue recognition principles that apply to all industries have resulted in changes in nomenclature that will require careful consideration. The appropriate organizational personnel need to immerse themselves in the new standard and become educated as to its impact on top-line reporting and disclosure. Whatever the impact, there will likely be development and/or modification of policies and procedures; redesign of accounting and reporting processes; IT and ERP system controls updates or improvements; and program, project and change management issues, among other areas.

        Also of note for pre-public companies: In February 2016, the FASB issued its new standard on accounting for leases. The new standard amounts to a significant change in accounting for leases by lessees, as it requires them to recognize on the balance sheet the assets and liabilities for the rights and obligations created by all leases with lease terms of more than 12 months, regardless of how a lease is classified. As a result, balance sheets will grow for lessees that customarily enter into operating leases.

        [back to top]
      • Q:    What additional public company financial reporting requirements must be addressed during the PCR process?

        Companies will need to file their quarterly and annual financials within certain deadlines. Pre-IPO companies also need to meet specific disclosure requirements set by the SEC and report on the effectiveness of their internal control over financial reporting to comply with Sections 302 and 404 of the Sarbanes-Oxley Act.

        Of note, pre-IPO companies should be aware that the PCAOB continues to find deficiencies in registered public accounting firms’ audits of internal control over financial reporting. The PCAOB’s findings are a call to action for issuers, as well as pre-IPO companies, to take a fresh look at the Section 404 readiness and compliance processes.4

        Companies should work in an anticipatory mode to remain ahead of constantly changing financial reporting issues so that these issues do not become reputation-threatening problems after, or even during, the process of going public. Some of the most common causes of financial misstatements among newly public companies include insufficient technical competency, misapplication of financial accounting standards (particularly in the areas of revenue recognition and stock-based compensation), and a lack of supporting documentation.

        Additionally, the audit committee, management and the disclosure committee should understand a broad range of financial reporting risks. (In fact, it is highly recommended that an organization form an audit committee prior to going public.) These risks include accounting for transactions that contain significant judgments or estimates, complex transactions, accounting for related-party transactions, management override, inaccurate underlying data, and inadequate financial systems support.

        4 Inspection Observations Related to PCAOB “Risk Assessment” Auditing Standards (No. 8 through No.15), PCAOB Release No. 2015-007, October 15, 2015:

        [back to top]
      • Q:    How can companies ensure that their planning, forecasting and budgeting processes are sufficient?

        Many private companies conduct their financial planning, forecasting and budgeting on an ad hoc basis using nonautomated tools. To reduce the risk of financial reporting errors and shareholder dissatisfaction, publicly listed companies generally need to have more sophisticated and robust planning, forecasting and budgeting processes than most private companies possess. In fact, in the past decade, there has been a growing movement among leading corporate finance functions to revamp annual budgeting processes and make planning processes more adaptive and forecasting processes more timely, relevant, accurate and useful.

        Pre-IPO companies should address the question of whether their finance and accounting function possesses the necessary performance management talent, processes and supporting technology. This determination should include an evaluation of operational and financial reporting risks that exist within current performance management capabilities, the identification of the source of these risks, and a plan for mitigating these risks while simultaneously improving performance management talent, processes and supporting technology. Taking these steps can reduce the likelihood of the flaring up of shareholder dissatisfaction, which inevitably occurs when a publicly listed company’s actual performance falls short of its forecasted performance.

        [back to top]
      • Q:    How do the SEC’s new rules concerning XBRL affect newly public companies?

        The SEC does not require companies conducting an IPO to include XBRL data in their registration statements.

        However, new issuers are required to provide XBRL financial statements in their first Form 10-Q filing.

        XBRL can be described as the HTML (one of the Internet’s underlying coding languages) of financial information; the technology attaches “data tags” to information in a financial statement to help investors, analysts and other readers more easily access, search, download, compare and analyze specific financial information. According to the SEC, XBRL will help investors and analysts more accurately compare the financial performance of different companies and also help a greater number of smaller public companies attract the attention of analysts and investors. From a readiness perspective, the XBRL requirement represents a finance/IT skill that should either be on staff or easily accessible through an external source.

        [back to top]
      • Q:    Doanyplans regarding the potential convergence of International Financial Reporting Standards (IFRS) and U.S. generally accepted accounting principles (GAAP) affect pre-public ompanies?

        Currently, the answer is “no,” but that could change. Managers and board members at pre-public companies should remain attuned to developments in the ongoing convergence of IFRS and U.S. GAAP. Currently, the informal convergence of IFRS and GAAP continues through the collaboration between the International Accounting Standards Board (IASB) and the U.S. accounting standards-setting body, the FASB.

        Most U.S.-based public companies are monitoring ongoing GAAP-IFRS convergence, and many companies have assigned the management of this issue to a specific finance and accounting executive or manager with expertise in these areas. Some public companies with international operations already produce IFRS versions of their financial statements. Although the exact details and timing of formal convergence have yet to be laid out by the SEC, the effort will create the need to make major process changes within multiple areas (e.g., accounting, tax, IT, human resources, investor relations) of public companies.5

        5 For additional information, read Protiviti’s The Bulletin, “Accounting for Revenue Recognition: A New Era,” Volume 5, Issue 12, 2015:

        [back to top]
      • Q:    What employee compensation and benefits policies and programs, including employee stock ownership plans (ESOPs) and other employee equity ownership plans, should be addressed from a financial reporting perspective?

        All executive compensation and benefits programs, as well as other rewards programs that can potentially exert a material impact on financial reports, should be evaluated in advance of a public offering. Certain areas of compensation programs, including stock-based compensation and other pay components that can be classified as liabilities or equity, should be scrutinized to assess their accounting treatments and financial reporting implications.

        The value of stock options granted to executives or other employees prior to a public offering frequently comes under the scrutiny of regulators once the company becomes publicly listed. Due to the technical nature of these issues, pre-IPO companies frequently enlist outside experts, including public accountants and other risk and compensation experts, to assist with evaluations of compensation and benefits programs.

        [back to top]
      • Q:    What financial reporting policies and processes need to be reviewed and documented as part of the readiness effort?

        First, executive and unit management should be educated on all public reporting requirements. Second, the company should establish a disclosure committee to review SEC reports in advance of its filing.

        Keep in mind that all key business processes should be documented. These include a fair amount of financial reporting policies and processes, such as those that aid in the preparation of financial schedules for external auditors in the support of audits, filings, executive compensation policies, all employee benefit plans, and related disclosure requirements.

        Additionally, pre-public companies should design and implement a process for documenting conclusions on reporting and accounting matters. This process should:

        • Provide background on current transactions, issues or circumstances that warrant an explanation (e.g., transactions involving significant estimates or judgments).
        • Identify key accounting and reporting questions.
        • Reference all pertinent accounting standards and guidelines.
        • Outline facts, historical trends, available data and details of the transaction or issue.
        • Identify acceptable approaches and alternatives for applying the applicable standards and guidance.
        • Document management’s analysis and rationale for the selected alternative, applying the appropriate principle or standard.
        [back to top]
      • Q:    What finance and accounting skills and capabilities are required to manage the rigors of accounting and financial reporting for a public company?

        The finance staff should possess the skills necessary to understand the application of accounting principles (GAAP and, in many cases, IFRS); ensure reliable financial reporting (previous SEC reporting experience is highly recommended); understand the requirements, as well as the rigors of Sarbanes-Oxley compliance (again, specific compliance experience is preferred); develop current financial performance management processes (planning, budgeting and forecasting); work closely with the IT department to maintain the appropriate financial systems environment; and have the authority and expertise to maintain a close working relationship with external auditors and – for executives – the board.

        [back to top]
      • Q:    What financial and accounting information systems and data requirements should be addressed during the readiness process?

        The primary financial system and data requirement focuses on the timely and accurate production of financial reports. The financial reporting, financial close and IT components of the readiness process ultimately should ensure that financial systems contain accurate underlying data that support the production of the financial information necessary to adhere to all of the SEC’s financial reporting requirements.

        Other financial system and data requirements focus on issues such as the implementation of internal controls that help ensure that systems are secure and operating in compliance with relevant regulations, the data is accurate, and information is produced in a timely manner.

        From a practical perspective, these requirements raise questions about the effectiveness of the current ERP system and the existence and quality of IT-related business continuity management and disaster recovery plans, along with many other IT policies and procedures and user access controls (and other security-related considerations). Pre-IPO companies routinely discover that their IT departments and IT-related activities mark one of the greatest and most time-consuming points of focus during the readiness effort; fortunately, some pre-public companies, especially technology startups, have opportunities to optimize work related to IT general controls (ITGC).6

        6 For additional information, read Protiviti’s paper, Agile Technology Controls for Startups – a Contradiction in Terms or a Real Opportunity?, available at

        [back to top]
      • Q:    What is a “disclosure committee,” and what is its role in ensuring that an accurate financial reporting process exists within pre-public companies?

        First, it is important to note that the disclosure committee is a management committee, not a committee of the board. The mission of the disclosure committee is to make disclosure determinations for the company and to review the company’s disclosure guidelines on an annual basis. The disclosure committee may also oversee the subcertification process related to compliance with Section 302 of the Sarbanes-Oxley Act. In many cases, the management disclosure committee consists of the chief executive officer (CEO), chief financial officer (CFO), vice president of finance and/or the general counsel, as well as other managers who play important roles, directly or indirectly, in the production of financial statements.

        Leading disclosure committee practices within pre-public and newly public companies include:

        • The inclusion of seasoned professionals on the committee – professionals who understand the largest issues the company confronts
        • A “tone at the top” from the CEO and CFO that clearly and continually emphasizes the importance of disclosure procedures
        • Members who are knowledgeable about the company’s key business units
        • The inclusion in meetings of accounting managers and in-house and/or outside counsel who can provide guidance on developing regulatory issues, as well as accounting standards
        [back to top]
      • Q:    How do recent and pending acquisitions and any other major transactions need to be handled from a financial reporting perspective during the pre-public phase?

        Very carefully. In certain instances, some pre-public companies tend to avoid conducting major acquisitions in the months leading up to the IPO. On the other hand, an organization’s strategy may be to acquire complementary companies in advance of an IPO to make the initial offering more attractive to investors. Managing multiple significant initiatives concurrently can be demanding on an organization for many reasons. First, the complexity, scope and impact of major acquisitions can be difficult to manage while a private company is simultaneously handling day-to-day business demands and conducting a far-reaching PCR effort. Second, there could be uncertainty as to how the acquisition will be integrated into the organization and ultimately affect the value of the IPO. And third, the complexity of the accounting and financial reporting issues related to acquisitions may not be palatable at a time when the pre-public company’s finance and accounting function is busy adapting to public company accounting, financial reporting and regulatory compliance requirements. Additionally, public offering registration statements generally require inclusion of audited financial statements – along with other information, in many cases – for a “significant” acquisition, according to SEC guidelines.

        This is not to say that private companies with PCR efforts underway should necessarily avoid acquisitions. Those that move forward with these transactions should do so only after careful consideration of how the acquisition might affect the IPO.

        [back to top]
      • Q:    What is a “financial reporting risk profile” (FRRP), and how can it help strengthen PCR?

        The FRRP is a proactive approach to identifying financial reporting issues and managing them to head off financial restatements before they occur, thereby better enabling management to focus efforts on more important matters and reduce the risk of reputation damage.7

        An effective FRRP focuses on six areas:

        • Accounting principle selection and application
        • Estimation processes
        • Related-party transactions
        • Business transaction and data variability
        • Sensitivity analysis
        • Measurement and monitoring

        The underlying objective of an FRRP is to identify the most likely areas of potential misstatements so that the appropriate oversight and control can be established to lessen financial reporting risk. For these reasons – along with the fact that the focus areas listed above correspond to several of the most common reasons why newly public companies are forced to issue financial restatements – the financial reporting risk profile process represents a valuable PCR exercise.

        [back to top]
      • Q:    When do public companies have to submit their annual (10-K) and quarterly (10-Q) financial statements?

        As depicted in the chart below, the size of your organization, in terms of market value, will determine the filing deadlines. The 10-Q is required to be filed either 40 or 45 days after an organization’s fiscal quarter-end, while the deadlines for 10-Ks vary between 60 and 90 days after fiscal year-end.

        [back to top]
      • Q:    What risks do pre-public companies with inefficient financial close processes confront?

        The two primary risks consist of (1) committing an error that later necessitates a financial restatement, and/or (2) missing a required filing deadline. Both can lead to a loss in investor confidence and, consequently, a potential reduction in stock price. Financial restatements can result in SEC fines, lawsuits, reputation damage and significant reductions in shareholder value. Restatements also require an exhaustive internal effort and can be highly disruptive.

        Other risks, while they fall short of the magnitude of problems restatements cause, also qualify as problematic. An inefficient financial close process reduces the amount of time that senior management, the board, external legal counsel and external auditors have to review earnings releases. This can make it more challenging for management to explain variations between periods. On an operational level, inefficient financial close processes tend to consume significant amounts of the finance function’s time and prevent corporate finance from executing more value-added activities.

        A number of different shortcomings cause the problems described above, including limited oversight and monitoring, moving-target “due dates,” lack of a big-picture understanding, lack of knowledge about dependencies, poor checklist version control, low-priority tasks in the critical path, inefficient use of resources, and unclear links to Sarbanes-Oxley Section 302 certification requirements.

        [back to top]
      • Q:    What are the key components, or practices, within a disciplined and efficient financial close process?

        The most effective and efficient financial close processes tend to be defined by a “tone at the top” that clearly communicates the importance of a quick and accurate close. Efficient financial close processes are typically supported by enabling tools, including:

        • An overall finance calendar highlighting significant month-end, quarter-end and annual activities
        • Detailed calendars by functional area (e.g., general accounting, financial planning and analysis) that integrate with the overall finance calendar
        • A comprehensive close task list (or activity checklist)
        • Process flows and activity diagrams, which are helpful to ensure adequate controls are in place and the distribution of workload is optimized across the team to minimize bottlenecks in the process

        Leading companies not only implement these tools, but also automate the activities within them. For example:

        • Auto-alerts can be established to notify preparers, reviewers and senior management if a deadline is close to approaching or has already passed.
        • Workflow can be automated for the review and approval process.
        • Dashboards can be created and customized for multiple levels within the finance team to provide transparency into the overall process.
        [back to top]
      • Q:    How can pre-public companies migrate to a more disciplined and efficient financial close process during a PCR effort?

        The following actions can help compress closing process cycles:

        • Determine all key stakeholders in the close process, and assign clear accountability.
        • Identify key events along the close cycle, and eliminate bottlenecks, unnecessary steps and redundancies within steps.
        • Develop comprehensive and supporting detailed close calendars and close activity checklists.
        • Set demanding yet realistic expectations given your organization’s resources and current capabilities.
        • Develop an approach in which portions of the close process occur prior to period-end.
        • Measure and monitor close process performance.
        [back to top]
      • Q:    What does a comprehensive “close activity checklist” include?

        A close activity checklist enables task-level management of the close process, which in turn enables the monitoring of daily performance and the capturing of performance data that can be used to alert finance and accounting managers to areas of the process that may require adjustments or a more comprehensive redesign. The checklist, which frequently consists of a shared Microsoft Excel file or other commercially available technology, ultimately can enable everyone from staff through executives to monitor the close on a daily basis through dashboard metrics.

        The first step in developing a checklist is to understand the roll-ups and accountabilities. Managers can achieve this understanding by answering questions such as, “Do business units, individual locations and shared service centers need their own checklists?” and “Is there value in consolidating checklists for all entities, locations and divisions into one master checklist?”

        Once the tiers and level of detail required for the checklist are established, the format can be designed. To produce effective reporting, the checklist design should remain simple yet detailed enough to capture relevant data for each activity type (e.g., reconciliations, manual journal entries).

        [back to top]
      • Q:    What is a “close manager,” and how can this position help drive a more efficient financial close?
        A:    ​Another leading financial close practice consists of creating a close manager position, preferably at the same time a company produces its close checklists. The close manager is responsible for ensuring the completeness of the close each month by monitoring performance continually during the close via daily status meetings and issue resolution checkpoints. This individual also works to improve performance continually by analyzing month-to-month performance against plan targets, then recommending – and, when appropriate, implementing – process changes.
        [back to top]
      • Q:    What are some of the leading practices and tools that companies are adopting to achieve a more disciplined and timely financial close?
        A:    ​As described above (Questions 36-40), close calendars, activity checklists, close managers and dashboards represent tools that proactive pre-public companies use to strengthen their financial close processes. While spreadsheets represent the most common supporting technology for these practices, other technology tools are available that provide more sophisticated support of accounting and financial data and reporting.div>
        [back to top]
      • Q:    What is a “close dashboard,” and how can this tool help drive a more efficient financial close?

        A close dashboard, which is populated with information culled from the close activity checklist, provides an organization with a high-level view of when clusters of close activities are actually performed. These dashboards can be used to monitor performance by region, function, activity and process owner, among other categories.

        These reports provide support to the daily close status meetings that close managers conduct and help identify opportunities for rebalancing the allocation of close tasks, clarifying dependencies, and redistributing the timing of activities.

        [back to top]
    • category Sarbanes-Oxley Act Compliance

      • Q:    What are the most important components of compliance with the Sarbanes-Oxley Act, and when do they need to be completed?
        A:    ​Section 404 of the Sarbanes-Oxley Act requires the greatest volume of work among the law’s many components, but it is far from the only provision that requires attention and action during a PCR effort.
        Section 404 lays out requirements related to internal control over financial reporting (ICFR) that should be in place for a company to achieve compliance with the law (see table below). These internal controls must be documented, evaluated, tested and re-worked (through remediation when determined to be ineffective). Further, the company’s current ICFR state must be confirmed (or attested to) by an external auditor and discussed in the company’s financial reports.* Newly public companies generally must include management’s ICFR report and the auditor’s ICFR attestation in their second annual report (after becoming a public company). Sarbanes-Oxley also requires quarterly disclosures related to controls over financial reporting.
        Given these deadlines, newly public companies can elect to delay the achievement of Sarbanes-Oxley compliance until after they become public; however, doing so exposes the organization to serious risks, including the burden of a highly compressed compliance effort amid numerous other challenges newly public companies confront, a lower likelihood of developing a sustainable compliance program, and a greater chance of noncompliance.
        *External auditors that audit these companies are regulated by the PCAOB, which has stepped up its enforcement activities after noting deficiencies in audits of financial statements and internal controls. For more information, read Protiviti’s Flash Report(12/14/2012), “PCAOB Issues Inspection Report Summarizing Deficiencies in Audits of Internal Control over Financial Reporting,” available at
        [back to top]
      • Q:    How much lead time is necessary for pre-public companies to achieve Sarbanes-Oxley compliance?
        A:    ​First-time Sarbanes-Oxley compliance readiness requires approximately four to six quarters, depending on the size and complexity of the organization and the Sarbanes-Oxley compliance expertise it enlists to support the effort. It is highly recommended that companies preparing for an IPO launch their Section 404 compliance activities as soon as the initial readiness assessment has been completed (see Question 1 in Sarbanes-Oxley Act Compliance).
        Many of the internal control and reporting mechanisms of Sarbanes-Oxley require months to implement, and changes in relationships involving board members and/or auditors may require extensive time to put into place. Additionally, due to demands from investors and analysts, many key executives do not have the time to play major roles in post-IPO Sarbanes-Oxley compliance efforts.
        [back to top]
      • Q:    What are some of the leading practices among Sarbanes-Oxley compliance efforts at prepublic companies?
        A:    ​Leading compliance practices include establishing the right tone at the top; dedicating sufficient resources (i.e., enough people who possess the right expertise); implementing a top-down, risk-based approach; implementing supporting automation where possible (and/or activating automated controls in existing software); seeking out opportunities for process improvements during the compliance work; maintaining a close and constructive relationship with external auditors; and, above all, devoting sufficient time and project/process management discipline to the effort.
        [back to top]
      • Q:    What lessons from previous Section 404 compliance efforts can be applied by pre-public companies working on Sarbanes-Oxley compliance?
        A:    Fortunately for newly public companies, the intense difficulty and confusion that characterized the vast majority of early Sarbanes-Oxley compliance efforts in the four years following the law’s passage in July 2002 have lessened.The Public Company Accounting Oversight Board (PCAOB), which oversees external auditing firms, and the SEC have provided additional guidance in recent years that has helped clarify confusing aspects of the regulation while promulgating a more risk-based approach. Additionally, Sarbanes-Oxley compliance lessons have been learned by public companies and their external auditing partners.
        The most relevant lessons pre-public companies can glean from recent Sarbanes-Oxley compliance history include the following:
        1. It is never too early to begin the compliance process, which always requires more time than a compliance team initially estimates.
        2. A top-down, risk-based approach is critical to a successful and efficient compliance program.
        3. The number of internal controls is the primary cost-driver of Sarbanes-Oxley compliance.
        4. Because the market for Sarbanes-Oxley compliance talent and expertise remains tight, it is critical to hire resources and/or bring in third-party experts and auditors early.
        5. A one-size-fits-all approach to compliance does not exist.
        [back to top]
      • Q:    What are some key questions that help pre-public companies assess their state of Sarbanes- Oxley compliance readiness?
        A:    1. Have we fielded a board of directors of the right size, structure, experience and depth to guide us in our decisions and provide the requisite oversight?
        2. Have we established the appropriate oversight, policies and procedures, internal controls, and infrastructure necessary to be a public company?
        3. Have we incorporated the 12 to 18 months of lead time typically required to achieve Section 404 readiness?
        4. Do we have individuals with appropriate experience and qualifications in our finance function?
        5. Are we taking advantage of the application controls in our IT system (and especially our ERP application), or are we expending our resources on many manual controls, which ultimately will require more time and money to test?
        6. Does management and our audit committee know where the key risks within our financial reporting processes exist?
        [back to top]
      • Q:    What are the most common internal control issues reported by public companies?
        A:    ​The most common internal control deficiencies disclosed by public companies include problems with financial systems and procedures (which include the financial close and inventory processes, as well as account reconciliation), personnel issues (which cover segregation of duties, inadequate staffing and, sometimes, training), revenue recognition, documentation, and IT systems and controls (which include security concerns).
        [back to top]
      • Q:    Does an external auditing firm need to verify a company’s Sarbanes-Oxley compliance readiness prior to the IPO?
        A:    ​No, the first external auditor’s attestation of internal controls generally appears in the second annual report a company files following its IPO, according to current Sarbanes-Oxley Act deadlines determined by the SEC. However, there are multiple sections to the Act, and while Section 404’s requirements do not become effective until the second annual report, the Section 302 and 906 certifications (signed by the CEO and CFO) are required in the initial filing. Sections 302 and 906 require the CEO and CFO to certify that the financial statements are accurate, the information is fairly presented, and it complies with the requirements of the Sarbanes-Oxley Act. In addition, deficiencies or material weaknesses could be identified and subsequently disclosed during the pre-IPO financial statement audits and thus would be subject to remediation. Companies will often engage a consulting firm to conduct a comprehensive PCR assessment prior to an IPO. These assessments cover multiple areas, including corporate governance and Sarbanes-Oxley compliance readiness. One output from this assessment is a Sarbanes-Oxley readiness road map with key activities, timelines, and resource commitments to get the organization ready for its compliance requirements.

        [back to top]
      • Q:    Moving forward after an IPO, what resources does a public company require to sustain Sarbanes-Oxley compliance?
        A:    ​From a resources perspective, companies need internal compliance talent, access to external compliance expertise (particularly in the area of IT-related controls and risk management), IT support (which often takes the form of risk- and compliance-related software), and an ongoing training and communications effort to ensure business process ownership of internal controls monitoring and the active management of compliance processes. From a less tangible resources perspective, public companies truly need to establish an appropriate “tone at the top” to ensure that maintaining an effective and efficient approach to compliance remains top of mind throughout the entire organization.
        [back to top]
      • Q:    What are the key activities required of management and a company’s external auditors to maintain Sarbanes-Oxley compliance after the IPO is complete?
        A:    Maintaining Sarbanes-Oxley compliance in a sustainable fashion requires ongoing attention from senior executives, daily hands-on management, and a healthy working relationship with external auditors. However, as a growing number of public companies are realizing, sustainable compliance efforts can deliver returns on investment that include process improvements and cost reductions.
        Once initial Sarbanes-Oxley 404 compliance is achieved, the focus of the program should shift to ongoing management and continuous improvement. The primary opportunities for improvement include the handoff of internal controls monitoring and management responsibilities from the compliance team – which often initially consists primarily of internal audit and corporate finance and accounting managers – to business process owners. This transition is often accompanied by the introduction of supporting software and/or the re-evaluation of existing financial systems to ensure that internal controls options are being utilized. This software is used to reduce the amount of manual, and therefore more error-prone, compliance work around internal controls monitoring.
        From a practical perspective, three of the most important compliance activities occurring on a regular basis are Section 404 reporting on internal controls, Section 302 certifications (by the CEO and CFO) of the quarterly financial statements, and the ongoing operation of a whistleblower hotline that is available for employees to use to report possible ethics and compliance issues anonymously. Internal controls reporting and related certifications typically require a cascade of related reporting and, often, certifications throughout the company’s business processes related to financial reporting.
        [back to top]
    • category Additional Governance Considerations

      • Q:    How can a pre-public company ensure that it has in place a sufficient set of corporate governance, risk management and compliance capabilities?
        A:    ​The Sarbanes-Oxley compliance work that takes place during the PCR effort often sets the tone for how governance, risk and compliance (GRC) management will be maintained in the months and years following the IPO. Successful long-term GRC efforts among established public companies – those that are effective, efficient and often also produce insights that lead to opportunities for revenue and profit increases – tend to share the same success factors as those that define successful pre-public Sarbanes-Oxley compliance efforts (see Question 3 in Sarbanes-Oxley Act Compliance). These include the right tone at the top that pervades throughout the organization, ample resources, supporting technology, and a commitment to identifying related process-improvement opportunities, among others.
        [back to top]
      • Q:    How many corporate directors do boards typically contain?
        A:    ​The average size of a U.S. corporate board is slightly more than nine members, according to Corporate Library research. While boards range in size from three directors to more than two dozen directors, some financial analysts identify the ideal board size as seven directors.* The board needs to be large enough to accommodate board independence and committee requirements set by the SEC and listing exchanges (see Question 1 in Additional Compliance and Corporate Governance Considerations).
        *“Evaluating the Board of Directors,” Investopedia Staff,
        [back to top]
      • Q:    Are public companies required to maintain an internal audit function?
        A:    ​The answer depends on the listing exchange the company joins. The NYSE, for example, requires all member companies to maintain an internal audit function while the NASDAQ’s listing standards do not. According to the NYSE listing standards, internal audit functions among member companies may take the form of a department within the company or exist through a co-sourcing or an outsourcing arrangement.
        [back to top]
      • Q:    What is the role of the internal audit function?
        A:    ​As business risk and organizational complexity have evolved, the internal audit profession – through The Institute of Internal Auditors (IIA) – has continued to redefine itself.
        Today, The IIA defines internal auditing as follows:
        Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve the organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
        Adherence to the International Standards for the Professional Practice of Internal Auditing (The IIA’s Standards) includes following this definition. While there is no regulatory requirement for how a company must define internal auditing, The IIA definition is generally accepted, and the SEC, NYSE and other regulatory bodies may reasonably be expected to refer to The IIA’s definition when considering whether an organization has an internal audit function.
        (For more information about internal auditing and the internal audit function, please see Protiviti’s Guide to Internal Audit: Frequently Asked Questions about Developing and Maintaining an Effective Internal Audit Function, available at
        [back to top]
      • Q:    What are a company’s different options for creating an internal audit function?
        A:    A company may establish an internal audit function using its own employees or create one through a co-sourcing or outsourcing arrangement. Most internal audit functions are led by a chief audit executive (CAE) and a staff that may include audit managers, senior auditors and auditors. When possible, companies also staff their internal audit functions with specialized expertise (e.g., IT auditors). Internal audit budgets vary significantly, depending on numerous factors, including revenues, industry, federal and industry regulations with which the company must comply, number of physical locations, and decentralization, among others.
        [back to top]
      • Q:    What jurisdiction do the SEC and PCAOB have over internal audit functions?
        A:    The internal audit profession is not regulated by the SEC, the PCAOB or any U.S. government agency. However, the PCAOB, through rules about external auditors’ reliance on the work of others, can influence the nature and scope of internal audit work. For example, the PCAOB’s findings regarding deficiencies in registered public accounting firms’ audits of internal control over financial reporting are likely to affect internal audit’s activities as part of the Section 404 compliance process.*
        The IIA is the self-governing body that includes the International Auditing Standards Board (IASB), which is charged with evaluating and developing practice standards. These standards are subject to a public comment period, much like other professional standards and accounting pronouncements.
        *For more information, read Protiviti’s Flash Report (12/14/2012), “PCAOB Issues Inspection Report Summarizing Deficiencies in Audits of Internal Control over Financial Reporting,” available at
        [back to top]
      • Q:    What personal qualities, knowledge and skills should internal auditors possess?
        A:    Internal auditors should possess and demonstrate through their work, actions and communication a number of traits, including, but not limited to, the following:
        -A commitment to and demonstration of competence in the field of internal auditing
        -Strong financial and operational background in accounting, IT, regulatory compliance and/or the industry in which the company operates
        -Honesty and integrity
        -A strong work ethic and attention to detail
        In general, internal auditors should develop and maintain a healthy level of professional skepticism and objectivity to assist in evaluating information and making judgments. Additionally, internal audit professionals should possess exceptional verbal and written communication skills and be proficient in negotiating and reasoning with a variety of departments and groups over which internal audit may have no formal authority. Finally, personal integrity, professional due diligence and curiosity are important traits for individuals tasked with conducting internal audit work.
        Internal auditors also need to acquire and then master new areas of expertise and knowledge of emerging or re-emerging issues. This can be accomplished by attending internal and external training programs.*
        *Realizing the internal audit profession is continuously evolving, Protiviti has conducted a series of internal audit capabilities and needs surveys in recent years to provide benchmarks by which internal auditors can measure their knowledge and skills and identify gaps to be addressed. The latest survey report is available at
        [back to top]
    • category Risk Management Considerations

      • Q:    Q: RISK MITIGATION AND INTERNAL CONTROLS – DO THEY RUN COUNTER TO START-UP ‘DNA’? How do you balance compliance and agility?
        A:    A: As companies grow and initial public offering (IPO) becomes a part of the growth strategy, the lack of a focus on IT controls can potentially hurt both their top line and filing deadlines.  Companies are often conflicted when trying to balance compliance requirements with the use of emerging technologies and non-traditional technology management processes. Does management sacrifice speed and innovation in favor of meeting auditor requirements, or does it allow the company to stay the course with its development priorities and risk non-compliance? There is another way that satisfies control and compliance requirements without disrupting the company’s culture of independence and innovation.  Read more about how to pre-empt potential problems and find key opportunities

        Read More.

        [back to top]
      • Q:    What is directors and officers (D&O) liability insurance, and are companies required to purchase D&O insurance for their board members?
        A:    ​Directors and officers (D&O) liability insurance is payable to the company, or the directors and officers of a company, to cover damages or defense costs in the event they incur such losses as a result of a lawsuit for alleged wrongful acts while acting in their capacity as directors and officers for the organization. There are three basic levels of D&O insurance; they are commonly referred to as Side A, Side B and Side C. Side A coverage protects directors and officers against claims for which the company will not or cannot indemnify a director or officer because of legal or financial solvency reasons; Side B coverage reimburses the company for amounts it pays to directors or officers as indemnification; Side C coverage pays losses arising from certain securities claims against the company. Exclusions will apply for actions taken in bad faith, so D&O insurance is not carte blanche for directors and officers to act with impunity. There are also specialized D&O policies that cover directors and officers in cases where the company is not permitted to indemnify them (e.g., cases where indemnification is prohibited by public policy); this type of policy usually rides on top of Side A coverage.
        While D&O liability insurance is not legally required, it is exceedingly common in the business world, especially for public companies. Liability exposures are very high right now and companies find it beneficial to offer some protection to current or potential directors and officers in order to attract and retain top talent. Currently, the largest litigation concerns for public companies are direct shareholder/investor suits, regulatory claims and employment litigation. The fallout from the recent financial crisis has severely increased the concern about regulatory claims.
        The presence of D&O insurance coverage should allow directors and officers to operate in the best interests of the business, taking calculated risks within the company’s risk appetite without undue concern about potential, and perhaps baseless, litigation. All D&O liability insurance policies will come with significant exclusions, some of which are negotiable, so it is important that the company, and its directors and officers, have a thorough understanding of what is covered and what is not. Consulting legal counsel about the limits of any insurance policy is always advised.
        [back to top]
      • Q:    What board committees should be created prior to an IPO or public debt offering?
        A:    ​There are specific regulations regarding board composition (see Question 1 in Additional Compliance and Corporate Governance Considerations) and committees.
        The following committee requirements reflect current NYSE, NASDAQ and/or SEC rules:
        -Audit Committee: Listed companies must have an audit committee composed of at least three directors, each of whom qualifies as an independent director. Further, each member of the audit committee must be financially literate or must become financially literate within a reasonable period after his or her appointment to the audit committee (financial literacy includes being able to read and understand financial statements). In addition, at least one member of the audit committee must be identified and designated as a financial expert, defined as one “who has accounting or related financial management expertise” obtained as serving as a principal financial or accounting officer, controller, accountant, or auditor or having other relevant experience, as required by the Sarbanes-Oxley Act.
        -Compensation Committee: NYSE rules require boards to have compensation committees composed exclusively of independent board directors. The NASDAQ does not require a listed company to maintain a compensation committee but does require the determination of officer pay be made either by the company’s independent directors or a compensation committee composed of independent directors. As such, NASDAQ companies can have board compensation committees that are composed exclusively of independent directors, or they may also have compensation committees composed of independent and non-independent directors. However, if the latter composition is the case, executive compensation must be recommended to the board by a majority of the independent compensation committee members.
        -Nominating/Governance Committee: Required by the NYSE (and advisable for NASDAQ member companies), nominating/governance committees are responsible for recommending and approving directors and committee members. The NYSE (i) requires listed companies to have a nominating/corporate governance committee composed entirely of independent directors and (ii) directs nominating/governance committees to develop and recommend guidance concerning general corporate governance issues.
        [back to top]
      • Q:    What is the compensation committee’s responsibility related to the oversight of executive compensation plans?
        A:    During the past decade, both the authority and influence of the board of directors’ compensation committee have increased, particularly in the area of executive compensation, as new regulations have required more, and increasingly thorough, disclosures concerning executive compensation packages (including equity incentive plans and other equity awards).
        As with all committees of the board of directors, the compensation committee’s responsibility is to provide oversight. In this case, that means reviewing and approving the executive compensation strategy and plans, providing oversight of the company’s benefit plans, reviewing compensation-related risks, monitoring the approved activities of outside compensation consultants, and reviewing and making recommendations to the entire board of directors regarding the board’s compensation. The compensation committee is also responsible for producing an annual report on executive compensation for inclusion in the company’s proxy statement.
        [back to top]
      • Q:    What is an audit committee “financial expert”?
        A:    In accordance with Sarbanes-Oxley Act Section 407, the SEC requires public companies to have at least one member of the board of directors who qualifies as a “financial expert” serve on the audit committee of the board. The SEC defines “financial expert” as a person who (i) has filed financial statements as a chief or principal financial officer, principal controller, principal accounting officer, public accountant or auditor; and (ii) possesses the following attributes:
        1. An understanding of U.S. GAAP and financial statements
        2. Experience applying U.S. GAAP in connection with the accounting for estimates, accruals, and reserves that are generally comparable to the estimates, accruals and reserves, if any, used in the registrant’s financial statements
        3. Experience preparing or auditing financial statements that present accounting issues generally comparable to those raised by the registrant’s financial statements
        4. Experience with internal controls and procedures for financial reporting
        5. An understanding of audit committee functions
        [back to top]
      • Q:    Does the board have any responsibilities or duties within the PCR effort?
        A:    ​Yes, although the responsibilities of employee directors (e.g., the CEO or the CFO) and non-employee directors differ. Directors who also serve on the management team typically lead the transaction readiness effort and play important, as well as labor- and time-intensive, roles throughout the readiness process (e.g., addressing board composition issues, conducting due diligence, working closely with external service providers as well as auditors and regulators, preparing the registration statement, and conducting presentations as part of the road show)
        Non-employee directors typically do not fulfill as much of a hands-on role as employee directors. However, non-employee directors review and authorize most, if not all, of the key decisions and documentation, including the registration statement, executed during the readiness effort.
        [back to top]
      • Q:    What are the most common PCR risks that boards need to address?
        A:    Aside from ensuring that the board meets all relevant composition and committee requirements, the primary PCR risks the board should monitor generally include the same risks the company’s management and IPO team need to monitor and address. At the highest levels, these risks relate first to compliance with all IPO-related requirements and second to the same issues that investors evaluate when deciding whether or not to buy (and what to pay for) shares. Any issues that negatively affect the public perception of the company’s management team strength, health of industry dynamics, financial outlook, ability to generate cash, and business model strength and resiliency should be monitored by the board.
        Additionally, there are a number of more specific common risk areas that require monitoring during the transaction readiness process. These include “gun jumping” and cheap stock issues (see Questions 88 and 89, respectively) as well as the following:
        The Use of Non-GAAP Financial Measures: Many companies use some non-GAAP measures to describe their results in addition to those also required under U.S. GAAP. When doing so, companies should ensure they remain in compliance with SEC regulations in this area. Examples of common non-GAAP measures include adjusted EBITDA, free cash flows and quality of earnings adjustments. Companies are permitted to utilize these non-GAAP measures in their registration statement (as well as in subsequent SEC filings) if they:
        1. Disclose the most directly comparable GAAP financial measure along with reconciliation between the non-GAAP measure and the comparable GAAP measure
        2. Present the GAAP measure with equal or greater prominence as the non-GAAP measure and the disclosure of why the non-GAAP measure is useful to investors
        Sarbanes-Oxley Compliance: The Sarbanes-Oxley Act adds substantial compliance requirements on pre-IPO companies. In many cases, the time and resources required to achieve compliance are underestimated. For these reasons, the IPO team should integrate consideration of internal controls, including critical internal controls over financial reporting, disclosure and other governance requirements into the organization’s infrastructure as early as possible in the readiness effort. Doing so allows for sufficient time to implement and assess the effectiveness of these internal control protocols.
        Auditor Independence: Sarbanes-Oxley rules prohibit a company’s external auditor from providing many non-audit services, including internal audit, legal guidance, valuations and other (but not all) forms of consulting. Pre-IPO companies should carefully evaluate any existing (non-audit) arrangements with the external audit firm to clarify permissible services and establish clear independence related to current services.
        Recent (or Probable) Acquisitions: Public offering registration statements generally require inclusion of audited financial statements for a “significant” (as defined by SEC guidelines) acquisition that takes place 75 days or more before the offering, or, in the case of the most material acquisitions, as soon as the acquisition is deemed probable. Additional information related to these acquisitions also may be required to be included in the registration statement.
        [back to top]
    • category Additional Compliance and Corporate Governance Considerations

      • Q:    What are the relevant listing exchange and SEC requirements concerning the composition of the board of directors?
        A:    ​A majority of the board must be composed of independent directors. NYSE and NASDAQ provide highly detailed definitions and guidance on what qualifies a director as “independent.” PCR teams should work closely with their company counsel, and/or external counsel, to evaluate whether directors comply with each listing exchange’s independence requirements.

        Given these and other requirements, as well as the board’s involvement in the readiness effort, pre-IPO companies should address board composition early in the readiness process. It can take significant time and effort to select and bring aboard qualified directors if it is determined that the previous composition of the board needs to be altered.

        The Dodd-Frank Act, in effect as of January 2011, contains additional stipulations for the way in which “independence” is defined and determined.

        [back to top]
      • Q:    ​Are pre-public companies required to operate investor relations (IR) functions?
        A:    No. However, the company’s management team and extended IPO team (including external service providers such as the managing underwriters) serve as the de facto investor relations (IR) function during the readiness process and immediately after the IPO has taken place. This IR effort typically is headed by the CEO and the CFO (who typically leads – and sometimes is – the IR function after the IPO and until an IR executive is hired, if the company elects to do so). This effort includes the road show presentations that the CEO and CFO conduct for investors and analysts. (The managing underwriters often organize the road show meetings and help the CEO and CFO refine and finalize their presentations, but do not participate in the presentations.) These presentations play a crucial role in the success of the offering.
        [back to top]
      • Q:    ​Must the external auditor be registered with the Public Company Accounting Oversight Board (PCAOB)?
        A:    Yes. In accordance with the Sarbanes-Oxley Act, each public accounting firm that issues or prepares any report with respect to any issuer or plays a substantial role in the preparation or furnishing of an audit report with respect to any issuer must be registered with the PCAOB.
        [back to top]
      • Q:    ​What is “auditor independence,” and how does it apply to the selection and use of an external auditing firm?
        A:    The phrase “auditor independence” refers to both a mindset (primarily in the context of internal auditors) and specific SEC rules focused on the relationship between external auditing firms and their clients.

        The notion of internal auditor independence describes the integrity and objectivity that informs the work of internal auditors and also explains why, in many cases, a public company’s chief audit executive maintains a dual reporting relationship with the organization’s CEO and the audit committee chair of the board of directors.

        In more practical and legal terms, “auditor independence” refers to a set of SEC rules that govern the relationship between a public accounting firm that conducts annual audits (also known as the external auditor) and its client companies. These rules restrict the external auditor from conducting other non-audit services (e.g., consulting work for audit clients). The rules contain additional restrictions, including limits on auditing firm employee investments in client companies, designed to help ensure the independence, integrity and objectivity of the annual auditing work.

        [back to top]
      • Q:    How much does an annual external audit typically cost?
        A:    External audit fees vary tremendously based on a company’s size, complexity, geographic profile and organization (i.e., the degree to which its operations are centralized versus decentralized). Generally, public company audit fees are significantly higher than the audit fees private companies pay.
        [back to top]
      • Q:    ​What role does an external auditing firm play in the PCR effort?
        A:    The primary role of a company’s external auditors is to conduct an objective audit of the financial statements and issue an independent opinion and any related comfort letter associated with the closing of the offering. External audit firms can play a number of secondary roles in support of an IPO, including offering strategic advice to management on sensitive or problematic areas, and can provide some assistance in responding to SEC comment letters.

        Pre-IPO companies should be aware that registered public accounting firms are coming under heightened scrutiny by the PCAOB with regard to their audits of financial statements and internal control over financial reporting. As a result, external auditors are expected to be more rigorous in their audits.* This may heighten the risk of a pre-public company not being fully prepared to undergo an audit of its financial statements and internal controls successfully.

        *For more information, read Protiviti’s Flash Report (12/14/2012), “PCAOB Issues Inspection Report Summarizing Deficiencies in Audits of Internal Control over Financial Reporting,” available at

        [back to top]
      • Q:    What are Federal Sentencing Guidelines, and should their consideration be included in the PCR process?
        A:    The Federal Sentencing Guidelines (FSG) consist of rules that determine the punishment for individuals and organizations (including public companies) convicted of felonies and Class A misdemeanors in the U.S. federal court system. The guidelines determine sentences based on the conduct associated with the offense and the defendant’s criminal history. FSG frequently are addressed within compliance efforts because the existence of an “effective compliance and ethics program” as defined in the guidelines can, in many cases, reduce the severity of sentences.
        [back to top]
      • Q:    What is the Foreign Corrupt Practices Act, and does it apply to all U.S. public companies?
        A:    The Foreign Corrupt Practices Act (FCPA) contains anti-bribery provisions that make it illegal for anyone subject to U.S. jurisdiction to offer, promise, gift or authorize the giving, with a corrupt motive, of anything of value to foreign officials – directly or indirectly – for the purpose of influencing the official to assist in obtaining or retaining business. Despite its importance, FCPA compliance sometimes is overlooked during the PCR process. While most public and private organizations are familiar with the FCPA’s anti-bribery provisions, the law contains additional obligations for issuers of U.S. securities. As a result, FCPA compliance represents an important part of PCR. Executives within pre-public companies with operations in foreign jurisdictions need to be aware of all of the Act’s provisions and take appropriate steps to comply.
        [back to top]
      • Q:    What FCPA considerations and steps should pre-public companies take?
        A:    The FCPA states that issuers must “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer.”

        The law also states that issuers must devise and maintain a system of internal accounting controls that provide numerous specific assurances related to management’s authorization of transactions, adherence to GAAP, access to company assets, and more.

        During the readiness effort, companies should ensure that board-level FCPA compliance oversight exists; FCPA compliance and anti-corruption controls are integrated into Sarbanes-Oxley compliance readiness activities; and a designated member of senior management takes responsibility for coordinating the FCPA compliance program. These activities reflect the highest-level steps that comprise the FCPA compliance component of PCR. Numerous compliance-specific steps that should be performed also exist.

        [back to top]
      • Q:    How does FCPA compliance relate to Sarbanes-Oxley compliance?
        A:    Section 302 of the Sarbanes-Oxley Act reflects the spirit of the provisions (those related to “books and records”) within the FCPA. Despite its importance, FCPA compliance sometimes is overlooked during the PCR process. This may be because the FCPA lacks the concept of “materiality” that helps drive home the threat of criminal liability for executives and managers who knowingly violate provisions within the Sarbanes-Oxley Act. Adherence to both Sarbanes-Oxley Section 302 and the FCPA is an essential part of a public company’s compliance program – and therefore should be appropriately considered and addressed in the readiness effort.
        [back to top]
      • Q:    Are pre-public companies required to have a formal code of conduct and an ethics program?
        A:    Although the adoption of a formal code of conduct (or ethics program) is not technically required, it is highly recommended from a governance, risk management and compliance perspective. The SEC, via Sarbanes-Oxley Section 406, requires public companies to disclose whether they have adopted a code of ethics for senior financial officers, and if not, the reasons why, as well as any changes to, or waiver of any provision of, that code of ethics. As mentioned in Question 7, the Federal Sentencing Guidelines direct courts and judges to consider the existence of an “effective compliance and ethics program” favorably when determining sentences. Additionally, the absence of a formal code of conduct and/or ethics program can lead to concerns among shareholders and also send the wrong message to employees.
        [back to top]
      • Q:    Are formal records management, business continuity management (BCM) and/or enterprise risk management (ERM) programs required to be in place before a company can complete an IPO or public debt offering?
        A:    ​While components of the FCPA, Sarbanes-Oxley and SEC rules related to financial reporting and accounting require specific records management processes, there are no formal rules requiring companies to establish comprehensive records management, BCM or ERM programs before issuing securities.

        That said, each of these capabilities represents sound business practices in place at large numbers of public companies. These capabilities require specific, and fairly sophisticated, types of business process, skills and IT support to succeed. The most effective PCR programs identify the immediate and long-term process, talent and technology an organization needs to have in place to complete an IPO and, equally important, to be in a position to thrive as a public company.

        [back to top]
    • category A Scalable Information Technology (IT) Enviroment

      • Q:    How do you select an ERP system?
        A:    Pre-public and newly public companies face many risks during their transformation process, including accurate and timely financial reporting, effective forecasting, appropriate corporate governance, and - last but not least - a scalable IT environment. Organizations must ensure that systems and data are appropriate to help enable the longer-term strategy and growth needs that management has defined. As an organization prepares for its initial public offering, selecting the "right" ERP system often is one of the key considerations for management to address. In fact, a common question many executives ask is, "where do we start?"

        To read more about selecting an ERP system, download the FAQ Guide.

        [back to top]
      • Q:    What IT strategies should be assessed and evaluated during the PCR effort?
        A:    A formal IT strategy for managing technology and applications during the readiness effort and continuing 12 to 24 months after the IPO should be created at the onset of the readiness effort. It should be based on the IT-related analysis conducted during the initial readiness assessment.
        [back to top]
      • Q:    What are the largest and most common IT-related risks that pre-public companies must address?
        A:    Pre-IPO companies frequently report that their IT departments represent one of the greatest points of focus during the readiness effort. In most cases, there are three areas within IT that require significant attention during the PCR effort in order to mitigate risk:

        1. Systems and data related to the accurate and timely production of financial statements. This includes a wide and varied range of needs, including systems availability, data cleanliness and control, and the updating and maintenance of financial systems.

        2. Creating, testing, monitoring and managing IT general controls that pertain to Sarbanes-Oxley compliance. To be sure, this qualifies as a major effort and requires numerous steps; effective collaboration among IT, finance, accounting and internal audit; and, in most cases, collaboration with the company’s external auditors.

        3. Supporting business process improvements conducted during the readiness effort with related systems and applications changes and updates. During the readiness effort, most companies seek to achieve better financial and management reporting capabilities; greater standardization of business processes; the reduction of manual business process steps (i.e., greater emphasis on automation); greater visibility into cost, sales pipelines and other operational areas; more highly integrated supply chain management capabilities; better data integrity; and more easily tracked “audit trails,” among other needs. Each of these needs contains an IT element that must be in place for the improvement to be implemented successfully.

        [back to top]
      • Q:    Given these risks, what steps should pre-public companies take to ensure that their IT environments are scalable and, thus, able to adapt to increased demands?
        A:    Developing a scalable IT environment requires a significant amount of work in each of the six primary infrastructure areas of the PCR effort. Teams leading the IT readiness effort should consider and appropriately address the following questions in each of these areas:

        1. Business Policies: Have we established and documented all of our key IT processes, as well as a formal IT strategy for managing technology and applications both pre-IPO and one to two years post-IPO?

        2. Business Processes: Have we assessed our processes for risks, controls, effectiveness and efficiency?

        3. People and Organization: Do we have the required committees, the right organizational structure, and the appropriate IT resource levels?

        4. Management Reports: Do we report timely, relevant, actionable and insightful information to the right stakeholders?

        5. Methodologies: Have we developed methodologies for handling heightened public company requirements, including core methodologies and IT frameworks, scalability, IT talent who understand these methodologies, and reporting metrics that meet performance and compliance needs?

        6. Systems and Data: Are our systems scalable to acquire the information needed to run and grow the business? Are appropriate redundancies and checkpoints built in?

        [back to top]
      • Q:    How frequently do pre-public companies elect to implement a new enterprise resource planning (ERP) system during the readiness effort, and how long does the implementation typically require?
        A:    ​Most companies on the IPO path face the decision of whether to replace their ERP system – if not before or during the readiness process, then certainly during the 12 to 18 months following the public offering. This is because some of the biggest challenges confronting pre-public companies can be addressed by a more robust ERP system. However, these implementations require significant time, financial investment, opportunity cost and operational disruption – and, as a result, pose significant risks to the IPO process.

        The primary challenges that an enhanced ERP system can help a pre-public or newly public company address include the need for better financial and management reporting, standardization of business processes, elimination or minimization of manual or non-scalable processes, integrated supply chain management planning (or manufacturing or service delivery), greater visibility into costs and customer response time, international and multicurrency capabilities, stronger data integrity and “auditability,” and better process, data integrity and security controls (including those related to financial reporting).

        ERP implementation risks stem from the fact that these types of projects are highly complex, represent a significant investment, significantly impact internal control over financial reporting, and can extend over a long period, during which most aspects of the business are involved in the implementation.

        Given the advantages and the risks that ERP implementations pose for pre- and post-IPO companies, it makes sense to identify a three- to five-year ERP strategy during the readiness effort. Companies should choose and implement an ERP system that will support the business for the next three to five years, not one that will merely address immediate needs and “pain points.” A solution that only addresses today’s most pressing needs may be inadequate to support the growth of international, multicurrency, multiproduct, in-house manufacturing operations on which a company’s revenues may be based in the not-so-distant future.

        Senior executives need to determine what the ERP system will need to support in the future and then begin the selection process.

        [back to top]
      • Q:    What other IT policy- and process-related evaluations and activities should pre-public companies undertake?
        A:    Numerous IT policies should be assessed and/or established during the readiness effort, and each should be documented. These include those related to security, data backup, change management, spreadsheet management (e.g., version control), business continuity management (BCM) and disaster recovery, Internet data transmission, and remote and virtual private network (VPN) access, as well as security and privacy issues related to Internet and data use.

        Additionally, companies should assess IT processes for risks, controls, effectiveness and efficiency during the readiness effort. These processes frequently include the software development life cycle, data validation and verification, complex or critical calculations, critical management reports, disaster recovery, and BCM planning.

        [back to top]
      • Q:    ​What IT staffing and skills evaluations should pre-public companies perform?
        A:    During the PCR process, company leaders should determine whether the firm possesses the necessary talent, organizational structure, and governance processes to support all of the financial reporting, financial close and other business processes that will be necessary to operate as a public company. Many pre-public companies create an IT standards committee as part of this process. Pre-public companies also routinely assess whether talent is in place to ensure that the IT function can support both current needs as well as requirements that likely will emerge during the first two years of operations as a public entity.
        [back to top]
      • Q:    What types of IT management reports do pre-public companies typically implement as part of the readiness effort?
        A:    To communicate timely, relevant, actionable, accurate and insightful information to the right stakeholders, prepublic companies often strengthen and/or implement several different types of IT management reports by taking the following actions:

        1. Implementing monitoring procedures to detect control issues and areas related to change management and segregation of duties, all of which are communicated in periodic management reports

        2. Creating performance reports based on IT metrics selected by finance and accounting managers

        3. Ensuring that issues identified within evolving processes are proactively corrected through the use of exception reports, internal reporting and audit reports

        4. Ensuring a robust escalation and reporting process is in place

        [back to top]
    • category Legal and Procedural Considerations

      • Q:    From a procedural perspective, what are the most common issues that arise during a public offering transaction?
        A:    During the IPO process, companies often underestimate the number and complexity of requirements necessary to complete the offering transaction. In addition, there are numerous ongoing initiatives and obligations as well as the addition of regulatory and marketplace scrutiny that influence public companies. For these reasons, an early, well-thought-out assessment of a company preparing to go public can help identify and address issues that typically arise during the IPO process, including the following:

        Corporate Issues: The readiness team should identify important contracts and agreements that may influence the offering, including “change of control triggers” in agreements, undocumented or vague arrangements between various commercial and related parties, and weak confidentiality protocols. The team should also address any unresolved intellectual property issues, as well as outstanding litigation and contingencies.

        Liability Concerns: Federal securities laws require accurate and complete disclosure of all material information necessary for an informed investment decision. A material misstatement or an omission of a material fact can result in liability to the issuer, its directors, “controlling” persons and the underwriters. A comprehensive due diligence process can reduce risks related to incomplete disclosure of material information.

        Company Considerations: During the readiness effort, IPO teams should carefully examine if and how executive compensation and employee benefit plans may influence the public offering. IPO teams also should review new equity incentive award plans for potential accounting and financial reporting implications. Additionally, IPO teams should establish a disclosure committee (a company committee, not a board committee) responsible for establishing disclosure guidelines, parameters for determining and addressing material events, and oversight of the subcertification and reporting process (in accordance with Sarbanes-Oxley compliance efforts). In doing so, the IPO team should appoint to the disclosure committee seasoned financial and operational professionals as well as subject-matter experts who are knowledgeable about the company’s key business units.

        [back to top]
      • Q:    What type of legal cleanup issues and disclosure activities need to be conducted as part of an IPO or public debt filing?
        A:    In the early stages of preparing for an IPO, a company’s legal department should evaluate opportunities to address any legal areas that may be affected by the IPO. For example, the company should inventory and review its key processes and determine what impact the IPO will have on each. Specifically, the company should consider taking the following actions:

        1. Inventory and review key contracts and agreements for any confidentiality concerns or change-of-control triggers.

        2. Formalize any significant undocumented arrangements, including employment agreements.

        3. Assess and attempt to settle any outstanding litigation and contingencies.

        4. Revise formal reporting and documentation throughout the organization.

        5. Review financing arrangements for prepayment penalties and impact of a “trigger event,” such as an IPO.

        6. Revisit venture capital and other documents, such as shareholders’ agreements, buy-sell agreements and registration rights agreements.

        7. Assemble both a secure physical and electronic “data room” to retain key documents.

        8. Formalize the company’s document retention policy.

        [back to top]
      • Q:    What filing documentation do management and the board of directors need to furnish to the SEC and the listing exchange?
        A:    Regarding disclosure activities, the company’s in-house legal counsel should work closely with outside counsel to ensure that all disclosure requirements are met. Federal securities laws require accurate and complete disclosure of all material information necessary for an informed investment decision. A material misstatement or omission can result in liability to the issuer, its directors and controlling persons, and the underwriters of the IPO.
        [back to top]
      • Q:    What is the pricing committee’s role?
        A:    The pricing committee is responsible for approving the pricing terms of the common stock offering. The board of directors is responsible for designation of the company’s pricing committee, which typically consists of key members of the company’s executive management (e.g., CEO, CFO and general counsel), as well as key professional advisers such as underwriters, ownership groups and other parties with significant ownership interest.
        [back to top]
      • Q:    What is a “controlled company,” and how do its listing exchange requirements differ from those of other companies?
        A:    As mutually defined by the NYSE and NASDAQ, a “controlled company” is a company of which more than 50 percent of the voting power for the election of directors is held by an individual, a group or another company. This level of holding effectively places the holder of the majority shares in a position to control the outcome of the voting on any shareholder issue. However, the exact degree of control is determined by the terms of participation contained within the purchase agreements for the shares and the bylaws of the company proper.

        Under NYSE regulations, a controlled company must comply with almost all of the provisions of Section 303A Corporate Governance standards. In short, controlled companies are exempt from the requirements regarding majority board independence, as well as the establishment of compensation committees and nominating/governance committees. A controlled company relying on this exemption must disclose in its annual meeting proxy statement (or, if the company does not file proxy statements, in its annual report) its status as a controlled company and the basis for determining that it is a controlled company.

        Under NASDAQ rules, a controlled company is exempt from the following requirements: the majority independent board member requirement, independent director oversight of director nominations, nominations committee charter or board resolution, and independent director oversight of executive officer compensation. It is important to note that controlled companies must still maintain an independent audit committee, establish a code of conduct and hold executive sessions with independent directors on a regular basis. A controlled company relying on this exemption must disclose in its annual meeting proxy statement (or if the company does not file proxy statements, in its annual report) its status as a controlled company and the basis for determining that it is a controlled company.

        [back to top]
      • Q:    What is “gun jumping,” and to what publicity restrictions does a pre-public company need to adhere?
        A:    The phrase “gun jumping” refers to communications that violate sections of SEC regulations related to how and when information about a pre-public company’s securities is shared. An issuer, underwriter and any other person involved in a public offering must be very careful when distributing information concerning the issuer or its securities.

        The Securities Act of 1933, which created the SEC, imposes certain restrictions and parameters of permissible communications during three periods:

        1. The period beginning when the company reaches an agreement with the managing underwriter to make a public offering and ending when the registration statement containing the issuer’s preliminary prospectus is filed with the SEC – the “pre-filing period”

        2. The period from the filing of the registration statement until the SEC declares the registration statement effective – the “waiting period” or “registration period”

        3. The period from the effective date of the registration statement until the termination of the offering or the expiration of the prospectus delivery requirements – the “post-effective period” or “quiet period”

        The consequences of engaging in gun jumping can be serious; in some cases, gun jumping can result in a mandatory delay or “cooling-off period” for the offering. These SEC-mandated delays have resulted in companies having to present their offerings during less-favorable market conditions than they had targeted. Additionally, in some cases, the SEC has required that an underwriter responsible for gun jumping withdraw from the offering. Furthermore, the SEC may require the company to include a risk factor in its prospectus to disclose a possible gun-jumping violation. If this occurs, the company’s finance and accounting team may, in turn, require that the company book a corresponding contingent liability in its financial statements.

        [back to top]
      • Q:    What are “cheap stock” issues, and how should they be evaluated and addressed?
        A:    Cheap stock continues to be a focus area for the SEC. The term “cheap stock” refers to a market price that is significantly less than the offering price for the 12-month period prior to the IPO.

        The SEC takes the baseline position that all stock issued within those 12 months is presumed to be in anticipation of an IPO and continues to be a focus area for the Commission. Generally, the SEC staff challenges the fair value of equity granted in the period preceding the IPO, while a company is private, with the presumption that the exercise prices were below the market value of the stock at the time of the grant. The key issues related to cheap stock include the valuation methodologies utilized, liability versus equity classifications, and beneficial conversion features of convertible preferred stock.

        All stock grants authorized within 12 months of an anticipated IPO should be evaluated and a determination made whether they meet the definition of cheap stock under the SEC rules. When conducting this evaluation, management should carefully consider the significant factors, assumptions, and methodologies used in determining the fair value of the company’s underlying common stock. Items to consider include the use of a third-party valuation firm versus internal resources, the valuation range if multiple methodologies were utilized, marketability and illiquidity discounts, and price-to-earning (P/E) ratios of comparable public companies.

        In addition, stock grants can be classified as either equity or liabilities depending on the facts and circumstances of the specific transaction. The company should carefully consider the classification requirements based on both the FASB and SEC rules, as they could differ (e.g., as in the case of “mandatorily redeemable” preferred stock, which may require alternative treatment under the SEC rules).

        Prior to an IPO, a company may issue convertible preferred stock with a conversion price significantly below that of the anticipated IPO price. However, the SEC may require the company to use the IPO price/conversion feature, as opposed to the price used when the company was private.

        [back to top]
    • category The Jumpstart Our Business Startups Act (2012)

      • Q:    What are JOBS Act implications to the IPO Readiness?
        A:    In April 2012, President Obama signed the Jumpstart Our Business Startups Act ("JOBS Act") into law. The new law is designed to make it easier for small and growing businesses - specifically, those on track to conduct an initial public offering (IPO) - to attract investors and access capital while complying with U.S. securities laws. The new law changes existing securities laws in a number of ways.

        To read more about the JOBS Act implications,  download the FAQ Guide.

        [back to top]
      • Q:    What are the primary objectives of the JOBS Act?
        A:    Broadly, the new law is intended to make it easier for small businesses and entrepreneurs to attract investors and access capital while complying with U.S. securities laws. More specifically, and more relevant for PCR efforts, the JOBS Act creates a new category of reporting companies – “emerging growth companies” (EGCs) – that are no longer subject to certain SEC regulations previously required of newly public companies. Understanding the definition of an EGC is very important; determining when EGC status applies and when it no longer applies will, at times, represent a complex and confusing process for many companies.

        EGCs now have a reprieve (of up to five years in length) from a number of rules and requirements including:

        1. Section 404(b) of the Sarbanes-Oxley Act (auditor attestation of internal control over financial reporting)

        2. The furnishing of three years of audited financial statements (EGCs going public now are required to submit only two years of audited financials)

        3. The submission of five years of selected and summary financial data (number of years required to be presented is consistent with years of audited financial statements presented)

        In effect, the JOBS Act exempts EGCs for up to their first five years in the public market from the compliance burdens (and costs) associated with Sarbanes-Oxley Section 404(b). These companies will still have to comply with Section 404(a) of Sarbanes-Oxley, which requires management to issue an internal control report beginning with the company’s second annual report following its public offering, as well as comply with other provisions requiring disclosures and certifications pertaining to the control environment.​

        [back to top]
      • Q:    What is an emerging growth company (EGC)?
        A:    An emerging growth company is defined as an IPO “issuer that had total annual gross revenues of less than $1 billion during its most recently completed fiscal year.” The JOBS Act lays out a number of parameters for determining how long a company retains its EGC status or eligibility.​
        [back to top]
      • Q:    How long does a company retain its EGC eligibility?
        A:    Once designated an EGC (by posting annual gross revenues of less than $1 billion during its most recently completed fiscal year), a company retains its EGC status until the earliest of the following dates:

        -The last day of the fiscal year of the issuer following the fifth anniversary of the date of the company’s initial public offering of common equity securities;

        -The last day of the fiscal year during which the issuer had total annual gross revenues of $1 billion or more;

        -The date on which the issuer has, during the previous three-year period, issued more than $1 billion in nonconvertible debt; or

        -The date on which such issuer is deemed to be a “large accelerated filer.”

        With respect to the last date, a “large accelerated filer” is an issuer that meets the following requirements at the end of its fiscal year:

        -The issuer had an aggregate worldwide market value of the voting and nonvoting common equity held by its non-affiliates of $700 million or more, as of the last business day of the issuer’s most recently completed second fiscal quarter.

        -The issuer has been subject to the requirements of Section 13(a) or 15(d) of the Exchange Act for a period of at least 12 calendar months.

        -The issuer has filed at least one annual report pursuant to Section 13(a) or 15(d) of the Exchange Act.

        -The issuer is not eligible to use the requirements for smaller reporting companies in Part 229 of the Exchange Act for its annual and quarterly reports.​

        [back to top]
      • Q:    To what companies does the JOBS Act apply?
        A:    The JOBS act applies to all EGCs that conduct an IPO​ on or after December 8, 2011. The new law does not apply to companies that went public before that date. The JOBS Act also applies to new foreign filers.
        [back to top]
      • Q:    May companies that qualify for EGC status choose to forego the available exemptions?
        A:    Yes, but with a caveat.

        An issuer qualifying for EGC status may forego reliance on any exemption available to it. For example, if the issuer has competitors that are already reporting companies, it may, for competitive reasons, choose to provide more robust disclosures than would otherwise be required of it as an EGC. However, if the EGC chooses to comply with financial reporting requirements applicable to non-EGCs, it must comply with all of the requirements.

        In other words, an EGC-eligible company cannot opt in or opt out of specific requirements; a company eligible for EGC status is either “all in” or “all out,” with no ability to “cherry-pick” compliance requirements. Additionally, any decision by the company to take advantage of its right to claim “EGC status” must be made at the time it files its first registration statement or Exchange Act report. If the company chooses to disclose beyond what is required of an EGC, it cannot revert back to claim an EGC exemption at a later date.​

        [back to top]
      • Q:    What are the primary advantages, related to going public, of the JOBS Act?
        A:    In addition to reducing part of the Sarbanes-Oxley compliance burden, the JOBS Act is intended to reduce the costs of going public by providing newly public companies with a temporary reprieve from other SEC regulations by phasing in certain regulations over a five-year period. This allows smaller companies to go public sooner and permits a more streamlined reporting approach for these issuers. Specifically, the JOBS Act:

        1. Expands the eligibility requirements of SEC Regulation A to include companies conducting direct public offerings of up to $50 million, meaning the aggregate share offering amount a company can make before it must register the offering with the SEC has been increased from the prior threshold of $5 million.

        2. Requires the SEC to revise Rule 506 of Regulation D, which bans general solicitation and advertising in offerings that are exempt from registration under this rule, to permit general solicitation in direct public offerings, thereby broadening the investor base.

        3. Allows an EGC to engage in oral or written communications with qualified institutional buyers and institutional accredited investors (as defined in Rule 501 of the Securities Act) in order to gauge their interest in a proposed IPO either prior to or following the first filing of the IPO registration statement.

        4. Exempts from registration under the 1933 Securities Act transactions involving the offer or sale of securities by an issuer over a 12-month period of either (a) $1 million or less, or (b) if the issuer provides potential investors with audited financial statements, $2 million or less, with both amounts adjusted by the SEC for inflation.

        5. Removes SEC regulations preventing small businesses from using advertisements to attract investors and increases the number of shareholders that can invest in a private company to 2,000, or 500 who are not accredited investors (i.e., investors who purchased shares via crowdfunding), without triggering SEC reporting requirements.

        These provisions are designed to provide more flexibility for companies to “test the waters” in the investor community. During the time it takes to pursue an IPO, an issuer may need to conduct a private placement in order to raise capital to permit it to continue to carry out its business plans and to cover the expenses associated with preparing for the IPO. While the SEC has provided additional interpretive guidance that has provided greater certainty for issuers that must complete a private placement to institutional investors while they are pursuing an IPO, the ability to explore these opportunities adds further flexibility, particularly as market conditions change.​

        [back to top]
      • Q:    What is crowdfunding, and how is it treated within the JOBS Act?
        A:    Crowdfunding leverages social media to provide funding for a variety of ventures. Sometimes called “crowdsourced funding,” it focuses on pooling money from individuals who have a common interest to support disaster relief, charitable causes or political campaigns, and are willing to provide small contributions toward the venture, usually via the Internet. When the goal of crowdfunding is commercial in nature and there is an opportunity for crowdfunding participants to share in the venture’s profits, federal and state securities laws will likely apply. The JOBS Act requires websites involved in crowdfunding to register with the SEC while requiring companies seeking to raise money in this manner to provide information on their financial status, business plans and shareholder risks.​
        [back to top]
      • Q:    What are the primary JOBS Act advantages related to the traditional financial reporting requirements of going public?
        A:    With respect to reporting to the SEC, the JOBS Act:

        Permits an EGC to submit a draft registration statement on a confidential basis to the SEC staff for confidential nonpublic review prior to public filing, so long as the initial confidential submission, and any required amendments, are made public at least three weeks before the issuer’s commencement of a road show.

        1. Permits an equity IPO registration statement with two years of audited financial statements (as opposed to the prior requirement calling for three years of audited financial statements). However, this provision only applies to an equity IPO registration statement. It would not apply to other registration statements or to periodic reports such as the Annual Report on Form 10-K under the 1934 Exchange Act.

        2. Omits selected financial data (which is currently required for up to five years of data) for any periods preceding the earliest audited financial statements included in the initial registration statement, including within its selected financial data or in its MD&A disclosure for those periods. This provision would apply to future registration statements and periodic reports such as the Annual Report on Form 10-K under the 1934 Exchange Act.

        3. Allows an EGC to adopt any new or revised accounting standards using the same time frame as private companies if the standard applies to private companies. This provision would apply to future registration statements and periodic reports such as the Annual Report on Form 10-K under the 1934 Exchange Act. Usually, new accounting standards provide for a less-demanding time line for private companies (compared to public companies) in transitioning to, and implementing, the new standard.

        4. Provides that an EGC may comply with the SEC’s executive compensation disclosure requirements on the same basis as a smaller reporting company. A “smaller reporting company” is generally defined as an issuer with a public float of less than $75 million or, in the case of an issuer that has no public float (e.g., an IPO registrant), has annual revenues of less than $50 million.

        5. Exempts an EGC from certain provisions of the Dodd-Frank Act, including current and future executive compensation-related disclosures (e.g., the “say-on-pay” vote requirement), the advisory vote on golden parachute payments requirement (“say-on-golden-parachutes”), the requirement to disclose the relationship between executive compensation and the financial performance of the company (“pay-for-performance”), and the CEO pay-ratio disclosure requirement.

        6. So long as it retains its EGC status, exempts the issuer from complying with the internal control attestation requirements of Sarbanes-Oxley Section 404(b) as well as any future Public Company Accounting Oversight Board (PCAOB) rules that might be adopted relating to mandatory audit firm rotation or supplemental auditor discussion and analysis reporting.​

        [back to top]
      • Q:    Does the JOBS Act pose any potential risks or problems for pre-IPO companies?
        A:    There are several potential missteps companies can commit with regard to the JOBS Act. First, companies planning an IPO that neglect to pay sufficient attention to the JOBS Act requirements for retaining EGC status do so at their own risk. For example, it would be a mistake to presume that the five-year exemption from Sarbanes-Oxley Section 404(b) compliance is a given.

        Second, companies that fail to understand EGC status fully – and fail to monitor their ongoing EGC eligibility once they have concluded their IPO – also are exposed to potential surprises presenting compliance issues. For example, suppose that an EGC with a December 31 fiscal year-end enjoys an unexpected flurry in its fourthquarter revenues, boosting its annual sales over the $1 billion threshold. According to the JOBS Act, this situation would strip the company of its EGC status, effective that fiscal year. This would, in turn, subject the company to the attestation requirements of Section 404(b) for that year (unless the company is exempted as a nonaccelerated filer). The point is that the company must monitor its EGC status carefully.

        To be sure, the SEC may issue interpretations providing a transitional period in the case of the dates triggering the Section 404(b) attestation requirement. Unless there is such a transitional period, however, instances may arise where a company will be forced to complete a large amount of detailed work (e.g., preparing for the Section 404(b) attestation process) in collaboration with outside parties (e.g., its external auditor) in a highly condensed time frame. Such occurrences can cost a lot of money if the activity is conducted in crisis mode. Given this type of possibility, companies and their advisers should watch for any interpretations issued by the SEC staff on these or other matters.

        Another significant risk is that, although the JOBS Act may not require certain financial information and disclosures, companies may be required to provide the additional information to other stakeholders.​

        [back to top]
      • Q:    Why is it important to monitor EGC status?
        A:    There are two reasons. First, a company must achieve and maintain EGC status in order to enjoy the exemptions provided in the JOBS Act. Second, determining when EGC status no longer applies can be a difficult undertaking, as well as one with significant implications on regulatory compliance activities.

        A company that qualifies as an EGC needs to understand what is likely to happen to its business during the five-year exemption period. The EGC status only applies until the earliest of four dates outlined previously (see Question 3 in The Jumpstart Our Business Startups Act 2012).

        As noted earlier, if a company exceeds the threshold of one of the EGC tests in Year Three after going public, it would need to be prepared to comply with Section 404(b) unless the SEC provides interpretive relief in the form of a transition period. As a result, a prospective IPO candidate expecting to qualify as an EGC should carefully consider how its growth trajectory may affect its EGC status and monitor its ongoing status over time.​

        [back to top]
      • Q:    To what traditional reporting and compliance requirements must EGCs continue to adhere?
        A:    While the JOBS Act provides for potentially easier but limited capital-raising as well as relaxations in certain disclosures, solicitation and past financial information, it leaves unchanged numerous existing SEC and stock exchange requirements for newly public companies.

        Concerning corporate governance requirements, EGCs still must satisfy the following areas, among many others:

        -Annual proxy statements
        -Annual shareholder meetings
        -Accounting and auditing complaints hotline
        -Independent audit committee containing at least one financial expert
        -Compensation and nominating committees of the board
        -Board risk oversight disclosures
        -Compliance with relevant stock exchange listing standards
        -Compliance with insider trading restrictions

        Concerning finance, accounting and internal controls requirements, EGCs must continue to prepare for quarterly external auditor reviews, perform effective profit-and-loss forecasting, and implement and maintain adequate information systems, among other activities.​

        [back to top]
      • Q:    Besides exempting EGCs from Sarbanes-Oxley Section 404(b) compliance requirements (for up to five years), does the JOBS Act absolve EGCs from other facets of Sarbanes-Oxley’s rules?
        A:    No. The JOBS Act does not exempt an EGC of its responsibilities under Sarbanes-Oxley Sections 302 and 906, nor does it relieve management of the responsibility to comply with Section 404(a) of Sarbanes-Oxley. These compliance requirements of EGCs and other newly public companies include the following:

        1. Upon going public, the disclosures and executive certifications required by Sections 302 and 906 must be filed in quarterly and annual filings under the 1934 Exchange Act, effective immediately. The initial focus of these requirements is on disclosure controls and procedures.

        2. Regarding internal control over financial reporting, management must disclose each quarter any material changes occurring in the internal control environment.

        3. Beginning with the second Annual Report on Form 10-K filing after going public, management must issue its internal control report, pursuant to the requirements of Section 404(a), which includes the company’s assertion on the effectiveness of internal control over financial reporting.

        4. Once the first internal control report is issued, subsequent executive certifications issued quarterly, as required by Section 302, must incorporate language regarding internal control over financial reporting, in effect adding additional certifications for management to make on a quarterly basis.​

        [back to top]
      • Q:    How does the JOBS Act affect the process through which pre-public companies achieve a confident state of public company readiness?
        A:    A company planning an IPO needs to pay attention to the JOBS Act requirements and, specifically, to its ongoing EGC status if it achieves eligibility and elects to file and report as an EGC. A prospective IPO candidate expecting to qualify as an EGC will want to evaluate its plan for growing the business after going public to ascertain if and when it might lose its EGC status prior to the five-year anniversary date, and to put monitoring processes in place to be able to react to changes, midyear, so that it is able to comply in the first year in which a higher level of compliance is required.

        Aside from the exemptions discussed herein, the JOBS Act does not in any way preclude a pre-IPO company from needing to work through a large assortment of public company transformation activities related to financial reporting, the financial close, Sarbanes-Oxley compliance (except for Section 404(b)), corporate governance, risk management, the creation of a scalable information technology (IT) environment, and numerous other legal and procedural considerations.

        In short, nearly all of the steps suggested in the Guide to Public Company Readiness remain highly recommended, if not necessary.​

        [back to top]
      • Q:    Is the JOBS Act subject to future revisions or other changes?
        A:    Yes. Although many facets of the law took effect when it was enacted in April 2012, other provisions still need to be finalized and implemented by the SEC.

        It is also important to note that the law, despite its bipartisan support and ultimate passage, experienced opposition during the legislative process. Some senators tried to reinstate across-the-board investor protections and were successful in adding the crowdfunding provision as an amendment. SEC commissioners, including the chairperson, as well as institutional investors and consumer advocacy groups, expressed concerns that the legislation goes too far in removing SEC oversight. This general view maintains that the new legislation may create greater risks for investors and ultimately could erode confidence in the capital markets. Any pattern of significant abuses of investors by companies filing as EGCs can create pressure on Congress to reconsider the JOBS Act, either portions of it or all of it.

        These concerns may affect both the nature and the timing of the SEC’s full implementation of the JOBS Act. As a result, it behooves leaders at companies considering public offerings to monitor JOBS Act developments closely, including rulemaking and SEC staff guidance.​

        [back to top]
      • Q:    If a parent company that does not qualify as an EGC decides to spin-off a wholly owned subsidiary and undertake an IPO of this business, and the subsidiary would meet the provisions of an EGC, would the subsidiary be able to claim EGC status as a newly public company?

        ​Yes. In general, the analysis to determine whether an issuer is an EGC focuses on whether the issuer, and not its parent, meets the requirements of an EGC. Based on the particular facts and circumstances, however, the EGC status of an issuer may be questioned if it appears that the issuer or its parent is engaging in a transaction for the purpose of converting a non-EGC into an EGC, or for the purpose of obtaining the benefits of EGC status indirectly when it is not entitled to do so directly.

        [back to top]


    Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

    Contact Protiviti
    Steve Hobbs
    Managing Director

    > Submit Request for Proposal

    Get the Guide
    Click to download Guide to Public Company Readiness FAQ Guide, 2nd. Ed..