The recent economic environment has been tough for the capital markets, making all sources of capital increasingly difficult for companies to access. While there has been a recent uptick in the IPO market in the United States following one of the worst IPO droughts in decades (according to a May 9, 2009, Reuters article), bank lending has declined, and venture capital remains hard to secure.
For startups and growth companies that offer strong value propositions to investors, public offerings are still an attractive avenue for raising capital; however, median age to IPO and/or acquisition has effectively doubled during the period from 1994 to 2008. And as the age to IPO and/or time to other exits increases, it is imperative for management to run companies as if they were already public. This approach will help the organization be ready to strike when the market begins to recover. Preparedness is the name of the game.
In the past, there have been a number of cases – including some involving high-profile filers – where delays occurred during the process, as evidenced by multiple filings, extensive U.S. Securities and Exchange Commission (SEC) comments, and even mid-offering restatements of prior periods. Had those companies prepared more thoroughly or extensively, they likely would have taken some or all of those delays out of play. This is why it is vital to pay close attention to the underlying business and IT processes, policies and internal controls even when new product development, revenue generation and cost management remain top priorities. This approach is similar to how a well-run public company operates.
This issue of The Bulletin focuses on certain aspects of the IPO preparation process, including the need for a readiness assessment, along with specific areas management should address – common financial reporting challenges, the close process, Sarbanes-Oxley compliance and the IT infrastructure.
The Case for Preparedness
Right up until the slowdown in the capital markets, smaller companies that were already time and resource-constrained often neglected addressing organizational and non-urgent matters pertaining to sustainable infrastructure and the control environment. As many of these companies experience a slowdown in the pace of business in today’s market, they are finding more time available to address these often ignored but critical areas. However, the resources available to address these areas continue to be in equal demand elsewhere within the organization.
Companies make progress in a down market by leveraging opportunities and optimizing positive return on investment (ROI) with scarce resources. The ROI is often realized in terms of enhanced productivity, accountability and allocation of resources, as well as strengthening eventual IPO readiness. The effort and time required to prepare for an IPO are frequently underestimated. Savvy companies are quick to realize the importance of strengthening core business processes and controls well in advance of an offering.
As IPO markets continue to remain sluggish, long-term success rests on balancing the business needs in today’s uncertain market with seizing opportunities when the market begins to rebound. The competition for key resources critical to the pre-IPO process will dramatically increase as the economy improves. Therefore, preparing in advance for the inevitable upturn not only can help strengthen business processes, but also can reduce the total costs incurred to run the business.
Recent history has proven that IPO readiness initiatives can have a positive impact on valuations and are a key enabling factor to a successful offering. Through a commitment to governance and compliance, cost savings resulting from improved operating processes, better alignment of core processes and IT infrastructure with business strategy and stronger internal and financial controls, businesses with IPO aspirations are able to increase investor confidence. Companies that are ready to go public demonstrate increased accountability and control through continuous
monitoring and reliable reporting. The result: fewer unwanted surprises.
Begin with a Readiness Diagnostic
The slowdown in the economy presents silver linings in the form of lower personnel costs, reduced turnover of skilled and valuable employees, and favorable and creative deals struck with various business partners such as vendors, contractors, distributors and customers. As CEOs, CFOs and other executives of private companies address these opportunities, they should be equally concerned about IPO readiness. Management’s initial IPO preparatory efforts should focus on baselining the current state and drawing a road map to get the company from where it is to where it should be. This baselining approach is made possible through an effective diagnostic process that accomplishes the following:
- Assesses the current state of readiness against policies, processes, people, reporting, methodologies, and systems and data benchmarks
- Identifies the readiness of core public company requirements for reliable financial reporting, efficient financial close, corporate governance and Sarbanes-Oxley Act compliance, and IT scalability
- Assesses the urgency of solutions needed to close identified gaps based on an analysis of costs and benefits along with the required timeline
- Develops work plans, timeline and resource requirements to implement the appropriate solutions
An initial readiness assessment should focus on key elements of infrastructure, as illustrated in the chart below.
An initial assessment provides the key first step in creating the necessary road map to an IPO or deploying an alternative exit strategy. As noted earlier, the current market conditions afford plenty of opportunities for companies to begin addressing specific results from the assessment. Typical low-hanging fruit include:
- Developing a baseline of appropriate policies and procedures
- Taking stock of, and nailing down, the revenue recognition process
- Developing a baseline for the financial close process
- Performing a risk assessment and initial scoping for Sarbanes-Oxley readiness and compliance
- Assessing the IT environment, considering the specifications and selecting the right enterprise resource planning (ERP) system, if required
Getting ahead of the curve and re-mediating urgent and time-consuming needs found lacking or absent during the readiness assessment is a step in the right direction. Additional questions to be considered as companies prioritize resources and ponder the best options in a down market include:
- Can we meet the reporting timelines required by the SEC?
- Can we handle the complex accounting and disclosure requirements applicable to our industry?
- Is our IT infrastructure scalable to handle our expected growth?
- Does the data used to manage and report our results have integrity?
- Do we understand and know how we must prepare to comply with Sarbanes-Oxley Act requirements?
- Will any unfavorable findings resulting from the audit of the previous three years of financial information have a negative impact on the timing of a public offering?
- If we have international operations, does our internal control framework include the evaluation, mitigation and monitoring of potential corruption schemes involving foreign officials, regardless of monetary value? (Note: See Issue 9, Volume 3, of The Bulletin for issues pertaining to the Foreign Corrupt Practices Act, which have often been overlooked by management of newly public companies.)
Additionally, in this environment, companies must ask themselves if internal resources are best positioned to tackle these issues from a bandwidth perspective, as well as necessary subject-matter expertise. Often, the correct answer lies in seeking the right combination of resources and expertise to augment existing capabilities as the company moves towards a public offering.
Financial Reporting Challenges
Newly public companies must have an audit committee composed of independent directors. We recommend that one be formed prior to going public and that both management and the audit committee understand the key risks to the company’s financial reporting process. These risks may include accounting for transactions with significant estimates or judgments, complex transactions, accounting for and reporting related-party transactions, the risk of management override, inaccurate underlying data and inadequate systems support.
Companies need to work in an anticipatory mode to stay ahead of financial reporting issues so they do not become reputation-threatening after – or during the process of – going public. This is important, as commonly cited causes of financial misstatements of newly public companies include insufficient technical competency, misapplication of financial accounting standards in areas such as revenue recognition and stock-based compensation, and lack of supporting documentation.
We suggest the following preparatory steps:
- Educate executive and unit management on public reporting requirements.
- Establish a disclosure committee to review SEC financial reports.
- Hire competent accounting staff who understand SEC reporting requirements.
- Create processes that aid in the preparation of financial schedules for external auditors in support of audits, filings and related comfort letters.
- Review executive compensation policies and employee benefit plans and related disclosure requirements.
- Determine whether any new functions must be established (e.g., investor relations).
- Commence website development (e.g., for SEC filings, investor relations information, etc.).
- Determine the role and function of the company’s treasury to prepare for proper handling of IPO proceeds.
In addition, formulate a process for documenting conclusions on reporting and accounting matters. This process should:
- Provide background on the current transaction, issue or circumstances (e.g., significant estimates or judgments).
- Identify the key accounting and reporting questions.
- Reference all pertinent accounting standards and guidance (for example, in the United States, using the Financial Accounting Standards Board’s new codification structure for financials prepared under U.S. generally accepted accounting principles).
- Outline facts, historical trends, available data, and details of the transaction or issue.
- Identify acceptable approaches and alternatives for applying the applicable standards and guidance.
- Document management’s analysis and rationale for the selected alternative, applying the appropriate principle or standard.
Experience has shown that the above process best positions management to address questions raised by the SEC staff about the company’s accounting and reporting practices.
Improving the Close Process
Under the SEC’s requirements in the United States, the filing deadlines for annual and quarterly reports vary depending on the size of a company’s public float, or the aggregate worldwide market value of its common equity held by non-affiliates. Regardless of the timing requirements, failure to meet the filing dates may precipitate stock price reductions, securities litigation, loan defaults (if prohibited in loan covenants), suspension of trading or revocation of registration, not to mention reduction in investor confidence.
The APQC (formerly the American Productivity & Quality Center) reports that both public and pre-IPO companies face challenges around unclear responsibilities, as well as a lack of clarity about the close process and company timelines. To provide a rough benchmark, APQC notes that top quartile performers are closing their books within five business days, second quartile performers within eight business days, and third quartile performers within 12 business days.
We suggest the following steps to compress closing process cycle time:
- Determine all key stakeholders in the close process, and assign clear accountability.
- Identify key events along the close cycle, and eliminate unnecessary steps and redundancies.
- Develop a detailed close calendar and task list.
- Establish discipline around executing the close process.
- Measure and monitor close process performance.
Experience provides several important insights around improving the close process: “Tone at the top” is especially vital to reliable financial reporting, and a detailed task list is critical. Recognize that the more manual the activity, the slower the close process will be. In addition, it is essential to set realistic expectations given your resources and capabilities. Also, there is no need to wait until the period ends to begin the close process. And finally, new opportunities for improvement and/or automation must be constantly identified, and the close process should be revised as necessary.
In May 2007, the SEC approved Interpretive Guidance, Management’s Report on Internal Control Over Financial Reporting. The guidance is based upon two broad principles:
(1) focus on whether the internal controls adequately address whether a material error or misstatement would not be prevented or detected on a timely basis, and (2) base the evaluation on assessment of risk, including the risk of control failure. The guidance is useful for newly public companies, as they must file management’s internal control report along with an auditor attestation in their second annual report filed after going public.
The SEC guidance is important, as it is the Commission’s direct communication to management as to what the company must do to comply with Section 404 of the Sarbanes-Oxley Act. Several key points can be drawn from this guidance:
- Internal control deficiencies only matter if they could result in a material weakness (i.e., there is no need to mire the controls evaluation process in minutiae).
- The Section 404 compliance process is top-down, not bottom-up.
- Risk should drive the evaluation of internal control over financial reporting.
- Entity-level controls are critical components of the control structure, not afterthoughts, and should be considered when determining the nature, extent and timing of detailed testing of process-level controls.
- Management is an insider, and the external auditor is not. This difference in personal knowledge can impact the work performed – especially the nature, timing and extent of tests of operating effectiveness of internal controls.
- There is flexibility in the auditor’s use of the work of others who are both competent and objective.
The SEC guidance is important, as management can achieve a form of “safe harbor” by following it. We suggest that companies preparing for an IPO:
- Apply a well-thought-out and repeatable, top-down, risk-based approach. Read and understand the guidance from the SEC. In addition, read the Public Company Accounting Oversight Board’s An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements: Guidance for Auditors of Smaller Public Companies. Engage your external auditor in substantive discussion about key decision points in the compliance process.
- Focus on the number of key controls, which is the primary cost-driver. Use an assessment of risk to narrow the controls down to those that really matter. These are the controls you will evaluate and test.
- Avoid sole reliance on independent tests of controls, which is the high-cost practice. Look at how you manage and monitor your business and give yourself credit for the entityand process-level monitoring controls in place to reduce the extent of reliance on detailed manual testing of process controls.
- Don’t forget to focus on the risk of fraud and management override. It will help you manage the audit process, as the external auditor is expected to focus on these areas.
- Integrate Section 404 compliance and the Section 302 executive certification process to make these two vital Sarbanes-Oxley compliance activities more sustainable. (Note: See Issue 3, Volume 2, of The Bulletin for our views as to how this integration can be achieved.)
Even though Section 404 compliance is not required until the company’s second annual report after going public, keep in mind that Section 302 requires that executive certifications must be filed with all periodic quarterly and annual reports filed after going public. Therefore, it is important to hit the ground running with a reliable financial reporting process.
No newly public company wants to be embarrassed with a restatement of prior-period financial statements. Begin your preparations now.
Pay Attention to IT
For many companies that have gone public, the IT function has grown organically over time in a mostly reactionary manner. In order to scale the IT infrastructure effectively and handle the requirements of going public, most companies need to make significant strides in improving the formalization of their IT strategy and policies. Therefore, companies with IPO aspirations should think through their short- and long-term strategies around the use of technology, including whether to have a centralized or decentralized IT function, the robustness of their IT-related policies and procedures, and availability of IT support personnel.
This assessment should take into account how heavily segments and key functions of the business rely on IT, considering such factors as transaction volume, support of key operating objectives, the criticality of customer-facing systems and processes, information for decision-making (e.g., inventory reordering), and regulatory and compliance implications.
Segregation of duties is also an important factor from an IT perspective, as well as a broader governance perspective. This area is difficult for the typical IPO company to manage, particularly an organization that is growing rapidly and just beginning to formalize sustainable infrastructure. With an emphasis on a lean, one-team mentality – which may have worked when the company was in start-up mode – it is often the case that too many people have sweeping access to IT systems and data. This level of access allows team members to conduct their diverse responsibilities and fill in for each other as needed. However, broad access, particularly when not absolutely required, erodes the confidence of external auditors and others that the company’s records are reliable and free of significant fraud risk.
We suggest companies with IPO plans do the following:
- Perform a study of the segregation of duties and security for their major financial reporting system(s).
- Pull back excess access when it is not absolutely necessary.
- Separate incompatible or sensitive duties when feasible; create simple monitoring mechanisms when high-profile access cannot be readily restricted.
- Pay attention to the IT issues raised by your external auditors.
Establish an Internal Audit Function
New York Stock Exchange (NYSE) regulations require that listed companies maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company’s risk management processes and system of internal controls. According to the NYSE, a company may choose to outsource this function to a third-party service provider other than its independent auditor. For companies going public, compliance with the internal audit rule must be by their listing date on the NYSE.
Although other exchanges do not have a similar requirement, we recommend that the company consider establishing an internal audit capability because it plays a significant role in creating and maintaining an effective internal control structure. Note that the NYSE guidance does not stipulate the minimum requirements of an internal audit function, nor does it establish any specific or detailed parameters for maintain ing an internal audit function on an ongoing basis. This is because the size, budget and structure of internal audit functions depend on many factors.
Most effective internal audit functions are inherently focused through a risk-based assessment that directs appropriately skilled personnel to evaluate an entity’s risk management processes and internal control systems. For information on starting up and staffing an internal audit function, refer to the second edition of Protiviti’s Guide to Internal Audit: Frequently Asked Questions about Developing and Maintaining an Effective Internal Audit Function (available at www.protiviti.com).
While the current market presents unprecedented challenges and difficulties, it also provides opportunities for companies with IPO aspirations to take a step back and revisit their long-term strategic goals against the current environment. A thoughtful readiness assessment and IPO road map will position companies to make sound decisions in order to weather the current tough times, as well as take advantage of opportunities to prepare for the future by focusing on certain aspects of the IPO preparation process. Companies with IPO aspirations are advised to address common financial reporting issues, improve their financial close process, address Sarbanes-Oxley compliance and strengthen their IT infrastructure.
Key Questions to Ask
Key questions for board members:
- Has the board approved the appropriate charters for the audit, nominating and compensation committees? Has the appropriate composition of independent directors serving on the full board and on the nominating, compensation and audit committees been determined? Do the current board members have public company experience? Do any of the current directors qualify as a “financial expert” as defined by Sarbanes-Oxley?
- Do the board and executive management understand the corporate governance requirements of the applicable listing standards? Is the board satisfied that there is a robust internal control environment that supports compliance with applicable regula tory and corporate governance requirements? Is an internal audit function in place?
- Is the board satisfied that management has developed policies and procedures appropriate for a public company, such as insider trading, risk management, legal signing authority and limits,
- HR matters (e.g., harassment, discrimination, etc.), other areas of prohibited conduct and records retention (in accordance with SEC regulations)?
- Does management have a mechanism to enforce and monitor compliance with corporate policies? Is there a business code of conduct and ethics policy?
- Does the board have a good understanding of where the company fits on the spectrum of alternative approaches to accounting and reporting issues? Is the company well-armed with white papers on key issues and ready to withstand external auditor and regulatory scrutiny? Is the company more “conservative” or more “creative” in its approach to accounting and reporting, and does the board agree with that approach?
Key questions for management:
- Does the finance staff have the requisite skills to understand the application of accounting principles and ensure reliable financial reporting? Does the company have sufficient SEC reporting experience within the finance group? Are roles and responsibilities within the finance function clearly articulated? Is the compensation of finance function professionals conducive to objectivity in preparing financial reports?
- Has management identified the owners of the business processes affecting financial reporting and defined their roles and responsibilities? Have data owners been identified within the business, and does the IT function know who they are? Is it clear who decides on investments in IT infrastructure?
- Is management satisfied that there is adequate security and segregation of duties within the company’s systems? Are there sufficient policies around user access, IT security, data and application availability, change management, IT operations and other key areas?
- Does management understand the Sarbanes-Oxley requirements? Has the company’s readiness for Section 302 and Section 404 been assessed? Are appropriate disclosure controls and procedures in place? Has the Section 404 compliance process been designed and documented? Is there a quarterly certification process in place that can be integrated with an annual evaluation of internal control over financial reporting?
- Has management thought about the advisors needed to prepare for the IPO process? Is there an underwriter in place? Is there a legal advisor in place? Is there a suitable audit firm appointed?
- Are there other appropriate advisors (e.g., actuary, reserve engineers, compensation, etc.)?
Public Company Readiness – Preparing for Challenge
If your company is planning a transition from private to public ownership, you will face greater regulatory and reporting challenges than at any time since the passage of the Securities and Exchange Act of 1934. The Sarbanes-Oxley Act, increasing corporate governance demands and new accounting rules have placed a sizable burden on already lean organizations. At Protiviti, we help newly public companies and companies contemplating entering the public equity or debt markets to make informed decisions about their future. Learn more at www.protiviti.com.
The Bulletin (Volume 3, Issue 10)