Skip to content Skip to footer
Search

Loading Results

Getting IPO ready? Build in the right controls from the start

July 02, 2021

Colton Fontenot
Director, Cyber, Risk and Regulatory, PwC US
Michael Giles
Director, Cyber, Risk and Regulatory, PwC US
Robert Ryan
Director, Cyber, Risk and Regulatory, PwC US

A key step is to comply with the Sarbanes-Oxley Act, which takes expertise, careful planning and a shift in mindset.

Key points:

  • Setting up a SOX program takes significant time and resources, but will position the company for future public entity compliance.
  • Moving from a private to public entity includes increased requirements for documentation of internal controls, which can be a culture shift for many organizations.
  • This is a good time to invest in technology that will help automate key compliance activities.

After a record year for initial public offerings (IPOs) in 2020, investors expect the momentum to continue through 2021 as the nation’s economic growth accelerates. While it’s an opportune time to raise capital, companies need to consider the many compliance requirements a public company faces. Going public is a complex process, especially if you’re considering the latest IPO alternatives, like a special purpose acquisition company (SPAC) or a direct listing.

Regardless of the path you choose to list your company on a stock exchange, it’s important to have the right systems and processes in place to operate successfully as a public entity. Critically, this will involve compliance with the Sarbanes-Oxley Act (SOX) — a 2002 law intended to provide transparency and assurance over public filings and financials.

While some companies have merged with a SPAC as a faster route to IPO, this alternative has its challenges. The shell company’s filing history starts the clock ticking and gives executives less time to set up an internal control environment that complies with SOX. Ultimately, it’s not the SPAC but the operating company that will have to comply with SOX and other regulations, and that’s where executives should concentrate when it comes to setting things up properly.

This new regulatory scrutiny, as well as the need to build and maintain customer trust, means that efforts to comply with SOX should start well before a company files to go public. Here are three key actions to consider sooner rather than later.

Disclose material weaknesses before you file to go public

Increasingly, more companies are disclosing material weaknesses in their internal control over financial reporting (ICFR) process. Here you have the opportunity to assess the control environment and disclose any material weaknesses as part of your initial disclosures ahead of a public listing — this goes for both traditional IPOs and those going public through a SPAC merger. Many companies going public may have grown through strategic acquisitions over time, so it’s important to take a close look at internal controls and potential weaknesses — and develop a plan to remediate them.

According to a 2020 PwC report, approximately half of companies going public in 2020 disclosed a material weakness (38% of SPACs), up from 31% in 2017. While companies may have time to prepare for the auditor’s opinion on internal controls (404b), the market expectation is that companies understand their internal controls and potential weaknesses well before going public and that they provide increased transparency to potential investors.

When material weaknesses are disclosed, management is expected to take action to remediate them and to include disclosures on remediation plans. There’s a benefit to early disclosure in an S-1 (or S-4 in the case of a SPAC) — both investors and regulators will expect transparency. Not to mention, public companies are under increased scrutiny from auditors and regulators.

Start early and build a program that is scalable and sustainable

Creating a comprehensive system of controls is a continuing journey, one of the most crucial — and labor intensive — steps to readiness. It’s not something that happens overnight. Companies should start early and scale the internal controls program for future SOX compliance.

Take a close look at your people and make sure they understand the increased expectations on documentation of controls for a public company. It can be a shock for a company to shift from the unregulated culture of a private company to the highly scrutinized atmosphere of a public entity.

Keep in mind that some compliance requirements come quicker than others. Certifications related to quarterly disclosure controls and procedures are due in the first quarterly filing. The time to comply with management’s SOX attestation (404a) and the auditor’s SOX controls opinion (404b) is longer, although there’s increased pressure on SOX readiness with SPACs given that the company inherits the SPAC’s public company filing history.

All this means time is of the essence. Choosing a partner to support SOX readiness can help companies in the short term while also working to develop a long term plan to support sustainable SOX compliance, including identifying the resources and technology needed to deliver.

Adopt different technologies and upskill your people

Having the right technologies and expertise are invaluable. For example, digital tools equipped to do analytics-based risk assessments and deliver insights can be a way to develop a scalable and cost-effective SOX program. Invest in technology that will allow you to automate routine SOX tasks.

Companies that embrace technology early on, and develop a plan for integrating it into the full SOX program, from scoping to testing and reporting, can improve the quality of the program and enable sustainable compliance. Further, innovation and technology can lead to decreased costs of compliance and provide insights into the business, driving additional value from SOX.

SOX compliance may seem like something that can be addressed after your ticker symbol starts trading, but it’s been our experience that the most successful companies start preparing early.

Contact us

Monica Nayar

Monica Nayar

Partner, Cyber, Risk and Regulatory, PwC US

Lauren Massey

Lauren Massey

Principal, Cyber, Risk and Regulatory, PwC US

Colton Fontenot

Colton Fontenot

Director, Cyber, Risk and Regulatory, PwC US

Michael Giles

Michael Giles

Director, Cyber, Risk and Regulatory, PwC US

Robert Ryan

Robert Ryan

Partner, Cyber, Risk and Regulatory, PwC US

Mike Bellin

Mike Bellin

Partner, Consulting Solutions, US IPO Co-leader, PwC US