How to avoid Sarbanes-Oxley compliance surprises
The good news is that you are, or will be, a new public company. The bad news is that you’re a public company.
The recent popularity of SPACs (Special Purpose Acquisition Companies)—according to Grant Thornton research, they raised more than $26 billion in January 2021 alone— has brought well-deserved attention to the many benefits that accompany going public. Unfortunately, far less attention has been paid to the requirements and effort such a transition triggers—too often overlooked and underestimated.
Companies made public via SPAC face risks that companies made public via traditional IPO (Initial Public Offering) are typically more prepared to address. Most commonly, these areas are related to financial close and SEC (Securities & Exchange Commission) reporting, corporate governance, and internal control over financial reporting (ICFR).
Focus on internal control over financial reporting
The biggest shock to many new public companies is the significant ICFR obligations associated with the Sarbanes-Oxley Act of 2002 (SOX). Regardless of your SEC filing status, all public companies are expected to design and operate an effective ICFR environment that is aligned to a suitable framework (e.g., COSO Internal Control – Integrated Framework (2013)). Those controls also need to be tested annually by the company to support financial statement disclosures regarding internal control.
The internal control expectations for modern public companies are substantial. While virtually all private organizations recognize the importance of effective ICFR, many have gaps in control, insufficient control documentation, unmitigated segregation of duties risks, and other challenges they need to quickly overcome. Becoming SOX compliant often necessitates changes to underlying business and information technology (IT) processes and financial applications that companies had not contemplated.
This effort requires specialized skills to design and operate controls, implement corrective actions, and execute the SOX compliance program. According to Alan Demir, Director, Risk Advisory, “Formalizing your internal controls, and establishing a sustainable SOX compliance program can be a huge project. Many companies preparing to go public via SPAC haven’t adequately considered the cost or effort to build the program, the temporary and ongoing resources required, or the strain it will put on their teams.”
While there are grace periods for meeting SOX demands, they are relatively brief given the work required to comply. The clock starts when the SPAC goes public, not when your transaction is completed. And grace periods can be further truncated if certain thresholds (such as annual gross revenues) are reached.
Consider this best-case business scenario, which is a worst-case SOX compliance scenario: A company completes the transaction in year 2 of the SPAC. They were already a large private company with nearly $2 billion in revenue. After the transaction, the stock price has increased substantially and at the end of the first quarter, they have over $1 billion in public float. This combination likely results in the company having an SEC filing status of “Large Accelerated Filer”. However, for SOX compliance, that means in the year the transaction is completed, the company needs to design and operate an effective ICFR as of fiscal year end, and those controls are required to be audited by the financial statement auditor in accordance with SOX 404(b).
Contributing to the ICFR challenge
Successful private companies with long-tenured staff may have more difficulty meeting ICFR requirements, because the lack of turnover means fewer employees with public company experience. Even if your team is very capable, training is often required to increase awareness, understanding and acceptance of internal control expectations. “Successful private companies often have highly tenured staff, with limited turnover, or they're not hiring from public companies,” Demir observed. “Those folks likely won’t have the recent experience necessary to understand or address many of the SOX compliance requirements.”
Does your team know the difference between “process” and “control”?
If you ask a team member to explain a given control and they respond with “I take this report and discuss it with Sally. Then we send it to Dave who…”, you likely have some work to do. They are discussing the process, and may not fully understand the specific risk(s) intended to be mitigated, or the discrete actions that constitute the control.
Because much of this work consists of documentation, documentation, and more documentation, those same well-run companies often have difficulty evidencing the control operated. “A material weakness in internal control is the potential for misstatement; not that one actually occurred,” says Maximilian Geier, Senior Manager, Risk Advisory. “The real pain and frustration for private companies is that you can be doing all the right things, but if you don’t formally execute controls or have adequate documentation to support those activities, deficiencies will be identified.”
Geier continued, “In addition to multiple deficiencies that remain unremediated at fiscal year-end, many newer public companies also have individual or aggregated significant deficiencies or material weaknesses. Remember that material weaknesses are disclosed in your financial statements.”
The consequences of noncompliance
Tangible and costly impacts result from ineffective ICFR, especially if the company has one or more material weaknesses. The likelihood of these negative impacts increases if significant deficiencies or material weaknesses recur each year. They can include, but are not limited, to:
- Increased operational and auditor costs
- Loss of shareholder confidence, negatively impacting stock price
- Fines and penalties
- Delisting from your registered exchange
We’ve never met a Chief Financial Officer who looks forward to explaining a material weakness on an investor call.
SPAC transactions demand quick action, but how quick?
We have helped companies complete this process under very short timelines. However, a 3 - 6+ month process to design and deploy an internal control framework, and test those controls is more typical, and the minimum recommended timeframe.
Your SOX obligations aren’t waiting—you shouldn’t, either
Even if you are just starting to think about a transaction, these actions will allow you to move forward with confidence:
- Leverage your external auditor. If your external auditor is registered with the Public Company Accounting Oversight Board (PCAOB), they should know what’s expected. Ask for relevant education and their perspectives on your control environment.
- Learn about SOX…fast. The Sarbanes-Oxley act of 2002 consists of 11 titles and 65 sections. For internal controls, pay attention to Sections 302, 404 and 906. Follow that up with learning about the PCAOB and Auditing Standard (AS) 2201: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements. While the standard is written for auditors, it’s good to know the test questions you’ll be expected to pass!
- Know who’s on your team and educate them. Too often companies think SOX compliance resides within the Accounting department only. SOX compliance extends deep into the organization, from Sales, to Payroll, to IT and beyond. Start thinking about your team as anyone who could be a process or control owner that would be in-scope for SOX compliance. This includes service providers that support those business and IT processes, and relevant financial applications.
The keys to success
- Leverage a methodical, proven process. SOX compliance has been around for nearly 20 years. There are successful approaches that have helped many organizations establish and operate a practical SOX compliance program. Do your homework, and don’t recreate the wheel. Consider a knowledgeable service provider that brings methodology, enablers, training, and experience with your external auditor to help jumpstart your activities, and put you on a straight path to compliance.
- Create an informed plan. There’s a lot of work to be done in a very short time, even for companies that have good controls. Build a realistic plan that works backwards from your compliance deadlines. Make sure it includes time to remediate control gaps, and incorporates internal and external resourcing needs to achieve the plan.
- Document, document, document. You need to document every one of your relevant entity level, business and IT processes and key controls — from your Code of Conduct, to how you process accounts receivable, to how you administer access to your financial applications. All of that has to be captured in gory detail, including the risks to financial statement misstatement, and control procedures that mitigate those risks.
Documentation commonly takes the form of process narratives, flow charts, and risk and control matrices (RACM). Producing those documents demands an exhaustive, expertly applied process that’s responsive to your external auditor’s expectations. This important exercise will allow you to identify potential gaps in control design or documentation, and quickly develop an improvement plan to enhance controls.
- Tackle control gaps head on. There’s no point in making excuses, complaining, or trying to explain why a missing control is ok. Acknowledge the gap, create a plan to fix it, and execute.
- Communicate with your external auditor. At some point in the future, your auditor will need to opine on your ICFR. Discuss your plan with them, request feedback on your process and control documentation, and understand their audit expectations. Building that into the program upfront will save you lots of heartburn later.
- Test your controls before your external auditor does. While a control may sound great in a meeting and look good in a flow chart, it may not be consistently performed. This can be for a number of reasons (performed by multiple people, only applied to a subset of transactions, etc.) Once you feel good about the design of the control and adequacy of control evidence, test that control over a period of time to ensure it is being consistently executed.
Going public via a SPAC is a great leap forward for companies. With proper planning, it doesn’t have to be a leap into a thicket of regulatory demands. Even if you don’t go public, internal controls are good for your business. They have been proven to reduce risk and improve business performance. Take advantage of the opportunity to formalize and advance your internal controls where appropriate.
Maximilian Geier, CPA
Max is a Partner in Grant Thornton’s southern California Advisory practice with over 13 years of professional management consulting experience focused on IPO readiness, internal audit, Sarbanes-Oxley, business process transformation, IT audit, and regulatory compliance.
Los Angeles, CA
Our featured risk, compliance and controls insights
No Results Found. Please search again using different keywords and/or filters.