MGO CPA | Tax, Audit, and Consulting Services

Topic: Sarbanes-Oxley

5 Reasons Your Private Company Should Adopt Public Company Controls

Key Takeaways:

  • Implementing public-company-level internal controls early on can help your private company prepare for a potential IPO or acquisition, ultimately reducing the risk of adverse disclosures and easing your transition.
  • Private companies experiencing fast growth can benefit from stronger controls to prevent fraud and other errors, so that financial data remains reliable no matter how big they scale.
  • If you enhance your internal controls, you can increase your credibility with investors, banks, and other stakeholders — potentially lowering costs and adding financial security.
  • If you are in an industry with public peers or high security standards (like utilities or tech), you might benefit from adopting similar control measures to maintain competitiveness and stakeholder confidence.

~

Often viewed as a “public company problem,” private organizations may want to consider implementing internal controls similar to Sarbanes-Oxley (SOX) Section 404 requirements. The inherent benefits of a strong control environment may be significant to a private company; they enhance accountability throughout the organization, reduce risk of fraud, improve processes and financial reporting, and provide more effective engagement with the board of directors. 

While not always smaller, private organizations often have limited resources in specialty areas, including accounting for income tax. This resource constraint — with the work being performed outside the core accounting team — combined with the complexity of the issues means private companies are ideal candidates for, and can achieve significant benefit from, internal controls enhancements.

Thinking ahead, there are five reasons private companies may want to adopt public-company-level controls:

  1. Initial Public Offering (IPO) — Walk before you run! If the company believes an IPO may be in its future, it’s better to “practice” before the company is required to be SOX compliant. A phased approach to implementation can drive important changes in company culture as it prepares to become a public organization. Recently published reports analyzing IPO activity and first-time internal control over financial reporting (ICFR) assessments reveal that adverse disclosures on internal controls are three times more likely to be made during a first-time assessment. Making a rapid change to SOX compliance without proper planning can place a heavy burden on a newly public company.
  2. Private Equity (PE) Buyer — If it is possible that the company will be sold to a PE buyer, enhanced financial reporting controls can provide the potential buyer with an added layer of security or confidence regarding the company’s financial position. Further, if the PE firm has an exit strategy that involves an IPO, the requirement for strong internal controls may be on the horizon.
  3. Rapid Growth — Private companies that are growing rapidly, either organically or through acquisition, are susceptible to errors and fraud. The sophistication of these organizations often outpaces the skills and capacity of their support functions, including accounting, finance, and tax. Standard processes with preventive and detective controls can mitigate the risk that comes with rapid growth.
  4. Assurance for Private Investors and Banks — Many users other than public shareholders may rely on financial information. The added security and accountability of having controls in place is a benefit to these users because the enhanced credibility may affect the organization’s cost of borrowing.
  5. Peer-Focused Industries — While not all industries are peer-focused, some place significant weight on the leading practices of their peers. Further, some industries require enhanced levels of security and control. For example, utility companies, industries with sensitive customer data (financial or medical), and tech companies that handle customer data often look to their peer groups for leading practices, including their control environment. When the peer group is a mix of public and private companies, a private company can benefit from keeping pace with the leading practices of their public peers.

Private companies are not immune from intense stakeholder scrutiny into accountability and risk. Companies with a clear understanding of the inherent risks that come from negligible accounting practices demonstrate the ability to think beyond the present and to be better prepared for future growth or change in ownership.

How MGO Can Help

We offer a comprehensive approach to internal control implementation, personalized to meet your private company’s unique needs. Our team’s experience in audit, risk management, and advisory can help your business establish robust controls that enhance accountability, reduce fraud risk, and prepare for the future — whether that looks like growth or a public offering.

Whether you are preparing for an IPO, meeting private equity expectations, or merely enhancing your operational efficiency, our team provides the guidance and the tools needed to help you navigate any complexity with confidence. To learn more about how we can assist your business, reach out to us today.

Tech IPOs: Steering Clear of Common Pitfalls on Your Path to Becoming a Public Company

Key Takeaways:

  • For tech founders, taking a company public can provide significant benefits like increased capital, visibility, and liquidity, but the process is complex and comes with risks, such as increased regulatory scrutiny and reduced control.
  • There are several common pitfalls to avoid during the IPO journey, including underestimating timelines, not building a strong financial foundation, and not having the right leadership in place.
  • Tech companies should focus on a few things to facilitate post-IPO success as a public entity: investor relations, internal controls, and cultural shifts. These maintain trust and compliance across the board.

~

For many tech founders, the prestige and promised rewards of taking a company public are strong motivators to pursue an initial public offering (IPO).

But IPOs, however attractive, are extremely complicated and can be overwhelming — especially if you’re not a transaction expert and have never navigated the full process. Without the right information, tech founders are liable to experience delays, derailments, and disappointments on their road to an IPO.

Are you a tech founder looking to IPO for the first time? Read our guide to understand what the IPO process looks like for tech companies like yours — and what pitfalls you’ll need to avoid along the way.

Should You Go Public?

While an IPO can be a great avenue to grow your business, it isn’t the right strategy for every company — or every founder. To make an informed decision, you need to understand the benefits and drawbacks of pursuing an IPO.

Benefits

  • Increased access to capital. An IPO can offer a massive influx of capital, enabling substantial, accelerated growth.
  • Greater visibility. Going public can improve a tech company’s market visibility and credibility, which can in turn improve brand reputation and recognition.
  • Increased liquidity for shareholders. An IPO allows early investors to cash out, while stock options remain an incredibly attractive incentive for many employees, even during times of market volatility. The stock options unlocked by an IPO can be key to attracting and retaining top talent.
  • Access to a market valuation. Being listed on the stock market means the public markets offer a valuation of the tech company, which may be seen as more objective and credible than a privately sourced valuation.

Drawbacks

  • Greater regulatory and compliance requirements. Publicly traded tech companies are subject to more regulatory and compliance requirements than their privately owned counterparts, and the transition to a publicly traded company can cause compliance costs to skyrocket. Public companies also face scrutiny from regulatory bodies like the SEC. Any mistake, like a reporting misstatement, is highly public and can damage the company’s reputation — and stock price.
  • Less control. Public tech companies must answer to shareholders and regulators, impacting how much control a founder will have over their company. Founders also often find they have less control over their finances after going public, as the IPO process can “lock up” their cash.
  • Vulnerability to market volatility. Market conditions and other external factors can cause stock prices to fluctuate, whereas private company valuations are more insulated from such forces.
  • Increased disclosure requirements. Public tech companies have additional disclosure requirements, which means competitors will have access to more information about the company. This dynamic could impact a company’s competitive advantage in the marketplace.

Are You Asking the Right IPO Questions?

Preparing for an IPO means investigating every aspect of your business. Asking the right questions will help you see beyond the obvious to gain an in-depth understanding of how investors will think about your company and how you can set yourself up for success throughout the IPO process.

Ready to get started?

Read This IPO Checklist

Stage 1

IPO Readiness Assessment

A readiness assessment can help you identify gaps or issues that could prevent your organization from successfully operating as a public company. For most tech companies, the readiness assessment will uncover substantial changes required to facilitate a transition to a public company, such as implementing more robust internal controls or developing specialized accounting capabilities in house. BDO recommends clients assess readiness in the following key areas:

  • Accounting & SEC reporting
  • Ta
  • Risk
  • Technology
  • Operations
  • People
  • Financial planning & analysis

Common Pitfalls:

  1. Failure to develop a compelling story. Before a leader even considers pursuing an IPO, they need to create a narrative that gets potential investors excited about the future of the company. They must define success, determine what metrics will be used to track it, and put systems in place to measure and report on progress. These steps are key to securing investor interest and confidence. Common success metrics for tech companies include annual recurring revenue (ARR), customer retention, the Rule of 40, customer acquisition costs, daily active users, and monthly active users.
  2. Overestimating existing resources. Tech companies often fail to understand what resources they already have and what resources they still need to secure. For example, pursuing an IPO requires specialized skills related to investor relations, treasury, income tax, technical accounting, SEC reporting, and internal controls, which most private tech companies don’t have in house. Failing to conduct a proper resource assessment can lead to a delayed IPO filing, as the company will have to make up ground and secure those resources later.
  3. Lack of IPO experience. As they prepare for an IPO, tech founders should prioritize building a leadership team that includes professionals who have experience taking tech companies public. IPO veterans can help guide the rest of the team through the process while identifying and addressing potential issues before they happen.
  4. Relying on private-company experience. Private tech company founders sometimes underestimate the depth and breadth of the requirements that come with going public. They may even make the mistake of believing that a private company approach will be sufficient post IPO. Instead of relying on what they already know, founders must continuously assess their policies, procedures, and governance structures and compare them to public-company requirements to identify and proactively address gaps.
  5. Failure to protect intellectual property (IP). IP is a major asset for many tech companies and can significantly impact their valuations. Before tech leaders take their company public, they must assess their current protections and deploy tactics like developing a strong patent portfolio to ensure their IP is secure.

Stage 2

Roadmap and Program Management

Once you understand your current state, it’s time to develop a roadmap to guide your transformation from a privately held company to a public company. A strong roadmap will require input from numerous people and functions across the company, as well as reasonable estimates around the time and effort required to meet your objectives. Effective program management is critical to developing your roadmap as quickly and efficiently as possible.

Common Pitfalls:

  1. Underestimating timelines. Tech leaders often underestimate the time needed to prepare a company for an IPO, which can take as long as 18-24 months. A successful transformation depends on a realistic and carefully planned timeline. Attempting to rush the process can lead to expensive and public mistakes like financial misstatements.
  2. Missing inputs. A successful IPO process relies on participation from the full organization. Failing to include specific departments or professionals in the roadmap stage can lead to process gaps that later derail progress. For example, failure to include IT in the roadmap stage can lead to errors when it comes time to upgrade or rationalize back-office technology in advance of the IPO filing.
  3. Lack of a change management plan. Poor change management can lead to unnecessary disruption. For example, lack of a change management plan can create employee discontent during the transition, causing the company to lose key talent and disrupting operations at a crucial juncture.

Stage 3

March to IPO

At this stage, your goal is to get ready for the IPO filing, which entails executing your roadmap to prepare your organization to operate as a public company. This is also the point at which you will begin preparing for the IPO filing process itself, including selecting an underwriter, pricing the IPO, and conducting a roadshow.

Common Pitfalls:

  1. Failure to build a strong financial foundation. Tech companies preparing to go public need to review their financial statements to verify they are accurate, audited, and up to date. Many tech leaders opt to review three years of financials, even if regulations allow for fewer, to help bolster investor and regulator confidence. Failure to build a strong financial foundation can delay SEC filings, which may impact filing status and result in expensive fines.
  2. Inadequate pro forma reporting plans. Tech company leaders must vet their post-IPO reporting plans against SEC reporting rules to ensure they will meet all relevant requirements. They must also design a comprehensive reporting process, building in checks and balances to ensure all numbers are accurate.
  3. Misaligning compensation structures. As tech leaders revisit their compensation structures, they must make sure that compensation plans don’t conflict with shareholder interests. For example, option-based compensation for CEOs can encourage excessive risk-taking behavior that may damage customer relationships and firm performance, decreasing shareholder value.
  4. Skipping the trial run. Tech companies should practice operating like a public company before filing for an IPO. This trial run can help uncover hidden or overlooked issues like a lack of uniform controls and reporting policies. Companies that skip the trial run often find themselves surprised by requirements and challenges post IPO, which can take significant time and money to address.

Stage 4

Post-IPO Support

After the IPO has been filed, it’s time for your tech company to start operating as a public company. At this stage, you need to ensure you are delivering on your promises, managing expectations with your new shareholders, and meeting your new reporting requirements as a public company.

Common Pitfalls:

  1. Lack of forecasting capabilities. As private companies transform themselves to prepare for an IPO, they need to adopt strong revenue forecasting capabilities. Unfortunately, newly public tech companies often struggle with revenue forecasting, which can cause investor distrust and reputational damage.
  2. Failure to maintain investor relations. Investor expectations will expand after going public, as shareholders await regular updates on company performance. Failing to build strong relationships with investors through proactive, comprehensive communication can breed mistrust.
  3. Failure to manage the cultural shift. When private tech businesses transition into public companies, a major cultural shift often follows. Failure to manage that shift correctly can lead to employee dissatisfaction and talent retention issues.
  4. Poor internal controls. Once a tech company goes public, it will have to comply with new reporting requirements and regulations, notably Sarbanes-Oxley (SOX). Prior to filing the IPO, the company should have all necessary internal controls in place — without them, the company may experience issues like material misstatements that can negatively impact stock price.

How MGO Can Help

There’s no question that going public is an exciting “next step” in your company’s evolution. With an IPO comes additional opportunities to transform the business, but it can also come with more challenges. MGO’s team is here to support you at every stage, from IPO planning and readiness assessments to execution and post-IPO acquisition services.

With today’s rapidly evolving technology, you want to stay at the forefront of developing products that transform how we work, think, and engage with the world. Reach out to our Technology team today to find out how we can help you achieve your goals.

Written by Hank Galligan and Jim Clayton. Copyright © 2024 BDO USA, P.C. All rights reserved. www.bdo.com

How to Elevate Your Company’s IPE Documentation to Optimize SOX Compliance

By Jonathan Bayeff, CPA & Cesar Reynoso, CPA

Executive Summary:

  • The Sarbanes-Oxley (SOX) Act established stricter financial reporting requirements for public companies, leading to increased scrutiny of Information Produced by the Entity (IPE).
  • IPE carries different levels of risk depending on whether it is system-generated and manually prepared IPE. Strong documentation is key to validating completeness and accuracy of IPE.
  • Best practices for IPE documentation include identifying the source, parameters, and format of reports; validating totals and counts; retaining screenshots; and having knowledgeable reviewers.

~

Passed by Congress in 2002, the Sarbanes-Oxley (SOX) Act revolutionized public company audits by introducing financial reporting requirements aimed at increasing transparency and preventing fraud. Most notably, the SOX Act established the Public Company Accounting Oversight Board (PCAOB), a nonprofit organization that oversees the audits of public companies to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports.  

The PCAOB refines its auditing standards annually and, in recent years, the organization has placed greater scrutiny on the work of external auditors. To keep up with PCAOB compliance, external auditors have imposed more rigorous documentation requirements on companies. As a result, companies have felt pressure to provide more expansive Information Produced by the Entity (IPE).

If external auditors have applied greater scrutiny on your reporting, you may be wondering: What level of documentation is sufficient? How can you improve your documentation to avoid deficiencies and provide greater clarity? In this article, we will discuss: 1) what IPE is, 2) the risks associated with different IPE, and 3) how to document your IPE thoroughly.

What is IPE?

IPE is any information created by a company used as part of audit evidence. Audit evidence may be used to support an underlying internal control or as part of a substantive audit. Although there are documentation and risk severity differences between system-generated and manually prepared IPE, the fundamental questions that need to be addressed are the same:

  1. Is the data complete?  
  1. Is the data accurate?

Risk Levels of Different IPE

Here is an overview of how risk levels vary for different types of information you report to auditors:  

Low Risk

“Out of the box” reports carry the lowest risk. These reports are also referred to as “standard” or “canned” reports. Standard reports have been developed by software companies — such as Oracle NetSuite, QAD, or SAP — as part of their enterprise resource planning (ERP) systems. Typically, the end user (you) and even your IT team cannot modify these reports. Given the constrained editability, greater reliance is placed on these reports.   

Medium Risk

Custom reports are typically driven by the business team and developed in-house by your company’s IT team. When your company’s ERP system does not have a report that would provide sufficient data, the in-house developers create a custom report. The IT team follows their change management process when developing the request report. If the report results do not align with your business team’s expectations, the query is refined, and the process is repeated until it does.  

High Risk   

A manually prepared workbook or an ad-hoc query are inherently the riskiest documentation. A manually prepared workbook may be a debt reconciliation prepared by your staff accountant, or a list of litigations the company is involved in drafted by your legal department. Given that these are manually drafted, the margin of error may be high.  

An ad-hoc query is considered high risk since the report is not subject to IT General Controls (ITGC) testing. The end user may input any parameters to generate the report. Since no control testing is performed by your company, external auditors would need to rely on their own IT team to vet the nonstandard query. 

How to Document IPE? 

Your documentation will vary to a certain degree depending on whether the IPE is manually prepared or system generated. In either case, it is important to be as thorough as possible when documenting your procedures.  

Manual IPE

For a manually prepared workbook, provide thorough documentation about the origins of the data. It is ideal to have someone who is privy to the information review the workbook.  

When the reconciliation is comprised of debt instruments, the reviewer should do the following:   

  1. Match the list of individual debt instruments to the signed agreements.  
  1. Validate the reconciliation and each individual schedule for mathematical accuracy.  
  1. Confirm ending principal balances with creditors (where possible).  

If the list consists of litigations compiled by the legal department, the reviewer should do the following:   

  1. Send confirmations to outside counsel (where possible).  
  1. Obtain a list of commitments and contingency journal entries made to an accrual.    

These additional steps provide greater comfort that the list compiled is complete and accurate.   

System-Generated IPE

For system-generated IPE, there are a handful of questions to keep in mind:   

  1. Have you identified the report or saved search that was used?   
  1. What parameters were used to generate this report?   
  1. In what format is the data exported?   
  1. After you run your report and confirm the parameters are correct, what format should be utilized for your export?  

Exported Data

Most ERP systems allow the exporting of data in the following four formats:   

  1. PDF (portable document format) 
  1. Excel  
  1. CSV (comma-separated values)   
  1. Text file   

One major drawback in an Excel, CSV, and text file is that, by their nature, they are editable upon export. An additional drawback of a text file is that it does not contain formatting. As the volume of data grows, proving out the completeness and accuracy becomes more challenging. For these reasons, a PDF export is typically preferred.  

After the data is exported in one of the four formats, you want to ensure that it agrees back to the system (completeness and accuracy). Here are a few ways to do that:     

  1. Does the exported data have dollar amount totals? If so, agree the total dollar amount to the system.  
  1. Does the exported data have hash totals? An example of a hash total is employee ID numbers which in aggregate have no real value other than providing confirmation that the data is complete and accurate.   
  1. Does the report have a total line count? If totals are not available, line counts may be used. However, it is important to note that while the line count may agree, the data itself could have still been inadvertently manipulated.  

Screenshots of Data

Retaining screenshots is imperative for documentation. A detailed screenshot should include some (if not all) of the following:  

  1. Totals (dollar amounts, hash amounts, etc.)   
  1. Lines count   
  1. Parameters utilized 
  1. Time and date stamp 

The first three items validate the completeness and accuracy of the exported data. The fourth item confirms when the report was run and if it was timely. There are many reports that are point-in-time and may not be recreated at a future date. Knowing the constraints of the reports you use is important. Retaining screenshots cannot be overemphasized, especially for point-in-time reports.   

Certain ERP systems or online portals do not provide a preview of the report prior to the export. This puts a constraint on the validation of completeness and accuracy, as it inhibits screenshots from being taken. In this case, as part of the review, the reviewer should re-run the report and validate that the original report used matches the information in the re-run report.

Strengthen Your SOX Compliance by Implementing Best Practices  

There is no perfect science to IPE documentation. But the end goal is to be as detailed as possible. By simply focusing on the fundamental questions and ensuring that your documentation addresses them, your documentation will inevitably improve.   

Developing best practices for your team is the cornerstone for any successful audit. Ensure you have the right guidance to make it happen. Our Audit and Assurance team can tailor a SOX environment to meet your needs. Contact us today to learn more.