US SOX: Be SOX ready for your IPO - what to do before the IPO date
February 18, 2021
With the US IPO market heating up, it’s worth flagging the importance of a SOX programme implementation. The US stock exchange listing process is complex - so this is a topic to plan well in advance of the IPO.
Over a series of blogs, I will share my approach to a SOX programme implementation. This will cover from before the date of IPO, to the date of management’s first SOX effectiveness certification as well as the auditor’s first SOX effectiveness opinion.
Let’s start with what is important to consider in preparation of the IPO when it comes to SOX. In the IPO filing, management should disclose to stakeholders the material weakness(es) identified. If there is no comprehensive list of procedures to perform, here are the five steps I recommend:
- Step1 : Scoping. Management should determine which components, business processes and IT systems need to be included in the SOX programme using qualitative and quantitative factors. For the latter, management should discuss materiality with auditors, as it is likely that they will use a lower materiality for the audit of listed companies compared to the audit of a private company.
- Step 2 - Identify the risks. SOX is all about a top down risk-based approach. For all business processes, IT systems and entity level controls in scope, you should identify the ‘what could go wrong’ using professional judgment, knowledge of your company and business. There are plenty of risk libraries available on the market to help you with this step.
- Step 3 - Assess the current control design. You should identify the control activities in place by inquiring with the control operator and corroborate this information by testing one evidence of the control activities being performed. For most private companies, this is the step where control deficiencies are quickly identified. But don't worry. I expect management to find plenty of gaps related to lack of documentation or to ineffective IT general controls. In fact, disclosing a material weakness related to IT general controls is one of the two most common material weaknesses disclosed in an initial IPO filing.
- Step 4: Aggregate the control deficiencies. With all control deficiencies identified, you should aggregate them by topic, location or internal control COSO component. Remember that identifying the ‘why of the why' will help you assess the material weakness(es) to be disclosed. This comprehensive list of control deficiencies will give you a plan for another step of your SOX journey, the remediation; and
- Step 5: Disclose the material weakness(es). Work closely with your lawyers and auditors to present the conclusion of steps one to four and to agree on a wording to be included in your IPO filing.
Management often ask me the key success factors of this first SOX programme implementation step and I see three main ones:
- A good PMO and governance process in key.
- Keep your lawyers and auditors involved from the start.
- Do not underestimate the importance of the human factor. Explain to everyone involved from the Audit Committee to the control operator what the process means for the company and for them.
Keep looking out for the next part of the series which will focus on what should be considered from the IPO date to the filing of the first annual report.