US SOX: What to do during the “SOX Lite” period
May 11, 2021
You made it! Your IPO is a success. But what does “IPO day+1” mean for your SOX programme?
US listing rules are complex. Though if I simplify them for this blog (and assuming you meet the relevant criteria), a newly public company only becomes “Full SOX” after management files the first annual report. This exemption period is often called “SOX Lite”, and could look like:
- A calendar year-end company completes an IPO in June 2021;
- The “SOX Lite” period lasts from June to December 2021; and
- The “Full SOX” period will start on 1 January 2022.
During the “SOX Lite” period, there are still requirements of management as part of the first annual report, including the CFO and CEO signing the important Section 302 certification. In a previous blog, I talked about the steps that you should take to get ready from a SOX point of view. Based on my experience of helping US-listed companies in their SOX journey, below are the practical steps you should take as part of the “SOX Lite” period.
- Step 1: Refine control design and documentation. In my experience, companies don’t have perfectly designed and documented controls at IPO date. You should use your “SOX Lite” period to improve the documentation of your controls. I suggest you discuss what your external auditors’ expectations are in terms of documentation. Risk and control matrices, flowcharts and narratives are very common documentation to prepare, but each situation is different and it’s important for all stakeholders to be on the same page.
- Step 2: Complete limited or full operating effectiveness testing. To get more comfort on the completeness of control deficiencies to remediate before “Full SOX”, I often see companies perform limited or full operating effectiveness testing during the “SOX Lite” period. This helps management avoid last-minute surprises from both management testing and external auditors’ perspectives.
- Step 3: Ongoing efficiency remediation including identification, and tracking of deficiencies. As part of your pre-IPO SOX readiness process, you identified control deficiencies. Some of them may have been aggregated into material weakness(es) and disclosed in your IPO filing. It’s important for you to start the remediation process as soon as possible. Good governance around this process is critical for your success: remember to prioritise which control deficiencies should be remediated first considering risk, capacity and capabilities.
- Step 4: Management Section 302 certification without SOX certification. As mentioned above, for newly public companies that are not yet subject to “Full SOX”, the SEC allows the wording of the Section 302 certification to be modified and you can delete the bullet point related to internal control over financial reporting. You should familiarise your CFO and CEO with the wording of this certification and explain the process you have in place so they’re comfortable with signing the document.
In my experience, some of the key success factors for the “SOX Lite” period include:
- US listing rules can be complex and this blog oversimplifies them. You should consult with your SOX implementation partner to ensure you understand the timing of your SOX journey. Depending on whether you meet some criteria and thresholds, you could be exempt from “Full SOX” for several years; and
- Continue to involve your external auditors, because they’ll now have to perform an audit in accordance with the PCAOB auditing standards.