3 Internal Control Considerations for the IPO Journey of Life Science Companies

One of the biggest changes and focus areas for a company undergoing an initial public offering (IPO), or a newly public company, is ensuring accurate financial reporting in compliance with US Securities and Exchange Commission (SEC) regulations and laws that govern public filers. Compliance with these standards is managed through a set of robust internal controls and your company’s program of internal control over financial reporting (ICFR).

Smaller companies work with fewer resources as a function of a smaller market capitalization and less cash flow. As a result, they haven’t always been able to have:

  • Clearly defined processes and segregation of duties
  • Adequate headcount
  • A full implementation of a robust ERP system

Internal control activities are primarily composed of a combination of process, people, and information technology systems. Deficiencies in any of these areas can lead to a material weakness even if that particular area isn’t subject to rigorous assessment by external auditors.

Common Mistakes

It’s not uncommon for newly public life sciences companies to file an S-1 document or their first 10-K with a disclosed material weakness. Data presented in Audit Analytics’ September 2019 report on Sarbanes-Oxley Act (SOX) 404 disclosures presents instances and pervasiveness of negative ICFR disclosure as the result of management’s 404(a) self-assessment.

The report revealed the most common, ongoing internal controls issues that led to ineffective ICFR concerned the competency and training of accounting personnel and a lack of segregation of duties.

This can be traced to a limited headcount typical across pre-commercial life sciences companies, in particular, fewer accounting personnel available to distribute sensitive components of transaction responsibilities.

It’s important to note the effort, testing, and documentation required by an independent, external auditor’s 404(b) assessment can be far greater than management’s 404(a) self-assessment. The required level of support the independent auditor must archive to support their opinion is subject to strict Public Company Accounting Oversight Board (PCAOB) audit and inspection standards which serve the public investor. Meanwhile, the documentation and testing required to support management’s assessment remains private within the company. It’s also subject to SEC guidance with an understanding that some of the documentation and supporting evidence comes from management’s daily interaction with the controls as opposed to a third-party rigorously looking inward.

Define and Maintain Your Process

To provide a reasonable basis for its assessment of ICFR, management must have documented processes in place to address ICFR risks.

Once the process has been defined, then it becomes easier for management and the auditor to identify deficiencies in the string of events by comparing the expected control activities to what actually occurred.

The process defines the order in which steps should occur to ensure the objective of accurate financial reporting is met. Management should define the process before identifying potential pitfalls, so they can identify anomalies or exceptions.

Proper Documentation

As part of a well-defined process, management must consider:

  • Segregation of duties
  • Independent review
  • Approval of journal entries
  • Reconciliations

New public companies often lack the level of diligence necessary to ensure all journal entries are independently reviewed and properly supported. Similarly, reconciliations must have established thresholds for following up on variances and resolving reconciling items. If this type of auditable documentation is lacking, it could result in a material weakness.

Clinical Research Expense Accrual

One of the most significant risks of misstatement for a life sciences company is the reporting of their clinical research expense accrual. Booking the financial elements of the project status based only on a third-party invoice or statement that’s incorrect could result in a material weakness. It’s crucial to reflect the correct status and completion progress of various research and clinical activities.

The key activity in establishing a clinical research expense accrual process is to validate the actual percentage complete and incurred through:

  • Contract and contract addendum review
  • Robust discussions of actual progress between the company’s clinical operations personnel and the third parties involved in facilitating the clinical activities

A misstatement from bad information reported to accounting are often more common than an accounting error in accounting calculations.

Your company should have a period-end mechanism where operations discusses the project status with a broad swath of internal and external stakeholders to ensure that this activity has been properly recorded.

Importance of Knowledgeable People and Headcount

Another factor of the control environment is the accounting department’s knowledge base. Management needs to have a good understanding of the business to address certain accounting positions in the proper way. Often these positions require a detailed level of subjective, or judgement-based, knowledge of the business.

For example, at month end, management likely conducts an analysis comparing the budget to actual results to identify variances that aren’t in alignment with their expectations. To research and resolve any follow-up on the root cause of variances will require detailed knowledge of operations and changes in the business before management can accept the justification. Variances could occur due to change in headcount, delays in clinical studies, or activities that may affect accounting treatment such as a drug’s Food and Drug Administration (FDA) approval.

Insufficient Accounting Headcount

Segregation of duties and staffing insufficiency are typical for many smaller companies subject to 404(a); at least 39% of smaller companies have self-reported ineffective ICFR since 2013.

The life sciences sector has far less headcount overall with the largest allocation going toward research and development (R&D) as opposed to accounting and finance. Regardless of the resources available to a company, the same set of ICFR standards for management exist for all public companies.

A typical reason for a material weakness at a newly public life sciences company would be insufficient accounting headcount. It’s not uncommon for a biotechnology company to go public with only two to four people in the accounting department. This makes it exceedingly difficult to properly segregate sensitive accounting activities and ensure segregation of duties.

According to the SEC, “Management is responsible for maintaining a system of [ICFR] that provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.”

As part of management’s self-evaluation of ICFR—regardless of industry—management must maintain reasonable support for its assessment.

Documentation

An integral part of this support is documentation of the design of the controls management has placed in operation to adequately address the financial reporting risks. However, a life sciences company must also be wary about documentation that might conflict with or affect change management for the FDA required current Good Practice (CGxP) documentation.

Leadership Involvement

Insufficient accounting headcount will typically require more senior executives to become heavily involved in the details including leadership from other departments such as human resources or legal.

Due to certain reporting and filing requirements, management will need a savvy accounting leader with technical expertise who understands when to file a SEC report externally and when to document an accounting memo or position paper internally.

Leveraging Consultants

Fortunately, management can scale resources up or down by leveraging consultants or other third-parties to provide additional bandwidth for:

  • Resource constraints and technical guidance
  • Complex judgements and conclusions
  • Leveraging best practices
  • Recent ongoing experience

As long as management supervises the consultants, certain resource needs can be effectively met on an as-needed basis.

Importance of ERP Systems

One of the first major projects for new-found IPO cash resources is to upgrade to a more robust ERP system. It’s not uncommon for a life sciences company to go public with a tier 2 or tier 3 enterprise resource planning (ERP) systems, or even QuickBooks, as opposed to a tier 1 system such as Oracle or SAP.

Tier 3 systems lack the internal control functionality inherently built into higher-tier ERP systems—such as user role management—to enforce:

  • Segregation of duties
  • Park and post of journal entries
  • Integration with various supporting modules or systems

For companies using a tier 3 system, it’s easier for management to override controls or to adjust already-posted entries. Additionally, there are typically few logical controls to enforce segregation of duties.

Diligence for System-Generated Data and Reports

Another factor relevant to Information Technology (IT) is the diligence SEC and PCAOB have required when using system-generated data and reports in the performance of a control, or in the generation of a population from which to select a sample and test the control.

Based on published regulator comments, they have explicitly called out that external auditors have failed to test controls sufficiently over the completeness and accuracy of system-generated data or reports used in the operation of those controls.

Safety Measures

To safely rely on a system generated report, your company must ensure that the source of the report has effective information technology general controls (ITGCs). Any parameters entered to run the report, such as report name or date range, must be validated as accurate.

Your company must conduct activities to ensure the report is complete by pulling the data from the system or exporting the data in an editable report. Diligent attention to validating the completeness and accuracy of system-generated reports requires a real-time methodology and constant discipline to ensure the control performer captures and retains the evidence necessary to convince the auditor that the control owner documented its completeness and accuracy.

An auditor could fail an internal control for not validating the underlying report used in the performance of the control, even if the report itself is correct and control attributes were performed without exception. 

For more details, please see 5 Key Considerations for Enterprise System Selection.

We’re Here to Help

Life sciences companies have proactive opportunities to address control issues as part of the IPO journey to become a compliant, mature SEC filer. Addressing the typical risk areas of processes, people, or systems can help you meet the requirements.

With a little creativity and diligence, you can prevent or timely address a material weakness and improve the overall control environment of your newly public organization.

For more information, please contact your Moss Adams professional.