One of the biggest changes and focus areas for a company going public through a traditional initial public offering (IPO), or through a special purpose acquisition company (SPAC), is ensuring accurate financial reporting in compliance with US Securities and Exchange Commission (SEC) regulations and laws that govern public filers.
As a company looking to go public, compliance with these standards must be managed through a strict process supported by internal control over financial reporting (ICFR) to prevent embarrassing corrections or disclosures.
Our article addresses the following:
What Are Internal Control Activities?
Internal control activities are primarily composed of a combination of process, people, and information technology systems. Deficiencies in any of these areas can lead to a disclosed material weakness, before or after you go public, even if that particular area isn’t subject to formal assessment by external auditors.
What Are Common Internal Control Mistakes Leading Up to a Public Exit?
High growth companies tend to work with fewer resources as development and product teams outpace the infrastructure. As a result, they don’t always have:
- Clearly defined processes and controls
- Adequate headcount and segregation of duties
- A full implementation of a robust enterprise resource planning (ERP) system
It’s not uncommon for companies to file an S-1 or S-4 registration statement with a disclosed material weakness. Data presented in Audit Analytics’ September 2020 report on Sarbanes-Oxley Act (SOX) 404 disclosures reveals instances and pervasiveness of negative ICFR disclosure as the result of management’s 404(a) self-assessment.
The report indicates companies face difficulties in their efforts to install adequate financial reporting systems and processes.
This can be traced to a limited headcount—in particular, fewer accounting personnel available to distribute sensitive components of transaction responsibilities.
Once required, it’s important to note the effort, testing, and documentation required by an independent, external auditor’s 404(b) assessment can be far greater than management’s 404(a) self-assessment. The required level of support the independent auditor must archive to support their opinion is subject to strict Public Company Accounting Oversight Board (PCAOB) audit and inspection standards which serve the public investor.
Meanwhile, the documentation and testing required to support management’s assessment remains private within the company. It’s also subject to SEC guidance with an understanding that some of the documentation and supporting evidence can come from management’s daily interaction with controls as opposed to third-party testing and evaluation.
How Do You Define and Maintain Your Internal Controls Process?
To provide a reasonable basis for its assessment of ICFR, management must have documented processes in place to address financial reporting risks.
Once the process has been defined, then it becomes easier for management and the auditor to identify deficiencies in the string of events by comparing the expected control activities to what actually occurred.
The process defines the order in which steps should occur to ensure the objective of accurate financial reporting is met.
What Documentation Should Be Part of the Internal Controls Process?
As part of a well-defined process, management must consider:
- Segregation of duties
- Independent review
- Approval of journal entries
New public companies often lack the level of diligence necessary to ensure all journal entries are independently reviewed and properly supported. Similarly, reconciliations must have established thresholds for following up on variances and resolving reconciling items. If this type of auditable documentation is lacking, it could result in a material weakness.
Stricter Accruals Accounting
One of the most significant risks of misstatement is the reporting of a company’s accruals. Private-to-public companies often need to move to stricter accruals accounting as they transition to the public markets.
A misstatement from bad information reported to accounting is often more common than an error in accounting calculations
What Accounting Cutoff Procedures Should Your Company Include in Its Internal Controls Process?
Your company should have a period-end mechanism where accounting discusses business activities with a broad swath of internal and external stakeholders to ensure activities have been properly recorded. These cutoff procedures include revenue, expenses, shipping, receipts, third-party services, and the number of hours worked.
Too often, private companies won’t complete accruals until year-end. However, public companies should have a hard close for accruals on a monthly- or quarterly-basis. If your company is planning to go public, spend time making sure proper accounting cutoff procedures are in place prior to the transition.
For more information on accounting and reporting considerations during SPAC transitions, please read our article.
Importance of Knowledgeable People and Headcount
Another factor of the control environment is the accounting department’s knowledge base. Management needs to have a good understanding of the business to address certain accounting positions in the proper way. Often these positions require a detailed level of subjective, or judgement-based, knowledge of the business.
For example, at month end, management likely conducts an analysis comparing the budget to actual results to identify variances that aren’t in alignment with their expectations. To research and resolve any follow-up on the root cause of variances will require detailed knowledge of operations and changes in the business before management can accept the justification.
What Are the Potential Effects of an Insufficient Accounting Headcount?
A typical reason for a material weakness at a newly public company would be insufficient accounting headcount. It’s not uncommon for a company to go public with only two to four people in the accounting department. This makes it exceedingly difficult to properly segregate sensitive accounting activities and ensure segregation of duties.
Segregation of duties and staffing insufficiency are typical for many smaller companies subject to 404(a); at least 39% of smaller companies have self-reported ineffective ICFR since 2013.
Regardless of the resources available to a company, the same set of ICFR standards for management exist for all public companies.
According to the SEC, “Management is responsible for maintaining a system of ICFR that provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.”
As part of management’s self-evaluation of ICFR—regardless of industry—management must maintain reasonable support for its assessment.
An integral part of this support is documentation of the design of the controls management has placed in operation to adequately address the financial reporting risks. Any statements announced publicly need to match information included on financial statements.
Insufficient accounting headcount will typically require more senior executives to become heavily involved in the details including leadership from other departments such as human resources or legal.
Due to certain reporting and filing requirements, management will need a savvy accounting leader with technical expertise who understands when to file a SEC report externally and when to document an accounting memo or position paper internally.
How Could Your Company Leverage Consultants?
Fortunately, management can scale resources up or down by leveraging consultants or other third parties to provide additional bandwidth for:
- Resource constraints and technical guidance
- Complex judgements and conclusions
- Leveraging best practices
- Recent ongoing experience
As long as management supervises the consultants, certain resource needs can be effectively met on an as-needed basis.
What ERP System Should a New Public Company Choose?
One of the first major projects for a new public company with cash resources is to upgrade to a more robust ERP system. It’s not uncommon for a company to go public with a tier 2 or tier 3 ERP systems, or even QuickBooks, as opposed to a tier 1 system such as Oracle or SAP.
Tier 3 systems lack the internal control functionality inherently built into higher-tier ERP systems—such as user role management—to enforce:
- Segregation of duties
- Park and post of journal entries
- Integration with various supporting modules or systems
For companies using a tier 3 system, it’s easier for management to override controls or to adjust already-posted entries. Additionally, there are typically few logical controls to enforce segregation of duties.
Diligence for System-Generated Data and Reports
Another factor relevant to information technology (IT) is the diligence the SEC and PCAOB have required when using system-generated data and reports in the performance of a control, or in the generation of a population from which to select a sample and test.
Based on published regulator comments, they have explicitly called out that external auditors have failed to test controls sufficiently over the completeness and accuracy of system-generated data or reports used in the operation of those controls.
To safely rely on a system generated report, your company must ensure that the source of the report has effective information technology general controls (ITGCs). Any parameters entered to run the report, such as report name or date range, must be validated as accurate.
Your company must conduct activities to ensure the report is complete by pulling the data from the system or exporting the data in an editable report. Diligent attention to validating the completeness and accuracy of system-generated reports requires a real-time methodology and constant discipline to ensure the control performer captures and retains the evidence necessary to convince the auditor that the control owner documented its completeness and accuracy.
An auditor could fail an internal control for not validating the underlying report used in the performance of the control, even if the report itself is correct and control attributes were performed without exception.
For more details, please see 5 Key Considerations for Enterprise System Selection.
We’re Here to Help
Companies have proactive opportunities to address control issues as part of the IPO journey to become a compliant, mature SEC filer. Addressing the typical risk areas of processes, people, or systems can help you meet the requirements.
With a little creativity and diligence, you can prevent or timely address a material weakness and improve the overall control environment of your newly public organization.
For more information, please contact your Moss Adams professional.