SOX preparation for pre-IPO
2021 was a record-breaking year for IPOs. More than one thousand businesses completed the process to offer shares publicly and raise capital from public investors. But once your company "goes public," it must comply with the Sarbanes-Oxley Act of 2002 (SOX), and the groundwork has to be laid well before the listing.
Financial reporting accuracy and timeliness heavily depend on a well-controlled IT environment. In this guide, we hope to equip you with the information you need to prepare successfully.
- Key SOX Provisions for companies considering an IPO
- Pre-IPO Preparedness Checklist
- SOX Compliance Requirements
- How can SafePaaS help address pre-IPO needs
Key SOX provisions for companies considering an IPO
For pre-IPO companies, preparing for SOX compliance can seem daunting, and there are many opportunities for error that carry steep penalties for failure to comply. Newly public companies get a phase-in period (management's first Section 404 assessment is due with the second annual report after the IPO, while Section 302 certifications start with the first periodic report), and the following steps can help make the path to compliance less painful.
Make sure you have a clear timeline of the procedures and reports that must be in place. It is wise to create a short-term plan for the current year and a longer-term plan for the lead-up to being fully compliant.
Upgrade Financial Reporting Systems
Before starting the process of becoming a public company, you need a system capable of providing accurate, timely financial information. Identifying the proper measures and monitoring them closely can also improve financial results, because it forces the company to focus on the factors that drive the business.
Another reason to consider upgrading your financial reporting systems is that SOX adds several requirements, including disclosure controls and procedures. Internal control over financial reporting (ICFR) is designed to provide reasonable assurance that the company's financial statements are accurate and free of material misstatement.
Choose a Framework
Various non-profit industry groups have developed frameworks to help companies strengthen their internal controls and prepare for SOX compliance.
COSO - the Committee of Sponsoring Organizations of the Treadway Commission created the Internal Control - Integrated Framework, the framework most SEC registrants use to guide the design and assessment of their controls.
COBIT - developed by ISACA, an industry group focused on IT governance. COBIT helps you map IT processes to control objectives and bring them into compliance.
ITGI - the IT Governance Institute's guidance (IT Control Objectives for Sarbanes-Oxley) draws on COSO and COBIT but focuses on the IT and security-related aspects of internal control.
A company headed towards an IPO should conduct a thorough compliance risk assessment. A risk assessment helps the organization catalog and prioritize the full spectrum of its compliance risks and gauge its resource allocations, and it identifies the areas where the company is most exposed. Testing effort then concentrates on the internal controls whose failure carries the greatest risk of a material misstatement.
The assessment should cover the entire company, especially if it has subsidiaries or branches operating on different software and processes. The whole company must comply, so every operation must be assessed and audited. However, a subsidiary or branch that is too small to have a material effect on the financial statements can be scoped out on materiality grounds.
Document your processes
Controls must be thoroughly documented to pass your audit with minimum cost and stress. The flow of information and the lines of authority are especially crucial. Procedures intended to prevent or detect errors and fraud should also be well documented.
Your data is only as secure as your weakest system. Failure to follow industry standards for data security can harm your company's brand if IT controls fail to protect sensitive data. A common best practice is a "least privilege" access policy, under which users have access only to the data and functions they need to do their job. This policy helps guard the company against insider threats and limits the damage from a compromised account.
You should also evaluate any vendors who have access to your systems. A vendor that has suffered a breach can compromise the security or integrity of your data, and your company remains accountable if fraud or a breach occurs at a vendor.
Test your Controls
An evaluation of controls should be performed against an internal control framework, such as those mentioned above, which helps organizations design and implement controls that hold up as business and operating conditions change. Additional policies and procedures may take time to create and implement, so assess in advance or expect hold-ups.
During the testing phase, you will likely encounter processes or controls that did not perform as expected. This is one reason testing is so essential in the IPO process: it allows you to find the weak spots and take corrective action. If you uncover a material weakness, meaning a deficiency that creates a reasonable possibility of a material misstatement, it must be disclosed in management's report on internal control in the annual report (Form 10-K).
Pre-IPO Preparedness checklist
Many resources are available for companies preparing for an IPO. One area of the process that can be difficult to navigate is how to implement compliance properly. Building your compliance infrastructure before going public is critical, given the costs of compliance failures and reputational and financial harm.
SOX requires all qualifying SEC-registered organizations to document, evaluate, monitor, and report on internal control over financial reporting and disclosure controls and procedures, which include IT controls.
The first step in this process is to assess the overall strength of IT controls in the organization by considering the following questions:
- Does the SOX steering committee understand the risks inherent in IT systems and their impact on compliance with Section 404 - Management Assessment of Internal Controls?
- Does IT management understand the financial reporting process, and its supporting systems?
- Does the CIO fully understand the types of IT controls necessary to support reliable financial processing?
- Are policies governing security, availability, and processing integrity established, documented, and communicated to all members of the IT organization?
- Are the IT department's roles and responsibilities related to Section 404 documented and understood by all department members?
- Do members of the IT department understand their roles, do they possess the requisite skills to perform their job responsibilities relating to internal control, and are they supported with appropriate skill development?
- Is the IT department's risk assessment process integrated with the company's overall risk assessment process for financial reporting?
- Does the IT department document, evaluate and remediate IT controls related to financial reporting annually?
- Does the IT department have a formal process to identify and respond to IT control deficiencies?
- Is the effectiveness of IT controls monitored and followed up regularly?
SOX compliance requirements
SOX aims to enhance corporate governance through measures that strengthen internal checks and balances and corporate accountability. It is essential to emphasize that Section 404 requires companies not merely to establish and maintain an adequate internal control structure, but to assess its effectiveness annually and, where Section 404(b) applies, to obtain the external auditor's attestation on that assessment.
For organizations that have begun the compliance process, it quickly becomes apparent that information technology plays a vital role in internal control by supporting the systems, data, and infrastructure components critical to the financial reporting process. The Public Company Accounting Oversight Board (PCAOB) considers IT controls important enough that its auditing standard on audits of internal control (AS 2201, formerly Auditing Standard No. 5) addresses the role of information technology directly. In particular, it states:
"The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."
Public companies must comply with the following SOX requirements:
- Provide periodic financial statements that are subject to external audit
- Provide an annual management assessment of internal control over financial reporting, attested to by the independent auditor where Section 404(b) applies
- Report material changes in financial condition or operations to the public promptly
- Have effective internal controls in place (both financial and IT) to prevent and detect fraud and to ensure the integrity of the company's financial data
Public companies demonstrate compliance with SOX requirements by providing the SEC and investors with the following information:
1. Financial Reporting
Companies must provide routine financial reports that are audited by an independent registered public accounting firm. To protect auditor independence, Section 201 of SOX prohibits the audit firm from providing certain non-audit services to the companies it audits, such as bookkeeping, financial information systems design and implementation, and internal audit outsourcing; other non-audit services, including tax services, require audit committee pre-approval.
All financial statements from public companies must comply with GAAP (Generally Accepted Accounting Principles). Financial statements must fairly present the company's financial condition, and the CEO and CFO must each certify that, to the best of their knowledge, the report contains no untrue statement of a material fact and omits no material fact needed to make the statements not misleading.
2. Internal Controls
Section 404 of SOX requires organizations to implement internal controls to ensure accurate financial reporting. These controls, sometimes called 404 controls, are the policies, procedures, and system configurations that prevent and detect errors in the financial reporting process. Internal controls either stop a problem before it enters the process (preventive) or surface it afterwards (detective), so that the organization achieves its reporting objectives.
SOX does not provide a list of specific controls. Instead, each company must define controls that meet the regulator's objectives. Common examples include:
- Segregation of duties
- Access control
- Data backup systems, and
- change management
Internal control report
SOX requires organizations to file a report demonstrating that the company's management remains responsible for the internal control structure applied to financial records.
All significant deficiencies and material weaknesses must be disclosed promptly to the external auditors and the audit committee to ensure transparency. Sections 302 and 404 are relevant to this aspect of SOX:
- Section 302: the CEO and CFO personally certify each quarterly and annual report and are responsible for establishing, maintaining, and evaluating disclosure controls and internal control over financial reporting
- Section 404: management must assess and report on the effectiveness of internal control over financial reporting annually, with an auditor's attestation where Section 404(b) applies
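Segregation of duties and access control, listed above, are the 404 controls an IT auditor will test first, and both have a preventive and a detective form. The following is an added example, not SafePaaS code or code from this page, that shows the logic in the simplest useful form: a detective scan that finds users whose combined roles let them perform two conflicting functions, and a preventive check that refuses a role grant that would introduce such a conflict. The role names, function names, SoD rules and user assignments are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) checks over a constructed role model.

Added example, not SafePaaS code. ROLE_FUNCTIONS, SOD_RULES and USER_ROLES
are constructed assumptions; a real scan would pull them from the ERP.
"""

# Each role grants a set of application functions (constructed mapping).
ROLE_FUNCTIONS = {
    "AP_CLERK":      {"create_supplier", "enter_invoice"},
    "AP_MANAGER":    {"approve_invoice", "release_payment"},
    "GL_ACCOUNTANT": {"post_journal"},
    "GL_SUPERVISOR": {"approve_journal"},
    "READ_ONLY":     {"view_reports"},
}

# SoD rules: pairs of functions one person must not hold together, with a
# severity used to prioritise remediation (constructed).
SOD_RULES = [
    ("create_supplier", "release_payment", "high"),   # fictitious-vendor fraud
    ("enter_invoice",   "approve_invoice", "high"),   # self-approved invoices
    ("post_journal",    "approve_journal", "medium"), # self-approved journals
]

# Constructed user-to-role assignments as exported from an ERP.
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_MANAGER"},   # can create a supplier and pay it
    "bob":   {"GL_ACCOUNTANT"},
    "carol": {"GL_SUPERVISOR", "READ_ONLY"},
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of functions granted by a user's roles; unknown roles grant nothing."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def sod_violations(user_roles, rules=SOD_RULES, role_functions=ROLE_FUNCTIONS):
    """Detective control: return (user, function_a, function_b, severity) conflicts.

    The check is on the user's *effective* functions, so a conflict spread
    across two roles (the case a per-role review misses) is still caught.
    """
    findings = []
    for user, roles in sorted(user_roles.items()):
        funcs = effective_functions(roles, role_functions)
        for a, b, severity in rules:
            if a in funcs and b in funcs:
                findings.append((user, a, b, severity))
    return findings


def can_assign(user, new_role, user_roles, rules=SOD_RULES, role_functions=ROLE_FUNCTIONS):
    """Preventive control: simulate the grant and refuse it if it adds a conflict.

    Returns (allowed, new_conflicts). Existing conflicts are not counted again,
    so the provisioning workflow can route only the *new* exposure to the
    process owner. The caller's user_roles mapping is never mutated.
    """
    current = set(user_roles.get(user, set()))
    before = set(sod_violations({user: current}, rules, role_functions))
    after = set(sod_violations({user: current | {new_role}}, rules, role_functions))
    new_conflicts = sorted(after - before)
    return (not new_conflicts, new_conflicts)


if __name__ == "__main__":
    for user, a, b, severity in sod_violations(USER_ROLES):
        print(f"[{severity}] {user}: holds both {a} and {b}")
    allowed, conflicts = can_assign("bob", "GL_SUPERVISOR", USER_ROLES)
    print("grant GL_SUPERVISOR to bob:", "allowed" if allowed else f"refused {conflicts}")
```

Running the block reports alice's two high-severity conflicts (the AP_CLERK and AP_MANAGER roles are individually fine; it is the combination that violates the rules) and refuses to add GL_SUPERVISOR to bob, who would then both post and approve journals. The detective output is the evidence set an auditor samples from; the preventive check is what keeps that set from growing between reviews.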
3. Data security policies
SOX requires companies to create and uphold a data security policy that protects the storage and use of financial data. SOX requires organizations to enforce this policy consistently and to communicate it with employees.
4. Real-time issuer disclosures
Section 409 requires issuers to disclose to the public, on a rapid and current basis, material changes in their financial condition or operations, presented in plain English and supported by trend and qualitative information and graphic presentations where appropriate. In short, if an event leads to a significant change in financial condition or operations, the company must tell shareholders and stakeholders promptly rather than waiting for the next periodic report.
5. Criminal penalties
SOX makes the signing executives, usually the CEO and CFO, personally and individually responsible for their certifications. Under Section 906, knowingly certifying a report that does not comply carries a fine of up to $1 million and up to 10 years in prison; doing so willfully raises the penalty to a fine of up to $5 million and up to 20 years in prison.
6. Internal audit priorities
Internal audit and controls testing is typically the largest, most complex, and most time-consuming part of compliance, because the scope of internal control extends to every IT asset on which financial data resides: servers, endpoints, applications, databases, and the network and identity infrastructure around them.
An IT controls audit focuses on four areas:
- Access: how the company provisions and restricts access so that only the right people can reach sensitive financial data, and how that access is reviewed.
- Backup and recovery: how the company backs up data and critical systems to minimize disruption and data loss in a disaster, and whether restores are tested.
- Change management: how the company manages changes to the IT environment, including new software, new infrastructure, software updates, and configuration changes. Changes must be authorized, tested, recorded in an audit trail, and monitored.
- Security: how the company identifies sensitive data, protects it, monitors access to it, and detects security incidents. When an incident occurs, the company must take corrective action promptly and effectively.
How SafePaaS can help
With SafePaaS, you can detect potential policy violations and sensitive access risks for all users and identities. Policy Manager provides fine-grained analysis of all users and identities across all your ERP environments and applications. With built-in remediation, the world's leading organizations use Policy Manager to identify and prevent risk in any application in a way that meets audit requirements.
How can SafePaaS address your pre-IPO needs
ARCPaaS™ allows pre-IPO companies to establish a unified platform to efficiently manage enterprise-wide Governance, Risk, and Compliance (GRC) processes. Executives, Business Process Owners, Internal Control Managers, and Auditors can improve their productivity by collaborating on key GRC tasks such as risk assessment, control activities, independent audit, remediation, and management certification. ARCPaaS™ provides a role-based dashboard to ensure that management can make timely and accurate decisions based on complete insight to mitigate risk proactively.
Proactive Enterprise Risk Management (ERM)
Establish an ERM framework, and monitor enterprise risk and KRIs (key risk indicators) to reduce the frequency and severity of loss events. Take action in real time to perform root-cause analysis with ad-hoc reports, reduce inconsistencies in procedures, and make better decisions by adding context to data from multiple sources.
Audit Analytics and compliance monitoring with Interactive dashboards and Reports
Use interactive dashboards for real-time corrective action modeling and allow business managers to explore risk exposure ad hoc. You can easily access audit dashboards remotely over a smartphone or mobile device.
ARCPaaS™ monitors risk and controls in all major ERP systems, including SAP, Oracle E-Business Suite, Oracle ERP Cloud, PeopleSoft, and JD Edwards, to improve testing effectiveness and findings across the enterprise in a single integrated solution. Our DataProbe™ technology collects audit samples from ERP systems and stores control evidence.
Enterprise Risk Management
- Implement risk assessment processes to meet your organization's objectives. Maintain your Risk Library with processes, risks, and controls.
- Manage enterprise risk ratings, such as impact and likelihood, that best describe your approach to risk evaluation.
- Manage control design based on the contextual framework to measure risk factors before controls (inherent), after controls (residual), or both.
The Audit Planning module enables you to schedule projects and resources, so there is a clear view of fieldwork assignments and tracking of audit testing in an annual plan.
The easy-to-use web-based planning tool can be configured for small or large groups, allowing multiple plans to support enterprise audit objectives.
Reduce regulatory compliance costs and penalties. You can transform compliance "silos" into a single enterprise platform that results in lower testing time with standardized self-assessment and management certification templates. Integration with ERP controls also enables you to streamline compliance with continuous controls monitoring. Management can easily update documentation and certify internal controls to comply with the most complex regulations, such as Sarbanes-Oxley (SOX). ARCPaaS™ can be configured to support various industry and regulatory frameworks such as AML, Basel II, COSO, COBIT, GDPR, FCPA, FISMA, FERC, HIPAA, NCR, OMB-123, OSHA, PCI DSS, and Solvency II.
Improve audit findings by replacing random sampling, spreadsheets, or generic business intelligence with audit analytics purpose-built to detect anomalies or patterns in any data source, providing better assurance over business processes and controls.
Take a snapshot of any ERP system to map and translate your data into actionable insight. You can prevent operational losses such as duplicate supplier payments with advanced fuzzy matching.
Issue and remediation workflows
Workflow-enabled issue and remediation management tracks findings from all audit engagements and allows you to track the implementation status of recommendations made by your department and related management action plans. You can facilitate issue follow-up, trend analysis, prior audit review, and committee reporting.
Management can easily access the findings and perform remediation actions in a timely manner to reduce overall risk exposure. Role-based access ensures that data and functions are only accessible and available based on each user's role and authorization.
Automated ERP controls monitoring
You can continuously monitor business activities within your enterprise applications with instant access to the most extensive catalog of automated application monitors covering 1,000+ business objects for major processes such as Procure-to-Pay, Order-to-Cash, Hire-to-Retire, Design-to-Ship, and Financial Record-to-Report. You can test ERP configuration controls by enforcing an application setup consistent with operating standards.
Segregation of duties (SoD) policy management
- Jumpstart your top-down risk-based SoD analysis with hundreds of SoD Rules based on thousands of application functions included in our rules repository
- Rapidly reduce SoD risks with workflow-enabled collaboration among process owners, application managers, IS security, and auditors
Self-service identity-based access provisioning
- Safeguard your most important business information against cybersecurity risks with policy-based centralized orchestration of user identity management and access control.
- Improve productivity and reduce costs by enforcing access policies, such as segregation of duties (SoD) rules, before violations are introduced into the ERP environment, limiting the exposure of sensitive business information to potential threats and vulnerabilities.
Periodic user certification and review
- Automate periodic user access reviews to comply with access policies and maintain an audit trail to support IT General Controls.
- Enable managers to detect dormant users and unauthorized system access.
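A periodic access review, as described above, is an IT general control that auditors test by sampling the evidence: which accounts were flagged, who reviewed them, and what decision was recorded. The following is an added example, not SafePaaS code or code from this page, that shows the core of such a review over a constructed user export: it flags dormant accounts, accounts still active after termination, and holders of privileged roles, and it refuses to produce a certification record until every flagged account has an explicit decision. The user records, the 90-day dormancy threshold and the privileged-role list are constructed assumptions.

```python
"""Periodic user access review over a constructed ERP user export.

Added example, not SafePaaS code. USERS, AS_OF, DORMANT_AFTER_DAYS and
PRIVILEGED_ROLES are constructed assumptions; a real review would read the
export from the ERP or identity provider.
"""
from datetime import date, timedelta

DORMANT_AFTER_DAYS = 90                                     # assumed policy threshold
PRIVILEGED_ROLES = {"SYSADMIN", "AP_MANAGER", "GL_SUPERVISOR"}  # assumed
AS_OF = date(2024, 6, 1)                                    # review date (constructed)

# Constructed export: one record per account, as an ERP or IdP might produce it.
USERS = [
    {"user": "alice",     "status": "active",     "roles": {"AP_MANAGER"},    "last_login": date(2024, 5, 30)},
    {"user": "bob",       "status": "active",     "roles": {"GL_ACCOUNTANT"}, "last_login": date(2024, 1, 2)},
    {"user": "carol",     "status": "terminated", "roles": {"GL_SUPERVISOR"}, "last_login": date(2024, 3, 15)},
    {"user": "svc_batch", "status": "active",     "roles": {"SYSADMIN"},      "last_login": None},
]


def review_findings(users, as_of, dormant_days=DORMANT_AFTER_DAYS, privileged=PRIVILEGED_ROLES):
    """Return {user: [reasons]} for every account a reviewer must certify or revoke.

    Accounts with no findings are omitted: they are in scope for the review,
    but need no individual decision under this (assumed) policy.
    """
    cutoff = as_of - timedelta(days=dormant_days)
    findings = {}
    for u in users:
        reasons = []
        if u["status"] != "active":
            reasons.append("account active after termination")
        if u["last_login"] is None:
            reasons.append("never logged in")              # orphaned or service account
        elif u["last_login"] < cutoff:
            reasons.append(f"dormant: last login {u['last_login'].isoformat()}")
        priv = sorted(u["roles"] & privileged)
        if priv:
            reasons.append("privileged roles: " + ", ".join(priv))
        if reasons:
            findings[u["user"]] = reasons
    return findings


def certification_record(findings, reviewer, decisions, as_of):
    """Build the audit-trail entries for a completed review.

    Every flagged account needs an explicit 'certify' or 'revoke' decision;
    a silent omission is the failure mode an auditor looks for, so it is an
    error rather than a default.
    """
    missing = sorted(set(findings) - set(decisions))
    if missing:
        raise ValueError(f"no decision recorded for: {missing}")
    bad = sorted(u for u in findings if decisions[u] not in ("certify", "revoke"))
    if bad:
        raise ValueError(f"decision must be 'certify' or 'revoke' for: {bad}")
    return [
        {"user": user, "reasons": findings[user], "decision": decisions[user],
         "reviewer": reviewer, "reviewed_on": as_of.isoformat()}
        for user in sorted(findings)
    ]


if __name__ == "__main__":
    flagged = review_findings(USERS, AS_OF)
    for user, reasons in flagged.items():
        print(f"{user}: " + "; ".join(reasons))
    decisions = {"alice": "certify", "bob": "revoke", "carol": "revoke", "svc_batch": "certify"}
    for entry in certification_record(flagged, "audit.lead", decisions, AS_OF):
        print(entry)
```

With the constructed data, bob is flagged as dormant (no login since January against a 3 March cutoff), carol's account is still active after termination and holds a privileged role, and the service account has never logged in yet holds SYSADMIN; alice appears only because AP_MANAGER is privileged and must be re-certified each cycle. The certification records are what the reviewer signs and what the auditor samples as evidence that the control operated.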
Having a solution like SafePaaS in place to prepare for SOX compliance removes the pain and pressure from pulling together your supporting audit documentation and evidence. SafePaaS provides the data and security needed for pre-IPO SOX compliance by securing risk across all your business applications, automating manual tasks, and enforcing internal controls.