Despite the disruption of the global pandemic, 2020 proved to be a hot market for initial public offerings (IPOs), with 183 traditional IPOs and 242 special purpose acquisition company (SPAC) deals raising more than $150 billion in total. 2021 is expected to follow suit, too.
If your company is considering going public, you’ll need to make sure that you’ve laid the groundwork to operate efficiently, demonstrate compliance, and mitigate the cost of risk and compliance. That includes setting up and running an effective internal controls program to demonstrate SOX compliance.
What is SOX compliance?
Well, if you’re planning on going public, you should probably know this, but since 2002, public companies have been bound by the regulations of the Sarbanes-Oxley Act (SOX), which establishes compliance regulations around corporate public records. Organizations must report annually on their internal controls for financial reporting—this provides assurance on the adequacy of controls, protects stakeholders, and prevents fraud and financial misstatements.
Public companies are required to be SOX compliant, but many non-public organizations also comply. And for organizations looking to go public, laying the groundwork for SOX compliance should be a top priority. In fact, many successful IPO companies operate under public company rules (including SOX) for at least one full year before going public.
Did you know:
SOX carries some of the heaviest fines for any instance of non-compliance and can cost senior executives $1,000,000 per violation and up to 20 years in prison, and can cost the organization $5,000,000 per violation.
The benefits of SOX compliance
Besides avoiding hefty fines and keeping executives out of jail, SOX ensures that organizations have the right internal controls in place to mitigate risks, gaps, and weaknesses related to financial records and reporting.
But it has a whole host of other benefits. It helps to create a strong control environment, improve documentation and communications, standardize processes, and reduce complexity and human error.
When an organization—especially one that is on the road to IPO—can demonstrate SOX compliance, it shows that it has the right people, processes, and technology in place to fully manage and mitigate risk, and protect stakeholders.
Create a strong control environment
The control environment is more than just a set of internal controls. The term actually refers to the attitudes and values of executives and directors and how they recognize the importance of method, transparency, and care in the creation and execution of their company’s policies and procedures.
Controls, testing, reconciliation and data play a strong part—but as a second or third line of defense. The employees within an organization are the first line. If the executives and directors don’t create a strong control environment, they’ll never have good governance—no matter how many well-constructed controls they have.
If an organization can show it has a strong control environment, it could result in a reduced scope of its internal controls evaluation by external auditors, making SOX somewhat less cumbersome. Ways to demonstrate a strong control environment include:
- Having internal audit send an annual survey to executives on a variety of business activities like hiring, vendor selection, or employee evaluations
- Annual ethics training, presenting front-line employees with a number of questionable situations
- Regularly testing finance employees on their specific roles and responsibilities
Sending and collecting these surveys and tests within a software platform will make it easier to quickly demonstrate your efforts on building a strong control environment if and when the time comes.
Get your documentation in order
There’s no question that documenting organizational policies and procedures helps organizations run better. But SOX has made such documentation mandatory in order to prove compliance. As a result, employees know what’s expected of them and what’s unacceptable, and weaknesses and control gaps can be identified.
Good documentation should include:
- Processes or workflows: how are things done?
- Narratives to provide further context: why are things done?
- Risk and control matrices: what might happen and how will we mitigate it?
Once you’ve documented everything, you’ll be able to identify areas for automation. Where can you insert automated workflows so you’ve got an extra layer of assurance that a control activity was performed correctly?
Why is this important? Well, CEOs and CFOs must personally attest to the effectiveness of internal control over financial reporting. In fact, SOX made it a crime to portray the organization’s operations and finances in a false light. (See fines and sentencing note above.) So your C-suite wants to be sure you’re doing the right things in the right way, and can prove it.
An auditor must also attest annually to an organization’s evaluation of its controls. This means the auditor has to review all of the documentation of the controls and procedures, and walk through and evaluate how well employees perform the control activities.
When these things are documented, automated, and easily accessible in a collaborative GRC tool, it makes it that much easier to demonstrate compliance, internally and externally.
Communicate better: inside, outside, sideways, and upways
With your strong control environment established, and your processes defined, refined, and automated, you propel yourself into a position where it’s easier to be transparent—both horizontally and vertically—on your operations.
This means improved communications with the Board and audit committee—and who doesn’t want that? In some cases, you could even create self-serve reporting, so at any given time, stakeholders across the business can get a full picture of your compliance posture. This reduces the number of reactive requests and increases the visibility of the value delivered by your team.
Find areas for harmonization
If you’re on the road to IPO, chances are you already need to comply with other regulations like ISO, HIPAA, GDPR, or GLB. Each regulation has controls. A good opportunity here is to identify where these controls overlap. This is where you’ll want a Compliance Mapping tool.
Using Compliance Maps, you can:
- identify applicable regulations and standards
- harmonize a list of requirements across all applicable regulations and standards
- map controls in frameworks to requirements
- aggregate testing results and issues to track and report on compliance status in real-time
Sure you could do this manually, but identifying the intersections is not always easy or apparent. By mapping your compliance regulations in a unified platform, you’ll not only streamline your SOX work, but you’ll optimize other regulatory activity, like risk assessments, controls testing, and process mapping.
Standardize and consolidate processes
As organizations grow, it’s not uncommon for silos to form. This is especially true when mergers and acquisitions occur: similar teams doing the same things in different ways.
Through documentation of processes, compliance mapping, and better transparency, you’ll be able to easily spot areas that could use standardization or consolidation. A few of these could include:
- Risk scoring methodology
- Technology or tool use
- Data inputs (formats)
- Reporting methods and formats
- Metrics and measurements
Standardized processes can be evaluated far more quickly by auditors, provide more assurance, and optimize operations.
Automate what you can and get your people on more value-add work
Automation is powerful and frees up employees from tedious mountains of manual tasks, refocusing them on more value-add strategic work. But automation also reduces human error. Just think, no more calculation errors in spreadsheets, or working off an outdated file.
By automating things like workflows and control testing, you’ll be able to test more of your data in a shorter period of time, gaining more assurance with fewer (or no) errors. That means more assurance, fewer tests, people refocused on value-add work, and faster, easier reporting on your overall compliance posture.
There are so many benefits to positioning your pre-IPO organization for SOX compliance. Better integration, better processes, more assurance, better communication, and everyone marching to the beat of the same drum. It’s not easy or quick, but it will make you a more successful and more conscious organization in the long run.
Reaching internal controls utopia
Learn how to plan, implement, review, and test internal controls.
- Assess the maturity level of your internal controls.
- Create a thorough internal control system.
- Minimize internal control failures.