Corporate Governance Transition – Sarbanes-Oxley Readiness
By Steve Hobbs, Protiviti

Steve Hobbs (steve.hobbs@protiviti.com) is a Managing Director based out of Protiviti’s San Francisco, CA office where he leads the Public Company Readiness service.

Source: Protiviti's KnowledgeLeader

Rapid changes in corporate governance requirements present a challenge to many organizations in running their business while meeting increasingly onerous compliance obligations. The Sarbanes-Oxley Act of 2002 (SOX) requires evaluation of the control environment over financial reporting, which presents a major challenge for companies preparing for an IPO.

There is much more to SOX than simply testing a company’s internal control over financial reporting. Companies entering public markets must have the proper board composition, evaluate the need for an internal audit function (required by the New York Stock Exchange), and have the requisite corporate policies and procedures. They also must be prepared to provide quarterly executive certifications, and eventually, management’s conclusion on the internal control over financial reporting. This compliance effort can be costly. To achieve long-term, cost-effective compliance, you need a risk-based approach to minimize non-value-added activities and maximize the effectiveness of your business processes. Organizations should focus on implementing a sustainable process early on as opposed to taking an ad hoc project-based approach.

Risk
Investors’ attitudes have changed. Financial transparency and governance frequently matter as much as the financial bottom line. Your company’s financial reputation is everything to investors. Along with transparency, too often a company’s board and management underestimate the effort of designing and implementing controls over financial reporting, as well as changing the company culture from private to public.

As part of this process, there is an opportunity for establishing a cost-effective, sustainable internal control structure with a focus on improving the quality of upstream business processes. At Protiviti, we have helped hundreds of companies handle their SOX compliance with this focus in mind. Below, we describe our points of view on how you can achieve a cost-effective compliance process.

Point of View
1. Start early. Many of the internal control and reporting mechanisms of SOX can take time to implement, and changes in relationships with parties such as board members or auditors can take a long time to ramp up. Furthermore, in the post-IPO world, executives are pulled in different directions. The new toll on their schedules from meetings and other activities with investors and analysts frequently does not allow them to play a major role in SOX compliance. For this reason, it would be a mistake to delay SOX readiness until post-IPO.

2. Become “SOX-ready.” SOX readiness does not simply mean becoming SOX-compliant ahead of time. Rather, a company’s limited resources during the pre-IPO period should be focused on the most critical areas – such as revenue, inventories and financial close – based on a risk assessment, which is usually the first step of the exercise. Resources should be devoted to planning ahead to remediate any major gaps, which can range from system data integrity issues and inadequate manual review procedures to a lack of established methodology.

 
3. Look for value-added opportunities. The overall effort for SOX compliance requires a holistic view of the company’s processes and controls. Implementing the right controls should not be a once-off project; it should benefit your compliance efforts as well as improve your operations. Value-added action plans increase the efficiency and effectiveness of critical processes and improve the disclosure infrastructure. Controls can be based on information technology (business systems) and people. The focus should be on predictability, auditability, transparency, compliance, data integrity and documentation.

4. Determine the most cost-efficient means of sourcing for becoming SOX-ready. More than six years have passed since SOX legislation was enacted, and the latest SEC guidance for management compliance tends to be more and more principle-based. Some of the key factors to consider when putting together the SOX team, whether in-house or outsourced, involve determining whether the team has 1) a well-developed approach with a proven track record, 2) experience interacting with the company’s external auditors, and 3) effective project management skills.

As you assess your SOX readiness, some key questions to ask yourself are:

  1. Have you fielded a board of directors of the right size, structure, experience and depth to help guide your decisions and provide the requisite oversight?
  2. Have you established the appropriate oversight, policies and procedures, internal controls and infrastructure necessary to be a public company?
  3. Have you incorporated the 12 to 18 months of lead time typically required for SOX 404 readiness?
  4. Do you have individuals with appropriate experience and qualifications in your finance function?
  5. Are you taking advantage of the application controls in your IT system, or are you expending your resources on many manual controls, which will in turn cost you more to test?
  6. Do management and the audit committee know where the key risks to your financial reporting process exist?

Over the course of our experience, we have consistently received the following feedback from audit committees, CFOs and other management:

  1. It is never too early to begin the process.
  2. It will always take longer than you think.
  3. A top-down and risk-based approach is critical.
  4. The number of key controls is the primary cost-driver.
  5. Get third-party support and auditors scheduled early, because resources are scarce.
  6. A one-size-fits-all approach doesn’t exist.

As a pre-IPO company, you are undoubtedly receiving a lot of attention already from investors regarding the transparency of your financial reporting and disclosures, well ahead of the actual SOX compliance date (your second 10-K filing). With focused efforts and appropriate teaming, the benefits of becoming “SOX-ready” can go well beyond saving time and money. Building a healthy and effective financial reporting infrastructure demonstrates a proactive culture. This in turn boosts investor confidence and adds value to the overall effectiveness of business processes within the organization.


© 2012 Protiviti Inc. All Rights Reserved.