Podcast | Get Ready for Your IPO: Financial Reporting, Cybersecurity, Sustainability and More – with Stephen Alicanti, Kristy Balsanek, Charles Soranno and Andrea Vardaro Thomas

Kevin Donahue: Hello. This is Kevin Donahue, a senior director with Protiviti, welcoming you to a new edition of Powerful Insights. In this episode, we are going to be talking about all things around initial public offering, or IPO, readiness. Spoiler alert: There is a lot — accounting, financial reporting, cybersecurity, and even ESG and climate reporting. Joining me today are Stephen Alicanti and Kristy Balsanek from DLA Piper and Charlie Soranno and Andrea Vardaro Thomas from Protiviti. Stephen and Kristy both are partners with DLA Piper, while Charlie and Andrea are leaders in Protiviti’s Business Performance Improvement solution.

Thanks for joining me, everyone. Let’s dive right into our topic here. Charlie, I’m going to start it off with you. We know that preparing for an IPO is a long and intense process, requiring months or even years of preparation. In your experience, what areas typically become the so-called long poles in the tent leading up to an IPO that companies should consider?

Charles Soranno: Kevin, there’s certainly a lot. A couple of things that come to mind are the accounting and reporting records and processes, and then prepping for those PCOAB audits. If you think about the accounting and reporting pieces, generally what companies struggle with, and we help our clients through, is unwinding the private-company accounting. Let me give one example: A private company does a business combination where maybe the excess over purchase price is recorded as goodwill, and as a private company, they can amortise that goodwill. As a public company. business combinations, any excess is allocated first to intangible assets, either finite or indefinite, and the remainder is then allocated to goodwill, which is not amortised in a public company setting, but assessed for impairment periodically. That appears to be a onetime finite item, but it has to be done at the earliest period presented in the financial statements that go to the SEC, and then every year after that.

In terms of getting ready for the PCOAB audits, four things come to mind: SEC-ready financial statements, of course, and higher auditor scrutiny. What does that mean? It means more sample sizes and lower levels of materiality the auditor is going to be looking at. The auditors have to gain an understanding under AS 5 of the internal controls over financial reporting, which is a new protocol for companies looking to go public. And the auditor has to reestablish their own independence, which is not a client protocol, but it is an auditor protocol, which could delay the process. Andrea is going to weigh in on some of the other items, including segmentation.

Kevin Donahue: One of the long poles I often see is how a company decides to externally disclose their segments. It’s important not only because it impacts how the company is managing their business but also because the segments form a basis for how the company develops and communicates their equity store in the IPO, and then, as a public company, how they continue to report their financial performance in SEC filings and to the street.

What we see is, a lot of times, there is a need for changes or updates to financial reporting structures or data hierarchies to align with the new segments. When companies start to determine what their segments might be, the focus might be on benchmarking to make sure that they’re complex, comparable with other peer public companies, especially as they’re disclosing externally.

But you have to think about SEC reporting in the vein that it’s frequently a target for SEC comments. When making the decision around segments, you’ll need to consider adherence to U.S. GAAP requirements and be able to support how information is being presented to that chief operating decision-maker. The CoDM receives the management reporting packages, so it’s aligning information with how it’s being presented to the CoDM and how it will be used for future discussions with investors and analysts.

One other area, moving on from the accounting side, is the forecast and forecast accuracy. As a public company, it’s critical for you to have accurate forecasts that can demonstrate quality of earnings, instill investor confidence, and allow management to identify and evaluate any potential risk opportunities and even uncertainties that might have an impact on the company’s financial projections in the future.

What I see many companies struggle with is consistency of forecast accuracy and the ability to produce a timely forecast. Most of the time, this is due to a lack of accurate data from underlying systems or even team capabilities. And it’s not just the financial-modeling capabilities; it’s also how they’re connecting the financial forecast to the business and the business strategy. Improving forecast accuracy takes time and many reps that are needed to prove it out over the course of time, adding those improvements in, which is why it tends to be that long pole for many companies that are preparing to go public.

Kevin Donahue: That’s a great rundown by both of you. Thank you. Stephen, I wanted to have you jump into this question as well. I know there are some issues related to, say, business combinations and acquisitions that come into play, too.

Stephen Alicanti: There are business combinations and significant acquisitions or things that have to be monitored carefully when you’re contemplating an IPO. Typically, transactions of that nature are governed by item 3-05 of regulation S-X. Generally, if you close a significant acquisition, you’re required to include historical target financial statements as well as pro forma financial statements. And the rules are complex.

There’s some latitude, depending on the significance of those acquisitions, as to when the financial statements are required. Generally, they’re based on three quantitative tests: the investment test, the asset test and the income test. If you have an acquisition that trips the 20% threshold in any one of those tests, you’ll need one year of audited financial statements of that target company plus a stub period. If you go over 40%, you’ll need two years of audited financials, plus a stub period of that target company, and then you’ll also need pro formas.

There are also rules around aggregating multiple acquisitions that may not be individually significant. The good news is that if historical financial statements of a target company are required, it’s not necessary to have those be PCAOB-audited, so you can have a traditional AICPA audit for those target financial statements.

The other long pole that jumps to mind for me is stock compensation. As you’re approaching an IPO, keep in mind that the SEC typically scrutinises stock-based activity in the 12- to 18-month period preceding the IPO. For example, if the company is issuing options or warrants to executives, that may be deemed compensation — it may be very straightforward compensation — and the SEC may determine that an accounting charge is appropriate for purposes of that compensation. The SEC compares those prior issuances against the midpoint of the range in the IPO.

The thing that’s thorny about this is that companies generally disclose the IPO price range and an amendment to their S-1 after they’ve cleared all their SEC comments. This is an issue that can come up very late in the process while you’ve commenced your roadshow, and it can be very challenging if the SEC disagrees with your analysis. If they require an accounting charge, you’d have to go back and potentially restate financials. This is something that if you’re thinking about any equity issuances in that time frame, definitely consult with your external advisers. 409A valuations may be required, or accounting charges may also be required, depending on the circumstances.

Kevin Donahue: These long poles certainly are a challenge for companies, and we see they’re primarily focused on requirements to prepare the company in advance of an IPO. However, often, once these companies are public, they struggle with being able to keep up with incremental demands required of a public company. Andrea, how should companies be thinking about readiness to become a public company after the IPO is effective?

Andrea Vardaro Thomas: Once the companies determine what their long poles are, they should shift focus to address the long pole, to de-risk the IPO timeline and ensure that if there’s any important dependencies or overlaps, those get addressed. We typically refer to this as infrastructure build-out. I’d argue that infrastructure build-out is the most important phase of the IPO journey for most companies because when companies start their IPO process, they tend to focus on the incremental work around the transaction itself — drafting the S-1, the analyst-day preparation, the roadshow.

But once all the third parties that are assisting in the transaction go away, the company does need to stand on its own as a public company. This means being able to file quarterly 10-Qs, annual 10-Ks within the SEC reporting timelines, and then there’ll be additional activities: Think about investor-relation procedures — quarterly-earnings release, analyst calls. All those procedures will need to be implemented.

Part of the infrastructure bill we always recommend is to conduct a mock public company quarterly process in advance of the IPO — and I recommend doing this no less than two quarters prior to the effective date of the IPO because you want to have enough reps in place so you can work out any issues and build the muscle memory across the company.

When we say “a mock public company quarterly process,” what does that include? I recommend starting off with creating that calendar and the formal processes around that calendar for those incremental activities the companies might not be doing today as a private company but will need to do as a public company. An example of some of these newer incremental activities we often see is that companies might not prepare quarterly tax provisions. Obviously, there’s no drafting of a 10-Q or review of that 10-Q document. Incremental quarterly audit review procedures of the SAS 100, earnings release, analyst-call prep, 302 and 906 certifications, quarterly disclosure committee: Those are all examples of most activities that private companies are not doing. When you think about those incremental activities, they all need to be completed within the SEC timeline requirements. That’s generally 40 to 45 days following a quarter end, depending on the filing status.

Because there are all these new incremental activities required of you as a public company, we see that most companies need to find ways to accelerate their financial-close process. Ideally, the book close is seven to eight days after quarter end to make sure they can achieve all these additional activities. Then, as I mentioned earlier, being able to produce a timely and accurate forecast and quarterly financial projections is also important in this process as well.

When we think about conducting that mock process, I would start with the process itself on dates that are achievable, not necessarily within the public company timeline. You can form that basis for identifying challenges and opportunities and then identify those opportunities to implement ongoing refinements and enhancements and continue that mock process so the company gets those reps in place so by the time you are public, it’s second nature versus a fully new process.

Kevin Donahue: Charlie, I’d like to get your views here from a SOX perspective and the requirements in place on that front.

Charles Soranno: As Andrea points out, the infrastructure build starts early, and the internal-controls SOX should start effectively at the same time. There is a fallacy out there where potential registrants, when we meet with them early, might believe that Sarbanes-Oxley requirements really start kicking in when the auditor may be providing an attestation of the internal control function. And for smaller companies — emerging growth companies and the like — that could be as long as five years.

But companies should be preparing well in advance. The management’s assertion over internal controls has to be done at the end of the first full year after becoming a SEC registrant. What that means, in summary, is that the risks have to be assessed, processes have to be well-documented, the controls have to be evaluated for design effectiveness and then they have to be tested for operating effectiveness so management has the ammunition to be able to say, “We believe that our internal control environment is sound,” and that’s done at the end of the first full year after becoming a public registrant.

However, the first periodic filing after a company becomes a registrant, which is typically a 10-Q — a quarterly report — the CEO and the CFO have to assert to a soundness of the internal control environment under section 302. And then you might be saying, “Isn’t that Sarbanes-Oxley?” It is. It’s SOX lite, so we recommend to our clients that high-risk processes get documented and tested, which would include revenue recognition and the financial close and financial reporting process. All that should start to be evaluated, as Andrea points out, in the infrastructure-build protocols.

Andrea Vardaro Thomas: To add to that point too, and to circle back to Stephen’s point earlier on the business combinations, we often see that after an M&A transaction, integration of systems and processes, even integrating the organisation — especially the CFO organisation — that has a significant impact not only on the company’s ability to meet the public company timeline but also on internal controls. As you think about integrating any new acquisitions during your IPO journey, you’re going to have to think about, do you have compensating controls, mitigating controls? There might be significant deficiencies or material weaknesses that need to be disclosed. Those are all considerations you’ll need to think about in advance of the IPO and as you continue the journey as a public company and build out your formal SOX processes.

Stephen Alicanti: Andrea and Charlie hit on the common theme here: The IPO is the first step in the process. The experience from that IPO process — from a drafting disclosure and the due diligence exercise that the company goes through with its underwriters — will certainly help prepare the company and its management team for some of the disclosure obligations as a public company. But strong corporate governance and effective disclosure controls are going to be paramount, and that’s part of the infrastructure build-out mentioned earlier. If management teams and the board have limited public company experience, they need to be realistic about their internal capabilities and the need to involve external advisers.

From a legal perspective, once you become a public company, you’re going to be subject to a new level of disclosure obligations. Transparency is going to be foreign to people used to operating with private companies. Often, there are thorny issues that arise, and they require rapid decision-making. It could be a cybersecurity event or other events that require disclosure, and you want to build trust in the market that you have timely and accurate reporting. Public company readiness assessments are one way to help a company understand where you’re at and where the company needs to be in the process to function effectively as a public registrant.

Kevin Donahue: Charlie, for public companies, there are also certain disclosure requirements companies need to adhere to. One is the rule adopted by the SEC last year, in 2023, which requires public companies to make certain disclosures related to cybersecurity risk management, strategy, governance and even incident disclosures. How should these companies think about preparing for this rule as part of their public company readiness efforts? 

Charles Soranno: This is the part of the presentation where we say, “Nothing ever comes off the list.” As you mentioned, the SEC put these new rules out in late 2023, and there are two components to it: the 10-K component and the 8-K piece. The 10-K component is the company’s backbone to identifying and mitigating and disclosing cyber risk activities — the risk management over that process and the governance, meaning the board, the audit committee and others. What we’re seeing often is cyber experts being added to both the board and the audit committee. The other piece of it is the 8-K disclosure, or the incident-reporting piece, which is required four days after an incident is deemed material and describes the nature of the event and the remedial actions taken, and any financial impact that has been determined.

Kevin Donahue: Kristy, let’s bring you into the conversation here. In March of this year, the SEC adopted rules to enhance and standardise climate-related disclosures for investors. There have been some developments there — we’re going to talk about that in a moment. But first, what steps should a prospective public company take now to prepare?

Kristy Balsanek: There was, in March of this year, an approved landmark climate-disclosure reporting rule from the SEC. The intent for this rule is focused on enhancing and standardising climate-related reporting for public companies. As many of you may know, there have been a number of standards globally that companies have had to navigate, and there are a lot of differences between them. Companies should think about taking two main steps: that readiness assessment, and remediation. In terms of readiness, that’s to assess what the rule requires and whether the company has already implicated those rules.

Essentially, there are about five main requirements the SEC rule has put forward, and that starts at the governance level — thinking about whether a company has a board oversight for climate-related risk, and disclosing what the management role is in climate-related risk, how it’s identified, how it’s assessed, and what we’re talking about are risks that climate has on the company itself. In addition to governance, there are requirements around disclosing material climate-related risks and about disclosing targets and goals around material risks in that area that will have to be considered.

That’s also inclusive of the use of carbon offsets or renewable-energy credits, also known as RECs. The biggest change here for requirements as well relates to greenhouse-gas emissions and reporting around what’s known as Scope 1 and Scope 2, and regarding those areas of greenhouse-gas emissions, many companies haven’t had to measure or think about disclosing that type of data. And that relates to greenhouse-gas emissions that are material for the company, that relate to what they already own or what they’re purchasing — electricity. Companies are going to need to think about whether they’re already collecting that information and how they may think about whether it’s material.

What’s known as Scope 3, which would then entail greenhouse-gas emissions for the entire value chain, that is not inclusive of this rule. There’s a lot of controversy about that, but it’s not in the final rule. But Scope 1 and Scope 2 are for certain filers, and that would relate to whether material or nothing. Then there’s financial information that would have to also be disclosed that would relate to costs and expenses and other data around climate.

Thinking about what those requirements look like will be important to go through — how to remediate: Is there a gap between what companies are doing now versus what they’re going to be potentially required to do?

One of the key things in terms of thinking about how to remediate, of course, is putting a cross-functional team together to assess what these requirements look like — how you would assess materiality, what kind of data will be collected, identified and disclosed, and what the timeline will be. But one key piece of this is these global frameworks. The SEC, of course, is just one, and so a lot of companies are reporting voluntarily through other types of frameworks that people may be familiar with: the ISSB or the SASB, GRI, the Greenhouse Gas Protocol. There are a lot of acronyms out there, but there are standards that perhaps there’s data that you already have that you can leverage.

And then in the U.S., there’s also, at the state level, California has already issued bills that are requiring Scopes 1, 2 and 3. It doesn’t matter whether it’s material or not, but those requirements for California are coming into effect soon. There’s a timeline phase-in as well. And, for those who are operating globally, on the EU side, there’s a directive for corporate sustainability reporting that goes beyond climate that companies will also likely have to be looking at as well. That is something to navigate overall and to think about what can be leveraged to address any gaps with the SEC rule.

Kevin Donahue: Kristy, as I mentioned, and you noted as well, there have been some developments. In April this year, 2024, the SEC issued an order pausing the implementation of the final rule requiring companies to disclose climate-related risks pending the outcome of a legal challenge to this mandate. In short, what does that mean for companies as they enter into their preparations to comply with this requirement? 

Kristy Balsanek: Immediately after the approval, within basically the same day, numerous lawsuits were filed, and they’ve all now been consolidated into one circuit. We’re now waiting to see the results of that decision. The SEC voluntarily stayed. This is important to recognise — that it was a voluntary decision, and the rule’s been stayed, and we’re going to wait and see what the time frame may look like.

There’s another important lawsuit that we will be waiting to hear from the Supreme Court, which relates to regulatory authority. For those who may be aware of it, it’s the Chevron case, and that will be coming out in June. The current SEC lawsuit is being waited on for this Supreme Court case to go forward, and we’ll see what the decision is in terms of regulatory authority. But in the meantime, the timeline looks like, for the SEC lawsuit with the 8th Circuit, it likely will be either at the end of this year or early next year.

Then, of course, it could be appealed again, potentially up to the Supreme Court, which would be another year of timing. In the meantime, we’re still recommending that companies look and understand what the SEC rule requires on climate. There may be parts that are struck down, but there may be parts that do get upheld, so it’s important to understand what the requirements are. Again, as I mentioned, there are a lot of global frameworks already in place, and in the U.S., there are the California state requirements as well. How this all fits together to try and proceed efficiently in a manner that will address these differences but try to be more standardised, we’ll have to wait and see. But it’s important to start early because there’s a lot of data gathering and changes within companies to think about in order to adhere to these rules.

Kevin Donahue: To emphasise your point, you mentioned the different state laws like the California requirements. But in addition, with the CSRD, that’s not just impacting companies based in Europe. It’s anyone operating there — perhaps even a vendor of someone operating there — so the point, if I’m understanding, is, you can’t really afford to delay, even if the SEC’s rule is being delayed.

Kristy Balsanek: That’s right. And because the EU is very broad, while the initial phase-in, the applicability, will start on the EU side with EU companies, subsidiaries of U.S. companies may be pulled in depending on the number of employees and the amount of revenue. Also, as the phase-in occurs, it may come up to the parent in the U.S. even. There’s a lot of applicability assessment recommended to be undertaken.

Also to your point, the word for the directive in the EU is sustainability. While the U.S. has been more focused on the SEC in California on climate, sustainability for the EU covers climate. It covers social, business, human rights, diversity, inclusion. And the governance piece is really critical as well. It’s quite broad.

Kevin Donahue: Excellent. Thank you. Thank you, everybody. This has been a great conversation.

A final wrap-up question. Andrea, what advice would you have for companies seeking to go public? How can they avoid the common mistakes a pre-public company makes that could negatively affect the organisation’s short- or long-term success as an SEC filer?

Andrea Vardaro Thomas: We’ve talked about a lot of these points, but I would first recommend doing that initial upfront assessment — understanding what your current state is now and identifying, what are the long poles, what are the heavy lifts that your organisation needs to undertake, and then shift that focus to infrastructure build-out to make sure the company can function successfully once it is public after that transaction.

But during the process itself, through that IPO journey, I’d recommend making sure there’s an adequate program management structure in place to drive that IPO-readiness effort. Establish a steering committee. That steering committee should be made up of key stakeholders throughout the organisation — not just within finance and the legal side, but also from an HR perspective, technology and the business side. It should also include relevant third-party advisers and even the audit committee chair.

This committee should meet frequently — typically, monthly — to review the project status, any major milestones, remediation of those long poles that have been identified, and to address and surface any challenges or potential dependency delays that might impact that IPO timeline. This can help track the IPO preparation. It can help track the infrastructure build once the company is public and allow the company to make a realistic go-or-no-go decision once the IPO is imminent.

Kevin Donahue: Stephen, I’ll ask you to share your final thoughts.

Stephen Alicanti: Andrea hit the nail on the head: This is a long road. Be patient, be careful, undertake the assessments upfront. Advanced preparation will serve you well in the IPO process and then as a go-forward public company.

Kevin Donahue: That was a great conversation. I want to thank Stephen, Kristy, Charlie and Andrea for joining me today.

A couple of key takeaways: This is almost certainly going to be a very long road for any private company planning to go public. They’re going to have to look at cybersecurity, financial reporting, climate reporting and much more. It’s important to start and prepare early.

For more information, I encourage you to visit the DLA Piper and Protiviti websites for more information on preparing to become a publicly held organisation. And finally, as always, I encourage you to please subscribe to our Powerful Insights podcast series and review us wherever you listen to your podcast content.