Guide to Public Company Transformation: Frequently Asked Questions

An IPO is a corporation’s first offer to sell stock to the public. One primary objective of an IPO is gaining access to market capital. Sometimes referred to simply as “public offerings,” IPOs require an issuer, with the assistance of an underwriting firm, to determine the type of security to issue (i.e., common or preferred shares), the optimum offering price and the best time to bring the company to market.

In an IPO, a company issues stock, which represents an equity (or ownership) stake in a company, on a publicly traded stock exchange. A public debt offering occurs when a company issues bonds (certificates representing debt) to the public; the bondholder then receives interest and a repayment of principal on the “loan” made to the company.

The primary advantage of going public is the increased access to capital that companies gain. A public company can conduct subsequent offerings (commonly referred to as “secondary” or “follow-on” offerings) years or, in some cases, months after an IPO to generate additional capital – usually on highly favorable terms. Additionally, public companies typically boast better growth potential than private firms, maintain greater prestige in the financial community, and are able to lure top talent with more enticing incentives such as stock awards. In addition, a public company provides liquidity to its shareholders and can equip company leaders with a more precise understanding of the value of the organisation, which can inform how they subsequently market their stock.

The primary disadvantage of an IPO boils down to effort, followed by cost. Preparing a company for an IPO and undertaking the necessary business transformation can be a complex and daunting task for even the most mature, well-rounded and professionally run organisations. Recent and not-so-recent regulatory changes, including but not limited to the Sarbanes-Oxley Act of 2002, place a sizeable burden on private organisations preparing to become public companies. The transformation necessary for organisations to be ready to go public requires that they address numerous issues related to regulatory compliance, financial reporting, information technology (IT), internal audit, talent management, policies and procedures, and corporate governance, among other areas.

Additionally, once a company is publicly held, it must disclose to the public, which includes its shareholders, a much greater amount of information related to company performance, risks, and director and officer compensation. Shareholders can exert significant pressure (related to performance, strategy, compensation and other issues) on the management team and the board of directors. Also, depending on the breakdown in share ownership, private company founders and executives who take their organisations public risk losing voting or board control of the company. Being public increases a company’s exposure to shareholder lawsuits as well as restrictions placed on insider stock sales at the IPO “lock-up period” and during the “blackout periods” preceding and following earnings releases.

Nevertheless, the large number of successful public companies filing in U.S. public markets attests to the fact that returns on becoming a public company can far outweigh the investment in time, effort and money required to prepare and execute an IPO.

The effort and time required to prepare for an IPO are frequently underestimated. While the timeline varies depending on a company’s unique requirements, it typically takes about 12 to 18 months (and in some cases as long as 24 months based on relative complexity and existing maturity) for a private organisation to achieve PCR.

The key milestones in this process should include an initial IPO readiness assessment, Sarbanes-Oxley compliance, financial reporting readiness, IT systems and data readiness, and the execution of corporate governance and IPO-specific requirements. Among these requirements, financial reporting, Sarbanes-Oxley compliance and IT readiness typically require the most time and should therefore begin as soon as the readiness assessment (a diagnostic process that typically requires four to six weeks to execute) is completed (see Question 20).

Image

A company must consider very carefully the timing of an IPO. Windows of opportunity in the public market can open and close quickly. Thus, it is in the best interest of IPO candidates to be well prepared and act when the market is favorable. Inadequate PCR assessment and planning can delay an offering and/or adversely affect the enterprise’s value when the IPO occurs.

IPOs tend to bring higher offering prices when equity markets are at their healthiest; however, many IPOs have achieved success during down markets as well. The timing of an IPO should be determined by several factors, including, but not limited to, macroeconomic conditions; the health of the company’s business sector; the company’s track record and prospects for maintaining a strong (or reliable/predictable) revenue and earnings growth trend; the company’s products or services visibility and interest to the consuming and investing public; the company’s environmental, social and governance (ESG) profile appeal to sustainability-focused investors; the company’s capital needs; and its PCR.

U.S. public companies primarily use listing exchanges to access a market for trading their stock. Listing exchanges – such as the New York Stock Exchange (NYSE), Nasdaq and others – also can help member companies strengthen their brand and visibility, provide a support network, and provide capital markets and investor relations (IR) support.

Companies select a listing exchange based on numerous factors, including the exchange’s listing standards. Listing standards consist of various sets of applicable qualifications – such as valuation, pre-tax income, market capitalisation and operating history, among others – that member companies must meet to participate in the exchange. Companies also select a listing exchange based on analyst coverage; oversight and accountability; the manner in which trades are executed; and the availability of information.

The company should seek advice from their banking and other market advisors who can provide a more in-depth analysis into whether one exchange is more preferable than the other for attracting the company’s optimal investor base.

Significant changes have occurred in the IPO market in the past several years. What’s more, numerous studies show that the average “age” of companies conducting IPOs has generally increased over the past two decades, which may indicate that leadership teams are taking more time preparing for a public offering. Additionally, the effort associated with financial reporting readiness and Sarbanes-Oxley compliance requires more attention and focus early on.

For these reasons, it is important, from a competitive standpoint, to operate private, pre-public companies as if they were already public. This requires pre-public companies to establish and operate their underlying business, finance and accounting, IT and auditing processes, policies, and internal controls in a “public company” fashion while simultaneously meeting the daily demands of running a business.

IPO costs are dependent on a number of factors and can vary significantly among companies. For example, a sample budget for a $100 million to $200 million IPO could range from $2 million to $3 million, specifically attributable to the offering. These amounts exclude the underwriter’s commission, which usually is about 7 percent of the total public offering price. The largest cost areas include the underwriter’s commission, legal fees, listing fees, accounting fees and printing expenses.

The largest portions of this cost relate to incremental legal and auditing fees, as well as to additional financial reporting, regulatory compliance, public relations and legal requirements. Related people, processes and IT expenses also figure into these ongoing costs of operating as a public company.

The primary external service providers involved in an IPO include the managing underwriters (investment bankers), the underwriters’ legal counsel, the company’s legal counsel, the external auditor, the financial printer, the external advisor with IPO/SEC filing and accounting expertise, and, in some cases, other external service providers such as investor relations and capital market advisors with specialised expertise related to the company’s business model, industry or regulatory requirements. For example, a company in a highly regulated industry may hire external legal counsel with specialised expertise in its industry’s regulatory demands.

The company’s legal counsel plays a leading role in managing the IPO transaction. Frequently, a pre-IPO company’s legal counsel does not possess the expertise or experience required to take a company public. This may require that the company select a new in-house legal counsel or external legal counsel (well in advance of the IPO). The following discussion provides a brief description of each primary external service provider’s role:

Managing Underwriters: Investment banking firms act as underwriters in the vast majority of IPOs. In some cases, particularly when the public offering is relatively large, a pre-IPO company selects two or three investment banks to serve as managing underwriters. In these instances, one investment bank is typically identified as the lead manager while the other managing underwriters are designated as co-managers. The role of the managing underwriter is to buy the IPO shares from the company and then sell the stock to investors. To fulfill this role, the managing underwriters conduct due diligence, provide guidance on procedural issues, help draft the registration statement, help coordinate the roadshow that the management team conducts, market the offering to investors, and deliver analyst coverage and other support (e.g., generating interest among other analysts in covering the company and its stock) once the IPO is complete. The selection of the managing underwriter typically signals the official starting point of the IPO process, which is accompanied by restrictions (e.g., what information can be communicated publicly) established by the U.S. Securities and Exchange Commission (SEC).

Underwriters’ Legal Counsel: The underwriters’ legal counsel, typically selected by the managing underwriter, supports the underwriters during the IPO process in negotiating and drafting the underwriting agreement with company counsel; conducts due diligence, document drafting and review; and ensures compliance with relevant state securities regulations and National Association of Securities Dealers (NASD) requirements.

Company Legal Counsel: The company’s selected legal counsel in the IPO transaction will take the lead in managing the IPO process and all the parties involved. Legal counsel will serve as the communications center among the company, the managing underwriters and their counsel, the external auditing firm, the financial printer, and other third-party vendors (such as the transfer agent and any specialised service providers). Along with the company’s external auditing firm, legal counsel will work with the company to ensure all preparatory work is done to support the contents of the registration statement. Legal counsel will conduct in-depth due diligence on the company to ensure that there are no preventable surprises during the process. Legal counsel will also draft and maintain the master registration statement until the document is transferred to the financial printer toward the end of the process. The registration statement is a highly regulated document that must comply with very specific securities regulations. Confirming compliance (both for the company and the registration statement) with securities laws and SEC rules and regulations will also be the duty of the company’s legal counsel. Legal counsel will also advise the company’s executives on proper behavior during the registration process (e.g., what the company can and cannot do during the “quiet period”) and assist the company in cleaning up any loose ends before the IPO process officially begins (e.g., ensuring the company has proper documentation on major contracts and confirming all pre-IPO stock has been properly issued). Legal counsel will respond to SEC comment letters after the registration statement has been filed and serve as a liaison between the company, the external auditing firm and the SEC.

External Auditing Firm: Pre-IPO companies must hire an external auditor in accordance with SEC requirements. The external auditor fulfills several roles during the readiness process and continues to serve as the company’s external auditor following the IPO when it conducts the annual auditing process. The external auditor’s pre-IPO role includes serving as a liaison between the company’s IPO team and the SEC; ensuring that all financial information in the registration statement complies with SEC requirements; and submitting a “comfort letter” to the managing underwriters and the company’s board of directors confirming that the financial statements and various financial data within the registration statement comply with all requirements.

Financial Printer: The financial printer assumes responsibility for managing registration documents throughout the process. These activities include version control during the drafting and editing of the registration statement, printing and distribution of the prospectus, and filing of the registration statement and other SEC filings via the SEC’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system and Extensible Business Reporting Language (XBRL).

Other External Service Providers: There are many potential accounting, financial reporting, system and resource issues to address for an IPO, including matters relating to financial statements, registration statement requirements, taxation, compensation, SOX compliance, project management, complex technical accounting issues and reporting system integration. Engaging external providers for transaction support and advisory services can provide the company with an objective view of issues and provide project management during this time-sensitive period.

Other Experts

The company may engage additional experts such as valuation and tax experts. Valuation experts may be required to value stock compensation issued to employees during the course of the year and within a short period of time before the IPO date (typically two years). Valuation of tangible and intangible assets for business combinations and impairment analysis may also be required. Management is required to understand and agree with the valuation methodology used in order to conclude on the accounting and disclosures.

The Form S-1 registration statement under the Securities Act of 1933 is the registration form that the SEC requires newly public companies to complete. It should be signed by the registrant’s principal executive and accounting officers, and by at least a majority of the board of directors. Companies joining a listing exchange need to complete the Form S-1 filing and have it accepted by the SEC before the transaction can be effected. There are a number of items required to be reported in this filing.

Examples of this information include:

• The company’s business model and an overview of its competitive environment
• Market and industry trends and data
• The amount of estimated proceeds from the public offering and how the company intends to use those proceeds
• Information related to the security, including the offering price methodology, and any dilution that may occur to other listed securities
• Risks associated with the business, which could include recent adverse developments or operating losses, the seasonality of the business, dependence on a few customers or suppliers, and the impact of current or proposed legislation
• Information regarding a company’s officers, directors, and principal shareholders, including extensive disclosures related to executive compensation
• Significant management discussion of recent financial results, comparison to prior periods, and future trends, risks and uncertainties
• Financial information, including two years of audited balance sheets; three years of statements of operations, cash flows and changes in shareholders’ equity; selected financial information for the past five years; and selected pro forma information. Financial statements for interim periods may also be required, depending on the timing of the initial registration statement.

Notwithstanding the above, smaller public companies and emerging growth companies (EGCs) – as defined in Question 61 – may present only two years of audited information and are not required to present selected financial information. See also Question 59 regarding the primary JOBS Act advantages related to the traditional financial reporting requirements of going public.

Recent history suggests that IPO readiness initiatives can have a positive impact on valuations and represent a key enabling factor to a successful offering. If the timing of the IPO is delayed, the company should strive to maintain its level of readiness for two reasons. First, the readiness effort requires a significant effort in terms of cost, time, business transformation and operational disruption. Allowing the state of readiness to deteriorate reduces the value of this investment.

Second, IPO market conditions can change quickly. When an appropriate IPO timing opportunity arises, it is far better to be prepared to take advantage of this opportunity than to engage in hurried, last-minute readiness activities that can add more cost, effort and risk to the process.

Yes. All pre-IPO companies are permitted to submit a draft on a confidential basis to the SEC staff for confidential nonpublic review prior to public filing, so long as the initial confidential submission, and any required amendments, are made public at least 15 days before the issuer’s commencement of a roadshow. It is important to note, however, that the confidentiality does not change the substance of what pre-public companies must accomplish to prepare for an IPO.

The IPO journey is complex and can lead to a number of potential oversights and mistakes along the way. Following are some of the most common pitfalls:

• Failure to assemble the right team to help take the organisation public. The team should possess previous IPO and PCR experience, and employees on the team should have the knowledge and bandwidth to participate fully in the readiness effort. Management also should remember that employees have their regular ongoing responsibilities; a successful path to PCR requires striking the right balance between IPO preparation and the performance of day-to-day business operations. Effective project management, including a carefully crafted readiness strategy and plan, also qualifies as critical. Effective project management should ensure there is a sufficient communication process across all stakeholders; provide clarity on team responsibilities; manage risk and issues; and provide effective coordination with auditors, legal counsel and other advisors.
• Underestimating the level of effort that will be required. Many organisations underestimate the time and effort the readiness effort requires. The journey to PCR involves a complex array of tasks, deadlines and focal points that require significant time, effort and attention throughout the organisation. Preparation activities should focus not only on going public, but also on maintaining sound financial reporting, corporate governance and other public company processes post-IPO.
• Failure to fully develop sound business processes and infrastructure, particularly those that support financial reporting processes. The importance of having strong processes supported by effective controls cannot be overstated. Organisations often scramble to pull together documentation that supports prior annual audits without focusing on the big-picture fundamentals of effective finance and the accounting functions and financial reporting processes that must be in place.
• Failure to assess the organisation’s IT readiness. An organisation’s ability to conduct accurate, timely and effective financial reporting and regulatory compliance hinges on the strength of applications and systems infrastructure. Many organisations do not fully anticipate the IT infrastructure support necessary to assist with the demanding reporting and compliance requirements that affect public companies.

The risks range from the need to delay the timing of the IPO (which frequently prevents the pricing benefits associated with conducting the IPO in favorable market conditions) to the addition of unnecessary costs and frustrations to the readiness effort.

Ineffective readiness processes frequently spark a “fire drill” mentality as the IPO date nears; this mindset can greatly reduce the pre-public company’s focus on daily business operations while causing errors that arise from the quick scramble to “patch” readiness issues rather than developing sound processes that serve the organisation better over the long term. Ineffective preparation processes can also contribute to post-IPO problems such as the need to prepare and issue financial restatements, which generates large amounts of additional internal work, and worse, poses a major risk from a shareholder value, litigation and reputation standpoint.

There are six primary infrastructure elements that need to be addressed during the PCR effort:

• Corporate policies
• Corporate processes
• People and organisation
• Financial statements and management reports
• Methodologies (e.g., those related to Sarbanes-Oxley compliance requirements, as well as to other financial controls)
• Systems and data, including robust cybersecurity protocols

From a functional perspective, the following capabilities need to be in place for a readiness effort to succeed. The organisational infrastructure elements identified above support the enablement of these organisational capabilities:

• Accurate Financial Reporting: Companies need to ensure they have the requisite skills and organisational infrastructure to understand the application of accounting principles and ensure accurate financial reporting.
• Accurate Forecasting and Budgeting: Similarly, companies should have the financial management skills needed to perform forecasting and budgeting in a relevant, accurate and useful way that enables the highest level of visibility, flexibility and business agility.
• An Efficient Financial Close: In order to meet SEC filing requirements, companies must ensure they have an accurate and efficient financial close process.^[2]
• Appropriate Corporate Governance and an Effective Internal Controls Structure (Sarbanes-Oxley Compliance): Ensuring the company has a robust regulatory and corporate governance understanding and an efficient internal control environment is critical to achieving initial and ongoing Sarbanes-Oxley compliance.
• Scalable IT Environment: Companies must review the IT system environment to ensure that it is able to handle the anticipated growth in the business.

From a qualitative perspective, one of the most important characteristics of successful PCR processes centers on an understanding that the effort requires significant time and resources. Executives who lead successful preparation and business transformation efforts truly understand the significant time, effort and scope involved in preparing to become a publicly held entity.

For this reason, successful PCR efforts typically begin with a formal assessment of current-state readiness. The insights generated during this evaluation are then used to tailor a formal and comprehensive road map that addresses each of the six key infrastructure elements (corporate policies, corporate processes, people and organisation, management reports, methodologies, and systems and data) and key functional capabilities (accurate financial reporting, accurate forecasting and budgeting, an efficient financial close process, appropriate corporate governance and regulatory compliance, and a scalable IT environment) that successful readiness demands (see Question 16).

Remediation activities within the capability areas of financial reporting, regulatory compliance (and Sarbanes-Oxley Section 404 compliance in particular) and IT readiness typically consume the most time and cost within the PCR process. This explains why a large percentage of IPO readiness road maps call for Sarbanes-Oxley readiness and IT readiness to commence as soon as the initial readiness assessment has been completed.

Sarbanes-Oxley Section 404 compliance is time-consuming due to the sheer volume of its requirements concerning internal controls assessment, implementation, testing and remediation. IT readiness frequently consists of the implementation of new software, including enterprise resource planning (ERP) packages, which normally qualifies as a large-scale corporate initiative. Companies may also need or want to address material weaknesses noted by their external auditors in pre-IPO audits. (Note that certain pre-public companies may be able to exercise a Section 404 exemption under the JOBS Act. See Questions 53-67 for specific guidance on this topic.)

Given the time-consuming nature of these regulatory requirements, pre-public companies should carefully – and as early as possible – consider certain major changes (e.g., the acquisition of another company, or the replacement of an external auditing firm with a new auditing firm) in the readiness process. These changes could result in large and costly amounts of additional work. As such, they require extensive evaluation and planning at the very beginning of the readiness effort.

While specific issues vary from company to company, most challenges relate to running the business. Pre-public companies, many or most of which are lean in staff, face the same daily operational and management challenges they confront on a daily basis; only these organisations need to address these challenges while also conducting a comprehensive, enterprisewide initiative (one that may at times feel like multiple major initiatives) over a period of 12 to 18 months, with no increase in internal resources.

Image

Management’s initial IPO preparation phase efforts should consist of an assessment that identifies a baseline view of the current state of readiness, followed by a road map designed to close the gap between the current state and IPO readiness. The key components of this diagnostic process consist of the following actions:

• Assess the current state of readiness against benchmarks for the six elements of infrastructure: corporate policies; corporate processes; people and organisation; management reports; methodologies; and systems and data.
• Identify the readiness of core public company transformation capability requirements for accurate forecasting and budgeting, reliable financial reporting, an efficient financial close, corporate governance and Sarbanes-Oxley Act (and other regulatory) compliance, and IT scalability (as well as any other major functional requirements by listing exchanges, such as the NYSE’s internal audit requirement).
• Assess the urgency of business transformation solutions needed to close identified gaps based on an analysis of costs and benefits along with consideration of the required road map.
• Develop work plans, a timeline and resource requirements to implement the appropriate solutions identified in the road map (see prioritisation map in Question 21 below).

A thorough diagnostic process and the creation of a comprehensive road map that is executed under the guidance of a rigorous project management approach will go a long way toward managing IPO risks — those that can be managed — and achieving PCR. While careful planning and foresight can help companies optimise the timing of their IPOs, external market conditions can always interfere with the best-laid plans.

When pre-public companies begin to address specific results from the initial assessment, they frequently take several of the following steps:

• Develop a baseline of appropriate accounting, operational and regulatory policies and procedures.
• Take stock of the maturity of key processes.
• Develop a baseline for the financial close and forecasting capabilities.
• Address skills gap and other organisational changes.
• Perform a risk assessment and initial scoping for Sarbanes-Oxley readiness and compliance.
• Assess the IT environment and consider the specifications of the right ERP system (if required).
• Establish a program management office to address incremental work streams and competing initiatives.

As pre-public companies start to form their readiness plans and prioritise resources accordingly, they also begin to address other common questions:

• Can we meet reporting timelines required by the SEC?
• Can we handle the complex accounting and disclosure requirements?
• Are our forecasting and budgeting capabilities sufficient?
• Is our IT infrastructure adequate for current time-sensitive reporting requirements and scalable to handle our anticipated growth? What areas of our IT organisation may require transformation?
• Is our cyber awareness and readiness sufficient to provide confidence to ourselves and others that our intellectual property and data are safely secured?
• Does the data used to manage and report our results have integrity?
• Will any unfavorable findings resulting from the audit of the previous three years of financial information negatively impact the timing of our public offering?
• Do we understand the Sarbanes-Oxley Act requirements and how we will prepare to comply? 

Image

Image

The number and complexity of rules related to financial reporting among public companies have increased significantly in the past decade. The ultimate risk of financial reporting problems — including delayed IPO filings and damage to a company’s reputation — can be severe. For these reasons, assessing and addressing the financial reporting risk profile (FRRP) of an organisation represents a crucial component of an effective PCR process.

The specific financial reporting risk areas that should be evaluated, understood and addressed include:

• Risks relating to the specific application of accounting principles and standards
• Consistency in applying financial reporting policies and rules
• Estimation, reliability and ongoing evaluation processes
• Forward exposure arising from changing rules or business transactions
• Valuation
• New accounting standards

Companies should develop and maintain policies and procedures for key financial and nonfinancial reporting and accounting areas based on a robust internal review process, as well as discussions with, and guidance from, their external audit firm. Management should assign the development of these policies to appropriate owners who maintain current knowledge on recent updates to reporting, accounting and auditing rules (e.g., from the SEC and the Public Company Accounting Oversight Board [PCAOB]) and accounting guidance (from the Financial Accounting Standards Board [FASB]) and make revisions and updates to internal policies and processes accordingly. Companies should conduct communication and training related to key accounting policies for all relevant finance and accounting staff.

Whatever the impact of any new accounting or reporting standards, or any other new pronouncements that may follow, there will likely be development and/or modification of policies and procedures; redesign of accounting and reporting processes; IT and ERP system controls updates or improvements; and program, project and change management issues, among other areas.

Companies will need to file their quarterly and annual financials within certain deadlines (see Question 35). Pre-IPO companies also need to meet specific disclosure requirements set by the SEC and report on the effectiveness of their internal control over financial reporting to comply with Sections 302 and 404 of the Sarbanes-Oxley Act. Of note, pre-IPO companies should be aware that the PCAOB continues to find both accounting and reporting deficiencies, as well as internal control deficiencies in registered public accounting firms’ audits of internal control over financial reporting.^[3]

Companies should work in an anticipatory mode to remain ahead of constantly changing financial reporting issues so that these issues do not become reputation-threatening problems after, or even during, the process of going public. Some of the most common causes of financial misstatements among newly public companies include insufficient technical competency, misapplication of financial accounting standards (particularly in the areas of revenue recognition and stock-based compensation), and a lack of supporting documentation.

Additionally, the audit committee, management and the disclosure committee should understand a broad range of financial reporting risks. (In fact, it is highly recommended that an organisation form an audit committee prior to going public.) These risks include accounting for transactions that contain significant judgments or estimates, complex transactions, accounting for related-party transactions, management override, inaccurate underlying data, and inadequate financial systems support.

Throughout the PCR process, underwriters will request financial projections and compare the company’s historical performance to its past forecasts. Companies will need to be able to demonstrate a track record of preparing realistic budgets and accurate forecasts, in addition to clearly articulating why variances have occurred. For early-stage companies, projections and profitability are some of the most important measures of performance. In the case of companies that are early stage with heavy R&D or otherwise pre-revenue, profitability may not be the primary focus, and other key performance indicators (KPIs) may be more relevant.

Analysts will expect the company to have determined the frequency and type of guidance it will disclose prior to the Analyst Day diligence session as part of the IPO process. After a company goes public, budgets and forecast projections will become an important tool for external research analysts. This information and a public company’s ability to meet its own earnings estimates and those of the investment community can have a significant impact on its stock performance. Therefore, accurate budgeting and forecasting is critical for a successful IPO, as the market allows little room for error, and significant underachievement might have an unfavorable impact.

KPIs are critical for offering valuable insights to current stakeholders and potential investors that can increase the attractiveness of a company. Choosing and accurately reporting KPIs and non-GAAP metrics can be a significant difficulty for pre-public companies. Failing to identify appropriate KPIs and non-GAAP metrics can result in the company not meeting expectations from investors and potentially impact the stock price.

When disclosing metrics in MD&A, management will need to have a clear definition of the metric and a description of how it is calculated; rationale for why the metric provides useful information to investors; and alignment as to how management uses the metric in managing or monitoring the performance of the business.

The SEC does not require companies conducting an IPO to include XBRL data in their registration statements. However, new issuers are required to provide XBRL financial statements in their first filing as a publicly listed entity.

XBRL can be described as the HTML (one of the internet’s underlying coding languages) of financial information; the technology attaches “data tags” to information in a financial statement to help investors, analysts and other readers more easily access, search, download, compare and analyse specific financial information. According to the SEC, XBRL will help investors and analysts more accurately compare the financial performance of different companies and also will help a greater number of smaller public companies attract the attention of analysts and investors. From a readiness perspective, the XBRL requirement represents a finance/IT skill that should either be on staff or easily accessible through an external source.

Currently, the answer is no, but that could change. Managers and board members at pre-public companies should remain attuned to developments in the ongoing convergence of IFRS and U.S. GAAP. Currently, the informal convergence of IFRS and GAAP continues through the collaboration between the International Accounting Standards Board (IASB) and the U.S. accounting standards setting body, the FASB.

Most U.S.-based public companies are monitoring ongoing GAAP-IFRS convergence and have seen a substantial impact from changes in revenue recognition and lease accounting. Many companies have assigned the management of this issue to a specific finance and accounting executive or manager with expertise in these areas.

Foreign private issuers (FPIs) are allowed to present their financial statements in conformity with IFRS as issued by the IASB, without reconciliation to U.S. GAAP. Alternatively, FPIs can present their financial statements in conformity with either U.S. GAAP or home-country GAAP along with a reconciliation to U.S. GAAP. An EGC FPI that elects to present financials on a home-country GAAP basis can elect the extended transition period for complying with new or revised financial accounting standards in the U.S. GAAP reconciliation.

All executive compensation and benefits programs, as well as other rewards programs that can potentially exert a material impact on financial reports, should be evaluated in advance of a public offering. Certain areas of compensation programs, including stock-based compensation and other pay components that can be classified as liabilities or equity, should be scrutinised to assess their accounting treatments and financial reporting implications.

The value of stock options granted to executives or other employees prior to a public offering frequently comes under the scrutiny of regulators once the company becomes publicly listed, particularly with regard to potential cheap stock issues. Companies may receive comments requiring explanations for valuations that appear unusual (e.g., unusually large increases in the fair value of the underlying shares leading up to the IPO). Option pricing methods should be carefully reviewed. Due to the technical nature of these issues, pre-IPO companies frequently enlist outside risk and compensation experts to assist with evaluations of compensation and benefits programs.

First, executive and unit management should be educated on all public reporting requirements. Second, the company should establish a disclosure committee (see Question 32) to review SEC reports in advance of its filing.

Keep in mind that all key business processes should be documented. These include a fair amount of financial reporting policies and processes, such as those that aid in the preparation of financial schedules for external auditors in the support of audits, filings, executive compensation policies, all employee benefit plans, and related disclosure requirements. Some key financial reporting policies that should be considered are segment reporting, earnings per share, stock compensation, non-GAAP measures and KPIs, revenue recognition and lease accounting.

Additionally, pre-public companies should design and implement a process for documenting conclusions on reporting and accounting matters. This process should:

• Provide background on current transactions, issues or circumstances that warrant an explanation (e.g., transactions involving significant estimates or judgments)
• Identify key accounting and reporting questions
• Reference all pertinent accounting standards and guidelines
• Outline facts, historical trends, available data and details of the transaction or issue
• Identify acceptable approaches and alternatives for applying the applicable standards and guidance
• Document management’s analysis and rationale for the selected alternative, applying the appropriate principle or standard

The finance staff should possess the skills necessary to understand the application of accounting principles (GAAP, non-GAAP financial measures and, in certain cases, IFRS); ensure reliable financial reporting (previous SEC reporting experience is highly recommended); understand the requirements, as well as the rigors of Sarbanes-Oxley compliance (again, specific compliance experience is preferred); develop current financial performance management processes (planning, budgeting and forecasting); work closely with the IT department to maintain the appropriate financial systems environment; and have the authority and expertise to maintain a close working relationship with external auditors, executives and the board of directors.

The primary financial system and data requirement focuses on the timely and accurate production of financial reports. The financial reporting, financial close and IT components of the readiness process ultimately should ensure that financial systems contain accurate underlying data that support the production of accurate financial information necessary to adhere to all of the SEC’s financial reporting requirements.

Other financial system and data requirements focus on activities such as the implementation of internal controls that help ensure the confidentiality, integrity and availability of financial systems and data. From a practical perspective, these requirements provide guidance and may lead to questions about the effectiveness of the current ERP system and supporting IT policies and procedures related to user access management, change management and IT operations (and other security-related considerations). Pre-IPO companies routinely discover that their IT departments and IT-related activities are one of the most significant and most time-consuming points of focus during the readiness effort; many pre-public companies seek to advance and optimise processes related to IT general controls (ITGC) as part of their readiness efforts.

First, it is important to note that the disclosure committee is a management committee, not a committee of the board. The mission of the disclosure committee is to make disclosure determinations for the company and to review the company’s disclosure guidelines on an annual basis. The disclosure committee may also oversee the sub-certification process related to compliance with Section 302 of the Sarbanes-Oxley Act. In many cases, the management disclosure committee consists of the chief executive officer (CEO), chief financial officer (CFO), chief information officer (CIO), and vice president of finance and/or the general counsel, as well as other managers who play important roles, directly or indirectly, in the production of financial statements.

Leading disclosure committee practices within pre-public and newly public companies include:

• The inclusion of seasoned professionals on the committee — professionals who understand the largest issues the company confronts
• A tone at the top from the CEO and CFO that clearly and continually emphasises the importance of disclosure procedures
• Members who are knowledgeable about the company’s key business units
• The inclusion in meetings of accounting managers and in-house and/or outside counsel who can provide guidance on developing regulatory issues, as well as accounting standards

Very carefully. In certain instances, some pre-public companies tend to avoid conducting major acquisitions in the months leading up to the IPO. On the other hand, an organisation’s strategy may be to acquire complementary companies in advance of an IPO to make the initial offering more substantial to investors. Managing multiple significant initiatives concurrently can be demanding on an organisation for many reasons. First, the complexity, scope and impact to the control environment of major acquisitions can be difficult to manage while a private company is simultaneously handling day-to-day business demands and conducting a far-reaching PCR effort. Second, there could be uncertainty as to how the acquisition will be integrated into the organisation and ultimately affect the value of the IPO. And third, the complexity of the accounting and financial reporting issues related to acquisitions may not be palatable at a time when the pre-public company’s finance and accounting function is busy adapting to public company accounting, financial reporting and regulatory compliance requirements. Additionally, public offering registration statements generally require inclusion of audited financial statements — along with other information, in many cases — for a “significant” acquisition, according to SEC guidelines (see Question 106).

This is not to say that private companies with PCR efforts underway should necessarily avoid acquisitions. Those that move forward with these transactions should do so only after careful consideration of how the acquisition might affect the IPO.

The FRRP is a proactive approach to identifying financial reporting issues and managing them to head off financial restatements before they occur, thereby better enabling management to focus efforts on more important matters and reduce the risk of reputational damage.^[4]

An effective FRRP focuses on six areas:

• Accounting principle selection and application
• Estimation processes
• Related-party transactions
• Business transaction and data variability
• Sensitivity analysis
• Measurement and monitoring

The underlying objective of an FRRP is to identify the most likely areas of potential misstatements so that the appropriate oversight and control can be established to lessen financial reporting risk. For these reasons — along with the fact that the focus areas listed above correspond to several of the most common reasons why newly public companies are forced to issue financial restatements — the financial reporting risk profile process represents a valuable PCR exercise.

Image

As depicted in the chart below, the size of your organisation, in terms of market value, will determine the filing deadlines. The 10-Q is required to be filed either 40 or 45 days after an organisation’s fiscal quarter-end, while the deadlines for 10-Ks vary between 60 and 90 days after fiscal year-end.

Image

Foreign private issuers are required to file an annual report within 120 days of the end of the company's fiscal year or if the fiscal year-end date changes. Quarterly reporting on Form 10-Q and current reporting on Form 8-K are not required.

Foreign private issuers are not subject to the quarterly reporting requirements of Exchange Act Rules 13a-13 and 15d-13. Foreign private issuers that file annual reports on Form 20-F are required only to furnish promptly, in a Form 6-K, material information:

(i) Distributed to stockholders or to a national exchange, if made public by that exchange, or

(ii) Required to be made public by its domestic laws [Exchange Act Rules 15d-13(b) and 13a-13(b)].

An EGC is defined as having total annual gross revenue of less than $1.235 billion and is exempted from certain regulatory requirements (e.g., Section 404(b) of the Sarbanes-Oxley Act of 2002) for up to five years unless:

• Its total annual revenues are $1.235 billion or more;
• It has issued more than $1 billion in non-convertible debt in the past three years; or
• It becomes a large accelerated filer.

No. The smaller reporting company thresholds do not affect the application of the current thresholds contained in the SEC’s “accelerated filer” and “large accelerated filer” definitions.

Accordingly, companies with $75 million or more of public float that qualify as smaller reporting companies will remain subject to requirements applicable to accelerated filers. These requirements include the timing of the filing of periodic reports and providing an annual auditor’s attestation of management’s assessment of internal control over financial reporting as required by Section 404(b) of the Sarbanes-Oxley Act.

The SEC may consider additional changes to the “accelerated filer” definitions that, if adopted, would have the effect of reducing the number of companies that qualify as accelerated filers. Currently there is an overlap between the smaller reporting company thresholds and accelerated filer thresholds and, as such, qualifying as a smaller reporting company will now no longer automatically make a registrant a non-accelerated filer.

The two primary risks consist of (1) committing an error that later necessitates a financial restatement, and/or (2) missing a required filing deadline. Both can lead to a loss in investor confidence and, consequently, a potential reduction in stock price. Financial restatements can result in SEC fines, lawsuits, reputational damage and significant reductions in shareholder value. Restatements also require an exhaustive internal effort and can be highly disruptive. Other risks, while they fall short of the magnitude of problems restatements cause, also qualify as problematic. An inefficient financial close process reduces the amount of time that senior management, the board, external legal counsel and external auditors have to review earnings releases. This can make it more challenging for management to explain variations between periods. On an operational level, inefficient financial close processes tend to consume significant amounts of the finance function’s time and prevent corporate finance from executing more value-added activities.

A number of different shortcomings cause the problems described above, including limited oversight and monitoring, moving-target “due dates,” lack of a big-picture understanding, lack of knowledge about dependencies, poor checklist version control, low-priority tasks in the critical path, inefficient use of resources, and unclear links to Sarbanes-Oxley Section 302 certification requirements.

The most effective and efficient financial close processes tend to be defined by a tone at the top that clearly communicates the importance of a quick and accurate close. Efficient financial close processes are typically supported by enabling tools, including:

• An overall finance calendar highlighting significant month-end, quarter-end and annual activities 
• Detailed calendars by functional area (e.g., general accounting, financial planning and analysis) that integrate with the overall finance calendar
• A comprehensive close task list (or activity checklist) 
• Process flows and activity diagrams, which are helpful to ensure adequate controls are in place and the distribution of workload is optimised across the team to minimise bottlenecks in the process 

Leading companies not only implement these tools, but also automate the activities within them. For example:

• Auto-alerts can be established to notify preparers, reviewers and senior management if a deadline is close to approaching or has already passed.
• Workflow can be automated for the review and approval process.
• Dashboards can be created and customised for multiple levels within the finance team to provide transparency into the overall process. 

The following actions can help compress closing process cycles:

• Determine all key stakeholders in the close process and assign clear accountability.
• Identify key events along the close cycle, and eliminate bottlenecks, unnecessary steps and redundancies within steps.
• Develop comprehensive and supporting detailed close calendars and close activity checklists.
• Set demanding yet realistic expectations given your organisation’s resources and current capabilities.
• Develop an approach in which portions of the close process occur prior to period-end.
• Measure and monitor close process performance.

A close-activity checklist enables task-level management of the close process, which in turn enables the monitoring of daily performance and the capturing of performance data that can be used to alert finance and accounting managers to areas of the process that may require adjustments or a more comprehensive redesign. The checklist, which frequently consists of a shared file or other commercially available technology, ultimately can enable everyone from staff through executives to monitor the close on a daily basis through dashboard metrics.

The first step in developing a checklist is to understand the roll-ups and accountabilities. Managers can achieve this understanding by answering questions such as, “Do business units, individual locations and shared service centers need their own checklists?” and “Is there value in consolidating checklists for all entities, locations and divisions into one master checklist?”

Once the tiers and level of detail required for the checklist are established, the format can be designed. To produce effective reporting, the checklist design should remain simple yet detailed enough to capture relevant data for each activity type (e.g., reconciliations, manual journal entries).

Another leading financial close practice consists of creating a close manager position, preferably at the same time a company produces its close checklists. The close manager is responsible for ensuring the completeness of the close each month by monitoring performance continually during the close via daily status meetings and issue resolution checkpoints. This individual also works to improve performance continually by analysing month-to-month performance against plan targets, then recommending — and, when appropriate, implementing — process changes.

A close dashboard, which is populated with information culled from the close activity checklist, provides an organisation with a high-level view of when clusters of close activities are actually performed. These dashboards can be used to monitor performance by region, function, activity and process owner, among other categories. These reports provide support to the daily close status meetings that close managers conduct and help identify opportunities for rebalancing the allocation of close tasks, clarifying dependencies, and redistributing the timing of activities.

As described above (Questions 38-42), close calendars, activity checklists, close managers and dashboards represent tools that proactive pre-public companies use to strengthen their financial close processes. While spreadsheets represent the most common supporting technology for these practices, other technology tools are available that provide more sophisticated support of accounting and financial data and reporting.

Section 404 of the Sarbanes-Oxley Act requires the greatest volume of work among the law’s many components, but it is far from the only provision that requires attention and action during a PCR effort.

Section 404 lays out requirements related to internal control over financial reporting (ICFR) that should be in place for a company to achieve compliance with the law (see table below). Section 404 consists of two parts. The first part (Section 404(a)) requires an internal control report issued by management. Management must document, evaluate, test ICFR and remediate control deficiencies, if any, to support an assertion in the internal control report that ICFR is effective.

The second part of Section 404 (Section 404(b)) is an attestation requirement. For companies that are accelerated filers or large accelerated filers, the effectiveness of ICFR must be attested to by an external auditor and the auditor’s report on ICFR (typically combined with the report on the financial statements) included in the company’s financial reports. Newly public companies generally must include management’s ICFR report and the auditor’s ICFR attestation in their second annual report (after becoming a public company). Sarbanes-Oxley also requires quarterly disclosures related to controls over financial reporting. An emerging growth company (EGC) is exempted from certain regulatory requirements, including Section 404(b) of the Sarbanes-Oxley Act, for up to five years or until certain other criteria are met, as noted below.

Given these deadlines, newly public companies can elect to delay the achievement of Sarbanes-Oxley compliance until after they become public; however, doing so exposes the organisation to serious risks, including the burden of a highly compressed compliance effort amid numerous other challenges newly public companies confront, a lower likelihood of developing a sustainable compliance program, and a greater chance of noncompliance.

Becoming Sarbanes-Oxley (SOX) Ready

Image

Notes:

*An emerging growth company (EGC) is exempt from certain regulatory requirements for up to five years or until the earliest of four dates: the last date of the fiscal year following the fifth anniversary of its IPO; the last date of the fiscal year where total annual gross revenues are greater than $1.235 billion; the date the issuer has, during the previous three-year period, issued more than $1 billion in nonconvertible debt; or the date the company is deemed to be a “large accelerated filer.”

First-time Sarbanes-Oxley compliance readiness requires approximately four to six quarters, depending on the size and complexity of the organisation and the Sarbanes-Oxley compliance expertise it enlists to support the effort. It is highly recommended that companies preparing for an IPO launch their Section 404 compliance activities as soon as the initial readiness assessment has been completed (see Question 44).

Many of the internal control and reporting mechanisms of Sarbanes-Oxley require months to implement, and changes in relationships involving board members and/or auditors may require extensive time to put into place. Additionally, due to demands from investors and analysts, many key executives do not have the time to play major roles in post-IPO Sarbanes-Oxley compliance efforts.

Leading compliance practices include establishing the right tone at the top; dedicating sufficient resources (i.e., enough people who possess the right expertise); implementing a top-down, risk-based approach; implementing supporting automation where possible (and/or activating automated controls in existing software); seeking out opportunities for process improvements during the compliance work; maintaining a close and constructive relationship with external auditors; and, above all, devoting sufficient time and project/process management discipline to the effort.

Fortunately for newly public companies, the intense difficulty and confusion that characterised most early Sarbanes-Oxley compliance efforts have lessened to an extent. However, these efforts are constantly evolving. The PCAOB, which oversees external auditing firms, and the SEC have provided additional guidance that has helped clarify confusing aspects of the regulation while promulgating a more risk-based approach. Additionally, Sarbanes-Oxley compliance lessons have been learned by public companies and their external auditing partners.^[5]

The most relevant lessons pre-public companies can glean from recent Sarbanes-Oxley compliance history include the following:

• It is never too early to begin the compliance process, which always requires more time than a compliance team initially estimates.
• A top-down, risk-based approach is critical to a successful and efficient compliance program.
• The number of internal controls is the primary cost-driver of Sarbanes-Oxley compliance.
• Because the market for Sarbanes-Oxley compliance talent and expertise remains challenging, organisations should hire resources and/or bring in third-party experts and auditors early.
• A one-size-fits-all approach to compliance does not exist.

• Have we fielded a board of directors of the right size, structure, experience and depth to guide us in our decisions and provide the requisite oversight?
• Have we established the appropriate oversight, policies and procedures, internal controls, and infrastructure necessary to be a public company?
• Have we incorporated the 12 to 18 months of lead time typically required to achieve Section 404 readiness?
• Do we have individuals with appropriate experience and qualifications in our finance function?
• Are we taking advantage of the application controls in our IT system (and especially our ERP application), or are we expending our resources on many manual controls, which ultimately will require more time and money to test?
• Does management and our audit committee know where the key risks within our financial reporting processes exist?

The most common internal control deficiencies disclosed by public companies include problems with financial systems and procedures (which include the financial close and inventory processes, as well as account reconciliation), personnel issues (which cover segregation of duties, inadequate staffing and, sometimes, training), revenue recognition, documentation, lack of technical competence (i.e., accounting and financial reporting), and IT systems and controls (which include improper personnel access as well as external security concerns).

No, the first external auditor’s attestation of internal controls generally appears in the second annual report a company files following its IPO, according to current Sarbanes-Oxley Act deadlines determined by the SEC. However, there are multiple sections to the Sarbanes-Oxley Act, and while Section 404’s requirements do not become effective until the second annual report, the Sections 302 and 906 certifications (signed by the CEO and CFO) are required in the initial filing. Sections 302 and 906 require the CEO and CFO to certify that the financial statements are accurate and the information is fairly presented and complies with the requirements of the Sarbanes-Oxley Act. It is important to note that control deficiencies or material weaknesses could be identified during the pre-IPO financial statement audits and thus would be subject to remediation. They could also be identified by the auditor during the audit of the first year following the IPO. Therefore, even though a Section 404(b) attestation may be delayed until the second annual report following the IPO, ICFR issues can and will be raised by the auditor if there are significant weaknesses creating audit adjustments.

Companies will often engage a consulting firm to conduct a comprehensive PCR assessment prior to an IPO. These assessments cover multiple areas, including corporate governance and Sarbanes-Oxley compliance readiness. One output from this assessment is a Sarbanes-Oxley readiness road map with key activities, timelines and resource commitments to get the organisation ready for its compliance requirements.

Image

Notes:

* An emerging growth company (EGC) is exempted from certain regulatory requirements, including Section 404(b) of the Sarbanes-Oxley Act of 2002, for up to five years or until the earliest of four dates:

• The last date of the fiscal year following the fifth anniversary of the issuer’s IPO
• The last date of the fiscal year where total annual gross revenues were more than $1.235 billion
• The date the issuer has, during the previous three-year period, issued more than $1 billion in nonconvertible debt in the past three years
• The date the company is deemed to be a large accelerated filer

From a resourcing perspective, companies need internal compliance talent, access to external compliance expertise (particularly in the area of IT-related controls and risk management), IT support (which often takes the form of risk and compliance-related software), and an ongoing training and communications effort to ensure business process ownership of internal controls monitoring and the active management of compliance processes. From a less-tangible resources perspective, public companies truly need to establish an appropriate tone at the top to ensure that maintaining an effective and efficient approach to compliance remains top of mind throughout the entire organisation.

Maintaining Sarbanes-Oxley compliance in a sustainable fashion requires ongoing attention from senior executives, daily hands-on management and a healthy working relationship with external auditors. However, as a growing number of public companies are realising, sustainable compliance efforts can deliver returns on investment that include process improvements and cost reductions.

Once initial Sarbanes-Oxley Section 404 compliance is achieved, the focus of the program should shift to ongoing management and continuous improvement. The primary opportunities for improvement include the handoff of internal controls monitoring and management responsibilities from the compliance team — which often initially consists primarily of internal audit and corporate finance and accounting managers — to business process owners. This transition is often accompanied by the introduction of supporting software and/or the reevaluation of existing financial systems to ensure that internal controls options are being utilised. This software is used to reduce the amount of manual, and therefore more error-prone, compliance work around internal controls monitoring.

From a practical perspective, three of the most important compliance activities occurring on a regular basis are Section 404 reporting on internal controls, Section 302 certifications (by the CEO and CFO) of the quarterly financial statements, and the ongoing operation of a whistleblower hotline that is available for employees to use to report possible ethics and compliance issues anonymously. Internal controls reporting and related certifications typically require a cascade of reporting and, often, certifications throughout the company’s business processes related to financial reporting.

In the end, the company will need to build a process that includes the following key elements:

• Planning and scoping
• Development of process and control documentation
• Controls design assessment and design effectiveness testing
• Controls operating effectiveness testing
• Remediation of design and testing deficiencies
• Filing year retesting
• Year-end management’s assertion and assessment procedures, including formal evaluation of unremediated control deficiencies

Broadly, the law is intended to make it easier for small businesses and entrepreneurs to attract investors and access capital while complying with U.S. securities laws. More specifically, and more relevant for PCR efforts, the JOBS Act created a new category of reporting companies — “emerging growth companies” — that are no longer subject to certain SEC regulations previously required of newly public companies. Understanding the definition of an EGC is very important; determining when EGC status applies and when it no longer applies will, at times, represent a complex and confusing process for many companies.

EGCs have a reprieve (of up to five years) from a number of rules and requirements, including:

• Section 404(b) of the Sarbanes-Oxley Act (auditor attestation of internal control over financial reporting)
• The furnishing of three years of audited financial statements (EGCs going public are required to submit only two years of audited financials)
• The submission of five years of selected and summary financial data (number of years required to be presented is consistent with years of audited financial statements presented)

In effect, the JOBS Act exempts EGCs for up to their first five years in the public market from the compliance burdens (and costs) associated with Sarbanes-Oxley Section 404(b). These companies will still have to comply with Section 404(a) of Sarbanes-Oxley, which requires management to issue an internal control report beginning with the company’s second annual report following its public offering, as well as comply with other provisions requiring disclosures and certifications pertaining to the control environment.

An emerging growth company is defined as an IPO issuer that had total annual gross revenues of less than $1.235 billion (indexed for inflation by the SEC approximately every five years) during its most recently completed fiscal year. Under the JOBS Act, there are a number of parameters for determining how long a company retains its EGC status or eligibility.

Once designated an EGC (by posting annual gross revenues of less than $1.235 billion during its most recently completed fiscal year), a company retains its EGC status until the earliest of the following dates:

1. The last day of the fiscal year of the issuer following the fifth anniversary of the date of the company’s IPO of common equity securities
2. The last day of the fiscal year during which the issuer had total annual gross revenues of $1.235 billion or more
3. The date on which the issuer has, during the previous three-year period, issued more than $1 billion in nonconvertible debt
4. The date on which such issuer is deemed to be a large accelerated filer.

With respect to the last date, a large accelerated filer is an issuer that meets the following requirements at the end of its fiscal year:

• The issuer had an aggregate worldwide market value of the voting and nonvoting common equity held by its non-affiliates of $700 million or more as of the last business day of the issuer’s most recently completed second fiscal quarter.
• The issuer has been subject to the requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934 (Exchange Act) for a period of at least 12 calendar months.
• The issuer has filed at least one annual report pursuant to Section 13(a) or 15(d) of the Exchange Act.
• The issuer is not eligible to use the requirements for smaller reporting companies in Part 229 of the Exchange Act for its annual and quarterly reports.

The Fixing America’s Surface Transportation (FAST) Act of 2015 further amends Section 6(e)(1) of the Securities Act to enact a “grace period” for an EGC that subsequently ceases to be an EGC after confidentially submitting or publicly filing its IPO registration statement.

The amendment provides that the issuer will continue to be treated as an EGC until the earlier of (1) the date that such issuer consummates its IPO pursuant to such registration statement, or (2) the end of the one-year period beginning on the date the issuer ceases to be an EGC.

In addition, FAST provides additional accommodations to EGCs, including shortening the number of days (from 21 to 15) for publicly filing documents prior to the issuer road show.

The JOBS Act applies to all EGCs that conduct an IPO, including new foreign filers.

Yes, but with a caveat.

An issuer qualifying for EGC status may forgo reliance on any exemption available to it. For example, if the issuer has competitors that are already reporting companies, it may, for competitive reasons, choose to provide more robust disclosures than would otherwise be required of it as an EGC. However, if the EGC chooses to comply with financial reporting requirements applicable to non-EGCs, it must comply with all of the requirements.

In other words, an EGC-eligible company cannot opt in or opt out of specific requirements; a company eligible for EGC status is either “all in” or “all out,” with no ability to “cherry-pick” compliance requirements. Additionally, any decision by the company to take advantage of its right to claim “EGC status” must be made at the time it files its first registration statement or Exchange Act report. If the company chooses to disclose beyond what is required of an EGC, it cannot revert back to claim an EGC exemption at a later date.

In addition to reducing part of the Sarbanes-Oxley compliance burden, the JOBS Act is intended to reduce the costs of going public by providing newly public companies with a temporary reprieve from other SEC regulations by phasing in certain regulations over a five-year period. This allows smaller companies to go public sooner and permits a more streamlined reporting approach for these issuers. Specifically, the JOBS Act:

• Expands the eligibility requirements of SEC Regulation A to include companies conducting direct public offerings of up to $50 million, meaning the aggregate share offering amount a company can make before it must register the offering with the SEC has been increased from the prior threshold of $5 million
• Permits general solicitation in direct public offerings, thereby broadening the investor base (a revision to the SEC’s Rule 506 of Regulation D)
• Allows an EGC to engage in oral or written communications with qualified institutional buyers and institutional accredited investors (as defined in Rule 501 of the Securities Act) in order to gauge their interest in a proposed IPO either prior to or following the first filing of the IPO registration statement
• Exempts from registration under the 1933 Securities Act transactions involving the offer or sale of securities by an issuer over a 12-month period of either (a) $1 million or less or (b) if the issuer provides potential investors with audited financial statements, $2 million or less, with both amounts adjusted by the SEC for inflation
• Allows small businesses to use advertisements to attract investors and increases the number of shareholders that can invest in a private company to 2,000, or 500 who are not accredited investors (i.e., investors who purchased shares via crowdfunding), without triggering SEC reporting requirements

These provisions are designed to provide more flexibility for companies to “test the waters” in the investor community. During the time it takes to pursue an IPO, an issuer may need to conduct a private placement in order to raise capital to permit it to continue to carry out its business plans and to cover the expenses associated with preparing for the IPO. While the SEC provided additional interpretive guidance that offered greater certainty for issuers that must complete a private placement to institutional investors while they are pursuing an IPO, the ability to explore these opportunities adds further flexibility, particularly as market conditions change.

Crowdfunding leverages social media to provide funding for a variety of ventures. Sometimes called “crowdsourced funding,” it focuses on pooling money from individuals who have a common interest to support disaster relief, charitable causes or political campaigns and are willing to provide small contributions toward the venture, usually via the internet. When the goal of crowdfunding is commercial in nature and there is an opportunity for crowdfunding participants to share in the venture’s profits, federal and state securities laws will likely apply. The JOBS Act requires websites involved in crowdfunding to register with the SEC while requiring companies seeking to raise money in this manner to provide information on their financial status, business plans and shareholder risks.

With respect to reporting to the SEC, the JOBS Act permits EGCs to:

• Submit a draft registration statement on a confidential basis to the SEC staff for confidential nonpublic review prior to public filing, so long as the initial confidential submission, and any required amendments, are made public at least 15 days before the issuer’s commencement of a roadshow. Non-EGCs are also permitted to submit draft registration statements to IPOs for review on a nonpublic or confidential basis.
• Prepare an equity IPO registration statement with two years of audited financial statements (as opposed to the prior requirement calling for three years of audited financial statements). However, this provision only applies to an equity IPO registration statement. It would not apply to other registration statements or to periodic reports, such as the Annual Report on Form 10-K under the 1934 Exchange Act.
• Adopt any new or revised accounting standards using the same time frame as private companies if the standard applies to private companies. This provision would apply to future registration statements and periodic reports, such as the Annual Report on Form 10-K under the 1934 Exchange Act. Usually, new accounting standards provide for a less-demanding timeline for private companies (compared to public companies) in transitioning to, and implementing, the new standard.
• Permits, through the FAST Act, an EGC that filed or confidentially submitted its registration statement to omit financial information for historical periods that would otherwise be required by Regulation S-X at the time of filing or submission, provided:
  • The EGC reasonably believes the omitted financial information will not be required to be included in the filing at the time of the contemplated offering, and
  • The issuer amends the registration statement prior to distribution of the preliminary prospectus to include all financial information required at the time of the amendment.
• Provides that an EGC may comply with the SEC’s executive compensation disclosure requirements on the same basis as a smaller reporting company. Specifically, the definition of a smaller reporting company includes registrants with a public float of less than $250 million, as well as registrants with annual revenues of less than $100 million for the previous year and either no public float or a public float of less than $700 million.^[6] It also exempts an EGC from certain provisions of the Dodd-Frank Act, including current and future executive compensation-related disclosures (e.g., the “say-on-pay” vote requirement), the advisory vote on golden parachute payments requirement (“say-on-golden parachutes”), the requirement to disclose the relationship between executive compensation and the financial performance of the company (“pay-for-performance”), and the CEO pay-ratio disclosure requirement.
• So long as it retains its EGC status, exempts the issuer from complying with the internal control attestation requirements of Sarbanes-Oxley Section 404(b), as well as any future PCAOB rules that might be adopted relating to mandatory audit firm rotation or supplemental auditor discussion and analysis reporting.

There are several potential missteps companies can commit with regard to the JOBS Act. First, companies planning an IPO that neglect to pay sufficient attention to the JOBS Act requirements for retaining EGC status do so at their own risk. For example, it would be a mistake to presume that the five-year exemption from Sarbanes-Oxley Section 404(b) compliance is a given.

Second, companies that fail to understand EGC status fully – and fail to monitor their ongoing EGC eligibility once they have concluded their IPO – also are exposed to potential surprises presenting compliance issues. For example, suppose that an EGC with a December 31 fiscal year-end enjoys an unexpected flurry in its fourth-quarter revenues, boosting its annual sales over the $1.235 billion threshold or achieves a $700 million capitalisation market value the following second quarter post effective date (after filing an annual report). According to the JOBS Act, these not-uncommon situations would strip the company of its EGC status, effective that fiscal year. This would, in turn, subject the company to the attestation requirements of Section 404(b) for that year (unless the company is exempted as a non-accelerated filer). The point is that the company must monitor its EGC status carefully and be aware of potential triggers that would lead to a non-EGC status determination.

The SEC may issue specific interpretations to issuers providing a transitional period in the case of the dates triggering the Section 404(b) attestation requirement. Without transitional relief, instances may likely arise where a company will be forced to complete a large amount of detailed work (e.g., preparing for the Section 404(b) attestation process) in collaboration with outside parties (e.g., its external auditor) in a highly condensed time frame. Such occurrences can cost a lot of money if the activity is conducted in crisis mode. Given this type of possibility, companies and their advisors should watch for any interpretations issued by the SEC staff on these or other matters.

Another significant risk is that, although the JOBS Act may not require certain financial information and disclosures, companies may be required to provide the additional information to other stakeholders.

There are two reasons. First, a company must achieve and maintain EGC status in order to enjoy the exemptions provided in the JOBS Act. Second, determining when EGC status no longer applies can be a challenging undertaking, as well as one with significant implications on regulatory compliance activities.

A company that qualifies as an EGC needs to understand what is likely to happen to its business during the five-year exemption period. The EGC status only applies until the earliest of four dates outlined previously (see Question 55).

As noted earlier, if a company exceeds the threshold of one of the EGC tests in Year Three after going public, it will need to be prepared to comply with Section 404(b), unless the SEC provides interpretive relief in the form of a transition period. As a result, a prospective IPO candidate expecting to qualify as an EGC should carefully consider how its growth trajectory may affect its EGC status and monitor its ongoing status over time.

While the JOBS Act provides for potentially easier but limited capital-raising as well as relaxations in certain disclosures, solicitation and past financial information, it leaves unchanged numerous existing SEC and stock exchange requirements for newly public companies. Concerning corporate governance requirements, EGCs still must satisfy the following areas, among many others:

• Annual proxy statements
• Annual shareholder meetings
• Accounting and auditing complaints hotline
• Independent audit committee containing at least one financial expert
• Compensation and nominating committees of the board
• Board risk oversight disclosures
• Compliance with relevant stock exchange listing standards
• Compliance with insider trading restrictions

Concerning finance, accounting and internal controls requirements, EGCs must continue to prepare for quarterly external auditor reviews, perform effective profit-and-loss forecasting, and implement and maintain adequate information systems, among other activities.

No. The JOBS Act does not exempt an EGC of its responsibilities under Sarbanes-Oxley Sections 302 and 906, nor does it relieve management of the responsibility to comply with Section 404(a) of Sarbanes-Oxley. These compliance requirements of EGCs and other newly public companies include the following:

• Upon going public, the disclosures and executive certifications required by Sections 302 and 906 must be filed in quarterly and annual filings under the 1934 Exchange Act, effective immediately. The initial focus of these requirements is on disclosure controls and procedures.
• Regarding internal control over financial reporting, management must disclose each quarter any material changes occurring in the internal control environment.
• Beginning with the second annual report on Form 10-K filing after going public, management must issue its internal control report, pursuant to the requirements of Section 404(a), which includes the company’s assertion on the effectiveness of internal control over financial reporting.
• Once the first internal control report is issued, subsequent executive certifications issued quarterly, as required by Section 302, must incorporate language regarding internal control over financial reporting — in effect, adding additional certifications for management to make on a quarterly basis.

A company planning an IPO needs to pay attention to the JOBS Act requirements and, specifically, to its ongoing EGC status if it achieves eligibility and elects to file and report as an EGC. A prospective IPO candidate expecting to qualify as an EGC will want to evaluate its plan for growing the business after going public to ascertain if and when it might lose its EGC status prior to the five-year anniversary date, and to put monitoring processes in place to be able to react to changes midyear, so that it is able to comply in the first year in which a higher level of compliance is required.

Aside from the exemptions discussed herein, the JOBS Act does not in any way preclude a pre-IPO company from needing to work through a large assortment of public company transformation activities related to financial reporting, the financial close, Sarbanes-Oxley compliance (except for Section 404(b)), corporate governance, risk management, the creation of a scalable IT environment, and numerous other legal and procedural considerations.

In short, nearly all of the steps suggested in the Guide to Public Company Transformation remain highly recommended, if not necessary.

Yes. Many facets of the law took effect when it was enacted in April 2012, while other provisions were not finalised until early 2015. Still other facets of the law were not implemented by the SEC until late 2015.

It is also important to note that the law, despite its bipartisan support and ultimate passage, experienced opposition during the legislative process. Some senators tried to reinstate across-the-board investor protections and were successful in adding the crowdfunding provision as an amendment. SEC commissioners, including the chairperson, as well as institutional investors and consumer advocacy groups, expressed concerns that the legislation goes too far in removing SEC oversight. This general view maintains that the legislation may create greater risks for investors and ultimately could erode confidence in the capital markets. Any pattern of significant abuses of investors by companies filing as EGCs can create pressure on Congress to reconsider the JOBS Act, either portions of it or all of it.

These concerns may affect both the nature and the timing of the SEC’s full implementation of the JOBS Act. As a result, it behooves leaders at companies considering public offerings to monitor JOBS Act developments closely, including rulemaking and SEC staff guidance.

During the IPO process, companies often underestimate the number and complexity of requirements necessary to complete the offering transaction. In addition, there are numerous ongoing initiatives and obligations, as well as the addition of regulatory and marketplace scrutiny, that influence public companies. For these reasons, an early, well-thought-out assessment of a company preparing to go public can help identify and address issues that typically arise during the IPO process, including the following:

Corporate Issues: The readiness team should identify important contracts and agreements that may influence the offering, including change-of-control triggers in agreements, undocumented or vague arrangements between various commercial and related parties, and weak confidentiality protocols. The team should also address any unresolved intellectual property issues, as well as outstanding litigation and contingencies.

Liability Concerns: Federal securities laws require accurate and complete disclosure of all material information necessary for an informed investment decision. A material misstatement or an omission of a material fact can result in liability to the issuer, its directors, “controlling” persons and the underwriters. A comprehensive due diligence process can reduce risks related to incomplete disclosure of material information.

Company Considerations: During the readiness effort, IPO teams should carefully examine if and how executive compensation and employee benefit plans may influence the public offering. IPO teams also should review new equity incentive award plans for potential accounting and financial reporting implications. Additionally, IPO teams should establish a disclosure committee (a company committee, not a board committee) responsible for establishing disclosure guidelines, parameters for determining and addressing material events, and oversight of the sub-certification and reporting process (in accordance with Sarbanes-Oxley compliance efforts). In doing so, the IPO team should appoint to the disclosure committee seasoned financial and operational professionals, as well as subject-matter experts who are knowledgeable about the company’s key business units.

In the early stages of preparing for an IPO, a company’s legal department should evaluate opportunities to address any legal areas that may be affected by the IPO. For example, the company should inventory and review its key processes and determine what impact the IPO will have on each. Specifically, the company should consider taking the following actions:

• Inventory and review key contracts and agreements for any confidentiality concerns or change-of-control triggers
• Formalise any significant undocumented arrangements, including employment agreements
• Assess and attempt to settle any outstanding litigation and contingencies
• Revise formal reporting and documentation throughout the organisation
• Review financing arrangements for prepayment penalties and impact of a trigger event, such as an IPO.
• Revisit venture capital and other documents, such as shareholders’ agreements, buy-sell agreements and registration rights agreements
• Designate both a secure physical and electronic data room to retain key documents
• Formalise the company’s document retention policy

Regarding disclosure activities, the company’s in-house legal counsel should work closely with outside counsel to ensure that all disclosure requirements are met. Federal securities laws require accurate and complete disclosure of all material information necessary for an informed investment decision. A material misstatement or omission can result in liability to the issuer, its directors and controlling persons, and the underwriters of the IPO.

The pricing committee is responsible for approving the pricing terms of the common stock offering. The board of directors is responsible for designation of the company’s pricing committee, which typically consists of key members of the company’s executive management (e.g., CEO, CFO and general counsel), as well as key professional advisors, such as underwriters, ownership groups and other parties with significant ownership interest.

As mutually defined by the NYSE and Nasdaq, a “controlled company” is a company of which more than 50 percent of the voting power for the election of directors is held by an individual, a group or another company. This level of holding effectively places the holder of the majority shares in a position to control the outcome of the voting on any shareholder issue. However, the exact degree of control is determined by the terms of participation contained within the purchase agreements for the shares and the bylaws of the company proper.

Under NYSE regulations, a controlled company must comply with almost all of the provisions of Section 303A Corporate Governance Standards. In short, controlled companies are exempt from the requirements regarding majority board independence, as well as the establishment of compensation committees and nominating/governance committees. A controlled company relying on this exemption must disclose in its annual meeting proxy statement (or, if the company does not file proxy statements, in its annual report) its status as a controlled company and the basis for determining that it is a controlled company.

Under Nasdaq rules, a controlled company is exempt from the following requirements: the majority independent board member requirement, independent director oversight of director nominations, nominations committee charter or board resolution, and independent director oversight of executive officer compensation. It is important to note that controlled companies must still maintain an independent audit committee, establish a code of conduct and hold executive sessions with independent directors on a regular basis. A controlled company relying on this exemption must disclose in its annual meeting proxy statement (or, if the company does not file proxy statements, in its annual report) its status as a controlled company and the basis for determining that it is a controlled company.

The phrase “gun jumping” refers to communications that violate sections of SEC regulations related to how and when information about a pre-public company’s securities is shared. An issuer, underwriter and any other person involved in a public offering must be very careful when distributing information concerning the issuer or its securities.

The Securities Act of 1933, which created the SEC, imposes certain restrictions and parameters of permissible communications during three periods:

1. The period beginning when the company reaches an agreement with the managing underwriter to make a public offering and ending when the registration statement containing the issuer’s preliminary prospectus is filed with the SEC — the “pre-filing period” or “quiet period.” During this phase, the company usually hosts a formal kick-off meeting with its third-party professionals, often called an “all hands meeting.” The underwriter then completes financial, business, accounting and legal due diligence in order to understand the company better and conclude whether it wants to underwrite the securities to be sold. In addition, all parties typically participate in the drafting sessions for the filing to be made on Form S-1.
2. The period from the filing of the registration statement until the SEC declares the registration statement effective – the “waiting period” or “registration period.” During the waiting period, the issuer and the underwriter begin to gauge market interest, and the SEC reviews the registration statement where multiple rounds of comments and refilings can occur.
3. The period from the effective date of the registration statement until the termination of the offering or the expiration of the prospectus delivery requirements – the “post-effective period” or “quiet period.”

The consequences of engaging in gun jumping can be serious; in some cases, gun jumping can result in a mandatory delay or “cooling-off period” for the offering. These SEC-mandated delays have resulted in companies having to present their offerings during less-favorable market conditions than they had targeted. Additionally, in some cases, the SEC has required that an underwriter responsible for gun jumping withdraw from the offering. Furthermore, the SEC may require the company to include a risk factor in its prospectus to disclose a possible gun-jumping violation. If this occurs, the company’s finance and accounting team may, in turn, require that the company record a corresponding contingent liability in its financial statements.

Cheap stock continues to be a focus area for the SEC. The term “cheap stock” refers to a market price that is significantly less than the offering price for the 12-month period prior to the IPO.

The SEC takes the baseline position that all stock issued within those 12 months is presumed to be in anticipation of an IPO and continues to be a focal point for the Commission. Generally, the SEC staff challenges the fair value of equity granted in the period preceding the IPO, while a company is private, with the presumption that the exercise prices were below the market value of the stock at the time of the grant. The key issues related to cheap stock include the valuation methodologies utilised, liability versus equity classifications, and beneficial conversion features of convertible preferred stock.

All stock grants authorised within 12 months of an anticipated IPO should be evaluated and a determination made whether they meet the definition of cheap stock under the SEC rules. When conducting this evaluation, management should carefully consider the significant factors, assumptions and methodologies used in determining the fair value of the company’s underlying common stock. Items to consider include the use of a third-party valuation firm versus internal resources, the valuation range if multiple methodologies were utilised, marketability and illiquidity discounts, and price-to-earnings (P/E) ratios of comparable public companies.

In addition, stock grants can be classified as either equity or liabilities, depending on the facts and circumstances of the specific transaction. The company should carefully consider the classification requirements based on both the FASB and SEC rules, as they could differ (e.g., as in the case of “mandatorily redeemable” preferred stock, which may require alternative treatment under the SEC rules).

Prior to an IPO, a company may issue convertible preferred stock with a conversion price significantly below that of the anticipated IPO price. However, the SEC may require the company to use the IPO price/conversion feature, as opposed to the price used when the company was private.

The Sarbanes-Oxley compliance work that takes place during the PCR effort often sets the tone for how GRC management will be maintained in the months and years following the IPO. Successful long-term GRC efforts among established public companies – those that are effective, efficient and often also produce insights that lead to opportunities for revenue and profit increases—tend to share the same success factors as those that define successful pre-public Sarbanes-Oxley compliance efforts (see Question 46). These include the right tone at the top that pervades throughout the organisation, ample resources, supporting technology, and a commitment to identifying related process improvement opportunities, among others.

The average size of a U.S. corporate board is slightly more than nine members, according to Corporate Library research. Boards can range in size from three to more than two dozen directors. The board needs to be large and diverse enough to accommodate board independence and committee requirements set by the SEC and listing exchanges (see Question 82) and to satisfy the expertise expectations of shareholders and other stakeholders.

The answer depends on the listing exchange the company joins. The NYSE, for example, requires all member companies to maintain an internal audit function, while currently the Nasdaq does not. According to the NYSE listing standards, internal audit functions among member companies may take the form of a department within the company or exist through a co-sourcing or outsourcing arrangement. Moreover, companies that list on the NYSE must comply with the internal audit function requirement within one year of the listing date.

As business risk and organisational complexity have evolved, the internal audit profession — through The Institute of Internal Auditors (IIA) — has continued to redefine itself.

The IIA defines internal auditing as follows:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve the organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Adherence to the International Standards for the Professional Practice of Internal Auditing (The IIA’s Standards) includes following this definition. While there is no regulatory requirement for how a company must define internal auditing, The IIA definition is generally accepted, and the SEC, NYSE and other regulatory bodies may reasonably be expected to refer to The IIA’s definition when considering whether an organisation has an internal audit function.

Internal audit plans generally address activities for all areas or topics considered based on a risk assessment that includes:

• Assessment of organisation risks
• A testing plan based on the level of assessed risk
• Details on how the internal audit function will support management ICFR assessment
• The internal audit department budget
• A schedule of activities for the year

From a pragmatic perspective, many companies dedicate early-stage internal audit activities in assisting management to implement Sarbanes Oxley initiatives and assist in maturing the ICOFR (internal controls over financial reporting) environment.

(For more information about internal auditing and the internal audit function, please see Protiviti’s Guide to Internal Audit: Frequently Asked Questions About Developing and Maintaining an Effective Internal Audit Function, available at www.protiviti.com.)

A company may establish an internal audit function using its own employees or create one through a co-sourcing or outsourcing arrangement. Most internal audit functions are led by a chief audit executive (CAE) and a staff that may include audit managers, senior auditors and auditors. When possible, companies also staff their internal audit functions with specialised expertise (e.g., IT auditors). Internal audit budgets vary significantly, depending on numerous factors, including revenues, industry, federal and industry regulations with which the company must comply, number of physical locations, and decentralisation, among others.

The internal audit profession is not regulated by the SEC, the PCAOB or any U.S. government agency. However, the PCAOB, through rules about external auditors’ reliance on the work of others, can influence the nature and scope of internal audit work. For example, the PCAOB’s findings regarding deficiencies in registered public accounting firms’ audits of internal control over financial reporting are likely to affect internal audit’s activities as part of the Section 404 compliance process.

The IIA is the self-governing body that includes the IASB, which is charged with evaluating and developing practice standards. These standards are subject to a public comment period, much like other professional standards and accounting pronouncements. The IIA has introduced the 2024 Global Internal Audit Standards, which became effective on January 9, 2025. These new standards consolidate and update the previous International Professional Practices Framework (IPPF) to enhance clarity and applicability across various sectors and regions.

Internal auditors should possess and demonstrate through their work, actions and communication a number of traits, including, but not limited to, the following:

• A commitment to and demonstration of competence in the field of internal auditing
• A strong financial and operational background in accounting, IT, regulatory compliance and/or the industry in which the company operates
• Honesty and integrity
• A strong work ethic and attention to detail

In general, internal auditors should develop and maintain a healthy level of professional skepticism and objectivity to assist in evaluating information and making judgments. 

Additionally, internal audit professionals should possess exceptional verbal and written communication skills and be proficient in negotiating and reasoning with a variety of departments and groups over which internal audit may have no formal authority. Finally, personal integrity, professional due diligence and curiosity are important traits for individuals tasked with conducting internal audit work.

Internal auditors also need to acquire and then master new areas of expertise and knowledge of emerging or reemerging issues. This can be accomplished by attending internal and external training programs. 

A majority of the board must be composed of independent directors within one year of listing. The NYSE and Nasdaq provide highly detailed definitions and guidance on what qualifies a director as “independent.” (See also Question 102.) PCR teams should work closely with their company counsel, and/or external counsel, to evaluate whether directors comply with each listing exchange’s independence requirements.

Given these and other requirements, as well as the board’s involvement in the readiness effort, pre-IPO companies should address board composition early in the readiness process. It can take significant time and effort to select and bring aboard qualified directors if it is determined that the previous composition of the board needs to be altered.

No. However, the company’s management team and extended IPO team (including external service providers, such as the managing underwriters) serve as the de facto IR function during the readiness process and immediately after the IPO has taken place. This IR effort typically is headed by the CEO and the CFO (who typically leads — and sometimes is — the IR function after the IPO and until an IR executive is hired, if the company elects to do so). Companies also engage third-party IR firms to act as the company’s IR function until an IR executive is hired. This effort includes the roadshow presentations that the CEO and CFO conduct for investors and analysts. (The managing underwriters often organise the roadshow meetings and help the CEO and CFO refine and finalise their presentations, but do not participate in the presentations.) These presentations play a crucial role in the success of the offering.

Yes. In accordance with the Sarbanes-Oxley Act, each public accounting firm that issues or prepares any report with respect to any issuer or plays a substantial role in the preparation or furnishing of an audit report with respect to any issuer must be registered with the PCAOB.

The phrase “auditor independence” refers to both a mindset (primarily in the context of internal auditors) and specific SEC rules focused on the relationship between external auditing firms and their clients.

The notion of internal auditor independence describes the integrity and objectivity that informs the work of internal auditors and also explains why, in many cases, a public company’s CAE maintains a dual reporting relationship with the organisation’s CEO and the audit committee chair of the board of directors.

In more practical and legal terms, “auditor independence” refers to a set of SEC and PCAOB rules that govern the relationship between a public accounting firm that conducts annual audits (also known as the external auditor) and its client companies. These rules restrict the external auditor and any of the auditor’s affiliates from conducting other non-audit services (e.g., consulting work for audit clients) and restrict the company and its affiliates from hiring prior audit firm staff during a one year cooling off period. The rules contain additional restrictions, including limits on auditing firm employee investments in client companies, designed to help ensure the independence, integrity and objectivity of the annual auditing work. In addition, the rules include other requirements such as partner rotation, independent communication requirements and audit committee preapproval of audit and non-audit services.

External audit fees vary significantly based on a company’s size, complexity, geographic profile and organisation (i.e., the degree to which its operations are centralised versus decentralised). Generally, public company audit fees are higher than the audit fees private companies pay.

The primary role of a company’s external auditors is to conduct an objective audit of the financial statements and issue an independent opinion and any related comfort letter associated with the closing of the offering. External audit firms can play a number of secondary roles in support of an IPO, including offering strategic advice to management on sensitive or problematic areas, and can provide some assistance in responding to SEC comment letters.

Pre-IPO companies should be aware that registered public accounting firms have come under heightened scrutiny by the PCAOB with regard to their audits of financial statements and internal control over financial reporting. As a result, external auditors are expected to be more rigorous in their audits. This may heighten the risk of a pre-public company not being fully prepared to undergo an audit of its financial statements and internal controls successfully.

The Federal Sentencing Guidelines (FSG) consist of rules that determine the punishment for individuals and organisations (including public companies) convicted of felonies and Class A misdemeanors in the U.S. federal court system. The guidelines determine sentences based on the conduct associated with the offense and the defendant’s criminal history. FSG frequently are addressed within compliance efforts because the existence of an “effective compliance and ethics program” as defined in the guidelines can, in many cases, reduce the severity of sentences.

The Foreign Corrupt Practices Act (FCPA) contains anti-bribery provisions that make it illegal for anyone subject to U.S. jurisdiction to offer, promise, gift or authorise the giving, with a corrupt motive, of anything of value to or from any government official or any private party – directly or indirectly – with the intent to influence any action or decision in order to gain or retain an improper advantage.

Despite its importance, FCPA compliance sometimes is overlooked during the PCR process. While most public and private organisations are familiar with the FCPA’s anti-bribery provisions, the law contains additional obligations for issuers of U.S. securities. As a result, FCPA compliance represents an important part of PCR. Executives within pre-public companies with operations in the U.S. and foreign jurisdictions need to be aware of all of FCPA’s provisions and take appropriate steps to comply.

The FCPA states that issuers must “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer.”

The law also states that issuers must devise and maintain a system of internal accounting controls that provide numerous specific assurances related to management’s authorisation of transactions, adherence to GAAP, access to company assets, and more.

During the readiness effort, companies should ensure that board-level FCPA compliance oversight exists, FCPA compliance and anti-corruption controls are integrated into Sarbanes-Oxley compliance readiness activities, and a designated member of senior management takes responsibility for coordinating the FCPA compliance program. These activities reflect the highest-level steps that comprise the FCPA compliance component of PCR. Numerous compliance-specific steps that should be performed also exist. Consequently, the directors and management of a public company are responsible for ensuring that the provisions of the FCPA are complied with, whether or not the company has foreign operations.

Section 302 of the Sarbanes-Oxley Act reflects the spirit of the provisions (those related to “books and records”) within the FCPA. Despite its importance, FCPA compliance sometimes is overlooked during the PCR process. This may be because the FCPA lacks the concept of “materiality” that helps drive home the threat of criminal liability for executives and managers who knowingly violate provisions within the Sarbanes-Oxley Act. Adherence to both Sarbanes-Oxley Section 302 and the FCPA is an essential part of a public company’s compliance program — and therefore should be appropriately considered and addressed in the readiness effort.

Although the adoption of a formal code of conduct (or ethics program) is not technically required, it is highly recommended from a governance, risk management and compliance perspective. The SEC, via Sarbanes-Oxley Section 406, requires public companies to disclose whether they have adopted a code of ethics for senior financial officers, and if not, the reasons why, as well as any changes to, or waiver of any provision of, that code of ethics.

As mentioned in Question 88, the Federal Sentencing Guidelines direct courts and judges to consider the existence of an “effective compliance and ethics program” favorably when determining sentences. Additionally, the absence of a formal code of conduct and/or ethics program can lead to concerns among shareholders and also send the wrong message to employees.

While components of the FCPA, Sarbanes-Oxley and SEC rules related to financial reporting and accounting require specific records management processes, there are no formal rules requiring companies to establish comprehensive records management, BCM or ERM programs before issuing securities.

That said, each of these capabilities represents sound business practices in place at large numbers of public companies. These capabilities require specific, and fairly sophisticated, types of business and technology processes, skills and IT support to succeed. The most effective PCR programs identify the immediate and long-term processes, talent and technology an organisation needs to have in place to complete an IPO and, equally important, to be in a position to thrive as a public company.

A company’s IT strategy should align with enterprise strategic objectives (regardless of public company intentions). In the context of public company readiness, management may also elect to think more specifically about certain IT domains, including but not limited to user access administration, IT change management, IT operations, cybersecurity, data privacy (if applicable), business continuity/disaster recovery and third-party risk management. In some cases, disclosures in these areas may be included in public filings, so it’s important to incorporate them into ongoing IT strategic efforts.

Pre-IPO companies frequently report that their IT departments represent one of the greatest points of focus during the readiness effort. There are four areas within IT that require specific focus and attention during public company readiness efforts, including:

Systems and data related to the accurate and timely production of financial statements. This includes a wide and varied range of needs, including systems availability, data cleanliness and control, and the updating and maintenance of financial systems.

Creating, testing, monitoring and managing IT general controls that pertain to Sarbanes-Oxley compliance. To be sure, this qualifies as a major effort and requires numerous steps; effective collaboration among IT, finance, accounting and internal audit; and, in most cases, collaboration with the company’s external auditors.

Supporting business process improvements conducted during the readiness effort with related systems and applications changes and updates. During the readiness effort, most companies find a need for business transformation to achieve a number of improvements, including better financial and management reporting capabilities; greater standardisation of business processes; the reduction of manual business process steps (i.e., greater emphasis on automation); greater visibility into cost, sales pipelines and other operational areas; more highly integrated supply chain management capabilities; better data integrity; and more easily tracked audit trails, among other needs. Each of these needs contains an IT element that must be in place for the business transformation to be implemented successfully.

Developing, maintaining and communicating data security, cybersecurity and privacy strategies and policies. A solid information security foundation should have the right policies and strategies in place. This includes ensuring compliance with a growing number of regulations and managing applications, users, technical infrastructure and third-party vendors.

Developing a scalable IT environment requires a significant amount of work in each of the six primary infrastructure areas of the PCR effort. Teams leading the IT readiness effort should consider and appropriately address the following questions in each of these areas:

• Business Policies: Have we established and documented all of our key IT processes, as well as a formal IT strategy for managing technology and applications, both pre-IPO and one to two years post-IPO?
• Business Processes: Have we assessed our processes for risks, controls, effectiveness and efficiency?
• People and Organisation: Do we have the right skills and competencies to develop and sustain IT general controls, and do we have the required committees, the right organisational structure, and the appropriate IT resource levels? Is technology access appropriately granted, managed and segregated?
• Management Reports: Do we report timely, relevant, actionable and insightful information to the right stakeholders?
• Methodologies: Have we developed methodologies for handling heightened public company requirements, including core methodologies and IT frameworks, scalability, IT talent who understand these methodologies, and reporting metrics that meet performance and compliance needs?
• Systems and Data: Are our systems scalable to process the information needed to run and grow the business? Are appropriate redundancies and checkpoints built in?

Many companies on the IPO path face the decision of whether to replace their ERP system — if not before or during the readiness process, then certainly during the 12 to 18 months following the public offering. This is because some of the biggest challenges confronting pre-public companies can be addressed by a more robust ERP system. However, these implementations require significant time, financial investment and opportunity cost – and could result in operational distraction and disruption and/or pull focus from key personnel. Management should consider the business needs associated with an ERP implementation and balance those with other (potentially competing) readiness activities.

The primary challenges that an enhanced ERP system can help a pre-public or newly public company address include the need for better financial and management reporting; standardisation of business processes; elimination or minimisation of manual or non-scalable processes; integrated supply chain management planning (or manufacturing or service delivery); greater visibility into costs and customer response time; international and multicurrency capabilities; stronger data integrity and “auditability”; and better process, data integrity and security controls (including those related to financial reporting).

ERP implementation risks stem from the fact that these types of projects are highly complex, represent a significant investment, significantly impact internal control over financial reporting, and can extend over a long period, during which most aspects of the business are involved in the implementation.

Given the advantages and the risks that ERP implementations pose for pre- and post-IPO companies, it makes sense to develop an ERP strategy during the readiness effort. Companies should choose and implement an ERP system that will support the business for the next three to five years, not one that will merely address immediate needs and “pain points.” A solution that only addresses today’s most pressing needs may be inadequate to support, for example, the growth of international, multicurrency, multiproduct, and in-house manufacturing operations on which a company’s revenues may be based in the not-so-distant future. Furthermore, an enterprise view should consider the integration requirements with other key operational systems.

Senior executives need to determine what the ERP system will need to support in the future and then begin the selection process.

Numerous IT policies should be assessed and/or established during the readiness effort, and each should be documented. These include those related to information security, data backup, cloud security, change management, spreadsheet management (e.g., version control), business continuity and disaster recovery, data transmission and remote access to company networks, data and systems as well as cybersecurity and privacy issues related to internet and data use.

Additionally, companies should assess IT processes for risks, controls, effectiveness and efficiency during the readiness effort. These processes frequently include the software development life cycle, data validation and verification, complex or critical calculations, critical management reports, disaster recovery, and BCM planning. This is often intense, time-consuming work. Some pre-public companies may have opportunities to use a lighter, more optimised ITGC framework and implementation methodology that complements innovative, leading software development practices, such as development operations (DevOps) and agile project management. Technology companies and cloud service providers can help to strengthen a public company’s controls and achieve compliance objectives (e.g., for Sarbanes-Oxley and Service Organisation Controls [SOCs]) without compromising the flexibility, speed, drive and ingenuity so critical for their success in the competitive emerging technology landscape.

During the PCR process, company leaders should determine whether the enterprise possesses the necessary talent, organisational structure, and governance processes to support all of the financial reporting, financial close and other business processes that will be necessary to operate as a public company. Pre-public companies also routinely assess whether talent is in place to ensure that the IT function can support both current needs and requirements that likely will emerge during the first two years of operations as a public entity.

To communicate timely, relevant, actionable, accurate and insightful information to the right stakeholders, pre-public companies often strengthen and/or implement several different types of IT management reports by taking the following actions:

• Implementing monitoring procedures to detect control issues and areas related to change management, user access and segregation of duties, all of which are communicated in periodic management reports
• Creating performance reports based on IT metrics selected by finance and accounting managers
• Ensuring that issues identified within evolving processes are proactively corrected through the use of exception reports, internal reporting and audit reports
• Ensuring a robust escalation and reporting process is in place

Directors and officers (D&O) liability insurance is payable to the company, or the directors and officers of a company, to cover damages or defense costs in the event they incur such losses as a result of a lawsuit for alleged wrongful acts while acting in their capacity as directors and officers for the organisation. There are three basic levels of D&O insurance; they are commonly referred to as Side A, Side B and Side C. Side A coverage protects directors and officers against claims for which the company will not or cannot indemnify a director or officer because of legal or financial solvency reasons; Side B coverage reimburses the company for amounts it pays to directors or officers as indemnification; Side C coverage pays losses arising from certain securities claims against the company. Exclusions will apply for actions taken in bad faith, so D&O insurance is not carte blanche for directors and officers to act with impunity. There are also specialised D&O policies that cover directors and officers in cases where the company is not permitted to indemnify them (e.g., cases where indemnification is prohibited by public policy); this type of policy usually rides on top of Side A coverage.

While D&O liability insurance is not legally required, it is exceedingly common in the business world, especially for public companies. Liability exposures remain high, and companies find it beneficial to offer some protection to current or potential directors and officers in order to attract and retain top talent. Currently, the largest litigation concerns for public companies are direct shareholder/investor suits, regulatory claims and employment litigation.

The presence of D&O insurance coverage should allow directors and officers to operate in the best interests of the business, taking calculated risks within the company’s risk appetite without undue concern about potential, and perhaps baseless, litigation. All D&O liability insurance policies will come with significant exclusions, some of which are negotiable, so it is important that the company, and its directors and officers, have a thorough understanding of what is covered and what is not. Consulting legal counsel about the limits of any insurance policy is always advised.

There are specific regulations regarding board composition (see Question 82) and committees.

The following committee requirements reflect NYSE, Nasdaq and/or SEC rules:

Audit Committee: Listed companies must have an audit committee composed of at least three directors (three to five is a typical size), each of whom qualifies as an independent director. Further, each member of the audit committee must be financially literate or must become financially literate within a reasonable period after his or her appointment to the audit committee. (Financial literacy includes being able to read and understand financial statements.) In addition, at least one member of the audit committee must be identified and designated as a financial expert, defined as one “who has accounting or related financial management expertise” obtained while serving as a principal financial or accounting officer, controller, accountant or auditor, or having other relevant experience, as required by the Sarbanes-Oxley Act (see Question 104).

Compensation Committee: Listed companies must have a compensation committee composed exclusively of at least two independent board directors. The board of directors must affirmatively determine that the directors do not have a relationship to the company that is material to that director’s ability to be independent from management. The compensation committee must have a written charter that addresses the scope of the committee’s responsibilities, structure, process and membership requirements as well as other rights and responsibilities (i.e., use of compensation consultants, legal counsel or other committee advisors).

Nominating/Governance Committee: Required by the NYSE (and advisable for Nasdaq member companies), nominating/governance committees are responsible for recommending and approving directors and committee members. The NYSE (1) requires listed companies to have a nominating/corporate governance committee composed entirely of independent directors, and (2) directs nominating/governance committees to develop and recommend guidance concerning general corporate governance issues.

The NYSE and Nasdaq board summary composition requirements are:

Image

*Transition periods for IPO companies regarding Rule 10A-3's audit committee independence requirements are:

• During the initial 90 days following an IPO, all members of the audit committee, except one, are not required to meet the independence criteria set by Rule 10A-3.
• For the first year after an IPO, a minority of the audit committee members can be non-independent according to Rule 10A-3. Typically, for committees consisting of three members, this means that from day 91 to day 365 post-IPO, only two members need to be independent.

**Committee requirements:

• Each committee must have at least one independent director as of the following timing: Nasdaq – at the time of listing; NYSE – by the earlier of the IPO closing date or five business days from the listing date.
• Nasdaq and NYSE rules mandate that within 90 days following IPO a majority of the directors should be independent.
• Nasdaq and NYSE rules both require that all committees become fully independent within a year.
• A “controlled company” is one in which more than 50% of the voting power for the election of directors is held by an individual, a group or another company.

A “controlled company” is one in which more than 50% of the voting power for the election of directors is held by an individual, a group or another company.

During the past decade, both the authority and influence of the board of directors’ compensation committee have increased, particularly in the area of executive compensation (chief executive officer and all other executive officers of the company), as new regulations have required more, and increasingly thorough, disclosures concerning executive compensation packages (including equity incentive plans and other equity awards).

As with all committees of the board of directors, the compensation committee’s responsibility is to provide oversight. In this case, that means reviewing and approving the executive compensation strategy and plans, providing oversight of the company’s benefit plans, reviewing compensation-related risks, monitoring the approved activities of outside compensation consultants, and reviewing and making recommendations to the entire board of directors regarding the board’s compensation. The compensation committee is also responsible for producing an annual report on executive compensation for inclusion in the company’s proxy statement.

In accordance with Sarbanes-Oxley Act Section 407, the SEC requires public companies to have at least one member of the board of directors who qualifies as a “financial expert” serve on the audit committee of the board. The SEC defines “financial expert” as a person who has (i) education and experience as a public accountant, auditor, principal financial officer, principal accounting officer or controller, or experience in one or more positions that involve performance of similar functions; (ii) experience actively supervising persons in the positions above; (iii) experience overseeing or assessing the performance of companies or public accountants with respect to the preparation, auditing, or evaluation of financial statements; or (iv) other relevant experience, and possesses the following attributes:

• An understanding of U.S. GAAP and financial statements
• Experience applying U.S. GAAP in connection with the accounting for estimates, accruals and reserves that are generally comparable to the estimates, accruals and reserves, if any, used in the registrant’s financial statements
• Experience preparing or auditing financial statements that present accounting issues generally comparable to those raised by the registrant’s financial statements
• Experience with internal controls and procedures for financial reporting
• An understanding of audit committee functions

Yes, although the responsibilities of employee directors (e.g., the CEO or the CFO) and nonemployee directors differ. Directors who also serve on the management team typically lead the public company readiness effort and play important, as well as labor- and time-intensive, roles throughout the readiness process (e.g., addressing board composition issues; conducting due diligence; working closely with external service providers, as well as auditors and regulators; preparing the registration statement; and conducting presentations as part of the roadshow).

Nonemployee directors typically do not fulfill as much of a hands-on role as employee directors. However, nonemployee directors review and authorise most, if not all, of the key decisions and documentation, including the registration statement, executed during the readiness effort. Nonemployee directors who are chosen based on industry or subject-matter expertise may have additional emphasis on their involvement and would ordinarily look to do that through board committee efforts.

Aside from ensuring that the board meets all relevant composition and committee requirements, the primary PCR risks the board should monitor generally include the same risks the company’s management and IPO team need to monitor and address. At the highest levels, these risks relate first to compliance with all IPO-related requirements and second to the same issues that investors evaluate when deciding whether or not to buy (and what to pay for) shares. Any issues that negatively affect the public perception of the company’s management team strength, health of industry dynamics, financial outlook, ability to generate cash, and business model strength and resiliency should be monitored by the board. To confirm, audits of financial statements to be filed in an S-1 must be performed by PCAOB-registered audit firms (and under auditing standards promulgated by the PCAOB).

Additionally, there are a number of more specific common risk areas that require monitoring during the transaction readiness process. These include “gun jumping” and cheap stock issues (see Questions 73 and 74, respectively), as well as the following:

The Use of Non-GAAP Financial Measures: Many companies use some non-GAAP measures to describe their results in addition to those also required under U.S. GAAP. When doing so, companies should ensure they remain in compliance with SEC regulations in this area, which is often the focus of SEC scrutiny. Examples of common non-GAAP measures include adjusted earnings before interest, taxes, depreciation and amortisation (EBITDA); free cash flows; and quality of earnings adjustments. Companies are permitted to utilise these non-GAAP measures in their registration statements (as well as in subsequent SEC filings) if they:

• Disclose the most directly comparable GAAP financial measure along with reconciliation between the non-GAAP measure and the comparable GAAP measure
• Present the GAAP measure with equal or greater prominence as the non-GAAP measure and the disclosure of why the non-GAAP measure is useful to investors

In addition, the SEC staff have focused on these areas:

• The appropriateness of adjustments to eliminate normal, recurring cash operating expenses or items identified as non-recurring, infrequent or unusual
• The use of individually tailored accounting principles
• The disclosure of why management believes the non-GAAP presentation provides useful information to investors regarding the financial condition or results of operations of the registrant

Sarbanes-Oxley Compliance: The Sarbanes-Oxley Act adds substantial compliance requirements on pre-IPO companies. In many cases, the time and resources required to achieve compliance are underestimated. For these reasons, the IPO team should integrate consideration of internal controls, including critical internal controls over financial reporting, disclosure and other governance requirements into the organisation’s infrastructure as early as possible in the readiness effort. Doing so allows for sufficient time to implement and assess the effectiveness of these internal control protocols.

Auditor Independence: Sarbanes-Oxley rules prohibit a company’s external auditor from providing many non-audit services, including internal audit, legal guidance, valuations and other (but not all) forms of consulting. Pre-IPO companies should carefully evaluate any existing (non-audit) arrangements with the external audit firm to clarify permissible services and establish clear independence related to current services.

Recent (or Probable) Acquisitions: Public offering registration statements generally require inclusion of audited financial statements for a “significant” (as defined by SEC guidelines) acquisition that takes place 75 days or more before the offering, or, in the case of the most material acquisitions, as soon as the acquisition is deemed probable. Additional information related to these acquisitions also may be required to be included in the registration statement.

Cybersecurity Incident Reporting, Risk Management and Governance Protocols

Public companies are required to give investors prompt and useful information about material cybersecurity incidents as well as information on the company’s approach to cyber risk management, strategy and governance. Registrants are required to describe the processes, if any, for assessing, identifying and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.

Nonfinancial reporting public companies are encouraged, often in response to demands made by investors and other stakeholders, to make a number of nonfinancial disclosures across a wide range of issues and topics (e.g., human capital, risk factors, sustainability). Including these disclosures in public filings requires companies to ensure that these disclosures are subjected to the same quality control processes as those afforded financial disclosures.