15. Appropriate Corporate Governance and SOX Compliance: Recommended Timeline of Selected SOX Activities for a Company Embarking on an IPO
Editor's notes
This slide lists some of the key questions boards and management need to ask themselves in contemplating an IPO. The challenges faced by companies preparing for a public offering include:
- Accelerated reporting deadlines
- SOX requirements
- Corporate governance
- Increased scrutiny of complex accounting policies and positions
- The scalability of the IT infrastructure
- Adequacy of people resources
List of selected key policies covering most “go to public” companies:
- Anti-Fraud Policy
- Insider Trading Policy
- Code of Conduct (conflict of interest, related party transactions, confidentiality, fair dealing, protection and proper use of company assets, compliance with laws and regulations)
- HR Policies (hiring, termination, equity award, annual review)
- Accounting/Finance Policies
- IT Policies (Security, Change Management, Business Continuity Management)
- Audit Committee Charter
- Disclosure Committee Charter
- Compensation Committee Charter
- Job Descriptions
Today we will focus on the more pervasive inherent risks that frequently pose significant challenges for companies with public company aspirations – Financial Reporting, Closing the books, IT environment & Governance/SOX compliance. Chris, provide us with some guidance on how we maneuver through the maze of what seems to be an increasingly complex financial reporting environment.
One key activity, prior to a public offering, is for management and the audit committee to get ahead of the curve by assessing financial reporting risk so that it can be managed up-front, rather than being susceptible to being managed after the fact by external auditors, regulators and others.
Once done, a financial reporting risk assessment should be periodically updated. Early on, prior to an IPO, your sources of risk indicators may be external auditors, investors, underwriters, etc. Once you are public, the possibility of SEC comment letters (those generated by the IPO and those generated thereafter by public filing reviews) and even of the PCAOB reviewing the work of your external auditor enter the mix and need to be considered, as will new and updated accounting pronouncements which may be applicable to you broadly or specifically.
Thanks Steve. Some, but not all, non-public companies have the luxury of longer close timelines. On this slide you can see deadlines for common newly public companies: Non-Accelerated Filers with market cap under 75M, Accelerated Filers 75-700M. In addition to the SEC required deadlines, public companies usually prepare more extensive disclosures than most private companies. So most companies will have to both speed up the close cycle and do more during that same cycle.

The increased demands often require more discipline via checklists, status reporting, and rapid issue resolution. Box calendars should be replaced with detailed checklists, and daily status reporting and sometimes daily staff meetings should be implemented – especially if your current close schedule does not comply with the rules. Lengthy manual tasks create bottlenecks that can best be resolved with stronger systems functionality and better integration. For example, QuickBooks and spreadsheets often must be replaced with more mature accounting applications, and spreadsheets with interfaces or automated custom applications. You may not have a formal disclosure committee identified with regular meetings set. You may also lack draft disclosure documents.

Newly public companies are also subject to SOX 302 Certification, requiring the CEO and CFO to certify that the financial statements are complete and accurate. Checklists, and in some cases a 302 sub-certification, provide the executives some additional comfort that the financial statements are complete and accurate.
To effectively assess and improve your close process you must start with a detailed task checklist. The task list should reflect each JE, spreadsheet or manual process, by person, required to close. It should include activities in remote locations and inputs from 3rd parties. Once this is in place and you have some history you can seek to make improvements. Protiviti advocates evaluating your close process holistically – across our Six Elements of Infrastructure. The slide before you describes some common opportunities for improvement. Focusing on just a few items, let’s first look at the process.

In addition to tracking the actual start and end times for all activities, hold formal pre-close meetings, daily status meetings, and post-close debriefings. These meetings are imperative to verify status, identify delays, raise issues, and establish accountability to due dates. With the results of a detailed checklist you can create insightful dashboards and reports. Consider graphing #tasks by day from -10 to 45 to see how much you’re getting done early, and #tasks by person by day to see if the work is spread evenly. You can also prepare a Gantt chart to analyze the critical path.

Under the Methodologies element of our framework, review your spreadsheets and your reconciliations. Look in particular at the nature of the calculations – are they consistent with the GAAP treatment prescribed? Is the level of detail appropriate? Too much = too time consuming, not enough = insufficient to support the audit. Also consider prioritizing reconciliations – moving lower-risk recons to post GL close.

Systems is the final element and frequently requires much attention. We’ve mentioned more mature accounting applications to eliminate spreadsheets. Where spreadsheets remain (some always will), specific spreadsheet controls should be implemented to reduce risk.
For example, spreadsheets should be organized with separate data entry sections, formula cells should be locked, workbooks should be password protected, and files should be stored on a central server for backup and limited access. On the next slide we’ll discuss common challenges in revenue – especially for any high tech, software or services company.
The question is raised because many pre-IPO and newly public companies often have smaller IT staffs struggling to support a wide variety of end user needs. Your IT team must support everything from your LAN, PCs and printer support to ERP/accounting applications, to engineering workstations and central storage servers; some also support customer facing applications as well. These “start up” environments often succeed because of a strong “can do” attitude, yet also resist many of the formal processes, approvals and controls required in public companies. Some other key challenges most companies face in preparation to go public include:
- SOX required controls in the form of SDLCs – these are controls such as an IT Steering Committee, Testing Requirements, and formal approvals prior to making changes to production applications or data.
- Replacing less expensive, less sophisticated accounting applications with more robust ERP applications better suited to support growth plans.
- Additional electronic integration in the form of interfaces, EDI, etc.
As you explore alternatives you’ll need to address some significant long term decisions, such as outsourcing or hosted applications that may be attractive to mitigate implementation costs and reduce the in-house skills necessary to support these applications. In the following slides we will briefly present some key attributes of the IT infrastructure you should consider for IPO readiness.
Looking at the IT infrastructure through our Protiviti Six Elements of Infrastructure, let’s first look at Strategy and Policy.

Strategy – You should have a 3-5 year plan for IT, including known application changes, upgrades or replacements. The plan should reflect the growth of the business (volume, location, types of products/services), and call out resource requirements including people, hardware and software, and some budgetary cost estimates to implement and maintain the environment. Your plan should also consider any initiatives to improve business continuity in the event of an IT service interruption, security to prevent loss of any sensitive data, and any special requirements to address regulatory requirements such as Payment Card Industry Data Security (Retail), Anti Money Laundering (Fin Svcs), HIPAA (Healthcare) or FDA (Med Devices/Pharma) reporting requirements.

Turning our attention to Policy and Procedures, public companies should have repeatable processes and documentation specific to key IT governance functions. Some key examples include:
1) Change Management, including System Development Lifecycle Controls as required for SOX compliance. These typically include protocols (e.g. IT Steering Committee and Approvals) for approving and monitoring IT projects, and include testing and approvals before new systems or changes go live.
2) Data Security, including the processes, with approvals, for new users or changes to access; these should be documented and in place.
3) Business Continuity, including the processes to bring up a failover IT environment in the event the primary environment goes down due to disaster or interruption. This will be especially critical where the business model is highly dependent on IT services.

Moving on to People, this area often presents the biggest challenges, where smaller IT teams struggle to provide a variety of technical skills.
That, coupled with stricter controls and adherence to defined procedures with proper segregation-of-duties requirements, requires you to more clearly define distinct roles and responsibilities and restrict sensitive roles to fewer people. Your IT Strategy should include some definition of the skills, roles and even organization charts as you pass milestones. If hiring becomes a challenge you should consider outsourcing to supplement your core team’s skills in areas such as security, BCM, etc.
Management Reporting – Many CFOs are seeking ways to more proactively measure and monitor IT performance. In addition to the common financial metrics such as IT expense as a % of revenue, consider some of the other metrics on the slide. Benchmarking services, such as APQC (available through Protiviti), offer comparisons by SIC code so you can compare your performance to others in your peer group.

(Optional) Methodologies – Within IT this usually refers to implementation methodology, and it is helpful when common steps are standardized, such as business case and steering committee approval for new projects, approvals for go-live, etc. To comply with SOX, however, you need to reference some IT controls framework – consider COBIT. Once adopted, take steps to create awareness and foster compliance with your methodologies.

Systems – At the core of every good IT function are applications that adequately support user needs. Investing in more robust ERP solutions that are aligned with your current and anticipated business requirements, are used by like companies demanding similar capabilities, and are supported by financially strong and customer responsive vendors will pay dividends over the long term. Many pre-IPO companies select and implement mainline ERP applications as a prerequisite to the IPO. Consider a formal, well governed ERP selection as part of your IT strategy if your requirements indicate you need a change.

Well Steve, that covers a lot of ground on creating a scalable IT function. I’ll pass it back to you now.