How to Streamline the SOX Compliance and Control Readiness Process

Best practices to ramp up your company’s control readiness process, build out your compliance team, and identify and disclose material risks.

Embarking on an IPO journey demands a strategic approach to compliance, your internal controls, and, ultimately, SOX. With 40 percent of newly-public companies disclosing material weaknesses, early preparation can enhance your company’s attractiveness to investors and strengthen its risk posture. 

In a recent survey of executives in the CFO|Circle, 45 percent of respondents said their companies need to overhaul their compliance practices. With compliance preparation requiring 18 to 24 months of work, now is a great time for finance teams to get ahead of the people, process, and impacts to come. 

In a conversation with Robert Ryan, a partner in Risk + Regulatory at PwC; Carmen Lam, VP of Internal Audit at Klaviyo; Roxanne Oulman, Board Member at Klaviyo and Audit Committee Chair at AuditBoard; and Josh Harding, CFO at AuditBoard, finance leaders in The Circle discussed when to start ramping up your company’s control readiness process, tactics to build out your compliance team, and how to approach material risk disclosures.

Start Your SOX Compliance Efforts 12-24 Months Ahead of a Planned Exit

When surveyed about their SOX compliance readiness, 66 percent of CFO|Circle members in the conversation said they were not prepared to IPO from a compliance perspective. That is completely natural and expected in this tepid IPO climate, noted the VIPs; most companies do not begin significant preparation until the board indicates that the company should be prepared for an IPO. 

However, advance planning is critical because compliance is a complex body of work and a board can push for an IPO very quickly if the market presents an attractive window for the business. As your company prepares for a transition from private to public (and even if a merger or acquisition is more likely or preferred), it’s important to start building out a robust control environment 12 to 24 months ahead of a potential exit. Many of the same resources that you will need to build out your control framework and support compliance efforts will also be responsible for drafting an S-1, investor materials, and financial statements as an IPO approaches (or data rooms, management presentations, confidential information memorandums (CIM), etc. in the event of an acquisition). By getting an early jump on compliance and your control environment, you can more effectively spread out your team’s workload across the entire IPO readiness journey.

That said, companies can’t control the market and CFOs often don’t have the ability to “slow the train” if the board wants to move quickly. 

“It all comes down to being prepared and starting your IPO readiness assessment well in advance. This way, if the market gets hot a few quarters out and your investors, board, and management team say, ‘let’s go,’ you are ready to hit the accelerator on your timeline and be in the best possible readiness position to be public.” –Robert Ryan, Partner in Risk + Regulatory, PwC

Assemble Your Team With Key Hires, CXO Peers, and External Experts

To run a comprehensive SOX readiness process, you will want to hire outside compliance experts and invest in collaborative partnerships internally with your CXO peers. 

Carmen, who built out year-one SOX programs for Meta and Slack in previous career chapters, recommended hiring an internal audit leader 12 to 18 months ahead of a target exit date. This allows enough time to identify any documentation gaps, stand up the audit function, and educate the rest of the company on compliance requirements. 

“One consideration to hiring your head of internal audit is to bake in six to nine months for the hiring process into your overall timeline. The role requires a specific skill set and it takes time to find someone who has experience taking a company public.” –Carmen Lam, VP of Internal Audit, Klaviyo

Additional key internal and external partnerships to develop during the compliance readiness process include: 

  • Outside vendors to support the risk assessment process
  • Audit Committee Chair to establish an open communication channel with the CFO and executive team, and lean on their prior experience with compliance 
  • C-Suite Peers and Adjacent Functions to align on the many changes required across the organization, specifically your CEO, CTO (especially for homegrown systems environments), CIO, CHRO and General Counsel. 

Identify and Disclose Your Company’s Material Weaknesses

One of the most important things to identify during the compliance readiness process is whether your company has any material weaknesses. According to PwC, material weaknesses can relate to the following areas:

  • The financial close process, which includes a range of issues related to the timely gathering of data for use in the close process. It can also include issues with accounting policies and procedures that prevent timely, accurate, or complete information from being reported.
  • Personnel inadequacies, which relate to deficiencies in the number, training, qualifications, and conduct of resources. It also includes issues associated with segregation of duties.
  • IT general controls, spanning the suite of controls across the IT domains (access to programs and data, computer operations, system change management, and system implementation). Deficiencies in IT general controls have a downstream impact on the reliability of business process controls or data.

That same PwC analysis reported that the number of material weaknesses disclosed in a company’s 10-K jumped 73 percent from 2021 to 2022. In the first quarter of 2023, material weaknesses increased 25 percent relative to the same period the prior year. Underlying causes include an uptick in IPOs and SPACs during that time; companies overlooking risk mitigation efforts for their digital transformation initiatives; and employee turnover that results in insufficient knowledge transfers from the outgoing to new control owners.

The VIPs noted that material weaknesses are significant matters, but they do not typically impact the stock price unless they have a direct correlation to revenue.

“CFOs need to uncover material weaknesses early, ensure transparency with your audit committee chair and board of directors, and err on the side of being overly disclosive in your S-1 to ensure you don’t surprise investors and the market after you’re public. After these disclosures, the expectation is that you will fix the material weaknesses in the first year as a public company and some investors will ask you about your progress in your first few quarters as a public company.” –Josh Harding, CFO, AuditBoard

If your organization does not fix these material weaknesses after the company has been public for a year or more, that can have severe implications for the business.

Set Your Company Up For Future Success, Regardless of Exit Type

Compliance and controls preparation is not just for IPO readiness — there are benefits for any exit outcome, including a sale of the business. In many M&A situations, a credible IPO alternative creates a sense of urgency for prospective buyers. Sophisticated buyers will look to see if you’re truly ready for an IPO. If your control environment is weak and your financial reporting does not look public-company ready, they will determine that an IPO is not a real alternative for your business. This can have a real impact on valuation or even kill a deal if a buyer thinks they can walk away and buy the business later.

“The majority of compliance onus falls on the CFO, regardless of the type of exit. If you don’t have the processes and controls to demonstrate readiness, you limit the opportunities for your company.” –Roxanne Oulman, Board Member at Klaviyo and AuditBoard

In addition to ensuring your controls are in good order, some best practices to follow include cleaning up your financial reporting (e.g. cost of revenue vs. opex, allocations, supporting policy memos, etc.) and ensuring your P&L and cash flow forecasting is accurate. “Forecasting your revenue, billings, and cash flow is probably the most complex item, especially the working capital section,” said Roxanne. “You should be doing all of this now, regardless of your exit timeline.”

The Takeaway:

While many growth-stage companies might not be focused on SOX compliance and controls readiness until an IPO is likely or imminent, CFOs in The Circle recommend starting these efforts early because they can take years of work or uncover items that can’t be addressed overnight (e.g. the need to switch out a key system). This will allow you to make your target hires for the process, identify material weaknesses and begin solving them, and have the right processes already in place for when your company does exit.
