Not all roads lead to successful IPO

Welcome guest blogger, Jason Chiang. With RGP for nearly 8 years, Mr. Chiang has more than 20 years of experience and expertise in Audit, Risk and Compliance. He has consulted with a range of companies from financial services, biotech, manufacturing, healthcare and other industries. Mr. Chiang is a Certified Public Accountant (inactive) and Certified Internal Auditor. He has served on both sides of the house as a senior audit manager and senior auditor as well as a risk manager. It is evident that he understands the motivations and hurdles facing these organizations and approaches their complex issues with integrity and professionalism.

The following article was written by Jason Chiang (with editing support from Stephenie Buehrle). The approach and recommendations are his.


Not all roads lead to successful IPO

When a company approaches their initial public offering (IPO), it enters a very different arena. Having access to public funds, that is the retirement savings of Main Street USA, the company must meet quarterly SEC filing requirements. This is a significant amount of work. An investment in the people experienced with technical accounting, SEC financial reporting, and Sarbanes Oxley Compliance (SOX) evaluations combined with an investment in systems and tools to do the work efficiently and with completeness and accuracy is crucial to meet the filing deadlines.

One cannot audit all internal controls over financial reporting (ICFR). Thus, performing a SOX risk assessment is necessary to identify the significant accounts and their relevant assertions. If you happen to be one of these companies developing a road-map to your IPO, SOX may not be the place where you want to focus significant time and financial resources, but you realize that it has to get done. Be sure that you consider, at minimum, these critical components:

Risk Assessment                                  

A risk assessment is the process of identifying significant accounts and disclosures and their respective relevant assertions as they relate to financial statements. A properly done risk assessment will allow the company work smart by focusing its internal controls evaluation on the areas where there is a possibility of a material error.

The Risk Assessment must include:

  • Quantitative factors such as account balance, frequency of transactions, dollar value of each transaction; and
  • Qualitative factors such as complexity of related transactions, subjectivity of accounting rules over related transactions, and fraud considerations.
  • As business and risks change, the risk assessment needs to be updated.

Narrative                                                                

A narrative provides mid-level detail of the transactions and internal controls within a business process and includes who, how frequent, and in what location the transactions and controls are being performed. The initial creation of narratives provides the process owners an opportunity to revisit and reflect on the current processes, and make improvements for operational efficiency or control effectiveness. It is a written document that can be read by internal employees, internal auditors, and external consultants and auditors to gain a preliminary understanding of the process. As processes change, the narrative provides a format to document the change.

What critical things must be considered regarding Narratives?

  • The narrative should be written knowing that auditors will be a primary reader and will be looking for controls that mitigate risks.
  • When describing management review processes in the narrative, articulating how the manager gains assurance of the completeness and accuracy of the supporting evidence before signing off. If the manager is using judgment, describing the factors considered.
  • Narratives should be updated as changes are implemented in the organization. The updates should follow a workflow where there is a review process for significant changes.

Control Matrix                                      

A control matrix lists the controls the company has identified to mitigate risks. The control matrix serves as evidence that identified risks are mapped to controls which are to be evaluated for management’s assessment of internal controls. The control matrix also is a primary client document auditors leverage to perform their independent test of controls.

Take care to ensure that:

  • The controls in the Controls Matrix are mapped to risks.
  • The Controls Matrix is in a format where it is sortable or reportable by controls mapped to risks for test of controls purposes, and risks are mapped to controls for an evaluation whether risks are mitigated by controls.
  • Controls in the Controls Matrix should be labeled and provided an abbreviated title (10 words max) for ease of reporting and reference purposes.

Testing                                                                      

Testing is the evaluation of design and operating effectiveness of the company’s controls. The results of testing of controls provide company management with a baseline to that might have impacts to strategic and operational decisions. For publicly held companies, testing is an SEC requirement.

Critical considerations for testing:

  • Important, if deemed necessary, to be able to re-perform the actual control performed by the employee (e.g. for 3-way match of purchase order, invoice, and shipping docs, test that an employee had performed this and has evidence of such, rather than the auditor requesting the 3 docs and testing oneself).
  • When testing management review controls, cannot just accept sign-off, but need to understand the steps and judgments used by the manager, and test accordingly.
  • The documentation of testing should allow someone else to reasonably re-perform the testing. If testing is being relied upon by external auditors, then the breadth of documentation is more important. If not, not all needs to be retained, but should be readily retrievable when needed.

Certifications                                        

Control owners certify to the CFO and CEO that controls are operating effectively on a quarterly basis, and if not operating effectively, the remedial action plans. The control owners are held directly accountable for their controls as they are certifying to the top two officers of the company.

Recommendations for certifications:

  • The number and level of person certifying to the CFO and CEO should be carefully considered. The level should be their direct reports and one level removed to maintain the efficiency and integrity of the certification. If it is a larger organization, there can also be sub-certifications up to the senior manager level.
  • The certification questions should have a combination of checklist questions, as well as, open ended questions to encourage a thoughtful process.
  • Utilizing software for tracking, follow-up, and retention purposes is advised.

Depending on the number of people involved with the inputs into the various components, one might decide that performing and capturing the work in Excel is sufficient, while others might prefer utilizing a SOX tool where there are extra protections in version control while allowing multiple users to perform inputs simultaneously in multiple locations. A SOX tool may also provide management with options for review, analysis and oversight that are not available in Excel.

To avoid unexpected setbacks, be sure to plan enough time into your IPO readiness map for SOX evaluations. The initial SOX program development and implementation is likely to require six months and can vary depending on your access to subject matter experts. Coordination and alignment of the SOX efforts and objectives among the audit committee, senior management, process owners, and internal and external auditors is paramount for a successful implementation.


If your organization is approaching your initial public offering and you’re interested in learning more about how RGP can support you with subject matter expertise and a tailored technology solution to help ensure that you are prepared for your SEC filing and financial reporting requirements, reach out to us (Information@policyIQ.com, 412.263.3330) and we’ll connect you with our RGP colleagues near you!

Pre-IPO? RGP and policyIQ Help with Preparations to Go Public

Are you considering going public and beginning to think about all of the steps you should take to prepare? RGP and our GRC tool, policyIQ, can help you to ensure that you have a solid offering and that you are presenting your company in the best possible light.

RGP creates true partnerships with our clients—educating while advising

RGP can help with a range of needs including shoring up your processes and documentation comprising of things like helping you to properly document processes, and ensuring that necessary policies and procedures are in place. This would, almost certainly, include working with you to build a sound financial reporting foundation and solid internal control environment.

We can support your organization with activities that are specific to preparing for SEC Registration such as performing an accounting review to ensure your company meets all necessary financial requirements, helping with the development of your Prospectus, and the performance of a Legal Review.

If your need is more closely related to people resources, such as the need for an interim CFO or adjustments to your Board of Directors, we can help you to make those selections, as well.

NYSE_WallSt

policyIQ: powerful, easy to use and have up and running in no time

RGP’s Governance, Risk and Compliance tool, policyIQ, is easy configure, implement, roll-out and maintain for a range of purposes that serve companies who are seeking public offering. For more than ten years, policyIQ has served clients for the development and maintenance of their SOX 404 documentation, policies and procedures, and automation of their management certification processes.

Clients also take advantage of policyIQ’s flexibility, security features and accessibility to serve their related needs; including as a data room for their Board of Directors and for the development and review of their Prospectus.

Recently, we have worked with clients to make a fresh start, helping them to automate their Financial Statement Risk Assessment and relating their significant accounts and disclosures to relevant assertions and associated risks, controls and tests. We have also made quick work of capturing the 17 Principles required by the 2013 COSO Framework, the associated 87 Points of Focus and helping clients through their transition process—mapping to relevant controls, identifying gaps, performing rationalization and strengthening documentation and procedures, where necessary.

A different kind of software provider—in the best possible way

While many other products have come and gone, been bought and sold, and experienced lags in support, development and testing that have proven difficult for their users, policyIQ has a very different history. RGP has owned policyIQ and supported policyIQ clients in the marketplace for more than a decade. Our software has undergone 29 major and more than 30 minor releases in that time, carrying out thorough testing prior to each release, without ever charging our clients for the latest enhancements or upgrades. We operate differently than a typical software provider; we work hard to keep our software up to date (offering the latest in technology and services) while keeping the cost very affordable.

Reach out to us with any questions regarding RGP’s Pre-IPO services or software. We have approximately 3,000 professionals in nearly 70 offices around the world—someone near you—ready to help you take the next step!

Thinking about going public with an IPO? Now is the time – and Resources can help!

signatureWith President Obama’s signing of the JOBS (Jumpstart Our Business Startups) Act in early April, the regulatory requirements for a company considering going public have been lessened – making now a great time for a growing company to consider an IPO.  Resources Global Professionals’ own Colleen Cunningham, Global Managing Director of Finance & Accounting, discusses the Act in more detail in her most recent blog post.

“…the new law also eases many of the restrictions on early-stage business investing that have been in place since the original Securities Acts in the 1930s. As such, the process of “going public” as well as “being public” will be much easier for those companies that meet the definition of an “emerging growth company” (those with annual gross income under $1 billion in the most recently completed fiscal year).”

Colleen and the team at Resources have also prepared a summary of the Act, available online in our latest Financial Alert.

If you are a private organization considering an IPO, reach out to us and we’ll connect you to Resources Global experts in your city who can help you navigate the process.