SOX Center of Competence Germany | The 6 Questions SOX Leaders Must Ask Themselves | Internal Controls Survey | COVID-19's impact on SOX 404 programmes | Internal controls over financial reporting | Outlining a programme that meets stakeholder expectations | Uncovering the full picture of control costs | Maintaining controls in a COVID-19 environment
For each of the past three years, 26 –34 percent of U.S. based, NYSE and NASDAQ IPOs have disclosed material weaknesses in their S-1/S-1A filings.
Material weaknesses primarily fall in areas of accounting complexity that require the use of estimates and judgement, such as business combinations, tax, equity, financial reporting, accounting estimates and non-routine and complex transactions. Errors in the Statement of Cash Flows are commonly referenced in material weaknesses around the financial reporting process. Material weaknesses are typically the result of control gaps or controls and processes that have not been properly designed, rather than controls that fail to operate. Companies should not overlook the technology aspect of financial reporting. Often systems used by private companies are not able to scale to the requirements of public companies.
1. Summary of material weaknesses reported by recent IPOs
Luisa v. Esterházy
Partner, Audit, Regulatory Advisory, Sustainability Reporting & Governance, Risk Compliance
KPMG AG Wirtschaftsprüfungsgesellschaft
Process areas with highest concentration of material weaknesses
2. Examples of material weaknesses
Common themes
Inadequate control design/lack of control
"... lack of effective communicaton and coordination between the accounting and operations personnel ... which resulted in a number of adjustments..."
"... internal controls related to the cash disbursements process were not adequately designed to identify unauthorized payment requests... we were subject to a cyberattack by a third party. This deficiency in our controls resulted in the theft of a portion of our funds."
Segregation of duties issue
"... limited personnel resulted in our inability to consistently establish appropriate authorities and responsibilities in pursuit of our financial reporting objectives..."
Lack of accounting resources and expertise
"... lack of a sufficient complement of qualified personnel within the accounting organization who possessed an appropriate level of expertise, experience and training commensurate with our corporate structure and financial reporting requirements..."
Systems/ technology/ ITGC
"... IT general controls weaknesses in managing access and change in our significant financial systems..."
Inadequate/lack of formal policies and procedures
"We did not design and maintain formal accounting policies, processes and controls to analyze, account for and disclose complex transactions."
Control not operating effectively
"... ineffective controls procedures ... [and] ineffective monitoring of controls related to the financial close and reporting process."
Top 6 process areas
Financial reporting
"Ineffective controls related to the review of the consolidated statement of cash flows, including the operating and financing cash flows..."
Systems
"Lack of integrated financial reporting systems necessitated a highly manual and error prone internal control environment."
Tax
"... did not have controls designed to address the accuracy of income tax expense (benefit) and related combined balance sheet accounts, including deferred income taxes, as well as adequate procedures and controls to review the work of external experts engaged to assist in income tax matters or to monitor the presentation and disclosure of income taxes...
Equity
"... administration of capital stock transactions, including stock issuances and a reverse stock split which were not effected in accordance with the requirements of applicable law and the communication of stock option awards which were not validly authorized."
Non-routine/complex transactions
"... insufficient complement of experienced personnel with the requisite technical knowledge of financial statement disclosures and accounting for non-routine, unusual or complex events and transactions."
Accounting estimates
"... lack of sufficient qualified accounting personnel and controls with respect to the review of third-party valuations used to determine the fair value of our preferred stock tranche obligations and the recording of the corresponding fair value."
3. Key takeaways
- For each of the past three years, 26 - 34 percent of U.S.-based, NYSE and NASDAQ IPOs have disclosed material weaknesses in their S-1/S-1A filings.
- Material weaknesses primarily arise in areas of accounting complexity that require the use of estimates and judgment, such as business combinations, tax, equity, financial reporting, accounting estimates and non-routine and complex transactions. Errors in the statement of cash flows are commonly referenced in material weaknesses around the financial reporting process. Private companies often do not have the in-house expertise and/or resources are stretched too thin to appropriately identify, analyze, and account for such transactions.
- Material weaknesses are typically the result of control gaps or controls and processes that have not been properly designed, rather than controls that fail to operate. Companies should perform a proper risk assessment, including identification of "what could go wrongs", and ensure controls are designed at an appropriate precision level and performed by competent personnel.
- Companies should not overlook the technology aspect of financial reporting. Often systems used by private companies are not able to scale to the requirements of public companies. Additionally, IT general controls and application controls are not properly implemented to ensure financial information is appropriately safeguarded and accurately processed.
- 2018 data showed an increase in the material weaknesses referencing the general control environment. Management should be careful to design and maintain an effective control environment commensurate with the financial reporting requirements of a public company. This includes putting in place monitoring controls, policies, proper authorities and segregation of duties, as well as control structure and oversight in the design and implementation of systems. Lack of resources and/or lack of resources with the right expertise is the number one driver of an overall ineffective control environment.
4. Lessons learned from prior IPOs
- Start early: A key success factor for getting a pre-IPO company through SOX compliance is starting early. While timing may vary by company size, structure, number of locations in scope, etc., it takes at least a year or more to get a company through its initial SOX compliance effort. Many pre-IPO companies do not have employees with recent SOX experience and thus tend to discount the effort related to the changing regulatory environment. The burden of leading the SOX compliance effort typically falls on Accounting and Finance along with other IPO responsibilities.
- Tone at the top: Getting buy-in from the Executive Management team, including the CEO, CFO, and CIO is essential. Communication that comes directly from upper management supporting the SOX effort and reemphasizing this message during strategic meetings/discussions throughout the course of the project helps ensure success.
- Key employees: Employees that need to provide support or that may be impacted by SOX should be notified prior to kicking off the project and should receive SOX awareness training. A kick-off meeting with key executives is highly recommended.
- Dedicate resources: Most companies underestimate the number of resources required to successfully navigate through a company's first year of compliance. If the company does not have an established Internal Audit department, resource needs should be addressed early on by hiring or collaborating with outside consultants.
- Cost: Although companies are aware that the initial cost of compliance is high, most companies still underestimate this cost.
- Risk and reward: Companies should strive to take a risk-based approach to SOX and consider this exercise as a means to add value and improve processes while achieving an important compliance requirement.
- Transition from private to public: The transition from being a privately held company to a public company can be significant. The additional hurdle of getting the company through SOX compliance makes this process even more challenging.
- Expect change: Depending on how well the company and its finance and accounting functions are structured, the company may experience slight to significant changes after the completion of its initial documentation and identification of design gaps.
- New processes: While existing processes may change, the company will also need to establish new processes as part of being a public company.
- Technology considerations: Companies that have not adequately invested in technology and tools for financial reporting and business operations may struggle with technology and system limitations. This may require additional resources to implement new technology/systems or customize existing systems and reports. The IT effort required for SOX compliance should not be underestimated. Additionally, to the extent possible, companies should consider implementing necessary new systems prior to the IPO. KPMG uses multidisciplinary teams that typically include Internal Audit, IT and Tax.
- External auditor: It is important to get external auditors involved early on during the process to understand their expectations related to auditor reliance and to get buy-in on the scope and timing of the project. KPMG's experience as an auditor of public companies and in working with other Big Four firms can help to navigate your discussions with the external auditors.