IPO readiness
Aligning technology strategy with SOX compliance
As private companies consider their path to an IPO, technology strategy plays a critical role in the journey. Even if an IPO is not the ultimate outcome, companies invest in technology capabilities and implement stronger practices to command a more competitive price when the right buyer is found. This is because, as technology becomes integral to business processes, it directly impacts two significant IPO risks: 1) Failure to close the books in a timely manner and meet SEC-required disclosure and filing requirements, and 2) Non-compliance with SEC regulations, notably the Sarbanes-Oxley (SOX) Act. While this paper focuses on the latter, we recognize the importance of systems that enable management to expedite financial closing processes.
KPMG’s most recent study into the underlying causes of Material Weaknesses within SOX programs noted that technology-related material weaknesses steadily increased from 31% in 2021 to 56% in 2024. While ‘Lack of Accounting Documentation, Policy and/or Procedures’ and ‘Lack of Accounting Resources/Expertise’ remain the top two reasons for material weaknesses, Technology is firmly in third place and rising. One or more Material Weaknesses in your SOX control environment can be expensive and laborious to remediate, and in some cases could result in a financial restatement – an outcome that is both costly and disruptive to the organization. With this in mind, it is critical to plan early for your IPO journey to limit the potential impact through pre- and post-IPO activities. The process can be complex, but one thing is clear: organizations that start planning early tend to achieve better IPO outcomes.
What to focus on early:
Complying with SOX is complex and is a significant uplift for most private organizations. Starting early is key, typically about 18-24 months from the first potential year of SOX compliance. The first thing an organization should do is consider their potential SOX timeline, based on their planned IPO period. There are several rules governing when that SOX compliance date could be, so it is prudent to establish an understanding of those dates early.
Once known, the next prudent step is to perform a readiness assessment to determine the likely scope of SOX and the current state of the environment. Almost all private companies will require uplift, but until that assessment is performed, the degree of the effort will largely be unknown. In our experience, when Executives and Management have little or no prior public company experience, they often underestimate the level of effort required.
After understanding the gaps, a prioritized, risk-based remediation plan should be developed to move the company towards a SOX-compliant environment. Some of the key questions that need to be considered when developing this plan should include:
- Which gaps are most likely to result in an adverse SOX opinion?
- Which gaps are complex, critical, and/or will take longer to remediate?
- Can our technology comply? Can our systems enforce segregation of duties and meet logging/monitoring requirements?
- What documentation (policies, procedures, narratives, control matrices) is needed?
- How do we know/meet the standard of our External Auditor in a SOX environment, and how do we build that into our plan?
- What if we don’t IPO? How far do we go to balance SOX readiness with avoiding unnecessary inefficiency?
The key challenges
Of course, this can become even more complex if the company is also in the process of implementing a new ERP or General Ledger system, all while management and employees are already operating at capacity. Let’s dive a little into some of the more common challenges:
Technology – while most technologies can support a compliant SOX environment, there may be limitations. Legacy technology, or the use of technology designed for smaller enterprises, may limit the ability to comply. If system limitations result in more manual data extraction and manipulation, they can create an unstable SOX environment subject to an increased risk of breakdowns and errors. Many modern ERPs require ERP-specific controls skills in order to fully leverage automated capabilities to better manage SOX risks. Finally, the impact of AI on SOX is still in its infancy but is coming fast – audit firms and regulators are still working through the expectations for public companies, so organizations approaching an IPO need to be braced for its impact.
While the process for IPO/SOX IT readiness follows a relatively standard conceptual process, the detail beneath can vary wildly from company to company based on several factors, e.g. complexity of the industry, number of locations, decentralization of processes, history of acquisitions, legacy technology, skillset of the internal teams and many more. For now, let’s focus on what we see as behaviors and factors that drive better outcomes.
The better behaviors driving better outcomes:
As we mentioned above, SOX compliance is complex and requires all stakeholders to work together towards a clear vision. By starting early, knowing what the gaps are and having a clear remediation plan, the organization can work in a coordinated manner towards the first year of compliance. IT components of the SOX program are driven by business processes, and changes to the IT plan should be considered in tandem with how the overall program is being executed, which is why tight project management and communication are critical.
with finance, IT, HR, and other key teams working together on the strategy and execution of the detailed plan. This is especially important for IT readiness as the IT scope for SOX is driven by upstream risk assessments and identification of critical business processes. Business process owners should own certain key decisions (e.g. determining appropriate access to systems and data, approving and testing changes to critical systems, etc.) affecting IT processes and controls and must be engaged and accountable for driving the future state for controls. Finally, some of the more significant IT gaps may require investment in system changes, upgrades or implementations, so management and executives need to understand and appreciate the roadmap.
Outside advisers are critical to provide experience and direction, influence strategy and add capacity to internal teams, but they can’t do everything and can’t always effect change. Tone at the top, both across the company and from IT leaders, and accountability for making change happen from within must be present to effect change in an effective way. This internal ownership and accountability provide a significantly higher chance of success.
There is no substitute for experience when it comes to SOX implementation. Individuals who have a deep understanding of the regulation AND have a prior track record of supporting implementations are uniquely placed to guide your teams through the process from beginning to end. Working with experienced IPO SOX teams offers the advantage of understanding the nuances between SEC and PCAOB requirements, the latter of which govern your External Auditor. This expertise helps navigate management’s SEC-driven demands versus what External Auditors might seek under PCAOB influence. Additionally, these teams are well-versed in the methodologies of major public accounting firms, thanks to their extensive experience.
Ultimately, every implementation is different and key decisions, guided by internal risk appetite, external advice, your external auditors and your Executives and Board members, will be made throughout the journey. That’s why most organizations engage specialist advisers to help them navigate the process and add experience, expertise, and capacity to their teams as designs are finalized, gaps are remediated and controls are implemented.
Finally, it is important to remember that SOX doesn’t end at implementation. As a public company, SOX compliance is a living, breathing and continuous requirement, so any newly implemented processes must translate into documented, consistently executed behaviors – the new standard for day-to-day, sustainable execution.
For more information, or to start planning the impact to your technology environment, contact us to see how we can help.