IPO Readiness Sarbanes-Oxley Compliance & Other Considerations Presented by:
IPO Readiness Enhanced Financial / Legal compliance SEC / Stock Exchange Compliance Entity Structure / Registration Filing Requirements Establish Audit Committee External Audit Considerations Independence / registered with PCAOB Internal Audit Department NYSE and Nasdaq Requirement Sarbanes-Oxley Compliance Section 302 Quarterly Certification Section 404 Annual Disclosure and Certification Add operating expense requirements One time cost of $500k to $1M for Sarbanes Oxley Compliance / Legal support One time investment banking fees, audit fees, legal fees of $XX for IPO/Structured Deal Annual ongoing cost of $3M+ for Board of Directors, legal, finance and IT support
Audit Committee An Audit Committee, composed of independent outside directors with at least one financial expert, is required for all publicly traded companies. The SEC requires the Audit Committee to have: at least one fully independent member at the time of an issuer's initial listing a majority of independent members within 90 days, and a fully independent committee within one year.
Audit Committee Responsibility plays a critical role in providing oversight over and serving as a check and balance on a company's financial reporting system. provides independent review and oversight of a company's financial reporting processes, internal controls and independent auditors. provides a forum separate from management in which auditors and other interested parties can candidly discuss concerns. helps to ensure that management properly develops and adheres to a sound system of internal controls, that procedures are in place to objectively assess management's practices and internal controls, and that the outside auditors, through their own review, objectively assess the company's financial reporting practices.
Audit Committee Directly responsible for the appointment, compensation, retention and oversight of the work of any registered public accounting firm and each such registered public accounting firm must report directly to the audit committee; Must establish procedures for the receipt, retention and treatment of complaints regarding accounting, internal accounting controls or auditing matters, including procedures for the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters; Must have the authority to engage independent counsel and other advisors, as it determines necessary to carry out its duties; and Each issuer must provide appropriate funding for the audit committee.
External Auditor Each company applying for initial listing must be audited by an independent public accountant that is registered as a public accounting firm with the Public Company Accounting Oversight Board, as provided for in Section 102 of the Sarbanes-Oxley Act of 2002 Must adhere to PCAOB audit, ethics, and quality control standards Prohibited from providing certain non-audit services to audited companies Required lead audit partner rotation every five year
Internal Audit Department NYSE Listed companies must maintain an internal audit function to provide management and the audit committee with ongoing assessments of the listed company's risk management processes and system of internal control. A listed company may choose to outsource this function to a third party service provider other than its independent auditor. All listed companies must have an internal audit function in place no later than the first anniversary of the company's listing date. NASDAQ Considering similar requirements to NYSE
Sarbanes-Oxley Compliance Section 302 require the principal executive and financial officers of a public company to certify in their company's annual and quarterly reports that such reports are accurate and complete and that they have established and maintained adequate internal controls for public disclosure. Section 404 mandates that all publicly-traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness.
Sarbanes-Oxley Section 404 Risk Assessment Determine scope of compliance requirements based on materiality Documentation Complete walkthroughs Create or update process narratives and risk control matrices Compliance with COSO Framework and Entity Level Controls Review Testing Phase 1 Design Effectiveness Phase 2 Operating Effectiveness Company Assessment
Sarbanes-Oxley Compliance Plan Identify financial statement elements and complete financial statement risk assessment Complete entity-level risk and control assessment Designate standard framework for documenting and testing internal controls Document information flows, policies and procedures of critical processes Identify key controls mitigating the key risks Identify fraud risks Assess control design effectiveness (achieve objectives) Testing of key controls (overview) Perform walkthroughs of key processes Perform detailed sample testing Perform post-remediation testing Perform year-end follow-up/roll-forward testing Validate control operating effectiveness (operating as designed) Design and implement solutions for control gaps and weaknesses Evaluate use of service organizations Complete IT-related control assessment Validate management assessment with external auditor Establish timeline and other administrative aspects Establish process for executive certification Create Ongoing Plan Develop project communication plan with management and external auditors
Process and Control Documentation Includes all key business processes (financial and IT) as identified within the SOX risk assessment A Walkthrough validates the process and internal controls are operating as documented. Includes: Review of the existing documentation (e.g. narrative, risk control matrix, policies and procedures, etc.), interview process owner(s), and obtain supporting documentation. Recommend changes to the process documentation requirements to mitigate all control deficiencies
COSO Framework COSO - the system of internal control supporting the external financial reporting objective (e.g. SOX) must include five interrelated components: Control Environment Risk Assessment Control Activities Information Communication Must achieve 17 principles within the 5 interrelated components
Entity Level Controls The Tone at the Top sets the baseline for SOX compliance. Obtain and review the company s policies and procedures Obtain and review existing charters (Audit Committee, Internal Audit, Disclosure Committee, etc.) Interview or send questionnaires to Senior Leadership Team, Audit Committee Chairperson and partner from external audit firm (see note below) Review BOD and Audit Committee agendas and minutes Obtain and review all process sub-certifications Understand the organization s ethics climate, including code of conduct, conflicts of interest, etc. Understand and review Corporate Governance and Risk Management structure
Internal Control Testing The goal is to test the design and operating effectiveness of the key controls. Sample sizes will vary based upon the frequency of a transaction and control execution. Typical sample sizes are as follows: Daily 25 Weekly 10 Monthly 5 Quarterly 2 Annually 1.
Company Assessment Company Assessment evaluates deficiencies in aggregate to summarize the organization s assessment on internal controls over financial reporting. Prepared once all phases have been completed. Evaluates and consolidates deficiencies, explains remediation plans, and presents the conclusion to management.
Sarbanes-Oxley Compliance Timeline This is the optimal timeline that gives clients enough time to remediate deficiencies. It can be sped up based on client s need and ability to quickly remediate(if needed). Description Year 1 Y 2 M1 M2 M3 M4 M5 M6 M7 M8 M9( M10 M11 M12 M1 M2 M3 M4 M5 M6 Risk Assessment Documentation & Walk Thrus Finance IT General Controls COSO & ELC Review Testing (Finance & IT) Initial Testing Update Testing Year End Testing Remediation Testing Company Assessment Vonya Global would request that one key Company X employee be assigned at least part-time to the entire Sarbanes-Oxley compliance effort. This person will assist with introductions, coordination, meetings, obtaining documentation, etc.
Sarbanes-Oxley Compliance Budget Detail Control Design Evaluation Control Operating Effectiveness Testing Documentation & Walkthroughs Initial Testing Remediation Testing Update Testing Accrued Liabilities 40 50 25 12.5 Fixed Assets 40 50 25 12.5 FSCP 80 100 50 25 Inventory 80 100 50 25 OTC - AR and Allowance 40 50 25 12.5 OTC - Cash App 40 50 25 12.5 OTC - Revenue 80 100 50 25 Payroll 40 50 25 12.5 Purchase to pay 60 80 40 20 Taxes 40 50 25 12.5 Treasury 30 40 20 10 ITGC 275 275 137.5 TBD 845 995 497.5 180 Budget estimates the specific time per cycle for 3 rd party resources only. Budget does not take into account time required by Company X employees Additional time required by Company X employees per cycle includes: Documentation 8-10 hours includes interviews and various reviews Walkthroughs 6-8 hours All Phases of Testing 50-60 hours to pull samples and answer questions Deficiencies 10-15 hours Other - 16 hours - this generally is training (IPE, evidence of review, etc) and other conversations with process owners Total = 90-110 hours per cycle Remediation testing cannot be determined specifically, but in an immature control environment there is high likelihood of significant control deficiencies and hence more remediation testing required. Estimated at 50% of initial testing.
Top Reported Deficiencies Top 6 Ineffective Internal Control Accounting Rule Violations Reported by Auditors From 2004-2011 Rank Frequency Percentage Description 1 733 10.82% Tax Issues / FAS 109 issues 2 676 9.98% Revenue Recognition Issues 3 573 8.46% Liability & Accrual Estimation Failures 4 554 8.18% Current Asset Issues 5 528 7.79% Inventory, COGS Issues 6 423 6.24% PPE, Intangible Asset Issues
Internal Audit Budget Outsourced Staffing Minimum Requirements Establish Internal Audit Charter Create Internal Audit Reporting Structure Create Internal Audit Templates Conduct Internal Audit Risk Assessment Present Findings to Audit Committee Total 320 400 hours (~$100K) Only in Year 1 Optional Requirements Create Internal Audit Project Plan based on result of Risk Assessment Complete projects on Internal Audit Plan Present Findings to Audit Committee and Management Total 160 240 hours per project (typical--~$50k per project x 4 projects = $200k)
About Vonya Global A management consulting firm providing internal audit outsourcing services Founded by Sargon Youmara, Steven Randall, and Veronika Fritz The 3 founding partners have worked together serving the internal audit community in Chicago since 2000 Assisted hundreds of companies through Sarbanes-Oxley Compliance, including the first ever Section 404 filer (Qualcomm) Internal audit team is comprised of experienced full-time permanent staff, most of whom have over 10 years of professional experience
Vonya Global Client Profile Publicly traded corporations Locations in multiple countries Under $5 billion in annual revenues Facing change (rapid organic growth, acquisition, divestiture, etc ) Technology, Manufacturing, Healthcare, Retail, Financial Services, Waste Management