SOX for Pre-IPO Companies: A CFO’s Tips for a Successful Exit

Of the many competing priorities finance teams at pre-IPO companies must balance, Sarbanes-Oxley compliance (aka SOX) can often get pushed back. When preparing for an initial public offering, the CFO and finance department are predominantly engaged in higher-priority efforts including: establishing robust financial planning, systems, and reporting; developing investor relations; setting up appropriate governance structures; and conforming financial statements to meet SEC requirements. Moreover, U.S. or foreign newly public companies are allowed a one-year grace period — outlined in the SEC’s Final Rule Release No. 33, formalized in 2009 — to be fully compliant with the Section 404 internal control requirements, which may also contribute to organizations pushing back SOX compliance.

Yet, it’s never too early to start setting the foundation for SOX compliance in your organization’s culture and processes. Since 2016, an average of 43% of pre-IPO companies disclosed at least one material weakness before going public, PwC reports. Material weaknesses are not only potentially damaging to the reputations of a company’s audit committee and executives, they can also decrease shareholder confidence in your company and even negatively impact your share value. This is why many consulting firms including EY, PwC, and RSM recommend starting your SOX compliance preparations 12-24 months in advance of an IPO. 

In my experience, having an 18-24 month runway to establish the people, processes, and technology required for SOX compliance will not only set you up for a successful IPO, but also help lay a strong risk management foundation that sets your company up for future growth. In this blog, I will share what I view are the ingredients for a successful pre-IPO SOX program from a people, process, and technology perspective that CFOs can leverage to set their companies on a path for success. 

Seven Tips for Building Out a Pre-IPO SOX Program

First and foremost, my advice to CFOs is to seek proper mentorship and support early on from a CFO who has gone through the IPO process before. This is a valuable step, as there are numerous benefits to having direct access to a peer who can share their first-hand wisdom and experience. 

Taking a strategic approach to preparing your control environment for SOX compliance can positively affect not only the outcome of your IPO, but your organization’s performance as a first-year public company and beyond. The following are my key recommendations.

People

1. Hire an established CAE with experience building out a SOX program. In a CFO Circle roundtable, Carmen Lam — VP of Internal Audit at Klaviyo whose experience includes building out first-year SOX programs at Meta and Slack — noted the importance of baking in 12-18 months ahead of a target exit date to hire an internal audit leader who has had experience taking a company public. 

2. Hire an external consulting firm with experience building out SOX programs before hiring the rest of your team. Bringing in outside expertise early on will facilitate the development of your compliance program by providing best practices for documenting your controls, creating narratives, and performing walkthroughs. This guidance will help set a practical foundation for building out the expertise of your team moving forward. 

Process

3. Obtain standard SOX risk and control matrices relevant to your industry. These standard matrices should be available from your external consulting firm and are integral to building out your SOX control environment for the first time. 

4. Create workflows 12-18 months out from your pre-IPO date to document in-scope finance, accounting, and IT processes. This allows for ample time to perform walk-throughs, uncover any potential material weaknesses, and have sufficient time to implement remediation plans ahead of your exit date. 

5. Educate your organization. Invest time in properly educating your control and process owners on the importance of SOX compliance requirements, why internal controls are necessary, and how their activities impact financial statements. Though this process requires time and persistence, it is essential for successful, ongoing compliance. 

Technology

6. Use a purpose-built controls management solution to save time and consulting fees. Tapping into the power of technology at the right time can help you accelerate and streamline your SOX compliance efforts. Leveraging purpose-built technology like AuditBoard’s internal controls management solution can significantly reduce time spent on control documentation and validation due to automating the workflows described above. 

For example, AuditBoard users who upload their consultant’s RCMs and use the solution’s control certification workflow to document controls can reduce time spent on this initiative by up to 50%. In addition, having your control data in one central place can significantly reduce time spent by your consulting partner on reviewing your controls.

“Having the appropriate financial and operational controls in place is critical for success. As a board and audit committee member, this also helps me ensure accuracy and timeliness. Leveraging purpose-built technology like AuditBoard creates a strong foundation for business resilience and growth as your company’s governance, risk, and compliance needs mature.”

Roxanne Oulman, Board Member and Audit Committee Chair at Klaviyo, in a CFO Circle roundtable

7. Invest in a connected risk platform to help further drive compliance across all your assurance, risk, and controls activities. A connected risk approach to compliance differs from legacy GRC approaches by helping businesses unify around a common risk taxonomy, drive cross-functional collaboration and alignment, and surface more risk. A centralized platform acts as the cornerstone of this approach by unifying all controls, risk, and assurance data in a single source of truth, driving front-line risk and controls ownership and improving efficiency via extensive automations. 

Successful Exits Call For Proactive SOX Compliance

Material weaknesses can take significant time and energy to remediate. By starting SOX efforts well in advance of a targeted exit date, CFOs empower themselves and their teams to uncover potential material weaknesses early, effectively communicate those findings to the audit committee chair and board of directors, and buy themselves sufficient time to properly address them. By following the best practices noted above and strategically leveraging technology to streamline your efforts, you can confidently navigate the path to SOX readiness, helping to pave the way to a successful IPO outcome. Ultimately, starting early can help you embrace this journey with confidence, knowing that your diligence and foresight will pay off in the long run.