IPO Readiness: A Corporate Governance Perspective

IPO Readiness

While 2016 was a comparatively slow year for initial public offerings, the expectation for 2017 is much more positive as economies grow stronger. As members in the Private Equity and Investment Banking community know, filing the appropriate paperwork with the SEC is just one step in long process. There are numerous Corporate Governance considerations for every IPO and this article will address some of these.

Audit Committee

The Audit Committee is one of primary committees of a company’s Board of Directors. The post-IPO Board of Directors must be comprised of independent outside directors. An Audit Committee is required for all publicly traded companies, and must be composed of independent outside directors with at least one member serving as a financial expert. The SEC requires the Audit Committee to have:

  • at least one fully independent member at the time of an issuer’s initial listing,
  • a majority of independent members within 90 days, and
  • a fully independent committee within one year.

The Audit Committee is an essential element to a healthy corporate governance system. It’s primary responsibility is to oversee financial reporting and disclosure and specifically the Audit Committee:

  • plays a critical role in providing oversight over and serving as a check and balance on a company’s financial reporting system;
  • provides independent review and oversight of a company’s financial reporting processes, internal controls and independent auditors;
  • provides a forum separate from management in which auditors and other interested parties can candidly discuss concerns; and
  • helps to ensure that management properly develops and adheres to a sound system of internal controls, that procedures are in place to objectively assess management’s practices and internal controls, and that the outside auditors, through their own review, objectively assess the company’s financial reporting practices;
  • is directly responsible for the appointment, compensation, retention and oversight of the work of any registered public accounting firm and each such registered public accounting firm must report directly to the audit committee;
  • must establish procedures for the receipt, retention and treatment of complaints regarding accounting, internal accounting controls or auditing matters, including procedures for the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters; and
  • must have the authority to engage independent counsel and other advisors, as it determines necessary to carry out its duties.

Public Accounting Firm

Each company applying for IPO listing must be audited by an independent public accountant that is registered as a public accounting firm with the Public Company Accounting Oversight Board, as provided for in Section 102 of the Sarbanes-Oxley Act of 2002. The accounting firm must adhere to PCAOB audit, ethics, and quality control standards. The firm is prohibited from providing certain non-audit and consulting services as these services pose a conflict of interest in the firm’s ability to express and unbiased opinion on the financial statements. The PCAOB requires the lead audit partner rotate off of the account every five years.

Internal Audit Requirement

As defined by the Institute of Internal Auditors, internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. A properly implemented internal audit function should improve management, control, and organizational performance by identifying, tracking, reporting, and proposing solutions for control deficiencies, regulatory requirements, corporate governance effectiveness, and company policy compliance.

The Securities and Exchange Commission has toyed with the idea of requiring all listed companies to have an internal audit function. It was proposed in 2013, but the proposal was withdrawn. However, the NYSE does require, as a condition of listing, all companies to have an internal audit function. The NYSE Listed Company Manual Section 303A.07(c) states:

    Listed companies must maintain an internal audit function to provide management and the audit committee with ongoing assessments of the listed company’s risk management processes and system of internal control. A listed company may choose to outsource this function to a third party service provider other than its independent auditor. While Section 303A.00 permits certain categories of newly-listed companies to avail themselves of a transition period to comply with the internal audit function requirement, all listed companies must have an internal audit function in place no later than the first anniversary of the company’s listing date.

NASDAQ has been considering similar requirements

Compliance – Section 404 of the Sarbanes-Oxley Act of 2002

Section 404 of the Sarbanes-Oxley Act of 2002 mandates that all publicly-traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness. There are multiple phases to the typical SOX 404 compliance initiative which require ample time and resources to complete.

  • A Risk Assessment determines the scope of compliance requirements based on the potential impact to the financial statements (materiality).
  • Documentation is the procedure that is used to understand and describe transaction processing and identify key internal controls. The process for creating documentation is threefold, conducting process walkthroughs, creating written process narratives and flowcharts, and developing risk and control matrices.
  • The goal of Internal Control Testing is to verify the design and operating effectiveness of the internal controls identified in during the documentation.
    • Phase one of testing is the design effectiveness, which evaluates whether the control as designed meets the control objective. Controls failing the design effectiveness tests must be redesigned and retested.
    • Phase two of the testing is operating effectiveness, which evaluates whether the control is operating as designed. Control failing the operating effectiveness testing must be remediated and retested. Design effectiveness testing is completed by testing samples of transaction populations and sample sizes are dictated by how often the control is performed (daily, weekly, monthly, quarterly, annually).
  • The COSO Risk Management Framework is the method for used to determining the effectiveness of a system of internal control that supports the financial reporting process (SOX 404). COSO states a system of internal control must include five interrelated components (Control Environment, Risk Assessment, Control Activities & Information and Communication) and achieve 17 principles to be designed and operating effectively. Under the framework, all 17 principles must be present and functioning for effective internal control.
  • The “Tone-at-the-Top” sets the baseline for SOX 404 compliance and the Entity Level Controls (also called management review controls) can eliminate the need for certain rigorous process level controls. Items will include:
    • company’s policies and procedures
    • board committee charters (Audit Committee, Internal Audit, Disclosure Committee, etc.)
    • interviews with Senior Leadership Team, Audit Committee Chairperson and partner from external audit firm
    • Board of Directors and Audit Committee agendas and minutes
    • process sub-certifications
    • organization’s ethics climate, including code of conduct, conflicts of interest, etc.
    • Corporate Governance and Risk Management structure
  • The final stage is to prepare the Company Assessment, which evaluates deficiencies in aggregate to summarize the organization’s assessment on internal controls over financial reporting. The report will consolidate deficiencies, explain remediation plans, and present the conclusion to management.

Additional Staffing

The process described above will require additional staffing throughout the organization. Some will include:

  • Director of Financial Reporting
  • Tax Director
  • Financial Reporting/Accounting/ Tax Staff (multiple)
  • Legal Counsel (SEC filings/Board meetings)
  • IT Manager
  • Internal Audit Director
  • Internal Audit Staff (multiple)

Filing for an IPO is simply the first step in the process of become a publicly traded company. The rigors as described above can be quite extreme and carry a significant financial burden, upwards of $2 million in many cases. However, with appropriate planning the financial commitment can be spread over a longer period of time, which will ease the burden. A strong system of internal control is a good place to start.


This blog post was authored by Steven Randall. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit co-sourcing, outsourcing, and consulting services; a member of the Institute of Internal Auditors (IIA) Chicago Chapter Board of Governors; a Director of the Adler-Caris Foundation, a not-for-profit dedicated to raising funds for Alzheimer’s Disease research; the President of the Oz Park Baseball Association, a not-for-profit organization dedicated to providing fundamental based baseball in a safe environment in the city of Chicago; and an Advisory Board Member of the Chicago Youth Baseball Initiative, a University of Illinois at Chicago community group dedicated to providing Chicago youth with the opportunity to play baseball in a fun and safe environment, while offering educational experiences on a world-class college campus. If you would like more information about Vonya Global or if you have a question for Steve, you may contact him through this blog, the company website, twitter, or his LinkedIn Profile.