SPACs and IPOs pose challenges for SOX compliance

The record number of companies going public through special purpose acquisition companies and initial public offerings last year could be facing some extra hurdles when it comes to Sarbanes-Oxley rules.

A recent POV report from Deloitte aims to help public company CFOs and management teams become SOX ready. Section 404 of the Sarbanes-Oxley Act of 2002 requires public companies to set up an internal control structure and evaluate it. Their annual reports need to include the company’s own assessment of internal control over financial reporting, along with an auditor’s attestation. However, the SPAC process has allowed many companies to fast-track the process of going public by setting up shell companies, and the Securities and Exchange Commission is starting to call them out for neglecting some of the accounting requirements. Section 302 of SOX covers the disclosure controls and procedures, while Section 906 requires certification by the CEO and CFO of periodic reports containing financial statements.

“The SPACs are considered an acquired entity because the SPAC acquirer is the shell and they’re already an existing public company,” said Lindsay Rosenfeld, managing director and co-leader of governance, risk and controls for Deloitte & Touche LLP. “Then they acquire the SPAC target, who then becomes the full public entity as opposed to the traditional IPO, where the company does an IPOs on their own and they’re not acquired by an already existing holding company. In some cases, that can accelerate the SOX compliance timeline. In a traditional IPO, you have until one year after your first 10-K to be 404(a) compliant. You always have to be 302 and 906 compliant for the 10-Q, regardless of whether it’s a SPAC or traditional IPO, after your first 10-Q. But a lot of these SPAC entities are having to accelerate their 404(a) requirements, and the rule makers haven’t commented on that or adjusted any of the regulations to allow them that one-year deferral. That does become a challenge for some of these SPAC companies to navigate.”

SEC building with official seal
The Securities and Exchange Commission headquarters in Washington, D.C.
Joshua Roberts/Bloomberg

SPAC transactions increased from 248 in 2020 to a record 613 last year, according to SPAC Analytics. Heightened scrutiny from the SEC may have depressed SPAC activity to some extent this year, but it’s still a hot market for SPACs and IPOs.

“The market’s been going up and down,” said Rosenfeld. “We still see a significant amount of SPAC companies registered with the SEC, and they only have 18 months to find that target and take the target public. We don’t see that market cooling, and we don’t see the IPO market cooling. There are still a good number of SPAC companies that are listed and are looking for targets.”

Nevertheless, CEOs and CFOs need to overcome a number of challenges to become ready for SOX compliance for the first time. “One of the key questions that I’m often asked and one of the reasons why we wrote this POV is what do I really have to do from an S-1 filing perspective, their first initial filing document for the IPO?” said Rosenfeld. “What do I really have to do from a 302 and 906 compliance perspective? And then what can I wait to do later for a 404(a) or 404(b) perspective? That’s the journey that we’re looking to help companies on how they scale and what to really focus on each one of those milestones. There’s a lot of judgment involved in making that decision. The rules aren’t so explicit as to exactly what has to get done in each one of these milestones. For the S-1, the initial filing, it’s really silent. There’s no SOX requirement for that first filing, yet if a company knows that they have a material weakness, that’s considered material information for the investors and should be disclosed as a risk factor. So then the question arises: What should companies know and not know for that first S-1? Then you fast forward to 302 and 906, which are controls over disclosures and procedures. What is enough to do to get them comfortable with certifying that their financial statements in their filings are accurate and complete? It really takes looking at it from a risk-based perspective. Where is the risk within the organization that could result in those financial statements not being accurate and complete, doing that scoping and risk assessment, making sure that you’re focused on the right place for those 302 and 906 certifications. Often what we talk about is trying to not do too much, too fast. Take a systematic approach with a lens on risk to the organization. What do they need to do to make sure they’re in compliance, but also mitigating their risk?”

SPAC acquisitions provide a kind of shortcut to an IPO, but the level of risk varies. “It depends on the preparedness of the SPAC target,” said Rosenfeld. “Each situation’s a little bit different, but what we are seeing is that the number of companies that are going to market in their initial offering with a material weakness, whether they’re a SPAC or a traditional IPO, is quite significant, somewhere around the 50% mark of companies that go public with material weaknesses. I don’t know the separation between SPACs and traditional IPOs, but I’d say anecdotally that the SPACs probably have more than the traditional IPO companies. It may depend on the size of the company, how long they’ve been thinking about and preparing for entry into the public market. But they’re using that vehicle of material weakness to mitigate some of that compliance risk, to say we are disclosing to the public that we do have material weaknesses in our controls over financial reporting.”

Companies have to go beyond disclosing the material weaknesses to potential investors. They also have to take steps to fix them.

“If companies don’t address their material weaknesses over many quarters and year-ends, the SEC will comment on that in comment letters on what they’re doing to address material weaknesses,” said Rosenfeld. “They’re required to disclose in their public filing what they’re doing to prepare to address those material weaknesses.”

Companies need to work on remediating the weaknesses in internal controls and get the right personnel in place to test them. “For some of these companies, the burden on remediating those material weaknesses is pretty sizable,” said Rosenfeld. “It comes down to a risk assessment. It comes down to scaling what is most important to remediate and what maybe can be left on the table to remediate later. All of it should get remediated and would need to be remediated over a period of time, but balancing what is possible for the organization to get done, given that they’ve got so many other things going on too. SOX is just one piece of the pie in what companies need to do when they go to market. They’re now on tighter deadlines for closing financial reports on a quarterly basis. They’ve got investor relations, they’ve got earnings releases. There are all sorts of other things that the organization has to do as a public company. Helping them think through how to prioritize and focus on what really matters is an important part of the process.”

For reprint and licensing requests for this article, click here.
Audit Sarbanes-Oxley Deloitte IPOs
MORE FROM ACCOUNTING TODAY