Companies that went public before the slowdown in the IPO and SPAC markets have been having trouble complying with the internal control audit requirements of the Sarbanes-Oxley Act, according to a recent report by Deloitte.
The market for initial public offerings and for special-purpose acquisition companies, the shell corporations (also known as blank-check companies) that helped businesses go public through mergers, boomed in 2020 and 2021. It slowed to a crawl last year because of the rise in interest rates, closer scrutiny by the Securities and Exchange Commission of the accounting used by SPACs, and a number of high-profile failures of SPAC mergers. But those companies that went public and survived now face challenges in complying with Sarbanes-Oxley.
The
"All of us witnessed the record-breaking IPO and SPAC activities in 2020 and 2021, and a lot of those companies are not without growing problems," said Kajal Shah, a partner in accounting advisory and transformation services at Deloitte & Touche LLP, who co-authored the report. "One of the key challenges that a lot of newly public companies are facing is Sarbanes-Oxley and internal controls over financial reporting. The root cause of this could be that a lot of companies still look at SOX compliance as a one and done, check-the-box mentality, whereas it's much broader than that. It certainly does take a village to get successfully SOX compliant. It's a team effort."
She believes that setting the right tone at the top is critical for companies that have recently gone public when it comes to SOX compliance. "It is going to take all of the relevant stakeholders to get successfully SOX compliant," said Shah. "CFOs and the key stakeholders of the organization have the onus on them to ensure that there is an effective tool set while embarking on a SOX implementation journey."
Companies need to have the right resources in place to achieve SOX compliance, she noted. "These companies in their pre-IPO, pre-SPAC stage — versus now being a public company — did they plan for the scale and growth in terms of their resource pool? Did they factor in the recent restructurings and workplace turnover? We've all witnessed that when there are inadequate resources, that leads to improper segregation of duties, from not having adequate resources to ensure that you have an effective SOX program as well as the monitoring of that SOX program," said Shah.
Some companies that go public fail to perform a thorough risk assessment to determine whether they have enough funds in their account balances to meet the risks they face, for example if their bank suddenly fails, and whether there are any gaps or improvements needed in their internal control activities.
"Risk assessment should be as integrated as possible," said Shah. "It's not just from a financial reporting and financial risk perspective, but there's more value added to doing a very robust and thorough risk assessment. That could bring a lot of operational value to an organization. Ensuring that the appropriate risks have been considered for all of the relevant stakeholders is key."
A public company's SOX program needs to be sustainable, so executives have to develop a plan that begins with an appropriate governance structure to achieve accountability and collaboration, for example through a SOX steering committee or through automation.
"The SOX program is here to stay, so it needs to be sustainable," said Shah. "Are CFOs and stakeholders of organizations looking at what's next? How do they scale with how the company is scaling in terms of their SOX program? Do they have the appropriate leverage with tools and technology? Are they considering automation? Are they even thinking about reassessing and modernizing their SOX program?"
Technology is pivotal to a successful SOX program, and stakeholders need to devote careful attention to the IT infrastructure. The problems Deloitte was seeing among some of its clients prompted it to release the report with guidance on SOX compliance for newly public companies.
"It is so pervasive through the entire organization that we've seen a lot of companies surface with general IT controls issues, so it does need the right level of attention and the right level of accountability and ownership within an organization," said Shah. "In a nutshell, there was a lot of what we were seeing live with these public companies that pushed us to draft this point of view, to share the guidance with others that are out there, as well as the companies that have gone public, in what you could do to address these challenges and issues that you're facing."