The JOBS Act - Reflecting on SOX requirements

It is incredible to think that the JOBS Act is now more than 11 years old.

The Jumpstart Our Business Startups (JOBS) Act was enacted by the Obama administration in 2012 with a target to arrest a long-term decline in IPOs. It did this by easing some of the perceived barriers to entry to the US Capital Markets which it was hoped would drive more IPOs. That increased IPO activity would then, in turn stimulate the US labour market.

The JOBS Act establishes the category of emerging growth company (EGC), which the SEC defines as a company issuing stock for the first time with a total annual gross revenue of less than $1.235 billion during its most recently completed fiscal year. The JOBS Act provides a series of reliefs for these qualifying companies from some of the registration and ongoing reporting requirements related to an IPO. Most commentators report that the JOBS Act has been a success. Whilst undoubtedly buoyed by market conditions, IPOs have increased in those 11 years, and many CEOs and CFOs report the JOBS Act had a beneficial impact in reducing the burden of the IPO process.

At BDO, we work with many companies who have either been through an IPO using some of the reliefs or are considering one.

Exploring the reliefs for EGCs

One area that provides significant relief is the deferral of the auditor’s attestation of internal controls over financial reporting. This is found under section 404b of the Sarbanes-Oxley Act (SOx) for up to 5 years after the IPO, so long as the company qualifies as an EGC. An audit of controls can be an intensive time investment for all involved; and the ability to defer that for a meaningful amount of time is often seen as very attractive. Note this relief does not apply to the company’s attestation under section 404a of SOx, which will need to be issued from the second annual report filing.

Notwithstanding that, it is important to remember this is a deferral rather than something that removes a requirement altogether. It is really important therefore that management and auditors are engaged ahead of time to avoid reaching year 5 with no pre-work or planning in place – otherwise this will put Companies and their auditors on a difficult pathway.

Key observations to consider early on

Given the volume of recent IPOs, there are many EGCs out there who are in their period of relief and my strong encouragement to them is to start talking with appropriately registered and experienced auditors to plan for 404b. It is never too early.

After years of leading integrated audits, which combine the financial statement audit requirements with controls-based audits and reporting under 404b, here are some key observations to consider of things which are worth thinking about early.

1)?????Documentation – 5 years is a great period of time to get some really robust documentation of controls and processes in place. Good documentation of processes and controls can drive process improvement and excellence. Companies will often have their own internal documentation in place created for their own needs, but will need to challenge themselves as to whether it will stand up to the rigours of an external audit. Have all instances of what could go wrong been identified? Are control owners identified and aligned with the controls and how will doubtless changes in the business processes be captured? There will be many options on how to document the processes, which may be done by the Company or by use of supporting experts. Start thinking about documentation early.

2)?????Dialogue – It is really important to build up positive dialogue about SOx. We are huge believers that a controls-based audit approach is the most effective way to execute an audit. Done well, it removes surprises and risk from the audit, presents opportunities to improve how things are done and focuses management and audit teams on what is important. How organisations engage with SOx requirements is a barometer to the overall success of a SOx implementation project. It is important to remember controls go far beyond the finance function, and early engagement with other teams (particularly production and IT) is of high importance.

3)?????Deficiencies – these are a fact of life in a controls audit. It is important to remember that an auditor’s mindset will change from “what has gone wrong” to “what could have gone wrong.” Often more things could have gone wrong than actually did, so companies typically should be accustomed to a longer list of control deficiencies than audit adjustments. Control deficiencies are also often more judgemental than audit differences. They also can be more emotive, particularly when considering reportable material weaknesses. Clear communication channels are key and very often companies will want auditors to do “dry runs” of controls testing in the period before reporting begins.

4)?????Dealing with challenge – as set out above deficiencies will arise. The dynamic of how they are dealt with will be important. Companies and their auditors should be ready to assess the impact of deficiencies and should really be setting in place a cadence to do this in a sustainable way before the all-important year of adoption. Companies will need to consider the impact of deficiencies and whether mitigating or compensating control exist.

5)?????Data – auditors will be very focused on the integrity and accuracy of data and system reports used in the control framework. Questions around where that data has come from, and how the control operator is satisfied on the completeness and accuracy of that data will be asked. Often answering those questions is not straightforward and involves the input of IT specialists and/or service organisations. Not addressing this question early can lead to material weaknesses which may not be remediated timely.

?6)?????Diaries – this might seem like a strange one to include, but we cannot understate how important project management is to a controls audit. Considering external auditors, management, internal audit and other advisors there are many stakeholders involved. Controls will need to be tested through the year and complex issues resolved through engaged working party groups. Setting these protocols and establishing relationships will be key to making these a success. Reporting timelines are often put under pressure and companies will deploy resource to specifically focus on project management.

Controls audits are a requirement as a US listed company. We believe this is actually a great thing for Companies and the wider ecosystem, and believe other markets should follow.

Notwithstanding that, there is a cost and time commitment to embed and the deferral as part of the JOBS Act is rightly very helpful. The deferral can also give management and auditors a great opportunity to carefully plan out the 404b audit when it arrives.

We trust this is a useful list for those of you who are embarking on this journey.

For more information or to have a conversation about what’s involved in an audit of internal controls, please contact Joe Lucey or myself.?