Special Purpose Acquisition Company (SPAC) is the hottest acronym to hit the accounting streets since generally accepted accounting principles (GAAP) and internal controls over financial reporting (ICFR). Every direction you turn, another SPAC is raising capital in an initial public offering and using the proceeds to snap up private companies to take public.
While navigating the SPAC lifecycle, many target company CFOs prioritize accounting readiness initiatives such as auditing of historical financials or crafting accounting standard memos, but it is imperative that considerations be made for meeting requirements associated with Sarbanes-Oxley (SOX). When working with pre-IPO or pre-SPAC companies, it is not uncommon to hear CFOs say they were unprepared for the demands associated with meeting SOX 404 requirements and the complexities involved with its adherence.
Here are five tips for CFOs and executives to consider as it relates to SOX readiness brought on from the completion of a SPAC merger.
1. Continually Monitor Your Financial Profile
Requirements associated with Sarbanes-Oxley can vary significantly depending on the financial makeup of the newly public company. A majority of companies will emerge from their SPAC merger as an Emerging Growth Company (EGC) with annual revenues less than $1 billion and a public float less the $750 million, affording them a longer runway to achieving 404(b) compliance. However, during the first years as an EGC, revenues and stock price can rise to a point where the criteria outlined above are surpassed, leaving a company scrambling to meet SOX 404(b) requirements and auditor attestation over ICFR. In the event action is to be taken around Sarbanes Oxley, it is important that companies continuously monitor their financial performance quarter to quarter.
2. Start SOX Readiness Efforts Early
Whether you anticipate meeting the criteria of an EGC upon acquisition and are subsequently exempt from Sarbanes-Oxley 404(b) requirements, or surface as a large-accelerated filer with a short window to achieve Sarbanes-Oxley standards, it is vital that management implements a plan to address these requirements as soon as practicable due to the time and effort necessary to complete the process. Efforts to achieve SOX 404(b) compliance from scratch can take upwards of four to six quarters when you take into account the time to conduct process walkthroughs, document controls, remediate design gaps, and execute detailed testing, among other activities. Whether a SPAC merger is imminent, or the prospect of such activity is on the horizon, best practice is to develop a strategic plan agreed to by management as soon as possible.
3. Be Prepared for Heightened PCAOB and Auditor Scrutiny Around ICFR
The Public Company Accounting Oversight Board (PCAOB) has substantially increased their demands on audit firms and companies with respect to ICFR. Auditors are performing more extensive, costly, and time-consuming audit procedures related to internal controls in order to demonstrate that the controls are working at “a level of precision” necessary to detect and prevent material misstatements. Internal controls and SOX efforts are no longer a “check the box” activity, but one that requires robust planning, time, and documentation to meet increasing demands from the PCAOB.
4. System Selection – Automated versus Manual Controls
Executive management should utilize the time afforded to them prior to requiring compliance with SOX 404(b) – whether as an EGC or accelerated filer – to determine if their current system ecosystem is sufficient to scale with the growing business. While the short-term cost of implementing a new enterprise resource planning (ERP) system, human resource information system (HRIS), or procurement application may be high, it will save companies in the long run as these help create fast, efficient, and effective controls that can be tested using more accurate and inexpensive methods than manual controls. Additionally, when implementing new systems, don’t forget to account for IT General Controls which require detailed documentation to support granting and removal of access, changes to in-scope applications, and backup of system data, among other things.
5. Implement a Next-Gen Governance Risk and Compliance (GRC) Tool
Companies can quickly find that efforts to achieve SOX 404 compliance is a labor intensive and extremely manual exercise, filled with Excel spreadsheets, Visio flowcharts, and Word testing sheets. As the newly public company begins to scale and grow, early adoption of a next-gen GRC tool will have lasting benefits.
While it may not be front of mind for many executives, it is a common theory that the path to SOX compliance is one of the most challenging aspects of a public company, requiring time and attention across all functional areas of the company. These tips will better prepare executives for the journey ahead.