Maximize Your IPO With Robust Internal Controls

Maximize Your IPO With Robust Internal Controls

Read This Before You Start the Initial Public Offering (IPO) Process

Going public is the dream of many business owners. Access to stock investors gives you the resources to grow faster. A public company also has much better liquidity than a privately-owned company. If you have venture investors or angel investors, they will welcome the opportunity to realize a profit on their investment. With those benefits, it’s natural to race to the stock market and complete the paperwork as fast as possible. That’s a mistake. In fact, accounting firm EY recommends starting the IPO (initial public offering) planning process 12-24 months in advance. What if you don’t have the patience for that level of effort? Let’s explain how with a quick story.

Remember Groupon? The company built a billion dollar business by offering group discounts (i.e. “group + coupon”) to local businesses. It is a simple model and the company has grown quickly. Unfortunately, the company’s internal controls have not kept pace. According to the Wall Street Journal:

Groupon Inc. is revising financial results it reported in its first quarter as a public company, after discovering executives failed to set aside enough money for customer refunds. The popular online-coupon company’s auditor, Ernst & Young, called the error a “material weakness in its internal controls” for 2011. Groupon shares, which have been trading below their $20 initial public offering price, sank 6% to $17.20 in after-hours trading.

The company suffered two losses in this case. First, a 6% stock price drop is painful, especially for major shareholders. Second, the company’s credibility with investors will take time and effort to rebuild. As you consider an IPO (initial public offering), it pays to take your time and do it right. Otherwise, your stock price may take a big hit like Groupon.

Assess Your Company’s Internal Control Environment

Waiting for auditors to publicly report deficiencies in your company is not a winning strategy. The better approach is to carry out a detailed assessment of internal controls and management processes first. Seeking advice from a major accounting firms is one strategy that makes sense. However, if outside accountants find your business disorganized, their analysis will take longer and cost more money. That’s why we recommend assessing your company internally before seeking outside advice. Start by examining the following areas:

  • Accounting. Regulators have high expectations regarding accounting and financial practices. Seek a third party review to ensure you are ready on this front.
  • Technology controls and management. If your technology group is operating on a “move fast and break things” model, you will need to change. Testing, access management, and security are all areas that need to be considered.
  • Business strategy. A well written measurable strategy is important to develop before you become a public company. Investors will expect to receive status updates on your strategy and performance quarterly.

For purposes of this discuss, we will focus on technology controls. That’s not to say that other areas are less important though.

Mind The Gap: Your Company Versus IT Controls

To succeed as a public company, managers need to have confidence in internal controls. These processes detect and prevent risks and losses from occurring in the business. For example, use identity management controls to prevent inappropriate access to financial data. Here are a few of the most commonly used IT controls:

  • Logical access controls for data, applications, and infrastructure. “Logical access” generally includes tools and methods for identification, authorization, and authentication to systems.
  • Data backup and recovery controls. Stating that your company has backups is not enough — you need to show these backups have been tested. Imagine your company’s computers were destroyed in a fire — do you have the capacity to recover?
  • Managing IT vulnerabilities. No technology environment is perfect. Investors and regulators expect public companies to have methods to detect and manage vulnerabilities.
  • Patch management controls. Poor performance regarding patches has made many security problems much worse. For example, Microsoft releases new patches monthly for a variety of products. Building a process to monitor new patches and implement them in your environment is a key control.
  • Identity and access management. Can you prove that each employee’s access and permissions are correct? Do you have evidence of management oversight and approval? Those are typical questions that auditors will ask regarding identity management.

The Business Case for Identity Management in IPO Preparation

Your business case for identity management is easy to link to IPO preparations. Strong identity and access controls promote a healthy risk management culture across the company. Here are four factors to consider in your business case:

  • Obtain clean audits. Every company wants to publish “clean” audited financial statements. To get that result, a robust system of internal controls is needed, including identity management. Keep in mind that your internal auditors are likely to look closely at IT governance, including access and identity management.
  • Provide peace of mind to managers. Under the Sarbanes-Oxley Act (SOX), CEOs and CFOs are expected to take responsibility for the financial statements. How can they feel confident in approving the financials unless there is a process to detect and prevent inappropriate access?
  • Save time in reporting and audits. Making the transition to a public company requires a great deal of work. During the transition, you will probably have the support of external consultants. Once they depart, how can you stay compliant? Use Compliance Auditor to get ready for your audits without spending hours of management time each year.

Why These Steps Matter Even if You’re Not Going Public This Year…

After finding out about all the work required to take your company public, you might decide to take your company in a different direction. Does that mean that identity and access management doesn’t matter? Well, you may not face the same level of scrutiny as a private company. But if you skimp on control and oversight processes, keep in mind that you are exposing the company to increased risks.



EY’s guide to going public (EY)

Groupon Forced to Revise Results (Wall Street Journal)

IPO Pressure: Get Ready to Meet the IT Demands of a Public Company (TechTarget)

Written by Nelson Cicchitto