GRC Tuesdays: Governance, Risk, and Compliance as an Enabler to a Successful IPO

According to Statista, there were over 1,250 Initial Public Offerings (IPOs) on the US stock market from 2015 to 2020. And looking at the 780 priced companies for the first 3 quarters of 2021, there’s no slowing down on this front.

That’s all good, but what is the relation with Governance, Risk, and Compliance (GRC), you may ask?

In order to become public and list its shares on the stock market, a business needs to go through an Initial Public Offering – or IPO.

To do so, the business must undertake certain regulatory obligations, including following accounting standards and preparing financial statements, and it must meet the requirements of the regulatory body that oversees public companies. This includes assessing its Internal Controls over Financial Reporting (ICFR). In short, the company is asked to declare whether it can provide reasonable assurance concerning the reliability of its financial reporting.

As explained by Protiviti in their Public Company Transformation guide though, “Initial public offerings (IPOs) often generate a great deal of excitement and can give new luster to company brands. It is easy to forget that IPOs can only thrive in the right business climate – and for organizations that have undertaken the business transformation necessary to reach this stage. […] Many companies find that achieving a genuine state of readiness requires a new level of thinking, work and investment that goes far beyond what is often described as “infrastructure considerations.” For example, companies need to assess and often make substantial upgrades to their financial reporting processes or information technology (IT) environments, as well as their governance, risk and compliance (GRC) capabilities.”

When comparing this finding with the first management report on ICFR after an IPO, and more specifically with the top issues relating to internal control, it appears that IPO companies may not have the “infrastructure” mentioned by Protiviti in place quite yet:

Source: Internal Control Weaknesses Following an IPO – Audit Analytics

Time is of the Essence

Stock market experts regularly highlight that timing is of the utmost importance for a successful IPO: the company needs to be ready when the tide starts to form.

But when you are leading an emerging company, internal control and compliance might not be your top priority. As a result, external consultants are often asked to step in at the last minute (or close to it) to help the company set up its compliance processes to fulfil its regulatory needs.

Not only is this costly, but since GRC is all about achieving objectives, addressing uncertainty, and acting with integrity (hence running better), why not have these processes in place from the very start? Especially as doing so could prevent some of the issues listed above that arise during an IPO.

Most will reply that this is because investment in GRC infrastructure is not prioritized. Indeed, there is still a perception that a GRC tool will require a heavy budget, lengthy implementation timeframes, and will anyway require a lot of consulting support to get started.

But the GRC software market has changed, and this perception is somewhat outdated: standard automated solutions for segregation of duties and internal control over financial reporting, with preconfigured risk rulesets and controls, are now delivered in the cloud. This means that the company can simply subscribe to these services and be up and running very rapidly!

Access Governance & Internal Control Solutions to The Rescue

While accounting personnel competence and training are not something that a GRC tool can provide, uncovering and mitigating segregation of duties conflicts, enabling control documentation and control testing, and automating the identification of issues in system configuration, master data and transactions are definitely in scope!

For instance, with SAP Cloud Identity Access Governance, organizations can reduce the risks associated with segregation of duties (SoD) conflicts and sensitive access for on-premise and cloud solutions.

This access analysis service includes predefined and configurable SoD rules, and it enables the refinement of assignments to optimize user access for greater security and compliance.

Businesses can therefore use the service to manage access controls but also take advantage of preconfigured audit reporting.

This type of solution is well suited to optimizing time and efficiency in determining correct role assignments, which supports key audit reporting requirements.

But that’s not solving the issues relating to the deficiencies in the Internal Control over Financial Reporting process. And it’s pretty crucial to identify and remediate these issues to ensure the confidence of investors… and to stay in business of course!

As put by the American Institute of CPAs (AICPA) when explaining why Internal Control over Financial Reporting is important to a company: “Because errors and fraud can and do occur, it is important that you establish safeguards for your plan to ensure you can adequately meet your fiduciary responsibilities”.

And here again, Cloud solutions are available with preconfigured content so they can be used very rapidly. They enable the fast setup of an ICFR approach and efficient roll-out of controls.

SAP Financial Compliance Management, for instance, is one such cloud solution: it provides businesses with the tools to become compliant with internal controls, laws, and regulations.

The solution enables them to document their internal controls framework and manage potential risks to their organization, as well as develop and monitor checks put in place to ensure compliance.

This solution comes preloaded with controls (and associated automated procedures) in the areas of:

  • Journal Entries
  • Purchasing
  • Suppliers
  • Invoices
  • Payments
  • General Ledger Accounts
  • Sales Orders
  • Customers
  • Change Logs
  • Assets
  • Products
  • Contract-Based Revenue Recognition

If you are a company investigating an IPO, or simply a company that wants to improve its access governance and internal control procedures, why not give it a try?

What about you, how do you address these requirements today? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard