Why SOX preparation can be the key to IPO success

Organizations can position themselves for IPO success by taking steps to become SOX compliant ahead of schedule.

In brief
  • Organizations, even those that qualify as emerging growth companies, should consider the steps required to become SOX compliant before filing for an IPO.
  • Preparing for SOX can also help organizations prepare for IPO success and send a signal that they have strong controls in place. 
  • One of the key provisions of SOX requires that the senior officers of a public company attest to the accuracy of their financial reports.

Investment activity soared in 2021, with the US recording the highest combined number of IPOs in more than 20 years. While the buzz surrounding IPOs and startups dominates the headlines, infusion of capital is often just the first step toward going public. As companies move forward with plans to build their business, develop new products and services, and design future revenue streams, they also need to consider how they will comply with the Sarbanes-Oxley Act of 2002 (SOX).  

Many executives tend to underestimate the effort required to comply with SOX and also tend to overlook the reality that preparing for SOX can set the business up for success in the future. Demonstrating SOX compliance sends a signal that the organization has not pursued a “growth at all costs” approach and understands how to prioritize risks, establish strong internal controls, and deploy a sound financial reporting system.  


The right timing for SOX

While organizations are typically aware of the SOX timetable when they file for an IPO, the clock should actually start ticking even before they file. This approach is suited for traditional companies as well as those classified as emerging growth companies (EGCs). EGCs are exempt for five years from certain Public Company Accounting Oversight Board (PCAOB) requirements, including the internal control audit attestation (SOX 404b) by an external auditor, and are subject to reduced disclosure requirements.


These organizations may have more time to comply with SOX, but as a leading practice, they should put this extra time to good use by preparing for SOX, which can ultimately benefit them. For example, as organizations work through their SOX compliance journey, they typically build in sound management practices that help them address a broad range of business issues, which include developing the tools and mindset to:  


  • Prioritize risks  
  • Strengthen internal control structures  
  • Improve performance audits  
  • Establish centralized, automated financial reporting 

Key SOX provisions for companies considering an IPO

To prepare for SOX, an organization must typically meet three key provisions:  

  1. Section 302 mandates that senior officers of a public company, most often the chief executive officer and chief financial officer, certify the organization has established and maintained internal controls to confirm the accuracy of information found within their reports.  
  2. Section 404 requires management and external auditors to report on the adequacy of the internal controls over financial reporting. The provision also requires that external auditors attest to management’s assessment of the effectiveness of those internal controls. 
  3. Section 802 outlines rules for record-keeping, which includes a) destruction and falsification of records, b) defined retention periods for storing records and c) specific types of business records that must be stored. 

Leading practices for year one

Organizations about to embark on their year-one SOX journey should start by establishing a governance structure that sets clear lines of responsibility and follows a two-pronged approach. The first step involves setting up a steering committee, independent of control owners, to oversee the project. The second step identifies key business process and IT stakeholders who will serve as control owners and execute the program.    

As the SOX program progresses, the organization should establish materiality thresholds and identify significant accounts, major processes, and opportunities to team with the external auditor to confirm both the approach and scope.

The organization should also implement Section 302. In addition to annual certification by the chief executive officer and chief financial officer, this encourages a bottom-up approach in which the control owners also certify, on a regular basis, the design and effectiveness of the controls they oversee. This process typically follows a quarterly cadence and places controls at the forefront to alert the internal audit and internal controls team of a change or potential issue.

As the organization starts the next phase, the internal controls team should interview key business process and IT personnel to document entity-level controls. This helps identify in-scope financial and IT systems and processes. As this work is performed, control gaps are identified and addressed, leading to the development of a robust Risk and Control Matrix (RCM) and process flows narrative.  

The SOX assessment concludes with validation of results, proposed recommendations for deficiencies and analysis of action plans. This is followed by a report to management on the program status and a plan to communicate and coordinate with the external auditor. At this stage, an organization will essentially be operating as fully compliant with SOX.   

Common pitfalls leading to deficiencies

In the rush to go public, some companies may find themselves trying to adopt a risk framework that may not be tailored to their specific needs. Accurately evaluating the risk universe before implementing the RCM and associated controls minimizes the likelihood that a severe deficiency could be designated as a material weakness. Additional layers include performing a gap analysis, benchmarking against similar organizations, and using leading practices from professional and regulatory bodies.  

To further this approach, the internal controls team needs to train control owners and those charged with governance regarding the importance of documentation and maintenance of control design. This empowers these key players to “own” the control framework and follow through on proper execution.      

The SOX team should also deploy a robust change management protocol to identify key system, policy, procedure and/or owner changes. This provides an opportunity to collaborate with business and IT teams prior to implementation. Engaging process owners from IT, internal audit and internal controls sets the stage for open discussions on the impact to the controls and financials.  

At this stage, organizations can start mock stress tests. Working toward compliance prior to the IPO enables organizations to perform full life-cycle testing one year before the external auditor issues an integrated audit opinion. This offers assurance that the controls framework functions as intended and provides adequate time to remediate deficiencies.

Organizations may also want to consider relying on technology to streamline the effort needed to become SOX-compliant. The proprietary EY platform Virtual Internal Auditor (VIA) provides an avenue for both controls testing automation and optimization. By creating analytics scripts, workflows and a centralized repository, organizations can perform automated testing that standardizes the approach for continuous testing and reduces manual effort. As the internal controls framework matures, VIA also contains optimization functionality that can allow organizations to enhance their control universe and rationalize out redundant controls to drive down their overall cost of SOX compliance.

Benefits of becoming SOX-compliant

SOX compliance represents a major undertaking for any organization. Each entity should consider the resources available for not only the design and implementation of compliance efforts, but also for maintaining future state compliance.  

Becoming SOX-compliant can be time-consuming and expensive. As they prepare for SOX, organizations may opt to bring in a qualified team of professionals to help develop and maintain their program. This will not only expedite the process, it will also offer additional comfort with respect to regulatory compliance.  

These steps often serve as a springboard for IPO success, particularly as investors place a higher valuation on companies with established controls. Even more, preparing for SOX can position a business for profitable, sustainable growth in the years ahead.  


In the rush to go public, some organizations tend to overlook the fact that preparing to comply with SOX offers benefits that go beyond compliance. SOX-ready organizations have often shown they understand how to prioritize risks and know what it takes to establish strong internal controls. These steps often serve as a springboard for IPO success.
