FAST Act Paves the Road for Streamlining IPOs

By Steve Hobbs
Managing Director, Public Company Transformation

Good news for small companies considering an IPO. On December 4, 2015, President Obama signed the Fixing America’s Surface Transportation Act (the FAST Act). Aside from directing transportation spending, this act includes provisions relevant to startup companies and companies seeking to pursue the IPO path. Below, I’ve outlined the major ways in which this act affects so-called “emerging growth companies,” or EGCs – defined as companies with revenues of less than $1 billion in their most recent fiscal year – by potentially reducing the costs related to initial filings and allowing them to keep their information confidential longer.

  1. Longer confidentiality period. Under the JOBS Act, which created the EGC category, a company that meets that definition needs to publicly file a registration statement for its IPO no fewer than 21 days before the start of its roadshow. Under the FAST Act, this time period has been reduced to 15 calendar days.
  2. Maintaining EGC status longer. In some cases, companies that have started the IPO process as EGCs have lost that status – for example, if the SEC review process continued past the end of the fiscal year in which the issuer crossed over the $1 billion revenue threshold. Under the FAST Act, such a company would remain an EGC through the earlier of either its IPO date or the 1-year anniversary of it otherwise losing EGC status. By retaining this status, the company is entitled to reduced regulatory and reporting requirements under the Securities Act and the Exchange Act.
  3. Reduced disclosure requirements. The FAST Act permits EGCs to omit historical financial information from their initial confidential submission or public filing of the IPO registration statement if this historical financial information would not be required in a registration statement (S-1 or F-1) at the time of the road show. For example, EGCs are currently required to include 2 years of audited financial statements in their public IPO filings. For some issuers, the timing of the IPO process may be such that the fiscal year would complete while the review process is still going on, and therefore the company would need to add audited financial statements for that most recent year. Under the FAST Act, in a situation like that, financial statements for the earlier year would not be required in the registration statement. Instead of going through the expense and effort to audit and include financial statements from that prior year, the issuer could simply omit that year from the initial and subsequent filings.

These provisions do not free small companies of the onerous task of preparing and filing their IPO-related financial statements, but they do provide some relief, including a longer confidentiality period.

Watch What You Say: Auditing Cybersecurity Disclosures

By David Brand
Managing Director, Leader of Protiviti’s IT Audit practice

In the face of ongoing, persistent and ever-more dramatic data breaches, corporate assurances to the security of information are rightfully met with investor and regulatory skepticism. And while companies have rushed to inoculate themselves against potential damage by purchasing cyber insurance, regulators – and insurers – are reviewing published cybersecurity disclosures carefully to determine whether the companies’ claims regarding their cybersecurity programs – people, processes and technology – are consistent with reality.

These reviews merit attention for several reasons. For example, the price for failing to adequately assess and disclose cyber risks could be regulatory sanction and/or a denied insurance claim.

Questions about disclosures – and inquiries from external auditors related to cybersecurity – have been raised at several conversations with our clients recently. The basis for the questions can be traced back to a U.S. Securities and Exchange Commission Guidance published in October 2011. But the urgency and frequency of the questions in meeting rooms and board rooms have increased, in apparent contradiction to public corporate cybersecurity assurances.

External auditors are generally asking two questions:

  1. For companies making disclosures: What programs exist to ensure the disclosures are accurate?
  2. For companies without disclosures: What controls and procedures are in place to ensure that there is nothing occurring that should be disclosed?

The typical response, to date, has been for management to provide a memo with a general description of relevant risks; a list of the people, processes and technology in place to address cyber risk; a list of relevant internal audit efforts addressing cyber risk; and a statement that management is not aware of any relevant undisclosed breaches.

These responses tend to be quantitative, which raises the question: Should Internal Audit evaluate and weigh in on the efficacy of cyber risk mitigation programs? A 2015 article in the Harvard Law School Forum on Governance and Financial Regulation says yes. I would agree.

Critical intellectual property (IP) – the so-called “crown jewels” – must be identified and protected. In addition to traditional perimeter defenses, companies need to develop and regularly review an intrusion response plan. The plan needs to account not only for theft, but also for the possible destruction of data. Response plans should be tested with live simulations designed to break and fix vulnerabilities before they can be exploited by hackers.

Sounds like common sense, doesn’t it? It has been my experience, however, that all too often, companies tend to address theoretical risks with theoretical responses. A self-assuring, “no stranger danger here” mentality may, in fact, be your organization’s greatest vulnerability. Instead, what companies are better off doing – and what most cybersecurity experts these days recommend – is to assume that they have already been breached, and focus their security efforts on rapid detection, interdiction and recovery.

To that, I would add the need for a strong cyber risk control and governance framework, such as the one developed by the National Institute of Standards and Technology (NIST).

As for internal audit, it definitely should be auditing cybersecurity disclosures to make sure that what management is telling shareholders is consistent with actual risks. Words matter, and the world is watching.

For more on current IT audit trends, views and challenges, download the latest ISACA/Protiviti IT Audit Benchmarking survey or view the highlights.

Your SharePoint Investment: Don’t Leave It to Chance

By Scott Gracyalny
Managing Director, Software Services

If your organization is like most, you probably have at least one installation of SharePoint. Chances are, it’s running your intranet, or maybe a document sharing system. Maybe users love it. Maybe they don’t. Perhaps you could be getting a better return on your investment. If your organization is like most, you have no way of knowing.

We know this, because you told us. According to the results of a just-released Protiviti survey, 95 percent of companies that use SharePoint say it is an important collaboration and communication tool for them. They even give it a high level of importance (7.4 on a 10-point scale). And yet, 90 percent said they don’t have a formal way of tracking how employees use SharePoint (user adoption). Half rated user adoption as only fair or inadequate.

These numbers point to a lack of a cohesive, constructive SharePoint adoption and governance strategy. The reasons are varied, but may stem from the fact that, more often than not, SharePoint enters the organization as a point solution – either direct from IT, or by the request of a department with a specific use in mind.

From there, the road to enterprisewide adoption is typically a winding path, with additional applications being added from the bottom up as users learn of, and request, expanded functionality. Most commonly, SharePoint evolves from a content storage tool, to a tool for business intelligence using all that newly accessible data, before moving on to more complex and mature collaborative workflows.

This evolution doesn’t have to be left to chance – and it appears, you agree. More than two-thirds (69 percent) said additional training would improve user adoption.

A clear strategy can make a big difference. By tying SharePoint use to specific business goals and working with users to develop and adopt processes utilizing SharePoint’s untapped potential, companies can get much more from their SharePoint investment.

We’ve seen clients put SharePoint to work in a variety of critical processes, including automating contracting and sales, and to facilitate risk and compliance workflows. Workflow capabilities are native to SharePoint, but often require third-party assistance to configure properly.

Of course, as with any proposed change, change management is key. Users need to be engaged early in the planning process to ensure that any new processes will truly enhance their experience and not just create more work.

For every organization that has made the investment in SharePoint, I recommend taking a hard look at how to maximize it. In fact, I think this should be a number one SharePoint priority. Complementary third-party products can also be leveraged to enhance or extend SharePoint functionality. Most organizations would be surprised by how much value SharePoint can deliver with sustained attention to the issues above.

Fraud and White-Collar Crime: A Conversation with Donald Rebovich and Scott Moritz

Listen to Donald J. Rebovich, a professor of criminal justice and Director of the Economic Crime and Justice Studies Department at Utica College, and Scott Moritz, a leader of Protiviti’s Fraud Risk Management practice and former FBI special agent, discuss results of the joint Protiviti-Utica College survey and other topics in this informative podcast.

It’s That Time of Year: The 2016 Audit Committee Agenda

It was a good kickoff of the new year, with more than 1,500 forward-looking directors and executives logging on to our January 7th webinar, Setting the 2016 Audit Committee Agenda. Hosted by Protiviti’s Brian Christensen and David Brand and me, the webinar was based on our latest issue of The Bulletin, which I’ve tweeted about, but have not previously addressed here.

Given the high attendance and rapid-fire Q&A (we will be covering some of these questions on this blog soon), I want to recap Protiviti’s ten Mandates for Audit Committees in 2016 that shaped the discussion. These mandates are intended to augment the normal, ongoing operations of the committee. The first five address issues pertaining to enterprise, process and technology risk issues. The rest focus on financial reporting issues.

  1. Ensure the risk profile reflects current business realities. Historically, boards have looked at their risk profiles annually. That was the case for more than half of webinar participants (51.5 percent). Given the increasing economic, political and global risk volatility, it is critical that boards ensure that the risk profile remains current and that emerging risks are identified timely as the risk landscape changes. The audit committee has either a direct or indirect interest in having a current view of the organization’s risks, depending on the risks’ impact on public and financial reporting.
  2. Understand the technology-related risks that present threats to the business model. Whether your company is creating the disruption or reacting to it, audit committees need to stay abreast of these changes. For example, the United States Securities and Exchange Commission (SEC) requires listed companies to disclose significant cybersecurity breaches and other related matters.
  3. Pay attention to risk culture and the tone of the organization. Recent catastrophic risk management failures have one thing in common: The tone at the top was not as strong as it could have been. A resounding majority of webinar participants (86.5 percent) said maintaining a robust risk culture is important to leaders in their organization. I hope this is true for your organization, as well.
  4. Consider the need for expanded capabilities of the finance organization. Big data, business intelligence, reporting enhancements – all of these changes, along with the increasing regulatory/compliance burden, are increasing demands on the finance organization, particularly in the areas of automation and information technology. Make sure your organization has allocated adequate resources to this critical and growing area.
  5. Consider the need for expanded capabilities of the internal audit function. As risk management matures, internal audit’s role as the third line of defense changes. Every year, technology-enabled auditing and data analytics rank as top challenges in our Internal Audit Capabilities and Needs Survey – which means we’re not making the progress that needs to be made. And the list of internal audit priorities continues to grow. The audit committee needs to ensure that internal audit is sufficiently resourced to execute its risk-based audit plan.
  6. Make the necessary process adjustments to enable the new revenue recognition standard. It’s common knowledge that public companies must comply with new Financial Accounting Standards Board (FASB) revenue recognition standards beginning with calendar year 2018. The task here is to make sure that your company gets started. There’s a lot of work entailed, even if it’s just in determining how the new rules affect your organization – and yet, less than 40 percent of organizations have even started.
  7. Review the Public Company Accounting Oversight Board (PCAOB) inspection report on the audit firm and understand how it impacts the audit process. As the PCAOB increasingly holds audit firms accountable for the quality of their audits, it could affect what auditors are looking for when they audit your organization. Audit committee members should review the PCAOB inspection report on the company’s audit firm and determine whether there are any implications for the organization. Also, the PCAOB is seeking public comment on a draft of 28 audit quality indicators, and audit committees need to keep an eye on that development.
  8. Consider the PCAOB-audit committee dialogue. Both the PCAOB and the SEC have increased their outreach to audit committees. We encourage audit committee members to obtain an understanding of what these organizations expect in a quality audit.
  9. Pay attention to developments on the lease accounting front. There’s a new standard on leases coming out in early 2016 that will have a significant effect on so-called “off balance sheet” financing. Going forward, both operating and capital leases will have to be accounted for on balance sheets. If this impact is significant, the company may need to start thinking about the related implications to contractual agreements, loan covenants and capital ratios, among other things.
  10. Ascertain the implications of the SEC’s concept release on audit committee disclosures. The SEC wants more transparency into audit committee activities. In 2015, the agency issued a concept draft of new audit committee disclosures. If you haven’t reviewed these already, you need to.

As 2016 builds a full head of steam, it promises to be a wild ride. As always, we’ll be here at The Protiviti View to help you find the signal amid the noise. If your audit committee has other priorities that aren’t on this list, I’d love to hear them. Feel free to weigh in, in the comment section below.

“No Fraud Here?” Look Again, Says New Survey From Protiviti and Utica College

Nobody wants to believe that their company is losing significant revenue to fraud. And, understandably, organizations don’t want to spend scarce resources managing risks they don’t consider legitimate. With regulators and prosecutors increasingly holding executives accountable for fraud prevention, however, there’s a strong incentive to replace the old refrain of “no fraud here” with the more proactive “not on my watch.”

That’s the conclusion of a new study from Protiviti and the Economic Crime and Justice Studies Department at Utica College, released yesterday. The study, titled “Taking the Best Route to Managing Fraud and Corruption Risk,” is based on a 2015 survey of board members, C-suite executives, general counsel and chief audit executives.

Our survey corresponded with a September memorandum from the U.S. Department of Justice – The Yates Memo – instructing prosecutors not to give corporate defendants cooperation credit unless they identified the individuals responsible for illegal conduct. The memo is named for its author, Deputy Attorney General Sally Quillian Yates, who subsequently elaborated: “We are not going to be accepting a company’s cooperation when they just offer up the vice president in charge of going to jail.”

Against that backdrop, it was distressing to see, in the survey results, how few companies are living up to the fraud risk assessment provisions of COSO 2013, Principle 8, and remain in reactive response mode “putting out fires.” Only 17 percent of respondents described their organization’s fraud risk strategy as “well defined,” and only 57 and 35 percent of large and mid-size companies, respectively, had a fraud detection program in place. In addition, third-party fraud and corruption risk is barely on the radar of most organizations. Less than one in 10 respondents reported a high level of confidence in their organization’s vendor fraud and corruption risk oversight. A lack of internal resources was cited as the biggest challenge to proactive fraud risk assessment.

Other notable findings that emerged from our research:

  • Few companies are availing themselves of the tools and best practices for mitigating fraud risk, e.g., less than one in five utilize ongoing forensic data analysis to identify potential red flags and fraud indicators.
  • Just over one-third of the respondents reported their organizations do not conduct due diligence on business intermediaries (third parties) prior to onboarding.
  • Organizations without strong fraud detection and reporting programs face a higher risk of whistleblower disclosures.

And a cautionary note: As much as the internal audit profession is to be applauded for reaching beyond its accounting roots to strengthen interdepartmental relationships through “soft” skills, such as interpersonal communication, it is critical to maintain a clear line between improving communication and compromising assurance. Our report refers to the trend toward “consultative” audits, stressing that while surprise audits may sometimes be seen as running counter to an organization’s culture, they are an effective fraud deterrent when used in a targeted manner and focused on perceived problem areas or intransigent business units or geographies. That’s not to say such audits can’t be handled with dignity and respect, merely that we need to ensure that in adding the soft skills, we don’t lose our edge.

I recommend downloading and perusing the survey for the full findings. You can find key highlights in this video.

A Farewell to Michael Oxley

Staunch champions of corporate governance and fair financial reporting lost a friend over the holidays with the passing of former U.S. Rep. Michael Oxley on January 1. The Ohio Republican, co-author, with Democratic Senator Paul Sarbanes, of the landmark Sarbanes-Oxley Act of 2002 (SOX), was an ethical stalwart and strong advocate and warrior for corporate oversight and accounting reform.

SOX, drafted in response to a spate of high-profile corporate frauds around the turn of the century, significantly impacted the modern corporate governance landscape by elevating internal control over financial reporting to a top corporate priority. For anyone who entered the professions of accounting, finance, internal auditing and consulting after 2002, SOX has always been the law of the land. But those of us who remember the scandals of the Enron era can attest to the enormous problem placed on the doorstep of Congress at the time.

There are those who argue that SOX is excessively burdensome and overdone and, in essence, an overreaction to the acts of a few. But here’s the skinny: There were too many examples of egregious abuses. As a result of the bad behavior of an unscrupulous minority of executives, shareholders suffered significant losses, people lost their life savings and overall confidence in the capital markets waned dangerously. In the United States, a situation like this gives Congress a strong political will to act. And act they did. SOX is a compendium of the abuses of the Enron era. The law reads as if Mr. Oxley, Mr. Sarbanes and their authorship team listed all of the high-profile abuses on a whiteboard and then designed mechanisms to address each one. They did what they had to do to solve the problem they were faced with. In doing so, they sent a powerful message of accountability for fair public and financial reporting.

SOX certainly isn’t perfect, but it has stood the test of time. After an initial period of adjustment and the pains of a very messy learning curve following the law’s enactment, the increased emphasis on internal controls has resulted in a precipitous decline in restatements of financial statements. According to studies by Audit Analytics, the number of restatements has declined significantly since its 2006 peak. More importantly, the number and severity of accounting issues underlying each restatement also have declined. That’s good news.

SOX also created the Public Company Accounting Oversight Board (PCAOB) and popularized the COSO Internal Control – Integrated Framework. That Framework had been around since 1992 but it wasn’t used widely. When SOX Section 404 required an evaluation of the effectiveness of internal control over financial reporting, the Securities and Exchange Commission required “a suitable framework” to support that assessment. All heads turned to the COSO Framework, treating it as the only game in town. Today, the Framework is used by almost all issuers and their external auditors as a basis for their SOX Section 404 evaluations.

While debate on the relative costs and benefits of SOX Section 404 continues, there is empirical evidence that the capital markets place significant value on strong internal control. An earlier study released in May of 2006 by Lord & Benoit reported that shareholders benefit when companies have effective internal control over financial reporting. To illustrate, for the period from March 31, 2004 to March 31, 2006, the Russell 3000 share index increased by 17.7 percent. The Lord & Benoit study found that companies reporting no material weaknesses for either 2004 or 2005 enjoyed a 27.7 percent increase in share price. Companies reporting material weaknesses in 2004 but no material weaknesses in 2005 experienced a 25.7 percent increase in share price. However, companies reporting material weaknesses in both 2004 and 2005 suffered a 5.7 percent decline in share price. Therefore, the companies that reported that their internal control over financial reporting was ineffective both years experienced poorer performance in their stock price relative to the companies that did not.

Some have questioned the value of SOX, arguing that it did not prevent the financial crisis. The truth is that SOX wasn’t designed to prevent a crisis of this nature. The financial crisis was a systemic breakdown on a number of fronts involving an entire industry – a virtual “perfect storm.” To elaborate further on whether or not SOX could have prevented such a storm would detract from the message of this post. Suffice it to say that SOX doesn’t mandate how financial institutions are run, how risks are managed and when CEOs and their boards need to take a fresh look at the validity of the critical assumptions underlying their corporate strategy and business model.

SOX continues to fulfill its purpose, and Michael Oxley should be credited for the cultural change he enabled with this landmark legislation. He was a true statesman, a Republican who reached across the aisle to work with his fellow Democratic legislative partner, Paul Sarbanes, to enhance corporate management accountability to shareholders at a time when the reliability of public financial statements was called into question. These two men stepped into the arena as their country watched, with everyone knowing that something had to be done. Today, with forward progress in Washington D.C. so often hamstrung by partisan gridlock and intransigence, Sarbanes-Oxley shines as an example of what can be done when our elected officials come together to work for the common good.

Michael Oxley performed admirably when he had his moment in the legislative arena. He will be missed.