• A financial statement audit evaluates whether a company’s financials are fairly presented in accordance with applicable accounting standards. An integrated audit also includes an assessment of internal controls over financial reporting.

• Common audit mistakes include late or missing provided-by-client (“PBC”) requested submissions, insufficient or unreliable documentation that hinders effective risk assessment, weak internal and IT controls, and errors in applying accounting standards.

• Preparing early, understanding the internal control environment, and training staff can help your company provide relevant and reliable information, which is critical for assessing audit risk and demonstrating compliance with applicable laws and regulations.

—

Financial statement audits are a critical checkpoint for companies, stakeholders, and investors. While the process has its limitations, the goal of an audit is to provide reasonable assurance that the company’s financial statements are free of material misstatement (whether due to error or fraud).

However, the audit process is only as effective as the broader environment supporting it — including timely and reliable financial information, a well-resourced accounting function, effective oversight by the board or audit committee, and a clear understanding of the entity’s operations and the regulatory landscape of its industry.

Many organizations approach audit season underprepared or unaware of the common pitfalls and complex or nontraditional transactions that can delay the process, increase costs, or raise compliance concerns.

In this article, we explain the financial statement audit process, common mistakes we see companies make during external audits, and best practices that lay the foundation for a smoother audit experience.

Understanding Financial Audits

During a financial statement audit, an independent registered public accounting firm follows generally accepted auditing standards (GAAS) and assesses your company’s financial records, transactions, and reporting processes. Independent auditors gather and evaluate relevant and reliable evidence to determine whether the financial statements are presented fairly — following generally accepted accounting principles (GAAP), international financial reporting standards (IFRS), or another applicable financial reporting framework.

The process typically follows these phases:

1. Audit planning and risk assessment: External auditors work closely with company management to understand the operations of the business, identify significant risk areas, and develop an audit strategy that is unique to the organization.

2. Internal control evaluation: The auditor assesses the design and operating effectiveness of internal controls over financial reporting, often through walkthroughs and targeted testing of key controls. The results of this evaluation directly inform the auditor’s risk assessment and the nature, timing, and extent of substantive audit procedures. In an integrated audit, this process also includes gathering information to develop an opinion on the effectiveness of internal controls. Auditors pay particular attention to information technology general controls (ITGCs), which are foundational to the reliability of automated processes and system-generated reports. If the auditors identify material weaknesses, they may need to disclose them in the financial statement footnotes or the auditor’s report (depending on the severity and context).

3. Substantive testing: The auditor gathers evidence by examining transactions, account balances, and disclosures through sampling, confirmations, and recalculations. Strong internal controls impact the audit team’s risk assessment and may allow the team to reduce the amount of substantive testing required.

4. Conclusion and reporting: The auditor drafts the opinion letter, communicating findings to management and those charged with governance.

10 Common Types of Mistakes Made in Public Audits

Despite best intentions, many organizations encounter issues during the annual audit that delay timelines, increase costs, or raise red flags. Here’s a look at some common mistakes and why they matter:

1. Inadequate Documentation of Internal Controls

Many companies fail to maintain sufficient documentation around their internal control procedures. This lack of documentation makes it difficult for auditors to understand and — if necessary — test the design, implementation, and effectiveness of key controls. As a result, auditors may need to perform additional walkthroughs or expand their substantive testing — potentially increasing audit costs and timelines.

For publicly traded companies, this issue can have additional implications under Section 404 of the Sarbanes-Oxley Act (SOX). Section 404(a) requires management to assess and report on the effectiveness of internal control over financial reporting (ICFR). Section 404(b) requires the independent auditor to attest to and report on management’s assessment for accelerated filers.

If the auditors deem internal controls ineffective, management must disclose material weaknesses in its annual filing with the SEC. This can affect investor confidence, internal resource allocation, and external perceptions of the company’s governance. These findings may also place added pressure on the accounting team to remediate deficiencies under tight deadlines while still managing the financial close and reporting cycle.

2. Late or Incomplete Audit PBC Requests

Prior to audit fieldwork, the audit team sends a “provided by client” (PBC) list to management outlining the documents and financial data auditors need. Submitting incomplete or delayed items stalls fieldwork and may increase audit fees.

3. Improper Revenue Recognition

Misapplying Accounting Standards Codification (“ASC”) 606 or lacking support for revenue transactions — including cutoff periods around year-end — is a recurring audit issue. Companies often struggle to identify and document performance obligations in their contracts with customers and allocate the transaction price appropriately among those obligations.

These issues are especially common in arrangements involving bundled products or services, where the timing and pattern of revenue recognition may differ by deliverable. Inadequate documentation or inconsistent application of these principles can lead to audit adjustments or the need for expanded testing.

4. Weak IT General Controls

Deficiencies in ITGCs — such as user access management, change management, physical security of IT systems, intrusion detection, and system backup and recovery processes — can compromise the integrity of financial reporting systems and result in control deficiencies or audit findings. Increasingly, cybersecurity risk is also a critical area of concern, particularly as companies face heightened exposure to data breaches and unauthorized access.

In cases where companies outsource key processes or use cloud-based platforms that affect financial reporting, it’s important to obtain and evaluate SOC 1 Type 2 reports from service providers. These reports help assess whether the third party’s control environment supports reliable financial reporting. Failing to obtain or properly review these reports can result in audit scope limitations or the need for additional procedures.

5. Errors in Lease Accounting

ASC Topic 842  introduced significant changes to lease accounting — increasing complexity in how companies identify, measure, and disclose lease arrangements. Common mistakes include misclassifying leases, failing to identify embedded leases in service or supply agreements, and incorrectly applying accounting treatment for lease modifications and remeasurement events.

Errors can also arise in calculating the right-of-use asset and lease liability, selecting the appropriate discount rate, and preparing the required footnote disclosures. These issues can lead to material misstatements and require substantial audit follow-up — especially when a company maintains a large or decentralized lease portfolio.

6. Inaccurate or Unsupported Estimates

Many key areas in financial reporting rely on management’s judgment, especially when it comes to technical estimates such as goodwill impairment, valuation of long-lived assets, fair value of debt or equity instruments, and contingent liabilities. These estimates require a disciplined process of identifying the appropriate valuation method, documenting key assumptions, and evaluating both supporting and contradictory information.

Errors often arise when companies fail to update assumptions based on current market conditions, skip critical steps in the impairment testing process, or use inconsistent inputs across related estimates. A lack of documentation or transparency around the basis of these estimates raises audit concerns and can result in restatements or material weaknesses in internal controls over financial reporting.

7. Failure to Perform Timely Reconciliations

Account reconciliations help ensure accuracy and reliability in financial statements by comparing information in your financial records with third-party support — such as bank statements or loan documents. Delayed or inconsistent reconciliations of bank accounts, intercompany balances, and key general ledger accounts can indicate larger issues with the financial close process.

8. Insufficient Segregation of Duties

In smaller or rapidly growing companies, it’s common for individuals to handle multiple steps within a transaction cycle — such as initiating, approving, and recording transactions. This increases the risk of errors and intentional misstatements.

A lack of proper segregation of duties introduces risk at the process level and signals broader weaknesses in the company’s control environment (a key component of internal control frameworks). When auditors identify these gaps, they may reduce their reliance on controls and expand the scope of substantive testing — increasing the time and resources required for the audit and potentially causing delays.

Strengthening segregation of duties supports the integrity of financial reporting and reinforces a culture of accountability.

9. Poor Communication Between Financial Reporting and Operational Teams

A disconnect between accounting and other departments — including operations, legal, and procurement — can result in incomplete or misclassified transactions and missed disclosures. This issue is especially common in areas like inventory management, project accounting, and deferred revenue recognition.

It can also impact the identification and disclosure of related party transactions, legal contingencies, and other matters that require input from departments outside of finance. For example, if legal teams do not communicate the existence of pending or threatened litigation, the accounting team may fail to properly record or disclose a loss contingency — resulting in audit findings or misstatements. Clear, documented communication channels between departments are critical for complete and accurate financial reporting.

10. Lack of Readiness for New Accounting Standards

Companies often underestimate the effort required to adopt new standards — such as those related to segment disclosures (ASU 2023-07), income tax disclosures (ASU 2023-09), and business combinations (ASU 2023-05). Late-stage implementation leads to rushed adjustments and audit stress.

Fortunately, many of these issues are avoidable through proper preparation, communication, documentation, and adherence to regulations.

How to Prepare for a Smoother Audit Season

Here are a few best practices to reduce audit risks and improve efficiency in the financial statement reporting process:

• Start early: Preparing for the year-end audit should begin months in advance. Develop and assign internal timelines for PBC deliverables, reconciliations, and close procedures.

• Assess and document internal controls: Clearly document your control procedures. Perform regular controls testing throughout the year and update them to reflect changes in processes or personnel at year-end.

• Invest in training: Your accounting and finance teams should stay current on new standards and audit requirements to reduce the risk of misapplication.

• Leverage technology thoughtfully: Use financial close and compliance tools to streamline workflows, manage documentation, and maintain audit trails.

• Conduct a pre-audit walkthrough: Reviewing key areas of risk, estimates, and controls ahead of time enables your company to address issues before auditors arrive.

• Foster collaboration: Create open channels of communication between auditors, internal accounting functions, IT, operational departments, and the audit committee to minimize misalignment. Collaboration between external auditors and the internal audit team can also be beneficial. However, under the Public Company Accounting Oversight Board’s new QC 1000 standards, internal auditors are considered “other participants” in the audit, which may affect how their work is evaluated and used. Companies should understand the implications of this designation and ensure internal audit activities are properly documented and aligned with audit objectives.

Be Proactive to Prevent Audit Mistakes Before They Happen

A successful audit is more than a compliance milestone. It’s a sign of sound corporate governance. By recognizing common mistakes and addressing them proactively, you can support more accurate and timely financial statements, reduce audit fatigue in your team, and build trust with stakeholders and regulators.

How MGO Can Help

Our Audit and Assurance team supports public companies through every stage of the audit lifecycle — from preparing internal controls documentation to navigating complex accounting standards and responding to auditor inquiries. Our professionals bring deep industry experience to help clients identify risks and streamline financial reporting processes. If you’re approaching audit season or facing challenges with audit readiness, reach out for guidance tailored to your specific needs.

The post 10 Common Public Audit Mistakes That Could Delay Your Timeline appeared first on MGO CPA | Tax, Audit, and Consulting Services.

• New FASB guidance now affects how your company identifies the accounting acquirer in SPAC and VIE-related transactions.  

• There are fewer transactions that may qualify as business combinations now under ASU 2025-03.  

• You must still evaluate VIE status for disclosure, even if it doesn’t impact acquirer identification.  

—

Summary 

The Financial Accounting Standards Board (FASB) issued Accounting Standards Update (ASU) 2025-03, Determining the Accounting Acquirer in the Acquisition of a Variable Interest Entity, to address stakeholder concerns about unintuitive accounting outcomes in transactions involving variable interest entities (VIEs). For example, many operating companies have entered the U.S. public markets by merging with a special-purpose acquisition company (SPAC). While a SPAC merger might be economically similar to conducting an IPO, under the old guidance, it often resulted in a new basis of accounting for the operating company instead of carryover basis. Stakeholders expressed concerns to the FASB about this inconsistency, which will be less likely to occur under the new ASU. 

After adopting the ASU, an entity must assess the factors in ASC 805, Business Combinations, to determine the accounting acquirer in an acquisition transaction primarily effected by exchanging equity interests when the legal acquiree is a VIE that meets the definition of a business.  

Background 

Identifying the accounting acquirer is important because it affects the carrying amounts of the combined entities’ assets and liabilities and post-combination net income. The accounting acquirer records the assets acquired and liabilities assumed in a business combination generally at their acquisition date fair values, with limited exceptions. Additionally, the accounting acquirer reflects the accounting acquiree’s income beginning on the acquisition date.  

Under prior U.S. generally accepted accounting principles (U.S. GAAP), if the legal acquiree was a VIE, the primary beneficiary of the VIE was always the accounting acquirer. Conversely, when the legal acquiree is not a VIE, if a business combination is effected primarily by exchanging equity interests, and the determination of the accounting acquirer is not clear after applying the guidance in ASC 810, Consolidation, an entity must consider the following factors from ASC 805 to identify the accounting acquirer:  

• Relative voting rights in the combined entity 

• Existence of large minority voting interest in the combined entity 

• Composition of the governing body of the combined entity 

• Composition of senior management of the combined entity 

• Terms of the exchange of equity interests 

• Relative size of the combining entities 

Applying these factors can result in a determination that the legal acquiree is the accounting acquirer and, therefore, the transaction is a reverse acquisition. See our Blueprint, Business Combinations Under ASC 805, for more guidance on evaluating these factors and the accounting for a reverse acquisition. 

Main Provisions 

To address stakeholders’ concerns about the inconsistency in the accounting for the acquisition of a VIE that is a business as compared to the accounting for a voting interest entity that is a business, the FASB issued ASU 2025-03. The new guidance requires that an entity evaluate the factors in ASC 805-10-55-12 through 55-15 to determine the accounting acquirer when all the following conditions are met: 

• The acquisition transaction is effected primarily by exchanging equity interests. 

• The legal acquiree is a VIE. 

• The legal acquiree meets the definition of a business. 

The ASU cannot be applied to other transactions. As such, for acquisitions of VIEs that are effected primarily by exchanging cash or other assets or incurring liabilities, and for acquisitions of VIEs that do not meet the definition of a business, the primary beneficiary is always the accounting acquirer. See our Blueprint, Control and Consolidation Under ASC 810, for more guidance on identifying a VIE and its primary beneficiary. 

ASU 2025-03 Has a Limited Scope 

ASU 2025-03 does not change the guidance for identifying the acquirer of a VIE for a transaction that is not effected primarily by exchanging equity interests or for the acquisition of a VIE that does not meet the definition of a business. An entity cannot analogize to the guidance in ASU 2025-03 if the acquired VIE is not a business.  

Consider the following example:  

• Company A (the legal acquirer) issues some of its equity in exchange for all the equity of a life sciences entity (the legal acquiree).  

• The legal acquiree is a VIE but does not meet the definition of a business because substantially all the fair value of the gross assets acquired is concentrated in a single asset.  

• Company A determines that it is the primary beneficiary of the VIE and, therefore, is the accounting acquirer. 

Conversely, had the legal acquiree in met the definition of a business, the accounting acquirer might be different, depending on the facts and circumstances and based on the analysis of the factors in ASC 805. 

Insights 

Fewer Transactions May Be Business Combinations After Adopting ASU 2025-03 

After adopting ASU 2025-03, an entity that effects an acquisition transaction by primarily exchanging equity interests to acquire a VIE that is a business must consider the factors in ASC 805 to identify the acquirer. As a result, fewer transactions will be accounted for as business combinations. However, while the FASB’s intention when issuing this guidance was to align the accounting for economically similar transactions involving businesses, there will still be inconsistencies in the accounting for transactions involving VIEs that are not businesses, as discussed in the alert above.  

Legal Acquiree’s Vie Status Affects Required Disclosures 

While the legal acquiree’s VIE status will be less relevant in determining the accounting acquirer in a business combination primarily effected by exchanging equity interests when the VIE meets the definition of a business, ASC 810 requires that the primary beneficiary of a VIE disclose information about the VIE’s assets and liabilities unless an exemption from the disclosure requirements apply. The new ASU does not change these requirements. Therefore, the primary beneficiary may still need to determine whether the legal acquiree is a VIE for disclosure purposes.    

Effective Dates and Transition 

The following table summarizes effective dates and transition for ASU 2025-03: 

Accounting Standards Update No. 2025-03 Business Combinations (Topic 805) and Consolidation (Topic 810): Determining the Accounting Acquirer in the Acquisition of a Variable Interest Entity 

Written by Adam Brown and Jon Linville. Copyright © 2025 BDO USA, P.C. All rights reserved. www.bdo.com 

How MGO Can Help 

Navigating the evolving landscape of U.S. GAAP and variable interest entity (VIE) accounting can certainly be complex, especially with the adoption of ASU 2025-03. At MGO, our experienced assurance and consulting professionals are well-versed in the nuances of ASC 805 and ASC 810 and are equipped to help our clients interpret and apply this new guidance. Whether you’re planning a SPAC transaction, assessing business combinations, or re-evaluating your existing VIE structures, we can provide you with the tailored strategic insights and practical solutions your organization needs. Contact us to learn how we can help you maintain compliance and stay confident in your financial reporting.  

The post FASB Changes Guidance on Determining the Accounting Acquirer of a Variable Interest Entity  appeared first on MGO CPA | Tax, Audit, and Consulting Services.

• AI, talent shortages, and real-time auditing are transforming how financial audits are conducted in 2025.

• Clean, accessible data and early collaboration are key to smoother, more insightful audits.

• Audits are evolving from compliance checks into strategic tools for managing risk and driving better decisions.

—

In today’s fast-changing environment, financial audits are more than just a year-end requirement — they’re an opportunity to assess risk, strengthen financial processes, and uncover insights that can drive smarter decisions. But the audit landscape is changing rapidly. Emerging technologies, shifting workforce dynamics, and evolving stakeholder expectations are redefining what a successful audit looks like.

Top 5 Audit Considerations for 2025

Here are five key financial audit trends to keep in mind as the year progresses:

1. Real-Time and Continuous Auditing Are Gaining Traction

Why wait until the end of the year to catch an issue? In 2025, more businesses are moving toward real-time or continuous auditing — and you should consider whether it’s right for you.

By working with your audit team throughout the year, you can test controls earlier, address valuation challenges in Q4, and resolve issues before they snowball into major delays. This approach reduces the year-end scramble and leads to a smoother, more predictable audit process.

Auditors can perform interim work, test new transactions, and review draft financial statements well before the final books close. This shift helps everyone: your team stays ahead of deadlines, and auditors gain more time to focus on high-risk areas.

What you can do: Collaborate with your auditors. Share early drafts of key reports, hold strategy calls, and front-load documentation to ease the pressure in January. A deliverables calendar and clear role assignments can help your team stay on track.

2. AI Is Reshaping the Audit Process — But Clean Data Is Key

Artificial intelligence (AI) and automation are transforming how audits get done. If your auditor isn’t using AI to analyze entire datasets, detect anomalies, or streamline documentation, they’re already behind. AI tools help reduce manual testing, speed up reviews, and allow audit teams to focus on big-picture risks and strategic value.

But the benefits of AI depend on how well you’ve prepared your systems. Poor data quality or disconnected platforms will limit the effectiveness of even the most advanced tools. In 2025, expect your auditors to ask questions about your tech stack, cloud platforms, and internal data governance processes. You’ll need to demonstrate that your financial data is structured, accessible, and secure — or risk delays and incomplete assessments.

What you can do: Start by reviewing your financial systems, organizing your data, and working with your IT and compliance teams to make sure your internal controls align with how AI-driven audits are conducted.

3. The Audit Talent Crunch Could Impact Your Engagement

The audit profession is facing a serious talent shortage — and that could affect your experience as a client. Audit teams are leaner than ever, with firms struggling to recruit and retain professionals who have the right combination of financial reporting, analytics, and tech skills.

The result? Tighter timelines, increased workloads, and in some cases, fewer people available to answer your questions or dive into complex areas of your business.

This isn’t just a staffing issue. It’s about the changing nature of the audit profession. In 2025, auditors are expected to bring expertise beyond accounting — including data analytics and even industry-specific regulations.

What you can do: When evaluating or re-engaging an audit firm, ask about staffing depth and technical capabilities. Make sure your team has a primary point of contact who understands your business and can provide continuity throughout the audit cycle.

4. Firms Are Reassessing Auditor Relationships for Better Alignment

If you’re exploring new audit firms this year, you’re not alone. Many organizations are re-evaluating their audit relationships to find teams that offer deeper industry knowledge, better communication, or more advanced technology.

Making the switch doesn’t have to be overwhelming. With a little planning, you can set the stage for a smooth transition that strengthens your financial reporting and aligns with your long-term goals.

From onboarding timelines to regulatory requirements and data access, there are a few key areas to keep in mind. But the most important step is finding a team that understands your business and can provide a smooth handoff without disrupting your reporting cycle.

What you can do: Work with your new audit firm to create a clear onboarding plan. Set expectations early, discuss timing, and collaborate on gathering documentation so your first engagement starts off strong.

5. Audits Are Becoming Strategic — Not Just a Compliance Exercise

Gone are the days when an audit was just a formality. Today, audits can offer powerful insights into operational risks, data security, and financial performance. Your board, investors, and regulators increasingly expect your audit function to go beyond the basics.

As reporting expectations grow and risk environments evolve, treat your audit like a strategic asset. Work with auditors who not only meet compliance standards, but who also understand your goals and can offer value-added insights along the way.

What you can do: Engage your auditors as advisors. Share your business strategy, new ventures, or expansion plans. The more context they have, the more relevant and insightful their findings will be — and the better your business will be prepared for what’s next.

Turn Your Audit Into an Advantage

Now is the time to align your internal processes with the evolving audit landscape — and choose audit partners who can grow with you. Just as the audit process is evolving, so should your mindset: approach your next audit not as a task to complete, but as a tool to strengthen your business for what’s ahead.

How MGO Can Help

We offer Assurance services to meet the evolving needs of both public and private companies. Our team brings deep knowledge and experience to deliver you a high-quality, efficient audit experience. Reach out to us today to learn how we can support your organization.

The post Financial Audit Trends for 2025: What Your Business Needs to Know appeared first on MGO CPA | Tax, Audit, and Consulting Services.

• SEC expands nonpublic review to include Section 12(g) registrations and de-SPAC transactions, increasing flexibility for issuers. 

• Issuers can now submit draft registration statements any time after an IPO, removing the previous one-year restriction. 

• Underwriters’ names can be omitted from initial draft filings, but disclosure is required in later public submissions. 

—

Key Changes to SEC’s Nonpublic Review Process You Need to Know 

The SEC’s Division of Corporation Finance has introduced expanded accommodations for issuers submitting draft registration statements for nonpublic review. These updates provide greater flexibility for you, while still maintaining regulatory oversight. Key changes include: 

• Broader eligibility: Nonpublic review now extends to initial registrations under Section 12(g) of the Exchange Act and de-SPAC transactions. 

• Extended timing: Issuers can submit draft registration statements at any time after their IPO, removing prior restrictions. 

• Underwriter disclosure flexibility: Issuers may initially omit underwriter names, with disclosure required in later filings. 

These changes are striving to streamline the capital formation process while maintaining investor protection. 

Expanded Nonpublic Review Accommodations 

The Jumpstart Our Business Startups (JOBS) Act of 2012 first allowed Emerging Growth Companies (EGCs) to submit draft registration statements for initial public offerings (IPOs) through a confidential review process. This year, the SEC expanded this process to include non-EGCs, certain Exchange Act registration statements, and other draft filings submitted within one year of an IPO. 

With these latest updates, the SEC has further broadened the scope of the nonpublic review process, offering you as the issuer more flexibility regarding your submission timing and initial disclosure requirements. 

Expanded Nonpublic Review: Key Updates for You to Know 

Initial Registration of Securities Under the Exchange Act 

The SEC has broadened the nonpublic review process to include initial registrations under Section 12(g) of the Exchange Act. Now, you can confidentially submit an initial registration of a class of securities using Forms 10, 20-F, or 40-F under Exchange Act Sections 12(b) and 12(g). 

To comply with SEC requirements, if you’re submitting draft initial registration statements for nonpublic review, you have to confirm in a cover letter that you will publicly file the following: 

• The registration statement and draft submissions are at least 15 days before any roadshow. 

• If no roadshow is planned, the public filing must occur at least 15 days before the requested effective date. 

Additionally, SEC staff comment letters and issuer responses will be released no earlier than 20 business days after the registration statement’s effective date. 

Draft Registration Statements Post-IPO 

Under the new SEC accommodation, you can now submit draft registration statements at any time after your IPO for any: 

• Securities Act offering 

• Exchange Act registration of a class of securities under Sections 12(b) or 12(g) 

This removes the previous one-year restriction following an IPO’s effective date. 

Key filing requirements include: 

• You must confirm in your cover letter that you will publicly file the registration statement at least two business days before the requested effective date. 

• Exchange Act registration statements (Forms 10, 20-F, or 40-F) must be publicly available for 30 or 60 days (as applicable) before effectiveness. 

• Only the initial submission qualifies for nonpublic review. Subsequent amendments, including responses to SEC staff comments, must be publicly filed. 

De-SPAC Transactions: Nonpublic Review Eligibility 

With the SEC’s SPAC rules effective July 2024, target companies in de-SPAC transactions are now treated as co-registrants since the de-SPAC functions as the target’s IPO equivalent. 

Under the expanded rules, your registration statements for de-SPAC transactions (when the SPAC is the surviving entity) may now qualify for nonpublic review, provided the co-registrant target also meets the eligibility criteria for a draft submission. 

Omitted Information 

You may now omit the name of the underwriter(s) from initial draft registration statement submissions. However, keep in mind that the underwriter(s) must be disclosed in subsequent submissions and public filings. 

While draft registration statements must be substantially complete when submitted, you can continue to omit financial information that you reasonably believe will not be required when the registration statement is publicly filed. 

Additionally, you may omit certain historical financial information from your IPO draft registration statements: 

• Emerging Growth Companies (EGCs) may omit annual and interim periods that will not be required separately at the time of the offering. 

• Non-EGCs may omit annual and interim periods that will not be required separately at the time of public filing. 

Additional accommodation may be available. For more guidance, refer to A Guide to Going Public. 

Foreign Private Issuers 

Foreign Private Issuers (FPIs) may take advantage of these expanded accommodations or utilize the procedures available to EGCs if you qualify. Alternatively, FPIs can follow the guidance outlined in the SEC staff’s 2012 statement. 

Guidance for SEC Filings and Compliance  

MGO’s Public Company Services team has a strong history of guiding companies through SEC filings, IPOs, SPAC transactions, and public company compliance. With deep industry knowledge, MGO helps companies navigate the registration process, meet SEC requirements, and improve financial disclosures while adapting to regulatory changes. Contact us to learn more.

The post SEC Expands Nonpublic Review Process for Draft Registration Statements  appeared first on MGO CPA | Tax, Audit, and Consulting Services.

• Proactive planning means focusing on the “how” instead of just the “what” — turning basic questions into actionable strategies for effective implementation.

• An ecosystem perspective involves considering the broader impact on third-party stakeholders to ensure the entire supply chain is prepared for going public.

• Holistic risk management requires cross-functional collaboration to coordinate risk mitigation, enhancing organizational resilience against new public company risks.

~ 

Preparing for your initial public offering (IPO) means investigating every facet of the business — not only to obtain the best possible valuation, but also to make the changes necessary to operate as a public company and achieve long-term growth. Asking the right questions can help you see beyond the obvious, illuminating factors you may have otherwise overlooked and setting your organization up for post-IPO success.

Here are five ways to take common IPO questions from a basic 101 level up to a more advanced 201 to deepen readiness and unlock new value.

IPO Checklist: 5 Ways to Level Up Your IPO Questions

1. Ask “How”, Not “What

Don’t plan passively. Approach key questions in a way that mandates proactive action rather than reactive changes. A seemingly small alteration — a “how” instead of a “what” — can transform a basic inquiry into a forcing function that spurs teams to take concrete steps.

• 101: What new reporting obligations will we face as a public company?

• 201: How can we resource and connect our finance, IT, and legal teams to meet new reporting requirements on time and without misstatements?

While the 101 question can establish new reporting needs and responsibilities, the 201 question goes further, pushing leaders to actively plan toward these goals.

2. Think About Your Ecosystem, Not Just Your Organization

Going public brings scrutiny from new stakeholders, such as boards, shareholders, and regulators. It is no longer enough for leaders to focus on their organization alone. Instead, they must broaden their perspective to consider the effects of all changes — new regulations, reporting requirements, cybersecurity risks, and more — on their third-party ecosystem.

• 101: What new laws and regulatory bodies apply to our business as a public company?

• 201: Are we prepared to validate that our third-party providers, in addition to our own organization, are complying with any new requirements?

Answering the 201 question requires looking beyond the organization to consider the risks posed by third-party partners. Financial institutions, for example, will need to verify that any third-party service providers comply with existing consumer protection laws under Dodd-Frank.

Cutting across all industries, the Securities and Exchange Commission (SEC) adopted new rules in 2023 requiring public companies to disclose any material cybersecurity intrusions or breaches, as well as information about their cyber risk management, governance, and security. Companies pursuing an IPO must prepare to comply with these new requirements themselves and be ready to validate that any third-party providers can also remain compliant.

3. Adopt a Holistic View of Risk

Effective risk management requires cross-functional cooperation and communication. No matter the business area — cybersecurity, operations, supply-chain management — identifying risks is not enough; nor is simply naming the strategies to mitigate risks.

• 101: What new risks are most relevant to our business as we prepare for operations as a public company?

• 201: What is each department’s risk mitigation responsibility, and where are there opportunities for coordination?

Every department has a role to play in risk mitigation. Clearly defining those roles and the interconnections between them can build resilience in the lead up to an IPO and help companies adapt to new risks after going public.

4. Move from the Abstract to the Specific

Tailoring approaches to specific objectives will help you manage more variables and define what kind of public company you want to be. Whenever possible, leaders should design questions to address specific challenges, rather than using general terms.

• 101: Who are the new stakeholder audiences (e.g., board members and regulators) with whom we need to establish communications as a public company?

• 201: How will we communicate with board members, shareholders, and regulators? What tools, channels, and reporting structures will we build?

The 101 question identifies an important consideration, but it stops there. The 201 question addresses finding and filling in the gaps. You can use what you know to pave the way toward learning what you don’t.

5. Think About Your Price on Day 100

The IPO is not an end-state; it is the beginning of a new chapter. Every action taken in service of a public offering must also include a path to further growth.

• 101: How do we obtain the best possible valuation for our company?

• 201: How can we leverage our momentum to improve our valuation 100 days after going public?

The 101 question speaks to an important need, but its focus is limited. Success as a public company demands growth beyond the IPO event. Asking the 201 question can help you embed a future-focused mindset into all planning decisions. The day one valuation matters, but so does valuation on day 100 — and beyond.

How MGO Can Help 

Navigating the complexities of an IPO requires guidance and a comprehensive strategy. MGO’s Transaction Advisory Services team supports you throughout the process, from proactive planning to risk management, so that your entire ecosystem is ready for the transition. Reach out to our team today to discover how MGO can help you achieve your long-term growth objectives and post-IPO success.

The post Essential IPO Questions: Your Comprehensive Checklist appeared first on MGO CPA | Tax, Audit, and Consulting Services.

• New SEC cybersecurity rules require public companies to disclose material cybersecurity incidents, risk management processes, and governance.
• Determining “materiality” of cyber incidents for disclosure is challenging and requires close collaboration between CISOs providing technical context and CFOs/executives making final determinations.
• To comply, companies should take steps such as designating accountable leadership, adding specialized cybersecurity knowledge, and updating financial processes.

—

For years, chief financial officers (CFOs) could afford to be removed from the daily cybersecurity efforts led by chief information security officers (CISOs). But, with new Securities and Exchange Commission (SEC) cybersecurity rules, those days are gone.

Adopted on July 26, 2023, the SEC’s “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rules recognize cyber incidents can significantly impact public companies’ operations, finances, and reputations. The requirements push companies to be more transparent and accountable about cybersecurity.

While compliance with these rules falls squarely on publicly traded organizations, the impact extends to private-owned companies as well. If your company is a vendor or partner to public firms, you can expect inquiries and audits to verify you meet their security standards. Liabilities and risks permeate the entire supply chain.

SEC Cybersecurity Disclosure Requirements

If you are a public company, what do you need to report under the new rules? Here are the main requirements:

Cybersecurity Incident Disclosure

• Report within four business days of determining the incident is “material”
• Describe the nature, scope, timing, and impacts (or potential impacts)
• Note any undetermined details at time of filing
• Compliance required for SEC registrants as of December 18, 2023; smaller reporting companies (SRCs) have until June 15, 2024, to comply

Annual Risk Management & Strategy Disclosure

• Outline processes to identify, assess, and manage material cyber risks
• Explain how these processes integrate with overall risk governance
• Detail impacts from previous material incidents
• Disclose use of third-party security consultants/auditors and procedures
• Compliance required for all registrants (including SRCs) beginning with annual reports for fiscal years ending on or after December 15, 2023

Annual Governance Disclosure

• Describe board oversight and committee responsibilities for cyber risk
• Identify management roles accountable for cybersecurity programs
• Specify escalation protocols to board/committees on cyber issues
• Compliance required for all registrants for fiscal years ending on or after December 15, 2023

Determining Cybersecurity “Materiality”

A central tenet of the SEC guidelines is the “materiality” concept regarding incident reporting. Essentially, cybersecurity events are considered “material” and require disclosure if they could sway investment decisions or shareholder votes. Think of materiality as anything significant enough to concern your board and executive team.

The tricky part is that materiality determinations do not solely rest with technology and security leaders. Corporate officers and boards make the ultimate call, despite often lacking full context into security event ramifications on financials and operations. Bridging this disconnect through close CISO collaboration is critical to set appropriate disclosure thresholds aligned with your company’s true risk profile. Ideally, final decisions should also be independently verified by an outside, nonbiased service provider.

The SEC final rule also makes extensive (more than 40) references to “third party” impacts. A breach or attack affecting a key vendor could very well represent a material event for your organization that necessitates SEC disclosure. Do not let third-party cybersecurity shortcomings undermine compliance.

Best Practices to Comply with New SEC Cybersecurity Rules

While no one-size-fits all checklist exists, your company and relevant vendors should consider these best practices on the path to cybersecurity rule compliance:

1. Designate Accountable Leadership

Empower specific business leaders as security program owners, not just technical teams. These individuals need to establish clear reporting and communication between security operations and the board/c-suite. Executive working sessions focused on cybersecurity scenario planning are also advised.

2. Add Cybersecurity Knowledge

The rules do not explicitly require it, but it is wise to have dedicated cybersecurity oversight at the board level. Bringing in third-party advisors can help boards understand cyber responsibilities and implement improved processes. This knowledge is often lacking today despite its importance.

3. Update Financial Processes

The speedy 8-K cybersecurity incident reporting necessitates updates to disclosure management procedures. Public companies should already have 8-K drafting processes, so adjusting for cyber specifics presents a modest lift. The key is removing bottlenecks to rapidly describe incident details.

4. Dedicate Compliance Resources

CISOs in many companies oversee skeletal teams lacking the bandwidth for major initiatives like interpreting new regulations, implementing new disclosures processes, conducting risk assessments, and more. Ensure your team has the resources needed to achieve compliance.

5. Build Cybersecurity Culture

Equip your leadership team, board, and financial executives with a comprehensive understanding of cyber risks and disclosure nuances. Implement ongoing education and guidance programs to keep them well-versed in cybersecurity threats, response procedures, and the latest developments in the field.

How MGO Can Expedite Your Compliance Journey

The SEC cybersecurity rules are a wake-up call to take cyber preparedness as seriously as any other existential risk to your organization. Let our team of security, financial, and regulatory professionals guide you toward proactive, comprehensive compliance. Reach out today to discuss your roadmap.

The post CFOs and CISOs: Boost Your SEC Cybersecurity Compliance with These 5 Best Practices appeared first on MGO CPA | Tax, Audit, and Consulting Services.

• Internal controls, especially around fraud prevention, are essential for limiting losses, driving efficiency, improving accountability, and boosting company value during investments or M&A deals.
• The “tone at the top” from leadership in fostering an ethical environment, along with proper segregation of duties, are key elements for fraud prevention and strong internal controls.
• Well-established policies and procedures, like Delegation of Authority rules and restricted system access protocols, are also vital for maintaining adequate controls to enable company growth.

—

As the economy stands on shaky legs, private equity and venture capital firms are necessarily careful and strategic when assessing potential investment opportunities. Whether your long-term plan includes acquiring another company, selling your business, or seeking new capital, strengthening your internal control environment — with a focus on preventing fraud — is a powerful way to increase actual and perceived value.

In the following, we will lay out the reasons why fraud prevention is an essential element to proper corporate governance and illustrate key areas to examine whether your internal control environment is built to help your operation succeed.

The Importance of Internal Controls in Fraud Prevention

A robust internal control system is the first step toward managing, mitigating, and uncovering fraud. A strong internal control environment will:

Protect your company’s assets by reducing the risk of theft or misappropriation of cash, inventory, equipment, and intellectual property.

Detect fraudulent activities or irregularities early on and deter employees from attempting fraud in the first place.

Provide cost savings by limiting opportunities for financial losses, costly investigations, and legal expenses associated with fraud.

Drive operational efficiency by providing clear processes and guidelines that reduce the risk of errors or inefficiencies in day-to-day operations.

Improve employee accountability by implementing checks and balances that discourage unethical behavior.

When seeking an investment or undertaking a significant M&A deal, you should have a firm grasp of the strength and quality of your internal control environment. Not only will you reduce the risk of fraud in the near term, but you will also cultivate confidence with potential investors and M&A partners.

Fraud Prevention Starts with the “Tone at the Top”

The first key element to look for in measuring the strength of your internal controls is ensuring a clear and proactive “tone at the top”, meaning an ethical environment fostered by the board of directors, audit committee, and senior management. A good tone at the top encourages positive behavior and helps prevent fraud and other unethical practices.

There are four elements to fraud: pressure, rationalization, opportunity and capability.

Pressure motivates crime. This could be triggered by debt, greed, or illegal deeds. Individuals who have financial problems and commit financial crimes tend to rationalize their actions. Criminals may feel that they are entitled to the money they are stealing, because they believe they are underpaid. In some cases, they simply rationalize to themselves that they are only “borrowing” the money and have every intention of paying it back.

Criminals who can commit fraud and believe they will get away with it may just do it. Capability means the criminal has the expertise as well as the intelligence to coerce others into committing fraud. The board of directors is responsible for selecting and monitoring executive management to ensure best practices are in place to limit the motivations of all four elements of fraud.

Proper Segregation of Duties for Internal Controls

The second key element to look for in your internal controls is a well-established segregation of duties. The idea is to establish controls so that no single person has the ability that would allow them the opportunity to commit fraud. Companies must make it extremely difficult for any single employee to have the opportunity to perpetrate a crime and subsequently cover it up.  

Fraud Controls 

There are three types of controls that help manage the risks of fraud: preventative, detective, and corrective.

• Preventative controls seek to avoid undesirable events, errors, and other occurrences that an enterprise has determined could have a negative material effect on a process or end product. Preventative controls are the best of the three as they are the first line of defense and a backstop to fraud. If designed correctly, preventative controls stop an undesirable event from even happening.  
• Detective controls exist to detect and report when errors, omission, and unauthorized uses or entries have already occurred. Although it is important to identify these adverse events, you are doing so after the fraud has already been committed.  
• Corrective (also referred to as compensating) controls are designed to correct errors, omissions, and unauthorized uses and intrusions once they are detected.  

Preventing Misappropriation of Assets 

An important component of segregation of duties is to prevent the misappropriation of assets and reduce fraud risk. Below are some examples of best practices for various types of assets: 

• Cash Receipt: segregate the receipt of cash/checks and the recording of the journal entry in the accounting system into two roles.
• Accounts Receivable: segregate the responsibilities of recording cash received from customers and providing credit memos to customers. (If one person performs both functions, it creates the opportunity to divert payments from the customer to the employee and then cover the theft with a matching credit to the customer’s account).
• Cash Reconciliation: the individuals who authorize, process, or record cash should not perform the bank reconciliation to the general ledger.
• Inventory: individuals who order goods from the suppliers should not have the ability to log the goods received in the accounting system.
• Payroll: segregate the responsibilities of compiling gross and net pay for payroll, with the responsibilities of verifying the calculation. (If a single individual performs both functions, it allows for the opportunity to increase personal compensation and the compensation of others without authorization. It also provides an opportunity to create a fictitious payee and make corresponding payroll checks).

The Importance of Policies and Procedures

The third key element to look for in your investees is well-established policies and procedures. Make sure that any company you consider acquiring has basic policies and procedures in place, such as Delegation of Authority (DOA).

The DOA is a policy where the executive team delegates authority to the management of the company. Individuals should be considered appropriate to fulfill delegated roles and responsibilities. The DOA should be reviewed at least annually. Subsequently, it is important to ensure that the DOA is being followed, and that approvals do not deviate from it. Any such anomalies should be rare and, when they do occur, they need to be reviewed and approved. Constant deviations from the DOA may be a sign that the DOA needs to be restructured.

A second essential policy and procedure is restricted computer and application access. This is to protect sensitive company financials and proprietary data. The company should have a robust control environment and maintain computer logins and password access on a need-to-know basis. Access should only be granted by the owner of the application or system and subsequently logged by the administrator. Now more than ever companies are hiring remote employees. This shift in the dynamic workspace further emphasizes the need for a quality IT controls environment.

How We Can Help

As you prepare your company for future growth, getting an impartial third-party opinion on your internal control environment can be a powerful tool for finding gaps and inefficiencies, and implementing value-added changes.

Our dedicated Public Company teams offer a deep level of industry experience and technical skills. We can help prepare your company for a major capital raise, including going public via an IPO or RTO. Or we can help optimize value for an M&A deal, whether you are buying or selling. Contact us today to access an external, holistic vision focused on helping you grow and succeed.

The post Internal Controls: Keys to Limiting Fraud and Boosting Your Company Value appeared first on MGO CPA | Tax, Audit, and Consulting Services.

• The Sarbanes-Oxley (SOX) Act established stricter financial reporting requirements for public companies, leading to increased scrutiny of Information Produced by the Entity (IPE).
• IPE carries different levels of risk depending on whether it is system-generated and manually prepared IPE. Strong documentation is key to validating completeness and accuracy of IPE.
• Best practices for IPE documentation include identifying the source, parameters, and format of reports; validating totals and counts; retaining screenshots; and having knowledgeable reviewers.

—

Passed by Congress in 2002, the Sarbanes-Oxley (SOX) Act revolutionized public company audits by introducing financial reporting requirements aimed at increasing transparency and preventing fraud. Most notably, the SOX Act established the Public Company Accounting Oversight Board (PCAOB), a nonprofit organization that oversees the audits of public companies to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports.  

The PCAOB refines its auditing standards annually and, in recent years, the organization has placed greater scrutiny on the work of external auditors. To keep up with PCAOB compliance, external auditors have imposed more rigorous documentation requirements on companies. As a result, companies have felt pressure to provide more expansive Information Produced by the Entity (IPE).

If external auditors have applied greater scrutiny on your reporting, you may be wondering: What level of documentation is sufficient? How can you improve your documentation to avoid deficiencies and provide greater clarity? In this article, we will discuss: 1) what IPE is, 2) the risks associated with different IPE, and 3) how to document your IPE thoroughly.

What Is IPE?

IPE is any information created by a company used as part of audit evidence. Audit evidence may be used to support an underlying internal control or as part of a substantive audit. Although there are documentation and risk severity differences between system-generated and manually prepared IPE, the fundamental questions that need to be addressed are the same:

1. Is the data complete?  

2. Is the data accurate?

Risk Levels of Different IPE

Here is an overview of how risk levels vary for different types of information you report to auditors:  

Low Risk

“Out of the box” reports carry the lowest risk. These reports are also referred to as “standard” or “canned” reports. Standard reports have been developed by software companies — such as Oracle NetSuite, QAD, or SAP — as part of their enterprise resource planning (ERP) systems. Typically, the end user (you) and even your IT team cannot modify these reports. Given the constrained editability, greater reliance is placed on these reports.   

Medium Risk

Custom reports are typically driven by the business team and developed in-house by your company’s IT team. When your company’s ERP system does not have a report that would provide sufficient data, the in-house developers create a custom report. The IT team follows their change management process when developing the request report. If the report results do not align with your business team’s expectations, the query is refined, and the process is repeated until it does.  

High Risk

A manually prepared workbook or an ad-hoc query are inherently the riskiest documentation. A manually prepared workbook may be a debt reconciliation prepared by your staff accountant, or a list of litigations the company is involved in drafted by your legal department. Given that these are manually drafted, the margin of error may be high.  

An ad-hoc query is considered high risk since the report is not subject to IT General Controls (ITGC) testing. The end user may input any parameters to generate the report. Since no control testing is performed by your company, external auditors would need to rely on their own IT team to vet the nonstandard query. 

How to Document IPE

Your documentation will vary to a certain degree depending on whether the IPE is manually prepared or system generated. In either case, it is important to be as thorough as possible when documenting your procedures.

Manual IPE

For a manually prepared workbook, provide thorough documentation about the origins of the data. It is ideal to have someone who is privy to the information review the workbook.  

When the reconciliation is comprised of debt instruments, the reviewer should do the following:   

1. Match the list of individual debt instruments to the signed agreements.  

2. Validate the reconciliation and each individual schedule for mathematical accuracy.  

3. Confirm ending principal balances with creditors (where possible).  

If the list consists of litigations compiled by the legal department, the reviewer should do the following:   

1. Send confirmations to outside counsel (where possible).  

2. Obtain a list of commitments and contingency journal entries made to an accrual.    

These additional steps provide greater comfort that the list compiled is complete and accurate.   

System-Generated IPE

For system-generated IPE, there are a handful of questions to keep in mind:   

1. Have you identified the report or saved search that was used?   

2. What parameters were used to generate this report?   

3. In what format is the data exported?   

4. After you run your report and confirm the parameters are correct, what format should be utilized for your export?  

Exported Data

Most ERP systems allow the exporting of data in the following four formats:   

1. PDF (portable document format) 

2. Excel  

3. CSV (comma-separated values)   

4. Text file   

One major drawback in an Excel, CSV, and text file is that, by their nature, they are editable upon export. An additional drawback of a text file is that it does not contain formatting. As the volume of data grows, proving out the completeness and accuracy becomes more challenging. For these reasons, a PDF export is typically preferred.  

After the data is exported in one of the four formats, you want to ensure that it agrees back to the system (completeness and accuracy). Here are a few ways to do that:     

1. Does the exported data have dollar amount totals? If so, agree the total dollar amount to the system.  

2. Does the exported data have hash totals? An example of a hash total is employee ID numbers which in aggregate have no real value other than providing confirmation that the data is complete and accurate.   

3. Does the report have a total line count? If totals are not available, line counts may be used. However, it is important to note that while the line count may agree, the data itself could have still been inadvertently manipulated.  

Screenshots of Data

Retaining screenshots is imperative for documentation. A detailed screenshot should include some (if not all) of the following:  

1. Totals (dollar amounts, hash amounts, etc.)   

2. Lines count   

3. Parameters utilized 

4. Time and date stamp 

The first three items validate the completeness and accuracy of the exported data. The fourth item confirms when the report was run and if it was timely. There are many reports that are point-in-time and may not be recreated at a future date. Knowing the constraints of the reports you use is important. Retaining screenshots cannot be overemphasized, especially for point-in-time reports.   

Certain ERP systems or online portals do not provide a preview of the report prior to the export. This puts a constraint on the validation of completeness and accuracy, as it inhibits screenshots from being taken. In this case, as part of the review, the reviewer should re-run the report and validate that the original report used matches the information in the re-run report.

Strengthen Your SOX Compliance by Implementing Best Practices  

There is no perfect science to IPE documentation. But the end goal is to be as detailed as possible. By simply focusing on the fundamental questions and ensuring that your documentation addresses them, your documentation will inevitably improve.

Developing best practices for your team is the cornerstone for any successful audit. Ensure you have the right guidance to make it happen. Our Audit and Assurance team can tailor a SOX environment to meet your needs. Contact us today to learn more.

The post How to Elevate Your IPE Documentation to Optimize SOX Compliance appeared first on MGO CPA | Tax, Audit, and Consulting Services.

• The Securities and Exchange Commission (SEC) is promoting the enhancement and standardization of registrants’ disclosures related to cybersecurity risk management, strategy, and governance by adopting a rule that requires public companies to disclose “material” cybersecurity breaches within four days of determining its materiality.
• The SEC wants to know: the processes the companies use to assess, identify, and manage cybersecurity risks, as well as the board’s oversight of such risks and management’s role in assessing and managing those risks.
• The rules apply to nearly all registrants that file periodic reports with the SEC (including foreign private issuers and smaller reporting companies).
• Registrants must also include their risk management, strategy, and governance disclosures in their 2023 annual reports.

—

The SEC wants public companies to be more transparent with its investors about cybersecurity. On July 26, 2023, it voted 3-2 to adopt new rules on disclosure to promote clarity surrounding “material” breaches and what’s being done to combat them. And it wants them to do this within four days of determining if a cybersecurity breach was material on Form 8-K. However, delays may be permitted if immediate disclosure of the breach could pose a national security or public safety risk.

Defining “Material” Disclosures

According to the U.S. Supreme Court, a piece of information is material to investors when its disclosure “would be viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”

Why Is the SEC Implementing This Rule Change?

The SEC seeks to protect companies and investors as cybersecurity incidents have increased in number and sophistication in recent years. In their fact sheet they note: “Cybersecurity risks have increased alongside the digitalization of registrants’ operations, the growth of remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments, and the increasing reliance on third party service providers for information technology services, including cloud computing technology (…) All of these trends underscored the need for improved disclosure.”

But corporations are contesting the rules, arguing this short announcement period is unreasonable — and could reveal vulnerabilities that could be exploited by more cybercriminals looking to take advantage of a company mid-breach.

What Are the Requirements for Risk Management, Strategy, and Governance Disclosures?

Public companies will be required to disclose their cybersecurity breaches within a four-day time period. This disclosure must include additional details too, like the timing of the incident, its impact on the company, and management’s expertise on cybersecurity in Form 10-Ks (and Form 20-Fs for Foreign Filers).

How Will the SEC Cybersecurity Rules Affect You?

The SEC has observed that previous cybersecurity announcements have been inconsistent and inadequate.

Many public companies already have plans in place to share sensitive information about their cyber incidents with federal agencies (FBI). Last year, the Cybersecurity and Infrastructure Security Agency (CISA) adopted cybersecurity rules that require critical infrastructure entities to report breaches within three days to CISA. This reporting duplication could prove confusing and time-consuming.

Ultimately, all public companies need robust internal controls and reporting systems to maintain compliance with the SEC requirements. This assumes issuers already have top-tier cybersecurity technology and processes in place. If not, they’ll need to build these functions out to minimize subsequent fallout from investors and regulators when these inadequacies are made public in their reporting.

The SEC strives to protect investors, which isn’t a bad thing. However, the enforcement of these new rules may not be the most logical option to do so.

Ultimately, the question may not necessarily be how many days you should take to disclose your breach but who should actually be regulating cybersecurity, and who has the authority to call the shots. Cybersecurity is no longer a “nice to have” function in an organization.

How We Can Help

It’s important to stay vigilant to protect your organization from risk and maintain compliance. Our Technology and Cybersecurity Practice can help verify you are compliant and strengthen your overall cybersecurity, so these incidents are less likely to occur. And, if they do, you’ll be ready to mitigate risks sooner— and make progress towards compliance with the SEC’s new rules.

If you are ready to assess your cybersecurity posture, or you have questions about
how the SEC’s new requirements could affect you, schedule a conversation with our Technology and Cybersecurity team today.

The post SEC Adopts Rules for Cybersecurity Risk Management appeared first on MGO CPA | Tax, Audit, and Consulting Services.

Mergers with SPACs have always been an alternative to traditional IPOs. With the IPO market effectively minimized for the time being, SPAC mergers are an increasingly desirable public market liquidity option for private companies.

What the Numbers Tell Us

2020 is a record-shattering year for a revitalized SPAC market. According to data provided by ELLO Capital, there have been 95 SPAC IPOs so far in 2020, raising $37.8 billion (average size: $397 million). That compares with 59 in all of 2019, which raised $13.6 billion (average size: $230 million).

On July 22, 2020, Pershing Square founder Bill Ackman raised $4 billion in the IPO of Pershing Square Tontine Holdings Ltd., the largest SPAC IPO to date. With an initial target of $3 billion, the SPAC included a unique pricing approach: a fixed pool of warrants to be distributed to shareholders who accept a subsequent deal – increasing the take for approvers.

“COVID-19 is likely a direct cause of the acceleration in SPACs this year, as global lockdown policies have restricted travel and the ability to do roadshows. As a result, SPACs have largely replaced traditional IPOs,” said Mark Young, co-founding partner of Bridge Point Capital. “Plus, SPACS appeal to the high-growth technology sector, which has led the market recovery post-February correction, and continue to drive growth in the work-from-home economy.”

SPACs: Rules of the Road

• Speed is the name of the game – Leveraging the market expertise of leadership team, a SPAC can raise funds in a matter of days, without the time and resource demands of a roadshow.
• Minimum value is set – The acquired company/companies must have a minimum value, generally 80% of the fund the SPAC has in escrow following the IPO. Multiple closings, obviously, complicate the otherwise-simple SPAC process and inject completion risk into the transaction.
• The clock is ticking – There’s a deadline reality for both the SPAC and the target: If the SPAC doesn’t close the deal by the deadline, it must return the funds it raised in its offering. On the flip side, getting near the deadline can help give a target company some leverage.
• Valuation risk – Investors in SPACs are very much like IPO investors: there is an expectation that they are buying at a discount and there is significant growth potential around the corner. They are not looking for turnaround stories. In turn, SPACs are perceived as focused on growth verticals.
• Shareholder approval required – The SPAC is a public company that inherits all the baggage – reporting/regulatory demands, liabilities, etc. – of a public company. Approval by target company shareholders likely will be required. And the SPAC would need to file a proxy statement and secure approval from the Securities and Exchange Commission.
• Redemption risk – Here’s an interesting twist: At the time of the transaction, the SPAC’s public shareholders can redeem their stock. The risk: the SPAC’s cash availability – which might be needed to complete the transaction – could take a hit if the redemptions are significant.
• Warrants also in play – Sometimes the purchase price includes stock; the value of those shares are impacted by the associated rights. In most cases, the warrants can be exercised at a premium to the original offering price. What can happen: the valuation of stock included in purchase price may rise above, or fall below, the value of the stock issued to a target. The driving factor: can a deal actually get done.
• Navigate the de-SPAC phase – Definition: the time between the definitive agreement and closing. What needs to be done: communicate details of the transaction to the SPAC’s stakeholders. The goal: optimize the story, educate sales people, engage analysts – protect value.

The Record So Far

• DraftKings (NASDAQ: DKNG): Shares in the online fantasy and gambling company jumped to $18.69 per share when the merger agreement was announced in December, and then edged up to $19.35 per share on the first day of trading, Since then, the price has climbed to about $44.00 per share before settling back into the $37.00-$40.00 area. Its current market capitalization is over $13.5 billion.
• Virgin Galactic (NYSE: SPCE.N): The Richard Branson-backed competitor to Elon Musk’s SpaceX and Jeff Bezos’ Blue Origin, Virgin Galactic shares currently trade in around $17.00-$20.00, about double their late October day-one level, and more than three times their low of $6.90 per share. The stock has reached a high of $42.49 per share, and the company’s current market capitalization is $3.9 billion.
• Nikola (NASDAQ: NKLA): The green truck company has been on a roller-coaster ride since its late June debut. It has climbed as high as $93.99 at one point and currently trades at about $37.00 per share. Market capitalization is just under $14 billion.

Leading the way is a pending deal from Churchill Capital Corp. III, which has agreed to acquire health-cost management services provider MultiPlan for $11 billion. This would make it the largest ever SPAC deal.

“The healthcare and life sciences industries are two sectors likely to continue driving SPAC growth in the COVID-19 era,” said Nadia Tian, co-founding partner of Bridge Point Capital. “This is because healthcare traditionally outperforms the market in a recession, SPACs allow biotech companies to have more cash on hand than a traditional IPO, and the government and consumers are especially focused on these areas as we search for solutions to the COVID-19 outbreak.”

Final Thoughts

Private companies that were planning an IPO or other significant M&A deal before the global economic downturn caused by the COVID-19 pandemic may want to seriously consider a SPAC deal. As with all transactions significant, intensive planning, vetting, due diligence and other considerations must be undertaken.

MGO’s dedicated SEC practice has experience with IPOs, RTOs, M&A deals and the unique characteristics of SPAC acquisitions. To understand your options, and the path ahead, please feel free to reach out to us for a consultation.

The post SPACs Surge: A New Route to Public Markets appeared first on MGO CPA | Tax, Audit, and Consulting Services.