SEC Archives - MGO CPA | Tax, Audit, and Consulting Services
https://www.mgocpa.com/perspectives/topic/sec/

Private Equity Access in 401(k) Plans Gains Steam
https://www.mgocpa.com/perspective/private-equity-in-401k-plans/
Fri, 08 Aug 2025 20:47:48 +0000

Key Takeaways:

  • A new executive order may allow 401(k) plans to invest in private equity, hedge funds, and other alternatives typically reserved for institutions.
  • Plan sponsors must weigh higher returns against risks like illiquidity, valuation challenges, and increased fiduciary oversight responsibilities.
  • Legal and regulatory frameworks are evolving fast, requiring plan providers to strengthen transparency, fee structures, and participant education.

On August 7, 2025, President Trump signed an executive order directing the Department of Labor (DOL) and Securities and Exchange Commission (SEC) to expand access to alternative assets — including private equity, real estate, and digital assets — for 401(k) plans. The goal: open the door to private equity, hedge funds, real estate, and even crypto in retirement plan menus. As both 401(k) auditors and trusted advisors, MGO is helping plan sponsors understand what this expanded access to private equity means for governance and compliance.

Why This Matters Now

With fewer public companies and growing demand for diversified retirement options, private equity firms and plan administrators have been advocating for broader access to private markets. Major players like Blackstone, KKR, and Apollo are pushing to offer these strategies to everyday savers through target date funds and pooled investment options.

Regulators are responding. Trump’s executive order is expected to accelerate this trend by instructing the DOL and SEC to build a framework for oversight and access. This move is positioned as a retirement security initiative to democratize access to high-quality investment options, aiming to empower over 90 million Americans currently excluded from alternative asset opportunities.

Potential Benefits

  • Higher return potential: Private equity has historically delivered strong long-term performance, with average annual returns nearing 14% compared to ~8% for public equities.
  • Diversification: Adding private market exposure can reduce correlation to public stocks and may help smooth volatility over time.
  • Tax deferral: Returns on alternative investments in 401(k)s keep the same tax advantages as traditional plan assets.
  • Expanded access: Ordinary investors gain exposure to asset classes previously reserved for accredited or institutional investors, democratizing retirement portfolio options.

Risks and Concerns

  • Liquidity and transparency: Private investments are harder to value, less liquid, and more complex to manage than traditional funds.
  • Fee structures: Management and performance fees are significantly higher than index funds, which can erode participant returns.
  • Fiduciary exposure: Plan sponsors carry legal responsibilities under the Employee Retirement Income Security Act (ERISA). If alternatives are misused or misunderstood, liability risk increases.
  • Focused investment risk: Private equity funds may concentrate on specific sectors or strategies, which can increase exposure to market shifts or operational volatility.
  • Potential for loss: Like all investments, private equity carries risk — including the possibility of capital loss — despite the perception of higher returns.

Graphic showing the potential benefits and key risks of private equity in 401(k) plans

Regulatory Momentum

The Trump administration’s order builds on a 2020 DOL information letter that cautiously allowed private equity in defined contribution plans — but few sponsors acted. The new order goes further by directing agencies to build consistent frameworks for oversight, pricing, and participant protections.

The order also instructs the SEC to revise applicable regulations to support the inclusion of alternative assets in participant-directed defined contribution plans. The SEC has indicated it may issue new valuation and fee disclosure rules to support this shift.

What Plan Sponsors Should Do

| Step | Action |
|---|---|
| Stay current | Monitor new federal guidance and IRS/DOL bulletins. |
| Reassess governance | Evaluate how your investment committee and advisors assess new asset classes. |
| Educate participants | Communicate risk, fee impact, and access rules clearly. |
| Prepare for audit | Document due diligence and plan updates thoroughly. |

How MGO Can Help

As plan sponsors consider adding private equity or other alternatives to 401(k) lineups, fiduciary responsibilities and audit requirements become more complex. MGO offers guidance to help organizations evaluate these changes, manage risk, and stay compliant with ERISA and DOL expectations.

Our employee benefit plan (EBP) audit team conducts hundreds of 401(k) plan audits annually. We understand the documentation, disclosures, and governance needed to support evolving investment strategies. Whether you’re navigating new guidance, restructuring plan offerings, or preparing for audit readiness, we bring the insight and experience to support your goals. Contact us today to learn how we can help you.

How a Softer SEC Could Benefit Your Investment Firm
https://www.mgocpa.com/perspective/how-softer-sec-could-benefit-investment-firm/
Wed, 25 Jun 2025 21:12:38 +0000

Key Takeaways: 

  • A slower SEC rulemaking process may reduce regulatory pressure, giving asset managers more time to adapt compliance strategies and implement reforms. 
  • Shifting SEC priorities could lead to revised or withdrawn regulations, offering asset managers a chance to reassess risk and reallocate compliance resources. 
  • A more supportive stance on digital assets may open the door for investment firms to expand offerings and attract clients exploring cryptocurrency exposure. 

A Regulatory Reset in Progress 

With a new SEC chairman at the helm, your investment firm may soon feel the impact of a more measured and business-friendly regulatory approach. Paul Atkins’ confirmation signals a likely shift away from rapid-fire rulemaking and toward methodical, consultative oversight — a welcome reprieve for asset managers overwhelmed by previous years’ aggressive timelines and expanding mandates. 

While there’s still uncertainty about how far these changes will go, your firm can prepare to capitalize on a potentially reduced compliance burden, extended implementation windows, and emerging opportunities in areas like digital assets. 

What’s Changing at the SEC? 

The appointment of Chairman Atkins follows former Acting Chair Mark Uyeda’s philosophy: “Slow is smooth and smooth is fast.” This shift in mindset means your organization may benefit from longer regulatory timelines, fewer surprises, and increased opportunities to provide input before new rules are finalized. 

Key Implications: 

  • Deliberate Rulemaking: Asset managers may no longer need to scramble to meet short compliance deadlines. The SEC appears poised to review and potentially withdraw or revise several proposed rules, including those on ESG disclosures, outsourcing, and custody of client assets. 
  • Extended Timelines for Final Rules: Rules adopted but not yet in effect — such as the updated Form N-PORT — could see delayed implementation. This gives your firm more time to develop thoughtful compliance strategies and engage in dialogue with regulators. 
  • Regulatory Clean-Up: An executive order mandates the SEC to eliminate “anti-competitive” regulations. This could simplify your compliance burden, reduce red tape, and make way for innovation — especially for firms looking to explore emerging sectors. 

Digital Assets: A Strategic Advantage 

Chairman Atkins is also signaling a more favorable stance on digital assets. If your firm has been hesitant to move into cryptocurrency and blockchain investments, now may be the time to re-evaluate. 

Under the prior administration, SEC enforcement actions created a chilling effect on digital innovation. In contrast, Atkins — with advisory experience in crypto — is expected to introduce clearer, more constructive frameworks. His focus on “rational and principled” regulation could position digital assets as a viable component of your offerings, giving early movers a strategic edge. 

Don’t Scale Back Just Yet 

Despite this seemingly softer tone, your compliance strategy shouldn’t be scaled down prematurely. Regulatory priorities are still evolving, and the risks of misjudging the new agenda remain high. 

Stay informed and keep your compliance systems strong while observing how the SEC’s actions unfold. By maintaining readiness and flexibility, your organization can adapt strategically and avoid costly missteps. 

Your Best Practices for Navigating Regulatory Shifts 

  • Monitor SEC statements and actions closely to stay ahead of regulatory pivots. 
  • Use extended comment periods to advocate for reasonable, industry-informed rulemaking. 
  • Evaluate potential investments in compliance technology or digital assets with regulatory trends in mind. 
  • Avoid reducing compliance resources until changes are formally adopted and clarified. 

How MGO Can Help 

Navigating regulatory uncertainty requires both agility and insight, and that’s where MGO comes in. Our team stays on top of every SEC development, helping investment firms interpret shifts in policy, plan for evolving compliance demands, and seize emerging opportunities, from ESG to digital assets. Whether you need support rethinking your compliance strategy, evaluating new technologies, or engaging regulators during comment periods, MGO can give you the clarity and experience you need to stay ahead, regardless of the headlines.   

SEC Expands Nonpublic Review Process for Draft Registration Statements
https://www.mgocpa.com/perspective/sec-expands-nonpublic-review-process-for-draft-registration-statements/
Wed, 21 May 2025 18:19:49 +0000

Key Takeaways: 

  • SEC expands nonpublic review to include Section 12(g) registrations and de-SPAC transactions, increasing flexibility for issuers. 
  • Issuers can now submit draft registration statements any time after an IPO, removing the previous one-year restriction. 
  • Underwriters’ names can be omitted from initial draft filings, but disclosure is required in later public submissions. 

Key Changes to SEC’s Nonpublic Review Process You Need to Know 

The SEC’s Division of Corporation Finance has introduced expanded accommodations for issuers submitting draft registration statements for nonpublic review. These updates provide greater flexibility for you, while still maintaining regulatory oversight. Key changes include: 

  • Broader eligibility: Nonpublic review now extends to initial registrations under Section 12(g) of the Exchange Act and de-SPAC transactions. 
  • Extended timing: Issuers can submit draft registration statements at any time after their IPO, removing prior restrictions. 
  • Underwriter disclosure flexibility: Issuers may initially omit underwriter names, with disclosure required in later filings. 

These changes aim to streamline the capital formation process while maintaining investor protection.

Expanded Nonpublic Review Accommodations 

The Jumpstart Our Business Startups (JOBS) Act of 2012 first allowed Emerging Growth Companies (EGCs) to submit draft registration statements for initial public offerings (IPOs) through a confidential review process. This year, the SEC expanded this process to include non-EGCs, certain Exchange Act registration statements, and other draft filings submitted within one year of an IPO. 

With these latest updates, the SEC has further broadened the scope of the nonpublic review process, offering you as the issuer more flexibility regarding your submission timing and initial disclosure requirements. 

Expanded Nonpublic Review: Key Updates for You to Know 

Initial Registration of Securities Under the Exchange Act 

The SEC has broadened the nonpublic review process to include initial registrations under Section 12(g) of the Exchange Act. Now, you can confidentially submit an initial registration of a class of securities using Forms 10, 20-F, or 40-F under Exchange Act Sections 12(b) and 12(g). 

To comply with SEC requirements, if you’re submitting draft initial registration statements for nonpublic review, you have to confirm in a cover letter that you will publicly file the registration statement and draft submissions:

  • At least 15 days before any roadshow.
  • If no roadshow is planned, at least 15 days before the requested effective date.

Additionally, SEC staff comment letters and issuer responses will be released no earlier than 20 business days after the registration statement’s effective date. 

Draft Registration Statements Post-IPO 

Under the new SEC accommodation, you can now submit draft registration statements at any time after your IPO for any: 

  • Securities Act offering 
  • Exchange Act registration of a class of securities under Sections 12(b) or 12(g) 

This removes the previous one-year restriction following an IPO’s effective date. 

Key filing requirements include: 

  • You must confirm in your cover letter that you will publicly file the registration statement at least two business days before the requested effective date. 
  • Exchange Act registration statements (Forms 10, 20-F, or 40-F) must be publicly available for 30 or 60 days (as applicable) before effectiveness. 
  • Only the initial submission qualifies for nonpublic review. Subsequent amendments, including responses to SEC staff comments, must be publicly filed. 

De-SPAC Transactions: Nonpublic Review Eligibility 

With the SEC’s SPAC rules effective July 2024, target companies in de-SPAC transactions are now treated as co-registrants since the de-SPAC functions as the target’s IPO equivalent. 

Under the expanded rules, your registration statements for de-SPAC transactions (when the SPAC is the surviving entity) may now qualify for nonpublic review, provided the co-registrant target also meets the eligibility criteria for a draft submission. 

Omitted Information 

You may now omit the name of the underwriter(s) from initial draft registration statement submissions. However, keep in mind that the underwriter(s) must be disclosed in subsequent submissions and public filings. 

While draft registration statements must be substantially complete when submitted, you can continue to omit financial information that you reasonably believe will not be required when the registration statement is publicly filed. 

Additionally, you may omit certain historical financial information from your IPO draft registration statements: 

  • Emerging Growth Companies (EGCs) may omit annual and interim periods that will not be required separately at the time of the offering. 
  • Non-EGCs may omit annual and interim periods that will not be required separately at the time of public filing. 

Additional accommodation may be available. For more guidance, refer to A Guide to Going Public. 

Foreign Private Issuers 

Foreign Private Issuers (FPIs) may take advantage of these expanded accommodations or utilize the procedures available to EGCs if they qualify. Alternatively, FPIs can follow the guidance outlined in the SEC staff’s 2012 statement.

Guidance for SEC Filings and Compliance  

MGO’s Public Company Services team has a strong history of guiding companies through SEC filings, IPOs, SPAC transactions, and public company compliance. With deep industry knowledge, MGO helps companies navigate the registration process, meet SEC requirements, and improve financial disclosures while adapting to regulatory changes. Contact us to learn more.

SEC Clawback Rules: A Snapshot
https://www.mgocpa.com/perspective/sec-clawback-rules/
Thu, 27 Feb 2025 22:20:13 +0000

Key Takeaways:

  • Companies that are listed on NYSE or Nasdaq must have clawback policies to recover erroneously awarded incentive compensation.
  • Clawback analysis is required when there’s a material or potential material error in financial statements, leading to restatement.
  • Issuers must disclose their clawback policies and relevant recovery details in annual reports and other filings.

This Snapshot summarizes the SEC’s clawback rules and includes SEC staff guidance on the checkboxes found on the cover pages of annual reports and the clawback disclosure requirements in Item 402(w) of Regulation S-K (“S-K”). 

Overview 

Registrants listed on the New York Stock Exchange (NYSE) or Nasdaq Stock Market (Nasdaq) (“issuers”) must have policies in place to provide for the recovery of erroneously awarded incentive compensation (the “clawback” rules).   

The rules require issuers to file their clawback policies as an exhibit to their annual reports and make several disclosures in annual reports and proxy and information statements. 

Clawback Analysis 

Upon preparing a financial statement restatement, an issuer must recover incentive-based compensation awarded to any current or former executive officers during the three years preceding the date of the restatement. A clawback analysis is triggered by an accounting restatement that corrects an error that: 

  • Is material to the previously issued financial statements (a “Big R” restatement)
  • Would result in a material misstatement if the error was corrected or remained uncorrected in the current period (a “little r” restatement)

BDO Insight: Assessing the Materiality of an Error 

In making the materiality determination, an issuer must consider the quantitative and qualitative effect of the error from the perspective of a reasonable investor based on the totality of information that an issuer discloses. See our publication, Accounting Changes and Error Corrections, for more guidance. 

Once an issuer has determined an accounting restatement is necessary, the issuer must evaluate whether incentive-based compensation awarded to any current or former executive officers during the three years preceding “the date the issuer is required to prepare the restatement” must be recovered. 

The amount to be recovered is the difference between the amount of incentive-based compensation “received” by the executive and the amount that the executive should have received based on the restated financial reporting measure(s). Under the transition period, the clawback policy only applies to incentive-based compensation received on or after October 2, 2023, the effective date of the rule (even if the incentive compensation was granted before that date). 

Such recovery does not require misconduct by an executive or consideration of whether the executive had responsibility for the erroneous financial statements. 

The following table describes some key terms in the rule: 

| Term | Description |
|---|---|
| Executives[1] | Includes anyone who performs policy-making functions for the issuer. For example, the issuer’s president, principal financial officer, and vice president in charge of a business unit, division, or function. |
| Incentive-based compensation | Applies broadly[2] to an issuer’s incentive-based compensation and includes bonuses, raises, and other equity or cash awards earned based on the achievement of a financial reporting measure.[3] Bonuses, raises, and other equity awards that are not tied to a financial reporting measure are excluded. Incentive-based compensation is received in the fiscal year in which the award is attained, regardless of when payment occurred, and is computed on a pre-tax basis. |
| Date the issuer is required to prepare the restatement | Occurs on the earlier of: (1) the date the issuer’s board (or committee thereof) or officer(s) concludes, or reasonably should have concluded, that the issuer is required to prepare an accounting restatement; (2) the date a court, regulator, or other legally authorized body directs the issuer to prepare an accounting restatement. |

There are limited exceptions whereby issuers are not required to collect erroneously awarded compensation, including: 

  • When expenses paid for collection would exceed the amount of the recovery and the issuer has made a reasonable attempt to recover.
  • Recovery would violate home country law.
  • Recovery would cause a tax-qualified retirement plan to fail to meet the requirements of the Internal Revenue Code.

Disclosures 

Checkboxes 

The clawback checkboxes appear on the cover page of annual reports on Forms 10-K, 20-F, and 40-F and require issuers to indicate whether: 

1) The financial statements included in the filing reflect the correction of an error to previously issued financial statements (the “first checkbox”).
2) Any of the error corrections identified in 1) required an analysis for the recovery of incentive-based compensation from its executive officers (the “second checkbox”).

Disclosure Requirements 

SEC Reference: S-K Item 402(w)

Issuers must disclose:

  • The date the accounting restatement was required to be prepared
  • The total erroneously awarded compensation, including how the amount was calculated (or an explanation about why the amount has not been determined)
  • The total erroneously awarded compensation outstanding at the end of the most recently completed fiscal year (including the name of the executive officer and the amounts that have been outstanding for 180 days or more since the determination of such amounts)
  • Any estimates used in determining the amount to be recovered for incentive-based compensation tied to stock price or total shareholder return
  • An explanation of any clawback analyses that did not result in the recovery of erroneously awarded compensation
  • Recovered amounts that were deducted from the executive’s compensation that is presented in the Summary Compensation Table pursuant to S-K Item 402(c)

SEC Staff Guidance 

At the 2023 AICPA & CIMA Conference on Current SEC and PCAOB Developments, the SEC staff provided its view that issuers should check the first checkbox when the financial statements reflect the correction of an accounting error, as defined in U.S. GAAP (or IFRS), in the previously issued financial statements. This includes “Big R,” “little r,” and voluntary restatements. The SEC staff indicated that voluntary restatements include corrections of immaterial errors in the financial statement footnotes. However, issuers are not required to check the first checkbox for any out-of-period adjustments that are recorded in the financial statements of the current period. 

The following table summarizes the types of error corrections and the applicability of the first checkbox based on the remarks of the SEC staff: 

| Type of Error Correction | Summary | Does Checkbox 1) Apply? |
|---|---|---|
| Big R | An error is corrected through a Big R restatement when the error is material to the previously issued financial statements. A Big R restatement requires the entity to restate and reissue its previously issued financial statements. | Yes |
| little r | An error is corrected through a little r restatement when the error is immaterial to the previously issued financial statements, but correcting the error in the current period would materially misstate the current period financial statements. For example, an immaterial error that has been uncorrected for multiple periods and has aggregated to a material number in the current period may be corrected through a little r restatement. | Yes |
| Voluntary restatement | An error is corrected through a voluntary restatement if previously issued financial statements are corrected for errors that are not considered Big R or little r restatements. Examples of voluntary restatements include immaterial classification errors in the balance sheet and statement of cash flows, and corrections of immaterial errors in the financial statement footnotes. | Yes |
| Out-of-period adjustment | An error is corrected within the current period as an out-of-period adjustment when it is considered immaterial to both the current and prior period(s). The error correction is reflected in the current period, not the previously issued financial statements. | No |

At the 2024 AICPA & CIMA Conference on Current SEC and PCAOB Developments, the SEC staff further addressed the application of the clawback checkboxes as well as the disclosures required when a restatement requires the recovery of erroneously awarded compensation. The SEC staff emphasized that the disclosures required by S-K Item 402(w) are not solely dependent on the use of the clawback checkboxes.  

The clawback checkboxes apply to annual reports, not quarterly reports (such as Form 10-Q). In contrast, the S-K Item 402(w) disclosures apply to restatements during or after the last completed fiscal year that require the recovery of erroneously awarded compensation. Accordingly, the application of the clawback checkboxes depends on when a restatement is reflected, whereas the application of the S-K Item 402(w) disclosures depends on when a restatement is determined. As such, the S-K Item 402(w) disclosures may apply to an issuer even when the clawback checkboxes do not. To illustrate this, the SEC staff provided the following example: 

Before filing its 2024 Form 10-K, an issuer restates its first, second, and third quarter 2024 Form 10-Qs to correct an error. After filing the amended Form 10-Qs, the issuer files its 2024 Form 10-K and presents restated 2024 interim financial information in an unaudited footnote to comply with S-K Item 302. In this instance, the SEC staff indicated it would not object if the issuer does not check the first checkbox on the cover page of its 2024 Form 10-K because the previously issued financial statements included in the annual report do not reflect the correction of an error.[4] However, the issuer must include the S-K Item 402(w) disclosures in its 2024 Form 10-K[5] because the restatement occurred during or after its last completed fiscal year. 

The SEC staff also addressed the application of the first checkbox in annual reports following a restatement. For example, assume an issuer identifies a material error to the financial statements included in its 2023 Form 10-K. The issuer amends its 2023 Form 10-K to correct the error and checks the first checkbox. In its 2024 Form 10-K, the issuer is not required to check the first checkbox for the same restatement because investors were made aware of the error when the issuer checked the first checkbox in its amended 2023 Form 10-K. However, if an issuer restates its previously issued financial statements in a filing other than an annual report (such as a registration statement or Form 8-K), the SEC staff believes the issuer must check the first checkbox in its annual report that reflects the correction of the error to the previously issued financial statements to inform investors of the error.  For example, assume an issuer identifies an immaterial error to the financial statements included in its 2023 Form 10-K. Prior to filing its 2024 Form 10-K, the issuer corrects the error in its financial statements by filing them in an Item 8.01 Form 8-K. In this circumstance, the SEC staff believes the issuer should check the first checkbox when it files its 2024 Form 10-K as the issuer has not previously checked the first checkbox to inform investors of the error. 

The second checkbox applies to Big R or little r restatements (it does not apply to voluntary restatements). When the first checkbox is checked due to a Big R or little r restatement, the second checkbox applies. This is true even if the executive officers did not receive incentive compensation during the relevant periods of the recovery analysis, and when the restatement has no impact on incentive compensation received, as an analysis for the recovery is required. 

Lastly, the SEC staff shared observations from its review of the disclosures required by S-K Item 402(w). First, issuers must comply with the disclosure requirements when a restatement requires a clawback analysis, even when recovery is not required. In these instances, the issuer must briefly explain why the application of its recovery policy did not require recovery. The SEC staff also reminded issuers that the clawback disclosures must be tagged using Inline XBRL. 

Insight: Checkboxes 

We encourage issuers to work closely with legal counsel regarding the applicability of the checkboxes to their particular facts and circumstances.  

Written by Timothy Kviz and Paula Hamric. Copyright © 2025 BDO USA, P.C. All rights reserved. www.bdo.com 

How MGO Can Help  

MGO can help issuers navigate the complexities of SEC clawback rules by providing guidance on compliance, financial restatements, and disclosure requirements. Our team is well-versed in assessing material errors and can help you conduct a proper clawback analysis, as well as assist with SEC filings, including S-K Item 402(w) disclosures. With a deep understanding of regulatory frameworks and industry best practices, our team supports you in developing and maintaining effective clawback policies, mitigating overall risk, and fostering transparency with your stakeholders every step of the way. Contact us to learn how we can be your trusted partner in safeguarding corporate integrity and governance.  

References

[1] Compliance and Disclosure Interpretations (C&DIs) 121H.02 and 121H.03 provide guidance on which persons are considered named executive officers and require individualized disclosure pursuant to Item 6.F of Form 20-F and Item B.(19) of Form 40-F. 

[2] Also refer to C&DI 121H.04. 

[3] Financial reporting measures are “measures that are determined and presented in accordance with the accounting principles used in preparing the issuer’s financial statements, and any measures derived wholly or in part from such measures.” This includes GAAP and non-GAAP measures or metrics, as well as stock price and total shareholder return (TSR). 

[4] This is consistent with the SEC staff’s view detailed in June 2024 CAQ SEC Regulations Committee Highlights, Topic III.A. 

[5] Or its definitive proxy statement if the issuer forward incorporates Part III information into its Form 10-K. 

FCPA Compliance: A Practical Guide for Identifying and Mitigating the Risk of Violations

Mon, 24 Feb 2025 19:03:01 +0000

Key Takeaways:

  • To stay compliant, it’s important that you maintain accurate records, robust internal controls, and ongoing employee training.
  • Risk mitigation is key, and proactive measures such as whistleblower hotlines and internal audits can help identify and address potential violations early on.
  • Legal adherence is also important — make sure your compliance program aligns with all DOJ and SEC regulations to avoid severe penalties.

The Foreign Corrupt Practices Act (FCPA), a U.S. law enacted in 1977, targets bribery and corruption in international business transactions. The FCPA generally applies to any U.S. business entity but becomes more relevant to companies operating in foreign countries and certain foreign companies operating in the United States. The law’s accounting provisions require entities covered by the FCPA to keep accurate books and records and maintain adequate internal accounting controls. 

The Securities and Exchange Commission (SEC) and U.S. Department of Justice (DOJ) enforce the FCPA. Violations of the FCPA can result in fines, penalties, and criminal charges. Enforcement of the FCPA has increased considerably over the past decades, and both the DOJ and the SEC have expanded their roles from enforcer of anti-bribery laws to compliance regulators. Both private and public corporations are increasingly expected to adhere to a specific standard of FCPA compliance and are expected to have compliance programs that are effective and hold up to DOJ’s scrutiny. 

U.S. companies operating on the international playing field and foreign companies operating in the U.S. are both subject to the FCPA. In recent years, penalties exceeding $2 billion have been assessed against companies for FCPA violations. In 2023 alone, the SEC’s Division of Enforcement filed 784 enforcement actions, obtained nearly $5 billion in financial remedies, and awarded nearly $600 million to whistleblowers who reported their employers’ illegal activity. In this article, we provide insights into dealing with violations and offer practical ideas for mitigating risk. 

Addressing FCPA Risks 

The path to FCPA compliance is both proactive and reactive.  

A compliance program must align with the DOJ’s Evaluation of an Effective Compliance Program (as updated on Sept. 23, 2024), which serves as the Criminal Division’s guidance for prosecutors evaluating such programs. In addition, the DOJ has continued to enhance its expectations around effective corporate compliance by creating additional incentives for individuals to report information about criminal conduct directly to the DOJ. 

Determining if your company’s compliance program is well designed, resourced, and working provides a basis for evaluating the program’s effectiveness. Strong internal controls and whistleblower hotlines can help organizations identify and address problems at the earliest stages, which may then allow the organization to self-report to the SEC and the DOJ. A robust compliance program that also includes ongoing employee training can reduce the potential for FCPA violations.  

Discovering FCPA Violations 

Although effective internal controls and continuous monitoring of certain activities or transactions might catch potential acts of non-compliance, FCPA violations may come to light through various channels, including the following:   

  • Whistleblower hotlines: Employees may report potentially illegal or non-compliant activities through their organization’s whistleblower hotline or other reporting mechanisms that allow them to anonymously share their concerns about potential illegal acts, including FCPA violations. Routine monitoring, triage, and escalation of these reporting channels can increase an organization’s opportunities for early identification of potentially illegal activities. 
  • Employee exit interviews: Some employees may feel uncomfortable discussing their observations of allegedly illicit activity while still employed or, in certain instances, may not know about the organization’s whistleblower mechanism. Others may innocently report on illegal transactions during an exit interview. Finally, some may be unaware of the appropriate whistleblower mechanism in place. Information that comes to light during employee exit interviews must be appropriately triaged and forwarded to the proper internal parties.   
  • Internal audits: Companies may develop and maintain protocols designed to uncover potential regulatory violations or non-compliance, including internal controls evaluations; financial record reviews; third-party due diligence investigations; reviews of gift, travel, and entertainment expenses; and employee training opportunities. 
  • Routine business activities: During the regular course of business, an organization’s employees may notice suspicious activities that require further review. In some cases, the information may pass through the normal chain of command until a reasonable explanation is offered or an internal investigation is triggered. 
  • SEC or DOJ notifications: Occasionally, the SEC or DOJ will have been notified of potential illegal activities through their respective whistleblower awards programs: the SEC Whistleblower Program and the DOJ’s Corporate Whistleblower Awards Pilot Program. In such instances, both agencies can initiate contact with an organization through informal means, such as phone calls or emails. More formal notifications — such as a Wells Notice, a Target Letter, a subpoena, or a civil complaint — alert an organization that an enforcement action is imminent or ongoing.  

Regrettably, an organization’s first notice of an FCPA violation may arrive as a result of a whistleblower report made directly to the SEC or DOJ or arise from another investigation implicating a different organization. Both the existing SEC and new DOJ whistleblower programs have further incentivized individuals to notify them of potential illegal activities and violations.  

Understanding SEC and DOJ Whistleblower Programs 

Reports of suspicious activity received through internal channels can be evaluated through substantive internal investigative work; self-reporting may then become an option. However, possible illegal behavior can also be reported directly to regulatory bodies — and updated FCPA and anti-bribery and anti-corruption regulations have made the process easier and more lucrative for whistleblowers.

The SEC’s whistleblower program, created by the Dodd-Frank Act, encourages individuals to report illegal activities directly to the SEC. In return, people who divulge high-quality information that leads to an SEC enforcement action may receive between 10% and 30% of the money the SEC collects. For example, the SEC announced in August 2024 that it will be awarding two whistleblowers the sums of $4 million and $20 million, respectively, for their pivotal roles in an SEC enforcement action. 

The DOJ’s Criminal Division Corporate Whistleblower Awards Pilot Program is designed to mirror and supplement other successful whistleblower programs managed by the SEC, the Commodity Futures Trading Commission (CFTC), and the Financial Crimes Enforcement Network (FinCEN) and is specifically targeted at private non-public health care programs, privately held companies and others that are not publicly traded as well as cryptocurrency businesses. Information provided by the whistleblower through this program is intended to fill the gaps in other agencies’ whistleblower programs by advancing criminal investigations and prosecutions pertaining to compliance violations by financial institutions, foreign and domestic corruption, including violations of the FCPA and Foreign Extortion Prevention Act (FEPA), as well as specific health care fraud that is not covered by the False Claims Act qui tam program. Similar to other programs, the whistleblower may receive a percentage of any civil or criminal forfeitures that result from a successful DOJ prosecution. However, certain conditions will apply. Additionally, the DOJ may decline to prosecute companies that voluntarily self-report potential violations in a timely manner. 

Whether the FCPA violation is discovered through an internal or external channel, the organization’s leaders must respond in a manner that can withstand the scrutiny of investigators and be responsive to the organization’s stakeholders. 

Making an Organized Response to an FCPA Violation 

Reacting to a potential FCPA violation appropriately and in a defensible manner can significantly impact the outcome, the decision to self-disclose, and the resolution of the matter. In addition, amendments to the Corporate Whistleblower Awards Pilot Program give companies 120 days to self-disclose from the point of receiving a whistleblower allegation in order to benefit from the program’s presumption of declination (subject to other qualifying elements). An orderly response to any allegation often stems from plans established well before an incident occurs. Given the implications of self-disclosure, whether formal protocols are in place or not, the following eight tasks should be considered part of an organization’s course of action after learning of a potential FCPA violation:  

  1. Notify the Legal Department: A company’s general counsel or outside counsel should be involved as soon as an FCPA compliance issue is suspected or identified. Not only can counsel provide legal guidance at the outset of the process, but their work is generally protected by attorney-client privilege and the work-product doctrine. Early access to the situation can also help prepare counsel for any internal investigations or litigation that may arise from the incident, as well as providing the background information needed to make an informed decision regarding self-disclosure. 
  2. Identify the parties involved: Although the investigation process will be fluid and expanding, it’s crucial to gain an early understanding of the parties within the organization who were involved with any suspicious payments or activities. Learning who knew of and authorized the payments in question may significantly impact the scope of any current or future investigations. 
  3. Capture the data: One of the first things legal counsel will typically do is issue a legal hold to anyone associated with the identified potential issue or with knowledge about any transactions. This notifies them to preserve certain items that could be needed as evidence during an investigation. These types of litigation holds are instrumental in gathering the facts and circumstances needed to understand a potential instance of FCPA non-compliance.
  4. Consider hiring independent expertise: Navigating potential FCPA violations requires the knowledge of complex laws and regulations that outside counsel may provide. Such expertise can assist in the investigative process and during potential interactions with the regulatory and enforcement authorities. In addition, evaluating the facts and circumstances surrounding any suspicious transactions will likely require the type of deep dive into the organization’s accounting systems and internal controls that typically is best handled by forensic accounting and investigations professionals.  
  5. Perform a preliminary investigation: Forming a plan of action requires knowledge of the facts and circumstances surrounding the suspected illicit activity. Consider using internal groups, such as the audit department, to gather transactional data for review. Be mindful of the independence of the internal team(s) used to perform such a preliminary review, as this might impact the reliance on their findings. 
  6. Inform key stakeholders: It is critical to inform the organization’s Board of Directors and Audit Committee about the possible incident early in the process. In addition, briefing the auditor can help them understand the company’s response to the allegations, as well as the potential impact on the current or past audits and help address the auditors’ obligations when such a disclosure is made.  
  7. Assess the organization’s compliance programs: The strength of an organization’s compliance program may affect the outcome of an SEC or DOJ investigation. Questions regarding the effectiveness of the compliance program should include: Does the program include up-to-date training in FCPA compliance for employees? Is a whistleblower hotline in place? Has the organization engaged in due diligence for resellers and third-party vendors? Evidence of attempts to maintain good corporate governance can mitigate penalties in most cases. 
  8. Keep communication channels open: In situations such as this, the organization’s reputation and financial well-being are at risk. As the investigation proceeds, communicate frequently with key stakeholders, including the Audit Committee, the Board of Directors, the C-suite, the Human Resources Department, compliance leadership, and the company’s auditors.  

Independent and thorough investigation of an FCPA violation demonstrates an understanding of the importance of internal controls, compliance programs, tone at the top, and training. Additionally, an organized response aids company leaders in developing a well-documented and defensible response to inquiries from government regulatory bodies. The results of an internal investigation may also steer the company toward self-reporting the incident through proper channels. 

Mitigating the Risks of Future FCPA Violations 

Assessment and remediation after a regulatory investigation can enhance an organization’s compliance program and, despite the human error element, can help reduce the risk of future violations. Taking a proactive approach can result in a robust compliance program that is rigorously enforced, updated, and maintained, signaling a developed culture of compliance within the organization. While there is no guarantee of leniency, the SEC and DOJ do consider the existence and effectiveness of compliance programs when determining penalties for FCPA violations. 

Organizations may focus on several key areas to mitigate potential FCPA risks, including the following: 

  • Compliance program maturity: An organization may begin by evaluating the maturity of its compliance program, focusing particularly on whether the program addresses its true compliance risks. Efficient allocation of limited resources hinges on a thorough review of the current compliance program to expose any existing vulnerabilities. 
  • Transactions monitoring: Failure to implement strategies and technology for data analytics and continuous transactions monitoring can be costly in the long run when not aligned with current regulatory expectations.  
  • Reporting mechanisms: Employees need an accessible, confidential way to report potential violations. A working whistleblower program or similar mechanism is a critical part of an effective compliance program. 
  • Training: Up-to-date training about FCPA compliance for employees and third parties not only can decrease the risk of non-compliant behavior but also demonstrates to regulators the organization’s proactive manner of addressing these risks. 
  • Third-party due diligence: Organizations generally are held accountable for FCPA compliance failures that occur through third parties, including vendors and resellers. A thorough due diligence process is a must. Noncompliant and ill-trained third parties — especially when weak compliance measures are in place — can result in significant fines and legal action against the organization. 

Compliance is a critical component of ethical business conduct, relying on thorough assessment of an organization’s processes to help ensure alignment with laws and regulations. 

Is Your Organization Prepared to Manage FCPA Compliance? 

Swift, decisive action is necessary when an organization identifies a potential FCPA violation. However, a robust compliance program can proactively address the risks associated with doing business in today’s strict regulatory landscape.  

Our Forensics team members have the experience and skill to assist in both proactive and reactive situations. Before trouble strikes, we can conduct strategic evaluations of your organization and your compliance ecosystems to address overall risk. We also can help prepare your response to government enforcement and inquiries from the DOJ, SEC, or foreign regulators.  

Our professionals come from forensic, accounting, regulatory, investigative, enforcement, litigation support and operational backgrounds, with extensive experience working with counsel and regulators. As accountants and forensic specialists, we can help you navigate highly technical and operational elements in a manner that is effective, defensible, and responsive to regulatory standards and expectations. 

Written by Didier Lavion. Copyright © 2024 BDO USA, P.C. All rights reserved. www.bdo.com 

How MGO Can Help 

MGO’s team of forensic accountants can assist you in navigating the complexities of FCPA regulations, making sure you implement and maintain robust compliance programs. From conducting internal audits and risk assessments to developing whistleblower programs and providing employer training, we can provide you with tailored solutions to help your organization proactively manage the full spectrum of FCPA risks.

By leveraging our deep industry experience and regulatory insights, you can enhance your internal controls, respond effectively to potential violations, and safeguard your operations from costly penalties. Contact us to learn more.  

SOX Compliance Tips to Build Transparency Culture

Wed, 12 Feb 2025 00:25:46 +0000

Key Takeaways:

  • SOX requires CEOs/CFOs to certify financials, creating top-down accountability in reporting.
  • Continuous monitoring and tech updates are vital to maintain SOX compliance in a dynamic regulatory landscape.
  • Embedding SOX compliance into daily operations builds transparency and reduces risk.

Reliable financial reporting can protect companies and their investors from fraudulent activities. In fact, the C-Suite is held to stringent requirements imposed by the intricate provisions of the Sarbanes-Oxley Act of 2002 (SOX), making transparency and accountability essential components of corporate governance.

Despite the serious consequences of noncompliance — including fines, criminal charges, loss of reputation, and delisting — SOX compliance may be shuffled behind a myriad of competing corporate initiatives. Taking a proactive approach is generally best, and it begins with gaining a deeper understanding of what SOX compliance means to members of the C-suite.

SOX Compliance Relevance to the C-Suite

Prior to 2002, a series of financial scandals eroded investor confidence and exposed significant flaws in corporate governance. The Sarbanes-Oxley Act was the government’s response.

Complying with SOX has become a crucial component of contemporary corporate governance. SOX establishes legal accountability for senior executives, who can be held personally responsible for inaccuracies and misstatements of the financial statements they certify. The financial integrity of a company hinges on its accurate financials; unreliable financial reporting can erode the trust of investors and tarnish the company’s reputation in the market. Strong internal controls can streamline processes, provide the C-suite with reliable data, and help mitigate risk.

Key C-Suite Responsibilities

SOX contains two sections that are particularly relevant to the C-suite and have led to significant changes in corporate governance.

  • Section 302 mandates that senior executives certify the accuracy of financial reports. The CEO and CFO sign personal attestations as to the accuracy and completeness of the reports, which makes them accountable for the integrity of the company’s financial reporting.
  • Section 404 requires that senior executives establish and maintain robust internal controls, continuously monitoring and updating them as needed.

It’s important to note here that senior executives like the CFO and CEO may not participate in the writing of financial reports or the design and implementation of internal controls. However, they do oversee such activities and, more importantly, provide an overall “tone from the top” that promotes integrity and ethical behavior.

Building a SOX-Compliant Culture

SOX compliance depends on the company’s culture of compliance, something that can be built into the company’s day-to-day operations. Just as the responsibility for compliance falls to the C-suite, senior executives are also responsible for taking the steps needed to build a SOX-compliance culture. Developing that environment starts with the C-suite leading by example and demonstrating a commitment to ethical behavior and transparency.

Employees are another key component of SOX compliance. Training and awareness programs help educate them about SOX requirements and inculcate the importance of compliance. Staff also should feel comfortable reporting their concerns about suspicious activities to their superiors without fear of retaliation.

While complying with SOX, senior executives can help ensure that employees understand and use the internal controls they approve; procedures that become part of the process are easier for employees to embrace. Instead of approaching compliance as a separate “exercise,” frame it as a normal part of doing business.

Finally, the board of directors and audit committee members contribute to the company’s governance and its culture of transparency.

Implement Effective Internal Controls

Internal controls provide a framework for ensuring the integrity of financial reporting and compliance with regulatory requirements. Such controls help the company:

  • Comply with regulations and laws.
  • Prevent and detect fraud.
  • Enhance reliability of financial records.
  • Identify and help mitigate risk.
  • Provide clear guidance on accountability within the organization.
  • Present accurate and complete financial information.
  • Promote a corporate culture of transparency, integrity, and ethical behavior.

Before designing and implementing internal controls, it’s important to start with a comprehensive risk assessment to help identify potential vulnerabilities. Control procedures then can be developed and documented, with clear guidance on the assignment of responsibilities.

Even after internal controls are in place, the work continues. Monitoring people, processes, and systems in any organization is an ongoing process. Changes to any of those categories — such as employee turnover or implementation of new processes — could result in weakened controls, but periodic reviews and testing can help identify and address critical situations. Another way to improve compliance and reduce human error is by leveraging technology and automation. Companies that lack the in-house capabilities to implement such technology should consider outsourcing this critical function.

Challenges and Best Practices for SOX Compliance

Companies with poor Internal Controls over Financial Reporting (ICFR) are missing a critical component of the company’s corporate governance. ICFR processes are designed to help ensure the reliability of financial reporting, and SOX controls are focused on the production of accurate financial statements. Senior executives on the path to SOX compliance will face challenges, but it is well worth the effort to overcome them.

Lack of awareness, especially among the C-suite, can be the first issue to address. If senior executives do not understand the serious consequences of noncompliance, then building compliance into the company’s culture can become a nonissue. Understanding SOX requirements is an important first step.

Employees often resist changes to established procedures. But a “we’ve always done it this way” mindset can stand in the way of progress that leads to SOX compliance. Senior executives can lead by exhibiting a willingness to change and an expectation that others will align their actions with the company’s culture of compliance.

C-suite members must understand that reactive compliance is generally more costly than proactive compliance. Poor ICFR processes can lead to material weaknesses and irregularities in financial reporting, which in turn can lead to loss of reputation, loss of stakeholder trust, and potential delisting. The culture of transparency and compliance should permeate the entire company, and that can be accomplished with programs that are comprehensive, consistent, and routine.

Continuous Improvement and Adaptation

The corporate environment is not static. Emerging risks and regulatory changes can affect a company’s preparation and filing of financial reporting. The C-suite must stay informed about changes and adapt their compliance strategies accordingly.

For example, trends that may affect SOX compliance processes include increased use of technology — including AI and automation — and a greater emphasis on data analytics. Regulatory bodies may alter their regulatory requirements, which means evaluating and realigning processes to remain in compliance.

SOX compliance requires ongoing evaluation. As senior executives lead their companies to full compliance, the following steps are needed to maintain the right program for the current environment:

  • Monitor your internal processes and controls.
  • Refresh them as needed.
  • Check with auditors to learn how they assess financial reporting.

Finally, obtaining objective opinions and advice from third-party professionals can assist the C-suite in making informed decisions as they move toward SOX compliance.

How MGO Can Help

MGO supports your C-suite with tailored SOX compliance solutions, emphasizing robust internal controls and fostering a culture of transparency and accountability. Our team provides guidance in developing customized internal control frameworks that promote reliable financial reporting and SOX compliance. We also offer comprehensive training programs for executives and staff, embedding a compliance-focused culture throughout the organization. Additionally, MGO offers ongoing monitoring and advisory services, with regular assessments and strategic adjustments to keep compliance aligned with evolving regulations. Contact us to learn more.

Written by Dawn Williford and Sucheta Atre. Copyright © 2024 BDO USA, P.C. All rights reserved. www.bdo.com

Tech IPOs: Steering Clear of Common Pitfalls on Your Path to Becoming a Public Company

Thu, 17 Oct 2024 14:43:00 +0000

Key Takeaways:

  • For tech founders, taking a company public can provide significant benefits like increased capital, visibility, and liquidity, but the process is complex and comes with risks, such as increased regulatory scrutiny and reduced control.
  • There are several common pitfalls to avoid during the IPO journey, including underestimating timelines, not building a strong financial foundation, and not having the right leadership in place.
  • Tech companies should focus on a few things to facilitate post-IPO success as a public entity: investor relations, internal controls, and cultural shifts. These maintain trust and compliance across the board.

For many tech founders, the prestige and promised rewards of taking a company public are strong motivators to pursue an initial public offering (IPO).

But IPOs, however attractive, are extremely complicated and can be overwhelming — especially if you’re not a transaction expert and have never navigated the full process. Without the right information, tech founders are liable to experience delays, derailments, and disappointments on their road to an IPO.

Are you a tech founder looking to IPO for the first time? Read our guide to understand what the IPO process looks like for tech companies like yours — and what pitfalls you’ll need to avoid along the way.

Should You Go Public?

While an IPO can be a great avenue to grow your business, it isn’t the right strategy for every company — or every founder. To make an informed decision, you need to understand the benefits and drawbacks of pursuing an IPO.

Benefits

  • Increased access to capital. An IPO can offer a massive influx of capital, enabling substantial, accelerated growth.
  • Greater visibility. Going public can improve a tech company’s market visibility and credibility, which can in turn improve brand reputation and recognition.
  • Increased liquidity for shareholders. An IPO allows early investors to cash out, while stock options remain an incredibly attractive incentive for many employees, even during times of market volatility. The stock options unlocked by an IPO can be key to attracting and retaining top talent.
  • Access to a market valuation. Being listed on the stock market means the public markets offer a valuation of the tech company, which may be seen as more objective and credible than a privately sourced valuation.

Drawbacks

  • Greater regulatory and compliance requirements. Publicly traded tech companies are subject to more regulatory and compliance requirements than their privately owned counterparts, and the transition to a publicly traded company can cause compliance costs to skyrocket. Public companies also face scrutiny from regulatory bodies like the SEC. Any mistake, like a reporting misstatement, is highly public and can damage the company’s reputation — and stock price.
  • Less control. Public tech companies must answer to shareholders and regulators, impacting how much control a founder will have over their company. Founders also often find they have less control over their finances after going public, as the IPO process can “lock up” their cash.
  • Vulnerability to market volatility. Market conditions and other external factors can cause stock prices to fluctuate, whereas private company valuations are more insulated from such forces.
  • Increased disclosure requirements. Public tech companies have additional disclosure requirements, which means competitors will have access to more information about the company. This dynamic could impact a company’s competitive advantage in the marketplace.

Are You Asking the Right IPO Questions?

Preparing for an IPO means investigating every aspect of your business. Asking the right questions will help you see beyond the obvious to gain an in-depth understanding of how investors will think about your company and how you can set yourself up for success throughout the IPO process.

Ready to get started?

Read This IPO Checklist

Stage 1

IPO Readiness Assessment

A readiness assessment can help you identify gaps or issues that could prevent your organization from successfully operating as a public company. For most tech companies, the readiness assessment will uncover substantial changes required to facilitate a transition to a public company, such as implementing more robust internal controls or developing specialized accounting capabilities in house. BDO recommends clients assess readiness in the following key areas:

  • Accounting & SEC reporting
  • Tax
  • Risk
  • Technology
  • Operations
  • People
  • Financial planning & analysis

Common Pitfalls:

  1. Failure to develop a compelling story. Before a leader even considers pursuing an IPO, they need to create a narrative that gets potential investors excited about the future of the company. They must define success, determine what metrics will be used to track it, and put systems in place to measure and report on progress. These steps are key to securing investor interest and confidence. Common success metrics for tech companies include annual recurring revenue (ARR), customer retention, the Rule of 40, customer acquisition costs, daily active users, and monthly active users.
  2. Overestimating existing resources. Tech companies often fail to understand what resources they already have and what resources they still need to secure. For example, pursuing an IPO requires specialized skills related to investor relations, treasury, income tax, technical accounting, SEC reporting, and internal controls, which most private tech companies don’t have in house. Failing to conduct a proper resource assessment can lead to a delayed IPO filing, as the company will have to make up ground and secure those resources later.
  3. Lack of IPO experience. As they prepare for an IPO, tech founders should prioritize building a leadership team that includes professionals who have experience taking tech companies public. IPO veterans can help guide the rest of the team through the process while identifying and addressing potential issues before they happen.
  4. Relying on private-company experience. Private tech company founders sometimes underestimate the depth and breadth of the requirements that come with going public. They may even make the mistake of believing that a private company approach will be sufficient post IPO. Instead of relying on what they already know, founders must continuously assess their policies, procedures, and governance structures and compare them to public-company requirements to identify and proactively address gaps.
  5. Failure to protect intellectual property (IP). IP is a major asset for many tech companies and can significantly impact their valuations. Before tech leaders take their company public, they must assess their current protections and deploy tactics like developing a strong patent portfolio to ensure their IP is secure.

Stage 2

Roadmap and Program Management

Once you understand your current state, it’s time to develop a roadmap to guide your transformation from a privately held company to a public company. A strong roadmap will require input from numerous people and functions across the company, as well as reasonable estimates around the time and effort required to meet your objectives. Effective program management is critical to developing your roadmap as quickly and efficiently as possible.

Common Pitfalls:

  1. Underestimating timelines. Tech leaders often underestimate the time needed to prepare a company for an IPO, which can take as long as 18-24 months. A successful transformation depends on a realistic and carefully planned timeline. Attempting to rush the process can lead to expensive and public mistakes like financial misstatements.
  2. Missing inputs. A successful IPO process relies on participation from the full organization. Failing to include specific departments or professionals in the roadmap stage can lead to process gaps that later derail progress. For example, failure to include IT in the roadmap stage can lead to errors when it comes time to upgrade or rationalize back-office technology in advance of the IPO filing.
  3. Lack of a change management plan. Poor change management can lead to unnecessary disruption. For example, lack of a change management plan can create employee discontent during the transition, causing the company to lose key talent and disrupting operations at a crucial juncture.

Stage 3

March to IPO

At this stage, your goal is to get ready for the IPO filing, which entails executing your roadmap to prepare your organization to operate as a public company. This is also the point at which you will begin preparing for the IPO filing process itself, including selecting an underwriter, pricing the IPO, and conducting a roadshow.

Common Pitfalls:

  1. Failure to build a strong financial foundation. Tech companies preparing to go public need to review their financial statements to verify they are accurate, audited, and up to date. Many tech leaders opt to review three years of financials, even if regulations allow for fewer, to help bolster investor and regulator confidence. Failure to build a strong financial foundation can delay SEC filings, which may impact filing status and result in expensive fines.
  2. Inadequate pro forma reporting plans. Tech company leaders must vet their post-IPO reporting plans against SEC reporting rules to ensure they will meet all relevant requirements. They must also design a comprehensive reporting process, building in checks and balances to ensure all numbers are accurate.
  3. Misaligning compensation structures. As tech leaders revisit their compensation structures, they must make sure that compensation plans don’t conflict with shareholder interests. For example, option-based compensation for CEOs can encourage excessive risk-taking behavior that may damage customer relationships and firm performance, decreasing shareholder value.
  4. Skipping the trial run. Tech companies should practice operating like a public company before filing for an IPO. This trial run can help uncover hidden or overlooked issues like a lack of uniform controls and reporting policies. Companies that skip the trial run often find themselves surprised by requirements and challenges post IPO, which can take significant time and money to address.

Stage 4

Post-IPO Support

After the IPO has been filed, it’s time for your tech company to start operating as a public company. At this stage, you need to ensure you are delivering on your promises, managing expectations with your new shareholders, and meeting your new reporting requirements as a public company.

Common Pitfalls:

  1. Lack of forecasting capabilities. As private companies transform themselves to prepare for an IPO, they need to adopt strong revenue forecasting capabilities. Unfortunately, newly public tech companies often struggle with revenue forecasting, which can cause investor distrust and reputational damage.
  2. Failure to maintain investor relations. Investor expectations will expand after going public, as shareholders await regular updates on company performance. Failing to build strong relationships with investors through proactive, comprehensive communication can breed mistrust.
  3. Failure to manage the cultural shift. When private tech businesses transition into public companies, a major cultural shift often follows. Failure to manage that shift correctly can lead to employee dissatisfaction and talent retention issues.
  4. Poor internal controls. Once a tech company goes public, it will have to comply with new reporting requirements and regulations, notably Sarbanes-Oxley (SOX). Prior to filing the IPO, the company should have all necessary internal controls in place — without them, the company may experience issues like material misstatements that can negatively impact stock price.

How MGO Can Help

There’s no question that going public is an exciting “next step” in your company’s evolution. With an IPO comes additional opportunities to transform the business, but it can also come with more challenges. MGO’s team is here to support you at every stage, from IPO planning and readiness assessments to execution and post-IPO acquisition services.

With today’s rapidly evolving technology, you want to stay at the forefront of developing products that transform how we work, think, and engage with the world. Reach out to our Technology team today to find out how we can help you achieve your goals.


Written by Hank Galligan and Jim Clayton. Copyright © 2024 BDO USA, P.C. All rights reserved. www.bdo.com

Essential IPO Questions: Your Comprehensive Checklist https://www.mgocpa.com/perspective/essential-ipo-questions-your-comprehensive-checklist/?utm_source=rss&utm_medium=rss&utm_campaign=essential-ipo-questions-your-comprehensive-checklist Tue, 25 Jun 2024 15:05:00 +0000 https://www.mgocpa.com/?post_type=perspective&p=1241

The post Essential IPO Questions: Your Comprehensive Checklist appeared first on MGO CPA | Tax, Audit, and Consulting Services.

Key Takeaways:

  • Proactive planning means focusing on the “how” instead of just the “what” — turning basic questions into actionable strategies for effective implementation.
  • An ecosystem perspective involves considering the broader impact on third-party stakeholders to ensure the entire supply chain is prepared for going public.
  • Holistic risk management requires cross-functional collaboration to coordinate risk mitigation, enhancing organizational resilience against new public company risks.

Preparing for your initial public offering (IPO) means investigating every facet of the business — not only to obtain the best possible valuation, but also to make the changes necessary to operate as a public company and achieve long-term growth. Asking the right questions can help you see beyond the obvious, illuminating factors you may have otherwise overlooked and setting your organization up for post-IPO success.

Here are five ways to take common IPO questions from a basic 101 level up to a more advanced 201 to deepen readiness and unlock new value.

IPO Checklist: 5 Ways to Level Up Your IPO Questions

1. Ask “How”, Not “What”

Don’t plan passively. Approach key questions in a way that mandates proactive action rather than reactive changes. A seemingly small alteration — a “how” instead of a “what” — can transform a basic inquiry into a forcing function that spurs teams to take concrete steps.

  • 101: What new reporting obligations will we face as a public company?
  • 201: How can we resource and connect our finance, IT, and legal teams to meet new reporting requirements on time and without misstatements?

While the 101 question can establish new reporting needs and responsibilities, the 201 question goes further, pushing leaders to actively plan toward these goals.

2. Think About Your Ecosystem, Not Just Your Organization

Going public brings scrutiny from new stakeholders, such as boards, shareholders, and regulators. It is no longer enough for leaders to focus on their organization alone. Instead, they must broaden their perspective to consider the effects of all changes — new regulations, reporting requirements, cybersecurity risks, and more — on their third-party ecosystem.

  • 101: What new laws and regulatory bodies apply to our business as a public company?
  • 201: Are we prepared to validate that our third-party providers, in addition to our own organization, are complying with any new requirements?

Answering the 201 question requires looking beyond the organization to consider the risks posed by third-party partners. Financial institutions, for example, will need to verify that any third-party service providers comply with existing consumer protection laws under Dodd-Frank.

Cutting across all industries, the Securities and Exchange Commission (SEC) adopted new rules in 2023 requiring public companies to disclose any material cybersecurity intrusions or breaches, as well as information about their cyber risk management, governance, and security. Companies pursuing an IPO must prepare to comply with these new requirements themselves and be ready to validate that any third-party providers can also remain compliant.

3. Adopt a Holistic View of Risk

Effective risk management requires cross-functional cooperation and communication. No matter the business area — cybersecurity, operations, supply-chain management — identifying risks is not enough; nor is simply naming the strategies to mitigate risks.

  • 101: What new risks are most relevant to our business as we prepare for operations as a public company?
  • 201: What is each department’s risk mitigation responsibility, and where are there opportunities for coordination?

Every department has a role to play in risk mitigation. Clearly defining those roles and the interconnections between them can build resilience in the lead up to an IPO and help companies adapt to new risks after going public.

4. Move from the Abstract to the Specific

Tailoring approaches to specific objectives will help you manage more variables and define what kind of public company you want to be. Whenever possible, leaders should design questions to address specific challenges, rather than using general terms.

  • 101: Who are the new stakeholder audiences (e.g., board members and regulators) with whom we need to establish communications as a public company?
  • 201: How will we communicate with board members, shareholders, and regulators? What tools, channels, and reporting structures will we build?

The 101 question identifies an important consideration, but it stops there. The 201 question addresses finding and filling in the gaps. You can use what you know to pave the way toward learning what you don’t.

5. Think About Your Price on Day 100

The IPO is not an end-state; it is the beginning of a new chapter. Every action taken in service of a public offering must also include a path to further growth.

  • 101: How do we obtain the best possible valuation for our company?
  • 201: How can we leverage our momentum to improve our valuation 100 days after going public?

The 101 question speaks to an important need, but its focus is limited. Success as a public company demands growth beyond the IPO event. Asking the 201 question can help you embed a future-focused mindset into all planning decisions. The day one valuation matters, but so does valuation on day 100 — and beyond.

How MGO Can Help 

Navigating the complexities of an IPO requires guidance and a comprehensive strategy. MGO’s Transaction Advisory Services team supports you throughout the process, from proactive planning to risk management, so that your entire ecosystem is ready for the transition. Reach out to our team today to discover how MGO can help you achieve your long-term growth objectives and post-IPO success.


CFOs and CISOs: Boost Your SEC Cybersecurity Compliance with These 5 Best Practices https://www.mgocpa.com/perspective/cfos-and-cisos-boost-your-sec-cybersecurity-compliance-with-these-5-best-practices/?utm_source=rss&utm_medium=rss&utm_campaign=cfos-and-cisos-boost-your-sec-cybersecurity-compliance-with-these-5-best-practices Mon, 15 Apr 2024 19:21:00 +0000 https://www.mgocpa.com/?post_type=perspective&p=1211

The post CFOs and CISOs: Boost Your SEC Cybersecurity Compliance with These 5 Best Practices appeared first on MGO CPA | Tax, Audit, and Consulting Services.

Key Takeaways:

  • New SEC cybersecurity rules require public companies to disclose material cybersecurity incidents, risk management processes, and governance.
  • Determining “materiality” of cyber incidents for disclosure is challenging and requires close collaboration between CISOs providing technical context and CFOs/executives making final determinations.
  • To comply, companies should take steps such as designating accountable leadership, adding specialized cybersecurity knowledge, and updating financial processes.

For years, chief financial officers (CFOs) could afford to be removed from the daily cybersecurity efforts led by chief information security officers (CISOs). But, with new Securities and Exchange Commission (SEC) cybersecurity rules, those days are gone.

Adopted on July 26, 2023, the SEC’s “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rules recognize cyber incidents can significantly impact public companies’ operations, finances, and reputations. The requirements push companies to be more transparent and accountable about cybersecurity.

While compliance with these rules falls squarely on publicly traded organizations, the impact extends to privately owned companies as well. If your company is a vendor or partner to public firms, you can expect inquiries and audits to verify you meet their security standards. Liabilities and risks permeate the entire supply chain.

SEC Cybersecurity Disclosure Requirements

If you are a public company, what do you need to report under the new rules? Here are the main requirements:

Cybersecurity Incident Disclosure

  • Report within four business days of determining the incident is “material”
  • Describe the nature, scope, timing, and impacts (or potential impacts)
  • Note any undetermined details at time of filing
  • Compliance required for SEC registrants as of December 18, 2023; smaller reporting companies (SRCs) have until June 15, 2024, to comply

Annual Risk Management & Strategy Disclosure

  • Outline processes to identify, assess, and manage material cyber risks
  • Explain how these processes integrate with overall risk governance
  • Detail impacts from previous material incidents
  • Disclose use of third-party security consultants/auditors and procedures
  • Compliance required for all registrants (including SRCs) beginning with annual reports for fiscal years ending on or after December 15, 2023

Annual Governance Disclosure

  • Describe board oversight and committee responsibilities for cyber risk
  • Identify management roles accountable for cybersecurity programs
  • Specify escalation protocols to board/committees on cyber issues
  • Compliance required for all registrants for fiscal years ending on or after December 15, 2023

Determining Cybersecurity “Materiality”

A central tenet of the SEC guidelines is the “materiality” concept regarding incident reporting. Essentially, cybersecurity events are considered “material” and require disclosure if they could sway investment decisions or shareholder votes. Think of materiality as anything significant enough to concern your board and executive team.

The tricky part is that materiality determinations do not solely rest with technology and security leaders. Corporate officers and boards make the ultimate call, despite often lacking full context into security event ramifications on financials and operations. Bridging this disconnect through close CISO collaboration is critical to set appropriate disclosure thresholds aligned with your company’s true risk profile. Ideally, final decisions should also be independently verified by an outside, nonbiased service provider.

The SEC final rule also makes extensive (more than 40) references to “third party” impacts. A breach or attack affecting a key vendor could very well represent a material event for your organization that necessitates SEC disclosure. Do not let third-party cybersecurity shortcomings undermine compliance.

Best Practices to Comply with New SEC Cybersecurity Rules

While no one-size-fits-all checklist exists, your company and relevant vendors should consider these best practices on the path to cybersecurity rule compliance:

1. Designate Accountable Leadership

Empower specific business leaders as security program owners, not just technical teams. These individuals need to establish clear reporting and communication between security operations and the board/C-suite. Executive working sessions focused on cybersecurity scenario planning are also advised.

2. Add Cybersecurity Knowledge

The rules do not explicitly require it, but it is wise to have dedicated cybersecurity oversight at the board level. Bringing in third-party advisors can help boards understand cyber responsibilities and implement improved processes. This knowledge is often lacking today despite its importance.

3. Update Financial Processes

The speedy 8-K cybersecurity incident reporting necessitates updates to disclosure management procedures. Public companies should already have 8-K drafting processes, so adjusting for cyber specifics presents a modest lift. The key is removing bottlenecks to rapidly describe incident details.

4. Dedicate Compliance Resources

CISOs in many companies oversee skeletal teams lacking the bandwidth for major initiatives like interpreting new regulations, implementing new disclosure processes, conducting risk assessments, and more. Ensure your team has the resources needed to achieve compliance.

5. Build Cybersecurity Culture

Equip your leadership team, board, and financial executives with a comprehensive understanding of cyber risks and disclosure nuances. Implement ongoing education and guidance programs to keep them well-versed in cybersecurity threats, response procedures, and the latest developments in the field.

How MGO Can Expedite Your Compliance Journey

The SEC cybersecurity rules are a wake-up call to take cyber preparedness as seriously as any other existential risk to your organization. Let our team of security, financial, and regulatory professionals guide you toward proactive, comprehensive compliance. Reach out today to discuss your roadmap.

How to Elevate Your IPE Documentation to Optimize SOX Compliance https://www.mgocpa.com/perspective/how-to-elevate-your-companys-ipe-documentation-to-optimize-sox-compliance/?utm_source=rss&utm_medium=rss&utm_campaign=how-to-elevate-your-companys-ipe-documentation-to-optimize-sox-compliance Fri, 17 Nov 2023 20:53:00 +0000 https://www.mgocpa.com/?post_type=perspective&p=1485

The post How to Elevate Your IPE Documentation to Optimize SOX Compliance appeared first on MGO CPA | Tax, Audit, and Consulting Services.

Executive Summary:

  • The Sarbanes-Oxley (SOX) Act established stricter financial reporting requirements for public companies, leading to increased scrutiny of Information Produced by the Entity (IPE).
  • IPE carries different levels of risk depending on whether it is system-generated or manually prepared. Strong documentation is key to validating the completeness and accuracy of IPE.
  • Best practices for IPE documentation include identifying the source, parameters, and format of reports; validating totals and counts; retaining screenshots; and having knowledgeable reviewers.

Passed by Congress in 2002, the Sarbanes-Oxley (SOX) Act revolutionized public company audits by introducing financial reporting requirements aimed at increasing transparency and preventing fraud. Most notably, the SOX Act established the Public Company Accounting Oversight Board (PCAOB), a nonprofit organization that oversees the audits of public companies to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports.  

The PCAOB refines its auditing standards annually and, in recent years, the organization has placed greater scrutiny on the work of external auditors. To keep up with PCAOB compliance, external auditors have imposed more rigorous documentation requirements on companies. As a result, companies have felt pressure to provide more expansive Information Produced by the Entity (IPE).

If external auditors have applied greater scrutiny on your reporting, you may be wondering: What level of documentation is sufficient? How can you improve your documentation to avoid deficiencies and provide greater clarity? In this article, we will discuss: 1) what IPE is, 2) the risks associated with different IPE, and 3) how to document your IPE thoroughly.

What Is IPE?

IPE is any information created by a company used as part of audit evidence. Audit evidence may be used to support an underlying internal control or as part of a substantive audit. Although there are documentation and risk severity differences between system-generated and manually prepared IPE, the fundamental questions that need to be addressed are the same:

  1. Is the data complete?
  2. Is the data accurate?

Risk Levels of Different IPE

Here is an overview of how risk levels vary for different types of information you report to auditors:  

Low Risk

“Out of the box” reports carry the lowest risk. These reports are also referred to as “standard” or “canned” reports. Standard reports have been developed by software companies — such as Oracle NetSuite, QAD, or SAP — as part of their enterprise resource planning (ERP) systems. Typically, the end user (you) and even your IT team cannot modify these reports. Given the constrained editability, greater reliance is placed on these reports.   

Medium Risk

Custom reports are typically driven by the business team and developed in-house by your company’s IT team. When your company’s ERP system does not have a report that would provide sufficient data, the in-house developers create a custom report. The IT team follows their change management process when developing the requested report. If the report results do not align with your business team’s expectations, the query is refined, and the process is repeated until they do.

High Risk

A manually prepared workbook or an ad-hoc query is inherently the riskiest type of documentation. A manually prepared workbook may be a debt reconciliation prepared by your staff accountant, or a list of litigations the company is involved in drafted by your legal department. Given that these are manually drafted, the margin of error may be high.

An ad-hoc query is considered high risk since the report is not subject to IT General Controls (ITGC) testing. The end user may input any parameters to generate the report. Since no control testing is performed by your company, external auditors would need to rely on their own IT team to vet the nonstandard query. 

How to Document IPE

Your documentation will vary to a certain degree depending on whether the IPE is manually prepared or system generated. In either case, it is important to be as thorough as possible when documenting your procedures.

Manual IPE

For a manually prepared workbook, provide thorough documentation about the origins of the data. It is ideal to have someone who is privy to the information review the workbook.  

When the reconciliation is comprised of debt instruments, the reviewer should do the following:   

  1. Match the list of individual debt instruments to the signed agreements.
  2. Validate the reconciliation and each individual schedule for mathematical accuracy.
  3. Confirm ending principal balances with creditors (where possible).

If the list consists of litigations compiled by the legal department, the reviewer should do the following:   

  1. Send confirmations to outside counsel (where possible).
  2. Obtain a list of commitments and contingency journal entries made to an accrual.

These additional steps provide greater comfort that the list compiled is complete and accurate.   

System-Generated IPE

For system-generated IPE, there are a handful of questions to keep in mind:   

  1. Have you identified the report or saved search that was used?
  2. What parameters were used to generate this report?
  3. In what format is the data exported?
  4. After you run your report and confirm the parameters are correct, what format should be utilized for your export?

Exported Data

Most ERP systems allow the exporting of data in the following four formats:   

  1. PDF (portable document format)
  2. Excel
  3. CSV (comma-separated values)
  4. Text file

One major drawback of Excel, CSV, and text files is that, by their nature, they are editable upon export. An additional drawback of a text file is that it does not contain formatting. As the volume of data grows, proving out the completeness and accuracy becomes more challenging. For these reasons, a PDF export is typically preferred.

After the data is exported in one of the four formats, you want to ensure that it agrees back to the system (completeness and accuracy). Here are a few ways to do that:     

  1. Does the exported data have dollar amount totals? If so, agree the total dollar amount to the system.  
  1. Does the exported data have hash totals? An example of a hash total is the total of employee ID numbers, which in aggregate has no real value other than providing confirmation that the data is complete and accurate.
  1. Does the report have a total line count? If totals are not available, line counts may be used. However, it is important to note that while the line count may agree, the data itself could have still been inadvertently manipulated.  
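The three checks above can be scripted for a CSV export. The following is an added example, not part of the original article or any MGO tooling; the column names, sample rows, and system totals are constructed assumptions. It shows that a line count can agree while the hash total or dollar total exposes a changed record.

```python
import csv
import io
from decimal import Decimal

# Constructed sample: control totals as read from the ERP report footer or
# screenshot (dollar total, hash total of employee IDs, line count).
SYSTEM_TOTALS = {"amount": Decimal("4650.75"), "hash": 3309, "lines": 3}

# Constructed sample export (column names are assumptions).
CLEAN_EXPORT = """employee_id,amount
1001,1500.25
1102,2150.50
1206,1000.00
"""
# Same line count and same dollar total, but one employee ID was changed.
ALTERED_ID_EXPORT = CLEAN_EXPORT.replace("1102", "1120")
# Same line count and same IDs, but one amount was changed.
ALTERED_AMOUNT_EXPORT = CLEAN_EXPORT.replace("1000.00", "1900.00")


def export_totals(csv_text):
    """Recompute the three control totals from the exported rows."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return {
        "amount": sum((Decimal(r["amount"]) for r in rows), Decimal("0")),
        "hash": sum(int(r["employee_id"]) for r in rows),
        "lines": len(rows),
    }


def reconcile(csv_text, system_totals):
    """Return the names of control totals that do not agree to the system."""
    actual = export_totals(csv_text)
    return sorted(k for k in system_totals if actual[k] != system_totals[k])


if __name__ == "__main__":
    for name, text in [("clean", CLEAN_EXPORT),
                       ("altered id", ALTERED_ID_EXPORT),
                       ("altered amount", ALTERED_AMOUNT_EXPORT)]:
        print(name, "->", reconcile(text, SYSTEM_TOTALS) or "agrees")
```

Amounts are parsed as `Decimal` rather than `float` so that the recomputed dollar total agrees to the system figure exactly, to the cent.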

Screenshots of Data

Retaining screenshots is imperative for documentation. A detailed screenshot should include some (if not all) of the following:  

  1. Totals (dollar amounts, hash amounts, etc.)   
  1. Line count
  1. Parameters utilized 
  1. Time and date stamp 

The first three items validate the completeness and accuracy of the exported data. The fourth item confirms when the report was run and if it was timely. There are many reports that are point-in-time and may not be recreated at a future date. Knowing the constraints of the reports you use is important. Retaining screenshots cannot be overemphasized, especially for point-in-time reports.   

Certain ERP systems or online portals do not provide a preview of the report prior to the export. This puts a constraint on the validation of completeness and accuracy, as it inhibits screenshots from being taken. In this case, as part of the review, the reviewer should re-run the report and validate that the original report used matches the information in the re-run report.

Strengthen Your SOX Compliance by Implementing Best Practices  

There is no perfect science to IPE documentation. But the end goal is to be as detailed as possible. By simply focusing on the fundamental questions and ensuring that your documentation addresses them, your documentation will inevitably improve.

Developing best practices for your team is the cornerstone for any successful audit. Ensure you have the right guidance to make it happen. Our Audit and Assurance team can tailor a SOX environment to meet your needs. Contact us today to learn more.
