Public Company Readiness: Going Public. Being Public

Key Highlights for Finance Functions

Here are the recurring pressure points related to public company readiness and how you can think about them:

PCAOB audit “uplift” procedures cannot be underestimated

PCAOB “uplift” audit procedures are one of the most common IPO schedule risks.  If your historical audits were performed under AICPA standards, your external auditor will need to re-evaluate materiality and typically need to perform incremental substantive audit procedures in order to issue an audit opinion under PCAOB standards.  You’ll also need to consider accounting standards applicable to public companies to ensure those are adopted in accordance with the public-company effective dates (even if not required for non-public entities).  Additionally, private-company accounting alternatives that may have been adopted previously may need to be “unwound” in order to comply with public company financial statement requirements.  

Auditor independence could be a hidden roadblock

Given SEC/PCAOB independence rules are more restrictive than AICPA rules, if your auditor provided certain non-audit services in the past (even if years ago), they may not be considered independent under SEC/PCAOB requirements.  If this occurs, the financial statements of the impacted periods will need to be re-audited by a different external audit firm.  Management needs to ensure that it has visibility into non-audit procedures being performed by the external audit firm, that the auditor has performed its procedures to determine its independence under SEC/PCAOB standards and both are in lock-step as it relates to ensuring that performing future non-audit services will not impair independence under SEC/PCAOB standards.

Compliance with SEC/PCAOB independence rules gets more complicated in private-equity backed and cross-border structures because it applies to non-audit services not just for the U.S. entity, but across a broader “audit client” perimeter—often including controlled affiliates, sister entities, funds/portfolio companies, and foreign components.

KPIs must be “filing-grade,” not “board-deck-grade” and don’t use non-GAAP measures as your creative outlet

ARR/NRR/churn/bookings/usage are powerful—but they aren’t standardized like GAAP. The SEC’s 2020 interpretive guidance on KPIs/metrics in MD&A effectively sets the playbook: define the metric, explain how it’s calculated, why it’s useful, how management uses it, and disclose changes in methodology (with comparability context).

• “Adjusted EBITDA” (and related cousins) can be valuation-relevant, but it’s also a consistent SEC focus area as the SEC sets a high standard for emphasizing non-GAAP measures which by definition depart from accepted standards. Start with a written non-GAAP measure policy grounded in SEC rules/interpretations—especially prominence, reconciliation to GAAP, and consistency across documents.

Practical consideration: Compare KPIs to those of peer companies and treat KPIs like a subledger—dictionary, calculation workpapers, tie-outs to source systems, and change control. As it relates to non-GAAP measures, if an adjustment is “recurring enough to budget for,” assume it will be challenged.

Public company cadence: close and narrative must run on a clock

Public company readiness is also the ability to close fast enough to file and to explain “the quarter” without re-cutting the story. That means a close calendar, flux analysis playbooks, and KPI-to-GAAP bridges that can survive diligence and earnings Q&A and allow time for your external auditor to complete their review/audit procedures prior to your filing deadline.  Taking stock of systems, embracing artificial intelligence and technology and having a short-term as well as longer-term strategy will be a critical step in this process. The first few quarters set the reputation.

Consideration:  Ask yourself, “If we had to issue an earnings release and file a 10-Q in the next cycle, could we produce a tied-out earnings package —numbers, variance story, consider updated risks, and Form 10-Q and obtain sign off from our external auditor prior to t our filing deadline?  Further, can we do this in a repeatable fashion?”  Validate this by doing a trial run or two (or more) before the IPO.

For a company expecting to go public as a EGC/non-accelerated filer, a timeline of key financial reporting activities might look like the following (with quarter end being D 0):

Cyber disclosure mechanics: Finance needs to be in the loop

Cyber is no longer a generic risk factor exercise. SEC rules require (i) governance/process disclosure (Item 106 in Form 10-K) and (ii) incident disclosure on Form 8-K Item 1.05—generally due within four business days after determining an incident is material. This applies to incidents within the company as well as third party service providers utilized by the company if the incident affects your company in a way that could be material.

Practical consideration: run a tabletop that ties Security → Legal → Disclosure Committee → Finance (quantification and documentation).

Public company corporate governance and policies – don’t wait

This isn’t usually the hardest workstream—but it’s one of the easiest to let slip onto the critical path, because it requires the right people, formal decision rights, and repeatable processes—not just documents.  For companies contemplating an IPO, governance readiness is about getting to a Day-1 public-company operating model—board/committee structure, policies, and oversight processes that can run on a quarterly disclosure clock. On the NYSE, a key gating item is the requirement to maintain an internal audit function that provides ongoing assessments of the company’s risk management processes and system of internal control (it can be outsourced, and IPO issuers generally have a one-year transition period). In parallel, SEC rules require companies to describe the board’s role in risk oversight, so governance and risk oversight need to be real—not boilerplate.

Practical consideration: Treat governance like infrastructure, not paperwork. If you build it early, it’s rarely the pacing item. If you wait until the S-1 sprint, it can compete with (and slow) the audit, controls work, and S-1 drafting—all at the worst possible time.

ICFR/SOX readiness: evidence is the product

Pre-IPO companies often have controls in spirit, but not in evidence. The gaps show up in management review controls (no formal thresholds/precision or evidence of resolution of potential outliers), spreadsheets driving key numbers without governance, and IT-dependent controls without report integrity (logic/access/change) or controls over relevant data elements. With IT-related processes and controls prioritized in PCAOB inspections, auditors are likely to zero in on this.

Emerging Growth Company (EGC) status can defer the auditor ICFR opinion, but it doesn’t remove the need to build a sustainable control environment.  Recall that management ultimately has to assess ICFR annually even before the auditor is required to evaluate. And while some management teams can “live with” a material weakness disclosure, it still hard-codes an “ICFR ineffective” conclusion—often increasing diligence, audit effort, and the cost of credibility.

Practical consideration: Start with a top-down, risk-based approach.  Identify significant accounts/disclosures and relevant assertions.  One may want to start with a focus on order-to-cash integrity (contracts → billing → revenue → KPI reporting) as this represents the primary source of late-stage issues.   Also consider overall IT controls (e.g. key reports, access/change management) and areas that may involve significant judgements and estimates to be made by management.  Finally, areas that involve fraud-risks (e.g. management override of internal control, certain aspects of revenue recognition, etc.) should be evaluated.

For additional information related to common internal control deficiencies identified by newly public companies, click here.

IPO PMO and Interim Capacity

IPO readiness delays usually aren’t technical—they’re coordination breakdowns. The workstreams (audit uplift, ICFR/SOX, KPI governance, S-1 drafting, cyber disclosure readiness, etc.) are individually doable, but the IPO stalls when no one owns critical path, decision rights, and cross-functional dependencies. That’s the role of an IPO project management office (PMO).

Also keep in mind that day-to-day responsibilities (billing, collections, close, audit, tax, board reporting, etc.) all continue.  Without surge support, companies are more likely to either miss timelines or cut corners creating issues that surface later and require re-work or result in control deficiencies, late adjustments, or credibility hits.

Practical consideration: Consider whether there is capacity in the right roles – think controllership, SEC reporting lead, SOX/ICFR lead, technical accounting lead, KPI/RevOps analytics, and financial close optimization— and whether the current team can remain focused on their “business as usual” responsibilities such as running the business, monthly close, forecasting, board reporting, etc. and whether they have the appropriate capacity and expertise for the IPO-related efforts.

Don’t forget that the incremental requirements of being a public company don’t end with the IPO. You’ll want to ensure there is appropriate resource capacity and expertise post-IPO.

How Virtas Can Help

Virtas has significant experience with controllership, SEC reporting, internal controls and project management office execution as well as enterprise risk management and internal audit function design.  We can help teams build a repeatable “public-company finance operating system” across accounting, internal controls, information technology and internal audit.

Virtas has extensive expertise in technical accounting and financial reporting. We work alongside your team to ensure complex transactions, policies, and disclosures are properly assessed, documented, and communicated.