The special purpose acquisition company (SPAC) has become a popular vehicle for taking private companies public. The SPAC odyssey launches with a Form S-1 SEC filing, moves at light speed through the complex process of going public, and then has 18 to 24 months to acquire its target or to merge with the target (a process known as a “de-SPAC”). For the target private company, the merger injects publicly raised capital that might otherwise come from the traditional IPO process, but with less risk from poor IPO timing or inaccurate valuations.
The SPAC has taken off in the volatile markets of the pandemic. According to research by Toppan Merrill, only 28% of IPO filings in 2019 were SPACs; in 2020, that percentage jumped to 62%, and the trend continues in 2021.
The rise of the SPAC places a spotlight on compliance requirements for newly public companies. The most arduous compliance demands come from the Sarbanes-Oxley Act, as explained in a Toppan Merrill video primer featuring Elizabeth Epler Jones of consulting firm AXIA Partners. In her view, many IPO companies are unprepared for the compliance challenges of being public—and “what seems to trip up most companies is that they are caught [unprepared] when it comes to SOX.”
Three key stages of SOX compliance
Sarbanes-Oxley (SOX) has 11 sections, all of which pose compliance requirements. Three key sections, Ms. Epler Jones explains, warrant special attention for newly public companies:
- Section 302 requirements are effective with the company’s first 1934 Act filing (Exhibit 31 of Form 10-K or 10-Q). This section requires signed personal statements from the principal executive and financial officers of the company, certifying that financial statements have been reviewed and are materially correct. “They are accepting personal responsibility for establishing and maintaining disclosure controls and procedures and internal controls over financial reporting, that all significant deficiencies and material weaknesses have been properly disclosed, and that they are not aware of any instances of fraud,” observes Ms. Epler Jones.
- Section 906 requires a written statement from the CEO and the CFO declaring that the financial report “fairly presents, in all material respects, the financial condition and results of operations of the issuer.” The crux of this section involves the application of criminal penalties for failing to produce a report that matches these requirements. Prison time can result from any deliberate attempt to obfuscate information. “This is the first time that [the CEO and CFO] can get penalized for certifying a misleading or fraudulent report; it can be up to $5 million or 20 years in prison,” warns Ms. Epler Jones. “It’s a pretty big deal.”
- Section 404 requires annual reports to include the company’s own assessment of internal controls over financial reporting [Section 404(a)] and, typically after a company exits “emerging-growth status” as defined by the SEC, adds in the auditor’s attestation requirements [Section 404(b)]. Note that Foreign Private Issuers (FPIs) are also required to file SOX certifications in their annual reports on Form 20-F or 40-F.
When does SOX compliance hit?
Understanding the SOX-compliance timeline is key. The company’s executives and compliance team should
“understand the SOX requirements and then work backwards to give your company the most runway possible to get done what you need to get done,” says Ms. Epler Jones. Here are the major stages:
- Form S-1: The S-1 discloses all known material weaknesses. “Ideally, you start working through the documentation of your risk and controls about 12 to 18 months in advance of your S-1 filing,” advises Ms. Epler Jones. “You want to perform a round of walk-throughs. Catalog and manage your findings and make sure that everything has been appropriately communicated to the audit committee and, ultimately, in the S-1 document itself.”
- Initial Form 10-K: In addition to known material weaknesses, the first 10-K brings in a new layer of complexity around management’s certifications under SOX Sections 302 and 906, as explained above.
- First set of quarterly filings and second Form 10-K: While the Section 302 and 906 requirements continue, this stage adds management’s assessment of internal controls over financial reporting.
- Ongoing quarterly filings: In addition to management’s assessment, at this point the external auditors must give their opinion on the company’s internal controls. “This brings more work,” cautions Ms. Epler Jones. “You need to have more precise documentation. You have to do more testing. Definitely you are going to have more reporting and communication all the way around.”
Personnel involved in SOX compliance
The tentacles of SOX compliance extend throughout the company. They reach all the way to rank-and-file staff in several departments: accounting/finance, treasury, governance, IT, and HR/payroll. “These folks own the key controls,” Ms. Epler Jones asserts. “They ensure that their controls are in place and functioning throughout the year—working in the way they are described.” In her recommendation, these “control owners” in the various company departments should certify on a quarterly basis the same requirements that are eventually passed on to the CEO and the CFO.
At the next level, she suggests, the department heads should review the certifications from their teams, summarize the information, and deliver all of it to the CEO and the CFO. Ideally, the CEO and the CFO will have both the detailed and the summarized information, providing “a solid basis for making their own certifications.” As part of that process, they need to share the information with the audit committee, whose input helps the CEO and the CFO “form the basis of the actual certifications that go into the SEC disclosures.”
Ms. Epler Jones advises that companies build SOX compliance from the very start of the IPO process. Problems that persist from the S-1 filing through the first Forms 10-K and 10-Q can have a serious impact on business reputation in the capital markets at a crucial point in the company’s growth. “Your internal controls really should be one of the very first things you take into account,” she recommends. “It’s easy to do it on the front end. It’s hard to play catchup.” SOX-compliance technology, such as solutions available from Toppan Merrill, can help a company manage its compliance workflows, problem resolution, and communications. A series of blogs on this topic are also recommended. Remember: Control failures are generally repeated and, if not remedied, continue period to period.
To read the full article in Dimensions Vol. 2021, No. 2, click here.
Reach out to jump start a partnership that will bring speed, security, accuracy and efficiency to all of your complex content and communication requirements.