Page 60 - Initial Public Offering - An Introduction to IPO on Wall Street
of internal initiatives to ensure compliance with regulations and laws, the CCO should
establish, interpret and track the relevant metrics.
The CCO should also make sure that principles (and ethical decision-making) are a major part
of daily business meetings, that there is a system in place to address the dynamic and rapidly
changing regulatory climate, that sufficient enforcement skills are incorporated as needed in
every role, and that staff see enforcement as part of the activity/tasks they perform each day.
4.3.10 Internal Audit
Organizations preparing for an IPO must consider the requirements for an internal audit
function.
A public corporation, regardless of sector, would usually require the following:
Policies and procedures to help senior leaders to better define, analyze and handle risk;
Risk prioritization procedures and frameworks, and allocation of resources on a risk-rated
basis;
Formal lines of contact to the board concerning regulation, risk and risk control problems;
Systems for disclosure of risk to the public; and
A structured infrastructure for enforcement, compliance policy and associated reporting.
Setting up a structured internal audit function is a valuable way to assess the risk, enforcement
and control climate of a business in light of the current requirements facing it.
Although a formal internal audit function is currently a prerequisite only of the New York Stock
Exchange (NYSE), risk, controls and enforcement are key drivers of sustainable development,
providing businesses with the resources to meet investor, consumer and regulatory demands
and enhance risk management and operational performance.
In the C-suite, the enhancement of risk management systems and procedures begins with the
board enforcing its supervisory role by asking management to consider all applicable risks and
then seek confirmation that those risks have been adequately handled.
Risk management flows from there into the organization, where it is monitored by the different
risk and compliance roles of the firm, which may include IT, internal audit, SOX, legal, etc.
Coordination among these roles is important. When the various strands of the governance, risk,
enforcement and internal audit initiatives of an organization are drawn together into a cohesive
structure rather than working in silos, the outcome is not only greater productivity and efficacy,
but also the opportunity to align processes, people and culture with the strategic goals of management.
In most pre-IPO organizations, risk mitigation, controls and compliance procedures are likely
to be already in place at some stage, but may not be formalized or adequately rigorous to meet
the criteria imposed on public companies.
Therefore, a business planning to go public would need to improve its risk, controls and
enforcement and internal audit mechanisms, while prioritizing the most important persons,
procedures and technologies as it traverses the IPO procedure and embraces its new obligations
as a public entity.
Another solution is to subcontract all or some of the internal audit and/or enforcement
processes of the company, including SOX compliance, to rapidly get things up and running
and to be able to optimize post-IPO internal audit and compliance capacity.