Intelligize Data: Large Filers Struggling with Internal Controls After Going Public

It has been more than 20 years since Congress passed the Sarbanes-Oxley Act in response to a rash of turn-of-the-century accounting scandals. But unlike those choker necklaces and Nickelback CDs you’re holding onto from the era, SOX remains relevant today. Every new wave of public companies must learn to comply with SOX guidelines aimed at beefing up internal controls over financial reporting. A recent Deloitte report asserts that for newly public companies, that can be a painful process.

We dove into the Intelligize platform and found that the data bears out that claim. If that doesn’t surprise you, this might: large public companies are having a rougher time of it than their smaller counterparts. In fact, in a review of filings from 560 domestic non-SPAC companies that went public in 2020-22, large accelerated filers reported weak internal controls at a rate (17%) more than five times higher than smaller reporting companies (3.3%).

Across all 560 companies in our sample, 7.7% have disclosed material weakness in their internal controls. That’s more than twice the rate of the 353 smaller reporting companies we studied. Emerging growth companies beat the overall average as well; only 4.7% of the 378 “EGCs” in our sample reported material weaknesses. (For those doing the math: smaller reporting companies and EGCs are overlapping groups.) The relatively low numbers for EGC should perhaps be expected, as ECGs are exempt from certain SOX-related compliance burdens, including the requirement for an “independent auditor attestation of management assessment of its ICFR.”

Regardless, the collapse of Silicon Valley Bank, which had many venture-backed clients, has focused attention on the lack of financial controls at emerging companies. One industry expert says that 80% of early-stage companies lack a CFO. That sounds like a problem. But our finding that 17% of large accelerated filers have reported weak internal controls suggests that the problems may be even greater at the large end.

So where are these companies falling down? The Deloitte report identified five “pain points” that newly public companies experience in attempting to comply with SOX. Perhaps the least intuitive of those is getting the right IT in place. The report says: “Companies should not underestimate the importance of a sustainable and reliable IT infrastructure to support operational needs and financial reporting requirements.”

But some, apparently, have. In a 10-K filed in March, Compass Inc. acknowledged that it lacked “sufficient oversight of activities related to internal control over financial reporting,” and attributed that, in part, to its failure to “design and maintain effective controls over information technology, or IT.” After going into some detail on its IT deficiencies, including inadequate “user access controls,” Compass noted that its various IT shortcomings, “in the aggregate constitute a material weakness.” Likewise, in a 10-K from December, Weber Inc. also disclosed that it failed to “maintain adequate user controls” for its “financial IT applications, programs and data.”

Other companies have pointed to issues that Deloitte did not specifically identify. Goldenwell Biotech Inc., for instance, noted the fact that its board of directors does not have a majority of independent or outside members, and characterized that as a deficiency in its internal controls over financial reporting.

Regardless of the particular weakness, the companies reporting them can only hope that they are more passing fad than long-lived pain—more Nickelback, that is, than Springsteen.