But before you start counting your stock options, consider the work ahead. An IPO puts a huge burden on you as CIO. Now, in addition to meeting your company's daily technology needs, you have a new priority: coordinating with the finance department and legions of auditors, inside the company and out, to ensure that your company can meet the stringent financial reporting and data security requirements of a public company. Before you know it, auditors will be questioning all your workflow processes. Some might even dive into dumpsters to make sure your employees are properly shredding sensitive data before throwing it out.
"If you thought you were under a lot of pressure before as an IT guy, [being CIO] of a public company is going to be a lot more pressure," says Kevin Sidders, managing director of investment bank Credit Suisse First Boston, who has helped roughly 50 companies go public.
That is, unless you're prepared. CIOs who have already developed a scalable IT infrastructure and are working with audit committees today for a possible IPO tomorrow have much less to worry about. Their years and months of work have prepared them not only for the offering but also for the company's expected growth in the years to come.
While hardly the answer for every company, IPOs remain one avenue of choice for firms on a growth trajectory. The IPO market isn't as hot as it once was but still shows activity, with firms raising an average of $201 million each in the 96 offerings this year as of early August, according to Renaissance Capital's IPOhome.com, a Web site that tracks IPOs. That number of deals is down 14% in 2004, though the amount of cash raised is slightly higher than last year's year-to-date average of $198 million.
CIOs of private midmarket companies should thus keep an eye on their companies' financing strategies and be prepared for what going public entails: scrutiny from investment bankers and auditors; late nights (and short attention spans) for IT staff; and supplying systems that can quickly deliver financial results, if not predict them. There's also the culture change from the world of private capital, where the company could run itself as its executives and investors pleased, to the world of public markets, where it suddenly finds that every financial event is subject to the scrutiny of auditors, regulators, financial analysts and investors.
The Pre-IPO Checklist
Auditors and investment bankers give companies an exhaustive list of what they need to explain and document before their IPO. For IT, the list includes a checklist of financial controls. Auditors also advise auditing nonfinancial reporting sys-tems, even though this isn't required.
What follows is a sample checklist. Actual lists vary by company and industry. For each item, you should be able to explain and document the following:
Architecture and DesignIT architecture. How does your system effectively manage business objectives, and how does it track key goals, success factors and other performance indicators, such as customer acquisition and the status of pending deals?
Data design. How does your system collect, analyze, assess, interpret and distribute the data your business needs to track the benchmarks above? Who gets the data, and what tools do they have to react to it?
Quality review. How do you ensure that data is correct?
Data protection. How do you ensure that only the correct people have access to the data? Explain segregation of duties, password policies, hacker prevention and so on.
Development and SupportApplication software. How did you acquire or develop your application software? For acquired software, show vendor information and terms of ownership or use. For developed software, fully document the process for developing, improving and maintaining it.
Infrastructure. How did you acquire technology infrastructure? Show vendor information and document software licensing agreements.
Infrastructure development. How do you develop and maintain policies and procedures for initiating the acquisition or development of technology infrastructure?
Quality assurance. How do you install and test application software and technology infrastructure?
Ongoing maintenance. How do you manage changes to software and infrastructure?
Management and support. How do you decide who gets what level of service? How do you manage third-party services, performance and capacity? Ensure systems security? Deal with problems and incidents?
Sources: The IT Governance Institute, the Committee of Sponsoring Organizations and various auditors
First Things First
After a company announces its intentions to go public, "The first thing I would do would be to sit down and talk to the company's external auditors," says Alex Munn, who was CIO of then-$107 million Pacer International Inc., a third-party logistics and freight transportation company in Concord, Calif., when Pacer went public in 2002. Munn is now COO.
If auditors discover shortcomings in the financial reporting process, and these problems can't be fixed quickly, the IPO may be postponed. Worse, the IPO might proceed and fetch a lower-than-expected valuation. Munn would nip that problem in the bud by asking external auditors to "give me a thorough review of the IT organization, which in turn would really be asking the auditors to tell me was I in compliance with Sarbanes-Oxley. I would like to know going into the IPO what I needed to do and what time frame I had."
Getting ready to go public and complying with the Sarbanes-Oxley Act (SOX) can be IT hell or just another event in a company's development. It all depends on how well the company -- and the CIO -- have planned ahead. Some companies grow so fast in the years and months leading up to their IPO that they figure they don't have time to start SOX compliance until after the IPO. "You've had situations where companies were playing catch-up from almost their first day as a public company," says Mark Jensen, a partner and the national director of the Venture Capital Services Group at the accounting firm Deloitte & Touche LLP.
Among other things, SOX requires companies to certify that their financial reports are accurate and complete and that they have the proper controls in place to quickly predict shortfalls and ferret out fraud. Given finance and operations' reliance on technology, much of this responsibility falls on the shoulders of the CIO.
SOX compliance can be especially challenging for mid-market companies that contract out various parts of their financial reporting to third-party vendors. In order for companies to prove they are compliant, they must also prove that their vendors are compliant.
Companies don't have to comply with the financial reporting provisions of SOX before they go public, but they must comply by the time they file their first annual report with the Securities and Exchange Commission (SEC), unless their market capitalization is less than $75 million.
As executives at public companies already know, a year isn't very long if you have a lot to do to get your house in order. Compliance isn't cheap, either -- it can cost millions -- and the longer you wait, the more it costs, since you need consultants to speed up the work.
The best way to avert these costs is to develop an IT strategy and the infrastructure to support it as a company grows, before (or regardless of) any IPO talk. "If you had a solid foundation before, the IPO shouldn't really be a life-changing event for you," says Dan Demeter, CIO and senior vice president of Korn/ Ferry International, the executive search firm.
Demeter knows from experience. He was CIO when Los Angeles-based Korn/Ferry, then a $373 million firm, went public in 1999. At the time, Korn/Ferry was integrating the IT system of its Web-based search service, Futurestep, with its main IT infrastructure to cut costs. Because of the upcoming IPO, Demeter had to show financial analysts that the company's existing IT infrastructure -- XML running on top of Microsoft SQL servers -- could serve as the infrastructure for Futurestep, too. (Originally, Korn/Ferry had allowed Futurestep to establish its own IT systems.) "Analysts come in and check you out. Everybody wants to make sure the technology is up to par," Demeter says. "The analysts told me they want to make sure that [IT] is never going to be a problem." He assured them it wouldn't be.
When the time came, compliance wasn't either (SOX didn't exist in 1999). Thanks to Demeter's decision to design financial software that could produce sophisticated financial reports even before they were legally required, it wasn't hard to comply with SOX after it became law. "We really didn't have that much to do in terms of preparation because we already had the solid foundation," Demeter says.
To build that foundation, a CIO must understand the financial reporting process, and the role that SOX plays in certifying financial results. Under SOX, both the CEO and the CFO must personally certify that their company's financial reports are true and accurate. To make those assertions, both parties need detailed and timely financial data. For instance, they need to know if sales are slowing or if costs are rising, since trends like these can lead to disappointing earnings. The CIO has to provide the technology, such as financial applications, business analytics tools and enterprise resource planning (ERP) systems, which serve up these numbers.
If the company discovers an upcoming shortfall, it must alert investors by filing a form 8-K with the SEC. If courts determine that a company should have filed an 8-K but didn't, the CEO and CFO could be found guilty of fraud.
Ideally, the CIO should work with the audit committee, which is a subcommittee of its board of directors, to understand what sort of events can trigger an 8-K filing. For instance, a transportation company might have to file an 8-K if energy prices spike. Once they know which triggers to look for, CIOs can ensure that the IT department gathers the data that predicts these events.
This was first published in August 2005