Manage Learn to apply best practices and optimize your operations.

IPO Pressure: Get Ready to Meet the IT Demands of a Public Company

If your company plans to go public, don't just count your options; brace yourself for the scrutiny of auditors -- and some late nights.

Big news: Your company has decided to make an initial public offering (IPO). Maybe your company's venture capitalists want to recoup their investment. More likely, your company thinks it has a hot product or service and needs the cash to expand.

But before you start counting your stock options, consider the work ahead. An IPO puts a huge burden on you as CIO. Now, in addition to meeting your company's daily technology needs, you have a new priority: coordinating with the finance department and legions of auditors, inside the company and out, to ensure that your company can meet the stringent financial reporting and data security requirements of a public company. Before you know it, auditors will be questioning all your workflow processes. Some might even dive into dumpsters to make sure your employees are properly shredding sensitive data before throwing it out.

"If you thought you were under a lot of pressure before as an IT guy, [being CIO] of a public company is going to be a lot more pressure," says Kevin Sidders, managing director of investment bank Credit Suisse First Boston, who has helped roughly 50 companies go public.

That is, unless you're prepared. CIOs who have already developed a scalable IT infrastructure and are working with audit committees today for a possible IPO tomorrow have much less to worry about. Their years and months of work have prepared them not only for the offering but also for the company's expected growth in the years to come.

While hardly the answer for every company, IPOs remain one avenue of choice for firms on a growth trajectory. The IPO market isn't as hot as it once was but still shows activity, with firms raising an average of $201 million each in the 96 offerings this year as of early August, according to Renaissance Capital's, a Web site that tracks IPOs. That number of deals is down 14% in 2004, though the amount of cash raised is slightly higher than last year's year-to-date average of $198 million.

CIOs of private midmarket companies should thus keep an eye on their companies' financing strategies and be prepared for what going public entails: scrutiny from investment bankers and auditors; late nights (and short attention spans) for IT staff; and supplying systems that can quickly deliver financial results, if not predict them. There's also the culture change from the world of private capital, where the company could run itself as its executives and investors pleased, to the world of public markets, where it suddenly finds that every financial event is subject to the scrutiny of auditors, regulators, financial analysts and investors.

The Pre-IPO Checklist

Auditors and investment bankers give companies an exhaustive list of what they need to explain and document before their IPO. For IT, the list includes a checklist of financial controls. Auditors also advise auditing nonfinancial reporting sys-tems, even though this isn't required.

What follows is a sample checklist. Actual lists vary by company and industry. For each item, you should be able to explain and document the following:

Architecture and Design
IT architecture. How does your system effectively manage business objectives, and how does it track key goals, success factors and other performance indicators, such as customer acquisition and the status of pending deals?

Data design. How does your system collect, analyze, assess, interpret and distribute the data your business needs to track the benchmarks above? Who gets the data, and what tools do they have to react to it?

Quality review. How do you ensure that data is correct?

Data protection. How do you ensure that only the correct people have access to the data? Explain segregation of duties, password policies, hacker prevention and so on.

Development and Support
Application software. How did you acquire or develop your application software? For acquired software, show vendor information and terms of ownership or use. For developed software, fully document the process for developing, improving and maintaining it.

Infrastructure. How did you acquire technology infrastructure? Show vendor information and document software licensing agreements.

Infrastructure development. How do you develop and maintain policies and procedures for initiating the acquisition or development of technology infrastructure?

Quality assurance. How do you install and test application software and technology infrastructure?

Ongoing maintenance. How do you manage changes to software and infrastructure?

Management and support. How do you decide who gets what level of service? How do you manage third-party services, performance and capacity? Ensure systems security? Deal with problems and incidents?


Sources: The IT Governance Institute, the Committee of Sponsoring Organizations and various auditors

First Things First

After a company announces its intentions to go public, "The first thing I would do would be to sit down and talk to the company's external auditors," says Alex Munn, who was CIO of then-$107 million Pacer International Inc., a third-party logistics and freight transportation company in Concord, Calif., when Pacer went public in 2002. Munn is now COO.

If auditors discover shortcomings in the financial reporting process, and these problems can't be fixed quickly, the IPO may be postponed. Worse, the IPO might proceed and fetch a lower-than-expected valuation. Munn would nip that problem in the bud by asking external auditors to "give me a thorough review of the IT organization, which in turn would really be asking the auditors to tell me was I in compliance with Sarbanes-Oxley. I would like to know going into the IPO what I needed to do and what time frame I had."

Getting ready to go public and complying with the Sarbanes-Oxley Act (SOX) can be IT hell or just another event in a company's development. It all depends on how well the company -- and the CIO -- have planned ahead. Some companies grow so fast in the years and months leading up to their IPO that they figure they don't have time to start SOX compliance until after the IPO. "You've had situations where companies were playing catch-up from almost their first day as a public company," says Mark Jensen, a partner and the national director of the Venture Capital Services Group at the accounting firm Deloitte & Touche LLP.

Among other things, SOX requires companies to certify that their financial reports are accurate and complete and that they have the proper controls in place to quickly predict shortfalls and ferret out fraud. Given finance and operations' reliance on technology, much of this responsibility falls on the shoulders of the CIO.

SOX compliance can be especially challenging for mid-market companies that contract out various parts of their financial reporting to third-party vendors. In order for companies to prove they are compliant, they must also prove that their vendors are compliant.

Companies don't have to comply with the financial reporting provisions of SOX before they go public, but they must comply by the time they file their first annual report with the Securities and Exchange Commission (SEC), unless their market capitalization is less than $75 million.

As executives at public companies already know, a year isn't very long if you have a lot to do to get your house in order. Compliance isn't cheap, either -- it can cost millions -- and the longer you wait, the more it costs, since you need consultants to speed up the work.

The best way to avert these costs is to develop an IT strategy and the infrastructure to support it as a company grows, before (or regardless of) any IPO talk. "If you had a solid foundation before, the IPO shouldn't really be a life-changing event for you," says Dan Demeter, CIO and senior vice president of Korn/ Ferry International, the executive search firm.

Demeter knows from experience. He was CIO when Los Angeles-based Korn/Ferry, then a $373 million firm, went public in 1999. At the time, Korn/Ferry was integrating the IT system of its Web-based search service, Futurestep, with its main IT infrastructure to cut costs. Because of the upcoming IPO, Demeter had to show financial analysts that the company's existing IT infrastructure -- XML running on top of Microsoft SQL servers -- could serve as the infrastructure for Futurestep, too. (Originally, Korn/Ferry had allowed Futurestep to establish its own IT systems.) "Analysts come in and check you out. Everybody wants to make sure the technology is up to par," Demeter says. "The analysts told me they want to make sure that [IT] is never going to be a problem." He assured them it wouldn't be.

When the time came, compliance wasn't either (SOX didn't exist in 1999). Thanks to Demeter's decision to design financial software that could produce sophisticated financial reports even before they were legally required, it wasn't hard to comply with SOX after it became law. "We really didn't have that much to do in terms of preparation because we already had the solid foundation," Demeter says.

To build that foundation, a CIO must understand the financial reporting process, and the role that SOX plays in certifying financial results. Under SOX, both the CEO and the CFO must personally certify that their company's financial reports are true and accurate. To make those assertions, both parties need detailed and timely financial data. For instance, they need to know if sales are slowing or if costs are rising, since trends like these can lead to disappointing earnings. The CIO has to provide the technology, such as financial applications, business analytics tools and enterprise resource planning (ERP) systems, which serve up these numbers.

If the company discovers an upcoming shortfall, it must alert investors by filing a form 8-K with the SEC. If courts determine that a company should have filed an 8-K but didn't, the CEO and CFO could be found guilty of fraud.

Ideally, the CIO should work with the audit committee, which is a subcommittee of its board of directors, to understand what sort of events can trigger an 8-K filing. For instance, a transportation company might have to file an 8-K if energy prices spike. Once they know which triggers to look for, CIOs can ensure that the IT department gathers the data that predicts these events.

Watching Out for the Boss
Since massive accounting scandals have historically involved fraud by the CFO, the CIO has another difficult task: He must install controls that target the CFO, who in many cases is his boss. For example, although CFOs manage finance, they should not be able to change certain data in a company's ledgers. Jensen suggests that CIOs work with their audit committees to design controls that can, for instance, automatically generate an e-mail to the audit committee whenever a CFO makes a ledger entry, or whenever an abnormal amount of quarterly sales are booked on the last day of the quarter, which could be a sign that someone is trying to pad quarterly sales.

"CIOs need to make sure they're working effectively with the audit committee to get the kind of information that they need to do their job," Jensen says.

Although it's possible to generate these red-flag reports manually with low-level software like Sage Software's Peach-tree brand products, auditors prefer to see these reports generated automatically with ERP systems. Migrating to an ERP system is not the kind of thing one can undertake on the eve of an IPO, but it's worth considering well in advance if business leaders plan to eventually take the company public.

In any case, what matters most is the data. "At the end of the day, what's really important is the quality of the data and the frequency of the data. It's not where it's coming from," says Credit Suisse's Sidders. Even a manually updated spreadsheet can be sufficient. "If the thing gets updated daily and it gets blasted all over the organization and they're all over it, that's better than some fancy schmancy system that gets updated every two weeks," Sidders says.

Even with a sound infrastructure, surprises are bound to crop up. CIOs can limit their exposure by getting their hands on a due diligence checklist as early as possible. This is the list investment bankers use to evaluate companies as they prepare to go public. The list contains hundreds of questions for the top officers of the company; some are specifically targeted at IT (see The Pre-IPO Checklist). Because addressing them can take several months, auditors recommend getting a list six months to a year before a proposed IPO.

Although the checklist is quite specific, it boils down to this: Investment bankers want IT to help the CFO comply with SOX, quickly track financial trends and rapidly close the quarter. "Typically, we like to see management have a very good sense of what [earnings] numbers look like within 48 to 72 hours" of a quarter's close, Sidders says.

Missing filing deadlines can bring huge penalties. "If computing infrastructure goes down because you screwed up migrating your database and you don't report your quarter on time, it's going to cost you tens or hundreds of millions of dollars of market cap, and probably your job," says Sidders. "Not that it didn't cost you your job before, but now the stakes are so much higher." In general, the checklist is difficult partly because much of it is related to SOX, and the law is so new that people are still trying to figure out its finer points. Last year, many companies audited IT components they weren't required to audit, says Everett Johnson, international president of the Information Systems Audit and Control Association in Rolling Meadows, Ill. He recommends that CIOs hire certified internal IT auditors and "look long and hard" at the control systems they're auditing to avoid unnecessary work.

The checklist is particularly challenging for midmarket companies because they usually don't have internal auditors who can help them prepare for the external audit. Some companies have tried to rely on the IT staff to perform the internal audit, with poor results. "There are clients who go out and do Sarbanes on their own and then put the entire package in front of external auditors, [who then] say, 'No, you're completely off track,'" says Karl Kispert, solutions director of the Brookfield, Wis., internal auditing firm Jefferson Wells International.

Companies that lack internal auditing staff may find themselves paying for expensive outside consultants. In this case, Johnson recommends that CIOs get internal staff to "work with the consultants and carry this process on in the future."

George Grous was chief technology officer at Odimo Inc., a Sunrise, Fla., diamond and luxury goods retailer that went public in February 2005. He recalls that his checklist was quite detailed. "There's a lot when you dig in," he says.

Grous benefited greatly from the IT infrastructure he helped build at Odimo even before the IPO was announced. "If you follow what you consider to be best practices, it will save you a lot of work," Grous says. "It's a lot easier pulling something out of a file and saying, 'Here's our process. Here's our file,'" than having to develop a process on deadline.

Still, no planning is perfect. Grous recalls having to develop more complete documentation of Odimo's software licensing agreements to show that Odimo was paying for the software it was using, and not for any software it wasn't using. He also had to produce better documentation of Odimo's vendor contracts and develop the ability to generate some new types of sales and inventory reports. He had an IT staff of 18 at the time for the $42 million firm.

As the IPO approaches, CIOs will have another pressure to deal with: cost control. Some investment bankers estimate that every incremental increase in costs translates into so many millions less in a company's opening market capitalization.

Pacer's Munn, for one, says that although he always controls costs, on the eve of Pacer's IPO he was keenly aware that investment bankers were monitoring all company expenditures, including those in IT. When the offering was announced, "we were in the early stages of a replacement system for one of our divisions," Munn says. He had to alert the bankers, who approved the transaction.

Investment bankers do say it's a mistake for pre-IPO companies to try to bolster their balance sheets by deferring expenditures. "What we'd rather see is that companies front-load expenses prior to going public," says Sidders of Credit Suisse. "While it makes the current financial picture less attractive, it makes the future picture more attractive." And public markets are always forward-looking.

People Count Too
Of course, CIOs don't just manage data; they also have to manage people. On the eve of an IPO, that often entails asking IT workers to log longer days and focus on getting the work done rather than on how their options packages compare with those of their coworkers.

Grous of Odimo recalls what that's like.

Back in 2001, he was a senior engineer at BroadLogic Network Technologies Inc., a spin-off of networking and storage company Adaptec Inc. BroadLogic had announced an IPO. Grous and his co-workers put in long hours. They were part of the fever. "There was definitely a different kind of energy before going public," he says. Ultimately, though, they were disappointed. In the tech bust of 2001, BroadLogic canceled its IPO.

Before Odimo's IPO, Grous told his workers to expect to work some long hours and reminded them how much the rest of the company depended on them. And he tried to keep them happy. "Buy them lunch, take them out to lunch, bring lunch in. Buy lots of snacks. Keep them well fed," Grous says. "You've got to keep the morale high and perky." In the end, however, the best IT in the world won't produce a successful IPO. For that, a company needs "a great business in a great market environment," Sidders says. High growth, high or expanding profitability and limited competition all help. If a company has all that, a forward-thinking CIO can complete the picture. He or she will have built a solid IT infrastructure that can withstand the rigors of regulatory compliance and investment bankers kicking the tires. When the infusion of cash scales the business, the IT will scale right along with it. And then it might be time to start counting -- or cashing in -- those options.

Joan Indiana Rigdon was a contributing writer for CIO Decisions. To comment on this story, email [email protected].

Dig Deeper on Small-business IT strategy