Of all the workstreams in an IPO preparation program, audit readiness and SOX compliance is the one that catches companies most off guard and causes the most delays. Building a controls program that satisfies SOX Section 404 from scratch takes 12–18 months of sustained, resource-intensive effort. Companies that start this work late pay for it with a delayed IPO, with material weaknesses disclosed in their S-1, or with both.
What Is IPO Audit Readiness?
IPO audit readiness encompasses two distinct but interconnected requirements: the external audit of historical financial statements by a PCAOB-registered firm, and the internal controls assessment required under the Sarbanes-Oxley Act.
The external audit is table stakes — without PCAOB-audited financial statements, no S-1 can be filed. But the internal controls program is more complex, more expensive to build, and more time-consuming to complete. Many companies discover mid-way through IPO preparation that their controls environment is significantly weaker than they assumed — triggering remediation programs that compress or delay the filing timeline.
Why This Workstream Takes Longer Than Everything Else
Unlike hiring executives or cleaning up a cap table — which can be done in parallel with other work — building a SOX-compliant controls program requires a sequential build: design controls, document them, implement them operationally, then test them. Testing cannot begin until implementation is complete. The testing cycle itself takes months. And if deficiencies are found, remediation must be implemented and re-tested before the controls can be signed off. There is no shortcut to compressing this timeline.
The PCAOB Audit Requirement
The Public Company Accounting Oversight Board (PCAOB) is the regulatory body established by the Sarbanes-Oxley Act to oversee the audits of public companies. The SEC requires that the annual financial statements included in an S-1 registration statement be audited by a PCAOB-registered audit firm.
This requirement trips up a surprising number of pre-IPO companies. Many growth-stage companies use local, regional, or boutique accounting firms that are not PCAOB-registered. When these companies begin IPO preparation, they discover that their entire audit history — potentially three years of financials — must be re-audited by a qualifying firm.
What PCAOB Registration Means in Practice
PCAOB registration means the audit firm is subject to PCAOB inspection and must follow PCAOB auditing standards. All of the Big Four firms (Deloitte, EY, KPMG, PwC) are PCAOB-registered, as are a number of large regional and national firms. Registration status can be verified on the PCAOB's public website.
Beyond PCAOB registration, the SEC and institutional investors have practical expectations about auditor quality based on company stage. Companies targeting large institutional investors and major exchange listings are generally expected to use a Big Four firm or a well-regarded national firm with active IPO practices. Auditor quality is consistently cited by underwriters as a factor in assessing company credibility.
Auditor Selection Timing
Auditor selection should happen 18–24 months before the anticipated IPO filing date — not 12 months, and certainly not during S-1 preparation. Big Four firms operate at capacity for IPO engagements and carry 12–18 month waitlists in some cases. Engaging a new PCAOB auditor also requires a transition period during which the prior firm's work is reviewed and the new firm gets up to speed. Starting this process early is consistently one of the highest-leverage decisions in IPO planning.
Sarbanes-Oxley — The Four Sections That Matter Most
The Sarbanes-Oxley Act of 2002 contains many provisions, but four sections have direct, material impact on IPO readiness and ongoing public company obligations.
Section 301 — Audit Committee Requirements
Requires that the audit committee of every listed company be composed entirely of independent directors. The related expectation that at least one member qualify as an "audit committee financial expert," as defined by SEC rules, comes from Section 407 (which requires disclosure of whether the committee has such an expert) and from exchange listing standards, but in practice it is handled as part of the same readiness item.
The audit committee is directly responsible for the appointment, compensation, and oversight of the external auditor. IPO candidates must have the audit committee fully constituted and functioning — with a qualified financial expert — before the S-1 is filed.
Required at listing
Section 302 — CEO/CFO Certification
Requires the CEO and CFO to personally certify each quarterly and annual filing — confirming that they have reviewed the report, that it contains no material misstatements or omissions, and that they have evaluated and are disclosing the effectiveness of disclosure controls and procedures.
Section 302 certifications are supported by a sub-certification process in which managers below the CEO/CFO level provide written confirmations of the accuracy of information in their areas of responsibility.
Every 10-K and 10-Q
Section 404 — Internal Controls Reporting
Section 404(a) requires management to assess and report on the effectiveness of internal controls over financial reporting (ICFR) in the annual 10-K. Management must identify any material weaknesses and disclose them publicly.
Section 404(b) requires the external auditor to separately attest to management's ICFR assessment. EGC companies are exempt from 404(b) — one of the most valuable JOBS Act accommodations — but must still complete management's own assessment under 404(a).
EGC exempt from 404(b)
Section 906 — Criminal Certifications
Requires the CEO and CFO to certify that each periodic report fully complies with Exchange Act requirements and fairly presents the company's financial condition and results of operations. Unlike the civil liability under Section 302, Section 906 violations carry criminal penalties — up to $5 million and 20 years imprisonment for knowingly and willfully making false certifications.
Section 906 certifications reinforce the personal accountability of the company's senior officers for the accuracy of public disclosures.
Every 10-K and 10-Q
The COSO Framework — Foundation of IPO-Ready Controls
The Committee of Sponsoring Organizations of the Treadway Commission's 2013 Internal Control — Integrated Framework (COSO 2013) is the standard used by the vast majority of public companies to design, implement, and assess internal controls over financial reporting.
COSO defines five components of internal control, all of which must be present and functioning for management to conclude that ICFR is effective. A deficiency in any component — particularly the control environment — can affect the overall assessment even if individual controls within other components are operating effectively.
COSO 2013 — Five Components of Internal Control: control environment, risk assessment, control activities, information and communication, and monitoring activities. All five must be present and functioning together for management to conclude that ICFR is effective.
Types of Controls — What You Need to Document and Test
A complete SOX control framework covers three categories of controls. Each plays a distinct role and requires different documentation and testing approaches.
Entity-Level Controls
Controls that operate at the company level and affect the overall control environment. They cannot prevent or detect specific misstatements on their own, but their presence (or absence) significantly affects the risk of material misstatement across the entire financial reporting process.
Process-Level Controls
Controls embedded in specific business processes that directly prevent or detect material misstatements in financial statement accounts and disclosures. These are the core controls tested in a SOX assessment and documented in process narratives and risk-and-control matrices (RCMs).
IT General Controls
Controls over the IT environment that support the reliability of application-level controls and financial reporting systems. ITGCs are foundational — if ITGCs fail, application controls that rely on those systems are also considered unreliable, which can cascade into broader control failures.
Control Deficiencies — Understanding the Severity Scale
Not every control weakness is equally significant. PCAOB auditing standards and SEC rules define three levels of deficiency severity, each with different disclosure and remediation implications. Understanding this scale is essential for prioritizing your remediation program.
Control Deficiency — Lowest Severity — Not Publicly Disclosed
A deficiency exists when the design or operation of a control does not allow management or employees to prevent or detect misstatements on a timely basis in the normal course of business. Control deficiencies must be communicated to management but are not required to be disclosed to the audit committee or publicly. They are remediated as part of normal control improvement activities.
Significant Deficiency — Moderate Severity — Reported to Audit Committee
A deficiency, or combination of deficiencies, in ICFR that is less severe than a material weakness but important enough to merit attention by those responsible for oversight of financial reporting. Significant deficiencies must be communicated in writing to the audit committee and to the external auditors, but they are not required to be publicly disclosed in the annual report.
Material Weakness — Highest Severity — Publicly Disclosed in 10-K and S-1
A deficiency, or combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis. Material weaknesses must be disclosed publicly in the annual report (and in an S-1 if identified during IPO preparation) and are among the most damaging findings in the IPO process. Institutional investors, underwriters, and the SEC treat disclosed material weaknesses with significant skepticism.
⚠️ The Material Weakness Problem in IPO Filings
- Disclosing a material weakness in an S-1 does not automatically prevent an IPO — but it significantly increases investor scrutiny, may affect pricing, and requires a credible remediation plan
- The most common pre-IPO material weaknesses involve: insufficient accounting staff with technical GAAP expertise, inadequate financial close processes, missing segregation of duties due to small team size, and absent or undocumented controls over revenue recognition
- A material weakness discovered during S-1 review is far more damaging than one identified and remediated 12 months before filing; early assessment and honest gap identification are essential
- Post-IPO material weaknesses disclosed in a first 10-K are severely damaging to stock price and investor confidence — the controls program must be genuinely functional at the time of IPO, not just documented
IT General Controls — The Often-Overlooked Workstream
IT General Controls (ITGCs) are consistently underestimated in pre-IPO planning. Companies that have grown rapidly often have fragmented IT environments, multiple ERP systems, informal access management processes, and change management practices that would not survive a SOX audit. Addressing ITGC gaps requires both technical remediation and the implementation of formal processes — neither of which can be done quickly.
Access Management
Controls over who can access financial systems, what they can do, and how access is granted, reviewed, and revoked.
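The access management control described above is normally tested by pulling the full entitlement export from each in-scope system and comparing it against the HR roster and a segregation-of-duties matrix. The script below is an added example, not code from the original page or from any product it mentions; it runs over constructed sample data (a hypothetical ERP export, HR roster and SoD matrix, all embedded inline) and flags the four findings a SOX tester looks for: role combinations that violate segregation of duties, access still held after termination, accounts with no HR record, and grants whose periodic recertification is overdue. The role names, the quarterly review cadence and the review date are assumptions.

```python
"""Added example (not from the page): a scripted user access review over a
constructed entitlement export from a hypothetical ERP. It flags SoD conflicts,
access held by terminated staff, accounts with no HR record, and grants whose
periodic review is overdue."""
from dataclasses import dataclass
from datetime import date

# Constructed sample data: one row per (user, role) grant, as a quarterly
# export from the ERP might look. Role names are hypothetical.
ENTITLEMENTS = [
    {"user": "amy", "role": "AP_VENDOR_CREATE", "last_reviewed": "2024-01-15"},
    {"user": "amy", "role": "AP_PAYMENT_APPROVE", "last_reviewed": "2024-01-15"},
    {"user": "bob", "role": "GL_JOURNAL_POST", "last_reviewed": "2023-03-01"},
    {"user": "cat", "role": "AR_INVOICE_CREATE", "last_reviewed": "2024-01-15"},
    {"user": "dan", "role": "SYS_ADMIN", "last_reviewed": "2024-01-15"},
    {"user": "svc_batch", "role": "GL_JOURNAL_POST", "last_reviewed": "2024-01-15"},
]

# Constructed HR roster: termination date, or None while still employed.
HR_ROSTER = {"amy": None, "bob": None, "cat": "2024-02-29", "dan": None}

# Hypothetical SoD matrix: role pairs one person must never hold together.
SOD_CONFLICTS = [
    frozenset({"AP_VENDOR_CREATE", "AP_PAYMENT_APPROVE"}),
    frozenset({"AR_INVOICE_CREATE", "AR_CASH_APPLY"}),
    frozenset({"GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"}),
]

REVIEW_INTERVAL_DAYS = 90          # assumed quarterly access review cadence
AS_OF = date(2024, 3, 31)          # assumed review date


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # sod_conflict | terminated_user_active | no_hr_record | review_overdue
    detail: str


def review_access(entitlements, roster, sod_conflicts, as_of,
                  review_interval_days=REVIEW_INTERVAL_DAYS):
    """Return the list of findings for an access review performed on `as_of`."""
    roles_by_user = {}
    for e in entitlements:
        roles_by_user.setdefault(e["user"], set()).add(e["role"])

    findings = []
    for user, roles in sorted(roles_by_user.items()):
        # SoD is evaluated on the user's combined role set, not grant by grant.
        for pair in sod_conflicts:
            if pair <= roles:
                findings.append(Finding(user, "sod_conflict", " + ".join(sorted(pair))))
        # Leaver control: every account must map to a live HR record.
        if user not in roster:
            findings.append(Finding(user, "no_hr_record", ", ".join(sorted(roles))))
        elif roster[user] is not None and date.fromisoformat(roster[user]) <= as_of:
            findings.append(Finding(user, "terminated_user_active", f"terminated {roster[user]}"))

    # Periodic review evidence: each grant must have been recertified in period.
    for e in entitlements:
        age = (as_of - date.fromisoformat(e["last_reviewed"])).days
        if age > review_interval_days:
            findings.append(Finding(e["user"], "review_overdue", f"{e['role']} ({age} days)"))
    return findings


def summarize(findings):
    """Count findings by kind, the form a tester records in the workpaper."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(ENTITLEMENTS, HR_ROSTER, SOD_CONFLICTS, AS_OF)
    for f in results:
        print(f"{f.kind:24} {f.user:10} {f.detail}")
    print(summarize(results))
```

Run over the constructed data, the review reports one SoD conflict (amy can both create vendors and approve payments), one terminated user with live access, one account with no HR record (the batch service account) and one grant whose last recertification is older than the review interval. Testing the whole population this way, rather than a sample, is what lets the auditor place reliance on the control; the service-account finding is the kind that is routinely missed when reviews are driven from the HR list instead of from the system export.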
Change Management
Controls over modifications to financial applications, databases, and infrastructure — ensuring changes are authorized, tested, and documented.
Computer Operations
Controls over data processing, job scheduling, data backup, and recovery — ensuring financial data is processed completely, accurately, and is protected from loss.
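The change management control above ("authorized, tested, and documented") is tested by tracing production changes back to their approval evidence. The script below is an added example, not code from the original page or from any product it mentions; it reconciles a constructed deployment log from a hypothetical CI/CD pipeline against a constructed change-ticket export, both embedded inline, and reports every deployment that has no ticket, references an unknown ticket, deployed a commit the ticket does not cover, was approved by the person who deployed it, was approved only after it went live, or lacks test evidence. Field names and ticket identifiers are assumptions.

```python
"""Added example (not from the page): reconciling a constructed production
deployment log against a constructed change-ticket export so that every
change can be traced to prior, independent, tested approval."""
from dataclasses import dataclass
from datetime import datetime

# Constructed deployment log (what the pipeline recorded). Field names assumed.
DEPLOYMENTS = [
    {"id": "dep-1", "commit": "a1b2c3", "deployed_by": "bob", "deployed_at": "2024-03-04T10:00:00", "ticket": "CHG-101"},
    {"id": "dep-2", "commit": "d4e5f6", "deployed_by": "amy", "deployed_at": "2024-03-06T15:30:00", "ticket": "CHG-102"},
    {"id": "dep-3", "commit": "0badf0", "deployed_by": "dan", "deployed_at": "2024-03-07T09:00:00", "ticket": None},
    {"id": "dep-4", "commit": "cafe01", "deployed_by": "cat", "deployed_at": "2024-03-08T11:00:00", "ticket": "CHG-104"},
    {"id": "dep-5", "commit": "feed02", "deployed_by": "bob", "deployed_at": "2024-03-09T11:00:00", "ticket": "CHG-105"},
    {"id": "dep-6", "commit": "1234ab", "deployed_by": "bob", "deployed_at": "2024-03-10T11:00:00", "ticket": "CHG-999"},
]

# Constructed change-ticket export (what the ticketing system recorded).
TICKETS = {
    "CHG-101": {"approver": "eve", "approved_at": "2024-03-03T17:00:00", "tested": True,  "commits": {"a1b2c3"}},
    "CHG-102": {"approver": "amy", "approved_at": "2024-03-06T09:00:00", "tested": True,  "commits": {"d4e5f6"}},
    "CHG-104": {"approver": "eve", "approved_at": "2024-03-08T16:00:00", "tested": True,  "commits": {"cafe01"}},
    "CHG-105": {"approver": "eve", "approved_at": "2024-03-08T10:00:00", "tested": False, "commits": {"beef03"}},
}


@dataclass(frozen=True)
class Issue:
    deployment: str
    code: str    # no_ticket | unknown_ticket | commit_not_in_ticket | self_approved | approved_after_deploy | not_tested
    detail: str


def reconcile(deployments, tickets):
    """Return every control exception found when tracing deployments to tickets."""
    issues = []
    for d in deployments:
        tid = d["ticket"]
        if tid is None:
            issues.append(Issue(d["id"], "no_ticket", d["commit"]))
            continue
        t = tickets.get(tid)
        if t is None:
            issues.append(Issue(d["id"], "unknown_ticket", tid))
            continue
        # Documented: the ticket must describe the exact change that shipped.
        if d["commit"] not in t["commits"]:
            issues.append(Issue(d["id"], "commit_not_in_ticket", f"{d['commit']} not in {tid}"))
        # Authorized: approval must come from someone other than the deployer...
        if t["approver"] == d["deployed_by"]:
            issues.append(Issue(d["id"], "self_approved", t["approver"]))
        # ...and must precede the deployment, otherwise it is a retroactive sign-off.
        if datetime.fromisoformat(t["approved_at"]) >= datetime.fromisoformat(d["deployed_at"]):
            issues.append(Issue(d["id"], "approved_after_deploy", f"{t['approved_at']} >= {d['deployed_at']}"))
        # Tested: the ticket must carry test evidence.
        if not t["tested"]:
            issues.append(Issue(d["id"], "not_tested", tid))
    return issues


def clean_deployments(deployments, tickets):
    """IDs of deployments with a complete, clean audit trail."""
    flagged = {i.deployment for i in reconcile(deployments, tickets)}
    return [d["id"] for d in deployments if d["id"] not in flagged]


if __name__ == "__main__":
    for i in reconcile(DEPLOYMENTS, TICKETS):
        print(f"{i.deployment:6} {i.code:22} {i.detail}")
    print("clean:", clean_deployments(DEPLOYMENTS, TICKETS))
```

Only dep-1 survives with a clean trail. The self-approval and approved-after-deploy cases matter most in small teams: the ticket exists, so a documentation-only review would pass it, but the approval provides no independent check. Running the reconciliation from the deployment log rather than from the ticket list is what catches the change with no ticket at all.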
Building a SOX Controls Program from Scratch
Most pre-IPO companies have to build their SOX controls program from the ground up. The steps below represent the standard approach — executed over 12–18 months before the S-1 is filed.
Scoping & Risk Assessment
Identify which financial statement accounts, processes, and locations are "in scope" for the SOX assessment: those where a material misstatement could occur. Perform a risk assessment to identify the specific risks of material misstatement in each in-scope area. Determine the threshold for what constitutes a "significant account." This scoping decision drives the size and cost of the entire controls program.
Typical duration: 2–4 weeks
Process Documentation & Control Design
Document process narratives or flowcharts for each in-scope financial reporting process. Identify the controls within each process that address the identified risks. Produce Risk and Control Matrices (RCMs) that map each risk to its mitigating control. Design new controls where gaps are identified. This is typically the most labor-intensive phase — requiring significant time from both the finance team and process owners across the organization.
Typical duration: 8–12 weeks
Control Implementation & Operationalization
Controls can only be tested once they have been operating for a sufficient period. This phase involves implementing new controls, training control owners on their responsibilities, establishing the evidence-retention practices required for audit support, and building the operational discipline of consistently executing controls on schedule. Three to six months of operating history is typically required before testing can begin in earnest.
Typical duration: 12–20 weeks
Management Testing & Deficiency Identification
Management (typically through the internal audit function) tests each key control to assess whether it is designed appropriately and operating effectively. Testing involves selecting samples, obtaining evidence, and evaluating whether the control operated as designed. Deficiencies identified during testing are classified by severity and escalated as appropriate. Significant deficiencies and material weaknesses require immediate escalation to the audit committee.
Typical duration: 8–16 weeks
Remediation & Re-testing
Deficiencies identified in management testing must be remediated — through redesigned controls, new process steps, or organizational changes. Remediated controls must then operate for a sufficient period before they can be re-tested. For material weaknesses in critical processes, this can add 3–6 months to the timeline. This is why material weaknesses discovered late in the IPO process are so damaging — there may not be enough time to remediate and re-test before the S-1 filing date.
Typical duration: variable, 4–24 weeks
External Auditor Reliance & 404 Assessment
For EGC companies, the external auditor reviews management's ICFR assessment procedures and may rely on management testing to reduce their own audit procedures. For non-EGC accelerated filers subject to 404(b), the external auditor conducts an independent assessment and issues a separate opinion on ICFR effectiveness. Under the SEC's transition relief for newly public companies, management's first formal 404(a) report is not required until the second annual 10-K after the IPO; the first 10-K instead states that the report has been omitted under that relief. The controls still have to be operating from the IPO date onward, because the Section 302 certifications begin with the first periodic report.
Typical duration: 8–12 weeks
EGC Accommodations — What Pre-IPO Companies Actually Get
Emerging Growth Companies (EGCs) — companies with less than $1.235 billion in annual revenue — qualify for several accommodations under the JOBS Act that meaningfully reduce the audit and SOX burden during and after the IPO.
Key EGC Audit & SOX Accommodations
- Two years of audited financials in the S-1 (vs. three years for non-EGC companies) — saves one year of PCAOB audit costs and time
- SOX 404(b) exemption — the external auditor is not required to separately attest to internal controls. Management's own 404(a) assessment is still required, but the auditor attestation — often the most expensive SOX compliance cost — is not
- Reduced executive compensation disclosure — simplified executive compensation tables and reduced narrative requirements
- Confidential S-1 submission — file the S-1 privately before going public, allowing SEC review without competitor visibility into financials
- EGC status duration — lasts until the earliest of: the end of the fiscal year following the fifth anniversary of the IPO; the fiscal year in which annual revenue exceeds $1.235 billion; issuing more than $1 billion of non-convertible debt over a three-year period; or becoming a large accelerated filer
The most important of these is the 404(b) exemption. For a company at the time of IPO, the external auditor's attestation of ICFR would typically cost $500,000–$2 million in incremental audit fees and require 6–12 additional months of preparation. Avoiding that obligation for the first several years of public company life materially reduces both cost and timeline pressure.
Building the Internal Audit Function
Public companies are expected to have an internal audit function — either in-house or co-sourced with an outside firm. For most pre-IPO companies, the internal audit function needs to be built or significantly strengthened during the IPO preparation period.
The internal audit function plays three roles in the IPO context: it leads management's SOX 404 testing program, it provides independent assurance on the operating effectiveness of controls throughout the year, and it signals to investors and the audit committee that governance oversight is functioning properly.
Build vs. Co-Source
Most pre-IPO companies choose to co-source their internal audit function with a professional services firm — engaging a Big Four or national firm to provide experienced SOX testing resources while the company builds its permanent team. Co-sourcing provides immediate capacity, deep SOX technical expertise, and credibility with the external auditors who must rely on management testing. Many companies maintain a co-sourced model well beyond the IPO, transitioning to an in-house team over time as the business grows.
Audit Readiness Failures — What They Cost
DraftKings — Material Weakness Disclosed, Remediated (2020–2021)
DraftKings' experience with its first material weakness disclosure is a useful example of how a well-managed company navigates an audit readiness failure. When DraftKings disclosed its IT general controls material weakness in its 2020 10-K, the company simultaneously disclosed a specific remediation plan: hire additional IT and finance staff by a specific date, implement role-based access controls by Q2 2021, and engage an external SOX advisory firm to validate progress. The stock fell approximately 8% on the disclosure but recovered quickly as institutional investors assessed the disclosure as contained and the remediation plan as credible. By the time DraftKings filed its 2021 10-K, the material weakness had been remediated, a clean bill of health that the company highlighted prominently in its earnings press release. The lesson: the damage from a material weakness disclosure is manageable when the company is transparent about the root cause, specific about the remediation steps, and disciplined about delivering on the plan.
Luckin Coffee — Fraud Enabled by Inadequate Controls (2020)
Luckin Coffee's April 2020 disclosure that approximately $310 million in sales had been fabricated — discovered through an internal investigation — illustrated the most extreme consequence of inadequate internal controls: outright financial statement fraud. The control failures that enabled the fraud included: inadequate segregation of duties in the revenue recording process (the same team could both initiate transactions and record them); management override of normal review procedures; and inadequate whistleblower mechanisms that would have surfaced the fabrication to senior leadership or the audit committee. Luckin was subsequently delisted from Nasdaq. While Luckin was a Chinese company with specific audit oversight issues in the Chinese market, the case reinforced for all newly public companies that internal controls are not primarily a compliance exercise — they are the fundamental mechanism by which a company's board and audit committee obtain assurance that the financial statements they are certifying are accurate.
Ready to Build Your SOX Controls Program?
The IPO checklist covers the complete SOX readiness workstream — scoping, documentation, testing, and remediation.