ERP Compliance Requirements to Go Public


The process leading to a company's Initial Public Offering (IPO) is extremely tedious, as leaders must ensure the company meets financial reporting compliance requirements while also using extensive financial analysis to demonstrate the appeal of the enterprise to potential investors. Many private companies upgrade to a new ERP prior to going public to instill the highest amount of investor confidence in their financial statements. But how can users distinguish between their own needs and the requirements for winning over investors? In this episode of The ERP Advisor, Shawn Windle will provide the playbook on utilizing ERP to go public.



Leading an enterprise through an Initial Public Offering (IPO) is a tremendous undertaking, requiring extensive steps to ensure operations meet detailed compliance requirements. Implementing the right ERP can simplify the IPO process and assist financial executives to be in compliance with IPO demands.

What does a business need from its ERP in order to go public?

When a company begins the process of going public, it must appeal to the public, as well as to other potential investors, to receive the support it needs. Potential investors, including investment bankers, the investment community, and other institutional investors, will need to evaluate the overall financial viability of an organization to determine if they would like to invest.

Investors must look at financial statements and reports to gather the necessary information to make informed decisions. Organizations can intentionally generate fraudulent financial statements which are difficult to trace when reports are created manually. This is a major dilemma within the IPO world, as businesses in the past have intentionally misreported their financial situations, sending individuals to prison and costing investors their retirement and savings. Therefore, having solid financial statements backed up with proper internal controls built into an ERP can provide investor confidence as a company anticipates going public.

While there is not a single set of regulations or a centralized policy that indicates how your ERP must be set up to go public, there are general frameworks that can set a business up for success.

What is SOX compliance and how does it relate to ERP?

When referencing SOX compliance, individuals are referring to a set of controls that must be in place for how a public company produces its financial statements. The Sarbanes-Oxley Act (SOX) is a law that stemmed from the Enron and WorldCom failures in the early 2000s. Under it, public companies are required to comply with various internal controls policies as verified by their auditors. The audit will investigate whether the company has accurate financial reporting and appropriate internal controls. Under SOX compliance, CFOs and CEOs must sign on the dotted line that the business’s financial statements are accurate, and if they are not, they can face criminal charges.

Regardless of the size of an enterprise, fraud can be hard to detect. So, what can leaders do to prevent fraud from even occurring? To encourage legal compliance, various frameworks, including the Committee of Sponsoring Organizations (COSO) and Control Objectives for Information and Related Technologies (COBIT) can be implemented to strengthen an organization’s accounting and other IT systems' internal controls. Audit firms review a company’s books and ensure compliance, while a different firm inspects internal controls to document any issues surrounding the financial statement creation process. Therefore, the constructs of a company’s ERP can either support compliance or permit weaknesses that will lead to a deficient audit.

What must an ERP include to comply with internal controls?

At a high level, internal controls are defined as the mechanisms, rules, and procedures put in place by a company to ensure the integrity of accounting and financial information, encourage accountability, and try to prevent fraud.

Much like the steps necessary to meet SOX compliance, many organizations will bring in outside firms to run inspections on business operations. Such internal controls auditors will make recommendations regarding necessary changes to optimize the business’ internal controls framework. When organizations lack strict guidelines surrounding these processes, they put themselves at risk of fraud and miscalculations.

A few basic internal control requirements that a business should look for in its ERP are:

     1. Assign ERP users to predefined roles with set permissions.
     2. Segregate cash disbursements and cash receipts duties amongst your employees.
     3. Build in and utilize journal entry approval workflows.
     4. Generate Financial Statements directly from the system, not manually.

When configuring an ERP system, there are various out-of-the-box roles you can assign users in the software. This helps leaders to control who does what when it comes to business processes. This prevents individuals from making substantial changes or approving information outside their scope.

Segregation of duties ensures that individuals do not hold conflicting positions, such as allowing the same employee to create vendors and approve payments to vendors.
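
The role and segregation-of-duties requirements above can be checked mechanically against an export of user-to-role assignments. The following Python code is an added example, not taken from any ERP product; the roles, permissions, users and conflict pairs are all constructed for illustration.

```python
# Added example: segregation-of-duties (SoD) check over ERP role assignments.
# Every role, permission and user name here is constructed, not from a real ERP.

# Predefined roles and the permissions each one grants.
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve"},
    "cashier": {"cash_receipt.record"},
    "treasury": {"cash_disbursement.issue"},
    "gl_accountant": {"journal.create"},
    "controller": {"journal.approve"},
}

# Permission pairs that one person must not hold at the same time.
SOD_CONFLICTS = [
    ("vendor.create", "payment.approve"),
    ("cash_receipt.record", "cash_disbursement.issue"),
    ("journal.create", "journal.approve"),
]

# Constructed user-to-role assignments, as an access review export might list them.
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_manager"],
    "carol": ["cashier", "gl_accountant"],
    "dave": ["cashier", "treasury", "controller"],
}

def granting_roles(roles, perm):
    """Roles in `roles` that grant `perm`, so a reviewer knows what to remove."""
    return sorted(r for r in roles if perm in ROLE_PERMISSIONS[r])

def sod_violations(user_roles):
    """Return {user: [(perm_a, perm_b, roles_granting_a, roles_granting_b)]}."""
    findings = {}
    for user, roles in sorted(user_roles.items()):
        unknown = [r for r in roles if r not in ROLE_PERMISSIONS]
        if unknown:  # an undefined role cannot be evaluated, so fail loudly
            raise ValueError(f"{user}: unknown roles {unknown}")
        for a, b in SOD_CONFLICTS:
            ra, rb = granting_roles(roles, a), granting_roles(roles, b)
            if ra and rb:  # conflicts also arise from combining separate roles
                findings.setdefault(user, []).append((a, b, ra, rb))
    return findings

if __name__ == "__main__":
    for user, hits in sod_violations(USER_ROLES).items():
        for a, b, ra, rb in hits:
            print(f"{user}: {a} (via {ra}) conflicts with {b} (via {rb})")
```

The check works on effective permissions rather than role names, so it flags a user who accumulates a conflicting pair through two individually acceptable roles.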

Individuals need to have a basic understanding of how to account for the money coming in and out of the business. When appropriate processes are in place, businesses can better account for the flow of money within the organization. This is also where segregation of duties comes into play so that there are not too many individuals managing these processes.

Finally, businesses should have an audit trail of the key transactions and journal entries that feed into financial statements and should be able to create financial statements with as little manipulation as possible, thus boosting their appeal to investors. Statements generated with little human intervention show that an organization has the necessary controls in place to prevent human error or fraud.

What is the most practical ERP advice for businesses looking to go public?

From the start, businesses need to discover their errors, risks, internal controls, and deficiencies on their own. Doing their own thorough audit of the business to determine shortcomings and implementing some quick-hit fixes can save a business a substantial amount of money down the line and increase investor confidence.

Internal auditors, financial statement auditors, and other external auditors are likely to find processes upon which a business can improve. A business should build and clean up its internal processes early on through these audits to ensure that they are set up for future success. Building these controls into your existing ERP, or maybe even implementing a new ERP if your old system cannot support these changes, will help you immensely to pass muster for going public.

Businesses should aim to automate as many processes surrounding financial statement reporting as possible to reduce errors and ensure that they are appealing to potential investors. They must be practical about their internal controls and build as many as they can into their ERP system to reduce organizational risks.


Overall, just because your organization is going public does not mean you need to change or upgrade your ERP system. A system may be able to meet all necessary specifications for a company to appeal to potential investors, but leaders need to understand their operations to make informed decisions first and then implement appropriate processes. If your current system absolutely cannot do what you need, then yes, make the change to a new ERP that has proven successful with IPO companies. In the end, it is important to do the heavy lifting upfront in an IPO process to ensure your ultimate success down the line.
