As emerging companies experience significant growth, they also experience more challenges, including increased exposure to risk, new compliance requirements, and adapting processes and procedures. Companies may not realize these issues as challenges until some triggering activity occurs, such as fraudulent activity or a system breakdown, or when they decide they want to prepare for listing on a public exchange.
To be listed on a U.S. stock exchange, companies have to become U.S. Securities and Exchange Commission (SEC) registrants and must comply with certain requirements, including the Sarbanes-Oxley Act of 2002 (SOX). Being publicly listed isn’t the only reason companies become SEC registrants, though. Among other reasons, it helps raise capital, teeing up potential expansion opportunities, and provides credibility to the company, which inspires confidence from investors.
Regardless of why a company registers with the SEC, it still must comply with SOX. Becoming SOX-compliant can be challenging and time-consuming for many companies by nature of its complexity and multifaceted requirements. The requirements are meant to ensure the company has the appropriate internal controls and processes in place to prepare accurate financial statements and disclosures.
SOX is a bipartisan bill created in response to the large number of financial scandals from public companies that happened around the early 2000s. The bill demanded transparency and corporate responsibility and created several layers of oversight for public companies to protect investors and to prevent Enron-size scandals from happening again, and it has proven to work.
Not All Challenges Are Built the Same, Especially for Cannabis Companies
Startups in any industry generally feel overwhelmed with SOX compliance because they usually have a lean back-office staff, in which people are wearing multiple hats and may not be used to the rigorous control environment requirements.
What these companies may not realize is SOX compliance is the responsibility of the entire company, not just the accounting function. Operational process owners may have to refresh or establish processes to accommodate the new requirements.
Service providers that cannabis companies rely upon for any financial numbers (e.g., point-of-sale systems, payroll providers and seed-to-sale systems) should ideally have a System and Organization Controls (SOC) report.
Most often and most helpfully, service providers will make available a SOC 1, Type 2 report, which gives user organizations a strong sense of comfort about the outsourced services performed by service organizations on their behalf that are relevant to their internal controls over financial reporting.
The cannabis industry has realized increased merger-and-acquisition activity, which may frame the SOX compliance conversation, too. While this is positive, an acquisition might require a company to work with disparate processes and IT systems, which can further complicate the process.
Education, Training and Collaboration Are Key
Often, some of the biggest difficulties can be addressed with training and education.
When stakeholders recognize how critical SOX is to the strategic goals and operations of the company, it helps to ease some of the evolving management challenges.
Fast growth can mean a company outgrows certain processes and procedures, but after going through the SOX compliance process, any gaps or deficiencies are identified, allowing companies the chance to fix problems before they could cause real harm.
Sometimes the issues that come to light regarding financial reporting and operational processes are actually areas of development. Typically, a few byproducts of SOX compliance that companies experience are improvements in their overall operational processes as well as in their corporate governance and accountability.
As mentioned earlier, one person may be responsible for multiple roles, which leaves a company vulnerable to fraud or just plain old mistakes. When appropriate internal controls are in place, such as segregation of duties, system access, or authorization, it helps prevent errors or fraud before they occur. Companies can see a measurable reduction in the risk of fraudulent activity by complying with SOX.
Collaborating with the external auditors early on in the SOX journey is also important to ensure the identified control environment meets expectations, and the auditors will be confident and can rely upon the work performed. This collaboration can help minimize duplication of efforts and reduce the overall cost of compliance.
SOX Success Story: Benefits Beyond Being Publicly Listed
Ayr Wellness discovered several unexpected benefits during its own journey toward SOX compliance.
The multistate cannabis operator, founded in 2017, has grown significantly over the past few years by acquiring cannabis companies, opening new dispensaries and expanding its product portfolio. In anticipation of federal legalization, the company sought to prepare for “uplisting” to one of the public stock exchanges as soon as it is allowed. To do that, the company knew it needed to solidify its SOX compliance process, Meridith Klein, Ayr’s director of risk and control, said.
Rather than strictly outsourcing the process, Ayr chose to co-source with an experienced risk advisory practice to collaborate with her team, working directly with them and providing them with additional resources, including other specialists, helpful templates and training tools.
Implementing SOX compliance did exactly what it should do for the company: It helped Ayr identify not only control gaps but also business and IT improvements, including moving from manual to automated controls and centralizing processes. Klein said since starting the initiative, the company has better insight into the business that leadership wouldn’t have otherwise, and Ayr is already starting to look at focus areas outside of internal controls where they could incorporate the function, including in other compliance matters and in its supply chain.
“It’s not necessarily issues that we’re finding, but actually opportunities for us,” Klein said.
Like any other private company going public, Ayr’s is a manual and detective control environment. However, one of the differences for cannabis companies is a lack of available IT systems and interfaces.
“Because we’re a plant-touching vertically integrated cannabis company, it limits the options that we have in terms of our IT stack,” Klein said. “We’ve worked around this with a lot of reconciliation controls and analytics. We’re optimistic that those types of controls will facilitate the next phase of growth for Ayr.”
She added that while the manual, detective controls are working for now, she’s hoping the company can increase its automation and preventive controls in the future.
Today, the company has established narratives, process flowcharts, and a risk and control matrix. Klein’s group has conducted several trainings with management, and importantly, the company is optimistic about the future of its internal controls program.
“It’s helping us from a corporate governance standpoint, in terms of having more robust policies and procedures. We’re always building SOPs, especially around the internal controls for financial reporting,” Klein said. “We have risk assessments. We’ve held trainings throughout the company. Overall, it’s just improving business practices and efficiencies all around the organization.”