Despite the recent slowdown in the once-manic pace for public offerings via a special purpose acquisition company (“SPAC”) merger, pressure remains for many recently formed SPAC entities to acquire a target. Consequently, middle-market higher-risk companies are still pursuing SPACs as a viable route to a public offering. Companies thinking about going public via a SPAC should be prepared just as they would if they were considering a traditional IPO. This includes putting internal controls in place to meet public company reporting timelines. The challenge with SPACs is the accelerated timeline, where a SPAC transaction can close within 3-4 months versus traditional IPOs which might take years. This means companies have significantly less time to identify the organization’s risk exposures, establish and document their internal controls, as well as ensure risk is mitigated by internal controls and that the internal controls are operating as designed.
Many newly public companies completed via SPAC use forward-looking statements about their target company’s financial performance which is not permitted under a traditional IPO. This has led to exaggerated growth projections for high-profile companies, many of which have not yielded the returns promised. In response, the SEC proposed new rules in March 2022 that would impose additional disclosure requirements on SPAC IPOs, as well as in business combinations involving SPACs (“de-SPACs”). The proposed rules underscore the SEC’s goal of protecting investors and closing loopholes that companies avoided by seeking a SPAC merger compared to a traditional IPO, including the requirement for target entities to be co-registrants on a registration statement.
Sarbanes-Oxley Act of 2002 (“SOX”) Compliance and Reporting Considerations
SPAC transactions target private companies, and the management at these companies is responsible for compliance with the Sarbanes-Oxley Act of 2002 (“SOX”). Before filing for an IPO via SPAC, management should follow several steps required to become SOX compliant. They should be prepared to evaluate and disclose material changes to its Internal Control Over Financial Reporting (“ICFR”) on a quarterly basis. This includes the initial design of their internal control structure, as well as an assessment of risks and strengthening of the internal control structure. They should also be prepared to provide quarterly disclosures and certification from key executives that Disclosure Controls and Procedures (“DCPs”) are effective.
Section 302 of SOX states that the CEO and CFO of the company are responsible for the accuracy, completeness and submission to the SEC of all quarterly and annual reports, as well as the company’s DCPs. The CEO and CFO should also disclose to the company’s auditor and audit committee all significant deficiencies and material weaknesses in ICFR and any fraud that involves management or other employees who have a significant role in ICFR. Section 302 is required for target companies after a de-SPAC transaction as soon as the company’s first quarterly SEC filing.
The timing of a SPAC merger during the calendar year is important to note, as once the company has gone public, SOX Section 404(a) requires management to evaluate the effectiveness of ICFR on an annual basis starting with its second annual report. If the SPAC has previously filed its first Form 10-K, the combined entity’s subsequent Form 10-K would be considered its second annual report and the target would be required to meet the requirements of Section 404(a). This may not initially require an external audit of internal controls but would require the company to perform a risk assessment and internal test of controls for design and operating effectiveness. This can be challenging for companies to perform, especially if the SPAC merger closes close to a calendar year-end.
Begin Planning Early and Address Change Management to Implement Best Practices
Regardless of the timeline for the adoption of the new SEC rules, the supply of capital in SPACs is still plentiful. Founders and senior management of companies intending to go public via SPAC must plan ahead to avoid any delays. They should implement internal controls to mitigate risks and ensure SOX compliance. BPM’s Risk Assurance and Advisory Practice helps companies understand the timeline and critical dates associated with SPAC transactions and perform a comprehensive risk assessment to ensure companies are ready with a thorough plan of action. We also help companies address change management and its impact on SOX readiness and compliance. Our professionals collaborate with founders and senior management to mitigate potential risks specific to their industry and company size, while providing industry-leading best practices.