Your First Audit: Simple Tips for a Smoother Process

Your startup has officially launched, and you’ve been in business for a while now. At this point, you’re expanding your customer base, protecting your data security, improving your product, and managing your team. You’re also monitoring your balance sheets and making sure that your tax filings are accurate and your reporting procedures are in line with SEC and IRS requirements.

A smart move, because sooner or later, you’ll face your first formal audit.

If you’ve been partnering with an experienced legal team during your launch and initial growth, your team will be there for you on the day you receive notice of your audit. If not, you’ll want to respond with a critical first step: engaging with a team that can help you survive the process with minimal headaches and workflow disruptions.

But what will you do next? In order to make the most of your time, money and resources, you’ll want to prepare your team and organize your documentation as efficiently as possible. Here are a few things to keep in mind.

The importance of scheduling

Within certain parameters, you have the ability to control when your audit takes place, so focus on scheduling before you make a commitment. If you’re behind on some of your active accounts, that’s okay; you’ll just need some time to update your balance sheets. If you haven’t performed an inventory in a while, you may need to do this too. Most important, you’ll need to prepare your staff and organize a workflow and communications structure around the process, and this can take time. Factor these things into your scheduling decisions.

Your PBC list

You can ask your auditors to provide you with a PBC, or “prepared by client” list, which will include all of the documents, flowcharts, process descriptions, accounting records, HR information, and other details that the auditors will need to have in hand in order to do their jobs. Obtaining this list can save time and prevent hassles, since you can review and assemble the items on the list a long time before the audit begins. Once you have your list, provide your team with clear instructions so everyone knows which person will take responsibility for preparing which items.

Clarify issues during your preliminary meeting

In the interest of maintaining your workflows and making the process easier for both the auditors and your company, determine well beforehand how the auditors will obtain the information they need. Will they confer with you only, or will they present certain questions directly to your staff?

Don’t worry, but move quickly

Always keep in mind that auditors (tax, financial, and/or data security auditors) are not your enemies. They are not trying to create problems for your business or hold you back. They’re just looking for compliance gaps, security weaknesses, reporting anomalies or other concerns that need to be identified so they can be addressed and fixed. Work together with your auditors and you’ll have better results. As always, keep your legal team close and you’ll know exactly what to expect and how to move forward.

Five Common Startup Mistakes

The path to successful entrepreneurship can sometimes seem uncharted, and many of the obstacles along the way can seem bewildering and completely original.

But here’s something every business owner learns in time: They aren’t. When a new company stumbles, these stumbles have almost always happened hundreds of times before, often to other entrepreneurs who found a way to resolve the issues and keep moving forward.

The secret to overcoming most common startup challenges isn’t really a secret; it’s just a matter of placing the issue in a context and knowing you aren’t alone. The right legal counsel can help. Here are some very common mistakes that a strong legal team can help you address.


1. Turning to VCs too soon.

Venture capital can be a huge boon for your business, but if you’re not yet off the ground and making money, you may not be ready to reach for this high rung. Explore other options first, and then try this route when you’re able to test, scale and prove your profitability. VC term sheets also vary dramatically. Make sure that when you start talking to VCs, you know what terms you want, and that business interests are aligned.

2. An unscalable business model

A successful business that can attract enterprise clients and investors at all levels should be able to scale in a smooth, elastic way. Make sure your company has built the right systems to ensure the right scalability. If you don’t, the investment money you’ve taken to scale and grow isn't going to do anything.

3. Lack of product diversification

Trusting your entire future to one product or one limited capability can slow your growth later on. Diversify your product and service portfolio to hedge against market trends.

4. Insufficient marketing

Marketing isn’t just about selling your product to customers. You may have total faith in what you produce and you may want to believe your product sells itself, but that’s rarely the case. You’ll need to market your idea (and/or prototype) aggressively from the earliest stages of the process to attract customers. 

5. Hiring the wrong people

At every stage of your growth from the first day to the last, you’ll need to hire competent, personable people who can execute the tasks assigned to them. But at the very beginning, you may also need to hire team members who have the patience to endure ups and downs, the risk tolerance that startups require, and the willingness to accept compensation packages that may include articles of faith, like stock options. If you don’t actively seek these qualities, you may experience expensive turnover.

Setting your Sights on an IPO

Selling securities on a public exchange through an IPO (initial public offering) is a powerful attractor to many new startup founders. Our culture tends to celebrate IPOs as a sign of standard business “success” and this specific milestone definitely carries a certain weight as many companies never last long enough to even consider an IPO.

But not all companies are well advised to pursue this goal, and the rewards involved in the process may not take the shape some founders envision.

Here are a few reasons to consider taking your company public (or at least moving in this direction):

Raising capital

The biggest benefit of an IPO is the ability to access the public markets for capital. If you intend to scale your company to compete with other publicly traded corporations, you absolutely should consider going public.

Liquidity for founders / investors

Another benefit of an IPO is the ability to provide liquidity to founders and investors. Note, though, that many founders and early-stage stockholders will be subject to mandatory lockup provisions prior to the IPO.

Displaying market maturity.

An IPO will boost the company’s profile and set you apart from your competitors, if for no other reason than the difficulty and length of the process. Making a public offering typically means your internal controls are above reproach and you’ve passed every test put to you by compliance auditors.


Going Public: Key Steps

This is by no means a comprehensive checklist, but here are some of the initial steps you’ll need to take after you decide to follow this path:

Find banks who will back you

You’ll need to reach out to institutional investors (banks) who will consider sponsoring your goal. If these banks agree to participate, you’ll sit down with their representatives and create a due diligence checklist together.

File with the SEC

You’ll need to complete a variety of filings with the SEC and provide robust sets of disclosures. These disclosures are a necessary step if you want the public to trust you and believe in your future success.

Preparing for opening trades

Your bank will help you in preparing for the opening trade.

The road to an IPO is long and winding, but the first step is the most important: determining whether or not this decision is right for you.

Starting a new company: Timing

Entrepreneurs—especially first-time entrepreneurs—often feel anxious about the timing of their fundraising rounds and initial launch. And their concerns are sometimes valid. Here are a few timing issues to consider before launching with a new endeavor.


The state of the economy

The “state of the economy” is such a general term that pundits and policy makers can’t agree on a clear set of metrics that define what this really means. Maybe the stock market appears to be struggling as you put your plans together, and a plunge could set you back. Maybe the market is soaring as you prepare your launch, and your grand opening will coincide with an overdue correction. Maybe the job market looks great right now, so you’ll have trouble competing for talented candidates…or maybe the opposite will happen. Maybe consumers are eager to spend, or they’re about to close their wallets in anticipation of lean times. Whatever the global financial forecast looks like as you prepare to start your business, proceed. If you’re ready to go, go. Don’t let something so vague hold you back.

Market competition

If you know or suspect that a better-equipped player in your marketplace is planning a launch that will coincide with yours, it’s okay to factor this into your plans. If you can, move first. Don’t let your competitor race ahead hoping to step in later after the initial spark dies down. Even if you’re entering a marketplace that’s well populated, it’s not a bad idea to check the landscape and make strategic calculations that can leave you with a bit more market share. People open coffee shops and bars every day, and those types of companies have been around for thousands of years. So if your new app only has a couple players in the market, you may be far from a “saturated space.”

The needs of your investors

If you have an investor or potential backer who happens to be subject to timing constraints, work to accommodate that person (or entity). Opportunities for capital don’t come and go easily for most new businesses, so if small adjustments in your schedule or plans can bring you into alignment with your investors, it’s okay to assess the risks involved and then rush ahead or slow down.

Cultural trends

Right now, some games, apps, tools, products and services are heating up. Some are riding a sustained wave. Some are about to peak and fade. Some are making comebacks that didn’t seem likely when they first left the scene. Some are waiting for anticipated comebacks that aren’t showing up. Whatever you have to offer will arrive on the market at one of these highs, lows, or middles on the graph of public interest. But since none of us can predict these rises and falls with perfect accuracy, you’ll need to enter when you’re ready, not wait for the cultural landscape to be ready for you.

And the true artist, the true alchemist, also understands that her entry into the market may be the catalyst that prompts those epic cultural trends.

No company opens its doors onto a world that’s totally predictable and free of risk. But if you’re armed with a strong team, a cool head, and flexible expectations, you’ll be as ready as an entrepreneur can ever be.

Information Security: Do You Have a Risk Management Strategy in Place?

As a startup founder or a new business owner, you place a high value on protecting your data (both customer data and protected business information) from intrusions and vulnerabilities. You may even be pursuing SOC 2 compliance and your data infrastructure and management practices may align perfectly with the requirements of the GDPR, even if your business doesn’t have any European customers or partners.

But compliance and strong protections today don’t necessarily carry over into the future. As technology evolves and your company grows, you may want to develop a flexible risk management strategy that can lead you around unpredictable bends in the road ahead.

A risk management strategy is nothing more than a road map that keeps growth aligned with your business goals and your company’s risk profile.

You may find such a map invaluable when you’re faced with tough decisions two, three, and five years in the future that you can’t anticipate today.

To put a plan together, you’ll need to take three critical steps.


Step One: Assess the information landscape

The first thing you need to do is conduct a “business awareness” phase. What type of challenges are presented by your market? What type of information are you gathering? And what are the risks associated with gathering, collecting, analyzing, or maintaining that type of information? Do a formal analysis of these questions and come up with answers that make sense.

Step Two: Define Your Strategy

Now that you are aware of your business activities, the second thing you need to do is assess your long term plan with respect to information management. What type of information do you expect to be collecting in 1, 3 or 5 years? Will your business practices be different with respect to information analysis? Will your products and services be different, or will you be generating new types of data that you might sell as part of your services?

Step Three: Develop Your Strategy

In this final and most important stage, you’ll want to take your plan and come up with concrete timelines and deliverables, and then, put in place an operational plan where you can best staff the vision you’ve put together. Then, it’s time to execute.

At every stage of the process, you’ll need to make sure that your capabilities and budget can keep up with your vision. If they can’t, you’ll adjust your vision or build up your capabilities.

This is a quick oversimplification of a three-stage process that may require six months or more to complete, but the sooner you obtain the guidance you need and start moving forward, the sooner you can put your road map in place.


Company investment strategies: ICOs and Beyond

In mid-2017, the cryptocurrency market started a dizzying climb, spurred by the seemingly unassailable benefits of blockchain technology and the instant success of one homerun ICO after another.

Coin offerings faced an uncertain regulatory landscape—and they still do—but they seemed to hold wild promise for startups looking for capital. Now it’s 2018, the marketplace is evolving rapidly, and several major crypto currencies have lost value in recent months.

So the question remains: When it comes to startup funding options, are ICOs still worth the risk? And if not, are replacements available? Here are some thoughts on current market practice for the issuance of tokens and other crypto currencies.


SAFT: Simple Agreement for Future Tokens

Some companies are starting to raise millions using this pre-sale method that targets accredited investors. With SAFTs, investors accept promises of tokens—not actual tokens—until the project or company gets off the ground.

We are not fans of the SAFT. The SAFT carries too many unanswered questions, particularly from a tax perspective. When the SAFT converts into the token, is there a tax realization event? If an employee receives a SAFT that vests over time, are they able to file a Section 83(b)? Is the SAFT (which is just a promise to convert into tokens) “property” for purposes of Section 83(b)? How defensible is the typically low valuation on the SAFT that companies are using to replace the illegal pre-sales that were taking place in 2017?

Then of course there are several lingering and unanswered questions about the tokens themselves. Once the SAFT converts into the token, does that token retain its status as a security? If it remains a security, then it will be subject to the myriad of resale restrictions and other prohibitions on tradability that govern all U.S. securities. So what exactly will that token be worth if it can’t be traded?

The SAFT is the purported “best” option in a sea of terrible answers out there. We strongly encourage our clients to avoid SAFTs and to really consider the risks -- both legal and tax -- associated with purchasing one.

Securities Token Sales

Some companies are attempting to fund crypto currency and/or blockchain development by issuing two different types of tokens: one, a security token used to fundraise, and then a second, different crypto currency that the security token will convert into at some date in the future.

We believe this approach carries many of the same legal and tax risks associated with the SAFT. We have doubts that a company can really issue two different tokens, “convert” one token into another, and then maintain tradability of a non-security currency thereafter.

Traditional fundraising combined with currency issuance

Perhaps the safest approach under the securities laws is for a company to do a traditional equity or debt raise (such as a Preferred Stock sale or convertible note raise) and then to use that financing as general proceeds that can go into the development of a bona fide, tradable crypto currency. Holdings of that currency could be held as any other asset of the company.

We believe this is the soundest approach under the current securities laws for companies that are looking to raise money in order to fund currency development.

Direct currency issuance

Our office is exploring with several clients the possibility of directly and immediately issuing tradable, programmable money, as the fastest way to achieve the goal of general tradability of the new crypto currency. Much of this work is confidential, but we would love to explore these issues with serious founders who want to develop a bona fide, tradable programmable money.

Attracting large targets: what enterprise clients need to see before they sign on

For an emerging business, there are going to be some clients that offer more ROI than others, and securing just one enterprise level contract can give a young startup the stability it needs to take risks, innovate, and depart from the status quo.

Once you’ve gained the interest of a global company or dominant force in the industry, you’ll be better positioned to focus on product and service development—not just making ends meet. Here are a few things to keep in mind as you set your sights at the highest level.

Regulation: aggressive reassurance

In 2018, data privacy and security have stepped into the spotlight, and most enterprise companies have no interest in taking risks or cutting corners when it comes to backing startups that handle sensitive data. Of course your GDPR compliance should be as tight as possible (even if you don’t deal directly with many European clients) and if you partner with any organization that handles private health information, your HIPAA compliance will also play a role in attracting larger clients. But don’t wait for audits and close inspections of your platform; boast about your airtight compliance and your willingness to go the extra mile. Data privacy has become more than a box to check off; it now reflects a company’s overall philosophy and approach to doing business. Be proud of the measures you’ve taken and share them proactively.

Develop thought leadership

Your business has to be a thought leader. Have a comprehensive social media strategy that includes content marketing, and make sure your executives are writing and pursuing speaking opportunities (even small local opportunities are excellent places to start). Find ways to position the company within view of your target audience and consumers. Consider every lead.


Invest in account-based marketing and vendor partnerships

It may cost more in terms of both money and time, but consider an account-based marketing strategy for enterprise clients. Instead of offering a standard service package, conduct research and tailor your product and contract details to meet the needs of one specific client at a time. While you’re at it, try to form partnerships with the company’s existing vendors in non-competitive areas. These already-established providers may give you an in or an introduction, and teaming up can give both of you the opportunity to present strategic discounts or service options.

By reaching out to the largest clients in your industry—and arranging meetings with decision-makers at the highest available level—you’ll cover vast ground at minimal cost. Reach out for more strategies that can set you up for rapid, sustainable growth.

Media Outlets and Alternatives to GDPR Compliance

Not all companies have been able to comply with GDPR as of yet; in some cases this has been due to the cost of compliance, and in other cases because these companies simply haven’t figured out how to maintain business models that rely on data sharing. During the long run-up to the GDPR compliance deadline, some companies have chosen to simply opt out of European marketplaces until they can meet the requirements in a cost-effective way. This means closing down access to their sites and services in the European Union.

This may seem like a minor issue for services that provide games or retail products…but what about news media? Several media outlets in the United States, including the Chicago Tribune, the Los Angeles Times, and the New York Daily News (all of which are owned by the same corporation: the Tronc media company) have closed off access to European readers. Their business models, which provide free access in exchange for the use of tracking software that helps them target ads, aren’t compliant with the GDPR. Their solution involves cutting European users from their consumer audience.


Unlike most other compliant news providers, who now post clear disclosures or no longer collect data from European users, these companies—and some TV broadcasters—have dropped them altogether. Could this impact the flow of media and information between continents? Could the change have broader implications for cultural and diplomatic relations between the US and Europe? Will US citizens abroad respond in a way that impacts the bottom line for these companies?

We aren’t sure yet. The GDPR and its compliance requirements have been widely anticipated for almost two years, but questions remain as to why these companies haven’t found ways to adapt.

Not Ready for GDPR? Take Steps to Protect Your Company’s Future.

The long-awaited GDPR compliance deadline has arrived! For practical purposes, almost every company in the US and Europe can now fit neatly into either of two categories: (1) ready, or, (2) not ready. A surprising number of these companies (about 65%, according to a report by Solix Technologies) are placing themselves in the second group.

Right now, those who fail to meet the requirements of the new law may face various penalties, including possible financial penalties up to 20 million euros, or 4% of a company’s global revenue, whichever is higher.

In working with our clients on GDPR compliance, one of the biggest issues we’ve come across is that the regulations are unfortunately quite vague. We are thus advising our clients to err on the side of over protection until further clarity is obtained.

One example of this current vagueness relates to the GDPR’s “right to be forgotten”, a provision that grants data owners the right to have their data permanently deleted once they can no longer identify a compelling reason for that data to remain on file. Here are some of the most widespread and confounding questions posed by data managers on this point:


Will the “right to be forgotten” require all personal information to be purged from all systems, forever and ever?

Some organizations aren’t quite sure if the provision means that all data should be completely removed from existence, and this is a valid question, especially for healthcare providers. Moreover, this total deletion will be based on an explicit request and explicit permission provided by the individual, and some companies aren’t entirely sure what form that explicit request or permission will take.

Must personal data be protected from misuse and unauthorized access at every single stage of the lifecycle?

The answer is technically yes, but establishing a complete audit trail that follows each data point through its lifecycle from beginning to end is proving to be a difficult task for some organizations (especially smaller companies with leaner personnel and budgets). Some company tech leaders aren’t even sure where all sensitive data can be found within their systems, and a complete audit trail including consents, updates, transitions, and deletion is exceeding the reach of organizations that are likely to miss the deadline before they can resolve this issue.

Will companies be penalized for noncompliance even if the violations are unintentional?

According to survey results, some companies are still unsure if the GDPR applies to them, because they aren’t sure how many—if any—of their users and clients are EU citizens covered by the law. Like the questions above, this is a valid concern that isn’t easily resolved. And the mystery deepens for organizations that still aren’t sure where and how all personal information is stored within their own systems.

Despite the long runway leading up to the GDPR deadline, questions remain for a large percentage of organizations that simply don’t know how to proceed or how to get these issues resolved. Answers vary widely depending on each company’s business model and circumstances. If you’re facing these issues, deadline or no deadline, contact us and we’ll address any compliance gaps that still stand in your path.

The GDPR Will Bring Positive and Exciting Changes…But Maybe Not for Everyone.

As the May 25th GDPR compliance deadline inches closer, businesses are scrambling to shore up or rebuild their data security infrastructure. This new set of regulations will serve a seemingly simple and positive purpose: to protect the data of EU citizens and clients who hand over access to that data when they engage with companies online. The law ensures that users and consumers own their personal information and exercise a measure of control over what happens to it, and how it can be used, transferred, or shared. The law has been written and will be enforced by the EU Commission, but since many companies in the US—both big and small—serve EU customers, these companies are complying with the GDPR in ways that bring protections and benefits to their US customers as well.

For example, large entities like Google and Facebook are deciding that it’s more practical to apply these new tighter data protections to all of their users, not just those specifically covered by the language of the GDPR.

So how can this be a negative turn of events? If consumers are notified and informed about their data usage, companies act with greater transparency, alerts are provided in the event of a hack or breach, and consent documents are written in plain language that gives users the right to opt in and out, what could possibly go wrong?


Smaller Companies Struggle to Keep Up

The answer comes from smaller, independent companies and fragile startups who find themselves bogged down financially and administratively by steep compliance requirements. Digital marketing firms, online gaming companies, and other small organizations—especially those with business models that depend on data sharing—may be swallowed up by the changes taking place in this year’s data privacy landscape.

While some may consider this a kind of morality tale—a demonstration of how agility and ethical data management contribute to survival, and detriments in those areas lead to failure—the truth is not so simple. Smaller companies may end up struggling to meet compliance obligations in other markets, clearing the path for larger entities with an already disproportionate hold on market share to dominate. And any change that shifts the balance of success in favor of established firms tends to stifle a climate of opportunity, risk, and innovation.

But this age-old story doesn’t have to play out along the same old lines, and in 2018, smaller firms can certainly find affordable, manageable support as they navigate this challenge. These small firms face several options, including developing innovative changes to their business models and revenue structure, data collection efforts, and other internal programs to better comply.

If the GDPR represents an existential challenge to your company and its future, take action before the deadline.