Note: This article is part of a series on risk areas that internal audit teams should consider for their risk assessment and audit planning for and throughout 2025. Other articles in the series cover risk trends in specific industries and more broadly.
The cannabis industry is rapidly evolving and presents complex opportunities and challenges. For internal audit teams to successfully navigate this dynamic landscape, they must have a holistic understanding of the key legal and regulatory compliance, financial, operational, and technology risks that can affect businesses. By working toward such an understanding, internal audit professionals can approach and mitigate various risks proactively and help businesses thrive in an ever-changing environment.
In 2025, federal legalization or rescheduling of cannabis in the U.S. continues to be an ongoing battle, with political forces on both sides exerting tremendous influence on the likelihood and timing of regulatory action. The recent change in U.S. presidential administrations has led to a period of uncertainty regarding where the industry might be heading. Understanding key risks affecting the industry from a legal and regulatory perspective is critical for internal audit functions to effectively evaluate how their organizations assess these risks and implement the necessary safeguards to navigate them.
In the U.S., cannabis is regulated at the state level – an approach that differs from other countries. For example, Canada has federal legislation uniformly governing the cultivation, distribution, sale, and possession of medical marijuana. Even though approximately 40 states have now legalized adult-use or medical marijuana, marijuana remains illegal under U.S. federal law.
Marijuana is listed as a Schedule I drug under the Controlled Substances Act (CSA). Federal law defines Schedule I drugs as substances or chemicals that have a “high potential for abuse,” that have “no currently accepted medical use in treatment in the U.S.,” and for which there “is a lack of accepted safety for use of the drug or other substance under medical supervision.”
Further, irrespective of various states authorizing and regulating marijuana in direct conflict with the CSA, any possession, use, cultivation, and transfer of cannabis and any related drug paraphernalia remains illegal in the U.S. Strict compliance with state and local laws with respect to marijuana does not provide protection against, or a defense to, any U.S. federal proceeding brought against companies operating in the U.S.
Over the last decade, as more states have legalized medical and adult-use marijuana, the federal government has attempted to provide clarity on the incongruity between federal law and state-legal regulatory frameworks. Cannabis companies must closely track regulatory requirements, such as lab testing, on a state-by-state basis. Guidance such as the Cole Memorandum initially provided some direction, but as federal administrations have changed over time, so has the direction provided to businesses. For example, during the first Trump administration, then-Attorney General Jeff Sessions rescinded the Cole Memorandum in January 2018. Just a few years later, Merrick Garland, Attorney General during the Biden administration, expressed that the Department of Justice (DOJ) would revert to following the guidance laid out in the Cole Memorandum. Today, under the second Trump administration, it remains uncertain how the DOJ will treat cannabis businesses that are legal at the state level.
The cannabis industry is also subject to an array of taxes. In addition to property, payroll, sales and use, and marijuana excise taxes – which can have different rules for each state and local jurisdiction – cannabis businesses are subject to IRC Section 280E of the U.S. tax code. Section 280E disallows business deductions, which compels businesses to pay income taxes based on gross income rather than net income after deductions. As the complexity and magnitude of taxation increases across each state and municipality, so does the risk of increased illicit markets, which undermines sales from legitimate cannabis enterprises. Additionally, decriminalization of cannabis across cities and states creates another layer of complexity for the industry.
In April 2024, the U.S. Drug Enforcement Administration (DEA) agreed with a 2023 recommendation from the U.S. Department of Health and Human Services (HHS) to reschedule cannabis to a Schedule III substance under the CSA. On Dec. 2, 2024, the DEA held a preliminary formal hearing regarding the rescheduling of cannabis. Future hearings were scheduled and then subsequently canceled by the chief administrative law judge presiding over the matter. The judge also ordered a stay in the proceedings, pending a resolution of an interlocutory appeal to the DEA.
These delays, as well as uncertainty regarding the current presidential administration’s views and priorities regarding cannabis, lead many in the industry to believe that change in the regulatory environment at the federal level is still far off. However, the prospect of rescheduling in general represents a step forward for the industry. As proposed, the scheduling change would allow cannabis businesses to be freed of the prohibitions under Section 280E and lead to a lower income tax burden and greater profitability.
In addition, rescheduling also could provide greater opportunities for further research on the medical benefits of cannabis, increase the availability of marijuana-based pharmaceuticals, and affect the likelihood of banking reform through regulatory actions such as the potential passage of the SAFER Banking Act. Among other benefits, this act would create a safe harbor for depository services allowing for operations in alignment with both state and federal anti-money laundering laws.
However, what rescheduling would not do is legalize cannabis in the U.S. Legal cannabis businesses across individual states would still operate in a federally illegal manner, as they are today. Despite any major decisions being months (if not years) away, legal and regulatory compliance trends are moving in a positive direction for the industry.
In 2025, the cannabis industry will continue to encounter significant challenges and risks that affect financial operations and performance. Due to the current legal standing of cannabis, most federally chartered financial services organizations view the risks and costs associated with providing banking services to the industry to be too significant for them to take on. As a result, cannabis companies have limited options for banking services and funding sources, which leads to higher interest rates and costs of capital, as well as highly cash-intensive operations.
Further, continued focus on merger and acquisition (M&A) activity as a source of growth can be a risky proposition for acquisition targets that do not have consistent accounting and financial records. Understanding these risks is essential for internal auditors to help prevent and detect fraud and promote organizational resilience.
Lack of access to banking or investment capital is regularly cited by cannabis businesses as one of their most significant challenges. Due to the federally illegal status of cannabis and the regulatory impacts on any banking services provided to the cannabis industry, most federally chartered banks have not invested to build out the robust and costly programs necessary to provide services to cannabis businesses, thus limiting their options for banking, investing, lending, and payment processing. While the numbers continue to slowly increase, only a fraction of banks and credit unions are actively providing banking services in the industry. Banks that are willing to work with cannabis businesses tend to impose higher interest rates, additional fees, and compliance burdens on these customers to balance their required investment and own regulatory burden for providing cannabis banking services.
Debt financing is often preferred by many cannabis companies as compared to equity financing in which ownership stakes are diluted when raising capital. However, this reliance on debt has also led to as much as $3 billion coming due for major U.S. cannabis operators by the end of 2026. This situation presents liquidity concerns for an industry that has seen profitability challenges stemming from the slowdown of rescheduling proceedings and the failure of recreational marijuana legalization in certain states, most notably Florida. As a result, many companies might focus on renegotiating and refinancing their debt, likely at the expense of even higher interest rates and more lender control and requirements. If refinancing is not an option and liquidity challenges persist, cannabis companies face the additional obstacle of operating in a federally illegal industry that, as a result, does not have access to bankruptcy courts and Chapter 11 protection.
In addition, the lack of federally chartered banks that offer services to cannabis companies has led many organizations, especially multistate operators, to use multiple state-chartered banks. As most of the banks working with the industry are state-chartered and only able to do business within certain states, cannabis companies might need to work with a different bank in each state of operation. These banks, to mitigate their own risk in working with the cannabis industry, might limit the amount of cannabis funds they will hold, which causes larger businesses with significant cash reserves to need additional banks.
While there are benefits to diversified banking (more balances covered by Federal Deposit Insurance Corp. limits and spreading the risk in case of bank failures), more administrative work is involved. When using many banks, cannabis businesses must track compliance requirements and integrate systems for each bank in their operations. For example, when an employee with bank access leaves the organization, the cannabis entity must work across all banks providing banking services to update records and access authority, which can be an effort-intensive activity. The business’s treasury and accounting departments must coordinate movement of funds between banks to cover expenditures that might be coming out of other banks, all of which creates more opportunities for fraud and errors. Additionally, the business’s treasury functions must have documented policies regarding authorizations for signers, access to accounts, and cash movement.
While potential exists for more financial networks and options to open to the cannabis industry through the passage of proposed legislation such as the SAFER Banking Act, the timing of any future initiatives and their adoption by large financial services organizations is uncertain.
As retail cannabis sales have grown to exceed tens of billions of dollars per year, the industry remains largely cash based, due both to limited banking options and limited payment options for customers. While some cashless ATM, PIN debit, and app-based solutions are available to the industry, various issues with dependability, system integration, and customer acceptance mean that cash remains the primary payment medium in most dispensaries. Being cash based increases fraud and error risk as cash is easily appropriated by employees and is subject to counting errors at the time of the sale as well as during closeout and deposit preparation processes. Many cannabis wholesalers continue to accept cash as a payment on wholesale orders, which means the entity might accept cash payments of $10,000 or more and is therefore subject to Form 8300 reporting to the IRS.
A significant number of professional services firms and providers (such as investment firms, accounting and consulting firms, payroll companies, and software companies) will not work with businesses in the cannabis industry due to potential regulatory and financial impacts on their business aligned to the provision of services to cannabis entities. Additionally, many insurance providers will not insure cannabis businesses and their assets. These challenges, based upon the current status of cannabis as a Schedule I controlled substance, create a lack of service providers, which leads to less choice among those that are willing to take on the risk, less competitiveness in pricing, and, in some cases, a lack of providers that can perform at the level the business needs.
This issue also is significant in the case of financing partners, given the limited number of banks or lenders set up to work with the cannabis industry. Cannabis businesses then turn to alternative financing that might have significantly higher interest costs than more traditional financing and greater complications from both an accounting and administration perspective.
While the rate of M&A activity has slowed in the current macroeconomic environment, many businesses are struggling with the impacts of past acquisitions. Quality due diligence in the form of legal reviews, accounting reviews, and quality of earnings reviews provides valuable information that can help businesses avoid unknown liabilities, confirms that pricing is appropriate, and allows for a better forecast of combined financial performance. A target might not use the same accounting policies as an acquirer or might not have the expertise needed to identify complex accounting matters, such as variable interest entities or embedded derivatives, which can have significant financial impacts. Differences in accounting policies as well as the impacts of purchase accounting can cause the combined company to yield drastically different results on an accounting basis than the stand-alone entities combined. For instance, if the acquirer amortizes its license intangibles and the target considers those as indefinite lived assets, when the intangibles are reflected at fair value in the opening balance sheet and then begin to amortize, they could significantly affect the combined company’s income statement. Additional liabilities of a tax, legal, or contractual nature might not be properly recorded and might lead to higher future expenses and cash outflows than predicted, based on a review of only the target’s financial statements.
Because cannabis is still listed as a Schedule I controlled substance in the U.S., many cannabis businesses that fully operate in the U.S. are registered in Canada, which means they must comply with the regulations of multiple jurisdictions. In the case of publicly traded cannabis businesses, the stock is traded on the Canadian exchanges and the business might be filing financial reporting with both the Securities Exchange Commission (SEC) in the U.S. and with Canadian securities authorities. Generally, the Canadian authorities accept an adjusted version of the SEC filings, but additional regulations or reporting requirements could be involved.
Cannabis businesses that are registered in Canada begin their financial reporting using International Financial Reporting Standards (IFRS) but could convert to generally accepted accounting principles (U.S. GAAP) later. There are several differences in the accounting standards, but the most significant to the industry are the rules governing the valuation of agriculture inventory (biological assets). Under IFRS, this inventory is adjusted to fair value each reporting period, which can generate significant swings on the income statement from period to period due to revaluation. Under U.S. GAAP, this inventory is valued at the lower of cost or market and not revalued under normal circumstances, eliminating the variability from the constant revaluation of the inventory and lessening the noise for investors. The conversion from IFRS to U.S. GAAP can be a significant undertaking, as multiple periods must be restated, and is even more burdensome if coupled with a transition to SEC reporting.
The operational risk landscape in the cannabis industry for 2025 requires careful attention from internal audit teams. Quality control, product testing, and complex supply chains present challenges for cannabis companies both from a consumer demand and regulatory perspective. Additionally, the cash-intensive nature of the industry presents risks related to workplace safety as well as employee theft. Internal audit teams should prioritize operational risks and emphasize developing effective solutions.
Because cannabis is illegal at the federal level, no universal testing laws currently exist with which cannabis companies must comply, which results in a patchwork of testing regulations established and maintained by each state. While many states do have stringent standards and require ISO 17025:2017 accreditation, testing methods and contaminant testing requirements can vary widely. Some states require rigorous demonstration of testing requirements before issuing licenses to testing laboratories, whereas others issue preliminary licenses prior to review. In addition, the diverse variety of cannabis products produced and sold complicates the process of implementing testing standards, as each product type should require its own unique testing method. These nuances across markets can create considerable challenges for cannabis companies that are trying to understand what their compliance obligations are across their footprint.
In addition to a complex regulatory environment, considerable fraud risks exist, from growers colluding with labs to doctored certificates of analysis with clean test results or inflated THC numbers and, in the clinical setting, falsified claims for larger payouts from insurers. Cannabis companies must conduct the appropriate level of due diligence prior to engaging and contracting with any laboratory. Any discovery of potential wrongdoing by a testing lab often leads to product recalls, which can cause considerable reputational damage as well as financial loss.
As with any agriculture-based business, growing cannabis successfully depends on the size and quality of crop yields. While the number of indoor cultivation businesses is expected to grow over the next few years, a considerable number of businesses have opted to establish and maintain operations outdoors. Both options come with benefits and drawbacks. For indoor growers, a positive is that total control can be maintained over the growing environment, which can lead to higher quality yields and higher revenue per square foot of cultivation space. The downside of an indoor operation is that it is extremely capital intensive to build or renovate a facility. In addition, the ongoing costs to maintain a growing facility to make sure environmental conditions are adequate (such as supplies of water, electricity, and irrigation) can be very costly over time. Such overhead costs are drastically reduced with an outdoor operation, and cannabis grown in its true environmental setting can help the plant to reach its full genetic potential and terpene quality. However, being exposed to the elements puts cannabis yields at risk of extreme weather patterns ranging from wildfires to early freezes, and unpredictable climate changes have prompted some outdoor growers to reconsider their approach.
Like companies in other retail industries, cannabis companies are at risk of theft and loss from their employees. However, the cannabis industry is uniquely at risk due to the cash-intensive nature of the industry and the heavy regulatory environment in which it operates. With a vast majority of retail transactions occurring through exchanges of physical cash, it is common for a retail dispensary to have tens of thousands of dollars on hand at a given time. If internal controls for reconciling and handling cash are lax or not performed, there is a greater risk of employees skimming or stealing cash without detection. Further, retail dispensaries are common targets for robbery or external theft, which presents a physical security and workplace safety risk for dispensary employees.
To combat these risks, cannabis businesses can consider designing robust internal controls over cash and inventory counts and reconciliations and investing in technology such as a point-of-sale system to manage product tracking. In addition, businesses can invest in adequate physical security measures, including, but not limited to, quality lighting and video surveillance systems, safes and vaults for storing cash, and hiring trained, armed guards to be on-site during hours of operation.
The cannabis industry encounters supply chain risks throughout the life cycle of the product, from cultivation at the growing facility through the sale to an end customer at the retail dispensary.
One of the top supply chain limitations that cannabis companies face is the inability to transport freely. Transporting cannabis internationally or across state lines is a felony because cannabis is considered a Schedule I drug under federal law. Additionally, transporting cannabis internationally or across state lines can result in seizure and impounding of vehicles and equipment, large fines, or imprisonment. Multistate operators especially can encounter frustration when inventory shortfalls or poor yields in one state cannot be rectified or mitigated through an intercompany transfer of inventory from a neighboring state.
Similarly, the cannabis industry has been long challenged with the procurement of raw materials, tools, equipment, and other supplies for its operations, particularly those imported from foreign suppliers, due to the illegal status of cannabis at the federal level. As a result, many cannabis businesses have developed a complex labyrinth of supply chain partners while also assuming the risk of seizure, penalties, and criminal prosecution.
Even with a growing number of local and state jurisdictions moving toward legalization of medical and recreational marijuana products, U.S. Customs and Border Protection (CBP) has remained steadfast in its enforcement of seizing imports that could be used in the production of cannabis, primarily based on the supremacy clause of the U.S. Constitution. The industry has seen some potential easing of this challenge in Eteros Technologies USA, Inc. v. United States, which rebuked CBP’s position and could help pave the way for more direct importation from foreign vendors. However, even considering this development, the overall risk of trade compliance for cannabis companies remains high.
Technology risks present a unique set of challenges for internal auditors in the cannabis industry largely due to the regulatory environment. Cybersecurity concerns are increasing because some systems lack sufficient security controls. Specifically, many systems common to the cannabis industry do not have System and Organization Controls (SOC) reports that are available to cannabis companies, which presents significant compliance risk. A further complication that internal audit teams must consider is that cannabis companies sometimes manage protected health information (PHI) of medical cannabis patients, which is subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA).
The cannabis industry is still in its infant stages of development, particularly when it comes to the systems and applications designed to support its unique operational needs. State-mandated seed-to-sale systems and industry-specific point-of-sale applications are critical in managing compliance with state regulations, tracking product from cultivation to its sale to an end customer, and managing customer interactions. However, they often lack the robustness and proven track record of applications prevalent in more mature industries.
One of the primary risks associated with these systems is their potential lack of comprehensive security features, which can make them vulnerable to cyberattacks. As the cannabis industry often deals with sensitive personal data, including assorted customer information and health information for medical patients, a security breach or data leak could have significant consequences, including loss of customer trust, regulatory fines, and business disruptions. Additionally, these systems might not yet fully integrate with other business applications, which results in data silos and inefficiencies. This lack of integration can result in manual data entry, increasing the likelihood of human error and affecting the reliability of the data used for critical business decisions.
Moreover, the rapid evolution of cannabis regulations creates a moving target for compliance. Systems must be agile enough to adapt and meet new regulations. Compliance risk in the cannabis industry is further compounded by the lack of SOC 1 Type 2 reports for many cannabis-specific systems. The absence of adequate SOC reports presents a significant compliance risk as there is no available third-party validation of their systems’ reliability. This gap can lead to increased audit procedures, as auditors might need to perform additional tests or engage specialists to assess the software providers’ controls directly, which can result in higher costs and potential delays in financial reporting. To mitigate these risks, cannabis companies should engage with system providers to understand the existing controls and advocate for the pursuit of SOC reports. In the meantime, businesses can strengthen their internal controls through frequent reconciliations, segregation of duties, and internal audits to verify the integrity of financial data. By proactively addressing these issues, companies can maintain trust with stakeholders and uphold the accuracy of their financial reporting amid the absence of external assurance.
While cannabis-specific systems and applications are essential for the industry’s growth and regulatory compliance, they are not without considerable risks. Companies must implement robust security measures and contingency plans to mitigate potential system failures. As the industry matures, these systems will as well, and other applications might become available to meet the unique operations of the industry. Until then, businesses must be vigilant in managing the risks associated with their use.
The cannabis industry is especially at risk of cyberattacks because of its historical volatility and general lack of cybersecurity sophistication, resulting in potentially critical incidents such as data breaches, ransomware, and phishing attacks.
Data collected by cannabis companies, including personally identifiable information (PII) and proprietary information, can make companies high-value targets and increase the likelihood of attack. Breaches of PII or proprietary information can lead to reputational and financial losses. Data breaches can occur when data is stored without appropriate controls in place for who can access data and how it can be managed. Strong controls must be implemented in the environment, including complex password standards, implementation of data loss protection technology, and due diligence of third parties and recent acquisitions.
Ransomware attacks are a growing concern. For cannabis companies, ransomware attacks can occur because of a lack of safeguards, such as monitoring access on a periodic and consistent basis. Sufficient monitoring also needs to be performed over endpoints and servers to identify potentially abnormal processes and over network traffic to identify excessive activity or communications between devices that should not be in contact. Excessive privileges and access in the environment, for both administrators and general users, can lead to malicious actors encrypting drives on important company infrastructure and shutting down operations, which can be exacerbated by the absence of offline backups. These gaps in security can be covered in part by implementation of strong monitoring and access review standards along with the necessary technology to facilitate those activities.
Email systems are also high-value targets. Sneaking in malicious software through email to gain further access to a system, or phishing, has significantly increased in recent years, and phishing emails have improved in their sophistication, which makes them increasingly hard to distinguish from legitimate communications. A compromised email can become the launch point for many other attack vectors into the internal network of a company. Cannabis companies are high-value targets due to the sensitive data they collect as well as the perceived weakness in security structures of the applications commonly used in the industry. To mitigate this risk, companies should create security standards and train employees in how to follow them. Email systems themselves should be configured to not allow any sort of relaying or spoofing, which can harm a company’s reputation.
While HIPAA compliance is not required by law for medical cannabis companies, an industry best practice is that cannabis companies maintain compliance with HIPAA in order to promote a culture of compliance and protection of sensitive information. In addition, compliance with HIPAA can bring the added benefit of further securing company data, as the legislation requires technical, physical, and administrative controls to safeguard PHI.
Medical cannabis companies might struggle with compliance due to the large amount of oversight that is required. Regular risk assessments – a HIPAA requirement – conducted by professionals who understand the law are the best method to identify gaps in compliance. Identifying and resolving gaps can bolster company security, not just regarding HIPAA but across the digital regulatory landscape.
For internal audit teams supporting cannabis companies, understanding the top risks and challenges affecting the industry is a critical step in strategic planning. While risks are present in any industry or organization and cannot be eliminated entirely, they can present an opportunity for organizational growth and differentiation via an effective internal audit strategy. Solution leaders and internal audit teams in the cannabis industry can equip themselves with an elevated understanding of these risks and develop a strategy to combat them.
Crowe disclaimer: Qualified organizations only. Independence and regulatory restrictions may apply. Some firm services may not be available to all clients. Given the continued evolution and inconsistency of various state and federal cannabis-related laws, any company should seek competent legal advice relating to its involvement in the cannabis industry, including when considering a potential public offering as a cannabis-related company.