SOX 404 Costs
According to the final report issued by the Advisory Committee on Smaller Public Companies to the SEC on April 23, 2006, companies with revenue of $5 billion or more spent an average of .06% of their total revenue on Sarbanes-Oxley compliance, whereas companies with revenue of $100 million or less spent an average of 2.55% of their revenue on SOX compliance.3 With fewer resources to bear these disproportionate costs, non-accelerated filers find the new guidelines to be less cost-effective than large corporations, who rely heavily on strong internal controls. With lower income being reported as a result of incurring SOX 404 compliance costs, the result is what many believe to be reduced shareholder value making smaller companies less attractive as investment opportunities than the large corporations.
In a USA Today article dated July 30, 2007, Jim DeBello, CEO of software firm Mitek Systems, discussed the SOX compliance requirements. "We consider ourselves a well-run small business," he stated. "We comply with all SEC requirements and consistently filed our quarterly statements." Mitek expects to earn somewhere between $6 million and $10 million in sales next year. Costs of section 404 compliance are estimated to be at least $600,000 for them, roughly the cost of hiring four new full-time employees, DeBello argues, and "that trickles down to employment, innovation, and our ability to grow."
Along with actual costs come the effects of opportunity costs associated with these new guidelines. Michael Ryan of the U.S. Chamber of Commerce noted, "The amount of time [that] management is spending on the process to comply with Sarbanes-Oxley takes them away from running the business, increasing sales, and developing new products." Ryan also argues that SOX diminishes auditor's professional judgment because of fears of second-guessing by regulators. He says SOX "runs the risk of creating a culture of avoiding risk, and that bleeds over from the issue of trying to eliminate wrongdoing."4
Impact on Non-Accelerated Filers
Non-accelerated filers have been making adjustments to comply with the newly-issued SEC guidelines of Sarbanes-Oxley 404, but not with ease. Herb Wander, Chairman of the SEC's Advisory Committee on Smaller Public Companies and partner at the law firm of Katten Muchin Rosenman LLP , suggested, "what's going to be hardest for them is, I think, trying to sift through the varying interpretations and new rules to try and come up with a workable system that works for them and will satisfy their auditors."5 For example, in the past, there has been a reliance on outside auditors to be part of the internal controls environment and interpret new standards in order to provide guidance to management of smaller companies. Now, SOX 404 guidelines make it clear that management will need to internalize these controls.
While many are opposed to SOX section 404, others are very positive about the legislation. They argue that the costs of implementation will decrease after the first year, and in the future will be beneficial. Non-accelerated filers may incur disproportionate costs in order to "internalize" some of their controls, however, there are benefits to be gained from this. Better customer service, reduced borrowing costs, efficiency, and consistency of reputation are all expected from stronger internal controls, potentially leading to a greater stockholder value. Therefore, while SOX 404 is initially expected to have a negative impact on income, it is reasonable to expect a positive impact in the years to follow.
Further Extensions
Recently, the U.S. House of Representatives approved an amendment to extend the filing deadline again for smaller public companies. If passed by the Senate and then signed by President George W. Bush, the deadline would be moved to September 30, 2008. The SEC has already postponed this deadline twice for smaller firms and has stood by the December 15th deadline after releasing guidelines to cut compliance costs in May. Lawmakers agree that the guidelines approved in May were an important step in cutting costs, but they still do not believe they were enough.
Jeffrey Mahoney, general counsel for the Council of Institutional Investors told Governance Weekly that this measure would hurt investors, who have been waiting for better quality financial reporting from small and mid-size companies. "These [smaller companies] are where most of the fraud exists and where most of the restatements have taken place," Mahoney said. "I think they need these controls, and it is long past due to have them in place."6 Regardless of potential further extensions, non-accelerated companies should take advantage of the current guidance and begin their implementation projects.
Marcum & Kliegman's Recommendation for Implementation
Based upon the SEC's Final Interpretive Guidance for Management to improve SOX 404 implementation, there is an opportunity to make the process more efficient. The guidance highlights three general principles (in bold) and four specific principles (in italics) as areas of improvement. Using a top-down, risk-based approach, management needs to focus on risk and materiality, as well as on controls that are needed to prevent or detect material misstatements in the financial statements. In actuality, not every control in the process needs to be documented, only the controls that address the risk of a material misstatement. Management should also tailor the amount of evidence needed to determine operating effectiveness based on the risk of material misstatements. This guidance will allow management to use a variety of cost effective ways to evaluate the operating effectiveness of its controls. It also has a deficiency evaluation framework for evaluating deficiencies and outlining the material weaknesses. Finally, management will be allowed greater flexibility in the documentation of its evidence and testing. Documentation may consist of many different forms. For example, for high risk processes, documentation will remain the same under the new guidance. However, for moderate and low risk processes, documentation may be reduced — for example, through less detailed flowcharts or no flowchart, respectively. For testing, the nature, timing, and extent of what is tested will be impacted by the level of risk.
Conclusion
Small companies should coordinate with their SOX 404 consultants, external auditors, and other key stakeholders to ensure that implementation is efficient as well as effective. While there are certainly costs to implementing SOX, benefits can be obtained by making SOX a sustainable process and embedding it in the way business is conducted. As former Maryland Senator Paul Sarbanes, who was the principal draftsman of the law, reminded all public companies, small and large, going public is no cakewalk. "Companies that go public need to understand not only the benefits, but the responsibilities. It's not just a free ride."7
For further information and to discuss how Marcum & Kliegman may assist you with your Governance, Risk Management, and Compliance needs, contact Donald Browne at 212 981 3197.
End Notes
1. Sullivan, Thomas M. "Office of Advocacy - Letter Dated 05/25/07." SBA. 27 May 2007. Small Business Administration. 8 Aug. 2007 <www.sba.gov/advo/laws/comments/sec07_0525.html>.
2. Aguilar, Melissa K. "Final 404 Guidance Out; Small Cos. Now Included." Compliance Week July 2007: 12+.
3. Final Report of the Advisory Committee on Smaller Public Companies to the U.S. Securities and Exchange Commission. Securities and Exchange Commission. Washington DC: SEC, 2007. 33. 1 Aug. 2007 <sec.gov/rules/other/33-8666.pdf>.
4. Farrell, Greg. "Sarbanes-Oxley Law Has Been a Pretty Clean Sweep." USA Today 30 July 2007, sec. Money.
5. Schmidt, Kathrine. "Small Businesses Now Bracing for Hurricane SOX." Compliance Week July 2007: 45+.
6. Schmidt, Kathrine. "Small Businesses Now Bracing for Hurricane SOX." Compliance Week July 2007: 45+.
7. Farrell, Greg. "Sarbanes-Oxley Law Has Been a Pretty Clean Sweep." USA Today 30 July 2007, sec. Money.