SOX 404 Deadline LoomsDonald Browne
December 7, 2007 — 1,839 views
This article was previously published in SEC Insights which is available at www.MKLLP.com.
As the clock winds down on the December 15, 2007, deadline for managements’ internal control assessment, nonaccelerated filers are scrambling to comprehend and utilize the SEC’s Final Interpretive Guidance regarding management’s report on internal control over financial reporting. This guidance has an effective date of June 27, 2007 and is intended to ease the compliance implementation requirements of Section 404 (SOX 404) of the Sarbanes-Oxley Act. Nonaccelerated filers, as smaller companies, may face disproportionate costs related to SOX 404 compliance when compared to accelerated filers. After months of waiting for yet another extension, the time has come for nonaccelerated businesses to utilize the new guidance in their initial efforts to comply with SOX 404 and hopefully reduce the expected costs.
The U.S Senate Committee on Small Business and Entrepreneurship has been fighting for the SEC to implement an extension for smaller businesses to comply with SOX 404, but more specifically: (1) to clarify major provisions in the new guidance, (2) to examine the cost-effectiveness of the proposals and (3) to allow small public companies to apply these new provisions. These recommendations were declared by Senators John Kerry (D – Massachusetts) and Olympia J. Snowe (R – Maine), hairman and the ranking member respectively, of the Committee, who have been integral voices for these entities.1 Over the past few years, after unpleasant episodes with Enron, Tyco and WorldCom, public companies have taken major steps to develop their internal controls in order to improve the quality of financial reporting. In the July 2007 issue of Compliance Week, Senator Snowe noted that the SEC “…has provided no assurances that the new internal controls rules will actually reduce costs for small public companies.”2
SOX 404 Costs
According to the final report issued by the Advisory Committee on Smaller Public Companies to the SEC on April 23, 2006, companies with revenue of $5 billion or more spent an average of .06 percent of their total revenue on Sarbanes-Oxley compliance, whereas companies with revenue of $100 million or less spent an average of 2.55 percent of their revenue on SOX compliance.3 With fewer resources to bear these disproportionate costs, nonaccelerated filers find the new guidelines to be less cost-effective than large corporations, who rely heavily on strong internal controls. With lower income being reported as a result of incurring SOX 404 compliance costs, the result is what many believe is reduced shareholder value making smaller companies less attractive as investment opportunities than the large corporations.
In a USA Today article dated July 30, 2007, Jim DeBello, CEO of software firm Mitek Systems, discussed the SOX compliance requirements. “We consider ourselves a well-run small business,” he stated. “We comply with all SEC requirements and consistently filed our quarterly statements.” Mitek expects to earn somewhere between $6 million and $10 million in sales next year. Costs of section 404 compliance are estimated to be at least $600,000 for them, roughly the cost of hiring four new full-time employees, DeBello argues, and “…that trickles down to employment, innovation and our ability to grow.”
Along with actual costs come the effects of opportunity costs associated with these new guidelines. Michael Ryan of the U.S. Chamber of Commerce noted, “The amount of time [that] management is spending on the process to comply with Sarbanes-Oxley, takes them away from running the business, increasing sales and developing new products.” Ryan also argues that SOX diminishes auditor’s professional judgment because of fears of second-guessing by regulators. He says SOX “runs the risk of creating a culture of avoiding risk, and that bleeds over from the issue of trying to eliminate wrongdoing.”4
Impact on Nonaccelerated Filers
Nonaccelerated filers have been making adjustments to comply with the newly-issued SEC guidelines of Sarbanes-Oxley 404, but not with ease. Herb Wander, chairman of the SEC’s Advisory Committee on Smaller Public Companies, and partner at the law firm of Katten Muchin Rosenman LLP, suggested, “…what’s going to be hardest for them is, I think, trying to sift through the varying interpretations and new rules to try and come up with a workable system that works for them and will satisfy their auditors.”5 For example, in the past, there has been a reliance on outside auditors to be part of the internal controls environment and interpret new standards in order to provide guidance to management of smaller companies. Now, SOX 404 guidelines make it clear that management will need to internalize these controls.
While many are opposed to SOX section 404, others are very positive about the legislation. They argue that the costs of implementation will decrease after the first year, and in the future will be beneficial. Nonaccelerated filers may incur disproportionate costs in order to internalize some of their controls, however, there are benefits to be gained from this. Better customer service, reduced borrowing costs, efficiency, and consistency of reputation are all expected from stronger internal controls, potentially leading to a greater stockholder value. Therefore, while SOX 404 is initially expected to have a negative impact on income, it is reasonable to expect a positive impact in the years to follow.
Recently, the U.S. House of Representatives approved an amendment to extend the filing deadline again for smaller public companies. If passed by the Senate and then signed by President George W. Bush, the deadline would be moved to September 30, 2008. The SEC has already postponed this deadline twice for smaller firms and has stood by the December 15th deadline after releasing guidelines to cut compliance costs in May. Lawmakers agree that the guidelines approved in May were an important step in cutting costs but they still do not believe they were enough.
Jeffrey Mahoney, general counsel for the Council of Institutional Investors told Governance Weekly that this measure would hurt investors, who have been waiting for better quality financial reporting from small and mid-size companies. “These [smaller companies] are where most of the fraud exists and where most of the restatements have taken place,” Mahoney said. “I think they need these controls and it is long past due to have them in place.”6 Regardless of potential further extensions nonaccelerated companies should take advantage of the current guidance and begin their implementation projects.
Marcum & Kliegman’s Recommendation for Implementation
Based upon the SEC’s Final Interpretive Guidance for Management to improve SOX 404 implementation that was issued on May 23, 2007, there is opportunity to make the process more efficient. The guidance highlights three general principles (in bold) and four specific principles (in italics) as areas of improvement. Using a top-down risk-based approach, management needs to focus on risk and materiality, as well as controls that are needed to prevent or detect material misstatements in the financial statements. In actuality, not every control in the process needs to be documented, only the controls that address the risk of a material misstatement. Management should also tailor the amount of evidence needed to determine operating effectiveness based on the risk of material misstatements. This guidance will allow management to use a variety of cost effective ways to evaluate the operating effectiveness of its controls. It also has a deficiency evaluation framework for evaluating deficiencies and outlining the material weaknesses. Finally, management will be allowed greater flexibility in the documentation of its evidence and testing. Documentation may consist of many different forms. For example, for high risk processes, documentation will remain the same under the new guidance. However for moderate and low risk processes documentation may be reduced for example through less detailed flowcharts or no flowchart, respectively. For testing the nature, timing and extent of what is tested will be impacted by the level of risk.
Small companies should coordinate with their SOX 404 consultants, external auditors and other key stakeholders to ensure that implementation is efficient as well as effective. While there are certainly costs to implementing SOX, benefits can be obtained by making SOX a sustainable process and imbedding it in the way business is conducted. As former Maryland Senator, Paul Sarbanes, who was the principal draftsman of the law, reminded all public companies, small and large, that going public is no cakewalk. “Companies that go public need to understand not only the benefits, but the responsibilities. It’s not just a free ride.”7
1 Sullivan, Thomas M. "Office of Advocacy - Letter Dated 05/25/07." SBA. 27 May 2007. Small Business Administration. 8 Aug. 2007 <http://www.sba.gov/advo/laws/comments/sec07_0525.html>.
2 Aguilar, Melissa K. "Final 404 Guidance Out; Small Cos. Now Included." Compliance Week July 2007: 12+.
3 Final Report of the Advisory Committee on Smaller Public Companies to the U.S. Securities and Exchange Commission. Securities and Exchange Commission. Washington DC: SEC, 2007. 33. 1 Aug. 2007 <http://sec.gov/rules/other/33-8666.pdf>.
4 Farrell, Greg. "Sarbanes-Oxley Law Has Been a Pretty Clean Sweep." USA Today 30 July 2007, sec. Money.
5 Schmidt, Kathrine. "Small Businesses Now Bracing for Hurricane SOX." Compliance Week July 2007: 45+.
6 Schmidt, Kathrine. "Small Businesses Now Bracing for Hurricane SOX." Compliance Week July 2007: 45+.
7 Farrell, Greg. "Sarbanes-Oxley Law Has Been a Pretty Clean Sweep." USA Today 30 July 2007, sec. Money.
Written by Logan Adler and Donald Browne
For further information and to discuss how Marcum & Kliegman may assist you with your Governance, Risk Management and Compliance needs contact Donald Browne at (212)981-3197.
Marcum & Kliegman