The SEC Opens Up SarbOx

Regulatory revisions to the landmark Sarbanes-Oxley Act won't radically ease costs, but the changes will offer some legal relief

Businesses that have been agitating for less stringent oversight of financial compliance regulations will get a first taste of relief in the next two weeks, when the Securities & Exchange Commission and the Public Company Accounting Oversight Board unveil a plan for streamlining the day-to-day workings of the Sarbanes-Oxley Act of 2002.

It's an exercise designed to address businesses' core concern: Compliance simply costs too much. But when the dust settles and final rules are adopted early in 2007, any changes are likely to have a modest impact on Corporate America's bottom line. Their real value, rather, might be peace of mind.

On Dec. 13, the SEC will announce a plan to streamline its rule requiring companies to adopt internal controls and procedures for financial reporting. At about the same time, the PCAOB will make public a rewrite of its notorious accounting standard, which guides audits of those internal controls. The proposals will kick off at least two months of jockeying as businesses push for more change while investors bemoan a rolling back of industry oversight before either body adopts any final changes.

Risk-Based Auditing

Taking the lobbying lead in Washington are the U.S. Chamber of Commerce, community bankers, and organizations whose memberships are heavy in small-cap and micro-cap companies that often operate with small staffs on thin profit margins—think biotech. Business and its allies want to loosen the requirement that all internal controls be tested every year, rolling tests back on low-risk areas to every second or third year.

They also want regulators to refine the scope of external audits to make them more risk-based, and scale back overall requirements for smaller companies, which now enjoy a temporary exemption from the rule.

Technical changes in the rules would go a long way toward lowering the complexity of compliance without exposing investors to higher risk of fraud. The original regulations lacked basic definitions on key points such as which balance sheets were "material" to a company's finances or which internal controls were "significant" enough to merit scrutiny.

How Much is Too Much?

That led auditors and their clients to take a cover-your-behind approach that has contributed enormously to overall compliance costs. "There's blame at the SEC and PCAOB for the high cost of Sarbanes-Oxley compliance," says Richard T. Roth, chief research officer at The Hackett Group, a strategic consulting firm.

"But there's also blame at the senior-level executive suite. They were approaching compliance with belts and suspenders, using excessive processes to make sure there were no issues." In other words, execs and their auditors overreacted to Sarbanes-Oxley, a phenomenon that even some accounting industry insiders privately admit.

"We're not going to err on the side of not checking something," said one accounting industry lobbyist. Defining what is material and what isn't could streamline the annual oversight process by giving auditors the all-clear to focus on, say, inventory valuations while eliminating the need to track pencils in the supply cabinet.

Building Trust

That's something some auditors already are doing. A constant stream of feedback from the SEC and PCAOB over the past two years has led to changes in behavior in the C-suite (Fortune 500 company chiefs), which has seen its compliance costs shrink in the past year as administrators streamline procedures and auditors hone their approach based on input from regulators. The PCAOB in particular has been reaching out to industry and acting on feedback it gets during its annual, on-the-ground inspections of the top eight accounting firms.

And the further Enron and WorldCom recede into the past, the easier it has become to build trust between oversight agencies and the people they police.

"It's very important that we write specifically into the rule a provision to allow more judgment on the part of auditors and management," says Wayne Kolins, national assurance director at BDO Seidman, a Chicago-based financial-services firm.

But if major cost-cutting isn't on the table, what's driving the demand to tinker with the regulations? The real benefit of change could be a legal one—a shield from exposure to shareholder lawsuits. Without specific direction from regulators, companies fret that anything intimating even the slightest hint of a shortcut could leave them vulnerable to expensive shareholder litigation. It's that fear, probably as much or more than actual compliance costs, that's driving the call for change.

Cost of Compliance

Indeed, although conventional wisdom has pegged Sarbanes-Oxley compliance as exorbitantly costly, the compliance standard is not quite the crisis business has made it out to be. The now-infamous $1.4 trillion cost of the law, a figure calculated by measuring the drop in stock market capitalization during July, 2002, when the legislation was passed, has been widely discredited.

More recently, studies based on surveys of actual costs show much smaller numbers, though they continue to outpace the $91,000-per-company cost—or $1.24 billion—estimated by the SEC when it issued its guidance. Hackett's Roth puts the current average cost of compliance at 0.25% of a company's revenue, down 3% from a year ago. So-called "world-class" operations, which have less complex internal controls, spend even less—about 0.14% of revenue, including direct compliance costs and outside auditing fees.

Not Going to Capitol Hill

Political and procedural realities dictate that any final set of changes won't have a remarkably significant impact on how SarbOx is implemented. Business has pushed for reform at the agency level instead of turning to Congress for a rewrite of the law, in part, because lobbyists fear that reopening the law, especially in the new, Democrat-controlled Congress, risks making it worse.

That means regulators will have to work within the confines of the existing statute, which limits their latitude to make changes. The SEC, for example, won't likely be able to exempt smaller businesses from the most onerous sections of the audit standards without getting the law changed.

Before it's here, it's on the Bloomberg Terminal.