SOX Revisions: A Break for Small Biz?

New Sarbanes-Oxley guidelines allow companies to focus only on "high-risk" areas of financial controls, but the compliance deadline was not extended

Last month, the Securities & Exchange Commission and the Public Company Accounting Oversight Board (PCAOB) unveiled recommendations streamlining the internal-controls provisions of the Sarbanes-Oxley corporate reform act of 2002. The five-member board did not, however, extend the compliance deadline for smaller public companies, as some had hoped.

The development means that smaller public firms will be under the gun to begin SOX compliance initiatives immediately so they can meet a Dec. 15 deadline. This year, these small public companies must provide what is known as a management assessment of internal controls over financial reporting. In 2008, a second compliance phase will kick in requiring that external auditors sign off on that management assessment. Sarbanes-Oxley, commonly called SOX, was passed by Congress in response to a series of public-company accounting scandals, including Enron. Its Section 404, which requires companies to establish and maintain internal controls for financial reporting and prepare annual reports of the control processes, has been widely criticized as being more costly and time-consuming than originally forecast (see, 4/23/07, "The Growing Revolt Against the SEC").

Larger public companies, known as "accelerated filers," have had to comply with SOX since 2002. The deadline for compliance for smaller companies ("non-accelerated filers" in SEC parlance, defined as having market value of equity of less than $75 million) has been delayed four times. Critics of SOX last week urged that small public companies be given another year before they have to comply. Three of the five SEC commissioners would have to vote to authorize a further delay, but SEC Chairman Christopher Cox has said that another delay is probably not warranted.

Costly Compliance

The new guidelines give management and external auditors greater flexibility when conducting their management assessment, allowing them to focus only on those areas of a company's financial controls that are determined to be "high risk." The new guidelines also allow companies to develop efficiencies in compliance programs by allowing external auditors to place more reliance on the competent and reliable work of others and allowing them to use knowledge gained in prior-year audits, says Brian Davis, partner at management and accounting firm SC&H Consulting. "Since the inception of SOX, many companies have used an all-inclusive approach," Davis says. "This practice led to companies expending resources on areas that did not truly present a financial-statement risk. The new guidance suggests that Sarbanes-Oxley compliance programs should be properly scoped on both quantitative and qualitative risk factors to focus on only those areas that could lead to financial-statement misstatement."

The new guidelines will "right-size" the number of company key controls, keep compliance costs at a minimum, and provide the framework for a sustainable compliance initiative, Davis says, leading to significant savings in external auditor fees. Those fees, however, account for only about 30% of SOX compliance costs.

Small-business advocates argue that smaller public companies already pay a higher percentage of their revenues for legal and audit fees than do their larger counterparts. Many entrepreneurial firms have diverted sources from research and development to compliance, charges Representative Nydia Velázquez (D-N.Y.), chairwoman of the congressional Small Business Committee, which had a hearing on the matter last week. She reiterated her call for another yearlong delay that would allow time for small firms to comply with Section 404. She and others, including the Office of Advocacy and Senators John Kerry (D-Mass.) and Olympia Snowe (R-Me.), have said that compliance costs will be disproportionately high for small public companies and may cause some to return to private ownership, and squelch the plans of others hoping to enter the public capital market.

Audit Advice

Such an extension seems unlikely to happen, however, says Bob Kueppers, deputy CEO of Deloitte & Touche USA. "Several previous deferrals have been executed, so it looks like this time compliance is not going to be deferred. Also, since the nature of all of these rules that were announced represent relief, it seems unlikely that they won't be implemented."

The relief that was provided is in the form of a simpler, more straightforward audit standard that should prevent what some have called unnecessary procedures and added costs for companies, Kueppers says. He provides this advice for small public firms, gleaned from his experience in working with clients who have already come under SOX compliance:

• "Coordinate your management activities in year one with what the auditor is expecting to do in year two," he advises. "It makes a lot of sense to get the auditor in on your planning so they can review what you plan to do and give you some guidance to make sure you're taking a responsible approach."

• Make sure that both management and your auditing firm give an overview of your compliance plan to your audit committee, which is part of the board of directors of a public company. "This will serve as an oversight mechanism, so that you're coordinating with your auditor and reviewing with your committee before you get too far along in the process," Kueppers says.

• Look for some additional guidance from the PCAOB this summer. "They are in the process of developing an audit guide specifically for smaller business. It will take [the new rules] down to a smaller scale to help both auditors and management understand how to implement them in the small-company environment," he says.

• Look for additional guidance from an agency called COSO, the Committee of the Sponsoring Organization of the Treadway Commission, which publishes a framework for controls that companies have been using to measure themselves against SOX. "They have a project under way to see how monitoring can contribute to a more efficient management assessment," Kueppers notes. "That should give more relief to smaller companies."

The effective date of the interpretive guidance and rules adopted in May will be 30 days from their publication in the Federal Register.

Before it's here, it's on the Bloomberg Terminal.