It is time for the SEC to take a stand on compliance with Section 404

After months of insisting that no further delays for smaller public companies would be forthcoming, SEC Chairman Christopher Cox said in December that he would recommend still another delay in implementing Section 404(b) for companies with market caps under $75 million (“non-accelerated filers”) until fiscal years ending on or after Dec. 15, 2009.

On Jan. 31, his proposal became a reality. The newest reason for delay is that the Securities and Exchange Commission hasn’t completed its Web-based survey of companies that are already subject to Section 404 and its in-depth interviews with smaller public companies to gauge the cost/benefit relationship of Sarbanes-Oxley.

The SEC previously delayed implementation for non-accelerated filers (originally scheduled for years ending on or after April 15, 2005) until fiscal years ending on or after July 15, 2006, July 15 last year and then Dec. 15 with a delay for compliance with Section 404(b) until Dec. 15, 2008.

I find the latest reason for delay puzzling. The only companies that have implemented Section 404 of SOX are accelerated filers under the old standard of AS2.

It is well-documented that significant dollars ($39 billion total) were spent by companies complying with AS2, and those costs have declined dramatically. Since none of the non-accelerated filers have actually undergone a Section 404(b) audit, any data compiled are still purely speculative and certainly not indicative of the actual cost that non-accelerated filers will experience.

I can understand that the SEC wants to gauge the impact AS5 is having on accelerated filers, but I fail to see the relevance of the probable cost reduction on implementation for non-accelerated filers.

AT DIFFERENT STAGES

The reason for my puzzlement is that the non-accelerated filers are not at the same compliance stage as accelerated filers.

The major costs associated with compliance of Section 404 are for design, documentation and implementation of a system of internal controls over financial reporting. What the SEC failed to factor into its cost estimate of $91,000 to comply with SOX was the fact that most companies hadn’t kept up with system and procedures documentation of their internal-control efforts and had to create the documentation from scratch.

This took a major effort, and the SEC reacted by allowing the non-accelerated filers to delay implementation several times to allow them to prepare for compliance in an orderly fashion.

However, most smaller public companies failed to take advantage of this time and continue to procrastinate. Since Section 404(a) is a self-assessment, most non-accelerated filers I have talked to lack a sense of urgency to document internal controls. They seem to think that their efforts are adequate. They continue to hope that the SEC will eliminate the Section 404(b) requirement and they will never need to undergo a more-detailed documentation process.

The SEC keeps giving a mixed message to the smaller public companies so you can hardly blame them for not beginning the compliance process. Based on this, I can’t understand how the SEC will assess the cost side of the cost/benefit equation.

So what about the benefit side of the equation? No one can deny that the implementation of SOX has been a benefit to the U.S. public markets.

Many studies have proved this point, but the most compelling statistic is in U.S. initial public offering activity (the very area those opposed to SOX stated would be destroyed). According to Ernst & Young LP of New York, capital raised by U.S.-based companies in 2005 (the first year following SOX 404 compliance) reached almost $30 billion and increased 14% to $34 billion in 2006.

It is expected that capital raised by U.S. companies last year exceeded the 2006 total.

SOX has accomplished precisely what was intended, namely to restore credibility to the U.S. public markets. Companies have been forced to be more transparent in their financial reporting, resulting in numerous restatements of financial statements since SOX was enacted as well as uncovering a pervasive corporate practice of stock option backdating that may not have been discovered without SOX.

Thousands of material weaknesses in internal controls have been identified and they are being remediated. The benefits of SOX appear to be clear.

I think it is time for the SEC and Mr. Cox to take a stance and decide once and for all whether, in order to obtain public financing, all companies, regardless of size, need to have an effective, documented system of internal controls.

The SEC has studied the issue for four years, resulting in the implementation of a new standard (AS5) under which auditors will be guided to assess the effectiveness of a company’s internal controls. In addition, the financial and investment communities are embracing the control structure and recent audit pronouncements are now requiring auditors to make an assessment of (but not opine on) the effectiveness of ICFR.

It appears that the various overseers are potentially going in opposite directions. Although the SEC thinks that it is doing smaller public companies a favor by delaying compliance with SOX, I think that the apparent indecision of the commission on its direction with regard to non-accelerated filers is detrimental.

Investors don’t want a repeat of the 2001 debacle. Another major fraud would send more investments overseas.

Smaller public companies are more vulnerable to control deficiencies due to the size of their financial staff, lack of segregation of duties and the ability of management to override controls. The risk of material error in the financial statements is greater than with larger public companies, requiring more oversight.

Recent studies have confirmed that companies that haven’t complied with Section 404 or who have material weaknesses in their internal controls are paying more for their audits, thus negating any perceived cost savings through non-compliance.

Having effective internal risk controls is simply good business. Many companies that have complied with SOX have become more efficient and better managed and have increased their use of technology to improve controls.

Further, companies that are Section 404 compliant have traditionally received a higher multiple when sold.

GREATER ANXIETY

The indecision on SOX compliance has increased anxiety among the CFO community. The inability to budget and plan its resource allocations is becoming a problem.

It appears that no one wants to make a decision to rescind Section 404 for non-accelerated filers, because the impact politically will be devastating if another massive fraud takes place. If rescission of Section 404 isn’t recommended, I would like to suggest two alternative regimes for the SEC to consider.

The first:

• Require Section 404(a) compliance annually.

• Require all non-accelerated filers to comply with Section 404(b) for years ending on or after Dec. 15, 2009,

• Non-accelerated filers that receive a clean opinion on the effectiveness of internal controls over financial reporting would need to comply with Section 404(b) only every three years,

• Companies that have material weaknesses would be required to comply with Section 404(b) until all material weaknesses were remediated, then could comply every three years.

The second:

• Require Section 404(a) compliance annually.

• Make compliance with Section 404(b) optional for non-accelerated filers and permit filers to prominently display that they are 404-compliant.

Both sets of recommendations would have a positive effect on costs for non-accelerated filers. In addition, I think that most of the strong and well-managed companies will comply with Section 404 voluntarily and other companies will feel the competitive pressure to also comply.

There are no perfect solutions, but I think that these are fair and reasonable compromises.

Thomas A. Basilo is chairman and chief executive of WithumSmith+Brown Global Assurance LLC in Princeton, N.J.