The jury is still out on whether recent rule changes will make it easier for small companies to comply with section 404 of Sarbanes-Oxley. Chances are, they’ll start to find out this summer.
The House Committee on Small Businesses heard testimony Tuesday from regulators and advocates for smaller public companies about how, and when, small companies should begin complying with section 404.
Complying with 404, which required that companies report on the state of their internal controls over financial reporting, was an expensive exercise for large companies. The law was widely seen as creating a disproportionate burden for smaller companies, whose compliance date was extended several times.
Much of the blame for 404’s difficulty was placed on Auditing Standard No. 2, the standard used by auditors to guide their assessment of a company’s internal controls. The Public Company Accounting Oversight Board officially voted last month to replace the unpopular AS2 with a new standard, AS5. But many small business advocates still are hoping for yet another extension of their 404 compliance deadlines.
AS2 is not quite dead yet — the SEC still has to approve its successor, which requires a public-comment process that could take at least 35 days. If and when the SEC does approve AS5 — which it is thought it will — audit firms will no longer reference the original internal-control rule. In his testimony Tuesday, SEC Chairman Christopher Cox said that compliance for small businesses, defined as those with a market capitalization of less than $75 million, would coincide with approval of AS5. That, he noted, would mean companies would begin having to comply with the management assessment portion of 404, although companies would not be required to come into full compliance until their reports are due in March 2009.
“I expect that AS5 will be approved in final form this summer, but if it’s not, we’ll once again postpone the requirement that smaller public companies have a section 404 audit until the new auditing standard is done,” Cox said.
Still, any further postponement seems unlikely. The SEC and the PCAOB worked closely together in crafting the AS5, which is described as simpler and more principles-based. If approved, the rule would require auditors to take a top-down, risk-based approach and focus on only those areas that could lead to a material misstatement. The PCAOB also eliminated several “unnecessary” procedures, made the standard scalable for companies of all sizes and complexity; and simplified the text. The new standard also eliminates the requirement of auditors to opine on the adequacy of management’s process on evaluating internal controls — a step widely criticized by business as redundant with the auditor’s overall assessment.
“The Board is determined to make internal control audits as cost-effective as possible for companies that are required by the SEC’s rules to obtain an audit report on internal control,” said PCAOB Chairman Mark Olson.
Although Cox said he was certain that the new measures would lower compliance costs for small companies, others who testified before the committee were less confident.
David Hirschman, senior vice president of the U.S. Chamber of Commerce argued that the revised Section 404 could not be called a success until the changes are implemented and enforced. And he said smaller companies should continue to be shielded from the regulation until its impact is seen. “Until we have a full-year of experience with the new rules, we believe it would be a mistake to extend their application to smaller public companies,” Hirschman said.
Some witnesses also argued that small companies still need more guidance from the SEC and the PCAOB in order to see a meaningful reduction in the cost of complying with Section 404. “I expect that the new standards will bring down the costs of Section 404, but not as much as it could or should,” said Professor Hal Scott, director of Harvard Law School’s Program on International Financial Systems. “If the costs are still too high, the SEC should then turn the problem over to the Congress.”
Scott, who also pushed for a delay in compliance, argues that AS5 does not focus specifically enough on “materiality,” or which transactions, financial systems and controls matter most in preventing misstatements in financial documents.