Shannon Greene, CFO of Tandy Leather Factory, doesn’t want to be a Section 404 guinea pig.
As a $40 million market cap company, Tandy Leather is considered a non-accelerated filer by the Securities and Exchange Commission and thus hasn’t yet had to comply with the internal-control provision of the Sarbanes-Oxley Act. And following the past year’s adjustments to the regulations within Section 404, Greene worries about putting her staff through the trials of assembling the management and auditor-attestation reports currently required for a company of Tandy’s size.
She wonders if the changes indeed cut down compliance costs and confusion, as regulators have promised. “Non-accelerated filers who have not had to comply with Section 404 yet should not be the testing ground for the revised rules and guidance,” Greene said during a House Small Business Committee hearing on Wednesday.
Greene and her colleagues at other small businesses could get some 404 relief, however. At the same hearing, Securities and Exchange Commission Chairman Christopher Cox said he would propose a one-year delay for the auditor-attestation requirement under 404, which small companies must comply with beginning in fiscal years ending in December 2008. So, under Cox’s plan, small filers would be required to comply for fiscal years beginning in 2009. In the meantime, the SEC would conduct a cost-benefit study of 404 compliance that could be released by next June.
Small, publicly traded companies — defined as those with a market capitalization below $75 million — will still have to include 404 management reports with their 10-Ks filed on or after December 15. However, those reports will not be audited.
The Chamber of Commerce sees Cox’s announcement as a “big win” for small businesses. The biggest costs to come out of 404 for the larger companies that have already been complying for the past few years have been auditing fees, according to Michael Ryan, senior vice president and executive director of the Chamber’s Center for Capital Market Competitiveness. “Presumably it will mean small companies will get better at assessing their internal controls,” he told CFO.com. “And hopefully the auditor attestation won’t cost as much in two years.”
Another pro-business group, the Committee on Capital Markets Regulation, similarly praised the delay. The committee said the 404 reforms passed earlier this year by regulators should be examined in practice before deciding whether small companies should have to comply. Over the summer, the SEC issued management guidance on 404, and the Public Company Accounting Standards Board revised its internal-control auditing standard to focus auditors on only those areas that could lead to a material misstatement.
The American Bankers Association also chimed in with its support on Wednesday. “We applaud Chairman Cox’s leadership today in calling for the SEC to produce its own detailed study of the costs and benefits of section 404 compliance before requiring implementation for smaller businesses,” said Wayne Abernathy, executive director of financial institutions policy and regulatory affairs.
To be sure, small companies should do more than just hope for yet another delay, according to John Fodera, a partner at auditing firm Eisner LLP. Small companies should be making sure their financial house in is order, he told CFO.com.
That means conducting a thorough risk assessment and figure out where a company’s biggest perils for control lapses lie. The number of key controls companies must examine have been pared by the top-down, risk based method endorsed by the PCAOB through Auditing Standard No. 5.
If they haven’t already done so, companies should also focus on those areas that could possibly lead to a material misstatement. They should also consider their staff’s abilities.
To be sure, small companies have fewer resources than their larger brethren. Greene, for instance, has no internal-audit team. Of her 16 accounting and finance employees, only two have college educations. “As the CFO, my professional background included a number of years in public accounting as an auditor, so any internal audit function generally falls on my list of responsibilities,” she said.
Most small companies have already assessed their internal controls, according to Wade Lindenberger, director of corporate governance services at RoseRyan, a finance and accounting consultancy. But “for those companies still struggling, one of the main obstacles is the lack of understanding of the SOX process, in particular how to implement AS5,” he told CFO.com.
If Cox makes good on his word and puts a postponement of auditor attestations to a vote in January, small companies could have two years to observe AS5 in practice, Lindenberger noted.