Sometimes the difference between a big company and a small one can be revealed in the simplest of acts, like writing a check.
Take Socket Communications, a publicly traded company that took in $26 million in revenues last year. At Socket, management has an uncomplicated way to make sure its payouts are on the up and up: Every single check the company doles out is signed by hand by one of the top four executives.
In so doing, each executive authorizes the disbursement and must verify its details. In a large company, of course, many other people would be involved in the signing, verifying, and authorizing — inevitably making for a much more complex process.
Despite such hefty differences, however, practically all companies must cling to the same set of rules. Under Section 404 of the Sarbanes-Oxley Act governing internal controls over financial reporting, companies like Socket and Fortune 500 organizations both operate within the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) — the widely accepted corporate standard for complying with the internal-controls provision of Sarbox.
Like their peers at more sizable corporations, small-company executives must also help their auditors adhere to Standard 2 of the Public Company Accounting Oversight Board (PCAOB). That’s the requirement under Sarbox 404 that external auditors must attest to and report on their clients’ assessment of internal controls.
Socket’s managers thus felt compelled to test a large sample of the company’s payout, just as a big company would. “We were comfortable that every one of our disbursements was properly authorized,” says David Dunlap, CFO of Newark, California-based Socket, which provides products that connect handheld and notebook computers to the Internet. “But under COSO, we had to do a sample of 50 to 60 cash disbursements to verify, and our auditors had to pull another sample.”
Indeed, Sarbox’s “one size fits all” internal-controls approach has rankled many small-company managers during the run-up to compliance that began last year. Much of their ire springs from the high cost of complying, which arguably falls more heavily on companies with fewer resources to support it. Calculated as a percentage of revenue, Sarbox 404 expenses are “far greater” for smaller companies than they are for larger ones, according to a scathing report issued last month by the American Electronics Association.
The AEA called the costs a “major regressive tax on small and medium companies.” Citing percentages based partly on data from Financial Executives International, the association found that a company with more than $5 billion in revenue could expect 404 costs to run at about 0.06 percent of sales, while a company garnering less than $100 million could see costs running at about 2.55 percent of sales.
Another irritation: Internal-controls guidelines don’t take into account the unique woes that small companies face in complying with the rules. The simple lack of people can be a liability, for example. “It can be more difficult to achieve a proper segmentation of duties because of limited staff,” says Miles Everson, a partner at PricewaterhouseCoopers and the head of a COSO task force working on a document advising small companies on internal-controls compliance requirements. Executives and managers at small companies “have multiple roles and responsibilities, so you have a high dependence on people doing the right thing,” he says.