Dig up evidence of document retention procedures for auditors, or work on a viable treatment for prostate cancer. Print out screen shots that support testing of general computer controls, or answer an important phone call from a high net worth client. The choice is obvious for biotech and community bank executives who contend that meeting the Sarbanes-Oxley Act’s Section 404 requirements are diverting money and attention away from conducting business in a more efficient manner.
Section 404 requires companies to detail and attest to their internal controls. And cost-benefit debate related to complying with the provision has been widely reported, with executives of smaller public companies contending that they are unfairly burdened by the law. While that may be true—or not—there is growing concern among executives within certain sectors that they too are being unfairly burdened by 404 compliance. Most notably, biotech and small banks are making such claims. (Big banks may think so too, but they haven’t complained as much, yet).
The evolution of the argument, at least for the next round of public comment on Section 404, may be a call for industry-specific exemptions. To be sure, if neither the Securities and Exchange Commission or Congress see clear to providing small company immunity, then industry lobbyists may take a different tack, this time aimed at convincing regulators and lawmakers that sector-specific 404 exceptions are needed.
For its part, the SEC acknowledges the disquietude of certain sectors, but has thus far skirted the recommendations of its Advisory Committee on Smaller Public Companies, which called for small business exemptions from 404. Even in its July 11 concept release, which asked the public for further comment, the SEC remained mum on any specific measures that speak to grievances previously expressed by the biotech and banking delegations as well as other business representatives.
Yet, the most persistent voices in the 404 exemption debate still tend to be biotech and banking constituents. “Every extra half million dollars we redirect hurts us,” said Sharon Tetlow, chief financial officer of Cell Genesys, biotech firm in the third phase of clinical trials for a proprietary cancer treatment. “Frankly it could pull us away from saving lives and while there’s been discussion on the issue, the SEC and PCAOB need more wind at their back in addressing this.”
Cell Genesys, like many biotech companies, is heavy on research and development expenditures and light on revenue. Moreover, after clinical trials, the company will encounter detailed scrutiny from the Food and Drug Administration, as well as incur heavy marketing costs. Comments made in May to the SEC by industry executives and lobbyists such as the Biotech Industry Organization, suggest that spending operating capital on “excessive” audits is detrimental given the capital-intensive nature of biotech research—so much so that 404 costs could scare venture capitalists and other investors away and create longer lead time for product deployment.
Tetlow says she understands the spirit of the Sarbanes-Oxley law but doesn’t think costs are on par with benefits. “I’m all for transparent financial statements,” she adds. “But I’m not sure we’re getting value out of auditing HR and IT. Every CFO I know has experienced this tremendous cost in money and time and it’s not like it is reducing fraud. I see very little being done to improve business and I see a lot of money going out of the door.”
Larry Ribstien, a law professor at the University of Illinois and co-author of The Sarbanes-Oxley Debacle: What We’ve Learned; How to Fix It—a book published by the American Enterprise Institute—concurs, opining that companies should be allowed to opt out of 404 provided they have shareholder approval. “SOX isn’t really designed for small firms, and start-ups are catching hell,” he says. “When you look at small biotech you can clearly see that relief is needed. If you had to start somewhere in terms of reform you should definitely start with smaller businesses.”
Rep. Patrick McHenry (R-NC), who is a member of the House Financial Services Committee, has a similar take on the matter. “Biotech and small banks are perfect examples of these small types of businesses that I feel should be exempt from some of the more onerous aspects of SOX, particularly those outlined in 404,” said McHenry, adding that there is a fervent interest among House members to delve into the issue further but not before the fall elections. According to McHenry, even Rep. Michael Oxley (R-Ohio), who co-sponsored the original bill with Senator Paul Sarbanes (D-Maryland), told a bank executive that if he did it all over again he would advocate easing up on banking institutions.
Randall Ouchi, senior vice president and head of internal audit for Wilshire State Bank, joins other banking officials in asserting that SOX testing is redundant becasue of the pre-existing Federal Deposit Insurance Corporation Improvement Act (FDICIA). Established in 1991 so that banks could prevent the type of insolvency caused by the savings and loan crisis, FDICIA is similar to section 404. It requires financial institutions exceeding $500 million in assets to evaluate and report on their internal control environment. The main difference is that 404 requires public disclosure of material weaknesses.
“Sarbanes tripled our work so it was testing one, two, three in a literal sense,” said Ouchi. “FDICIA is a lot simpler. There were very few bank failures after it was enacted. Quite frankly, it should have been enough and until 404 audits are tailored to the specific needs of small banks and more risk-based, the law will continue to be a full-employment act for external auditors, internal audit co-sourcers and CPAs.”
As CFO of Modern Bank N.A., a private bank, Steve Sabatini now sits out of the reach of 404, but got his feel of what he called a “tedious” process when he was CFO of Union State Bank. “In my opinion, banks should have been left out of this from the very beginning, or the PCAOB should have coordinated with banking regulators before issuing guidance,” he said.
Predictably, investor advocacy groups and audit firms maintain that if companies are feeling heat from 404 they should get out of the public kitchen and cool off as a private company. Further, they claim that smaller companies require even more oversight as there is a greater risk of fraud, a greater likelihood of management overriding key controls, and a virtual absence of segregation of duties related to critical processes. “We don’t see  as unreasonable and that’s how it’s been perceived by some industries,” said Ann Yerger, executive director of the Council of Institutional Investors. “Do we need special industry specific rules? I’m not sure it needs to be that prescriptive. I think that’s a case of be careful what you wish for.”
The audit firm’s perspective is that passing 404 tests are akin to obtaining a license to drive on the highways and byways of the public markets. Jason Emmons, a principal for Deloitte and Touche’s Audit-Enterprise Risk Services Practice, says the obligations under Sarbox are in many cases “things companies should be doing anyway.” Emmons contends that, “an audit was never meant to be like buying new factory equipment. It’s not that type of expense. He points out that the purpose of an audit is to “provide assurance to the public and shareholders that the financial statements are fairly stated.”
Meanwhile, as stakeholders await the new PCAOB auditor’s guidance, the SEC is taking a wait-and-see approach while soliciting comments from the public through October. “The law will continue to apply to everyone until further notice,” said SEC spokesperson John Nestor. “But it’s clear that the one-size fits all approach doesn’t achieve the desired results. We’ve heard about cost and other concerns and we’ll continue to listen. Right now it’s a bit premature to talk about special provisions of any kind.”