Statement submitted by

The Honorable Thomas M. Sullivan
Chief Counsel for Advocacy
U.S. Small Business Administration

U.S. Senate Committee on Small Business & Entrepreneurship 

April 18, 2007
Sarbanes-Oxley and Small Business:   
Addressing Proposed Regulatory Changes and their Impacts on 
Capital Markets


      	 I am submitting this written statement because a death in my family prevents 
me from presenting testimony in person.  I commend the U.S. Senate Committee on 
Small Business & Entrepreneurship for holding this hearing.  And, I thank you for 
soliciting my views.  The topic of how the Sarbanes-Oxley Act impacts small business is 
an important one and the small business community will benefit by this Committee’s 
focus on the proposals under consideration by the U.S. Securities and Exchange 
Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB).   
	Congress established the Office of Advocacy to represent the views of small 
entities before Congress and Federal agencies.  The Office of Advocacy (Advocacy) is an 
independent office within the U.S. Small Business Administration (SBA), and therefore 
the comments expressed in this statement do not necessarily reflect the position of the 
Administration or the SBA.  Advocacy takes its direction from small businesses; 
therefore my remarks will be a reflection of what small business groups have shared with 
Advocacy.  One of Advocacy’s main responsibilities is to ensure agency compliance with 
the Regulatory Flexibility Act (RFA).  The RFA’s main purpose is to make certain that 
small entities are given due consideration when agencies promulgate regulations.(1)	
	Advocacy’s involvement with the Sarbanes-Oxley Act (the Act) began in 2002, 
when our office asked Chairman Oxley and Chairman Sarbanes to include flexibility in 
the bill then being considered that would be sufficient to avoid unnecessary impacts to 
small businesses.  Since the passage of the Act, small business representatives have 
contacted Advocacy to inform us of their concerns with the new audit requirements of 
Section 404.  Advocacy has submitted numerous comment letters to the SEC and the 
PCAOB communicating these small business concerns.(2)  Small businesses are worried 
that auditors, when faced with a new requirement to sign off on a company’s internal 
controls, will employ expensive and time-consuming audit procedures.  There is a 
compelling record demonstrating that the costs of complying with Section 404 are large 
and disproportionately high for small public companies.  These entities have told 
Advocacy that changes to the requirements of Section 404 of the Act are necessary.   
Advocacy believes that the excessive cost of Section 404 internal controls reporting may 
restrict a new generation of small innovative companies from seeking capital in the U.S. 
capital markets.
      To its credit, after the passage of the Sarbanes-Oxley Act, the Commission 
quickly realized the costs inherent in complying with Section 404 and delayed the 
implementation of Section 404 for small businesses.  I would like to thank Chairman Cox 
and Chairman Olson for their leadership, hard work, and on-going dedication in the 
difficult process of implementing Section 404.  The SEC and the PCAOB should also be 
commended for their job in reaching out to small public companies to understand the 
impacts and problems with Section 404.  In 2005, the SEC chartered the Advisory 
Committee on Smaller Public Companies (Advisory Committee) to assess the impact of 
the Act on smaller companies, and make recommendations for changes.  After a year of 
deliberations and solicitation of public input, the Advisory Committee made its final 
written recommendations last year.  The SEC and the PCAOB have also held roundtables 
to solicit input from small public companies, and listened to the concerns of the small 
business community.

      Advocacy hosted its own small business roundtable in January 2007 to solicit 
input from small business representatives on the new proposals undertaken by the SEC 
and the PCAOB.(3)  This roundtable followed years of dialogue between Advocacy and 
small entities concerning the implementation of the Act.  Advocacy commends the staff 
members of the SEC and the PCAOB who attended this roundtable and explained the 
proposals, answered questions, and listened to issues of the small business community.  
Small businesses raised significant concerns with these proposals, including: (1) the need 
for further clarifications of major provisions from these proposals, (2) the need to 
examine whether these proposals actually reduce compliance costs and provide 
scalability for small public companies, and (3) the need for more time to implement the 
new requirements.
       Based on these comments, Advocacy strongly recommends that the SEC 
continue to provide further extensions for small public companies until such time as more 
cost-effective procedures for internal controls can be developed.  Additionally, Advocacy 
urges Congress to exempt smaller public companies from Section 404(b).     
I.  Background on Section 404- One Size Does Not Fit All 
	Congress enacted the Sarbanes-Oxley Act of 2002 (the Act)(4) in response to 
public concern about high-profile fraudulent financial reporting by companies like Enron 
and Worldcom.  Section 404 of the Act requires public companies to report on their 
internal controls over financial reporting, or about systems they have in place to guard 
against fraudulent transactions.  Section 404(a) requires management to establish and 
maintain an adequate internal control structure and include in its annual report to the SEC 
an assessment or a report of the effectiveness of these internal controls.  Section 404(b) 
requires that management hire an outside auditing firm to submit an audit report attesting 
to, and reporting on the management’s assessment of the company’s internal controls.(5)   
The ultimate goal of this section is to ensure the accuracy of a company’s financial 
reports, and thus improve investor confidence.  The Public Company Accounting 
Oversight Board, a non-profit corporation created by the Act to oversee the auditors of 
public companies, created Auditing Standard No.2 (AS-2) as a guide for auditors 
evaluating a company’s internal controls reporting under Section 404(b).  
      The SEC’s own Advisory Committee on Smaller Public Companies has 
concluded that a big problem with Section 404 was the implementation of AS-2, a 
prescriptive 300-page “grade book” for auditors evaluating public companies.(6)  
External auditors have applied this one-size-fits-all standard to both large and small 
companies. Companies have reported that auditors are not focusing on risks to financial 
reporting, but are auditing every process, which created redundancies and excessive 
costs.  In the absence of management guidance, companies have been obliged to use the 
complicated AS-2 as a de facto guidance.  Small public companies have experienced 
challenges in implementing AS-2, because it does not take into account the different 
characteristics that affect a company’s financial reporting risks and internal controls, such 
as differences in organizational structure, ability to segregate duties and amount of 
resources available for Section 404 compliance. 
II.  Section 404 Imposes Disproportionate Costs On Smaller Public Companies 
	Due to the problems with Section 404 and AS-2, the costs of implementing 
Section 404 have greatly exceeded those originally anticipated by the SEC.   In June 
2003, the SEC estimated that “the average annual internal cost of compliance with 
Section 404 over the first three years would be $91,000, and that cost would be 
proportional relative to the size of the company.”(7)  To the contrary, all evidence 
indicates that Section 404 compliance costs are dramatically higher.  A survey of actual 
compliance costs conducted by Financial Executives International in 2006 found that 
first-year compliance costs for Section 404 were $3.8 million for accelerated filers and 
$935,000 for smaller public companies or non-accelerated filers.(8)  
	Smaller public companies are likely to be hit especially hard by the costs of 
compliance with Section 404.  The 2005 Advocacy-funded study by W. Mark Crain, The 
Impact of Regulatory Costs on Small Firms, found that, in general, small businesses are 
disproportionately affected by federal regulations.(9)  Crain found that small firms with 
fewer than 20 employees annually spend 45 percent more per employee than larger firms 
to comply with federal regulations.(10)  Likewise, the report by the SEC’s Advisory 
Committee on Smaller Public Companies noted that Section 404 costs in relation to 
revenue will be disproportionately borne by smaller public companies.(11)  This report 
found that small public companies with a market capitalization of under $100 million are 
expected to spend 2.55 percent of their revenue on Section 404 compliance, while larger 
companies with a market capitalization of over $1 billion are expected to spend 0.16 
percent of their revenue on such costs.(12) 
	Moreover, recent studies by the Committee on Capital Markets Regulation,(13) 
McKinsey & Company,(14) and the U.S. Chamber of Commerce(15) provide evidence 
that the burdensome Section 404 requirements have already made the United States 
capital markets an increasingly unattractive environment to list shares, decreasing the 
number of initial public offerings (IPOs), and forcing companies to go private or to 
foreign stock exchanges.  In a study by Foley & Lardner LLP, 81 percent of respondents 
felt that the Section 404 requirements were too strict, and 21 percent of respondents are 
considering going private as a result.(16)  The Section 404 requirements will likely 
impose major obstacles to small public companies seeking capital, perhaps to such an 
extent that their application to small issuers would dissuade small businesses entirely 
from accessing U.S. capital markets.   
III.  Small Entities Have Expressed Serious Concerns with Both Proposals
	Advocacy acknowledges the efforts undertaken by the SEC and the PCAOB to 
make internal controls reporting requirements more cost-effective and efficient for small 
public companies.  The SEC’s proposed management guidance attempts to set forth a 
“top-down, risk-based” approach for management to complete Section 404(a).(17)   The 
PCAOB also revised the controversial Auditing Standard No. 2, incorporating the same 
“top-down, risk-based” approach.(18)   
	Despite these efforts, small businesses continue to have serious concerns about 
Section 404.  On January 26, 2007, Advocacy held a small business roundtable, including 
small business owners and representatives, trade association staff, congressional staffers, 
and personnel from the SEC and the PCAOB.  Participants raised the following concerns 
with the SEC’s management guidance and the PCAOB’s revised auditing standard:
1)  Small Businesses Request Clarification of Major Provisions in Both Proposals
	a.  The SEC and the PCAOB Must Resolve Differences Between the 
Management Guidance and the Revised Auditing Standard
	 The Institute of Management Accountants has commented that the SEC 
and the PCAOB have created two conflicting rule books for the same task of 
internal controls reporting, and this is a source of confusion and complexity.(19)  
For example, small businesses are concerned that the SEC’s management 
guidance is vague and “principles-based” to provide scalability for the 
management of small public companies, while the PCAOB’s revised auditing 
standard is more prescriptive and detailed on how auditors must evaluate a 
management’s internal controls reporting process.  Small businesses have stated 
that they will be using the PCAOB’s revised auditing standard as their de facto 
guidance, because they are afraid that following the SEC’s management guidance 
will result in a negative audit by an auditor utilizing a more detailed and 
prescriptive auditing standard.  Advocacy recommends that the SEC add practical 
information in the management guidance on how management can complete a 
scaled internal controls report.  For example, the U.S. Chamber of Commerce has 
commented that the SEC guidance could use more illustrative examples and 
feedback of how the guidance should be implemented, such as examples of 
insufficient compliance measures as well as overly conservative 
implementation.(20)  Advocacy also recommends that the SEC and the PCAOB 
work together to make the revised auditing standard less prescriptive.     
	The Institute of Management Accountants and the U.S. Chamber of 
Commerce have commented on very significant inconsistencies between the two 
documents, including the process of identifying controls and significant accounts, 
and definitions such as material weakness, significant deficiency, and 
materiality.(21)  Advocacy also recommends that the SEC and PCAOB work 
together to make sure that these inconsistencies are harmonized.   
b.  The SEC and the PCAOB Should Address Management and Auditor  
Liability 
	Participants at the roundtable raised the issue of liability in the Section 404 
process as an important factor that most impedes the ability of these proposals to provide 
a scalable and cost-effective audit.  These small business representatives stated that the 
management of small public companies needs assurances that they will not be held liable 
for completing a scaled-down report pursuant to the management guidance.  In particular, 
small businesses seek clarification of the provision which states that “the proposed 
amendments would be similar to a non-exclusive safe-harbor.”(22)  Participants of the 
roundtable asked for further details of the safe harbor, such as how this safe harbor can be 
claimed and what type of liability protection this would afford. 
	Participants noted that auditors also need assurances from the PCAOB that they 
will not be penalized for auditing and approving a scaled management report in the 
PCAOB inspections process.  One participant at the roundtable stated that auditors are 
attributing a large percentage of their auditing fees to the potential liability and litigation 
exposure for these Section 404 audits.  These new Section 404 requirements are likely 
increasing the potential liability of auditors and increasing the costs of these audits.   
2)  The SEC and the PCAOB Need to Examine Whether Proposals Reduce the 
Compliance Costs and Provide Scalability for Small Public Companies
	Participants at Advocacy’s roundtable commented that the SEC’s management 
guidance and the PCAOB’s revised auditing standard do not provide enough guidance on 
how small public companies can scale their audits to make them cost-effective.  Small 
public companies need further guidance on ways that their audit of internal controls can 
be tailored, in the form of illustrations, case studies and examples.  
	Small business representatives also suggested that the rules implementing Section 
404 not be implemented until these proposals have been fully tested to determine whether 
they will actually result in scalability and cost savings for small public companies.  Such 
testing would allow for corrections in the standard, if the testing shows that the standard 
needs revision.
 3)  Small Public Companies Need More Time to Implement New Requirements
	Small public companies expressed concern with the timing of these draft 
proposals.  Although the SEC and the PCAOB just released these proposals in December 
2006, most small public companies will still be expected to complete a management 
report on internal controls reporting by the end of the year and submit an auditor’s report 
attesting to these internal controls next year.(23)  Neither of these proposals has been 
finalized, and the SEC and the PCAOB still need to complete major revisions to their 
respective proposals.  Participants at the Advocacy’s roundtable strongly recommended 
that the SEC provide a further extension for small public companies in order to provide 
management with extra time to understand and implement these complex Section 404 
proposals.  Small entities commented that they had already planned and budgeted for FY 
2007 the prior year, and it would be difficult and costly to start a new internal control 
reporting process in the middle of spring 2007.  
	Participants at the roundtable explained that it will take a longer time for small 
public companies to create and implement any new internal controls reporting process.  
Although small public companies regularly submit annual financial reports to the SEC, 
the internal controls reporting process is time intensive because it adds the new 
requirements of identifying processes, assessing risk levels, and documenting and testing 
the internal controls.  Small companies are at a disadvantage in complying with Section 
404 because they have more informal processes and fewer personnel and accountants.  
William Zaiser, the Chief Financial Officer at a MHI Hospitality Corporation, a small 
public company with a market capitalization of $64 million, hired an external consultant, 
and it still took four months to begin the internal controls reporting process.  Zaiser stated 
that it would be very difficult if his company had to start the Section 404 process at this 
later date because his company would have to hire extra staff, or he would have to devote 
a large amount of his time to this project.(24)  According to a Government 
Accountability Office survey of small business companies in 2005, 81 percent of the 
respondents hired a separate accounting firm or external consultants to assist them with 
Section 404 requirements, at an individual cost of $3,000 to $1.4 million.(25) 
IV.  Regulatory Flexibility Act Determinations   

	Advocacy commends the SEC and the PCAOB for developing these proposals in 
an effort to make Section 404 more cost-effective and efficient for small companies.  
Advocacy strongly recommends that the SEC continue to provide further extensions for 
small public companies until such time as more cost-effective procedures for internal 
controls reporting can be developed.   
	Advocacy also recommends that the SEC complete a revised final regulatory 
flexibility analysis (FRFA) of the final reporting procedures under Section 604 of the 
Regulatory Flexibility Act.  The last regulatory analysis was completed in August 14, 
2003, and this final regulatory flexibility analysis severely underestimates the cost of 
compliance with Section 404 of the Act.  The SEC’s 2003 FRFA states that small public 
companies will be “subject to an added reporting burden of approximately 398 hours and 
the portion of that burden that is reflected as the cost associated with outside 
professionals is approximately $35,286 [per year].  We believe, however, that the annual 
average burden and costs for small issuers are much lower.”(26)  Current industry 
estimates place the Section 404 compliance burden at almost $1 million per year for 
small public companies.(27)   
	Advocacy also recommends that the SEC complete a required Small Business 
Compliance Guide for this rule.  Under Section 212 of the Small Business Regulatory 
Enforcement Fairness Act (SBREFA), “for each rule or group of related rules for which 
an agency is required to prepare a final regulatory flexibility analysis…the agency shall 
publish one or more guides to assist small entities in complying with the rule.”(28)  
V.  Legislative Recommendations  
	Advocacy suggests that Congress revise Section 404 of the Act to exempt smaller 
public companies from the requirements of Section 404(b).  This is consistent with the 
SEC’s Advisory Committee report, which recommended that smaller public companies 
be held to a different compliance standard.(29) 
	Advocacy recommends that Congress require the SEC and the PCAOB to submit 
a report with recommendations to the relevant committees of Congress, including the 
U.S. House Small Business Committee and the U.S. Senate Small Business & 
Entrepreneurship Committee, assessing the impact of Section 404 on smaller public 
companies after two years of implementation.   
VI.  Conclusion
      Advocacy has worked closely with the SEC and the PCAOB since the Sarbanes-
Oxley Act was enacted in 2002 and appreciates their continuing efforts to make the 
internal controls process less burdensome for small public companies.  Based on input 
provided by small businesses at our roundtable, Advocacy strongly recommends that the 
SEC and the PCAOB continue to seek further flexibility for small public companies and 
an extension of time to comply with the requirements. Additionally, Advocacy urges 
Congress to exempt smaller public companies from Section 404(b).
ENDNOTES
1.  Regulatory Flexibility Act of 1980, Pub. L. No. 96-354, 94 Stat. 1164 (1980) (codified as amended at 5 
U.S.C. § 601 et seq.).  
2.  Archive of Advocacy comment letters on the Section 404 of the Act, http://www.sba.gov/advo. 
3.  Small business concerns from this roundtable are summarized in a comment letter from Thomas M. 
Sullivan, Chief Counsel, Office of Advocacy, SBA, to the SEC and the PCOAB (Feb. 21, 2007), available 
at:  http://www.sba.gov/advo/laws/comments/sec07_0221.html.
4.  Sarbanes-Oxley Act of 2002, Pub. L. 107-204, Title IV, 116 Stat. 789 (2002) (codified in 15 U.S.C. § 
7262).   
5.  15 U.S.C. § 7262.
6.  SEC Advisory Committee on Smaller Public Companies, Final Report of the SEC Advisory Committee 
on Smaller Public Companies 32 (Apr. 23, 2006) (Advisory Committee Report),  available at:  
http://www.sec.gov/info/smallbus/acspc.shtml.
7.  Advisory Committee Report, at 29 (emphasis added).
8.  FEI, Survey on SOX Section 404 Implementation, Exhibit A: Costs by Filing Status (March 2006).
9.  The Impact of Federal Regulations on Small Firms, an Advocacy-funded study by W. Mark Crain, Sept. 
2005 available at: http://www.sba.gov/advo/research/rs264tot.pdf.
10. Id.
11. Advisory Committee Report, at 33.
12. Id.
13. Committee on Capital Markets Regulation, Interim Report of the Committee on Capital Markets 
Regulation (Nov. 30, 2006), available at: 
http://www.capmktsreg.org/pdfs/11.30Committee_Interim_ReportREV2.pdf.
14. McKinsey & Co, Sustaining New York’s and the US Global Financial Services Leadership (Jan. 22, 
2007), available at: 
http://schumer.senate.gov/SchumerWebsite/pressroom/special_reports/2007/NY_REPORT%20_FINAL.pdf.
15. Commission on the Regulation of U.S. Capital Markets in the 21st Century, Report and 
Recommendations (March 2007), available at:  http://www.uschamber.com/portal/capmarkets/default.
16. Thomas E. Hartman, Foley & Lardner LLP, The Cost of Being Public in the Era of Sarbanes-Oxley 
(June 16, 2005), available at: http://www.fei.org/download/foley_6_16_2005.pdf.
17. Management’s Report on Internal Control Over Financial Reporting; Proposed interpretation; 
Proposed Rule, 71 Fed. Reg. 77,635 (Dec. 27, 2006).
18. Proposed Auditing Standard-An Audit of Internal Control Over Financial Reporting that is Integrated 
with an Audit of Financial Statements and Related Proposals, Release No. 2006-007 (Public Company 
Accounting Oversight Board, Dec. 2006).
19. Comment letter from Paul A. Sharman, President and CEO, Institute of Management Accountants, to 
the SEC and the PCOAB (Feb. 13, 2007) (IMA Comment Letter), available at:  
http://www.sec.gov/comments/s7-24-06/lddevonish-mills5470.pdf.
20. Comment letter from David C. Chavern, Chief Operating Officer and Senior Vice President, to the SEC 
and the PCAOB (February 26, 2007) (U.S. Chamber of Commerce Letter), available at:  
http://www.sec.gov/comments/s7-24-06/s72406-213.pdf.
21. IMA Comment Letter, at 2; U.S. Chamber of Commerce Letter, at 4.
22.  71 Fed. Reg. at 77,649 (Dec. 27, 2006). 
23. 71 Fed. Reg. 76,580 (Dec. 21, 2006).  Under the SEC’s extensions, non-accelerated filers would submit 
a management assessment report with its annual report for the first fiscal year ending on or after December 
15, 2007.  These entities would not be required to submit an auditor’s attestation report until the following 
year, or the first fiscal year ending on or after December 15, 2008.  
24. Telephone interview with William J. Zaiser, Chief Financial Officer, MHI Hospitality Corporation, in 
Greenbelt, Md. (Feb. 13, 2007).
25. GAO, Report to the Committee on Small Business and Entrepreneurship, U.S. Senate, Sarbanes-Oxley 
Act:  Consideration of Key Principles Needed in Addressing Implementation for Smaller Public 
Companies, at 17. (April 2006) available at: http://www.gao.gov/new.items/d06361.pdf.
26. Management’s Report on Internal Control Over Financial Reporting an Certification of Disclosure In 
Exchange Act Periodic Reports, Exchange Act Release No. 3308238; 34047986; IC-26068 (Aug. 14, 
2003), available at: http://www.sec.gov/rules/final/33-8238.htm.
27. See Note 8. 
28. Small Business Regulatory Enforcement Fairness Act, Pub. L. 104-121, Title II, 110 Stat. 857 (1996) 
(codified in various sections of 5 U.S.C. § 601 et seq.).
29. Advisory Committee Report, at 4. 




12