Statement submitted by The Honorable Thomas M. Sullivan Chief Counsel for Advocacy U.S. Small Business Administration U.S. Senate Committee on Small Business & Entrepreneurship April 18, 2007 Sarbanes-Oxley and Small Business: I am submitting this written statement because a death in my family prevents
me from presenting testimony in person. I commend the U.S. Senate Committee on
Small Business & Entrepreneurship for holding this hearing. And, I thank you for
soliciting my views. The topic of how the Sarbanes-Oxley Act impacts small
business is an important one and the small business community will benefit by
this Committee’s focus on the proposals under consideration by the U.S.
Securities and Exchange Commission (SEC) and the Public Company Accounting
Oversight Board (PCAOB). Congress established the Office of Advocacy to represent the views of small
entities before Congress and Federal agencies. The Office of Advocacy (Advocacy)
is an independent office within the U.S. Small Business Administration (SBA),
and therefore the comments expressed in this statement do not necessarily
reflect the position of the Administration or the SBA. Advocacy takes its
direction from small businesses; therefore my remarks will be a reflection of
what small business groups have shared with Advocacy. One of Advocacy’s main
responsibilities is to ensure agency compliance with the Regulatory Flexibility
Act (RFA). The RFA’s main purpose is to make certain that small entities are
given due consideration when agencies promulgate regulations.(1) Advocacy’s involvement with the Sarbanes-Oxley Act (the Act) began in 2002,
when our office asked Chairman Oxley and Chairman Sarbanes to include
flexibility in the bill then being considered that would be sufficient to avoid
unnecessary impacts to small businesses. Since the passage of the Act, small
business representatives have contacted Advocacy to inform us of their concerns
with the new audit requirements of Section 404. Advocacy has submitted numerous
comment letters to the SEC and the PCAOB communicating these small business
concerns.(2) Small businesses are worried that auditors, when faced with a new
requirement to sign off on a company’s internal controls, will employ expensive
and time-consuming audit procedures. There is a compelling record demonstrating
that the costs of complying with Section 404 are large and disproportionately
high for small public companies. These entities have told Advocacy that changes
to the requirements of Section 404 of the Act are necessary. Advocacy believes
that the excessive cost of Section 404 internal controls reporting may restrict
a new generation of small innovative companies from seeking capital in the U.S.
capital markets. To its credit, after the passage of the Sarbanes-Oxley Act, the Commission
quickly realized the costs inherent in complying with Section 404 and delayed
the implementation of Section 404 for small businesses. I would like to thank
Chairman Cox and Chairman Olson for their leadership, hard work, and on-going
dedication in the difficult process of implementing Section 404. The SEC and the
PCAOB should also be commended for their job in reaching out to small public
companies to understand the impacts and problems with Section 404. In 2005, the
SEC chartered the Advisory Committee on Smaller Public Companies (Advisory
Committee) to assess the impact of the Act on smaller companies, and make
recommendations for changes. After a year of deliberations and solicitation of
public input, the Advisory Committee made its final written recommendations last
year. The SEC and the PCAOB have also held roundtables to solicit input from
small public companies, and listened to the concerns of the small business
community. Advocacy hosted its own small business roundtable in January 2007 to solicit
input from small business representatives on the new proposals undertaken by the
SEC and the PCAOB.(3) This roundtable followed years of dialogue between
Advocacy and small entities concerning the implementation of the Act. Advocacy
commends the staff members of the SEC and the PCAOB who attended this roundtable
and explained the proposals, answered questions, and listened to issues of the
small business community. Small businesses raised significant concerns with
these proposals, including: (1) the need for further clarifications of major
provisions from these proposals, (2) the need to examine whether these proposals
actually reduce compliance costs and provide scalability for small public
companies, and (3) the need for more time to implement the new requirements. Based on these comments, Advocacy strongly recommends that the SEC continue
to provide further extensions for small public companies until such time as more
cost-effective procedures for internal controls can be developed. Additionally,
Advocacy urges Congress to exempt smaller public companies from Section 404(b). I. Background on Section 404- One Size Does Not Fit All Congress enacted the Sarbanes-Oxley Act of 2002 (the Act)(4) in response to
public concern about high-profile fraudulent financial reporting by companies
like Enron and Worldcom. Section 404 of the Act requires public companies to
report on their internal controls over financial reporting, or about systems
they have in place to guard against fraudulent transactions. Section 404(a)
requires management to establish and maintain an adequate internal control
structure and include in its annual report to the SEC an assessment or a report
of the effectiveness of these internal controls. Section 404(b) requires that
management hire an outside auditing firm to submit an audit report attesting to,
and reporting on the management’s assessment of the company’s internal
controls.(5) The ultimate goal of this section is to ensure the accuracy of a
company’s financial reports, and thus improve investor confidence. The Public
Company Accounting Oversight Board, a non-profit corporation created by the Act
to oversee the auditors of public companies, created Auditing Standard No.2
(AS-2) as a guide for auditors evaluating a company’s internal controls
reporting under Section 404(b). The SEC’s own Advisory Committee on Smaller Public Companies has concluded
that a big problem with Section 404 was the implementation of AS-2, a
prescriptive 300-page “grade book” for auditors evaluating public companies.(6)
External auditors have applied this one-size-fits-all standard to both large and
small companies. Companies have reported that auditors are not focusing on risks
to financial reporting, but are auditing every process, which created
redundancies and excessive costs. In the absence of management guidance,
companies have been obliged to use the complicated AS-2 as a de facto
guidance. Small public companies have experienced challenges in implementing
AS-2, because it does not take into account the different characteristics that
affect a company’s financial reporting risks and internal controls, such as
differences in organizational structure, ability to segregate duties and amount
of resources available for Section 404 compliance. II. Section 404 Imposes Disproportionate Costs On Smaller Public Companies
Due to the problems with Section 404 and AS-2, the costs of implementing
Section 404 have greatly exceeded those originally anticipated by the SEC. In
June 2003, the SEC estimated that “the average annual internal cost of
compliance with Section 404 over the first three years would be $91,000,
and that cost would be proportional relative to the size of the company.”(7) To
the contrary, all evidence indicates that Section 404 compliance costs are
dramatically higher. A survey of actual compliance costs conducted by Financial
Executives International in 2006 found that first-year compliance costs for
Section 404 were $3.8 million for accelerated filers and $935,000 for smaller
public companies or non-accelerated filers.(8) Smaller public companies are likely to be hit especially hard by the costs of
compliance with Section 404. The 2005 Advocacy-funded study by W. Mark Crain,
The Impact of Regulatory Costs on Small Firms, found that, in general, small
businesses are disproportionately affected by federal regulations.(9) Crain
found that small firms with fewer than 20 employees annually spend 45 percent
more per employee than larger firms to comply with federal regulations.(10)
Likewise, the report by the SEC’s Advisory Committee on Smaller Public Companies
noted that Section 404 costs in relation to revenue will be disproportionately
borne by smaller public companies.(11) This report found that small public
companies with a market capitalization of under $100 million are expected to
spend 2.55 percent of their revenue on Section 404 compliance, while larger
companies with a market capitalization of over $1 billion are expected to spend
0.16 percent of their revenue on such costs.(12) Moreover, recent studies by the Committee on Capital Markets Regulation,(13)
McKinsey & Company,(14) and the U.S. Chamber of Commerce(15) provide evidence
that the burdensome Section 404 requirements have already made the United States
capital markets an increasingly unattractive environment to list shares,
decreasing the number of initial public offerings (IPOs), and forcing companies
to go private or to foreign stock exchanges. In a study by Foley & Lardner LLP,
81 percent of respondents felt that the Section 404 requirements were too
strict, and 21 percent of respondents are considering going private as a
result.(16) The Section 404 requirements will likely impose major obstacles to
small public companies seeking capital, perhaps to such an extent that their
application to small issuers would dissuade small businesses entirely from
accessing U.S. capital markets. III. Small Entities Have Expressed Serious Concerns with Both Proposals Advocacy acknowledges the efforts undertaken by the SEC and the PCAOB to make
internal controls reporting requirements more cost-effective and efficient for
small public companies. The SEC’s proposed management guidance attempts to set
forth a “top-down, risk-based” approach for management to complete Section
404(a).(17) The PCAOB also revised the controversial Auditing Standard No. 2,
incorporating the same “top-down, risk-based” approach.(18) Despite these efforts, small businesses continue to have serious concerns
about Section 404. On January 26, 2007, Advocacy held a small business
roundtable, including small business owners and representatives, trade
association staff, congressional staffers, and personnel from the SEC and the
PCAOB. Participants raised the following concerns with the SEC’s management
guidance and the PCAOB’s revised auditing standard: 1) Small Businesses Request Clarification of Major Provisions in Both
Proposals a. The SEC and the PCAOB Must Resolve Differences Between the Management
Guidance and the Revised Auditing Standard The Institute of Management Accountants has commented that the SEC
and the PCAOB have created two conflicting rule books for the same task
of internal controls reporting, and this is a source of confusion and
complexity.(19) For example, small businesses are concerned that the SEC’s management guidance is vague and “principles-based” to provide
scalability for the management of small public companies, while the
PCAOB’s revised auditing standard is more prescriptive and detailed on
how auditors must evaluate a management’s internal controls reporting
process. Small businesses have stated that they will be using the
PCAOB’s revised auditing standard as their de facto guidance,
because they are afraid that following the SEC’s management guidance
will result in a negative audit by an auditor utilizing a more detailed
and prescriptive auditing standard. Advocacy recommends that the SEC add
practical information in the management guidance on how management can
complete a scaled internal controls report. For example, the U.S.
Chamber of Commerce has commented that the SEC guidance could use more
illustrative examples and feedback of how the guidance should be
implemented, such as examples of insufficient compliance measures as
well as overly conservative implementation.(20) Advocacy also recommends
that the SEC and the PCAOB work together to make the revised auditing
standard less prescriptive. b. The SEC and the PCAOB Should Address Management and Auditor
Liability
Addressing Proposed Regulatory Changes and their Impacts on Capital Markets
The Institute of Management Accountants and the U.S. Chamber of Commerce
have commented on very significant inconsistencies between the two
documents, including the process of identifying controls and significant
accounts, and definitions such as material weakness, significant
deficiency, and materiality.(21) Advocacy also recommends that the SEC
and PCAOB work together to make sure that these inconsistencies are
harmonized.
Participants at the roundtable raised the issue of liability in the Section 404 process as an important factor that most impedes the ability of these proposals to provide a scalable and cost-effective audit. These small business representatives stated that the management of small public companies needs assurances that they will not be held liable for completing a scaled-down report pursuant to the management guidance. In particular, small businesses seek clarification of the provision which states that “the proposed amendments would be similar to a non-exclusive safe-harbor.”(22) Participants of the roundtable asked for further details of the safe harbor, such as how this safe harbor can be claimed and what type of liability protection this would afford.
Participants noted that auditors also need assurances from the PCAOB that they will not be penalized for auditing and approving a scaled management report in the PCAOB inspections process. One participant at the roundtable stated that auditors are attributing a large percentage of their auditing fees to the potential liability and litigation exposure for these Section 404 audits. These new Section 404 requirements are likely increasing the potential liability of auditors and increasing the costs of these audits.
2) The SEC and the PCAOB Need to Examine Whether Proposals Reduce the Compliance Costs and Provide Scalability for Small Public Companies
Participants at Advocacy’s roundtable commented that the SEC’s management guidance and the PCAOB’s revised auditing standard do not provide enough guidance on how small public companies can scale their audits to make them cost-effective. Small public companies need further guidance on ways that their audit of internal controls can be tailored, in the form of illustrations, case studies and examples.
Small business representatives also suggested that the rules implementing Section 404 not be implemented until these proposals have been fully tested to determine whether they will actually result in scalability and cost savings for small public companies. Such testing would allow for corrections in the standard, if the testing shows that the standard needs revision.
3) Small Public Companies Need More Time to Implement New Requirements
Small public companies expressed concern with the timing of these draft proposals. Although the SEC and the PCAOB just released these proposals in December 2006, most small public companies will still be expected to complete a management report on internal controls reporting by the end of the year and submit an auditor’s report attesting to these internal controls next year.(23) Neither of these proposals has been finalized, and the SEC and the PCAOB still need to complete major revisions to their respective proposals. Participants at the Advocacy’s roundtable strongly recommended that the SEC provide a further extension for small public companies in order to provide management with extra time to understand and implement these complex Section 404 proposals. Small entities commented that they had already planned and budgeted for FY 2007 the prior year, and it would be difficult and costly to start a new internal control reporting process in the middle of spring 2007.
Participants at the roundtable explained that it will take a longer time for small public companies to create and implement any new internal controls reporting process. Although small public companies regularly submit annual financial reports to the SEC, the internal controls reporting process is time intensive because it adds the new requirements of identifying processes, assessing risk levels, and documenting and testing the internal controls. Small companies are at a disadvantage in complying with Section 404 because they have more informal processes and fewer personnel and accountants. William Zaiser, the Chief Financial Officer at a MHI Hospitality Corporation, a small public company with a market capitalization of $64 million, hired an external consultant, and it still took four months to begin the internal controls reporting process. Zaiser stated that it would be very difficult if his company had to start the Section 404 process at this later date because his company would have to hire extra staff, or he would have to devote a large amount of his time to this project.(24) According to a Government Accountability Office survey of small business companies in 2005, 81 percent of the respondents hired a separate accounting firm or external consultants to assist them with Section 404 requirements, at an individual cost of $3,000 to $1.4 million.(25)
IV. Regulatory Flexibility Act Determinations
Advocacy commends the SEC and the PCAOB for developing these proposals in an effort to make Section 404 more cost-effective and efficient for small companies. Advocacy strongly recommends that the SEC continue to provide further extensions for small public companies until such time as more cost-effective procedures for internal controls reporting can be developed.
Advocacy also recommends that the SEC complete a revised final regulatory flexibility analysis (FRFA) of the final reporting procedures under Section 604 of the Regulatory Flexibility Act. The last regulatory analysis was completed in August 14, 2003, and this final regulatory flexibility analysis severely underestimates the cost of compliance with Section 404 of the Act. The SEC’s 2003 FRFA states that small public companies will be “subject to an added reporting burden of approximately 398 hours and the portion of that burden that is reflected as the cost associated with outside professionals is approximately $35,286 [per year]. We believe, however, that the annual average burden and costs for small issuers are much lower.”(26) Current industry estimates place the Section 404 compliance burden at almost $1 million per year for small public companies.(27)
Advocacy also recommends that the SEC complete a required Small Business Compliance Guide for this rule. Under Section 212 of the Small Business Regulatory Enforcement Fairness Act (SBREFA), “for each rule or group of related rules for which an agency is required to prepare a final regulatory flexibility analysis…the agency shall publish one or more guides to assist small entities in complying with the rule.”(28)
V. Legislative Recommendations
Advocacy suggests that Congress revise Section 404 of the Act to exempt smaller public companies from the requirements of Section 404(b). This is consistent with the SEC’s Advisory Committee report, which recommended that smaller public companies be held to a different compliance standard.(29)
Advocacy recommends that Congress require the SEC and the PCAOB to submit a
report with recommendations to the relevant committees of Congress, including
the U.S. House Small Business Committee and the U.S. Senate Small Business &
Entrepreneurship Committee, assessing the impact of Section 404 on smaller
public companies after two years of implementation.
VI. Conclusion
Advocacy has worked closely with the SEC and the PCAOB since the Sarbanes-Oxley Act was enacted in 2002 and appreciates their continuing efforts to make the internal controls process less burdensome for small public companies. Based on input provided by small businesses at our roundtable, Advocacy strongly recommends that the SEC and the PCAOB continue to seek further flexibility for small public companies and an extension of time to comply with the requirements. Additionally, Advocacy urges Congress to exempt smaller public companies from Section 404(b).
ENDNOTES
1. Regulatory Flexibility Act of 1980, Pub. L. No. 96-354, 94 Stat. 1164 (1980) (codified as amended at 5 U.S.C. § 601 et seq.).
2. Archive of Advocacy comment letters on the Section 404 of the Act, http://www.sba.gov/advo.
3. Small business concerns from this roundtable are summarized in a comment letter from Thomas M. Sullivan, Chief Counsel, Office of Advocacy, SBA, to the SEC and the PCOAB (Feb. 21, 2007), available at: http://www.sba.gov/advo/laws/comments/sec07_0221.html.
4. Sarbanes-Oxley Act of 2002, Pub. L. 107-204, Title IV, 116 Stat. 789 (2002) (codified in 15 U.S.C. § 7262).
5. 15 U.S.C. § 7262.
6. SEC Advisory Committee on Smaller Public Companies, Final Report of the SEC Advisory Committee on Smaller Public Companies 32 (Apr. 23, 2006) (Advisory Committee Report), available at: http://www.sec.gov/info/smallbus/acspc.shtml.
7. Advisory Committee Report, at 29 (emphasis added).
8. FEI, Survey on SOX Section 404 Implementation, Exhibit A: Costs by Filing Status (March 2006).
9. The Impact of Federal Regulations on Small Firms, an Advocacy-funded study by W. Mark Crain, Sept. 2005 available at: http://www.sba.gov/advo/research/rs264tot.pdf.
10. Id.
11. Advisory Committee Report, at 33.
12. Id.
13. Committee on Capital Markets Regulation, Interim Report of the Committee on Capital Markets Regulation (Nov. 30, 2006), available at: http://www.capmktsreg.org/pdfs/11.30Committee_Interim_ReportREV2.pdf.
14. McKinsey & Co, Sustaining New York’s and the US Global Financial Services Leadership (Jan. 22, 2007), available at: http://schumer.senate.gov/SchumerWebsite/pressroom/special_reports/2007/NY_REPORT%20_FINAL.pdf.
15. Commission on the Regulation of U.S. Capital Markets in the 21st Century, Report and Recommendations (March 2007), available at: http://www.uschamber.com/portal/capmarkets/default.
16. Thomas E. Hartman, Foley & Lardner LLP, The Cost of Being Public in the Era of Sarbanes-Oxley (June 16, 2005), available at: http://www.fei.org/download/foley_6_16_2005.pdf.
17. Management’s Report on Internal Control Over Financial Reporting; Proposed interpretation; Proposed Rule, 71 Fed. Reg. 77,635 (Dec. 27, 2006).
18. Proposed Auditing Standard-An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements and Related Proposals, Release No. 2006-007 (Public Company Accounting Oversight Board, Dec. 2006).
19. Comment letter from Paul A. Sharman, President and CEO, Institute of Management Accountants, to the SEC and the PCOAB (Feb. 13, 2007) (IMA Comment Letter), available at: http://www.sec.gov/comments/s7-24-06/lddevonish-mills5470.pdf.
20. Comment letter from David C. Chavern, Chief Operating Officer and Senior Vice President, to the SEC and the PCAOB (February 26, 2007) (U.S. Chamber of Commerce Letter), available at: http://www.sec.gov/comments/s7-24-06/s72406-213.pdf.
21. IMA Comment Letter, at 2; U.S. Chamber of Commerce Letter, at 4.
22. 71 Fed. Reg. at 77,649 (Dec. 27, 2006).
23. 71 Fed. Reg. 76,580 (Dec. 21, 2006). Under the SEC’s extensions, non-accelerated filers would submit a management assessment report with its annual report for the first fiscal year ending on or after December 15, 2007. These entities would not be required to submit an auditor’s attestation report until the following year, or the first fiscal year ending on or after December 15, 2008.
24. Telephone interview with William J. Zaiser, Chief Financial Officer, MHI Hospitality Corporation, in Greenbelt, Md. (Feb. 13, 2007).
25. GAO, Report to the Committee on Small Business and Entrepreneurship, U.S. Senate, Sarbanes-Oxley Act: Consideration of Key Principles Needed in Addressing Implementation for Smaller Public Companies, at 17. (April 2006) available at: http://www.gao.gov/new.items/d06361.pdf.
26. Management’s Report on Internal Control Over Financial Reporting an Certification of Disclosure In Exchange Act Periodic Reports, Exchange Act Release No. 3308238; 34047986; IC-26068 (Aug. 14, 2003), available at: http://www.sec.gov/rules/final/33-8238.htm.
27. See Note 8.
28. Small Business Regulatory Enforcement Fairness Act, Pub. L. 104-121, Title II, 110 Stat. 857 (1996) (codified in various sections of 5 U.S.C. § 601 et seq.).
29. Advisory Committee Report, at 4.