February 21, 2007

Via Electronic Mail 

The Honorable Christopher Cox, Chairman
U.S. Securities and Exchange Commission
Attn: Nancy M. Morris, Secretary  
100 F Street, NE
Washington, DC 20549 
Electronic Address:  rule-comments@sec.gov

The Honorable Mark W. Olson, Chairman
Attn:  Office of the Secretary
Public Company Accounting Oversight Board 
1666 K Street, N.W.
Washington, D.C. 20006-2803
Electronic Address:  comments@pcaobus.org


Re:   SEC File Number S-7-24-06; Management’s Report on Internal Control Over 
Financial Reporting (71 Fed. Reg. 77,635);
     PCAOB Release No. 2006-007; Proposed Auditing Standard 

Dear Chairmen Cox and Olson: 

The Office of Advocacy (Advocacy) of the Small Business Administration (SBA) 
respectfully submits this comment letter on the U.S. Securities and Exchange 
Commission’s (SEC) proposed interpretative guidance and proposed rule, Management’s 
Report on Internal Control Over Financial Reporting,(1) and the Public Company 
Accounting Oversight Board’s (PCAOB) proposed revised auditing standard, An Audit of 
Internal Control Over Financial Reporting.(2)  Advocacy acknowledges the efforts 
undertaken by the SEC and the PCAOB to make the internal controls reporting 
requirements under Section 404 of the Sarbanes-Oxley Act (SOX)(3) more cost-effective 
and efficient for small public companies.

Advocacy hosted a roundtable on Friday, January 26, 2007, to solicit input from small 
business representatives on the new proposals by the SEC and the PCAOB.  Advocacy 
applauds the many dedicated members of the SEC and the PCAOB who attended this 
roundtable and explained the proposals, answered questions, and listened to the concerns 
of the small business community.  This comment letter discusses a few of the major 
problems raised by small businesses, in particular:  1) the need for further exemptions 
due to the recent receipt of the guidance and the revised auditing standard, 2) the request 
for clarifications of major provisions in these proposals, and 3) the issue of whether these 
proposals actually “fix” the problem of scalability and high costs in internal controls 
reporting for small public companies.  

Based on small business comments, Advocacy believes that the Section 404 requirements 
may still impose large and disproportionate costs on small public companies after these 
proposals are finalized, which may restrict the ability of a new generation of small, 
innovative companies from seeking capital in the U.S. capital markets.  Advocacy 
strongly recommends that the SEC continue to provide further exemptions for small 
public companies until such time as more cost-effective procedures for internal controls 
reporting can be developed.   
  
I.  The Office of Advocacy 

Congress established the Office of Advocacy in 1976 by Pub. L. 94-305 to represent the 
views and the interests of small business within the federal government.  Advocacy is an 
independent office within SBA, so the views expressed by Advocacy do not necessarily 
reflect the views of the SBA or the Administration.  The Regulatory Flexibility Act 
(RFA),(4) as amended by the Small Business Regulatory Enforcement Fairness Act 
(SBREFA),(5) gives small entities a voice in the rulemaking process.  For all rules that 
are expected to have a significant economic impact on a substantial number of small 
entities, federal agencies are required by the RFA to assess the impact of the proposed 
rule on small business and to consider less burdensome alternatives.(6)  Advocacy 
regularly hosts small business roundtables to solicit feedback and information from small 
business representatives on regulatory proposals.

II.  Background

In 2003, the SEC adopted rules implementing Section 404 of SOX, which required public 
companies to submit reports on their internal controls, or systems in place in a company 
to guard against fraudulent or mistaken transactions and to ensure the accuracy of annual 
financial reports.(7)  Section 404(a) requires that management provide a report assessing 
the effectiveness of their internal controls.  Section 404(b) requires an external auditor to 
submit one report on whether the management’s assessment is fairly stated and another 
report on whether the company’s internal control is effective.(8)   The Public Company 
Accounting Oversight Board (PCAOB), a non-profit corporation created by SOX to 
oversee the auditors of public companies, created Auditing Standard No. 2 (AS2) as a 
guide for auditors evaluating a company’s internal controls reporting under Section 
404(b).(9)  

The SEC divided public companies into two categories, non-accelerated filers (small 
public companies with a market capitalization of below $75 million); and accelerated 
filers (companies with a market capitalization of above $75 million).  The SEC estimates 
that there were over 4,000 small public companies that make up 44 percent of the listed 
public companies in 2005.(10) 

In the absence of management guidance in 2004, accelerated filers complying with 
Section 404 had to utilize the complicated auditing standard AS2.  These entities testified 
that AS2 was a one-size-fits-all standard that had onerous requirements and resulted in 
excess costs and redundancies.  In April 2006, the SEC’s Advisory Committee on 
Smaller Public Companies (“Advisory Committee”) recommended that the SEC provide 
exemptions from the internal control requirements of Section 404 for smaller public 
companies, unless and until a cost effective framework was developed that recognizes the 
characteristics and needs of these companies.(11) 

On December 15, 2006, the SEC extended the compliance deadlines to Section 404 for 
non-accelerated filers (small public companies).(12)  In this same month, the SEC 
released their proposed interpretative guidance and proposed rule, and the PCAOB 
released their proposed revised auditing standard.  The SEC’s proposed interpretation sets 
forth a “top-down, risk-based” approach for management to complete Section 404(a), 
which is supposed to make this process more effective and efficient.  The SEC’s 
proposed rule states that management can fulfill Section 404(a) by following the 
interpretative guidance.  The SEC is also proposing to change Section 404(b) by 
requiring only one auditor attestation report on the effectiveness of management’s 
internal controls reporting.(13)   The PCAOB’s revised auditing standard also 
incorporates this “top-down, risk-based” approach.  

III.  Small Entities Have Expressed Serious Concerns with Both Proposals  

Over 35 people participated in Advocacy’s small business roundtable, including small 
business owners and representatives, trade association staff, congressional staffers, and 
personnel from the SEC and the PCAOB.  Participants raised many concerns with the 
SEC’s management guidance and the PCAOB’s revised auditing standard, in particular: 
1) the need for further exemptions due to the recent receipt of the guidance and the 
revised auditing standard, 2) the request for clarifications of major provisions in these 
proposals, and 3) the issue of whether these proposals actually “fix” the problem of 
scalability and high costs in internal controls reporting for small public companies.  

1)  Small Public Companies Need Further Exemptions Due to Recent Receipt of 
Management Guidance and Revised Auditing Standard

Small public companies expressed concern with the timing of these draft proposals.  The 
SEC and the PCAOB just released these proposals in December 2006, but most small 
public companies are expected to complete a management report on internal controls 
reporting by the end of the year and submit an auditor’s report attesting to these internal 
controls next year.(14)  Participants at the roundtable strongly recommended that the 
SEC provide a further extension for small public companies, to provide management with 
extra time to understand and implement these complex Section 404 proposals.  Small 
entities commented that they had already planned and budgeted for FY 2007 the prior 
year, and it would be difficult and costly to start a new internal control reporting process 
in the middle of spring 2007.

Participants at the roundtable explained that it will take a longer time for small public 
companies to create and implement an internal controls reporting process.  Although 
small public companies regularly submit annual financial reports to the SEC, the internal 
controls reporting process is time intensive because it adds the new requirements of 
identifying processes, assessing risk levels, and documenting and testing the internal 
controls.  Small companies are at a disadvantage in complying with Section 404 process 
because they have more informal processes, fewer personnel and accountants and have 
no experience complying with Section 404 of SOX.  William Zaiser, the Chief Financial 
Officer at a small public company with a market capitalization of $64 million, hired an 
external consultant, and it still took four months to begin the internal controls reporting 
process.  Zaiser stated that it would be very difficult if his company had to start the 
Section 404 process at this late date, because his company would have to hire extra staff 
or he would have to devote a large amount of his time on this project.(15)  According to 
the Government Accounting Office survey of small business companies in 2005, 81 
percent of the respondents hired a separate accounting firm or external consultants to 
assist them with Section 404 requirements, at an individual cost of $3000 to $1.4 
million.(16) 

2)  Small Businesses Request Clarifications of Major Provisions in Proposals

a.  The SEC and The PCAOB Must Resolve Differences Between the Management 
Guidance and Revised Auditing Standard

The Institute of Management Accountants (IMA) has commented that the SEC and the 
PCAOB have created two rule books for the same task of internal controls reporting, and 
this is a source of confusion and complexity.(17)  Small businesses at the roundtable 
were concerned that the management guidance is “ambiguity disguised as flexibility,” 
because the standard is so vague that it does not provide any practical guidance that the 
management of small public companies need on how to complete internal controls 
reporting under Section 404(a).   The SEC guidance seeks to provide flexibility and 
scalability for small public companies, and therefore “does not prescribe a particular 
methodology for the identification of risks and controls.”(18)   In contrast, the PCAOB’s 
revised accounting standard is very prescriptive, and contains detailed bullet points on 
how auditors must evaluate a management’s internal control reporting process.  The IMA 
has also commented that it has identified three very significant differences and/or 
inconsistencies between the two documents, on topics such as the control environment 
evaluation, identifying significant accounts and strong indicators of material 
weakness.(19)  

Small business representatives have stated that they will be using the PCAOB’s revised 
auditing standard as their de facto guidance, because they are afraid that following the 
SEC’s vague and flexible management guidance will result in a negative audit by an 
auditor utilizing the more detailed and prescriptive revised auditing standard.  Advocacy 
believes that the SEC and PCAOB must work together to resolve any differences or 
inconsistencies between the management guidance and the revised auditing standard.  
Participants have also recommended that additional information be provided in the 
management guidance, without being overly prescriptive.  For example, the SEC 
guidance should provide examples and case studies of sample or successful audits of 
different types and sizes of companies. 

b. The SEC and the PCAOB Must Address Management and Auditor Liability  

Participants at the roundtable raised the issue of liability in the Section 404 process as an 
important factor that most impedes the ability of these proposals to provide a scalable and 
cost-effective audit. 

Roundtable participants stated that the management of small public companies needs 
assurances that they will not be held liable for completing a scaled-down audit pursuant 
to the management guidance, because the incentive is for management to complete extra 
work to protect themselves and their company from liability.  In particular, small 
businesses seek clarification of the provision which states that “the proposed amendments 
would be similar to a non-exclusive safe-harbor.”(20)  According to this proposed 
amendment, if management chooses to follow the management guidance, they will have 
complied with Section 404(a).  Normally, a safe harbor affords some protection from 
liability or a penalty.  Participants of the roundtable asked for further details of this safe 
harbor, such as how this safe harbor can be claimed and what type of liability protection 
this would afford. 

Participants noted that auditors also need assurances from the PCAOB that they will not 
be penalized for auditing and approving a scaled management report in the inspections 
process. Auditors have every incentive to complete a larger audit, since they could charge 
extra fees and protect themselves from liability in PCOAB inspections.  One participant 
at the roundtable stated that auditors are attributing a large percentage of their auditing 
fees to the potential liability and litigation exposure for these Section 404 audits.  These 
new Section 404 requirements are likely to increase the potential liability of auditors, and 
increase the costs of these audits. 

3)  Small Public Companies Question Whether Proposals Will Actually Fix 
Problems of Scalability and High Costs

Many small business representatives at the roundtable commented that there needs to be a 
further exemption to test if these two proposals will actually result in scalability and cost 
savings for these small public companies.  Laura Phillips, Deputy Chief Auditor at the 
PCAOB, told participants at the roundtable that the PCAOB is currently conducting a 
field test of accelerated filers with their revised auditing standards in 2007 to see if this 
standard results in cost savings, in preparation for the 404(b) audit of small public 
companies in 2008.  Small businesses commented that a further exemption would allow 
for corrections in the standard, if the testing shows that the standard needs to be revised.  
One participant at the roundtable asked how the SEC and the PCAOB would measure the 
benchmarks or effectiveness of their proposals in providing scalability and cost savings to 
small public companies.  This small business representative commented that “if the cost 
of the full audit continues to be disproportionately high for small companies, the 
incremental benefit of this full blown audit to investors should be separately evaluated 
using rigorous quantitative methods rather than vague notions of investor protection.”
While these proposals are helpful, Advocacy believes that the SEC and the PCAOB have 
overestimated the cost savings these proposals would create.




IV.	  Section 404 Requirements Will Still Impose Large and Disproportionate Costs            
        on Small Public Companies

Based on these comments made by small business representatives at the roundtable, 
Advocacy believes that the Section 404 requirements will still impose large and 
disproportionate costs on small public companies.  

In June 2003, the SEC estimated that the average annual internal cost of compliance with 
Section 404 would be $91,000, and that the cost would be proportional relative to the size 
of the company.(21)  Surveys of actual Sarbanes-Oxley Section 404 costs indicate that 
non-accelerated filers spent approximately $935,000 to comply with Section 404.(22)   
According to the SEC’s Advisory Committee Report, costs in relation to revenue will be 
disproportionately borne by smaller public companies.  To comply with Section 404 
requirements, smaller public companies with a market capitalization under $100 million 
are expected to spend 2.55 percent of their revenue, while larger companies with a market 
capitalization of over $1 billion are expected to spend 0.16 percent of their revenue.(23)   
A study by W. Mark Crain found similar disproportionate costs borne by small entities, 
finding that very small firms with fewer than 20 employees annually spend 45 percent 
more per employee than larger firms to comply with federal regulations.(24)   

Recent studies backed by Treasury Secretary Henry Paulson,(25) New York City Mayor 
Michael Bloomberg, and U.S. Senator Charles Schumer(26) provide evidence that the 
burdensome SOX requirements have already made the United States capital markets an 
increasingly unattractive environment to list shares, decreasing the number of initial 
public offerings (IPOs), and forcing companies to go private or to foreign stock 
exchanges.  In a study by Foley & Lardner LLP, 81 percent of respondents felt that the 
SOX requirements were too strict, and 21 percent of respondents are considering going 
private as a result.(27)  SOX requirements will likely impose major obstacles to small 
public companies seeking capital, perhaps to such an extent that their application to small 
issuers would prevent small businesses entirely from accessing U.S. capital markets.   




V.  Regulatory Flexibility Act Determinations  

Advocacy commends the SEC and the PCAOB for developing these proposals in an 
effort to make Section 404 more cost-effective and efficient for small companies. 
Advocacy strongly recommends that the SEC continue to provide further exemptions for 
small public companies until such time as more cost-effective procedures for internal 
controls reporting can be developed.   

Advocacy also recommends that the Securities and Exchange Commission complete a 
revised final regulatory flexibility analysis (FRFA) under Section 604 of the Regulatory 
Flexibility Act.  The last regulatory analysis was completed in August 14, 2003, and this 
final regulatory flexibility analysis severely underestimates the cost of compliance with 
Section 404 of SOX.  The SEC’s 2003 FRFA states that small public companies will be 
“subject to an added reporting burden of approximately 398 hours and the portion of that 
burden that is reflected as the cost associated with outside professionals is approximately 
$35,286.  We believe, however, that the annual average burden and costs for small issuers 
are much lower.”(28)  Current industry estimates place the Section 404 compliance 
burden at almost $1 million for small public companies.(29)   

Advocacy also recommends that the SEC complete a required Small Business 
Compliance Guide for this rule.  Under Section 212 of the Small Business Regulatory 
Enforcement Fairness Act (SBREFA), “for each rule or group of related rules for which 
an agency is required to prepare a final regulatory flexibility analysis…the agency shall 
publish one or more guides to assist small entities in complying with the rule.”(30)  

VI.  Conclusion 

The Office of Advocacy has worked closely with the SEC and the PCAOB since the 
Sarbanes-Oxley Act was enacted in 2002, and appreciates the continuing efforts of these 
entities to make the internal controls process cost-effective and efficient for small public 
companies.  Small businesses provided input at our roundtable, and were concerned about 
the timing of the proposals, the need for further clarifications and the commented that 
these proposals will not fix the problems of scalability and high costs in internal controls 
reporting.  Advocacy strongly recommends that the SEC provide further flexibility for 
small public companies.  

Advocacy is pleased to forward the comments and concerns of small businesses.  Please 
feel free to contact me or Janis Reyes at (202) 619-0312 (Janis.Reyes@sba.gov) if you 
have any questions or require additional information.

Sincerely,

//signed//
Thomas M. Sullivan 
Chief Counsel of Advocacy 

//signed//
Janis C. Reyes
Assistant Chief Counsel


cc:	Steven D. Aitken, Acting Administrator, Office of Information and Regulatory Affairs

ENDNOTES

1.  Management’s Report on Internal Control Over Financial Reporting; Proposed 
interpretation; Proposed Rule, 71 Fed. Reg. 77,635 (Dec. 27, 2006). 
2.  Proposed Auditing Standard-An Audit of Internal Control Over Financial Reporting 
that is Integrated with an Audit of Financial Statements and Related Proposals, Release 
No. 2006-007 (Public Company Accounting Oversight Board, Dec. 2006), available at: 
http://www.pcaobus.org/Rules/Docket_021/index.aspx.
3.  Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (2002).  
4.  Regulatory Flexibility Act of 1980, Pub. L. No. 96-354, 94 Stat. 1164 (1980) (codified 
as amended at 5 U.S.C. § 601 et seq.).  
5.  Small Business Regulatory Enforcement Fairness Act, Pub. L. 104-121, Title II, 110 
Stat. 857 (1996) (codified in various sections of 5 U.S.C. § 601 et seq.).
6.  5 U.S.C. § 603.   
7.  Sarbanes-Oxley Act of 2002, Pub. L. 107-204, Title IV, 116 Stat. 789 (2002) (codified 
in 15 U.S.C. § 7262).   
8.  SEC Advisory Committee on Smaller Public Companies, Final Report of the SEC 
Advisory Committee on Smaller Public Companies 31 (Apr. 23, 2006) (Advisory 
Committee Report),  available at:  http://www.sec.gov/info/smallbus/acspc.shtml.
9.  15 U.S.C. § 7262.
10.  Advisory Committee Report, at E3.  The data on this graph was from the Center for 
Research in Security Prices.  It lists 4,171 public companies that had a market 
capitalization of up to $75 million in 2005. 
11. Advisory Committee Report, at 6. 
12. Internal Control Over Financial Reporting in Exchange Act Periodic Reports of Non-
Accelerated Filers and Newly Public Companies, 71 Fed. Reg. 76580 (Dec. 21, 2006).  
13. 71 Fed. Reg. 77,635 (Dec. 27, 2006).
14. 71 Fed. Reg. 76,580 (Dec. 21, 2006).  Under the SEC’s extensions, non-accelerated filers would submit a management assessment report with its annual report for the first fiscal year ending on or after December 15, 2007.  These entities would not be required to submit an auditor’s attestation report until the following year, or the first fiscal year ending on or after December 15, 2008.  
15. Telephone interview with William J. Zaiser, Chief Financial Officer, MHI Hospitality 
Corporation, in Greenbelt, Md. (Feb. 13, 2007).
16. GAO, Report to the Committee on Small Business and Entrepreneurship, U.S. Senate, 
Sarbanes-Oxley Act:  Consideration of Key Principles Needed in Addressing 
Implementation for Smaller Public Companies, at 17. (April 2006) (GAO Report) 
available at: http://www.gao.gov/new.items/d06361.pdf.
17. Comment letter from Paul A. Sharman, President and CEO, Institute of Management 
Accountants, to the SEC and the PCOAB (Feb. 13, 2007) (IMA Comment Letter), 
available at:  http://www.sec.gov/comments/s7-24-06/lddevonish-mills5470.pdf.
18. 71 Fed. Reg. 77,635 (Dec. 27, 2006).
19. IMA Comment Letter, at 2.  
20.  71 Fed. Reg. at 77,649 (Dec. 27, 2006). 
21. Advisory Committee Report, at 29. 
22. FEI, Survey on SOX Section 404 Implementation, Exhibit A: Costs by Filing Status 
(March 2006). 
23. Advisory Committee Report, Page 33.
24. The Impact of Federal Regulations on Small Firms, an Advocacy-funded study by W. 
Mark Crain, Sept. 2005 available at: http://www.sba.gov/advo/research/rs264tot.pdf.
25. Committee on Capital Markets Regulation, Interim Report of the Committee on 
Capital Markets Regulation (Nov. 30, 2006), available at: 
http://www.capmktsreg.org/pdfs/11.30Committee_Interim_ReportREV2.pdf.
26. McKinsey & Co, Sustaining New York’s and the US Global Financial Services 
Leadership (Jan. 22, 2007), available at: 
http://schumer.senate.gov/SchumerWebsite/pressroom/special_reports/2007/NY_REPOR
T%20_FINAL.pdf.
27. Thomas E. Hartman, Foley & Lardner LLP, The Cost of Being Public In the Era of 
Sarbanes-Oxley 1 (June 16, 2005), available at: 
http://www.fei.org/download/foley_6_16_2005.pdf.
28. Management’s Report on Internal Control Over Financial Reporting an Certification 
of Disclosure In Exchange Act Periodic Reports, Exchange Act Release No. 3308238; 
34047986; IC-26068 (Aug. 14, 2003), available at: http://www.sec.gov/rules/final/33-
8238.htm.
29. See note 22.
30.  Small Business Regulatory Enforcement Fairness Act, Pub. L. 104-121, Title II, 110 
Stat. 857 (1996) (codified in various sections of 5 U.S.C. § 601 et seq.).



3