There’s an old story about a championship basketball game in the animal kingdom between the Ants and the Elephants. Late in the game, with the Elephants up by one, the Ants had possession, and were heading down the court looking to score. As the star Ant dribbled forward, the Elephant guarding him lifted his foot and crushed the Ant. The referees blew their whistles, called a foul and one official asked: “What’s the big idea? What did you think you were doing, stomping on an opposing player?” The offending Elephant shrugged haplessly and said he wasn’t trying to crush the Ant, “I was merely trying to trip him!”

A large number of small companies are feeling like the beleaguered Ants basketball team these days. Trying to make sense out of the current regulatory environment isn’t easy for anyone, but it’s especially difficult for small- and mid-cap sized public companies. When Sarbanes-Oxley was passed, Congress rejected the recommendation of the SEC and eschewed an approach of expressly allowing the SEC to tailor the Act’s requirements to different types of companies. It also declined to permit individual companies to tailor the Act’s provisions to each company’s specific circumstances, as it had done in the Foreign Corrupt Practices Act in 1977.

Instead, the Act applies a “one-size-fits-all” approach, and that’s created enormous difficulties, both domestically and globally. The SEC has effectively been relegated to an “all-or-nothing” approach, given the poor craftsmanship that ultimately characterizes this important legislation. Particularly with internal controls, the SEC has deferred the applicability of its requirements, giving smaller companies (and foreign public companies) an opportunity to employ a longer lead time to prepare for the ultimate day of reckoning. Unfortunately, many smaller companies haven’t really taken advantage of the SEC’s largesse, instead choosing to defer spending and implementation until they’re certain they’ll have to comply. This is short-sighted at best, and potentially counterproductive, at worst. The provisions of SOX are becoming “best practices” for all companies, whether publicly-traded or not, whether for profit or not. Smaller companies that defer considering and implementing SOX best practices also run the significant and costly risk of losing the all-important “compliance premium” when and if their company is sold.

When companies seek to sell themselves, or are acquired, there are only two possible outcomes—they can sell themselves to a public company (or a company desirous of becoming a public company), or they can be sold to public investors. In either case, if the company to be acquired is not SOX compliant, any thoughtful acquirer must deduct the anticipated costs associated with implementing SOX requirements and best practices. This results in a loss of revenue upon an anticipated sale. Even worse, it could prolong and defeat a potential transaction, depending on the nature of the assessment made of the company to be acquired.

Even beyond Section 404’s difficult implications, companies that have fewer resources than the Fortune 500 are legitimately worried about the costs of SOX compliance, given the statute’s one-size-fits-all bias. But many smaller companies are missing an opportunity to seize control of their own situations by developing thoughtful approaches to the myriad regulatory requirements SOX imposes. To try and sort through some of these issues, this month’s column offers some rules of thumb smaller and mid-cap companies may want to consider in an effort to get ahead of the regulatory curve.

Marketplace forces now require companies to pursue full transparency and state-of-the-art compliance policies. Companies that don’t set, then meet, higher standards, will be abandoned or turned on by investment banks, big four accounting firms, insurance companies, commercial banks and rating agencies, and will find it hard to attract both capital and quality directors. This means that, one way or another, wittingly or not, corporations and financial institutions will be compelled to meet new governance standards in order to survive and prosper.

Develop a thoughtful SOX methodology. The starting point in any analysis is to develop a customized summary of the Act, and its applicability to the operations of a specific company. This is not the place for one-size-fits-all checklists that many companies and their advisors use to create the illusion of diligence and security. Checklists, especially in the area of regulatory compliance, are usually not worth the paper on which they’re printed. The goal is to divide the requirements of SOX into major categories (e.g., internal controls, governance, ethics and transparency), and then articulate, from a businessperson’s perspective, what the statute and the SEC’s implementing regulations are attempting to achieve.

Establish an internal compliance team. While outside assistance is ultimately likely to be necessary, every company should have its own internal compliance team. This offers the prospect of a team that really knows the company best, and also promises to save money by coming up with pragmatic approaches that fit a company’s particular profile. Members of the internal compliance team should include the company’s internal general counsel, the head of internal audit functions, the head of the company’s disclosure committee, staff personnel who work with the company’s audit committee, and others.

Develop a game plan. Consideration of the requirements of SOX should not be haphazard or rely on serendipity. It is essential that every requirement of SOX be examined, along with the best means of implementing it. Where there are alternative approaches, all such possibilities should be considered. The key to avoiding later difficulties is ensuring that the company gives thoughtful consideration to a wide variety of issues and alternatives.

Identify all alternatives considered; explain all approaches modified or rejected. If a review process is well-structured, companies can benefit by having detailed notes of their review, the reasons that certain alternatives were rejected or modified, and the rationale for approaches taken. Having this kind of contemporaneous record of the efforts undertaken, and the results reached (as well as the rationales employed) is invaluable if regulatory or class-action scrutiny should occur.

Companies should pay careful attention to the ramifications of proposed best practices, not merely their legality or necessity. While adherence to statutory and regulatory fiats is necessary, it’s not sufficient. It’s in a corporation’s self-interest to look beyond specific legislative and regulatory mandates, and think about effecting real governance and transparency reforms that can position the company for greater success and distinguish the company from the pack.

It is critical to have a compliance/ethics board committee that plays a central role in establishing corporate best practices. The assessment of what is required, and what is desirable, under SOX, cannot be left exclusively to senior management, although they play a critical and important role in the process. Rather, public companies should establish Qualified Legal Compliance and Ethics Committees, whose functions include assessing compliance with SOX, evaluating how a company compares with its core group of competitors, and overseeing decisions made to implement some best practices and/or forego others.

Companies would do well to create a senior compliance officer position and an ombudsman post. Compliance and ethics have become the watchwords since Enron and its progeny spawned SOX. While public companies (other than financial services firms) are not specifically required to have a Senior Compliance Officer, it is a false saving, and a huge mistake, not to create such a position. Equally significant is the need to permit employees and other corporate constituencies to report conduct they believe is troublesome. Although SOX requires this type of process for financial reporting issues, companies do well to extend it to all manner of potential misconduct. Creating the opportunity to learn of misconduct first can save a company millions and millions of dollars, and senior management their jobs.

Companies should consider developing compliance and ethical disclosures that truly inform investors. Unfortunately, in today’s environment, disclosure is often seen as a means for avoiding liability down the road, not as a method of informing readers. Particularly for mid- and small-cap companies, the effort to analyze compliance with SOX, and the decisions reached about adopting (or rejecting) certain best practices, should form clear and concise disclosures. By doing this, companies can avoid liability for misleading investors who, in the absence of such disclosure, will believe every company is complying with best practices.

Mid- and small-cap companies should work together to develop approaches to the requirements, costs, burdens and benefits of SOX. There is definitely truth to the old saw that if we don’t all hang together, we will surely hang separately! Mid- and small-cap companies should review their compliance and regulatory programs with comparably situated companies on a regular and periodic basis, to make sure that they have considered best practices as those practices evolve and develop.

Mid- and small-cap companies should track the costs associated with their compliance and regulatory regimes. Government regulators have heard a great deal of complaining about the huge costs of compliance, but few companies are in a position to back up their “sense” of the actual costs with hard data. This could prove important. Regulators and prosecutors will definitely want to review a company’s decisions, costs, burdens and potential rewards before bringing an enforcement action complaining about a purported failure to comply with some provision of SOX or another.

Good ethics and compliance policies will always prove profitable. Companies that have good governance and transparency have been empirically shown to outperform their core group of competitor companies, and outperform the market as a whole. Although there are a lot of expenses associated with SOX, there are benefits as well.

Mid- and small-cap companies have more flexibility than they realize in tailoring the requirements of SOX and the SEC’s rules thereunder to each company’s specific circumstances. Using the analogy with which I opened, if one is going to get tripped up or crushed, it’s better not to have that happen because of one’s own mistakes, neglect or misfeasance.

Click here for over 20 Harvey Pitt columns exclusively available at Compliance Week, including his thoughts on executive compensation, dealing with employee complaints, the changing face of transparency, guidelines for directors, and more.

This column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.
