Small Cos. Escape SOX 404, Not Audit Scrutiny

The smallest of public companies may have won their long-fought battle to escape an audit of internal controls—but that doesn’t mean they are free from scrutiny.

The Dodd-Frank Wall Street Reform and Consumer Protection Act gave small public companies (those with a market capitalization below $75 million) a permanent exemption from the Sarbanes-Oxley Section 404(b) requirement to obtain an audit of internal controls over financial reporting. The audit requirement was due to take effect for fiscal years ending on or after June 15, following numerous delays granted by the Securities and Exchange Commission as larger companies and regulators worked their way through monumental implementation issues.

The legislation also requires some further study of the costs and benefits related to SOX compliance. The SEC is required to report to Congress within nine months how to “reduce the burden” of the audit of internal control over financial reporting even further for companies in the market cap range of $75 million to $250 million. Specifically, Congress wants to know if companies in that space would be more inclined to list their initial public offerings on U.S. exchanges if the audit requirements were either reduced or removed entirely.

The Dodd-Frank bill also tasks the Government Accountability Office to study how the 404(b) exemption will impact restatements, cost of capital, and investor confidence. Congress is looking for some further guidance on the costs and benefits of voluntary compliance with the audit of internal controls and whether exempted companies should be required to disclose to investors that they are not providing a 404(b) audit report. The GAO has a three-year timeframe to work on that study.

Martin

While the recent legislation exempts smaller companies from the audit of internal control, it doesn’t relax any of the requirements for companies to establish and maintain an effective control environment or to report on the effectiveness of controls, says Alyssa Martin, an executive partner with audit firm Weaver.

That’s because the Dodd-Frank bill does not exempt smaller companies from Section 404(a), which is the requirement for management to produce its own report on the effectiveness of controls to mitigate errors in financial statements. “It doesn’t really change the role of management,” says Alyssa Martin. “They still have to understand the design of internal control and assess the effectiveness.”

“It’s not a cake walk. If you’re not documenting anything or doing anything, you’re not following the SEC’s guidance.”

—Jim DeLoach,

Managing Director,

Protiviti

The exemption from the audit does give management for smaller companies some newfound flexibility, Alyssa Martin says. Companies may not have to produce as much documentation or perform as much testing to produce management’s assertion as they might have had to produce for the sake of the audit, she says.

“They can use other measures, like ongoing monitors or their own personal experience, to assess internal controls when they don’t have to have the external auditor auditing their process or leveraging their process in performing the audit of internal control,” notes Weaver’s Martin.

Yong Xu, CFO for Jingwei International, says he was grateful to see the audit requirement lifted, even though the company voluntarily produced the audit for its 2009 financial statements and is planning to have the audit again in 2010. Jingwei International is a China-based technology services provider listed on Nasdaq with a market cap in 2009 of less than $75 million.

Xu

The allocation of resources to produce the audit is difficult for a smaller company, says Xu, but the exemption provides a further benefit to smaller companies: certainty. They no longer will face the uncertainty of a pending requirement that kept moving further into the future as regulators and larger companies worked through the implementation issues. “Now the uncertainty is lifted,” he says.

Jingwei decided to produce the audit even when it wasn’t required in hopes it would help the small, China-based company gain favor and credibility in U.S. markets, says Xu. He’s not certain whether the company will continue to provide the audit going forward, but he applauds Congress for making it optional. “I still think the attest report for a smaller reporting entity should be an option,” he says.

SOX 404(b) PROVISIONS

The following excerpt from Protiviti’s Flash Report details the SOX 404(b) provisions contained in the Dodd-Frank Act:

While there are many provisions in this new legislation that are commanding the headlines, one provision of interest to smaller public companies relates to Section 404(b) of the Sarbanes-Oxley Act. The new legislation provides that companies with a public float below $75 million (the so-called “non-accelerated filers”) will be exempt from complying with the attestation requirements of Section 404(b) of the Sarbanes-Oxley legislation. Under Section 404(b), the companies’ auditors are required to issue an opinion on the effectiveness of the audit client’s internal control over financial reporting (ICFR). Section 989G of Dodd-Frank provides that:

Subsection (b) of Section 404 shall not apply to non-accelerated filers, and

The Securities and Exchange Commission (SEC) shall conduct a study to determine how to reduce the burden of applying Section 404(b) to companies with a market capitalization between $75 million and $250 million “while maintaining investor protections for such companies. ”

The study is required to be completed no later than nine months following enactment of the bill.

The Dodd-Frank bill commissions a second study with the Comptroller General of the United States on the impact of the above amendments to Section 404(b). This study is to include an analysis of the following:

Whether the exempt issuers have fewer or more restatements of published financial statements than issuers which must comply with the attestation requirements of Section 404(b);

How the cost of capital of issuers exempt from Section 404(b) compares to the cost of capital of issuers that are required to comply with Section 404(b);

Whether there is any difference in the confidence of investors in the integrity of financial statements of issuers that comply with Section 404(b) and issuers that exempt from such compliance;

Whether issuers that do not receive an attestation of ICFR should be required to disclose the lack of such attestation to investors; and

The costs and benefits to issuers that are exempt from Section 404(b) that voluntarily have obtained an attestation from their external auditor.

This study is required to be completed no later than three years following enactment of the bill.

Source

Protiviti Flash Report on SOX 404(b) (July 17, 2010)

Neil Pinchuk, a partner with audit firm Bernstein & Pinchuk, which signed on as Jingwei’s auditor in 2009, says under the exemption, “nothing changes.” Management is still required to produce its own assessment, which smaller companies have been doing for a few years now. And auditors are still required to consider the control environment when they plan their audit of financial statements.

Pinchuk

Although smaller companies have lobbied hard for delays and exemptions since SOX became law in 2002, Pinchuk says many smaller public companies have nonetheless taken measures to improve controls. “Definitely not every company,” he says, “but a good substantial number of companies have taken steps and hired outside consulting firms.”

Burczyk

Andrew Burczyk, regional attest practice leader with audit firm Mayer Hoffman McCann, says the exemption improves relations between audit firms and their smaller public company clients. “The perceived value versus the cost of implementing (the internal control audit) was nebulous at best,” he says. “As a result, it wasn’t a service we really felt great about providing to our clients.”

Burczyk says he expects, whether consciously or not, some smaller companies will ease up on controls now that they are free of the audit requirement. “Having less focus on controls by human nature is going to lead to less time spent on it and probably, as a result, weaker control environments,” he says. “Is it going to be dramatic? No. It’s going to be incremental.”

Martin

Burczyk and others, like John Martin, a director at MorganFranklin, says companies can be assured auditors will still be considering controls as part of the audit of financial statements. “Auditors are still going to have to look at the control environment for other purposes,” says MorganFranklin’s Martin. “Auditors still need to approach the audit in a risk-based manner. The way you look at risk is by looking at controls.”

/>

Markowitz

Says Alan Markowitz, an assurance partner with East Coast audit firm Marcum: “We’re still required to evaluate management’s philosophy, operating style, effectiveness of internal controls, integrity, ethical values, and tone at the top. We have to gain an understanding of the system of controls so we can plan the actual audit.”

DeLoach

Jim DeLoach, managing director at Protiviti, says small companies would be wise to review the SEC’s interpretive guidance explaining how management should assess and report on controls, which points out that management’s documentation of controls is key to any assertion that controls are effective. “It’s not a cake walk,” he says. “If you’re not documenting anything or doing anything, you’re not following the SEC’s guidance.”