March 2, 2006
The cost of Section 404 assessment and associated audit fees is inordinately high in banks with assets under $500 million and market capitalization below (often far below) $50 million. This process in markedly out of proportion to the benefits to current and potential stockholders. This is particularly true when considering that they in a highly regulated industry. These banks are subject to regulatory examination, mandatory internal auditing and independent audits without the requirements of the SOX Sec 404 assessment IN THE FORM CURRENTLY REQUIRED.
It is understood that the requirement for appropriate internal controls over financial reporting are required under SOX regardless of the degree of formal assessment. Failures of internal control would still subject the issuer to regulatory action regardless of the formality of the assessment. Banks, their Boards and management are subject to regulatory sanctions of the Federal - and in some cases, state - regulators as well.
The issue is NOT one of whether such banks should maintain good internal controls - in all areas. The issue is whether the cost of assuring that controls are sound should become such a burden that it reduces profitability and return to the shareholders. If the cost of assurance becomes a significant reduction of return to shareholders the assurance becomes a paradox.
This is particularly true where the issuer is thinly traded and a very small cap corporation. Surveys by the North Carolina Bankers Association and a national accounting firm show that the cost of compliance is running as high as 25% in small banks. This is Sec 404 assessment cost which generally has to be outsourced to meet the current requirements AND increased audit fees. One must observe that the PCAOB Standards require significant audit work for an opinion on the Sec 404 assessment. (PCAOB AS #2 Para 13-18 and particularly 19)
This comment is to urge the Commission to consider the fact that the cost of compliance can be reduced significantly WITHOUT reducing the risk of poor controls over financial reporting by the following:
1. Eliminate the need for the formal assessment in small cap issuers -particularly those in highly regulated industries
2. Work with the PCAOB to modify the auditing standards (para 13-19) in parallel with #1 above to eliminate the requirement for assessment of the 404 assessment and opinion thereon so the independent audit can employ less expensive procedures - the procedures must still require the auditor to opine on internal controls as well as the financial statements
3. Clearly require that the maintenance of the control standards is still the law and failures in controls will be subject to the same sanctions with or without formal 404 assessmens and
4. The CFO and CEO must still affirm the condition of the control system and they will continue to be liable if the controls are less than sound, thus they must make their own assurance that their statement is accurate.
As a passing observation, more banking organizations have failed because of conditions that are NOT being included in independent auditor considerations than by matters than are currently included. An issue such as interest sensitivity management has not been viewed as internal controls over financial reporting though it is the genesis of more failures and earnings damage than any other single cause. However, because it is not a "reportable" item is is not included in the auditors' evaluation of internal controls over financial reporting.
Another observation concerns the fact that the Commission staff has stated that the SOX requirement was based on the FDICIA requirement for reports on internal control. The FDICIA structure has a bright line exemption of smaller institutions because of the cost of compliance and the fact that the regulatory examiners take a more penetrating approach in smaller banks.
Thank you for the opportunity to enter these comments for your consideration.