Speech by SEC Commissioner:
Remarks Before the Meeting of the International Organization of Securities Commissions
Standing Committee No. 1
Commissioner Roel C. Campos
U.S. Securities and Exchange Commission
March 30, 2006
Good morning. I'd like to welcome you all to the IOSCO Standing Committee No. 1 meeting here in Washington, DC. We may not be able to offer you the things that were available in some of our other venues - the canals of Amsterdam, the palaces of Madrid, or even the Great Wall of China. But we can share with you something that you will only be able to experience here - a perfect Washington, DC spring day framed by our cherry blossom trees, which of course originated as a gift from our friends in Japan.
On to the task at hand. I know that you will be discussing the IOSCO survey on internal control requirements today and we are nearing the end of the first calendar quarter of 2006. Thus, I know that financial reporting and related internal controls may be at the forefront of your minds. This also is a topic that I am keenly focused on now. Just open the newspaper these days and you can see that internal controls are one of the key regulatory priorities for this agency. That is why I would like to focus my remarks today on what is currently the most controversial topic in this area - Section 404 of Sarbanes-Oxley and related Auditing Standard #2. However, before I begin, I must give the standard SEC disclaimer that my remarks today represent my personal views and not those of the SEC.
As you know, Section 404 requires management of public companies to assess the effectiveness of a company's internal control over financial reporting as of the end of the most recent financial year and to include in the annual report management's conclusion regarding the effectiveness of the company's internal controls. Once management asserts that the internal control system is either effective or ineffective, the auditor attests to the integrity of management's conclusion pursuant to guidelines set forth by the PCAOB - most of which are set out in the PCAOB's Auditing Standard #2.
I think it is fair to say that every major principle of Sarbanes-Oxley has been adopted or is converging through all jurisdictions except for the auditor attestation portion of Section 404. While European directives have imposed rules regarding internal controls, this will be left to management disclosure and will not require outside auditor certification. Moreover, the Canadian Securities Authority recently decided to not mandate auditor reporting on management's assertion relating to effectiveness of internal controls (even though it did determine to expand the scope of application of the management reporting obligation from TSX listed entities only to all reporting issuers, regardless of where they are listed). Of course, every jurisdiction has to balance the benefits and costs of regulatory requirements against their own particular needs and risks, and it is because of these differences that I do not expect convergence on this particular issue. As a U.S. regulator, however, I do care tremendously about Section 404. I care because it is important to me that the U.S. remains a comfortable place for raising capital, and I believe that Section 404 has been absolutely fundamental in restoring investor confidence in our markets and our public companies.
However, I have to confess that Section 404 is one of the most difficult regulatory issues that I have dealt with in my role as a Commissioner of the SEC. To me, Section 404 represents a classic policy conundrum: What should a regulatory agency do when confronted with a law that has had tremendous benefits, but that also has resulted in significant costs?
As many of you may know, our agency will soon be sponsoring a joint roundtable with the PCAOB on May 10, 2006 to discuss second-year experiences with Section 404. This roundtable discussion will include issuers, auditors, investors and other interested parties. We also are seeking written feedback regarding experiences with complying with the Section 404 requirements. Thus, you can imagine that the last several months have been quite a blur of Section 404-related activity for me. I have met with scores of auditors, issuers and institutional investors. I have reviewed several articles, congressional testimony and research reports. I have held numerous sessions with the PCAOB as well as the SEC's own accounting staff. And all of this has been completely necessary, because we absolutely must get this right.
Section 404 and Auditing Standard #2 have without a doubt enhanced and improved the integrity of the financial reporting process. We have heard from numerous investors, issuers and accountants that Section 404 has fundamentally reformed and strengthened the internal compliance, reporting and monitoring structures surrounding the financial reporting process. A recent study supports this anecdotal evidence and strongly suggests that Section 404 compliance has helped companies identify and remedy hundreds of financial reporting problems. According to this study, the number of restatements by U.S. and foreign public companies in 2005 nearly doubled from the previous year! There were 1,295 restatements in 2005 compared with 650 in 2004 - presumably due, in part, to the reforms mandated by the Sarbanes-Oxley Act. These restatements have not only given investors a truer picture of the companies that they are investing in, it has given them greater confidence in their investments.
The value of accurate financial information must not be understated. Financial statements provide investors with essential company information. They are a fundamental cornerstone behind all investment decisions. Financial statements allow investors to compare a company's performance to management expectations, similar competitors and the global markets. This information also allows investors to evaluate and analyze company growth and performance over time. Because of the critical importance of such information to investors, public trust in these financial statements is critical not only to the solvency of a particular company, but to the liquidity and growth of our overall capital markets. For when investors lose trust in the markets, they stop investing.
However, it is undisputed that the costs of complying with Section 404, have been very high - in fact, much higher that we originally estimated. The first year of Section 404 implementation resulted in an overall increase in audit fees of 45.8% for companies with market capitalizations of greater than $3 billion and 67.9% for companies in the $100 to $500 million dollar range. The audit fees of 3,988 publicly companies with less than $100 million in revenues increased by $217.2 million from 2003-2004. Even the smallest companies - those defined as small business issuers by the SEC - saw their audit fees rise from $95.1 million to $115.3 million during that same time.
Fortunately, a recent study commissioned by the largest accounting firms indicates that these costs should go down significantly beginning in Year 2 of Section 404 implementation. This study estimates that average Section 404 costs are expected to decline by 39% (down to $900,000 from $1.5 million) for smaller companies and 42% (down to $4.3 million from $7.3 million) for larger companies in Year 2 alone. A great portion of this reduction will result from the fact that these companies will not need to duplicate the documentation done in Year 1. However, the study also attributes some of this decline to increased efficiencies, including relying more heavily on the work of others and reducing the number of key controls that are tested.
Moreover, recent information indicates that the Section 404 compliance has not deterred small business from accessing our public markets. A record 881 (up from 435 in 2003) small companies filed with the SEC in 2005 to register new stock issues and raise $16.3 billion in new capital according to research done by SME Capital Markets. CFOs of smaller companies also claim that they would have gone public even if Section 404 compliance was required, because they saw no better option for raising capital.
However, strong concerns continue to be voiced by the small business community. This community tells me that the costs of Section 404 compliance remain disproportionately burdensome on smaller companies in Year 2. As you all know, the SEC's advisory committee on smaller public companies recently recommended that micro-cap and smaller public companies be partially or wholly exempted from the main requirements of Section 404. This proposal recommended that public companies with market cap of less than $100 million and revenue of no more than $125 million be exempt completely from Section 404 requirements, while companies with a market cap of less than $700 million and revenues of no more than $250 million be exempt from the requirement that an independent, outside auditor test the internal controls.
Having been a business executive in a past life, I am extremely sensitive to the concerns raised by our small business issuers. I have stood in their shoes, and I have sweated their sweat. In fact, I may be the only SEC official who in a prior life worried about making payroll.
On the other hand, I am concerned that adopting the recommendations of the SEC's advisory committee on smaller public companies - which would create a two-class system under Section 404 - will actually have the unintended consequence of hurting not only investors but also perhaps the smaller companies themselves. First, from a pure "Business Administration 101" perspective, I fear that an exemption may actually hinder small business growth. Establishing robust internal control systems companies actually helps companies discover and correct inefficiencies that will result in significant operational cost-savings over the long-run. Conversely, removing the incentives to create and maintain these systems will make it more difficult for small companies to identify material weaknesses and grow efficiently in a global and highly competitive market.
Second, I fear that exempting smaller public companies - which represent 80% of all public companies today - from all or part of the requirements of Section 404 could severely undermine investor confidence and trust. Already, smaller companies are perceived as riskier and less transparent investments. Moreover, many of the internal control problems that I have seen as a Commissioner have taken place in smaller companies that have less robust compliance and surveillance infrastructures. According to one major source, in the five years before 2004, nearly ¾ of all financial restatements were reported by companies with annual revenues of less than $500 million. Even more troubling, a recent study seems to indicate that these smaller companies are more likely to try and "confess quietly" in the hopes of avoiding investor attention. This study found that about 2/3 of so-called "stealth restatements" in 2005 - by this, I mean restatements that were not accompanied by amendments to previously filed investor notices - occurred at companies with market capitalizations of less than $75 million.
More rigorous emphasis on internal controls already has prevented or remedied the much too frequent scenario of "bad" financial statements that are the result of inadequate internal controls. Certainly, this has fostered greater trust by investors in both financial statements and the companies issuing those statements. While an exemption for smaller companies may have the appeal of possible cost savings in the short-term, I believe that the stigma of being part of a "less transparent" and "less regulated" class may actually make it more difficult for these companies to attract investors and raise capital and may produce reputational damage to small businesses as a class. This would have the perverse effect of escalating, rather than reducing, the costs to them of attracting and raising capital.
I note that I am not alone in these concerns. To date, several commenters - including a member of the SEC's small business advisory group, a former Federal Reserve Chairman, four former SEC Chairman, former SEC Chief Accountants, the former U.S. Comptroller General, institutional investors and former CEOs for two major fund complexes (the Vanguard Group, Inc. and TIAA-CREF), have come out in strong opposition to such a move. Most notably, former SEC Chairman Arthur Levitt provided an op-ed piece in the Wall Street Journal just this past January suggesting that small companies should not be exempted from Section 404, and that regulators should instead be thinking of other ways to provide meaningful relief.
So what, exactly, should be done at this juncture with respect to Section 404 and smaller companies? I have to admit that while I am very concerned about these disproportionate costs, I also am troubled by what seems to be a "disproportionate" focus on costs in the overall 404 dialogue. While these costs are indeed significant, the benefits of Section 404 compliance also are enormous and widely lauded. These benefits have been so great, in fact, that several investor groups have publicly stated that - as shareholders in these companies - they happily bear the costs of Section 404 compliance. As a result, I fear that the current exemptive approach being proposed by the smaller business community may be too blunt a tool to effectuate their goals. For although it will certainly reduce costs, it also would have the dramatic effect of eliminating or significantly reducing the benefits of Section 404 for 80% of all U.S. public companies.
Any actions that the Commission takes with respect to Section 404 must therefore take into account both costs and benefits. In fact, given the clear preference from many investors for continuing Section 404 compliance, I believe that it would be inappropriate for the Commission to not take into account the very real and tangible benefits of Section 404 alongside the significant costs. I applaud the Small Business Advisory Committee for beginning the daunting task of identifying and analyzing Section 404 costs in the small business community. However, I believe that the information gathering is not yet complete. In order to make an informed and rational decision that is consistent with our mandate to protect investors, we need much more information - cold, hard data - on the actual Section 404 costs that are being incurred by issuers, particularly smaller companies, as well as the actual benefits that are flowing to the market. Accordingly, I favor further study, together with a delay in the implementation of Section 404 for non-accelerated filers. In fact, I think that a sensible approach to dealing with the Section 404 issues would be to take a multi-pronged approach:
- Pilot Program: We need more quantitative and qualitative information and analysis regarding how internal control audits are being performed in smaller companies and where exactly in these audits that Section 404 costs are being generated. Such analysis could take the form of a small issuer pilot program in 2006 that would allow a representative sample of smaller companies and their auditors to share their real-life Section 404 experiences with other small companies, auditors, the SEC, PCAOB, COSO and others. The pilot would gather data, information and experiences from smaller companies with respect to Section 404 before compliance is required by all non-accelerated filers. The information gained from such a pilot would, among other things, help the SEC and PCAOB to analyze, better understand and address the issue of compliance costs-and-benefits. In a perfect world, I would anticipate that this pilot program would be conducted by the very auditors who are conducting these audits in the real world, but with oversight and analysis provided by a neutral and experienced third-party. Perhaps an experienced academic or a former SEC official?
My hopes for this type of pilot program are three-fold: First, we simply need more objective data in order to make rational policy decisions. Clearly, our initial estimates were too low. So where are these additional costs being generated? In the documentation? In the testing? In the walkthroughs? What types of controls are the costliest to test? And where can we look to reduce the burden of testing without sacrificing the integrity and accuracy of the audit itself? These are just some of the questions that I believe must be answered before we can make any policy decisions with respect to Section 404.
Second, this type of information gathering and sharing will certainly help other small companies and accounting firms prepare to go through implementation for the first time. As we are seeing from the larger companies, experience and familiarity with Section 404 are leading to double digit percentage cost reductions in Year 2 and beyond. Similarly, I hope that the experiences and efficiencies gained through a pilot program can help ease the burden and costs of compliance when Section 404 is fully implemented across all smaller companies.
Third, I believe that a forensic analysis of how internal control audits are actually being performed in the smaller company sector can provide the necessary information to formulate a tailored, reasonable and cost-efficient framework for auditing smaller company's internal controls. One of the biggest complaints that I have heard is that small company internal control audits are being applied with a "one-size-fits-all" approach. I imagine that some of this is driven by the fact that auditors - fearing liability in connection with their internal control assessments - have adopted a fairly conservative approach to these audits across-the-board. Hopefully, specific small company guidance that is based on concrete data and created with the joint input from the PCAOB, SEC, investors, issuers and auditors will provide auditors with enough assurance to apply a more tailored and cost-effective approach.
- Guidance: I know that the PCAOB and the SEC staff have already done much work in providing guidance to issuers and auditors on Section 404 compliance and the application of Auditing Standard #2. However, I continue to hear from issuers that additional specific guidance, and possibly precise and surgical modifications to Auditing Standard #2, may be necessary to further reduce Section 404 compliance costs. I agree that better guidance is one way in which we can provide significant cost relief to all issuers while also preserving many of the benefits that come out of the internal controls assessment process. I am in constant communications with our own accounting staff as well as our colleagues over at the PCAOB and I look forward to their recommendations in this area. Some of the specific issues that I hope to see greater guidance on are the following:
- Reduced Testing: One area that I look forward to discussing with our accountants and the PCAOB is whether there are ways to appropriately narrow the scope of testing required under Auditing Standard #2. Auditing Standard #2 requires an auditor to obtain evidence about the effectiveness of controls for all relevant assertions related to all significant accounts and disclosures in the financial statements every year. This requirement has fundamentally enhanced the financial reporting process in U.S. public companies and I continue to support its principles wholeheartedly. However, given the breadth and scope of this requirement, this is one area in which better guidance will most certainly result in a reduction of costs. I know that several issuers concerned with limiting costs, had strongly advocated some form of reduced testing of controls during the comment period for Auditing Standard #2. Moreover, I have heard from some issuers that reduced testing in areas of low risk and greater use of "representative sampling" may significantly ease the testing burden without sacrificing the integrity of the audit. Some relevant guidance has already been given by the PCAOB when it issued its FAQ last year clarifying, among other things, that "benchmarking" could be used for reduced testing of certain automated controls and that each year's audit does not have to include the same scope of testing. However, in order for costs to come down in a meaningful way, there need to be additional guidance specifying which controls can be subject to reduced or narrowed testing in subsequent years.
- Controls: Because proper identification of and reliance on company-level controls can greatly reduce the need for detailed transaction testing, this is another area in which better guidance can result in reduced costs. One way that this could be accomplished would be to provide greater guidance on when an auditor can appropriately rely on company-level monitoring controls to make the audit process more cost-efficient. Specifically, additional PCAOB guidance could advise auditors on how they could use effective monitoring controls to reduce the number of detailed transaction level controls that will have to be tested.
- Work of Others: Auditing Standard #2 also permits an auditor to use the work of others to alter the nature, timing, or extent of the work he or she otherwise would have performed. If utilized appropriately, this provision could significantly reduce the costs of the internal control audit by allowing auditors to make more efficient use of their own time. However, the PCAOB's report on the initial implementation of the standard stated that some auditors did not use the work of others to the extent permitted. While I anticipate that some of this was due to first year implementation difficulties, I also think that additional guidance will further facilitate auditors' abilities to rely on the work of others. To date, most of the guidance has focused on the use of an issuer's internal audit staff. However, I understand that many small companies do not have a dedicated internal audit staff. Perhaps this is yet another area in which data from the field test described above can better inform the application of Auditing Standard #2 to smaller companies. Such data may indicate specific work by non-internal audit that would be appropriate for an auditor to rely upon.
- Delayed Implementation: Finally, given our current need for additional data on the costs and benefits of Section 404 with respect to smaller companies, further compliance relief may also be warranted. Given that investors have clearly relied on and benefited from the implementation of Section 404, I am reluctant to provide any sort of compliance exemption - even a temporary one - for those companies that have already complied with Section 404. I am hopeful however that the combination of the expected reduced costs in Year 2 combined with the benefit of the pilot analysis and additional guidance will work to significantly ease the burden on complying companies. Nevertheless, because investors have not yet relied on the protections of Section 404 with respect to non-accelerated filers, I would support a further delay in compliance for those issuers for a period of up to 18 months until we have had the opportunity to gather and analyze additional data from the pilot described above.
I also believe that this multi-pronged approach can benefit foreign companies who are listed in our domestic markets. The additional data that is gathered in a field test together with any guidance or relief that may be provided under Accounting Standard #2 will equally benefit the many foreign companies who are or soon will be complying with Section 404. Moreover, foreign issuers will recognize an immediate benefit from many of the enhanced efficiencies and cost reductions that are anticipated in Year 2 of Section 404 implementation.
I understand that a big question right now on the international front is whether Section 404 reduces the willingness of foreign issuers to come or stay in the U.S. capital markets. These are serious concerns which we are looking at, and accordingly the Commission has extended the deadline for compliance with the internal control over financial reporting requirements for foreign issuers to their first fiscal year ending on or after July 15, 2006. This additional time will give foreign issuers an opportunity to benefit from the experiences and increased efficiencies gained from last year's internal control audits of their U.S. counterparts. Moreover, it will allow the Commission to carefully consider the trade-offs between relaxing standards for foreign issuers in areas like comparability, investor protections, and fundamental fairness between the regulatory treatment of domestic and foreign companies. In the meantime, I am greatly encouraged by how well many of the recent foreign issuer IPOs - such as several of the recent Chinese company offerings - have performed in our markets. What this reminds me is that while the costs of entering our markets may be very significant so too are the rewards.
That is why I would like to conclude my remarks by emphasizing that costs - while very important - should never be the sole determinative factor in our policy making. Rather, it is our job as regulators to ensure that the very delicate balance between investment growth and protection remains patently fair, but always tipped towards the protection and safeguarding of our investors. I look forward to working with each of you in furthering this mission.
Thank you for your time and attention.