Reporting on the Internal Controls of Small Businesses Under Section 404 of the Sarbanes-Oxley Act of 2002
by Chairman Christopher Cox
U.S. Securities & Exchange Commission
Before the Committee on Small Business & Entrepreneurship, United States Senate
April 18, 2007
Chairman Kerry, Ranking Member Snowe, and Members of the Committee:
Thank you for inviting me to testify on behalf of the Securities and Exchange Commission concerning the application of section 404 of the Sarbanes-Oxley Act to small business.
This committee's charge is a vitally important one, both to the millions of small businesses in America, and to our economy. For our part, the SEC is charged by statute with the promotion of capital formation, upon which our small businesses depend. Like you, we are therefore completely committed to fostering the climate of entrepreneurship that is the key to small business growth, and to the creation of so many jobs and so many goods and services in our country.
For a small business, raising private capital often depends upon the future viability of tapping the public markets. It isn't just the company that is ready to go public today that benefits from a healthy market in publicly traded securities. Every startup, every new business idea, every determined woman with a dream and every man striking out on his own need a flourishing IPO market.
America creates far more new businesses than does Europe. And our capital markets have a far higher percentage of individual owners of securities. So it's essential for the vitality of our economy that we protect both the opportunity for small businesses to raise the capital they need to innovate, and the savings of individual investors that are invested in the securities of public companies.
Today, four years after the Sarbanes-Oxley Act was signed into law, over 6,000 public companies still aren't required to provide the audited internal control reports required by section 404. Generally, every public company with securities registered with the Commission, if it has less than $75 million in public equity, falls into this category. They have not been required to comply with section 404 because the Commission has been very sensitive to the special concerns of smaller public companies. All other public companies in the United States already have three years of reporting on internal controls behind them.
The Commission has delayed section 404 compliance for smaller companies because of the disproportionately higher costs they face compared to larger companies. Our experience of the first three years told us that the way 404 was being implemented was too expensive for everyone - and imposing that system on the smallest companies would impose unacceptably high costs from the standpoint of the companies' investors, who would have to pay the bills.
So the Commission and the Public Company Accounting Oversight Board (PCAOB) set out to address the unique concerns of small business. We further delayed the implementation of 404 for smaller public companies until Chairman Olson and I, working together with the full Commission and PCAOB, could replace the current inefficient system of 404 implementation with a more streamlined approach that focuses on material risks - but that still provides for effective and meaningful internal control audits to protect investors.
The focus of this hearing is on the proper implementation of section 404. Focusing on the implementation of 404, rather than changing the law, is consistent with the SEC's view that the problems we've seen with 404 to date can be remedied without amending the Sarbanes-Oxley Act. And despite the unduly high costs of implementing section 404 of the Act, I believe that the Act overall - including section 404 - may be fairly credited with correcting the most serious problems that beset our securities markets just a few years ago, and with restoring investor confidence in our markets.
One reason the Congress can be confident that the law you wrote is having the desired effect of improving the integrity of financial reporting is that many of its provisions are being replicated by other nations around the world. That is true even for section 404, albeit not the audit requirement. Variations of the law's internal control reporting requirements are being adopted in Japan, France, China, Canada, and several other countries. Still other nations, including the United Kingdom, have adopted a comply-or-explain approach to managements' assessments of internal controls and auditor reports on those assessments.
So as the Commission and the PCAOB move forward with our plans to make the application of section 404 workable for smaller companies, it is important to remember that Congress's focus on internal controls was not a mistake - it was, and remains, exactly the right thing to do.
It's also important to keep in mind that the Congress didn't invent these internal controls disclosure requirements out of thin air. SOX 404 was not the first effort by Congress to focus public companies on the need for strong internal controls over their financial reporting and accounting.
The very first legislation in this area was enacted in 1977, in response to the discovery that a number of companies had falsified financial records in order to disguise or conceal the source and use of "slush funds." Those slush funds were used to make questionable or illegal payments to foreign officials, and for a number of other illegal purposes. The year before that law was passed, in a report on these cases that the SEC made to the Senate Committee on Banking, Housing and Urban Affairs, we stated that:
The almost universal characteristic of the cases reviewed to date by the Commission has been the apparent frustration of our system of corporate accountability .... Millions of dollars of funds have been inaccurately recorded in corporate books and records to facilitate the making of questionable payments. Such falsification of records has been known to corporate employees and often to top management, but often has been concealed from outside auditors and counsel and outside directors.
So in January 1977, the Commission proposed four rules to address the issues covered in that report to Congress.
Two of the Commission's four proposals eventually resulted in the accounting and internal control provisions of the Foreign Corrupt Practices Act. Among other things, these two provisions require each public company to make and keep books, records, and accounts which, in reasonable detail, accurately and fairly reflect the transactions and disposition of the assets of the company. In addition, the company must maintain a system of internal accounting controls to provide reasonable assurances that transactions are recorded as necessary for the preparation of financial statements according to generally accepted accounting principles.
The remaining two proposals were adopted as rules by the Commission. One prohibits anyone from falsifying corporate books and records. The other prohibits officers and directors from lying to auditors.
Following adoption of the Foreign Corrupt Practices Act in 1977, various private sector commissions and task forces recommended that companies and their auditors issue public reports on their level of compliance with the internal control provisions of the new law. And some companies voluntarily issued management reports about their system of internal controls. Some of those reports, typically from larger companies, also expressed views regarding the effectiveness of the company's system of internal controls.
On two occasions, in 1979 and again in 1988, the SEC proposed rules that would have required reports from both management and the auditors on a company's internal control system. Although those proposals weren't adopted, the Commission encouraged private sector initiatives to review the need for this kind of disclosure.
Meanwhile, both through additional legislation and continued private sector efforts, the concept of an internal controls review was given sharper definition. In 1988, Congress amended the Foreign Corrupt Practices Act to define "reasonable assurances" to clarify that the standard does not require an unrealistic degree of exactitude or precision. Then in 1991, in response to a financial institution crisis following many savings and loan association failures, Congress enacted the Federal Deposit Insurance Corporation Improvement Act - FDICIA. That Act includes an internal control provision that is nearly identical to Section 404. And in 1992, the Committee of Sponsoring Organizations, or COSO, funded the publication of a framework for companies to use in developing internal control systems. COSO emphasized that internal controls should include the processes designed by a company to test whether its financial reporting objectives are being met. Organizations in other countries, as well as academics and professional associations, also helped in the 1990s to define and explain what is meant by an effective system of internal controls over financial reporting.
With all of this as background, it wasn't surprising that five years ago, when Congress was again faced with the problem of egregious financial reporting and governance failures, one of the solutions at hand was to revisit the rigor of internal controls. In section 404 of Sarbanes-Oxley, Congress mandated that managements disclose their own conclusions about the effectiveness of their internal controls. And section 404 enhanced the credibility of that disclosure by also requiring that auditors attest to and report on the assessment made by management. The clear antecedents for this provision were FDICIA and the Foreign Corrupt Practices Act. Since the internal control requirements in those Acts had not resulted in unacceptably high costs, it was reasonable for Congress to assume that section 404 would not be disruptive, either. In the case of FDICIA, of course, the banking regulators did not adopt a prescriptive standard to implement the statute's internal control section.
In order to meet the requirements in section 404 of Sarbanes-Oxley, however, in 2003 the PCAOB adopted its very different Auditing Standard Number 2 under section 404. The SEC approved it for use by auditors starting with 2004 internal control attestations.
Following the implementation of AS 2, many companies increased the documentation of their controls, and formalized the procedures they use to identify, test, and analyze the effectiveness of those controls. The cost of this exercise far outstripped all expectations - including the formal estimate made by the SEC when the reporting requirements for 404 implementation were approved. It's undoubtedly true that some of these higher-than-expected costs reflected long-neglected maintenance of internal control systems. But it is also undeniable that much of the extra cost was, and continues to be, attributable to excessive, duplicative, or misdirected efforts.
The Commission is determined to see to it that all waste of investors' money is eliminated from reporting under section 404. We and the PCAOB are working to re-focus 404 on the statutory purpose of informing investors about weaknesses in a company's internal controls that are truly material and really matter. The information conveyed to investors about the nature of those weaknesses has to be helpful to them in making investment decisions.
It was, of course, never intended that the 404 process should become inflexible, burdensome, and wasteful. Following the Commission's adoption of rules to implement section 404 in May 2003, we indicated that the methods used to evaluate the effectiveness of internal controls would, and should, vary from company to company. Early on, the SEC recognized that the approach taken by a Fortune 500 company wouldn't be right for a small company. The operating and financial environments in a small business are very different from those in large companies. That concern was one of the reasons that, even now, smaller companies are not yet required to comply with section 404.
But in 2004, when Auditing Standard No. 2 went into effect, it laid out in too-elaborate detail what an audit of internal control over financial reporting should look like. And because AS 2 contained language that created auditor expectations for the way management would conduct its evaluation process, AS 2 became the de facto guidance for management's evaluations and assessments. The resulting lack of flexibility for companies to design the internal controls best suited to their circumstances is one of the fundamental flaws in AS 2 that we are now working to address.
In a moment, Chairman Olson will talk about the particulars of the proposed new auditing standard the PCAOB is working on to replace AS 2. But it isn't just the auditing standard that is being refashioned. The SEC is simultaneously writing guidance specially directed to the company's management, to give them a truly scalable approach to designing controls that will work in their particular circumstances - especially for smaller companies. And we are coordinating the two proposals by eliminating from the new auditing standard any language that would create an expectation that the controls would be designed to fit the audit, rather than the audit being designed to fit the controls.
The proposed standard, and the Commission's proposed management guidance, would also make clear that auditors are not opining on the methods or on the procedures management uses to evaluate its internal controls. Rather, they are opining on the effectiveness of the internal control structure and procedures.
During the first few years of SOX implementation, we've learned a great deal from both the companies and the auditors who have had to implement section 404. We've listened at roundtables, studied comment letters, and paid close attention to the hearings and studies conducted by this Committee and the rest of the Congress. We have benefited from a great many academic and private sector studies. Almost all of them have concluded that the cost of compliance with section 404 has thus far exceeded the benefits that we've achieved.
In July 2006, the Commission issued a concept release covering potential reforms of section 404 implementation, and in reply we received over 150 comment letters. Many suggested specific areas that we should cover in our guidance and the type of guidance that would be most helpful.
After considering those comments carefully, last December the Commission formally proposed the new interpretive guidance I just mentioned to assist managements in developing a process for evaluating their internal controls over financial reporting.
An overarching objective of the Commission's proposed guidance is to allow managements to focus on the areas that present the greatest risk of material misstatements in the financials. This is what the law has always intended we be focused on. It's also what investors care about. It is, in short, what's important for achieving reliable financial reporting.
The guidance we proposed allows each company to exercise significant judgment in designing an evaluation that is tailored to its individual circumstances. Unlike external auditors, management in a smaller company tends to work with its internal controls on a daily basis. They have a great deal of knowledge about how their firm operates. Our new guidance would allow management to make use of that knowledge.
Our proposed guidance also recognizes that those companies that are already complying with section 404 have invested considerable resources in the design and implementation of their processes. The Commission's proposed guidance should not disrupt or require any changes to those companies' processes. At the same time, we believe that not only small businesses but companies of all sizes will benefit from our proposed new guidance. We also expect that, over time, even some larger companies may choose to adjust their 404 evaluations in response to the guidance.
When the Commission proposed its guidance, we also made clear that it provides one, but not the only, way to comply with the 404 requirement for an annual assessment of internal controls. We've made it clear that management can follow other reasonable approaches, too. For those managements that do follow the basic approach described in our guidance, we've proposed a rule that gives them the comfort of knowing that by doing so they have satisfied their obligation to evaluate their internal controls.
It is our intention that the proposed auditing standard and our proposed guidance for management will work together to clearly delineate the auditor's responsibility for opining on management's assessment, on the one hand, and the company's responsibility for the methods and procedures it uses in its internal controls evaluation process, on the other hand. In combination, the Commission's proposed guidance and the PCAOB's proposed auditing standard should result in management using a top-down, risk-based approach to its evaluation of internal controls. And they should shift discussions between managers and auditors away from management's evaluation process to what matters most to investors - the risk that material misstatements in the company's financials won't be prevented or detected in a timely manner.
By the way - managers and auditors should talk. And not just managements, but audit committees should have a healthy and ongoing dialogue with their auditors about the company's internal controls. There is no auditor independence rule, or any other rule or standard, that stands in the way of this kind of useful communication.
The comment periods for both the Commission and the PCAOB proposals closed on the same day - February 26 of this year. The Commission received 205 comment letters from a broad cross-section of investors, small companies and large companies, accountants, lawyers, regulators, and academics. About 70% of the respondents to the Commission's proposed guidance also provided comments to the PCAOB on its proposed auditing standards. The percentage that commented to both of us would have been higher, except that we received 48 letters from a class at the University of Wisconsin, who apparently found writing to the SEC a more appealing assignment than commenting to the PCAOB.
In our outreach to small business throughout this process, the SEC has been aided by the exceptional work of our Office of Small Business Policy in the Division of Corporation Finance. The Office of Small Business Policy is focused on making sure that the unique needs of small business are reflected in our rules, and in the interpretations and guidance we provide to the public. The Office of Small Business Policy served as the secretariat for the Commission's Advisory Committee on Smaller Public Companies, which issued its report to the Commission in April 2006. That report was the first to focus on the problems with section 404 implementation in a systematic way, and it has informed many of the solutions that we are now preparing to put into effect.
While the Commission hasn't yet made any final decisions based on the comments we've received, there are a few recurring themes in the letters that stand out.
First, there is overall support in the comment letters for the principles-based nature of the Commission's management guidance. Many commenters believe that this will encourage a healthy use of judgment and common sense in formulating the procedures companies use to evaluate whether material weaknesses exist in their internal control systems.
A significant number of commenters, however, are concerned that the principles-based guidance from the Commission may not be well-aligned with the more prescriptive auditing standards proposed by the PCAOB.
These commenters expressed concerns that having a more detailed auditing standard could drive managements to perform procedures or create documents during their evaluation process that would be unnecessary under the Commission's guidance. They believe managements may feel compelled to perform this unnecessary work, or to create documents solely so the auditors will have them during the subsequent audit process. Essentially, the commenters are concerned that having a more prescriptive auditing standard will needlessly drive up costs, especially for smaller companies. It would mean that the company and its investors either have to pay the auditor to do additional testing and documentation that wasn't required by the SEC's guidance, or the company will have to do that otherwise unnecessary work itself, so that it can be relied upon by the auditors.
Several suggestions were made in the comment letters about how to better align the Commission and PCAOB documents. Many of the comments focused on the need to insure that after all of this effort we do not simply end up with, once again, an auditing standard that drives a significant amount of management's work. In particular, commenters suggested that the PCAOB allow auditors to use more professional judgment in determining the necessary amount of testing and documentation. In other words, they suggested making the audit standard less prescriptive by removing requirements that could lead to unnecessary documentation and testing.
Several commentators also noted that differences in certain definitions and terms in the proposals could be sources of confusion. These discrepancies between the SEC and PCAOB definitions of the same terms, they said, could also lead to over-documentation and over-testing. As a result, they asked that the Commission and the PCAOB more closely align our terminology.
Of special significance to this Committee is that the comments from the small business community generally were consistent with those received from other commenters. Almost three-fourths of the comment letters from small business interests (31 of 42) indicated that our proposed guidance would allow managements to tailor their evaluations to the facts and circumstances of their particular companies and focus on the areas that are most important to reliable financial reporting. Many of these commenters also noted the need to better align the Commission and PCAOB documents and to reduce the prescriptive nature of the PCAOB document, and suggested additional areas to be covered in the Commission's guidance.
Sixteen of the 42 comment letters representing the small business community also emphasized the need to allow sufficient time for smaller companies to consider the final guidance issued by the Commission, and the final revisions to the auditing standard adopted by the PCAOB, before they're required to implement the 404 reporting requirements.
We take all of the comments we've received seriously, and we're working hard to address these concerns.
Very recently, on April 4th, the Commission held an open meeting to review the general nature of the public comments and the work that remains to be done to address them. Chairman Olson and Jeff Steinhoff, the Managing Director for Financial Management and Assurance at the Government Accountability Office, also participated in that meeting. At the meeting, the Commission made it clear we're very pleased with the progress that we and the PCAOB are making in our collaboration, and we focused on just four remaining areas where we believe additional work is necessary:
- First, we need to better align the proposed PCAOB audit standard and the Commission's proposed guidance, as I just described.
- Second, we need to improve the discussion in the proposed auditing standard of how auditors can scale the audit procedures, which will be a particular benefit for smaller companies.
- Third, we need to do further work to insure it's crystal clear that auditors should use their professional judgment in determining audit procedures and testing based on their assessment of risk.
- And fourth, the auditing standard needs to use broader principles rather than prescriptive rules to describe when auditors may use the work of others. This last will ensure that auditors can rely, for example, upon work obtained from management's risk assessments and monitoring activities when those are found to be competent and objective.
In addition, in furtherance of the integrated audit that is contemplated by section 404, the Commission directed our staff to work with the PCAOB to ensure that there is better integration of the financial statement audit (which itself includes an assessment of internal controls) with the internal control audit required by the PCAOB.
We're pedal-to-the-metal on finishing this work, and we won't require smaller public companies to have a section 404 audit until the new guidance and the new auditing standard are available to them with plenty of time to prepare. As this Committee is aware, the Commission has carefully phased in application of the 404 reporting requirements. We have continued to defer 404 compliance for small companies. The result of our determination to phase in 404 for smaller companies is that we've had the opportunity to field test the requirements first. Now, we're using what we've learned to lessen the burden not only for smaller companies that will eventually comply with the requirements, but for companies presently subject to the requirements as well.
The rules the Commission adopted in December 2006 will permit smaller public companies - those with $75 million or less of public float - to postpone their first 404 audit until the first fiscal year ending after December 14, 2008. For calendar year end companies, this would mean March 2009.
In the meantime, those smaller companies can begin to get ready for full SOX 404 compliance by undertaking the less burdensome part of 404 beginning with their SEC reports the year after next. Specifically, smaller companies would file management reports on their internal controls along with their annual report for their first fiscal year ending after December 14, 2007. For calendar year end companies, this would mean March 2008.
One of the suggestions that has been made is that, even though as things now stand smaller companies won't be required to come into full compliance with SOX 404 until March 2009, the Commission should provide for a further extension of an additional year. If we were to do that, the first 404 audit reports wouldn't be filed until three years from now, beginning in March 2010.
In the Commission's release last December, when we issued the latest rules on the timing of these requirements, we stated that if we have not issued additional guidance for management on how to complete its assessment of internal controls in time to be of sufficient assistance in connection with annual reports for 2007, we will consider whether we should further postpone the requirement. That remains true today.
We also stated that we would consider further postponing the requirement of eventual 404(b) compliance after considering the PCAOB's anticipated revisions to the auditing standard - and that remains true as well.
But that's not Plan A. As I described, we're working diligently to provide both guidance for managements and a new auditing standard in time for companies and their auditors to use them in connection with annual reports to be filed in 2008. In the next few weeks, we intend to finish our work on management's guidance, and to coordinate those efforts with what should be a new AS 5 adopted by the PCAOB. We aim to implement section 404 just as Congress intended: in the most efficient and effective way to meet our objectives of investor protection, well-functioning financial markets, and healthy capital formation by companies of all sizes. We won't forget the failures that led to the passage of the Sarbanes-Oxley Act in the first place. And we won't forget that for small business to continue to prosper in America, both strong investor protection and healthy capital formation must go hand in hand.
The reforms we're making to the SOX 404 process are intended to be of direct benefit to America's small businesses - and the millions of Americans who work for them, invest in them, and benefit from all that they provide to our economy. We're re-orienting 404 to focus on what truly matters to investors - and away from expensive and unproductive make-work procedures that waste investors' money and distract attention from what's genuinely material. No longer will the 404 process tolerate procedures performed solely so someone can claim they considered every conceivable possibility.
Mr. Chairman, these next few weeks are a critical time for small business as we approach the finish line in our work to rationalize 404. We look forward to working with you in the days ahead on these issues, as well as on the other important issues facing our nation's small businesses. Thank you again for the opportunity to speak on behalf of the Commission. I would be happy to answer any questions that you may have.