From: Pat Clements
To the Advisory Committee on Small Public Companies:
I would like to commend the Advisory Committee on Small Public Companies (ACSPC) for their efforts on the proposed recommendations (specifically: III.P.1 and III.P.2) to modify the Sarbanes-Oxley Act of 2002, Section 404 (“SOX 404” or “the Act”) requirement for the microcap and smallcap companies. I strongly support laws related to requiring effective controls over financial reporting for all public companies; however, I believe that such laws or requirements should only be made at costs that will not significantly impact a company’s financial and human resources. It would appear as though this message is finally getting through.
The cost of complying with the Act on small companies is overwhelming. I am the controller for a “smallcap” publicly-traded software company. Our company has incurred approximately $3.5 million and $3.0 million in SOX 404 related accounting and audit fees in 2004 and 2005, respectively. These amounts represented approximately 5% and 3% of total revenue and 40% and 84% of net income, in 2004 and 2005, respectively. I might add this reflects only the external auditor and outside consulting fees incurred and does not include any accounting for the time and effort required of our financial, operational and executive resources. Of course, the irony in all of this, the CPA firms, who are at least partially to blame for this regulation in the first place, are the ones raking in these fees. Even more interesting and almost humorous is that, for the most part, they are the few voices in opposition to this proposal (i.e. see Grant Thornton’s comment letter). This, in and of itself, may be saying a lot about where the profession’s true interests lie. To this end, I am a bit wary of what the audit firms will still “need” even with if attestation requirement is removed for smallcap companies.
I do believe that additional guidance to the spirit of the law should be provided so as to put more focus on the integrity and accuracy of the financial statements rather than providing a forum whereby registrants might be discouraged from coming forth with additional information subsequent to the start of audit or review procedures out of the fear that a significant deficiency or material weakness will result. Case in point, over the past two years, we have encountered circumstances whereby our significant deficiencies and a material weaknesses have been identified based on the fact that we, the registrant, came forth with better information, resulting in adjustments proposed by us, subsequent to the commencement of field work but prior to the filing of the requisite public documents. It would seem to me that, while adjustments such as this might be an indication of a control deficiency with regard to timeliness, the fact that we, identified the necessary adjustments prior to the filing of public documents without the assistance of the auditors would certainly be an indication that there were, in fact, controls in place to ensure the accuracy of the financial statements. If the priority is the integrity and accuracy of the financial statements prior to informing the investing public, then it seems clear that only those adjustments resulting directly from the review or audit procedures performed should be considered as significant deficiencies or material weaknesses. As it is, we are forced to report on items when actually all we are doing is our respective jobs.
In the area of identified controls within processes subject to review – more specifically, the financial reporting and disclosure cycle – my understanding is that a registrant cannot consider their respective auditor’s review process as a part of the overall control environment. Yet, a registrant cannot file public documents without such a review and, typically, will seriously consider any and all comments or recommendations resulting from their auditor’s review. Once again, if the spirit of the Act is to, among other things, ensure the accuracy and integrity of publicly filed documents, it would seem to me that a registrant should be encouraged to take whatever steps are necessary to make certain this objective is achieved. Such steps should include the solicitation of any and all available expertise. In the case of most smallcap companies (and likely, a significant number of midcap and largecap companies) that cannot afford to employ a building-full of accountants and financial analysts, such expertise is often limited to either hiring external CPA/consulting firms which can be costly, or placing some degree of reliance on the review process of their external auditors of record which, as previously mentioned, is not allowed. I understand the independence rules preclude direct auditor involvement in the decision making process, but not considering their review as a component of the overall control environment seems a bit hypocritical when their review is required. With this in mind, I would strongly encourage ACSPC to revisit this area with a view toward the real intent of the Act, how practical is its current form and what is the true definition of a control environment, be it internal or external, within a given cycle.
Along these lines, a reasonable alternative to the existing rules and requirements might be for ACSPC to consider developing a “COSO-Lite” that takes into account the aforementioned issues as well as what I am certain are many other issues raised by other concerned registrants. While I firmly believe the actions proposed by ACSPC are a definite step in the right direction, clearly, much work remains to be done to create an environment that not only ensures compliance with the sprit of the law, but also does not place an undue burden on what amounts to the vast majority of registrants that have nothing but the best of intentions. A formidable task? Absolutely. But an equally worthy task.
Thought for the day: