Section 404 of the Sarbanes-Oxley Act and Small Business
by Chairman Christopher Cox
U.S. Securities & Exchange Commission
Before the Committee on Small Business, U.S. House of Representatives
June 5, 2007
Chairwoman Velázquez, Ranking Member Chabot, and Members of the Committee:
Thank you for inviting me to testify on behalf of the Securities and Exchange Commission concerning the application of section 404 of the Sarbanes-Oxley Act to small businesses.
This Committee's charge is a vitally important one, both to the millions of small businesses in America, and to our economy. For our part, the SEC is charged by statute with the protection of investors, fostering efficient markets, and the promotion of capital formation. Small business needs all of these to survive. Like every Member of this Committee, we are completely committed to fostering a climate of entrepreneurship that helps promote small business growth, and the creation of the many jobs and goods and services in our country that are produced by small business.
For a small business, raising private capital often depends upon the future viability of tapping the public markets. It isn't just the company that is ready to go public today that benefits from a healthy market in publicly traded securities. Every startup, every new business idea — every determined woman with a dream, and every man striking out on his own — needs a flourishing IPO market.
America creates far more new businesses than does Europe. And our capital markets have a far higher percentage of individual owners of securities. So it's essential for the vitality of our economy that we protect both the opportunity for small businesses to raise the capital they need to innovate and the savings of individual investors that are invested in the securities of public companies.
Today, nearly five years after the Sarbanes-Oxley Act was signed into law, over 6,000 public companies still aren't required to provide the audited internal control disclosures required by section 404. Generally, every public company with securities registered with the Commission, if it has less than $75 million in public equity, falls into this category. They haven't been required to comply with section 404 because the Commission has been very sensitive to the special concerns of smaller public companies. All other public companies in the United States already have three years of reporting on internal controls behind them.
The Commission has delayed section 404 compliance for smaller companies because of the disproportionately higher costs they face compared to larger companies. Our experience of the first three years told us that the way 404 was being implemented was too expensive for everyone — and imposing that system on the smallest companies would impose unacceptably high costs from the standpoint of the companies' investors, who would have to pay the bills.
So the Commission and the Public Company Accounting Oversight Board set out to address the unique concerns of small business. We further delayed the implementation of 404 for smaller public companies until Chairman Olson and I, working together with the full Commission and the PCAOB, could replace the current inefficient system of 404 implementation with a more streamlined approach.
Our intention all along has been to re-focus 404 compliance on the specific problem that Congress had in mind: material risks to the financial reporting system. In that way, we will better protect investors and companies will more wisely spend their money on more meaningful internal control audits. And I am pleased to report to you today that the Commission and the PCAOB have voted to completely replace the inefficient system you have heard so much about with new guidance for management and a completely new standard for auditors.
In a moment, Chairman Olson will talk about the particulars of the PCAOB's new auditing standard, Auditing Standard No. 5 (AS 5), which, if approved by the SEC, will replace Auditing Standard No. 2 (AS 2). But I can tell you that the SEC and the PCAOB worked closely together on the development of this new standard to eliminate any language that would create an expectation that a small business's controls would have to be designed to fit the audit, rather than the audit being designed to fit the controls. AS 5, and the Commission's recent revisions to certain rules in Regulation S-X, also make clear that auditors are not opining on the methods or on the procedures that a small business uses to evaluate its internal controls. Rather, they are opining on the effectiveness of the internal control structure and procedures.
The replacement of AS 2 with a completely new auditing standard is vitally important to small business, because the prospect of being required to undergo the same kind of expensive internal control audit that large companies faced under AS 2 was the part of the 404 process about which smaller companies had complained of the most.
The SEC and the PCAOB also worked together on something brand new, that small business and companies of all sizes have never had before: specific guidance for management about its role in assessing internal controls, as distinct from the role of the auditor. This kind of guidance simply did not exist before. Rather, companies were forced to rely on standards for auditors, not companies, and those standards were themselves heavily criticized for being overly complex.
As a result, we now have SEC guidance expressly intended for management that is already finalized. And in a matter of months, I expect that the nation will also have a new SEC-approved auditing standard for auditors to use in their implementation of SOX 404.
The focus of this hearing is on whether the SEC's new guidance for management, and the PCAOB's new standard for auditors, will lower compliance costs for small companies. The answer is yes.
We expect the unduly high costs of implementing section 404 of the Act under the previous auditing standard will come down. They should come down because now, a company will be able to focus on the areas that present the greatest risk of material misstatements in the financials. This is what the law has always intended we be focused on. It's also what investors care about. It's what's important for achieving reliable financial reporting.
Compliance costs should come down because the new SEC guidance that's been developed specifically for management will allow each small business to exercise significant judgment in designing an evaluation that is tailored to its individual circumstances. Unlike external auditors, management in a smaller company tends to work with its internal controls on a daily basis. They have a great deal of knowledge about how their firm operates. Our new guidance allows management to make use of that knowledge, which should lead to a much more efficient assessment process.
Compliance costs should also come down for the minority of smaller public companies that had already complied with section 404 under the old auditing standard. In recognition of the fact that many of those companies have already invested considerable resources in the design and implementation of their processes, the Commission's guidance does not disrupt or require any changes to what they are now doing. While these smaller companies should benefit from the top-down, risk-based, materiality-focused, and scalable nature of both the SEC's new guidance and the PCAOB's new auditing standard, they should not have to expend new resources to do so.
The Commission has also made clear that our new guidance for management provides one way, but not the only way, to comply with the 404 requirement for an annual assessment of internal controls. We've made it clear that management can follow other reasonable approaches, too. For those managements that do follow the basic approach described in our guidance, we've adopted a rule that gives them the comfort of knowing that by doing so they have satisfied their obligation to evaluate their internal controls.
It is our intention that the SEC's new 404 guidance for management and the PCAOB's new AS 5 will work together to clearly delineate the company's responsibility for the methods and procedures it uses in its internal controls evaluation process, on the one hand, and the auditor's responsibility for opining on management's assessment, on the other hand. In combination, the Commission's guidance and the PCAOB's new auditing standard should result in management using a top-down, risked-based approach to its evaluation of internal controls. And they should shift discussions between managers and auditors away from management's evaluation process to what matters most to investors — the risk that material misstatements in the company's financials won't be prevented or detected in a timely manner.
By the way — managers and auditors should talk. And not just managers, but audit committees should have a healthy and ongoing dialogue with their auditors about the company's internal controls. There is no auditor independence rule, or any other rule or standard, that stands in the way of this kind of useful communication.
The comment periods for both the Commission and the PCAOB proposals closed on the same day — February 26 of this year. The Commission received 205 comment letters from a broad cross-section of investors, small companies and large companies, accountants, lawyers, regulators, and academics. About 70% of the respondents to the Commission's proposed guidance also provided comments to the PCAOB on its proposed auditing standards. The percentage that commented to both of us would have been higher, except that we received 48 letters from a class at the University of Wisconsin, who inexplicably found writing to the SEC a more appealing assignment than commenting to the PCAOB.
In our outreach to small business throughout this process, the SEC has been aided by the exceptional work of our Office of Small Business Policy in the Division of Corporation Finance. The Office of Small Business Policy is focused on making sure that the unique needs of small business are reflected in our rules, and in the interpretations and guidance we provide to the public. The Office of Small Business Policy served as the secretariat for the Commission's Advisory Committee on Smaller Public Companies, which issued its report to the Commission in April 2006. That report was focused on the problems with section 404 implementation in a systematic way, and it has informed many of the solutions that we are now preparing to put into effect.
Two months ago, as we neared the completion of our work on our 404 implementation reforms, the Commission held an open meeting to review the general nature of the public comments and the remaining open items that needed to be addressed. Chairman Olson and Jeff Steinhoff, the Managing Director for Financial Management and Assurance at the Government Accountability Office, also participated in that meeting.
Now that the SEC and the PCAOB have finished this collaborative work, and the SEC's new guidance for management is approved, all that remains is for the new PCAOB standard to be exposed for public comment under the SEC's own approval process. I expect that AS 5 will be approved in final form this summer, but if it is not, we'll once again postpone the requirement that smaller public companies have a section 404 audit until the new auditing standard is available, with plenty of time for them to prepare.
Of course, the reforms that we have made can be successful only if they are implemented properly by companies and their auditors. The manner in which the PCAOB conducts its inspections of auditors will be of critical importance in influencing how auditors implement the new AS 5. The Commission will be carefully monitoring the implementation to ensure that the sought-after cost savings are achieved.
As this Committee is aware, the Commission has carefully phased in application of the 404 reporting requirements. We have repeatedly deferred 404 compliance for small companies. The very positive result of our determination to phase in 404 for smaller companies is that we and they have had the opportunity to field test the requirements first. Now, we're using what we've learned to lessen the burden for smaller companies that will eventually have to comply with 404.
We have little doubt the SEC's new guidance and the new PCAOB standard will be of significant help to small companies when, beginning with their SEC annual filings in 2009, they eventually comply with the audit provisions of 404. In the meantime, for their filings in 2008, they will have to comply only with the management assessment portion of 404. And for this purpose, our new guidance will be especially helpful. It's written in plain English. It suggests that certifying officers at small companies ask themselves two basic questions:
First, do my employees understand what they need to do to prepare reliable financial statements?
Second, what information do I need to be sure they've done those things?
The answers to these questions needn't be complicated or costly. And certainly our guidance won't make them so. In fact, the guidance clearly highlights the areas where cost-effective implementation has been a challenge for small companies in the past, so that these pitfalls can be avoided. And it explains how a small company might approach 404 differently than a large company. For example:
- A smaller company would probably follow fewer and different steps in evaluating whether its controls will provide reasonable assurance about the reliability of its financial reports.
- Management in a smaller company can go about obtaining information on whether its controls operate as designed in different and less elaborate ways than would be necessary in a large company.
- The documentation needed to provide reasonable support for a smaller company's controls will normally be less than what's required in a larger company.
None of this should be unduly difficult for most small companies, and it most certainly does not require the 404 audit that has had smaller companies so concerned about cost. As we meet here in mid-2007, the requirement of an internal control audit under section 404 won't apply to smaller public companies with calendar-end fiscal years until their filings in the spring of 2009, almost two years from now. In the meantime, those smaller companies can begin to get ready for full SOX 404 compliance by undertaking the company's own assessment of its internal controls, beginning with their SEC reports in 2008.
So in response to suggestions that the Commission should extend 404 compliance for another year, the answer is that smaller companies won't be required to come into full compliance with SOX 404 until their reports due in March 2009.
This schedule gives smaller companies the benefit of doing an initial internal assessment of their controls without the added burden and cost arising from an external audit. We fully expect that, by the end of 2008, management's familiarity with the 404 process, and its documentation of internal controls, will make it easier and less expensive to do an external audit than it would have been under the previous system.
The goal of our collective efforts in this area is to implement section 404 just as Congress intended: in the most efficient and effective way to meet our objectives of investor protection, well-functioning financial markets, and healthy capital formation by companies of all sizes. We won't forget the failures that led to the passage of the Sarbanes-Oxley Act in the first place. And we won't forget that for small business to continue to prosper in America, both strong investor protection and healthy capital formation must go hand in hand.
The reforms we're making to the SOX 404 process are intended to be of direct benefit to America's small businesses — and the millions of Americans who work for them, invest in them, and benefit from all that they provide to our economy. We're re-orienting 404 to focus on what truly matters to investors — and away from expensive and unproductive make-work procedures that waste investors' money and distract attention from what's genuinely material. No longer will the 404 process tolerate procedures performed solely so someone can claim he considered every conceivable possibility.
These past few weeks have witnessed several positive steps for small business at the SEC. Not only are we approaching the finish line in our work to rationalize and improve the 404 process for smaller companies, but also we're tackling several other issues of importance to our nation's small businesses. The most important of these is our initiative to broaden small business access to the U.S. capital markets.
In the last few weeks, the Commission has voted to propose six separate measures to modernize and improve capital raising for small business, and to simplify SEC reporting for small business. Many of these proposals would implement key recommendations made by the Commission's Advisory Committee on Smaller Public Companies. The small business improvements that the SEC has very recently proposed include:
- Giving small businesses access to the expedited "shelf" registration process for their own securities offerings, which previously was available only to big companies.
- Cutting paperwork for thousands of small businesses, by allowing them to raise capital in a private offering after filing a simplified Form D online.
- Establishing shortened holding periods for restricted securities, making it easier for small business shareholders to put their securities on the market sooner and hopefully reducing the discount that small businesses must absorb to sell restricted securities.
- Giving issuers the benefit of a new, limited offering exemption from Securities Act registration requirements for offerings and sales of securities to a newly defined category of "qualified purchasers" in which limited advertising would be permitted.
- Eliminating the limit on the number of employees who can receive stock options from their fast-growing private firms, improving the ability of emerging growth companies to attract and retain talent without prematurely triggering the requirements of the Exchange Act.
- Providing a simplified system of disclosure for almost 1,600 additional smaller public companies, an increase of over 45% in the number of small companies that are currently eligible.
This focus on capital formation and the removal of obstacles to the growth of small businesses is appropriate given the historic importance of small business in the United States as a driver of economic activity, innovation, and job creation. Our concerns for small business go hand in hand with our responsibility to protect investors. It is, after all, investors who are injured and whose money is lost when the small businesses in which they invest can't get affordable access to new capital.
Madam Chairwoman, the SEC takes equally seriously each element of its tripartite mission: investor protection, efficient markets, and healthy capital formation. The 404 reforms, the capital raising improvements, and the reporting simplifications we've proposed to benefit small business will, I am certain, help our country to accomplish all three of these objectives.
Thank you again for the opportunity to speak on behalf of the Commission. I would be happy to answer any questions that you may have.