Sarbanes-Oxley Section 404: New Evidence on the Cost for Small Companies
by Christopher Cox
Chairman, U.S. Securities & Exchange Commission
Before the U.S. House of Representatives Committee on Small Business
December 12, 2007
Chairwoman Velázquez, Ranking Member Chabot, and Members of the Committee:
Thank you for inviting me to testify on behalf of the Securities and Exchange Commission concerning the costs and benefits of section 404 of the Sarbanes-Oxley Act for small businesses.
The Commission and this Committee share an abiding concern for America's smaller public companies. Since the Sarbanes-Oxley Act became law in 2002, large public companies have come into compliance with section 404 regarding internal controls. But to address concerns from smaller public companies, the SEC has not applied section 404 to smaller companies. In addition, we recently issued guidance intended to make the process for smaller public companies more economical and efficient when eventually they do come into compliance.
The Commission's decision to proceed cautiously in deference to smaller public companies and their investors is due in significant part to the fact that the cost of regulation falls heaviest on smaller companies. As the Members of this Committee well know, smaller firms spend far more per employee than larger firms to comply with federal regulations, including those of the SEC.
It would be impossible to succeed in our mission of promoting capital formation if we did not focus directly on the needs of small business. For that reason, the SEC has a long history of listening to smaller public companies and assisting them in their efforts to raise capital. For more than a quarter century now, we have been sponsoring an annual forum on small business capital formation, and I was honored to open the most recent forum just three months ago. Our focus in these forums has been on the removal of obstacles that can impede the growth of small companies. This responsibility to promote small business capital formation goes hand-in-hand with our responsibility to protect investors.
Just three weeks ago, we adopted new rules designed to make it much simpler and easier for smaller companies to raise capital. We expanded the number of companies who can use the Commission's scaled disclosure and reporting requirements for smaller companies. Now, companies with a public float of up to $75 million can use these simpler rules, compared to the $25 million cap that was in place under the old rule. That means another 1,500 public companies will be eligible to use our simplified disclosure and reporting requirements.
We also further simplified the rules themselves. We eliminated five forms, and 36 separate items that used to make up Regulation S-B.
We made it more economical for smaller companies to sell restricted securities under Rule 144 of the Securities Act. We reduced the holding period from one year to six months, and eliminated many of the other restrictions on using Rule 144. And non-affiliates won't have to file forms any more — a change we expect will reduce the number of Form 144s filed with the Commission by nearly 60%. This is a way to cut the cost of capital for smaller companies without sacrificing investor protection.
We also changed the rules to protect private companies with stock option plans for their employees, who have been worried that they might accidentally be required to register as public companies, even though they don't have any public shareholders.
In taking these steps, we were responding to several key recommendations of the SEC's Advisory Committee on Smaller Public Companies, which issued its final report in April 2006. The Advisory Committee focused on ways that the Commission could ensure that the benefits of regulation for smaller companies under the federal securities laws outweigh the costs. We greatly appreciated the recommendations that we received from the Advisory Committee, and with these actions we are continuing to implement them.
One of the Advisory Committee's key recommendations was that smaller companies should not be made to comply with section 404 of the Sarbanes-Oxley Act, and in particular the requirement of external auditor involvement, "[u]nless and until a framework for assessing internal control over financial reporting for such companies is developed that recognizes their characteristics and needs." With that very recommendation in mind, the Commission delayed section 404 compliance for smaller public companies, and set to work on providing guidance for smaller public company managements that would recognize that their needs were different than those of larger companies. Our experience of the first three years under Sarbanes-Oxley 404 had convinced us that the way it was being implemented through Auditing Standard Number 2 was too expensive for everyone — and imposing that system on the smallest companies would impose unacceptably high costs from the standpoint of the companies' investors, who would have to pay the bills.
Now, more than five years since the Sarbanes-Oxley Act was signed into law, there are roughly 5,000 firms in the smaller public companies category that still aren't required to provide an auditor's report on their internal controls, as required by section 404(b). Generally, this is every public company with securities registered with the Commission, if it has less than $75 million in public equity. We call them "non-accelerated filers" because larger public companies are required to file their annual and quarterly reports with us on a comparatively accelerated basis.
During the last few years, the Commission and the Public Company Accounting Oversight Board (PCAOB) have worked together to specifically address the unique concerns of small business in the "non-accelerated filer" category. We completely repealed the old inefficient system of implementing section 404. The SEC published guidance specifically for management, not auditors, which had never been done since the passage of SOX. Both we and the PCAOB approved a completely new standard for auditors — Auditing Standard Number 5 — that is top-down, risk-based, materiality-focused, and scalable for companies of all sizes. And we will undertake a serious cost-benefit study of the costs of 404 compliance under the new management guidance and auditing standard, to reliably estimate the costs to small business.
Our SEC management guidance intended for the company's own use will relieve smaller companies from having to rely on the audit standard as their de facto rulebook. It encourages cost-effective compliance. It is designed to eliminate unnecessary make-work that does little to further the goal of providing reliable financial statements to investors.
For smaller public companies, the guidance will be in place the very first time they come into compliance, so that they can avoid wasteful and unnecessary compliance efforts that others have had to endure under the old standard. And the guidance was specifically written with smaller companies' unique control systems in mind. It encourages management to tailor their documentation and evaluation approaches to their particular business. This is meant to put an end to the one-size-fits-all, check-list approach that many larger companies have bristled under as they tried to comply with 404 under the old standard.
When, eventually, smaller public companies do come into full compliance, the new audit standard will encourage the scaling of all audits to reflect each company's circumstances rather than a single check-list for all situations.
And to ensure that this is what actually happens, the SEC will conduct a study of the costs and benefits of 404 compliance under the new auditing standard and management guidance. Currently, under the direction of the Office of Economic Analysis, the SEC staff is preparing to gather and analyze real-world data. The study will seek to identify trends and provide a comparison to costs under the old auditing standard. The study will also pay special attention to those small companies that are complying with section 404 for the first time.
This survey of costs and benefits is expected to have two main parts — a web-based survey of companies that are subject to section 404, and in-depth interviews with a subset of companies including those that are just now becoming compliant. This dual approach will allow us to gather data from a large cross section of companies, while providing more detailed information about what drives the costs and where companies derive the benefits, especially for newly compliant companies. Because we are intent on using real data based on companies' actual experiences, this survey will be taking place in the coming months as companies for the first time prepare their financial statements and undergo external audits under the new auditing standard and internal assessments with the aid of the new management guidance.
We anticipate that the study and analysis of the results will be completed no earlier than June 2008. Under the current schedule, smaller public companies would be expected to begin complying with Sarbanes-Oxley section 404(b) for fiscal years ending after December 15, 2008, with the result that unless there is an additional deferral, companies will incur compliance costs before the SEC has the benefit of the study and analysis. As a result, I intend to propose to the Commission that we authorize a further one-year delay in implementation for small businesses in order to base our decision on final implementation of section 404(b) on the best available cost data.
Since I last testified before the Committee this summer, the SEC and PCAOB have undertaken comprehensive outreach to help the small business community prepare to meet their obligations under section 404(a) of Sarbanes-Oxley. This outreach has included a half dozen forums around the country. To make sure that our guidance is useful and understandable for smaller companies, we have also published a brochure designed specifically for management of small businesses that explains — in plain English — how to evaluate internal controls and determine whether they are effective. We've spent a lot of time distilling the key principles of our management guidance into this easy-to-read brochure, and we hope that all companies, small and large, will read it.
Madam Chairman, it is the SEC's intention that our new guidance for management, and the PCAOB's new standard for auditors, will lower overall compliance costs for companies of all sizes, and significantly so, compared to the old standard. We expect the unduly high costs of implementing section 404 of the Act under the previous auditing standard will come down for those larger companies that will comply with section 404(b) this year. They should come down for the very best of reasons: because now, a company and its external auditor will be able to focus on the areas that present the greatest risk of material misstatements in the financials — the areas that investors truly care about. This is what the law has always intended.
We expect that compliance costs under section 404(a) should come down disproportionately for small business because the new SEC guidance that's been developed specifically for management will allow each small business to exercise significant judgment in designing an evaluation that is tailored to its individual circumstances. Unlike external auditors, management in a smaller company tends to work with its internal controls on a daily basis. They have a great deal of knowledge about how their firms operate. The new guidance allows management to make use of that knowledge, which should lead to a much more efficient assessment process. We state clearly in our brochure for small business that under normal circumstances they do not need to hire extra help to do their assessment. They certainly do not need to engage an outside auditor for this purpose, as opposed to auditing their financial statements. The normal company personnel who are responsible for this work should be able to do it as a part of their routine duties.
With management now able to scale and tailor their own evaluations, one important step remains. The SEC and the PCAOB expect greater efficiencies from the audit firms who are responsible for attestation under the new 404(b) procedures. To that end, the PCAOB's inspection program will monitor whether audit firms are implementing the new auditing standard in a way that is designed to achieve the intended results. And the SEC, in our oversight capacity, will monitor the effectiveness of the PCAOB's inspections, also with a view to 404 efficiency. So both the SEC's and the PCAOB's inspectors will be focused on whether audit firms are achieving the desired efficiencies in the implementation of 404(b) while maintaining the effectiveness of the present process.
The goal of all of these efforts is to implement section 404 just as Congress intended: in the most efficient and effective way to meet our objectives of investor protection, well-functioning financial markets, and healthy capital formation by companies of all sizes. We won't forget the failures that led to the passage of the Sarbanes-Oxley Act in the first place. And we won't forget that for small business to continue to prosper in America, both strong investor protection and healthy capital formation must go hand in hand.
The reforms we have made to the SOX 404 process will be of direct benefit to America's small businesses — and to the millions of Americans who work for them, invest in them, and depend upon all that they provide to our economy. We're re-orienting 404 to focus on what truly matters to investors. We've wrenched it away from expensive and unproductive make-work procedures that waste investors' money and distract attention from what's genuinely material. And still, we intend to be cautious and attentive to real-world cost data before phasing in the final compliance requirements for smaller companies.
Thank you again for the opportunity to speak on behalf of the Commission. I would be happy to answer any questions that you may have.