The Sarbanes-Oxley Act of 2002, Section 404(a) requires smaller public companies (non-accelerated filers) with fiscal years ending after December 15, 2007 to document a Management Assessment of their Internal Controls over Financial Reporting (ICFR). Outside auditors of non-accelerated filers, however, are not required to opine on or test internal controls under PCAOB (Public Company Accounting Oversight Board) Auditing Standards until years ending after December 15, 2008.
Lord & Benoit
Despite the timely issuance of the Securities and Exchange Commission (SEC) Interpretive Guidance on June 27, 2007 and the issuance of the related PCAOB Auditing Standard No. 5, the House Committee on Small Business expressed concern that the cost of Section 404(b) of the Sarbanes-Oxley Act of 2002 (SOX 404) on small companies is still unknown and could therefore be disproportionately high for smaller publicly held companies. Cost estimates for Section 404(b) were therefore requested prior to the law being enforced.
In response to this, SEC Chairman Christopher Cox indicated in a hearing to the House Committee on Small Business that he was considering extending the delay in the auditor attestation requirement of Section 404(b) for non-accelerated filers until years ending after December 15, 2009 in order to gather cost estimates associated with the new standards.
In an effort to help understand the costs of a non-accelerated filer complying with Section 404(a) and Section 404(b) for the first time, Lord & Benoit, LLC, a SOX Research and Compliance firm, has gathered empirical cost data to answer the timely question:
What exactly is the cost for a smaller public company to comply with Sarbanes-Oxley Section 404(a) and Section 404(b) regulations using the latest guidance issued by the SEC and PCAOB?
The following were the results of the research:
1. The average cost of complying with Section 404(a) Management Assessment for non-accelerated filers was $53,724. Total costs of complying with Section 404(a) ranged from as low as $15,000 for a smaller software company to as high as $162,000.
2. The average projected cost of complying with Section 404(b) Auditor Attestations of ICFR for all of the non-accelerated filers was $24,750. The range of audit fee increases was as low as $7,517 and as high as $86,417.
3. The total average cost of complying with both SOX Section 404(a) and Section 404(b) amounted to $78,474. The initial prediction by the SEC was a cost of $91,000 for all public companies. Costs were also broken down by industry and are presented later in this analysis. The results were consistent with expectations: companies with multiple in-scope locations with complex purchasing, inventory and IT systems in industries such as manufacturing and distribution incurred the highest compliance costs. Conversely, biotech companies in one location, with little revenue, few employees and no inventory had the lowest costs. The following chart illustrates total average costs:
The average market capitalization of these companies as of December 14, 2007 was $24,702,000. The average revenue of the companies in this study was $9,702,000. The average cost of complying with both Sections 404(a) and (b) in this study was 0.3% of market capitalization and 0.8% of revenues.
4. A potential paradox in professional standards was noted while assembling this data. It appears that AICPA Auditing Standards (standards for non public companies) may require even greater attention to internal control attestation on an audit of the financial statement of a NON PUBLIC company than for an audit of a smaller PUBLIC company, due to delays in Section 404(b) to years ending after December 15, 2008 (and possibly 2009 should the SEC grant another extension).
The highly-publicized scandals at Enron, WorldCom, and Tyco exposed several significant incidents of corporate fraud which ultimately contributed to over $500 billion in market value declines. This very visible shaking of public confidence in the national securities markets led Congress to create the Public Company Accounting Reform and Investor Protection Act of 2002, also known as the Sarbanes-Oxley Act of 2002. Both branches of Congress voted on it without change, producing an overwhelming margin of victory: 423 to 3 in the House and 99 to 0 in the Senate. On July 30, 2002, President George W. Bush signed it into law.
Since its enactment, complaints of spiraling compliance costs have flooded the halls of Congress. In response to this outcry, the Securities and Exchange Commission (SEC) voted unanimously on December 13, 2006 to take action to improve the cost-effectiveness of the implementation of Section 404 of the Sarbanes-Oxley (SOX) Act. One of the Commission's actions was to propose interpretive guidance to assist management in planning and performing its annual evaluation of internal control over financial reporting (ICFR). On June 27, 2007, the SEC issued this long awaited interpretive guidance to enable management to conduct a more effective and efficient evaluation of ICFR. The guidance was designed to vary from company to company and eliminate a one-size-fits-all approach. The SEC's evaluation process is a top-down, risk-based approach which the Commission believed to be more efficient and effective than what generally has been applied in practice.
The House Committee on Small Business, however, continued to express concern over the possible disproportionate costs associated with complying with Section 404(b) auditor attestation of the Sarbanes-Oxley Act of 2002. The Committee therefore requested audit fee estimates before the law is enforced. Actual costs, however, are impossible to obtain unless the audits are allowed to be performed. Audit Analytics recently released a study of Section 404(b) audit fees, based on research of the audit fees of nearly 5,500 companies, to help us understand what auditors may charge to comply with the law. The results are presented in this study.
The Unintended Paradox
While gathering cost information for this research study we observed an unusual paradox. Because of the heightened awareness of corporate frauds, and nearly five years of delays in complying with the Sarbanes-Oxley Act of 2002, it appears that the accounting standards surrounding internal controls for NON PUBLIC companies are now stricter than those of smaller PUBLIC companies (with market cap under $75 million).
The AICPA (American Institute of Certified Public Accountants), which regulates the accounting standards for non public companies, recently enacted Statements of Auditing Standards (SAS) 107 through 112 that require auditors OF NON PUBLIC COMPANIES to take a top-down, risk-based audit approach to assessing internal controls. SAS 109 specifically requires that auditors of NON PUBLIC companies evaluate the design of controls relevant to the financial statements and determine whether or not the control has been implemented. Auditors are therefore required to test controls when the auditors' risk assessment assumes the operational effectiveness of a control or the auditor intends to rely on identified controls in order to reduce audit risk and further procedures. This Standard is effective for audits of non public companies with periods beginning on or after December 15, 2006.
Conversely, it is not clear if auditors of smaller PUBLIC COMPANIES are exempt from these internal control assessment standards given the implementation delays of PCAOB Auditing Standard No. 5 (also known as Section 404(b)). Therefore one might conclude that smaller PUBLIC COMPANIES are now subject to a lower level of internal control work than PRIVATE companies.
Parameters of the Study
- The costs of twenty-nine (29) non-accelerated registrants were studied. More respondents were expected, but many companies apparently chose to delay their compliance efforts due to the widespread belief that another extension could be granted. Similarly, a recent Lord & Benoit survey of PCAOB Registered CPA Firms indicated 89% of the CPAs who responded were not satisfied with their clients' SOX compliance progress.
- The companies included in the survey followed both the SEC Interpretive Guidance and the COSO Guidance for Smaller Public Companies for complying with Section 404(a) of the Sarbanes-Oxley Act. These were top-down, risk-based, right-sized approaches recommended for both internal controls and IT controls.
- Companies were non-accelerated filers that documented a complete management self-assessment of ICFR under Sarbanes-Oxley Section 404(a) for the first time, with fiscal years ending after December 15, 2007.
- All companies were based in the United States with some having foreign subsidiaries.
- Companies varied in size, revenues, market capitalization and number of in-scope locations.
- Compliance costs associated with in-scope locations were included in the analysis. The costs of complying with Section 404(a) included all additional internal labor costs, objective third party assistance, testing tools, drafting policies and procedures, documenting enterprise and fraud risk assessment, review of company level controls, review of Generally Accepted Accounting Principles and Estimates, meetings with audit committees and outside auditors, documenting compliance with COSO, review of design of controls, testing operating effectiveness of controls and report writing. We found remediation costs to be negligible due to the fact that most weaknesses were addressed by simple procedural adjustments rather than major investments in systems and software.
- Industries noted in this study were diverse and included: Banking, Finance, Biotech, Distribution, Energy, Food & Beverage, Manufacturing, Mining, Real Estate, Semiconductor, Services, Software, Telecommunications and Transportation.
- Other information needed to gather Section 404(b) costs, such as company revenues, market cap and audit fees, was obtained using www.AuditAnalytics.com.
- Cost savings of using the new PCAOB Auditing Standard No. 5 were excluded from this study, because audits under this standard have not yet begun for non-accelerated filers. Companies should expect to see greater audit fee savings because the PCAOB standard does not require the outside auditor to express an opinion on management's assessment. They just express an opinion on the controls, which is certain to save on audit fee costs.
Importance of the Guidelines
It is important to note that this study only includes companies that chose to implement with the new SEC Interpretive Guidelines and the COSO Guidance for Smaller Public Companies. The reason was to specifically address the House Committee on Small Business question as to whether the new professional guidance would truly save companies money in implementing Section 404(a) and Section 404(b) of the Sarbanes-Oxley Act of 2002. The following is a brief summary of each guidance.
- The SEC Interpretive Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 was released to provide guidance for management regarding its evaluation and assessment of internal control over financial reporting. The guidance set forth an approach by which management can conduct a top-down, risk-based evaluation of internal control over financial reporting. The interpretive guidance addresses the following topics:
A. The Evaluation Process
1. Identifying Financial Reporting Risks and Controls
2. Evaluating Evidence of the Operating Effectiveness of ICFR
3. Multiple Location Considerations
B. Reporting Considerations
1. Evaluation of Control Deficiencies
2. Expression of Assessment of Effectiveness of ICFR by Management
3. Disclosures about Material Weaknesses
4. Impact of a Restatement of Previously Issued Financial Statements on Management's Report on ICFR
5. Inability to Assess Certain Aspects of ICFR
- The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S. private-sector initiative whose primary objective is to identify various factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. The COSO Guidance has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems. The companies in this study used the guidance COSO published in 2006, Internal Control over Financial Reporting - Guidance for Smaller Public Companies, which focuses on guiding smaller business entities in implementing sufficient internal controls over financial reporting.
Costs of Section 404(a) Management Assessment
The average cost of complying with Section 404(a) Management Assessment for all of the non-accelerated filers included in the study was $53,724. Total costs of complying with Section 404(a) ranged from as low as $15,000 for a smaller software company to as high as $162,000 for a semiconductor manufacturer with locations throughout the United States.
The Lord & Benoit Report continued to break down the average cost of Section 404 compliance by industry. As the chart below indicates, the Group 1 companies in the manufacturing and distribution industries incurred higher internal control compliance costs ranging from $65,000 to $162,000. Market capitalization of these companies ranged from $19.7 million to $48 million. Revenues ranged from $1.5 million to $24.7 million. The companies typically had robust purchasing, multiple subsidiaries in the U.S. and overseas, inventory controls, complex IT systems and large capital expenditures. All of these factors contributed toward higher costs to perform their management assessment.
The Group 2 companies shown above spent an average of $48,000 to $57,000 for their first year SOX 404 compliance. Market capitalization of these companies ranged from $13.5 million to $32.7 million. Revenues ranged from $0 to $38.5 million. The industries included Banking & Finance, Real Estate, Food & Beverage, Transportation and Mining. When observing this mix of companies, a surprising result was seeing banks positioned in this middle group. One might conclude that banks, with the additional internal controls mandated to run a banking operation, would rank at the higher end of the cost scale. However, this was not the case. In fact, we observed that when SOX Section 404 was done properly (i.e., less-prescriptive, top-down, risk-based approach), evaluators focused only on internal controls over financial reporting to the public (i.e., SEC reporting) rather than retesting operational controls that are tested by FDIC, internal auditors and/or other regulators. As a result, more focused attention was given to examining company level controls such as the income tax provision and accounting for options, etc. that generate the majority of Section 404 material weaknesses. For additional information about the Impact of SOX on Banking Industry, go to www.section404.org in the Industry Research Section.
The Group 3 companies were in the Software, Energy, Services and Biotech industries. Their costs ranged from an average of $26,000 to $42,000. Market capitalization of these companies ranged from $12.3 million to $23.3 million. Revenues ranged from $1.5 million to $10.6 million. Again, it is interesting to note that companies in the biotech industry experienced the lowest SOX 404 costs. When investigated further, we found these entities often had little revenue, one location, few employees, no inventory and little capital spending. Therefore testing processes were less time-consuming as well as being scaled back to properly reflect the size, scope and risks of the entity. Their compliance efforts were therefore swift and cost effective. Similarities were noted in the Services, Software and Energy companies.
Costs of Section 404(b) Auditor Attestation
The average projected cost of complying with Section 404(b) Auditor Attestations of ICFR for all of the non-accelerated filers included in the study was $24,750. The range of audit fee increases was as low as $7,500 and as high as $86,000. Audit fee increases related to Section 404(a) were derived by multiplying the actual 2006 audit fee of each company by the projected audit fee increase, which was obtained from an exhaustive study by AuditAnalytics entitled The Audit Analytics 2006 Audit Fee Briefing Paper, which indicated that audit fees for smaller accelerated filers increased by 27% from Section 404(b). The audit fee increases, however, were determined under Auditing Standard No. 2, which was a more complex standard than Auditing Standard No. 5 (AS5). AS5 allows auditors to be more flexible in approaching the audit of internal controls; therefore companies are likely to experience even greater savings than those noted here.
The purpose of the audit fee increase study was to "compare the audit fee increases of the 404 Filers with that of the Non-404 Filers with the intent to shed light on what percentage of the increase appears to be attributable to the SOX 404 implementation/adherence and what percentage appeared to be attributable to other environmental pressures and economic forces that are common to both the 404 Filers and Non-404 Filers. The 404 Filers comprise of 3,130 companies and the Non-404 Filers comprise of 2,555 companies, a group that includes both non-accelerated filers and many large foreign registrants."
The goal was to "identify, at least in part, the overall effect that Sarbanes Oxley Section 404 requirements have had on external audit fee changes. The Non-404 Filer fee increases could be viewed as a benchmark for audit fee increases that resulted from influences other than those directly attributable to SOX Section 404 related services."
The results of the audit fee analysis:
- Overall there was a slightly less than 15% increase in average audit fees that were specifically related to Section 404(b) last year.
- The equivalent percentage audit fee increase was 11% for large accelerated filers.
- And 27% audit fee increase for small accelerated filers.
The Audit Analytics report indicated that "since auditors were required to perform sufficient testing to independently assess a company's internal controls over financial reporting, one would have reasonably expected a much bigger spread in audit fee increases. In addition, with respect to smaller accelerated filers, the fact that Section 404 work required a higher percentage of the overall audit fees should be expected as a lesser priority had been given to their internal controls in the past."
The Audit Analytics study also noted that "the costs were not without corresponding benefits. The improvement in procedures had removed volatility in reporting and this, in turn, has contributed to the recent dramatic decrease in security class action claims against companies. In addition, the Market Capitalization to Revenue Ratio of companies with good financial reporting procedures and filings experience higher stock values in return."
Combined Costs of Section 404(a) and Section 404(b)
The total average combined cost of complying with Section 404(a) and Section 404(b) in this study of non-accelerated filers was $78,457. These average Section 404 costs are lower than the $91,000 the SEC had originally predicted.
The research also showed that the range of total costs for a complete Sarbanes-Oxley Section 404(a) and Section 404(b) effort (management assessment and auditor attestation) was as little as $23,000 for a small software company and as high as $197,000 for a manufacturer/distributor with locations in the United States and two other countries.
- Is the average added cost of Section 404(a) compliance of $53,700 (about 0.8% of revenue or 0.3% of market cap) worth the confidence to investors, increased efficiencies, fraud prevention, and confidence in growing future market capitalization?
- Is the average cost of complying with Section 404(b) of $24,750 too high of an additional cost to bear for smaller public companies for auditor attestation of internal controls**?
- Should a delay in auditor attestation be granted? Or would another delay in applying Section 404(b) put auditors in a compromising position of following standards lower than those of its profession?
- Research of the share price movement of 2,481 companies* showed SOX compliant companies outperformed the stock market by nearly 10%. Would a smaller public company, however, share the same benefits that accelerated filers received in share price growth? Or is share price irrelevant due to the small number of investors in a smaller public company?
- Besides share price growth, are there any significant benefits to a smaller public company establishing controlled growth?
* The Lord & Benoit Report: The Benefits of SOX 404 Exceed the Cost - Share Price Movement
** The Lord & Benoit Report: SOX 404 Disclosure Control Gap
The Lord & Benoit Report: Ten Threats to Compliance for Smaller Public Companies
Lord & Benoit
Bob is President and Director of SOX Research at Lord & Benoit, LLC, one of the most influential SOX Research and Compliance firms for smaller public companies.
In addition to his position with Lord & Benoit, Bob serves on the COSO Monitoring Project Task Force. He has also served on the AICPA Peer Review Acceptance Board in MA for the past 11 years, has taught Complying with Sarbanes-Oxley Section 404 throughout the country through the State CPA Societies and is the author of the Lord & Benoit Reports, which have been referenced by the SEC, PCAOB, COSO, AICPA, CHH, RIA, BNA, Wall Street Journal, all of the "Big 4" firms and over 120 legal, educational and trade journals around the world.
Bob is the first evaluator to use the COSO Guidance for Smaller Public Companies, the inventor of Virtual SOX taught on the AICPA website and a research contributor to the SEC Subcommittee, SEC Concept Releases and SEC/PCAOB Internal Control Roundtables.