As smaller public companies hold out hope that Congress will exempt them from compliance with the external auditor provision of Section 404(b) of the Sarbanes-Oxley Act, an academic paper may provide ammunition to the exemption’s supporters.

A paper published by University of Texas accounting professor William Kinney and research student Marcy Shepardson suggests that there are less expensive ways to gauge a company’s control effectiveness short of a full external audit of internal controls over financial reporting, as Section 404(b) requires.

“Unaudited management internal control reports and traditional financial audits may be a cost-effective disclosure alternative for small public companies,” the authors write in the paper, titled: “Do control effectiveness disclosures require internal control audits? A natural experiment with small U.S. public companies.” They say the analysis of accounting mistakes alone could yield substantial disclosures at low incremental cost for auditors and issuers.

In other words, for smaller companies, compliance with Section 404(a)—which only requires management to review and disclose the state of internal controls—might be sufficient, without the cost and effort of compliance with Section 404(b). That would be the situation if the exemption currently proposed in Congress becomes law.

Small filers have already had to comply with Section 404(a) since last year, and the idea of freezing SOX compliance burdens there has support from at least some business leaders. “I believe most people in the business community and certainly in my membership would agree,” says John Endean, president of the American Business Conference.

The true cost of Section 404(b) compliance for small filers still remains a mystery, since they haven’t yet had to comply with it. But a 2009 study of SOX compliance costs done by the Securities and Exchange Commission found that of the smallest companies that were complying with Section 404(b), the average amount spent equalled 0.79 percent of total assets. In contrast, while larger companies spent more in absolute terms, they spent substantially less as a proportion of their assets in their first year of compliance: 0.14 percent, on average.

Another widely assumed, but not definitively verified, rule of thumb in compliance circles is that SOX compliance costs roughly 1 to 2 percent of total annual revenues—and that for smaller companies, the percentage can go higher.

To conduct their study, Kinney and Shepardson reviewed changes in disclosure rates and audit fees under various management reporting and audit regimes in effect from 2003 through 2008. They found “substantial and statistically significant increases” in material weakness disclosure for small firms undergoing initial SOX-based audits, and “quantitatively and statistically similar increases” for initial unaudited management reports of small firms currently exempt from those audits.

At the same time, small companies’ audit fees more than doubled for initial SOX-based audits and then remained high, while exempt companies’ fees grew about 10 percent annually.

Kinney and Shepardson’s study could not arrive at a more climactic moment. Currently, non-accelerated filers (companies with market capitalization below $75 million) must start complying with Section 404(b) for fiscal years ending on or after June 15, 2010. They managed to avoid compliance for years thanks to annual extensions from the Securities and Exchange Commission, but the SEC has now vowed to stand firm on the June 15 deadline.

Congress, meanwhile, has begun final debate on regulatory reform legislation that may well exempt small companies from Section 404(b) after all. The House passed a reform bill in December that included a permanent Section 404(b) exemption. The Senate bill passed in May does not. But U.S. Rep. Barney Frank, chairman of the House Financial Services Committee, said at Compliance Week 2010 last month that he expects the exemption to be included in a final bill hashed out this month and signed into law by President Obama by the Fourth of July.

As the legislation currently stands, compliance with Section 404(a) would remain in place for all public companies. Large filers would also continue compliance with both parts of Section 404, as they have since 2004.

The SEC declined to comment on either the study or the legislation. Spokesman John Nester referred to a March 19 letter from SEC Chairman Mary Schapiro to Senate Banking Committee Chairman Chris Dodd (D-Conn.), which states that the requirement for independent auditor assurance creates “incentives for a more effective system of controls than might otherwise exist.”

Pros and Cons of Audits

Opponents of the exemption contend that smaller companies are more likely to have poor internal controls—and without that check from external auditors, the companies that need internal control the most would have little incentive to invest in them.

SUMMARY AND CONCLUSION

Below is an excerpt from the paper by William Kinney and Marcy Shepardson on disclosure of internal controls.

In drafting SOX 404, members of Congress seem not to have been aware of practical implementation of then extant auditing standards regarding either internal control testing (AU 319) or financial auditor oversight of “other information” that accompanies audited financial statements (AU 550). Concerns about the costs of management reports and ICFR audits for small public companies led to staggered and bifurcated by size implementation and changing interpretive guidance over time, thus enabling an analysis of changes in material weakness disclosure rates and audit fees under multiple reporting and audit regimes. We conduct such analyses for 2004 – 2008.

For four of the five years (2004 – 2007), we find that small firms undergoing first-time ICFR audits experience a significant increase in material weakness disclosure rates. As to audit fees, we find that for first-time ICFR audits in 2004, audit fees are about twice what they were in 2003 but that the increases decline to about 150 percent by 2008. For small firms that first implement unaudited management reports in 2007 we find that they also experience a large and statistically significant increase in material weakness disclosures that is comparable to that of first-time accelerated filers for the same year and that audit fees increase by about ten percent. Further, we find that firms implementing unaudited management reports in 2007 followed by audited management reports in 2008 experience a nominal decline in disclosure rate in 2008 although audit fees increase by about 50 percent.

Overall, our results indicate that, for smaller public companies, management assessment of internal control effectiveness with financial auditor oversight of management’s report may be a cost-effective material weakness disclosure alternative to annual audits of ICFR. Furthermore, data from Audit Analytics and other sources are consistent with the possibility that 30 percent to 80 percent of small public companies with ineffective internal controls could be identified without the cost of management reporting on internal control and with only a modest increase in financial audit effort regarding the cause of known misstatements.

Source

Control Effectiveness Disclosures (June 9, 2010).

Kinney and Shepardson, however, say evidence suggests that up to 80 percent of small public companies with ineffective internal controls could be identified without the cost of a full external audit of controls, or even management’s assertions on internal control.

“It’s not an all-or-nothing proposition,” Shepardson says. “It’s not that either you do a full internal controls audit or investors get no information about internal controls. There are other ways to get similar types of information at cheaper cost.”

For example, Kinney says one solution would be to enhance existing financial auditing standards to require auditors to identify the cause of known misstatements, and to disclose material weaknesses found during the financial statement audit.

“If what you’re after is to inform investors about control weaknesses”—which, he says, is the intent of the ICFR requirements—“you can get most of that almost free from the financial audit.” Kinney says the key is the application of auditing standard AU 550, “Other information in documents containing audited financial statements.” That standard directs auditors to read other information included in a document containing audited financial statements.

His example: A company is subject to Section 404(a) but not Section 404(b). Management asserts in its Section 404(a) report that internal controls are effective. The auditor, however, detects a misstatement that requires adjustment, and concludes it resulted from a material weakness in internal controls for financial reporting. The auditor could then note the material misstatement of fact and make sure it’s fixed before issuing an audit report, causing management to disclose a material weakness under either Section 302 or Section 404(a).

Kinney and Shepardson also say an audit of larger, entity-level controls could identify more weaknesses without the burden of a full audit of all internal controls. “If auditors did a little more work on top-level controls, they might get a bigger bang for their buck,” Kinney says.

Not all agree. Former SEC Chief Accountant Lynn Turner, now a managing director in the forensic accounting practice at LECG, says auditors “won’t say anything about lousy controls or press management to say anything unless there is a reporting obligation.” And Joseph Carcello, research director at the University of Tennessee’s Corporate Governance Center, says investors can’t rely solely on management’s claims about internal controls.

“Where management is honest and competent, that works fine—but the small subset of companies where that isn’t the case can have a huge impact on the market,” he says.

Cindy Fornelli, executive director of the Center for Audit Quality, cites a November 2009 study from Audit Analytics that found that companies that hadn’t yet had the auditor review under Section 404(b) had a restatement rate 46 percent higher than those companies that had. She says the study is evidence that all public companies “should have the protection of both 404(a) and (b).”

Additionally, Turner says most institutional investors already avoid non-accelerated filers because they tend to have low liquidity in the market, poor performance, and poor analyst coverage. Giving them an exemption from Section 404(b) will give investors one more reason to steer clear, making it harder to attract capital.

“It will be like wearing a scarlet A,” he says. “Investors … have said they’re willing to pay the cost of Section 404(b). Why should Congress say they can’t have it? Companies can avoid SOX 404(b) by choosing not to go public.”

Carcello adds that auditing and reporting of internal control is still an immature practice. “Auditors have only been doing this for about five years,” he says. “To me the answer isn’t to eliminate the requirement; it’s for regulators to push the profession, through standards, inspections and enforcement, to get better at it.”