Solar Integrated Technologies, a California company currently listed on London’s increasingly popular (and less regulated) AIM exchange, has always had its sights on being listed in the United States. The worry: regulatory considerations, such as Sarbanes-Oxley compliance.


Not anymore, says Randall MacEwen, chief executive officer of the $81 million solar roofing systems company. “Compliance is now more of a modest consideration for us than it’s ever been,” he says. “We’re definitely considering listing in the more relaxed U.S. environment.” (The company has no specific plans for a public offering, MacEwen stresses.)

That relaxed environment is the result of significant reforms the Securities and Exchange Commission enacted last year, to ease the burden of small public companies coming under the auspices of Sarbanes-Oxley’s Section 404 for the first time this spring. Small filers now have to include an assessment of their internal controls over financial reporting in their annual reports; in 2010, those internal controls will also need to be audited.

The SEC began surveying companies in February to see how much help the Section 404 reforms really are. That will be difficult to determine for small filers since they haven’t had to comply until now. Still, small businesses say it’s important to assess the benefits of compliance strategy under the new Section 404 regime rather than just going through the motions ahead of filing.


Joseph Simrell, chief executive and financial officer of $2 million Primal Solutions, says the days of a checklist mentality are over. “Like many small businesses, limited financial resources prevented [us] from hiring an outside consultant that had prior 404 experience,” he says. “And even to this day I’m not sure an outside consultant would have been of much value, because of their learning curve with our business.”

Simrell says the first time around for his company included issues such as managers simply understanding the process of risk assessment, controls mapping, and testing and then documentation.

“It’s very easy to lose sight of the end objective and get sidetracked with peripheral issues,” he says. “Meeting the need to balance daily work load with 404 tasks can be challenging. Auditors proved to be of limited value in the initial exercise, because they weren’t a paid resource.”

Simrell’s advice to first-time filers is first to understand your business. “Educating staff about 404 requirements is a second-year issue, one we are just now experiencing,” he says. He adds that the first year at Primal Solutions involved a “substantial resource commitment … to get up to speed with the requirements and make sure we were compliant.”

“We were lucky that our operations are centralized and there were not a lot of competing projects that would have competed for our limited resources,” he says. “Going forward, we do not expect this to be a problem. We do expect a resource drain and significant additional costs when the outside auditors have to review our 404 efforts, so they can opine on this area in 2010 or later.”

Eliminating Busy Work With IT

One of the big complaints over the years for smaller companies has been the emphasis on general computer controls or IT audit reviews in less-complex environments. Such reviews, critics say, tend to prolong audits and drive up costs.

“Certainly with the SEC management guidance and the benefit of having learned from the mistakes of those before them, small first-time filers shouldn’t be all that terrified.”

— Chris Fox,

IT Expert,


Chris Fox, an IT audit expert with the consulting firm eDelta, says this doesn’t have to be the case. In fact, he adds, material risks are easier to identify at smaller businesses than at large ones, because larger companies typically have intricate networks of systems, processes, control environments, and organizational charts of process owners and management.

“I think everyone is still defining what a small business is, because, clearly, most of these businesses, when compared to companies in the rest of the world, are conglomerates,” says Fox. “But for compliance purposes, the level of documentation is going to be simple and the risks more clear. Certainly with the SEC management guidance and the benefit of having learned from the mistakes of those before them, small first-time filers shouldn’t be all that terrified.”

Fox, who is currently working on a project that maps the COSO internal control framework to various enterprise risk scenarios, says small companies have little need to test things that can’t be remedied because of sheer size.

“In some IT shops you’ve got one person manning a computer, and that person is maybe a sales person in his spare time,” he says. “The same goes for a programmer who is also a developer who is also a systems administrator. When you know that you aren’t going to pass muster with segregation of duties, it shouldn’t be a headache for you if you can demonstrate ways to mitigate clear risks.”

With lack of time to understand compliance requirements fully and limited internal resources to execute compliance, managers at small companies find themselves wearing many hats. And if it wasn’t for SOX, observers argue, there would be no need at many small businesses for internal control reviews by external auditors. Both audit firms and finance executives agree that testing of trial balances, rather than testing the controls around them, would be much more effective for small-cap and micro-cap businesses.

‘Work With What You Have’

With SOX here to stay, however, how do first-time filers integrate that sort of streamlined mentality?


Work with what you have, says Sai Huda, CEO of consulting firm CompliancePal. “A small company should formulate a SOX compliance team and leverage existing people, systems, and processes,” he says.

Given that no one-size-fits-all approach exists, there’s no need to apply methodology other than what works for a company’s specific risks, needs, industry, and strategic vision, Huda contends. “The penalties for non-compliance are too high a risk to not take this seriously and get it right the first time.”

As SOX is in its sixth year, experts continue to believe that despite ongoing challenges, compliance today is easier than in past years. Companies can consider many precedents and decide what works for them, so there’s no real excuse for procrastination.

“Don’t wait until the last minute,” Huda cautions. “SOX compliance will take more time than one would think, even for a small company and especially the first time.”

“Remember, there is a silver lining,” he adds. “If you do it right and do it smart, you will find cost savings and revenue enhancements through the compliance process, because the process will force you to assess risk and document and validate processes and internal controls, and within these walls lie hidden and untapped opportunities to make the business leaner, meaner, and more effective.”