More grist for smaller reporting companies unhappy with their compliance burdens: Although companies of all sizes continue to invest in Sarbanes-Oxley compliance, smaller companies still report less benefit from the effort.

Recent survey results released by Protiviti showed 58 percent of companies reporting increased audit fees, and 45 percent planning moderate to significant automation upgrades in relation to SOX. Only 52 percent of small companies, however, reported moderate to significant improvements in their financial reporting structure since implementing SOX, compared to 70 percent of larger businesses.

“The whole Sarbanes-Oxley compliance exercise is annoying and a very big expense,” says Adam Remis, CFO of InnSuites Hospitality Trust, a real estate trust for hotel properties decidedly in the small-cap range. Remis believes the emphasis on control testing and risk-rating under SOX is a return to practices that were more prevalent when he began his career 20 years ago and had slipped over the years. At the same time, he says, smaller companies do have special cost considerations, since auditors rely less on internal controls.

Chris Jeffrey, a partner at Baker Tilly who works on internal auditing engagements for corporate clients, says he has seen a sharp increase in the number of companies that need to be SOX compliant, driven by M&A activity and more companies looking to become foreign private issuers.

Yes, he says, small filers also take advantage of the exemption from Section 404(b) of SOX allowed under the Dodd-Frank Act. “On the flipside,” he says, “we are still seeing where many of their external auditors want to get an understanding of, and have some say on, what their internal controls framework looks like.” That means the need to design, implement, test, and document internal controls remains important for smaller public companies, even without the SOX 404(b) requirement.

“Because smaller companies have fewer controls, you would say those types of controls are more important, so the impact of the PCAOB is proportionately greater on smaller public companies.”
Les Sussman, Senior Practice Director, Resources Global Professionals

Les Sussman, a senior practice director at Resources Global Professionals, frames the situation of smaller companies this way: Given the smaller size of their business, the CFO tends to know most of what’s going on. That means an outsized reliance on management review controls: reviewing gross margin on a quarterly basis, for example, and investigating variances above a certain amount. The burden of documentation and testing at smaller companies lies on the controller or CFO, where larger companies may have a project management office or SOX compliance group.

The Public Company Accounting Oversight Board, Sussman says, wants to ensure that relying on such internal controls is feasible. “The PCAOB was hammering at: We understand why a company would rely on those controls, but is there enough evidence, and at a sufficient level of precision?” Sussman said. “What questions are the auditors asking, what answers did they get, how did they follow up on exceptions?”

Jeffrey concurs with Sussman on the effect of the PCAOB. “I will say SOX compliance has gotten more challenging in the past two years, mainly because of some comments the PCAOB has made related to some of their inspections done with some of the external audit firms,” he says.

He agrees that the PCAOB has called for “more rigor” around controls testing. “If management is interested in having their external audit firm rely upon the work of internal audit or management, then management has to go through those same rigorous steps,” he says.

Enter COSO Implementation

The general consensus in the Protiviti report (and among those interviewed) was that implementation of the new COSO 2013 framework “wasn’t as big a deal as companies were fearing when it first came out,” Sussman says. He notes the new framework’s explicit requirement to comply with 17 principles requires a more robust approach, and somewhat less flexibility, to prove a company has addressed all five components of internal control.

The table below from Protiviti asked respondents to answer: “How has internal control over financial reporting structure changed since Sarbanes-Oxley Section 404(b) was required for your organization?”

Source: Protiviti.

Remis recounts that COSO adoption at InnSuites “wasn’t as bad as some feared.” He estimates that his team needed about 120 hours to understand how to implement COSO 2013, and another 120 hours to map its control principles to InnSuites’ existing controls matrix. Actual implementation took much less time once the initial groundwork was done.

“We had enough controls covering all the bases from a SOX perspective,” he says. “The new COSO did not require adding any controls and didn’t have a big impact.”

The updated COSO framework does focus more on third-party service providers and the need to obtain Service Organization Control (SOC) reports. That can be significant for smaller companies, Sussman says, since they tend to rely more on third-party service providers and may run more of their accounting systems in the cloud. “If they don’t get those SOC reports, they’re in a world of hurt,” he quips.

Without a SOC report for appropriate third parties, a company will need to demonstrate explicitly that it has the requisite controls. Sussman cautions companies to pay attention to obtaining SOC reports, and the timing of those reports, as part of due diligence when signing or renewing contracts with service providers.

One persistent, and difficult, question for smaller companies is whether to invest in new software to help manage SOX compliance costs.

Susan Parcells, director of finance transformation at BlackLine Systems, says she sees companies “biting the bullet” to invest in compliance solutions that also help contain increases in audit fees. “They’d rather have a robust compliance platform, ensuring they have good risk analysis, risk mitigation, and strong preventative controls as that would benefit the organization in more ways than one.”

On the other hand are executives like Remis. He notes that earlier in his career as a consultant, “We used Excel and plowed through it, company after company; you don’t necessarily need to buy proprietary software.” He currently uses Word and Excel to manage and document controls.

That “if it ain’t broke, don’t fix it” dynamic can still be a powerful one for smaller companies: If the auditors are happy and the systems work, changing the status quo can be hard to justify to your board.

Sussman says benefits can be found not just by automating the controls process, but also the compliance process—that is, the underlying documentation, which can sometimes even provide limited, password-protected access to the auditors.

Cost is always an issue for smaller companies, Sussman says, and if a company has gone public more recently, odds are that the business has established a more automated accounting and control environment than an older small company. “If the auditors are happy,” with the status quo, he says, smaller companies will ask “why incur the expense” of automating manual systems that work.

Jeffrey advises companies embarking on SOX to start the process “plenty early” and make sure they understand what their key processes, key accounts, and key controls actually are. For companies already in the SOX compliance groove, Jeffrey stresses having touch points throughout the year, treating it as a year-long process, not just a year-end exercise.