If costs to comply with Section 404 of Sarbanes-Oxley are finally starting to decline because of relaxed standards and corporate adaptation to the rule after five years, Calvin Yu hasn’t noticed.

Yu, financial reporting manager for $1.4 million Cell Genesys in San Francisco, says that despite the advent of Auditing Standard No. 5 and a recent report suggesting that compliance costs for small public companies are falling, he isn’t holding his breath.

The study, titled “Sarbanes-Oxley Investment: A Section 404 Cost Study for Smaller Public Companies,” examines the compliance costs of 29 small public companies. It reaches the startling conclusion that the total average cost for complying with SOX amounts to $78,474—far lower than the millions larger companies spend, and lower even than the infamous original estimate from the Securities and Exchange Commission that SOX compliance would only cost about $91,000.

The report was published by the auditing firm Lord & Benoit, which specializes in working with small public companies. The report also states that the biotech industry in particular—Cell Genesys’ line of work—had the lowest average cost at $26,875.

Yu doesn’t buy it. His company spends as much as $80,000 per year for SOX readiness alone, he says, and he fiercely disagrees with the notion that compliance burdens are easing.

“Fluctuations in fiscal expenditures are open to interpretation, but I can say with certainty that the small guys are still doing much more than they should,” he says. “In a small operation like we have, when you look at cost versus benefit, the benefits aren’t that great whether costs are coming down or not.”

The SOX compliance burden for small companies is a point of considerable interest these days. Non-accelerated filers—that is, public companies with market capitalization below $75 million—must comply with Section 404 for the first time this year and make assessments of their internal controls over financial reporting. The SEC is debating whether to delay the second half of that law, requiring auditors to attest to those internal controls, for another year.

Yu contends that despite the perceived reduction in monetary cost overall, intangible costs such as time and effort to comply with Section 404 remain a major concern for smaller firms. Cell Genesys, for example, tests 50 to 60 key controls over 10 major processes used to capture trial balances for financial reporting. Yu works alone managing the controls, oversees third parties that help with internal audits, and works with the company’s external auditors as well.

The Burden of Being Small

For small companies with low market valuations, low revenue, and marginal profits, complying with Section 404 has long been a scary prospect. Even with the multiple extensions the SEC has granted to non-accelerated filers and the relaxed compliance rules and auditing standards it approved last year, small companies still have a steep hill in front of them, experts say.


“As far as compulsory compliance is concerned, we should be focusing on companies in the billions instead of those in the millions,” says Mitchell Mertz, a partner at the New York auditing firm Weiser. “If you have $270 million in market cap and less than $5 million in revenue then what? The force of costs, real and intangible, monetary and otherwise, is going to be a lot higher.”

Mertz and other auditors say that’s because many small businesses don’t have the resources to handle even the scaled-down provisions for the non-accelerated filer. Specifically, process documentation, controls testing, and monitoring can leave such businesses flummoxed, because they often can’t establish the necessary segregation of duties.

In one-man compliance shops such as Yu’s at Cell Genesys, for example, the person designing the controls is often the person testing them. Even with an independent internal auditor or an outsourced IA consultant on site, reasonable assurance of controls is often in question.

Jennifer Mieselman-Salzman, a managing partner at BDO Consulting, believes that regardless of any new findings or steps by regulators, costs for smaller businesses remain relatively high.

“A lot of surveys just don’t tell the whole story,” she says. “And if you look at the current SEC guidance, it still isn’t saying what controls to implement—so the onus is back on management, which in many cases doesn’t even have documented policies and procedures. This is especially true with small firms.”

Indeed, before many companies can even get started on testing, they must perform risk assessments, followed by an evaluation of entity level controls and then risk mapping and controls benchmarking.

“You got costs for risk-based financial statement audits, you also have costs for outsourcers and software because you don’t have the extensive internal staff that a large company has, and a consultant then has to come in and make sense of it all,” Mieselman-Salzman says. “It may be small business, but it’s no small job.”

Controlling Costs in the Future


A summary of the results from Lord & Benoit’s research is below.

1. The average cost of complying with Section 404(a) Management Assessment for non-accelerated filers was $53,724. Total costs of complying with Section 404(a) ranged from as low as $15,000 for a smaller software company to as high as $162,000. The initial prediction by the SEC was an average cost of $91,000 for public companies complying with Section 404(a).

2. The average projected cost of complying with Section 404(b) Auditor Attestations of ICFR for all of the non-accelerated filers was $24,750. The range of audit fee increases was as low as $7,517 and as high as $86,417.

3. A potential paradox in professional standards was noted while assembling this data. It appears that AICPA Auditing Standards (standards for non public companies) may require even greater attention to internal control attestation on an audit of the financial statement of a NON PUBLIC company than for an audit of a smaller PUBLIC company, due to delays in Section 404(b) to years ending after December 15, 2008 (and possibly 2009 should the SEC grant another extension).

4. The total average cost of complying with both SOX Section 404(a) and Section 404(b) amounted to $78,474. Costs were also broken down by industry and are presented later in this analysis. The results were consistent with expectations: companies with multiple in-scope locations with complex purchasing, inventory and IT systems in industries such as manufacturing and distribution incurred the highest compliance costs. Conversely, biotech companies in one location, with little revenue, few employees and no inventory had the lowest costs.


Lord & Benoit (Jan. 9, 2008.)

Despite persistent grumblings from the small-business sector, there is little doubt that SOX compliance costs for Corporate America as a whole are falling, mostly because companies and auditors are adjusting their testing processes. According to an Institute of Internal Auditors survey released in late 2007, 26 percent of 130 respondents said their total SOX costs were in the $1 million to $5 million range, down 40 percent from three years earlier. Cost ranges above and below those figures also decreased markedly.

One intriguing detail from the IIA report is that the number of respondents who cited costs in the $100,000 to $500,000 range more than doubled from fiscal 2004 to fiscal 2006. That’s the range most small businesses would be in, according to the IIA and other sources. Whether that surge is from smaller companies seeing their costs rise or larger companies seeing their costs fall isn’t entirely clear, but respondents who cited costs at $100,000 or below only increased from 17 percent to 18.6 percent.

Auditors say that preparedness will be the key to lowering costs in the future. “For companies that had already been diligent in identifying, documenting, and testing their internal controls over financial reporting, compliance with SOX may not have been as costly as compared to others that had lots of work to do in that area,” says Susan Lione, vice president of professional practices at IIA.

Results of a 2007 study by KPMG’s 404 Institute reveal that companies of all sizes can reduce costs by having a higher degree of centralized processing and automated, preventative controls rather than manual, detective controls.

The report also said cost savings can come from management taking a broader view of risk, based on transactional volume and materiality rather than trial balances. Refocusing internal audit departments on risk assessment rather than direct testing can also lighten the load, KPMG said.

Yu, of Cell Genesys, says all those notions are good, but difficult to implement at his small company. “When I did compliance work at Hewlett-Packard, something along the lines of streamlining controls and divvying up work would be much easier,” he says. “But we’re not HP, and I think that’s the whole point here.”