Print this article | Return to Article | Return to CFO.com
A recent study on the costs of Section 404 compliance for small companies was woefully understated, observers agree.
Alix Stuart, CFO.com | US
January 29, 2008
How much will complying with Sarbanes-Oxley Section 404 cost small companies when the regulatory burden fully descends upon them? A recent study estimating that figure has sparked heated debate. As CFO.com reported, Worcester, MA-based accounting firm Lord & Benoit put the average total cost of compliance, including management assessment of controls and audit fees, at $78,457, based on a study of 29 small companies where management had already completed their reports on controls.
Finance executives, however, say they expect the price tag to be far higher.
"When we aggregate [the cost of] our own time, the hiring of additional staff and the internal auditor's cost, it will be probably three times that number," says George Aronson, vice president of finance and accounting for P&F Industries. The company is now paying an internal auditor a six-figure salary plus benefits to shoulder the burdens of Sarbox compliance, he added, noting that that's cheaper than the expense of signing up consultants to do the job.
P&F, a $112 million manufacturer and importer of tools and hardware with a market cap of $28.7 million, falls into the Securities and Exchange Commission's non-accelerated filer category (companies with $75 million or less of market cap) and as such, has not yet had to have its controls formally audited. Last year, however, the company began internal efforts to comply with 404, including documenting its controls and having management assess them. That process alone led to the hiring of a new internal auditor.
Currently, the SEC requires non-accelerated filers to file the management report on internal controls, but does not yet require the auditor’s assessment. When the audit becomes mandatory — which won’t be until 2009 if SEC chairman Christopher Cox is able to clinch a one-year delay he is proposing to the other SEC commissioners — Aronson expects that his audit fees will rise by at least $75, 000, putting his 404 price tag way over the recent estimate.
Consultants agree that the number seems too low. John Gailey, an IT auditor who has consulted with six small and micro-cap companies on 404 compliance, says costs at those companies have ranged from $140,000 to $235,000 for IT preparations alone. Internal IT staffs are usually small and overworked, and rarely have formalized controls or testing procedures in place.
Lord & Benoit stands by its estimate, however. In a letter to CFO.com, president and director of SOX research Bob Benoit said companies could easily see lower fees if they follow the new SEC interpretive guidance on management’s report on internal controls and the COSO Guidance for Smaller Public Companies, both of which say executives can take a "risk-based" approach when assessing controls, rather than probing each one in detail.
"Following the new guidance was a very important part of the study," Benoit writes. Accountants and IT specialists "who continue to approach SOX as it was established four years ago are not approaching it efficiently" and hence won't offer prices within the range of his report.
The 404 audit should add only an average $24,750, according to the Lord & Benoit study. That estimate is derived in part from a study that AuditAnalyticsperformed last year. The earlier study compared audit fee increases at 404 filers to those at non-404 filers and found that 404 audits added an average 27 percent to the bill of smaller companies (those with public floats between $75 million and $700 million).
Benoit's report predicts further cost containment as Audit Standard 5, a new rule that essentially allows auditors to take a risk-based approach, takes effect this year.
Again, though, folks in the field aren't so sure. Aronson says his audit firm, Grant Thornton, has said AS5 may shave 10 to 15 percent off the cost of an audit at most. And AS 5 may not make a difference at all for some. "Most, if not all" of the software systems at small cap companies are related to expense or revenue data, making them a "high or moderate risk to financial reporting," says Gailey.
So who’s right? Only time will tell. But as the SEC and Cox are considering whether the audit costs associated with 404 merit delaying the compliance deadline until 2009, more groups will surely be crunching the numbers. As they do, finance executives at small companies would do well to get a jump on the process, if for no other reason than to weigh in on the costs. "Most small companies don’t realize the volume of work that needs to be done," says Aronson. "If they haven’t started they're in trouble."