Growth Strategies

Internal Controls Flummox Small Companies

For their first year of Section 404 compliance, smaller companies were twice as likely to have ineffective controls as large ones, a study shows.
Sarah JohnsonSeptember 10, 2008

More than one-third of small, publicly traded companies reported they had ineffective internal controls this year, the first in which they had to comply with the controls provision of the Sarbanes-Oxley Act. Only half that many larger companies said the same about their first experience with Sarbox compliance, according to consultancy Lord & Benoit.

The firm reviewed the Section 404(a) assertions of 3,321 small companies whose fiscal years ended between last December and the end of January. They were the first of the so-called non-accelerated filers (companies with a public float below $75 million) required to say whether their internal controls were up to snuff, four years after the largest U.S. companies had to do so.

While 65 percent of the small companies reported that they did have effective controls, Lord & Benoit speculates that number would be lower had those reports been subject to auditor review.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Unlike the accelerated filers, smaller companies are not yet required to have their auditors opine on their internal-control reviews. The Securities and Exchange Commission has repeatedly delayed the auditor-attestation requirement for small companies after several years of confusion over how much 404 truly costs companies. Section 404(a) requires company management to assess the effectiveness of its internal controls over financial reporting, and 404(b) requires an auditor attestation on that assessment.

Earlier this year, the SEC extended the 404(b) deadline for smaller companies, which now must comply for fiscal years ending after December 15, 2009. The regulator is also working on a cost-benefit analysis of 404(b) implementation for smaller companies.

Lord & Benoit itself added to the debate over 404 costs when it came out with a study earlier this year claiming that 404(a) and 404(b) cost companies $53,724 and $24,750, respectively, in the first year of compliance. Many observers called those numbers unrealistic and said they were based on a sample with too few companies.

For its most recent report, the firm looked at thousands of companies’ financial data culled by research firm Audit Analytics and concluded that the SEC’s four-year reprieve for small businesses has had little affect on improving these companies’ internal controls or preparing them for making their assessments. “For some non-accelerated filers, the continuous delays appear to have emboldened them not to do any work at all in either coming to an understanding of what was required and/or satisfying any of the Section 404 requirements,” the report says.

Nearly 20 percent of the small companies did not comply with Sarbox, by either not filing a 404 report or failing to actually express an opinion about their internal controls, Lord & Benoit says.

If larger companies’ experience with 404 is any indication, improvements to smaller businesses’ internal controls will be made over time, Lord & Benoit suggests. Whereas about 17 percent of accelerated filers reported ineffective controls their first year of Sarbox compliance, only 10 percent had weak controls in the second year and 8.6 percent in the third.

The 575 smaller companies that reported ineffective controls gave a myriad of reasons for the material weaknesses, with problems with competency and tone at the top of the list (78 percent). Next came departures from generally accepted accounting principles (69 percent) and overreliance on external auditors, the latter contradicting Sarbox’s demand for auditor independence (33 percent).