Risk & Compliance

Smaller than a Sarbox?

Finance executives at small public issuers contend that the current broad-brush approach to Section 404 compliance isn't fair to their companies. B...
David KatzMarch 24, 2005

Sometimes the difference between a big company and a small one can be revealed in the simplest of acts, like writing a check.

Take Socket Communications, a publicly traded company that took in $26 million in revenues last year. At Socket, management has an uncomplicated way to make sure its payouts are on the up and up: Every single check the company doles out is signed by hand by one of the top four executives.

In so doing, each executive authorizes the disbursement and must verify its details. In a large company, of course, many other people would be involved in the signing, verifying, and authorizing — inevitably making for a much more complex process.

Despite such hefty differences, however, practically all companies must cling to the same set of rules. Under Section 404 of the Sarbanes-Oxley Act governing internal controls over financial reporting, companies like Socket and Fortune 500 organizations both operate within the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) — the widely accepted corporate standard for complying with the internal-controls provision of Sarbox.

Like their peers at more sizable corporations, small-company executives must also help their auditors adhere to Standard 2 of the Public Company Accounting Oversight Board (PCAOB). That’s the requirement under Sarbox 404 that external auditors must attest to and report on their clients’ assessment of internal controls.

Socket’s managers thus felt compelled to test a large sample of the company’s payout, just as a big company would. “We were comfortable that every one of our disbursements was properly authorized,” says David Dunlap, CFO of Newark, California-based Socket, which provides products that connect handheld and notebook computers to the Internet. “But under COSO, we had to do a sample of 50 to 60 cash disbursements to verify, and our auditors had to pull another sample.”

Indeed, Sarbox’s “one size fits all” internal-controls approach has rankled many small-company managers during the run-up to compliance that began last year. Much of their ire springs from the high cost of complying, which arguably falls more heavily on companies with fewer resources to support it. Calculated as a percentage of revenue, Sarbox 404 expenses are “far greater” for smaller companies than they are for larger ones, according to a scathing report issued last month by the American Electronics Association.

The AEA called the costs a “major regressive tax on small and medium companies.” Citing percentages based partly on data from Financial Executives International, the association found that a company with more than $5 billion in revenue could expect 404 costs to run at about 0.06 percent of sales, while a company garnering less than $100 million could see costs running at about 2.55 percent of sales.

Another irritation: Internal-controls guidelines don’t take into account the unique woes that small companies face in complying with the rules. The simple lack of people can be a liability, for example. “It can be more difficult to achieve a proper segmentation of duties because of limited staff,” says Miles Everson, a partner at PricewaterhouseCoopers and the head of a COSO task force working on a document advising small companies on internal-controls compliance requirements. Executives and managers at small companies “have multiple roles and responsibilities, so you have a high dependence on people doing the right thing,” he says.

The guidelines also don’t take into account the few compliance advantages that small companies enjoy. Executives at those companies are closer to day-to-day transactions than their peers at bigger companies, but smaller corporations “get no recognition in the standards for auditors” for their inner transparency, says Dunlap.

Size Matters

Regulators and standard-setters, however, have begun to hearken to such gripes. Besides the COSO small-business project, the Securities and Exchange Commission late last year set up an Advisory Committee on Smaller Public Companies to focus on internal-controls frameworks and assessment methods, among other issues.

What’s more, earlier this month the SEC took pity on extra-small issuers. The commission provided “non-accelerated filers” — generally, companies with a public float of less than $75 million — with a one-year extension to comply with 404. Last November, the SEC also gave issuers with between $75 million and $700 million in public float some breathing room. In addition to the usual 75 days after fiscal year-end in which they must file their 10-K, those companies received a one-time extension of 45 days to come up with the management report on internal controls.

By giving diminutive issuers the chance to do more work in-house, the commission might have saved them cash when it put off the deadlines. While the three-person compliance task force at non-accelerated filer Sonic Foundry doesn’t intend to stint on its efforts, the one-year delay enabled the company to hold off on hiring a consultant, says chief financial officer Kenneth Minor. That, he says, would greatly cut Sonic Foundry’s $75,000 to $100,000 internal-controls compliance bill — a not insubstantial consideration for a company that spent just $60,000 on its routine annual financial audit.

While the deadline extensions are being welcomed by top executives at smaller companies, though, they say that guidelines must also be trimmed down to fit the needs of their organizations. The checking done on the various stages of a transaction could be scaled down by removing some compliance steps, according to Anthony Abbate, president and chief executive officer of Interchange Financial Services Corp., a single-bank holding company with $77 million in revenues. For a transaction that must be evaluated at each of eight different steps, for instance, “if you check at the first and fourth and eighth, you don’t have to check in between,” he suggests.

Another possibility is to free small companies of the requirement that their auditors must attest to their clients’ internal-controls reports. Socket Communications’ Dunlap favors going back to the pre-Sarbox system for companies of his size. In those good old days, he notes, auditors reviewed internal accounting controls as part of their routine financial reporting and didn’t have to report separately on them.

Under the current system, however, Socket’s managers “had to document, in great detail, narrative walk-throughs” of company audit tests to make its internal controls intelligible should the company someday change auditors, the CFO says, adding that the small companies’ processes are too slim to justify such effort and cost. Of the $250,000 the company shelled out for 404 compliance, $160,000 went to Jefferson Wells, the consulting firm that helped the company with internal-audit tasks — nearly twice the $90,000 Socket paid to its auditor, Moss Adams.

The case can be made, of course, that when it comes to Section 404, large and small companies should be handled the same way. Internal-controls mishaps at small issuers can hurt their shareholders and businesses as much as errors at big companies — sometimes more.

The consequences of a major reporting error based on a controls glitch at a fast-growing company like Sonic Foundry can be huge, for example, even though it’s small enough to have just 50 employees. Sonic, which focuses on selling a single, high-end product (a device for recording presentations live on the Internet that goes for $20,000 a pop), has seen its revenues mount from $1.3 million in 2003 to $4.4 million in 2004 and now projects $10 million for this year. “We’re growing quickly, and we’re excited about that, but a material misstatement could have an effect on suppliers’ and potential shareholders’ [opinions] about where we’re going,” says finance chief Minor. Perhaps more important, he notes, the customers of its costly products could be deterred.

Small Is Complex

If regulators do begin to treat companies differently, based on size, that begs for one consistent definition of the word “small.” To many, the most useful gauge is revenue. The AEA, for instance, contends that 404 requirements should be temporarily suspended for public companies that reported revenue of less than $1 billion in their last annual SEC filing. (The suspension, according to AEA, should last until the PCAOB provides small and midsized companies with enough “appropriate and specific guidance” to drop compliance costs to $91,000 per company — the cost estimated by the SEC in June 2003, when it implemented the 404 rules.)

The association noted that its research found that above the $1 billion mark, the annual cost of 404 compliance falls below 0.2 percent of revenue. Though the cost is high at that level, according to AEA, it doesn’t “fundamentally affect a company’s strategic investments and employee benefits.”

Few, though, would agree that a company with $1 billion in revenues is small. In spelling out the scope of COSO’s new internal-controls project, Larry Rittenberg, the committee’s chair and a University of Wisconsin accounting professor, uses a more typical figure. Rittenberg points out that about 5,000 of the SEC’s 9,000 business registrants have annual sales of less than $200 million. Such companies need special guidance in how to evaluate their controls, he said in a press release announcing the project.

But factors other than size, whether measured in revenues, market cap, assets, or number of employees, could also be used. Complexity — in terms of a company’s products, distribution network, or financial strategies — can be a strong indicator of a company’s internal controls needs, according to PwC’s Everson.

For instance, a company that deals in intricate financial instruments such as derivatives probably would require more extensive controls, he says. Geography could suggest another cutoff point: A company that distributes in one small part of the United States, for example, is likely to require a lot less in the way of controls than one that distributes in 20 countries.

The most commonly proposed differentiator, however, is simply the number of people available to do the job. Being short-staffed in finance and accounting can have compliance implications for both good and ill. At Safety Components International, a Greenville, South Carolina, maker of fabrics for automobile airbags, executives had to improvise a compliance team on the fly in the run-up to 404’s deadline. “As a smaller company, we don’t have an internal-audit function,” says controller William Nelli. “In a larger company, that’s where a majority of the work comes from.”

To cope with the many challenges that Safety Components faced in getting up to snuff with Sarbox 404, Nelli put together what amounted to a rolling, part-time compliance squad. He feels lucky that he and the two other members of his finance team were experienced in internal auditing and control. But he also had to draw on people to manage and direct the work coming from the finance operations of the company’s two operating locations in North America (in Greenville and San Diego) and three in Europe (in Germany, the Czech Republic, and Romania).

The ramp-up to full compliance has taken a considerable toll on the company. “This is not a project you do for two or three months, and then it goes away,” says Nelli. “This is a non-stop project that began in March [2004]” and continued through the end of the company’s fiscal year in December. All told, Nelli, his two accounting managers on the corporate finance team, and three accounting managers from their operating units worked nearly 5,000 hours on the project.

The work ended up “taking away valuable resources from day-to-day operations to do compliance work for what’s basically a government report,” complains Nelli, who acknowledges that “in terms of investor confidence, there is great value” to the requirements.

Nevertheless, help may be on the way from Congress as well as from rulemakers. Sen. Richard Shelby (R-Ala.), chairman of the Senate Banking Committee, recently told The New York Times that he was aware of criticism that Sarbox been expensive, particularly for small businesses, and that he intends to hold hearings this year to find out whether legislative or regulatory fixes are needed in some provisions.

Small and midsized companies could aid their cause considerably by demonstrating the virtues of their own, home-grown ways of complying with Sarbox 404. At such companies, the chief executive officer and the board are likely to have a more comprehensive view of the company and better knowledge of its customers than their peers at bigger corporations do, thinks Everson. “From order backlog to shipping forecasts to actual shipping to receivables, it’s possible for management to have a full line of sight,” he adds.