Risk & Compliance

A Small Uproar over 404

Two CFOs sound off about the disconnect between the costs and benefits of complying with the internal-controls provision.
Marie LeoneMarch 17, 2006

For at least two years, CFOs have been complaining about the costs and labors of complying with Section 404 of the Sarbanes-Oxley Act. To date, however, only two have voiced their concerns in the form public comments related to the upcoming Securities and Exchange Commission roundtable on Sarbox’s internal-controls provision.

Yet their views about the schism between the costs and benefits of complying with the provision echo the views of a broad swath of their peers. Hailing from smaller companies, both of the finance chiefs who have posted views on the commission’s website think that 404 “continues to miss the boat,” in the words of Robert Gallagher.

In his comment letter Gallagher, the CFO of Stratasys Inc., a prototyping systems manufacturer that took in $83 million in revenue in 2005, stresses that the SEC and Public Company Accounting Oversight Board (PCAOB) should consider a more analytical approach to controls reviews of smaller companies. He’d like the regulators take business decisions—as well as the application of generally accepted accounting principles—into account when testing and reviewing internal controls.

In the letter, Gallagher asserts that auditors, focusing on the literal meaning of the rule because they fear being second guessed by regulators, can miss a company’s commitment to solid and transparent reporting. “Many small companies are spending enormous sums looking for signatures and it’s hard to convince auditors these signatures are not necessary,” says Gallagher, referring to the internal-controls certifications required by the act under Section 302 as well as 404. Although Sarbox “has a great intent” concerning internal controls, it’s poorly applied, he adds.

The notion that smaller companies are overburdened by Section 404 compliance will be a major topic of discussion at the SEC roundtable, which is slated for May 10. The provision requires companies to document and test internal controls each quarter and hire an independent auditor to certify the adequacy of the controls.

Hosted by the SEC and attended by the PCAOB, the roundtable will focus on companies’ second-year Section 404 compliance experiences. “The costs of complying with Section 404 [continue] to outweigh the benefits it creates,” complains John Nelson in a brief, but pointed, comment letter to the SEC. Nelson is CFO of Ames National Corp., a multi-bank holding company with $820 million in assets and a market capitalization under $750 million.

Like senior executives at many small companies, Nelson has found the hiring of auditors disproportionately time-consuming and expensive in light of the risks Ames faces. He says that Sarbox compliance has nearly doubled audit fees since 2003. For 2004, the latest year for which numbers are available, Ames’s audit and related fees totaled $187,000, a big jump from the $98,000 it paid out the year before.

The effects of rising fees caught the attention of the bank’s audit committee, and on February 8, Ames announced that it would dismiss its current independent auditor, McGladrey and Pullen LLP, and hire Clifton Gunderson LLP, a slightly smaller company. “We were happy with McGladrey,” asserts Nelson, but the decision to replace the auditor was, “entirely expense driven.”

To be sure, the audit committee of the Ames, Iowa-based holding company puts its independent auditing services out to bid every three years, says Nelson. This year, Clifton Gunderson returned the most competitive bid.

Despite cutting costs by hiring a different auditor, Nelson still believes that the level of involvement of external auditors currently required by Section 404 doesn’t gibe with the internal-control exposures at smaller companies.

Experts who have the SEC’s attention agree. In a February draft report on the subject, the SEC’s Advisory Committee on Smaller Public Companies noted that documentation, testing, and attestation “are of less certain value for smaller companies, who rely to a greater degree on ‘tone at the top’ and high-level monitoring controls, which may be undocumented and untested, to influence accurate financial reporting.”

The preliminary report also notes that the “cost/benefit equation that, many believe, diminishes shareholder value, makes smaller public companies less attractive as investment opportunities and impedes their ability to compete.” That’s particularly problematic because smaller public companies play a crucial role in job creation and economic growth, say the authors of the report, which is slated for final release on April 14.

In short, small companies operate differently than large ones do, the advisory committee concluded. Further, the authors of the draft report propose that the SEC set up different Section 404 compliance requirements according to company size.

Regardless of size, however, all companies should be required to maintain a system of internal controls that provides reasonable assurance that transactions are recorded in a way that makes conforming to GAAP possible, the committee contends. All companies should still be required to disclose modifications to internal controls and to certify such disclosures.

But smaller companies should be granted some relief, according to the report. For example, the committee would exempt microcap businesses—those with annual revenues less than $10 million—from most Section 404 requirements. And small-cap companies (under $250 million in annual revenues) could sidestep independent audits of internal controls tests.

Nelson likes the idea of setting up 404 compliance alternatives for smaller companies. But such changes, he contends, must go hand-in-hand with the proposals concerning PCAOB that are outlined in the report: if Sarbox 404 exemptions are approved, then the PCAOB would be required to develop new audit standards specifically for smaller public companies.

Those new standards should provide guidance for auditors on their clients’ design and implementation of internal controls, according to the report. But the PCAOB shouldn’t mandate a quarterly audit of controls testing, the authors contend.

In the meantime, more than 98 percent of public companies are “striving hard to provide accurate information, yet we are spending time on non-value-added items to comply” with Sarbox, according to Gallagher. And such efforts lead to a waste of shareholders’ money, the finance chief thinks.

4 Powerful Communication Strategies for Your Next Board Meeting