As a backdrop for Tom Cruise in Mission: Impossible III, satellite images of “enemy surveillance” and “global reconnaissance” are scattered about a dimly-lit, futuristic control room. The set may be a Hollywood fantasy, but the software generating the clandestine images is real, and supplied by defense contractor Analytical Graphics Inc. (AGI), a small ($250 million market capitalization) company based in Exton, Pa.
While Cruise’s character, Ethan Hunt, has his hands full dodging explosions and bullets, AGI’s chief financial officer William Broderick faces another impossible mission: going public under the burden of Section 404 of the Sarbanes-Oxley Act, the internal controls provision of the investor protection law.
At a Congressional hearing last week held by the House Committee on Small Business, Broderick testified that 404 compliance for small companies “has the effect of being penny-wise but pound-foolish,” because the current regulations lack reasonable cost-benefit analysis. Instead of being protected, investors are “significantly harmed” from a shareholder value perspective, said the CFO.
Using a back-of-the-envelope calculation, he figured that some 7,400 small companies would lose an aggregate $60 billion in equity valuation on a permanent basis by complying with 404 in its current form. He bases his numbers on a report issued in April by the Securities and Exchange Commission’s Advisory Committee on Smaller Public Companies.
In the report, the committee estimated that for companies with market caps between $75 million and $700 million, compliance with 404 averages $900,000 annually. Thus, as a percentage of revenue, the cost is 16 times greater for small companies than for larger ones (market caps between $1 billion and $4.9 billion). “Congress did the right thing [passing Sarbox], but they can’t bury their head in the sand when it comes to the unintended consequences,” Broderick told CFO.com in a separate interview. “They have to correct it.”
Hefty Sarbox compliance bills are the main reason AGI did not issue an initial public offering in 2004, says Broderick. Although the company was being pushed by a venture investor to go public, the management team decided it would have been the wrong move, given the additional cost and management time that would have been required on top of public company rigors, like attracting analysts and investors to the stock.
Because the investor was eager to cash out, AGI liquidated the venture company’s full stake in January 2005, for $28 million, which amounted to a 33 percent compounded annual return for the backer, a significant gain for the investor on its original $2.5-million outlay made in 1995. To buy out the investors, the once debt-free AGI had to take on $15 million in bank debt and use $13 million in cash.
The capital drain, says Broderick, makes investment in advanced research and development “difficult.” It also squelches other growth objectives, such as investments into sales and marketing and business development. Further, low cash reserves force the software maker to operate much more conservatively, a competitive disadvantage in the high-tech industry.
Broderick’s ideas for a Sarbox fix are simple, but controversial. Auditors and others who oppose a scaling back of Sarbox for small companies argue that if companies want to be in the public company game, they have to follow public company rules.
Comments like that are made in a vacuum, says Broderick, contending that the notion lacks common sense, fundamental cost-benefit analysis, and business judgment. “The big misperception,” contends Broderick, “is that small companies don’t have any controls, and that is just not the case.”
He believes that until companies hit a market cap of $500 million, they don’t have the “critical mass” to absorb full Sarbox costs. Those companies, Broderick says, should get an exemption from Sarbox until the rules are scaled back.
Large company CFOs have a similar view about 404 overkill. For example, in a letter to the SEC commenting on second-year Sarbox experiences, Mike Coke, finance chief of AMB Property Corp., suggests moving toward a Canadian model, which eliminates the need for a separate audit of internal controls by external auditors. External auditors would still be required to form an opinion on management’s assessment of controls, but the second controls audit would be dashed.
AMB is a real estate investment trust with a $4.5 billion market cap. By Coke’s lights, management’s assessments of the design and operating effectiveness of internal controls, and the audit committee’s oversight of the functions, meet the objectives of the law.
Other large company CFOs are fans of the Canadian model too, including CIT Group’s Joseph Leone. CIT has a market cap over $10 billion. In his comment letter to the SEC, Leone threw support behind using risk-based concepts to determine the scope of controls testing. In that way, a strong controls environment — one with best-in-class governance practices, codes of conduct, anti-fraud programs, and internal audit functions — would require less process-level testing than those with weak programs.
Among other changes, Leone also promotes replacing the “as-of date” requirement of the attestation with a “for-the-period-ended” requirement because internal controls should be functioning continuously, and “auditing to a specific date has created a logjam of work to provide comfort over the effectiveness of internal control as close as possible to the ‘as-of’ date.”
Along with supporting his colleague’s positions, Brian Ferguson, finance chief of Calgary’s Encana Corp., would like to see “rotational testing” of controls. The concept is to require only periodic testing, possibly every three years, for medium- and low-risk controls that don’t have a track record of problems. The oil and gas company with the $44 billion market cap is listed on the New York Stock Exchange.
The risk-based approach and the elimination of auditor attestations are also cited in William Sheridan’s comment letter. Sheridan is the CFO of Sotheby’s Holdings, the $2-billion (market cap) auction house company. He also prescribes rescinding the auditor walkthrough requirement because it’s “duplicative.” The rule mandates that external accountants examine systems and processes that may not be “key,” as defined by management. According to Sheridan, less critical controls are already tested by management as part of the key controls assessment.
In line with the recommendations of other financial executives, Stephen Dickins, controller and chief accounting officer of Media General Inc., also calls for “additional clarity on materiality thresholds.” Specifically, he urges the Public Company Accounting Oversight Board to provide guidance for what constitutes a significant deficiency and a material weakness, rather than continue to rely on the “rule of thumb” percentage of net income limits that are now used, notes his comment letter about second-year experiences.
Dickins writes that external auditors usually apply the 1 percent and 5 percent net income thresholds to significant deficiencies and material weaknesses, respectively. Given the large degree of subjectivity around controls exception evaluations, such thresholds “unfairly and severely penalize companies in low net income or negative net income situations.”
In addition to using a risk approach to determine the scope of a controls audit, Michael Keane, CFO of Computer Sciences Corp., contends that a materiality measure may be another way to achieve controls testing efficiencies. In his comment letter, submitted with CSC’s Corporate Vice President Leon Level, the executives suggest allowing “tolerable errors” that represent 5 percent of before-tax earnings, rather than the more aggressive 2 percent to 2.5 percent thresholds currently used by auditors. Tolerable errors are self-correcting or ones that don’t reoccur.
Keane also notes that using SAS 70’s “baselining” approach to test information technology controls would improve 404 efficiency. Essentially, once satisfactorily tested, companies would only have to test IT system changes.
Further, Keane asserts that an undocumented process should not automatically classify attendant controls as ineffective, as is the common practice among auditors. In certain cases, the results of a test should be enough to determine whether a control is effective.