SOX and Small Company Exemption 1490
John_Maleckar_CPA last edited by
Also, from today’s WSJ article in re SOx costs dropping in 2005…
The SEC’s advisory panel has proposed exempting the smallest public companies from the rules entirely, while saying slightly larger public companies should have to attest to having such systems in place but not be required to have an auditor sign off on them. The advisory panel is comprised of private-sector representatives.
Four of the SEC’s five commissioners, including Chairman Christopher Cox, have indicated they would oppose a wholesale exemption from internal-controls rules. In letters sent to the SEC about the proposed rule changes, small companies have said the current requirements provide little benefit to shareholders.
The small public company advisory committee met last week in a tel. conf. to discuss tomorrows proposal to the Commission. Maybe it was me, but it seemed like they were more interested in confirming the time that their group photo was going to be taken before the meeting tomorrow.
And, with some amount of schadenfreude, I read in today’s NY Times that, as it turns out, one of the co-chairs of the committee is on the Board of a public company:
The committee has been led by Mr. Wander, a Chicago lawyer who is one of the more vocal critics of the law’s impact on small companies. For about 30 years he has served as a director of Telephone and Data Systems Inc., the parent company of U.S. Cellular, and for a shorter period he was on its board’s four-member audit committee. Even if the changes were adopted, however, T.D.S. itself is large enough that it would continue to be subject to the full Sarbanes-Oxley rules.
Still, it was the latest bit of bad news from the company when it disclosed last week that it had received a delisting notice from the New York Stock Exchange, where its debt trades. It has also said that it has not complied with the rules of the American Stock Exchange, where its stock trades. And it has said it is unable to file an annual report until it straightens out its books and financial controls.
As you know, SOx compliance begins with the tone at the top.
Maybe it was me, but it seemed like they were more interested in confirming the time that their group photo was going to be taken before the meeting tomorrow.
lol – Now we know what takes precedence
More seriously, maybe the solution for smaller companies would be to create a ‘SOX Lite’ standard. Here you would use the 80/20 rule to get the best benefits out of SOX without having to go the extra miles in testing, sampling, and other requirements. The SEC could recommend some of the most important elements of control without making the process burdensome for smaller companies. Certainly 302 controls should be there, a lighter version of 404, and maybe not all the rigorous sampling and testing of financial controls. There are benefits to the process and as you recently shared even the government is looking at partial 404 standards themselves.
John_Maleckar_CPA last edited by
I think that former Chairman Donaldson’s intent was to have the committee propose a SOx-lite, as you suggest, Harry. Why pack the committee with small-company types otherwise?
However, I am not convinced that SOx is all that complicated, anyway, for a small company.
However, I am not convinced that SOx is all that complicated, anyway, for a small company.
Agreed - Misinterpretations and improper application of the regulatory requirements are what’s making this burdensome in many companies.
milan last edited by
All,%0AThanks for the feedback. I was having technical issues this morning and offline almost all day so the timely info really helped.%0AAfter I finally got online…%0AAn SEC Meeting is scheduled for 10a tomorrow. The Meeting will be audio Webcast on the Commission’s Website:%0Asec.gov%0AThe Final Report Discussion Draft is below:%0Asec.gov/info/smallbus/acspc/acspc-finalreport_discdraft_041806.pdf In short, The Securities and Exchange Commission Advisory Committee on Smaller Public Companies (Committee) proposes classifying companies as follows:%0A1. Microcap companies: referring to public companies with equity capitalizations of approximately USD128 million or less. (1% of Total US Market Equity Capitalization)%0A2. Smallcap companies: public companies with equity capitalizations of approximately USD128 million to USD787 million. (5% of Total US Market Equity Capitalization)%0ASmaller public companies: public companies with equity capitalizations of approximately USD787 million and less, which includes BOTH microcap and smallcap companies. (6% of Total US Market Equity Capitalization)%0AKey Points:%0AThe Committee is proposing that the SEC consider all companies comprising the lowest 6% (-and-lt;USD787 million market capitalization) to be considered for scaled or proportional regulation.%0AThe Committee will ask that the SEC consider providing immediate exemptive relief from the Section 404 requirements of the Sarbanes-Oxley Act to smallcap companies with less than USD250 million in annual revenues.%0AThus, the Committee is pushing for relief to the lowest 6% (-and-lt;USD787 million market capitalization) first and adopting the scaled or Proportional Regulation for Smaller Public Companies. This seems to provide the greatest regulatory relief with minimal risk to investors.%0AThere is alot more on the discussion agenda, but the above are some key points. The Final Discussion Document is about 151 pages.%0AMilan
I think that such a subjective law as SOX can fit in the same way in a large company than in a small company. And the worse interpretations of the law are been made by auditors. The Advisory Committee of Small Public Companies have done a good job, although the ‘financial community think tank’ is not going to let the recommendations go forward. How can you apply an adequate segregation of duties when you have few resources?. Can anyone exply me with understandable words how to apply the ‘top-down’ risk approach in control testing?. I’ve been coordinating the SOX implementation since October 2004 and by now were going to start control testing. My forecast is that it is going to take us at least 7 months to develop the control testing (3 persons involved). I don’t think it is reasonable. The main problem is the use of the company’s work by auditors. I think they must be oblied to express an opinion about how the company has developed the assessment and not letting them to test and conclude with the base of such a subjective law.
I hope SEC (which is supposed to discuss ACSPC recommendations in May) will give significant weigh to the proposed recommendations. If not I will think that is all a question of money.
A small FPI soxer
And the worse interpretations of the law are been made by auditors … %0AThat was an excellent post and the subjectivity of SOX guidelines are a key issue … As a starting point, I have the upmost respect for audit professionals. However, when one audit firm interprets SOX compliancy far more strictly differently than another that’s where some of our issues lie. With SOX compliancy being subject to interpretation, one firm could have significantly more work than another similar one, just because of the external audit firm that’s guiding them. %0AI think the audit firms mean well, but SOX compliancy needs to be more of a science than an art. Maybe even clearer guidelines are needed, so that if any 2 audit firms were to guide their customers, they would not arrive a vastly different solutions. Both audit firms may mean well, and it’s almost analogous to the strict or easy teachers we had in college for the same course. %0AFor example, one company I worked with in the past required you to physically print everything, wasting tons of paper – even though we had the identical information and printouts in electronic formats. The reason for printing was to ensure no one forged the information (even though there was both timestamp information and security controls in place). Nevertheless, I did what I had to do in these circumstances :(%0AIt’s not just audit alone, as we also wrestle with what qualifies as a financial system, how to sample, and other things subject to interpretation. It’s always best to err on the side of doing more to achieve compliancy, than skipping gray areas. We may need better working models from the SOX regulators that more clearly define the situations we see in the ‘real world’ (e.g., what constitutes a financial system, how/when to sample, etc).%0AI agree with John’s earlier point that SOX compliancy could work for smaller companies. Still if horror stories circulate and it adds a 10-20% overhead on small businesses, I’d also be resistant myself.
SP last edited by
The final recommendation was given yesterday.
I agree with harrywaldron. A lot depends on the audit firms. While a lot of my colleagues didnot like SOX work, I had no problems with it, until…I joined a company as the Compliance Manager recently.
I have previously worked on SOX for a bigger company, with PwC as auditors, as a consultant from management side. Then I briefly worked with PwC as an auditor involved in integrated audits. All along, I had no problems with the SOX work. But, for my current company, we have KPMG as auditors, and they demand way too much details in our documentation. This is the second year, and they had assessed a significant deficiency for us in the first year. I had shared my documentation with some of my colleagues in bigger companies who have much more general documentation, and their auditors are fine with it.
I realized that it is the auditors’ attitude which has made people think that SOX is horrible. Ours is a Smallcap company, and I am waiting for the recommendations of the SEC Committee to be implementd.
A lot depends on the audit firms …
I’ll share from a business perspective some ideas that might help:
- First, ensure Internal Audit (IA) is fully trained on SOX. It’s worth the investment in training, as too much or too little controls are VERY costly to the company.
- Get IA’s blessings on every aspect of meeting SOX compliance. Invite them to the ‘take off’ rather than ‘crash landing’. As an IT professional, I always have a great partnership with IA. You’re far better served to have them as a friend, rather than advisary.
- Have IA work with External Audit (EA) on SOX compliancy. They normally will anyway as the key contact point during engagements.
- If the EA sends incompenent or untrained auditors in, then work with the IA team to constructively advise them. If IA also feels the EA audit team is sending incompotent auditors to service the firm. They can give feedback to the EA management and even request new auditors. This tactic should only be used when EA team members are incompotent, and shouldn’t be to debate issues that need to be worked out.
- EA is there to provide a service for your organization – not to mandate how you do business or apply controls. Certainly, they will point out weaknesses and have a job to do in assessing controls. You don’t want a ‘yes person’ as you want these professionals to find weaknesses that you can turn into strengths. However, if one EA firm is not meeting the needs properly than it might be benefical to suggest to IA to change firms. Cheapest is not always ‘least expensive’ because if an EA firm mandates too much control that is not needed – it’s VERY costly to your business.
Im my 34 years of IT experience, I’ve worked with all firms (including all the named organizations above). I’ve seen mostly great individuals in EA firms . Most are reasonable, very knowledgeable, and add value to the business
Still like most of you have shared, I’ve seen a few that want to score points or they are too meticulus and won’t apply ‘common sense to the issue’. We’re all human, so that’s a factor.
ceocomp last edited by
The major objection to Sarbanes Oxley seems to be that it is a one size fits all solution to the criminality of a relatively small percentage of ethics deficient individuals sensationalized by the Enron, World Comm and Arthur Andersen scandals and the general dot com boom and bust of the late 90s. %0AArbitrary controls aimed at the few and applied to the many carry with them a certain amount of injustice and to that degree are usually counter-productive.%0A %0ABut what if it is simply another planned control mechanism aimed at reigning in American Free Enterprise? If this is the case, what are the chances that the Securities and Exchange Commission or the growing number of regulatory agencies including the relatively new Public Company Accounting Board will support efforts to make the law less burdensome for smaller public companies? Apparently four of the five SEC commissioners, including Chairman Christopher Cox, have said they oppose the idea of an audit exemption for smaller companies and would prefer to revise the requirement to make it less costly for all companies. In other words keep the control mechanism but somehow make it less burdensome for smaller companies perhaps until the time when controversy lessens and the control mechanism can be ratcheted to the appropriate optimum notch. %0AThe stock market is a game where for every winner there is a loser. So who received the trillions of dollars in transferred wealth in the crash of 2000? Certainly not the small investors or their self-directed retirement plans. The global elite financial interests pay their fines, build the cost into their numbers and carry on with the game. For example, according to MSNBC News, J.P. Morgan Chase, on 21 April 2006, agreed to pay USD425 million to settle civil charges for IPO fraud and convincing plaintiffs to purchase stocks at inflated prices during the stock market manipulation of the late 90s. JPM stock decreased 14 cents or .33 % on the day the settlement was announced but easily maintained its six month strong uptrend in stock price. Their latest reported profits 9.23 billion on sales of 84.4 billion. JPM profits were more than 9 times the announced settlement amount. According to Bloomberg News, a JP Morgan spokesperson, referring to the settlement, stated It would have no material adverse effect on our financial results . %0AIronically, the JPM settlement and the recommendations to the SEC on easing the SOX burden for small business occurred on the same day. OK, maybe it is not irony, maybe it is arrogance. %0ABut in any event, to survive at all in business, one should understand the rules of the game even if they are rigged in favor of the ethics challenged parasites among us. Anyone employed in a public company cannot help but be the effect of legislation such as Sarbanes Oxley unless the act itself is read and understood. But this poses a problem. Most legislative acts are made complex enough to give a statue a headache. Simplifying the act would seem to be a good idea. %0AThe least one can do is study and know the rules. Any public company of whatever size should treat Sarbanes Oxley as an opportunity to refine and improve internal financial controls and processes. You may find, as many companies have, that you will have better, more effective and timelier financial information with which to expand your business.
The least one can do is study and know the rules. Any public company of whatever size should treat Sarbanes Oxley as an opportunity to refine and improve internal financial controls and processes.
Why the Canadian regulators have decided to stop the SOX process?. I don’t think that they haven’t read the USA SOX rules. In fact I think that they realize that the SOX was a complete mess of internal control recipes. This extraordinary forum would not even exist if the SOX rules were a little bit comprenhensive. I worked for a Big-Four for nearly five years. Now i’m in charge of the internal audit departament of a SOX-scope Group of companies. I’ve read a lot about SOX (nearly two hours per day for the last 2 years), and as a consequence of these knowledge I state that it was done/implemented too quick (this state is reinforced by the fact that the financial community righ now is very worried about how to ease the compliance). Nobody doubts that in the long-term the law is going to improve the internal control of public companies. But please, don’t state that you have a complete knowledge of how to apply SOX, because every opinion is a refutable point of view.
As everybody can see I’m not an expert in using the ‘quote’ option.
ceocomp last edited by
Thanks very much for your feedback foreignsoxer. And good for you on following this vital topic. The point is that one should read and understand the actual act whether pro or con. The problem is that any Congressional act is complex enough to give a statue a headache. Simplifying the act and making it understandable would seem to be a good idea. Thanks again. Larry - [url]sarbanesoxleysimplified.com[/url]
As everybody can see I’m not an expert in using the ‘quote’ option. %0AWe won’t quote you on that - lol :)%0A The least one can do is study and know the rules. Any public company of whatever size should treat Sarbanes Oxley as an opportunity to refine and improve internal financial controls and processes. %0AOn a more serious note, I agree 100% with the great post FS shares … This is truly an EXCELLENT perspective of seeing the glass as ‘half full’. If a company goes in with a negative outlook on SOX, (e.g., burdensome, adds expense, slows things down, more controls, more documentation, etc), they’ll most likely do the minimum to become compliant. %0ATreating SOX with the attitude FS describes can yield some beneficial results for an organization. An organization can gain better controls, improved financial results, and even streamlining workflows for better business efficiencies.
Continuing with what I think about SOX, I think that when the SEC and the PCAOB published the answers to FAQ’s about SOX (I remember that both of these organisms published twice answers to FAQ’s, being the last one from May 16th 2006) they do not made good use of the opportunity. The top-down risk approach that they recommended, in my opinion, do not resolve any problem. The ‘company-level’ processes cannot be ‘controlled’ (except for the preparation of regulatory filings process and for fraud issues) by a Board of Directors or by the existence of group policies. And if someone tells me how to prove that a good ‘entity-level’ internal control, by itself, mitigates the risks related to (for example) contigency liabilities completeness, I would be completely amazed. The ‘entity-level’ controls sounds to me as the audit methods which weren’t based on substantive procedures, which were based on interviews with CFO’s, CEO’s… and which (in my humbleness opinion) contributed to the Enron, Worldcom… financial fraud.
Post-data: please apologise me for my poor english; is not my maternal language