The SEC on May 17 announced their plans for smaller companimes and their auditors in implementing Section 404 relating to the effectiveness of internal controls. The Commission moved quickly in defining the next steps. This announcement comes only one week after a public roundtable discussing the second-year experiences of those who have reported under Section 404. And less than one month after receiving recommendations from an SEC advisory committee on smaller public companies which, if adopted, would have exempted some of those companies from parts of the Section 404 requirements.
The answer is - "No U.S. public company will be exempted from Section 404."
Smaller company proponents have been putting forth that Section 404 is too onerous and expensive for their limited resources. Investor proponents have indicated that the investing public should have the same assurances in smaller company internal controls that larger companies provide. And just about everyone was in agreement that the auditing standards for Section 404 were too demanding and resulted in excessive efforts by both companies and their auditors. These arguments are not new, and in fact the SEC first addressed some of these concerns when they provided statements last year that the assessments should be more risk-based, top down, and allow better focus on critical areas and provide solutions for efficiencies.
After taking all the vast public comments into consideration, the SEC has decided that all public companies must comply with the management assessment and audit requirements under Section 404. This had been anticipated, as some of the Commission members had indicated this much in recent speeches. However, the SEC recognizes that there is significant room for improvement and has drafted action plans to address the deficiencies.
First in the minds of everyone is the timing of the assessments and audits of internal control for smaller companies. Previously, non-accelerated filer public companies had to comply with all of the Section 404 requirements for years ending after July 15, 2007. This announcement indicates that there may be a two part change in the dates for compliance; managements' assessment will be required for fiscal years beginning on or after December 16, 2006, which means there will be no change for calendar year 2007 companies. However, the Commission expects to also issue a postponement for the audit of management's assessments to a date that was not yet specified, opening the possibility that smaller companies may need to perform assessments in periods before their auditors review.
In the meantime, the SEC will pursue additional efforts critical to the support of smaller public companies prior to their adoption. Some of those initiatives include:
Specific guidance for all companies from the SEC, which will follow a concept release soliciting further public comments;
Finalization of additional implementation guidance from COSO, which was issued in draft a few months ago and is pending completion following a comment period;
Revisions to the auditing standards to better align the objectives of Section 404 with the auditors and management, and hopefully reduce some of the excesses now experienced;
Consideration of the inspections of auditors by the PCAOB to assure effectiveness of the implementation guidance provided by the SEC.
These initiatives clear up an uncertainty that has hung over the smaller public company markets for some time. We now know that all companies will need to comply with Section 404, and soon. How management and their auditors get there will depend on the additional guidance, but it's clear that the SEC understands things need fixing. With this quick action, the SEC has given notice that they've heard the public's concerns and believe that Section 404 can work to the benefit of all if the experiences can be turned into a better process.
The SEC's announcement may be found at www.sec.gov/news/press/2006/2006-75.htm.
Neil Goldenberg is Partner in Charge of Eisner Corporate Governance Services.