Following a flurry of meetings earlier this year, the SEC and PCAOB have spent the last few months drawing up plans to make it easier for smaller public companies to comply with SOx 404.
In April 2006, the SEC Advisory Committee on Smaller Public Companies issued its final report, which included several recommendations relating to internal control assessment. Around the same time, public roundtable SOx 404 discussions were held by the SEC. Generally, while there has been public support of the spirit of the Act, there is also high criticism of the associated implementation costs and implied disadvantages to US companies. This is proving to be very influential on the SEC as they reconsider the requirements. In May, the SEC quickly announced a phase-in plan for smaller companies, under which management would need to assess internal control, generally starting in 2007, and auditors will need to audit internal control the following year. While smaller companies wait, both the SEC and PCAOB are issuing new and improved guidance for management and their auditors. We should expect to see these in draft form in December, with final forms in the spring of next year.
What will really change in 2007? Larger companies do not want too much change, other than audit efficiencies, as they've now implemented SOx 404 into their processes and will be in their fourth year. Management and directors of larger public companies have for the most part accepted the responsibilities under Sarbanes-Oxley, including Section 404. The focus now is on system controls and risk assessment.
But what will become of smaller companies? The most likely changes can be traced to the SEC Advisory Committee on Smaller Public Companies. Their report suggested a scaling of companies, wherein non-accelerated companies would be defined as the smallest 'micro-cap,' with the remaining termed 'small-cap' companies. They further suggested that until a suitable framework for SOx 404 implementation is developed, micro-cap companies be exempted and small-cap companies be subject to only an auditor assessment over the design of internal controls. The committee's conclusions were grounded in the belief that smaller companies do not have the resources to maintain rigorous internal control and complete an effective assessment, and the investing public would be accepting of these risks.
So here we are, just about to hear what changes will be made to make SOx 404 easier. Most likely the changes will look pretty much like the advisory committee report recommendations. We can probably expect some separation of management's assessment from the auditors' report, with the auditors auditing only the effectiveness of internal control. Auditors will then assess management's design, which is something less than an audit of management's process. This should reduce complications and costs for those companies. Also, implementation guidance from the SEC and revisions to the auditing standard will help all public companies.
Odds are that SOx 404 will not go away. We should not expect any change in law; the recent election results probably took care of that. Also the SEC does not want SOx 404 to go away, as they're sensitive to new corporate scandals. And, scandals have a way of reinventing themselves, as option backdating has this year. Finally, when looking at material weaknesses and financial restatements, there is a disproportionately large number in smaller companies. Investor protection will keep SOx 404 around. This brings us back to the recommendations of the advisory committee as the most viable solution.
Management and boards of smaller companies should be getting prepared for 2007. Even in the absence of an audit, a company's assessment of internal audit should be consistent with their auditors'. Most of the implementation guidance has been out for some time, such as a top-down risk-based approach for efficiency. Other changes will further allow auditors to reduce work if they can rely on some of management's assessment, as well as use the experience of prior-year audits. The theory is, the better the job done by management, the more efficient the work will be for auditors, thereby reducing fees. It is recommended that company management discuss the company's plans with their auditors and advisors in order to make the path easier.
Neil Goldenberg, Partner-in-Charge, Internal Audit & Risk Management Services, has more than 19 years of experience providing audit and audit-related services to public companies, as well as business advisory services to start-up and established entities. He can be reached at (212) 891-4204.