Hip Hip Hooray! Permanent exemption from 404(b) for Small Business is Possible!

Permanent Exemption PossibleRecently, the House Financial Services Committee passed H.R. 3817, the Investor Protection Act. The bill includes an amendment, which would permanently exempt small public companies from complying with Section 404(b) of the Sarbanes-Oxley Act of 2002. The bill must still be voted on by the entire House of Representatives, but it is nice to know that there is hope.

As noted in the October 19th blog post by Mark Bailey, the 404(b) requirement for small business issuers is not beneficial in most cases and thus the passing of this act by the House Financial Services Committee is welcome news.

10 thoughts on “Hip Hip Hooray! Permanent exemption from 404(b) for Small Business is Possible!”

  1. My question is who has the shareholders’ interest in mind here? Does the finance committee understand that part of the problem with our economy is lack of investor confidence. Just because a small company can not generate a higher return over EPS than a larger company doesn’t mean that they shouldn’t be regulated. Exactly how much do these smaller company’s pay to have an audit firm opine on controls? Fee’s are commenserate to size. Is this the best excuse D.C. lobbyist’s can come up with? The only way that the House will see that regulation is beneficial is to take it away. Then the small public businesses will see even less investor activity since their is no regulatory body ensuring that fraud or executive mis-management is monitored. Let’s face it. Audit firms change partners on an engagement every 4 to 5 years but that doesn’t mean that they look at the company differently each year. Especially if it is a strong relationship. Small businesses are not paralyzed by the cost of an internal control review. Small businesses are paralyzed by lack of sales, poor business acumen, lack of board involvement, and stiff government, state and local taxes. Let’s put the onus on the real issues instead of creating another way that the investor gets screwed.

  2. Thank-you for the thoughtful comment and excellent points made. I’d like to assure you that I did not flippantly make my post. I made it as an auditor of several small business issuers from whom I genuinely don’t see a benefit to them or investors from an audit of internal control over financial reporting. A business that has a few number of employees (as most of our small business clients do) has a difficult time maintaining segregation of duties and most likely will not receive an audit opinion that states the company maintains effective internal control over financial reporting. Why should a small business issuer pay $10,000-$50,000 (depending on size) for such an opinion? This may seem minimal to some, but $10,000-$50,000 is a lot for a struggling business and it’s nearly impossible to do a quality audit for anything less, for as auditors, we are required to have detailed documentation and several levels of review in order for us to be in compliance with auditing standards.

    Typically, investors in small business are venture minded (not institutional) and should be aware of the risks of such an investment. Investment decisions in such companies are based on the quality of management and the business plan, not what the internal controls look like.

    Currently there is no 404(b) requirement for small business issuers, so I’m not sure that your point regarding taking it away and losing investor activity is valid. Small businesses seem to be doing just fine with the current rules and regulations. Finally, internal controls will not fix a business with a lack of sales, poor business acumen or stiff taxes.

  3. Private companies are not subject to SOX? Why? Because they obtain their equity without utilizing the SEC or going to novice investors. I’m not independently wealthy but I have chosen to place my hard earned dollar into companies to (1.) earn a return and (2.) to see small business’ grow and become large businesses. Small (public) businesses as you mentioned above have a cost to an internal control opinion. What is the cost then of an executive of a public company who decides to override a decision of the board? What if there were no process of keeping board minutes? Then the board has no recourse to protect me in the event the executive used “poor business acumen.” How do I regain my lost investment? My comment on what is really causing the costs of business to rise is the fact that not all CEO’s or CFO’s of these small companies make good choices for those who are investing in their company. Maybe they don’t utilize their sales staff appropriately because of a lack of control over their staff. Audit specifications recognize the issues that small companies face in the wrelm of “segragation of duties” and at best should only report it in a list of occurrences. You will not earn a poor opinion based off of that information. Investors as well as auditors should be concerned, however, that a company does not have processes that preclude “management override” or identify significant accruals. Then, from your comments, you are basically saying that small businesses should not be burdened with regulation. As an investor, that would be concerning and if I knew that, i would place my confidence in your company.

  4. With regard to JR Crowe’s comments, public companies with less than a $75M market cap should NOT be wasting their limited resources on excessive compliance. Investors buy shares in these companies because of their extensive upside potential. These companies include more warnings in their SEC filings as to the risk involved than you would find on a carton of cigarettes, specifically that you can easily lose your entire investment. If this is not an acceptable level of risk for you, simply choose not to invest.

    I invested in a penny stock (market cap was about $35M), and several of us believed the chairman was acting in an unethical manner (he was fined and barred for one year from public company participation for antics in another company for which he served as chairman). We filed a complaint with the SEC, and they all but laughed at us. They simply lack the time and resources to pursue issues with these small public companies, so if you can’t get enforcement, what is the value in regulation?

  5. I think there are clearly two schools of thought being expressed here. Let’s all keep in mind one very significant point, which is :

    SOX 404b is the external auditor’s opinion requirement on Management’s assertions regarding the effectiveness of the internal control environment.

    I believe the requirement date for Management to disclose it’s assertion on this dates back to FYE’s after 12/15/07. All SEC filing registrants since then have been required to provide this disclosure, and since that point are bound by the covenants of the SOX Act and Sec.404.

    The missing piece is having the auditors agree or disagree on Management’s assertions via the annual audit.

    So why are small company filers complaining?

    Go read their SOX 404 assertion disclosures regarding evaluating the IC environment effectiveness, tracing back to 2007. My guess is you will find that Management has been complying with the disclosure requirements, with the CEO’s and CFO’s signing off on Sec. 302 and 906.

    What are they afraid of? My guess is they really have done nothing or little to actually document, assess, and fix their IC. Those signing off should be worried. Back then economic times were different – how quickly things change. Now it’s a catch up situation, and they are pressed against the economic burden today.

    Those that have taken the proper steps already have made the most significant financial investment to properly comply with SOX.404 compliance requirements and process in place. If so, they really should then have nothing to fear.

    Ask yourself the question, would you like to be a sitting CEO or CFO that has signed off on SEC filings, but has no evidential substance to support this?

    They only relief that would help smaller SEC filers would be to get fully exempted from the SOX.404 requirements. Just exempting 404b seems silly to me.

    What surprises me? The current legislation that proposes exempting smaller filers from SOX.404 compliance requirements. I’m not sure if it’s everything or just the external audit 404b requirement. In either event, this bill was authored by a Republican.

    Given the state of the economy and the events over the past 12-18 months, and having the Democratic party in control beating the more gov’t regulation drum, I didn’t think this could even get out of the committee, but it has. So who knows where this goes. Wonder what the Vegas over/under is on this passing?

    This delay originally was because of the change from Audit Standard #2 to AS#5. From what I’ve seen, from the SEC filer perspective, the potential cost reduction really does not happen in the year#1 audit. The auditors need to create their audit baseline in year#1.

    The external auditors are regulated by the PCAOB, they will make sure they comply with requirements. Don’t expect them to compromise on this, they have to CYA themselves -logically so.

    AS#5 gives auditors the ability “rely” on the work of others. Also allows them to not have to retest areas that have not changed year over year. Example : Application controls with IT systems. Places emphasis on the Entity level environment and materiality, lack there would lead to deeper review at the process levels – logically so.

    I’ve been doing SOX projects from the early days, ending up through 2007. From the consultant side, clearly the market has dried up since, really this all concerns the SEC and PCAOB sliding the audit date.

    Times up.

    There is a considerable amount of documented guideance from COSO and the Big firms – directed at the smaller company filers – taking into consideration AS#5 requirements and changes. These outline the requirements, really gives a roadmap of related risks and what should have been addressed. Good thing to follow, it’s what the auditor will do.

    The main observation I would suggest to the smaller filer is to determine how important it is to continue being an SEC registrant. If they trade on one of the major exchanges or OTC, they are required to file with the SEC. If they only trade on the pink sheets, they can effectivety avoid the reporting and compliance requirements with the SEC. The downside is limiting the avenues for their stock to be traded.

    If this is not an issue, it is an alternative. Example would be where the company’s stock is closely held, limited shareholders, not eventually looking for analyst coverage,.etc.

    But if the company wants continued access to the capital markets, then the rules of the game are clear, and smaller filers have been given ample time to absorb the cost to comply – in my opinion.

  6. I understand J.R.’s frustration, but my experience as an audit partner for public companies indicates that the audit of management’s assertions required under 404(b) isn’t going to provide him that warm fuzzy feeling he’s looking for and he shouldn’t rely on it for that purpose.

    Randal is dead on with respect to his historical perspective and the exposure to CEOs and CFOs, but I still have to ask “What is the hoped for benefit of making these small issuers jump through the 404(b) hoop?”

    In my post in this space on October 19, SOX 404(b) -The Tar Baby and the SECI linked to a discussion of cost, as well as the SEC’s own survey wherein the unanimous opinion of the issuers polled was that 404 did nothing to enhance investor confidence.

    Candidly having an auditor opine that management’s assertion that their internal control system has material weaknesses or significant deficiencies is accurate does nothing to forestall fraud.

    So if not to reduce the risk of fraud, or increase investor confidence I ask “what is the benefit being sought, can it be achieved through this process, and does this potential benefit justify the cost?”

  7. Mark. Good points. There is an addage out there that goes like this, “If you can’t see it, it must not be there.”

    The benefit sought is accountability. True to Larry’s comment about enforcement of violations but where would the breakdown be in that example? The breakdown is in both the executive’s action and the PCAOB / SEC’s response. Does that mean we should just say, “Hey, no benefit here….no enforcement either. Guess we should just file 13 the whole concept.”

    My contention as I mentioned earlier is this. Take away regulation of small public companies. Let’s see how long they can go without having prior period adjustments or violations from the SEC on the GAAP side. The real cause of GAAP issues or proper financial reporting stems from a “lack” of internal controls. As an investor, I am looking at the financial stability and promise (FIRST). The fact that I can look at the company’s disclosures and see that there were NO material weaknesses or deficiencies in the internal controls is only an added bonus. As I mentioned earlier as well, audit firms are not going to catch everything but the benefit is that “someone is looking.” Giving management the responsibility of telling the auditors that their internal controls are A.OK without verification (404(b)), is like me telling you at a job interview that I am a CPA and you just take my word for it.

  8. JR, you are missing a key concept here. There is still an independent audit of the financials as there alway has been. Actually, the PCAOB has strengthened the rules for independent audits. What they are hopefully conceding is that the 50k to conform to the rules governing controls are better for the company and its investors being spent on hiring additional workers or equipment or advertising.

    It is in no way saying that you are claiming to be a CPA and anyone taking your word at it. It is you claiming you are a CPA and providing your membership card and your state board identification number as well. This is an audit and you will still provide back up. You will NOT have to buy 3rd party software and hire specialists to prove you are a CPA.

    That is just my opinion.

Leave a Reply

Your email address will not be published. Required fields are marked *