Last month the SEC Advisory Committee on Smaller Public Companies adopted the following three recommendations concerning oft-maligned Sarbanes-Oxley Section 404:
1. Exempt Microcap companies from S404, subject to certain conditions
2. Exempt Smaller Public Companies from the external audit requirement of S404, subject to certain conditions.
3. The subcommittee strongly endorses recommendation #2. However, if the Commission believes that public policy requires some level of auditor reporting on Smaller Company controls, preventing the adoption of recommendation #2, then as an alternative, we recommend the SEC changes its rule for the implementation of the external audit requirement of S404 to a cost-effective standard (ASX) providing for an external audit of the design and implementation of internal controls.
These recommendations were put forth by the Internal Controls Subcommittee. Click here for the PowerPoint slides used by the subcommittee to present its recommendations. Note that I assume the recommendations were adopted as presented in the slides, but I have been unable to verify this point.
Microcap companies are those with market capitalizations in the lower 1% of all U.S. public companies (below approximately $100-125 million) and last fiscal year revenues no greater than $125 million. Smaller Public Companies (which include Microcap companies) are those with market capitalization in the lower 6% of all U.S. public companies (below approximately $700-750 million) and last fiscal year revenues no greater than $250 million. Approximately 50% of all U.S. public companies fall under the definition of Microcap companies, and approximately 80% fall under the definition of Smaller Public Companies.
The committee based the above recommendations on the following conclusions:
1. Microcap and Smaller Public Companies proportionately represent a significantly smaller risk to the capital markets than large public companies.
2. The costs of S404 compliance have been much higher than anticipated
3. There are fundamental differences between larger and smaller companies
4. The cost and amount of resources necessarily devoted to S404 compliance is not proportional for Microcap and Smaller Public Companies
5. Based on our consultation with COSO, clear guidance does not exist for Microcap and Smaller Public Company managers on how to develop and support proper S404 assertion
6. Investors recognize that smaller companies carry greater investment risk
7. In smaller companies, the risk of management override is significant; internal controls over financial reporting are not as effective as other techniques to detect and prevent fraud by senior executives
8. There are multiple ways to help and ensure good internal controls at smaller public companies
9. Disproportionate compliance burden will likely have a negative effect on the competitiveness and capital formation ability by smaller companies, thus hurting the U.S. economy
Smaller companies have limited resources which are being allocated to internal processes for S404 compliance, and, as these processes are not relied on for financial reporting, this unnecessary effort results in diminished shareholder value.
Conclusion 9. is obviously the clincher and embodies most of the others. I have run across most of these conclusions before in one form or another. Conclusion 6., however, is new for me, and I find it somewhat curious, at least standing alone. Are they saying investors know small company stocks are more risky and therefore should be comfortable with fewer safeguards? This seems to contradict the reasons for the SEC’s enactment of various regulations (see below).
Of course, the key conclusion missing here is that the costs of S404 outweigh the benefits. The obvious reason for the omission is that it is difficult, if not impossible, to quantify the benefits of S404. As an aside, at the recent AALS section on securities law, a former SEC chief economist stated that the SEC does little cost benefit analysis (he characterized it as “back of the envelope”).
The slides linked to above provide varying degrees of support for each of the nine conclusions. They also include some additional recommendations.
I’m all for exempting smaller companies from S404. But I would be surprised if the SEC does so for two reasons.
1. It’s not clear to me that they have the legal authority to do so. S404 provides:
The Commission shall prescribe rules requiring each annual report required by section 78m(a) or 78o(d) of this title to contain an internal control report, which shall–
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) Internal control evaluation and reporting
With respect to the internal control assessment required by subsection (a) of this section, each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
I don’t see any exemptive authority conferred to the SEC under the above language. The next section of SOX (S405) does specifically exempt investment companies from compliance with S404, but it says nothing about small companies and again does not confer any exemptive authority on the SEC.
The easy fix would be for Congress to amend SOX to give the SEC the necessary authority. As I noted in this post, however, Rep. Oxley indicated in an October ’05 speech that Congress is unlikely to intervene.
2. Exempting small companies would be inconsistent with SEC practice and policy. The SEC has consistently subjected small companies to greater regulation based in whole or in part on the fact that smaller companies carry greater investment risk. See for example enactment of the penny stock rules, exclusion of securities traded on the Nasdaq Capital market (f/k/a Nasdaq Small Cap market) from the definition of covered securities and for S-3 resale registration eligibility, and tightening of Rules 504 and 701, to name a few examples. While the SEC has made special provisions for small companies in some areas (see for example adoption of Regulation S-B in 1992 which established slightly less onerous disclosure requirements for “small business issuers”), I’m not aware of it adopting a blanket exemption for small companies for something on the scale of S404.
I think recommendation 3. indicates that the subcommittee has anticipated these problems. My guess is that the SEC will adopt less onerous S404 rules applicable to small companies, similar to what it did with the adoption of Regulation S-B. I hope I’m wrong, and the SEC concludes it has the legal authority to adopt recommendations 1. and 2. (would anyone challenge the conclusion?), and that breaking with past practice and policy is warranted because we’ve never before seen anything as costly as S404.