In draft recommendations submitted Feb. 22, the Advisory Committee on Smaller Public Companies suggested that companies with market values and revenue of less than $125 million, or micro-caps, be exempted from Section 404, the part of the law requiring a company to explain its internal controls and have them certified by external auditors on an annual basis. Companies with market value of less than $750 million and less than $250 million in revenue would be exempt from the external audit requirements of Section 404, provided they meet certain conditions. The two groups make up 80% of public companies.
Passed in the wake of the WorldCom collapse, Enron and other corporate scandals, Sarbanes-Oxley aims to prevent the sort of accounting frauds that cost investors millions. Complying with SOX, however, has proved costlier than predicted -- 20 times more so by some estimates -- with the toll on smaller companies especially heavy. The Advisory Committee on Smaller Public Companies, a 21-person panel of executives, lawyers, accountants, investors and academics, was appointed by the SEC to examine the complaints and help fine-tune the law.
"The advisory board shirked its duties. I look at these recommendations and say, 'My goodness I hope we weren't paying these people to meet because I want my money back,' " Caldwell said.
In the 1980s and 1990s, the SEC took the attitude that problems at smaller companies "can't hurt that many people," and juries wouldn't be able to understand the transgressions anyway, Caldwell said. "Both were proven wrong. Juries are smart enough, and small companies can turn into bigger ones," he said, adding that SOX might not have been necessary had the SEC been enforcing existing law on those smaller violators.
Lawyer Frederick Lipman, a member of the Association of Audit Committee Members Inc., a not-for-profit organization focused on developing national best practices for audit committees, was among many who expressed support for the panel's draft recommendations in letters posted on the SEC Web site. "If clever management of a public company is determined to commit financial fraud, it is unlikely that the external audit requirements of Section 404 will prevent such fraud," he wrote. Reached by phone, he said he was not concerned that a rollback of Section 404 for smaller companies would re-open the door for fraud.
"Section 404 merely deals with so-called internal controls. There has been no empirical evidence that had such internal controls existed that they would have prevented any of the frauds. Management also has the ability to override a lot of the controls," Lipman said.
Lipman said the cost of compliance with 404 outweighs the benefit. "Are the shareholders going to get that much more protection compared to the loss of income to the auditing firms?" he said. A more effective way to protect investors, he said, would be management fraud insurance, which is not currently available. "If a lower-level employee embezzles money, you can get a bond to cover it. But if a CEO commits financial fraud, that is not covered," he said.
Caldwell, whose firm has estimated that SOX regulations will account for a median 15% of IT budgets in 2006, up from 3.3% in 2004, said there is no debate that compliance is expensive and siphons money from other projects.
But the companies that get hit the hardest are the midsized companies, with revenue of $250 million and more, that have the complexity of a large company but not the resources. Small companies of less than $200 million in revenue "are just not that complex." He agrees with Lipman that the advisory board should consider other ways to modify SOX requirements.
"I thought they would have come with some recommendations that actually reduce the burden -- maybe, you'll only have to, say, audit a third of the controls in any given year," Caldwell said. "Or maybe they would have come with some clarity on what are effective controls, a problem for all-sized companies."