SEC Conference – SOX 404(b)Posted: December 10, 2012
I recently attended the AICPA SEC and PCAOB Developments Conference in Washington DC. This three day conference is so full of information that I will spend more than one blog talking about my perspectives on the topics covered. Today I want to discuss the Sarbanes-Oxley Act. This conference marked the tenth anniversary of the SOX Act and while there are many provisions that have deeply changed the CPA profession, one of the most significant to preparers of financial statements was section 404. This section required all companies to report on and have an audit of their internal controls.
Anyone who went through the implementation of Sox 404(a) reporting from management and 404(b) reporting from auditors knows how overwhelming an endeavor it was. It took several years and two audit standards (AS 2 and AS 5) before we all figured out how to really focus on the internal control process around external financial reporting. There have been numerous studies of the impact of section 404 – in terms of cost and in terms of benefits – and SEC Commissioner Luis Aguilar shared his conclusions from those studies.
He believes the studies show conclusively that section 404 works. It has lowered the cost of capital and, now with mature processes in place, the cost of compliance has come down significantly. But he went further and made the point that it is really section 404(b) that deserves the credit. Companies that have 404(b) reports have less misstatements and an even lower cost of capital than those companies that only do a section 404(a) report.
It was clear that Commissions Aguilar as well as James Doty, Chairman of the PCAOB and other regulators believe the delays and now permanent injunction on extending the 404(b) requirements to smaller public companies puts investors at needless risk that the SOX Act was intended to prevent.
Personally I have always found it disingenuous to exclude smaller public companies from the requirement. Even before the SOX Act was passed, there was substantial data that showed smaller companies were more likely to have misstated financial statements, in part due to weak internal controls. If the intent was to protect investors, then smaller companies should have been the first to comply with 404(b), not the last. I understand the cost argument but that is, or should be, a cost of being a public company. If it is too costly for small companies, then maybe those companies are too small to be publically traded.
I am sure there are some, if not many, of you that will disagree with me, but my position is that if you buy into the need for section 404 to apply to any company because it benefits investors, then it should focus first and foremost on reducing the risk from the riskiest of the investments available to those investors. That is, investor protection requirements should be based on risk, not size.