Sunday, November 8, 2009
This week the House Financial Services Committee, in the now somewhat ironically called "Investor Protection Act of 2009," added an amendment that would permanently exempt companies with $75 million or less market capitalization from the SOX 404(b) certification requirement, despite the fact that the SEC Chair announced earlier this fall that the current exemption would expire so that investors of these companies would finally receive the protections against accounting fraud that SOX contemplated when it was enacted since 2002. Can anyone seriously argue that post-SOX events have shown that internal controls are not needed for all publicly traded corporations? SEC Commissioner Aguilar addressed the problem eloquently in a recent speech:
Everyone knows about the Sarbanes-Oxley Act, which contains a set of hard-won reforms made necessary by Enron, WorldCom, and other frauds. One clear lesson learned from those frauds was that many public companies had weak internal controls. The Sarbanes-Oxley Act tackled these problems by requiring the top executives of all public companies to take responsibility for their internal controls, and, importantly, for an independent auditor to come in and examine these controls. In the financial press, this independent audit requirement is referred to as "404(b)," after the section of Sarbanes-Oxley that requires the audit.
The Investor Protection Act of 2009 in its current form would repeal this important requirement of an independent audit for public companies with a market cap under $75 million. Some are describing this repeal of Sarbanes-Oxley as relief for "small businesses." I think people are confused when they hear the words "small business." The companies that would be exempted are not mom and pop neighborhood stores. These are publicly traded companies that offer their shares to all types of investors. And just so you know, this repeal has wide-ranging ramifications and would appear to affect the majority of public companies. Although the SEC generally does not track companies based on market cap, the SEC does have data on companies that generally have $75 million or less in public float, and our staff estimates that over 6,000 public companies may fall under that threshold.
To repeal this part of Sarbanes-Oxley now is to throw away a substantial amount of work done by regulators, companies, and private organizations to make compliance with 404(b) more cost-effective. Since the passage of Sarbanes-Oxley, the SEC has repeatedly deferred smaller public company compliance with the independent internal control audit requirement. During the period of the SEC deferrals, the SEC and the Public Company Accounting Oversight Board (PCAOB) were active in developing rules and guidance to allow 404(b) to be implemented in a manner that would work for both large and small public companies. A central goal of this work focused on making sure that costs for smaller public company were not overly burdensome.
The SEC alone has held roundtables, chartered an advisory committee, and engaged in a number of other regulatory and staff actions targeted at applying 404(b) to smaller public companies, and followed all of that with a staff study which found these efforts made compliance more cost-effective. In addition, private organizations like the Committee of Sponsoring Organizations of the Treadway Commission (COSO) have published guidance on internal control frameworks specifically targeted at smaller public companies. It is particularly ironic that, if 404(b) is undercut now, we will never see the benefits for investors of all the work by the SEC, PCAOB, COSO and others, and the opportunity for smaller public companies to take advantage of the practical lessons learned from companies that are already complying.