Sarbanes-Oxley: Is 2006 the Year of the Non-Accelerated Filer? November 30, 2005 What
exactly is SOX compliance? As we read the law, it specifies
a requirement for transparency of disclosure and an acceptance of
responsibility for same by management. The attestation
requirement in a nutshell is (1) once a year tell the SEC about your internal
controls system, (2) once a year disclose where your systems are weak, and (3)
once a quarter, report any material changes you have made to your internal
controls. SOX does
not specify a minimum level of implementation for “internal controls” per
se. Only that the framework for evaluation should follow one
established by a body or group that has followed due-process. Our
analysis of potential legal liability indicates that criminal infractions
and even the risk of shareholder litigation are probably elevated by a
failure to disclose the true condition of internal controls. Regulators,
managers and investors all want the same thing: to know what’s going on.
Thus we see a push from the audit community for “minimum implementation
levels.” But this seems to be driven more by some sort of chicken
and egg trap that perplexes more than it solves. Audit
firms need to certify an “accepted framework” with the Public Companies
Accounting Oversight Board (PCAOB) in order to receive certification as a
public company auditor. This seems to have resulted in due-process
that has created a one size fits all solution, a solution that fits like a
straight jacket. According
to anecdotal reports, the institutionalization of SARBOX procedures makes
internal controls more opaque than ever before. They seem far more
attuned to protecting auditors and consultants from their own risks of
litigation leaving the SEC registrant to produce new
mountains of paper and add non-operations staff to repeatedly fill out lengthy
questionnaires. Many
companies report that they actually knew more about what was going in inside
their companies before all these frameworks were adopted. Some boards of
directors we have heard from report that they have added a new line item to
their G/L’s called “Compliance.” They now track two sub-ledger categories.
Specific costs incurred to execute compliance tasks and incremental costs added
to existing functions because of compliance. These Activity Based
Costs are not pleasantly received by corporate Consider
that the 2004/2005 generation of compliance procedures were constructed in an
environment of high paranoia, something to be expected following any new and
far reaching law. Consider further that these early procedures were
aimed at exploring tools for use by accelerated filers with essentially
unlimited budgets. The
biggest SOX implementation consultancies charge using a billing rate model
measured in $100K per $1 billion of revenue increments, a mere 1/100th
of a percent. Small change they say in the grand scheme of
things. But these implementation costs do not scale down,
making smaller companies bear a grossly disproportionate burden in terms of
carrying the consultants. Estimated SOX Implementation Business Potential 2004 Annual
Operating Revenues-- All US Public Companies
* Based upon 1/100th of 1% of revenues If
the SOX cost numbers scaled down, compliance for a company with annual revenues
less than $1 billion would average about $1,300.00 vs. $4.4 million for the 20%
of all filers above $1 billion in revenue. This is clearly not the
case. Public company filers with less than $1 billion in revenue
have to contend with “generally used practices” for attestation compliance that
price as high as $100K per $1M of revenue once direct and incremental costs are
factored in. No
wonder that smaller companies in the non-accelerated filer community see only
pain, heartache and bankruptcy in SOX. The affordability issue for
non-accelerated filers therefore boils down to a simple question.
How much is enough to get the attestation job done without bankrupting the SEC
registrant in the process? Law
firms, when asked, do point out that legal compliance is based on accurate
disclosure but most companies have to date relied on implementation guidance
from their accounting firms and SOX process consultants who seem to have
largely missed this nuance. A key issue we see for 2006 is to
refine what the appropriate interplay is between the legal and audit sides of
the coin in this process. There
remain forces in play that push SOX in the direction of the onerous and
unaffordable. There is fear mongering within certain branches of the
research and investment community that threaten CEO’s with stock price
collapses if they comply and accurately disclose the status of their internal
controls. These fear mongers hope only to take advantage of the arbitrage
and indeed stand to make more money if things stay opaque. We see waves
of investment in non-attestation costs driven by this fear – a waste of
resources under already difficult economic circumstances for many companies --
a sad state of affairs. So
what can the SEC do? The Commission can encourage reporting the
status of internal controls by registrants and discourage overspending on
cleaning up the scorecards. The PCAOB can help as well by encouraging the
audit community to adopt procedures that focus more on verifying the state of
their client’s internal controls rather than holding their clients hostage to
checklists of “one size” systems implementations. Developing
an affordable reporting environment without forcing public companies into the
proverbial straight jacket should be the regulatory community’s
objective. If the preponderance of the market complies with the law and
discloses the condition of internal controls along the same general lines of
reporting, there would be no net arbitrage for fear mongers to feed on.
Transparency would be increased. And the public good, national interest
objective of SOX will be achieved after all. The Institutional Risk Analyst is published by Lord, Whalen LLC (LW) and may not be reproduced, disseminated, or distributed, in part or in whole, by any means, outside of the recipient's organization without express written authorization from LW. It is a violation of federal copyright law to reproduce all or part of this publication or its contents by any means. This material does not constitute a solicitation for the purchase or sale of any securities or investments. The opinions expressed herein are based on publicly available information and are considered reliable. However, LW makes NO WARRANTIES OR REPRESENTATIONS OF ANY SORT with respect to this report. Any person using this material does so solely at their own risk and LW and/or its employees shall be under no liability whatsoever in any respect thereof. |
A Professional Services Organization Copyright 2016 - Lord, Whalen LLC - All Rights Reserved |