
Just as with the Y2K crisis of seven years ago, IT workers are being called upon to don superhero suits and save the enterprise from impending technology trouble. But this time, IT will be sifting through the complexities of the federal Sarbanes-Oxley Act of 2002

Public Companies over 75 million already need to comply by 12/15/2007...

Will your SMB be Ready?



December 23rd, 2007

Compliance News

SOX Extension Granted, but Auditor Role Still Unclear

By Shamus McGillicuddy, News Writer
19 Dec 2007 | SearchCIO-Midmarket.com

Election-year politics may have had a hand in the federal government’s reversal on enforcing accounting rules for smaller public companies. But at the end of the day, experts say, it doesn’t change much — and the onus is still on the accounting industry to make this work.

For several years, the Securities and Exchange Commission (SEC) has pushed back the deadline for smaller public companies (companies with less than $75 million in public float) to comply with the accounting rules of Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) because of worries over how much it would cost them to comply with the regulations.

However, the SEC spent most of 2007 warning smaller companies that no more extensions were forthcoming. In 2008, small companies would have to demonstrate compliance with SOX, the SEC said.

Then earlier this month, SEC Chairman Christopher Cox offered small businesses a Christmas present. Never mind 2008 compliance, he said. Let’s push it to 2009.

"My first thought was, this isn’t even worth a Gartner prediction," said French Caldwell, research vice president at Gartner Inc. in Stamford, Conn. "2008 is an election year. Who couldn’t predict this? Giving small businesses a break on Sarbanes-Oxley at this time? We’ve known this was coming for a long time."

With the economy shaky and many members of Congress facing re-election in 2008, Caldwell said the federal government is looking to avoid any controversy over the costs small businesses would incur from compliance.

"I think this is essentially a move that gets them beyond the election, and gets them a little bit of cover to come out with some additional rules that make it a little easier on small businesses," Caldwell said. "They’re not going to have this blow up in their faces in an election year."

Liza Warner, internal audit and controls solutions director at Jefferson Wells International Inc., said the SEC "has been getting a lot of pressure from various parties. For smaller companies to comply with Section 404 of Sarbanes-Oxley is very expensive. With the SEC creating additional guidance for compliance they have been proposing and providing since midyear, they rightfully have to give smaller companies time to absorb those changes." Milwaukee-based Jefferson Wells is a professional services company that specializes in internal audit and controls, finance and accounting, tax, operations and technology risk management.

Warner said the cost of SOX compliance for smaller businesses varies, but she estimated that it can range from $100,000 to several hundred thousand dollars. Many of these are first-year costs, according to Warner. Once a company has its internal controls in place, the costs will go down as companies focus their compliance spending on audits.

U.S. Rep. Nydia Velázquez, chairwoman of the House Small Business Committee, recently published a report that claimed small businesses could spend up to 3% of their net income complying with Sarbanes-Oxley.

"This is not the SEC’s fault," Caldwell said of the compliance costs small businesses are facing. "It’s the auditors’ faults. The auditors have never sat down and said, ‘Here is the standard by which we are going to do the audits [for small public companies].’ They’ve never done it. It borders on near negligence."

Caldwell said the country’s leading auditing firms should take this newest deadline extension as an opportunity to mitigate this "negligence."

"I think it’s about time, and I think these audit firms should take it on as a New Year’s resolution, that they should sit down and come up with a standard way to do these internal audits and negotiate this with regulators," Caldwell said. "They really ought to do that in 2008. They need to publish an open letter about how they’re going to audit small businesses. Let’s do that. And they need to do it in detail."

In the meantime, there are steps CIOs at small public companies can take during this latest extension. They should get their change management and application development processes documented and tested. They should also tighten up their identity management and access management processes and ensure a segregation of duties for financial applications, Caldwell said.

He added that many CIOs at small companies are on top of this. And compliance isn’t as tough as one would think.

"I’ve talked to a lot of small businesses who are really starting to get a handle on this," Caldwell said. "Their financial services are simpler. They’re not distributed all over the world."

Let us know what you think about the story; email: Shamus McGillicuddy, News Writer.
