Thomas Brandt Jr., CFO of Telecommunication Systems Inc., a $143 million producer of wireless software, keeps in his office a paper-based reminder of his first-year compliance under Section 404 of Sarbanes-Oxley, even though everything is also stored on computer systems. Despite the Annapolis, Md.-based company's relatively small size, the 404-compliance project fills 18 ringed binders with all the process documentation, records of testing, interim testing and follow-up testing. "It was documented to an extreme, which is not to fault our auditing group that made the judgments," says Brandt. "They had to cover their exposures and err on the safe side."

Telecommunication Systems' recurring audit and related fees more than doubled during year one compliance, to $768,000, and as year two reporting winds to a close, Brandt expects those costs to be down by less than 10% at best. And Brandt, a Wharton School MBA and former PricewaterhouseCoopers auditor, considers his company one of the luckier ones, given that he had on hand a number of finance employees with Big Four backgrounds who could help guide the company through the new requirements, including Auditing Standard 2 (AS2), the guideline for Section 404 audits, which, like most aspects of Sarbanes-Oxley, only comes in one size. "It was the only comprehensive written guidance, and that meant it was for GE, IBM, Exxon and also me," says Brandt.

All that would change under a new set of recommendations working its way to the Securities and Exchange Commission (SEC) later this year. In December, an internal controls subcommittee established by the SEC to recommend changes to Sarbanes-Oxley released several sweeping suggestions: Exempt many microcap companies with annual revenues below $125 million from all Section 404 requirements, and for a set of larger companies it calls "smaller public companies," with revenues generally below $250 million, remove the external audit requirements of Section 404. Telecommunication Systems would fall into the second category, so should the recommendations, as they stand, be approved by regulators, Brandt and his crew would still need to produce a managerial assessment of internal controls, but it would no longer be subject to an outside audit. "This is the only way to provide relief to smaller companies, and I don't think the capital markets will be impaired," says Brandt, who points out that the recommendations don't strip away all accountability. "Section 302 isn't going away," he adds, referring to the requirements that CEOs and CFOs sign off on their companies' financial reports.