For Darryl Baker, it's hard to tell which is worse: the sheer cost of complying with Section 404 of Sarbanes-Oxley or the aggravation. Baker, controller of Mobility Electronics Inc., a Scottsdale, Ariz.-based company with $85.5 million in revenues, has had to go through the auditing process every year since SarbOx went into effect. During that time, auditing fees have more than doubled, to $633,000. But simply enduring the excruciating process itself has proved equally painful. "I've seen auditors spend most of their time on lower-level controls, like making sure vouchers for purchases of supplies were properly authorized," he says. "They focus on things that ultimately have little real impact."
Now, thanks to new proposed guidelines from both the Securities and Exchange Commission (SEC) and Public Company Accounting Oversight Board (PCAOB), Baker and executives at other small-and-midsize public companies might experience some relief. The pertinent question, of course, is how much.
The proposals--both of which came out in December 2006--are aimed at making Section 404's internal control stipulations more efficient and less burdensome for companies and auditors. Both sides of the audit--management and auditor--would now be able to rely more on their own experienced judgment rather than having to show every dotted i and crossed t in duplicate. (Separately, the SEC also issued another extension for non-accelerated companies--those with less than $75 million in public float--to comply with Section 404. It also added that audit reviews will not have to be completed until the year after management files their assessments.)
Both documents--the SEC Proposed Interpretive Release on Management's Report on Internal Control and the PCAOB Exposure Draft of Proposed Auditing Standard on Internal Control--have a similar philosophy. Of course, the SEC's effort is targeted at issuers, while the PCAOB's is aimed at auditors. But they both use what they call a "top-down, risk-based approach," meaning that management and auditors should focus on the aspects of the financial statement that pose the most risk.
As important for smaller companies, the proposals "recognize that one size does not fit all," says James Thyen, co-head of the SEC's small company advisory subcommittee on SarbOx and CEO of Kimball International, a Jasper, Ind., maker of furniture and electronics. For example, according to the PCAOB, auditors would be required to take into consideration the size and complexity of companies when doing their jobs--and could rely on their own judgment of the risks involved when evaluating management assessments. It also lists six areas in which an audit of a smaller enterprise might differ from an investigation of a bigger one. Two significant elements: the PCAOB specifies which controls should be given priority and it suggests that auditors consider inquiry or observation when documentation is insufficient. In contrast, the SEC's guidelines don't include sections explicitly oriented toward small companies. Still, Mobility Electronics' Baker points out, "for the first time, the SEC has issued rules and guidelines for how to approach this process."
Many small companies welcome the two proposals, both of which have comment periods ending Feb. 26. At the same time, the jury is still out, they say, on whether the new guidelines will make much of a difference. "I work with quite a few managers of companies [with revenues] under $500 million who are not convinced this will help," says Victoria Whitlock, governance practice manager for Enpria, a Seattle consulting firm. Why? For one thing, there's the matter of the professionals who generally conduct smaller- company audits. According to Whitlock and other observers, they tend not to be the veterans available to larger businesses. "These smaller companies get second and third-tier accountants," says Whitlock. The auditors probably won't have sufficient experience--and confidence--to make the kind of judgment calls necessary in top-down reviews, she argues. And while audit firms will undoubtedly revise the checklist of activities that auditors should follow, the less-seasoned who work with smaller organizations are far more likely to follow those instructions as assiduously as they did their previous guidelines. "Auditors will come in with a checklist. It just will be a different checklist," says Whitlock.
Those aren't the only potential problems. According to these critics, audit firms--which have benefited financially from the lengthy audits--might not have much economic incentive to reduce their hours. In addition, certain stipulations in the PCAOB proposal could actually lead to more work for auditors. Take the section discussing the tendency for smaller companies to have less stringent segregation of duties in areas affecting internal controls. "It might be that auditors merely end up figuring out new tests to do to make sure that the lack of segregation of duties doesn't lead to any problems," says Robert Hirth, managing director of Protiviti, a San Francisco-based independent risk consultancy. The bottom line: If audit costs come down, it probably won't be more than 5% to 10%, Baker predicts.
Some ambiguities could be cleared up over the next year by a PCAOB working group of small-company auditors. The group, which started meeting in 2006, has defined "six or seven areas that need to be addressed," says Sharon Virag, assistant chief auditor at the PCAOB. The goal is to provide examples of typical real-life situations involving small companies and how auditors should handle them.
Of course, while compliance with Section 404 tends to be a nightmare for many small companies, it also has its benefits. Whitlock points to a client, a $125 million business, as one example: When the CFO insisted that the auditor use the company's internal control document system and threatened to file a report with the PCAOB if the individual refused, the auditor reluctantly agreed. The result: The auditor ended up finding ways to save $5 million in inefficiencies. Says Whitlock: "The cost of the audit was offset by the business process improvements." Just remember that the next time your auditor comes calling.