The Public Company Accounting Oversight Board's Auditing Standard 5 (AS5) is about to be put to the test. Again. Securities and Exchange Commission Chairman Christopher Cox has launched a comprehensive cost-benefit analysis comparing AS5 to predecessor AS2 to determine if costs have come down enough to make small business compliance with Sarbanes-Oxley's Section 404 economically feasible. Cox also postponed the deadline for small business compliance for another year, to 2009, by which time the results will be in.
This puzzled some observers. "I was really surprised," says Trent Gazzaway, managing partner of corporate governance at Grant Thornton LLP. After all, he notes, the standard was created so the audit fees would be affordable for all size companies. When principles-based AS5 was introduced in July, it was hailed as deliverance from the clumsy and costly provisions of risk-based AS2, which Cox admitted included "wasteful and unnecessary" clauses. Surveys already have shown that AS5 reduces audit costs--the major problem for small business. So why another evaluation, ask some, who reckon small business compliance is inevitable anyway. John McLaughlin, senior managing director of risk services for Smart Business Advisory and Consulting suggests that smaller companies use the delay to adopt the COSO framework for establishing solid controls that meet some of the objectives of SOX--minus the mandatory external audits.
Not surprisingly, COSO chairman Larry Rittenberg agrees. "It's clear that companies that have good controls perform better over time," says Rittenberg, also an accounting professor at the University of Wisconsin at Madison. He points out that COSO introduced a principles-based approach to establishing strong controls in 2006, before AS5 was written. The COSO approach also helped scale implementation dodown for small businesses. But don't expect a battle between COSO and SOX. Rittenberg sees them as complementary.