The debate over how to change Sarbanes-Oxley requirements for small and midsize companies, or whether to change them at all, will heat up over the coming months. A final list of recommendations is expected from the Advisory Committee on Smaller Public Companies in April, and then it will be up to the five SEC commissioners to move the process ahead. What is clear is that many in the business community believe the current regulatory scheme, where AS2 applies to all companies, no matter their size, nature of operations or complexity, is too costly and in need of reform at some level.

But the move to strip away key provisions of Section 404 for many of the smallest publicly traded companies is meeting stiff resistance from corporate governance experts and others. Hammering out a set of reforms that reduce the cost of compliance without watering down the effectiveness of internal control reforms won't be easy. "These are the companies that [have] had the vast bulk of fraudulent activities over the last 25 to 30 years," says Patrick McGurn, senior vice president and special counsel at Institutional Shareholder Services. "Enron and WorldCom were the anomalies. Investors will have to make a decision upfront as to whether to invest based on not getting some level of scrutiny of internal controls that you would get from a large company."

Chairing the subcommittee that produced the sweeping 404 reform recommendations is Janet Dolan, former CEO and president of Tennant Co., a $500 million producer of industrial cleaning equipment. She stepped down late last year after 20 years with the company, but remains active as a director on two other New York Stock Exchange-listed company boards, St. Paul Travelers Co. and Donaldson Co., and has recently been named as non-executive chairwoman of Wenger Co., a privately held manufacturing company.

In 2004, then-SEC Chairman William Donaldson approached Dolan about serving on the small company advisory group. She was an interesting choice, given that her name was considered following her relatively critical remarks in the press against 404. She's no doubt qualified, having been through Tennant's compliance efforts during the last two years. As she describes the 404 audit, the project required a lot of effort but produced very few "ah-has" when it came to risks involving financial reporting. Minneapolis-based Tennant completed its first-year 404 reviews with no material weaknesses uncovered, but external audit fees jumped to $1.4 million in 2004 from $500,000 in 2003. "For global competition in the 21st century, we better not over-regulate," says Dolan. "What we need is smart regulation."

On the other hand, Dolan isn't entirely anti-reform. In fact, she considers many governance reforms of recent years, including board independence, whistleblower requirements and Section 302 sign-offs, very helpful to investors in smaller companies. She draws the line at 404 because in her view it is written for larger organizations that rely more on processes, rather than smaller ones where a handful of people could be very close to most of the transactions. "The value of a 404 audit becomes less and less the smaller the company, but the cost gets greater and greater," says Dolan. Her work over the past year has involved interactions with corporate executives, auditors and regulators and she remains convinced that serious reforms are needed. "The concern of how 404 has been implemented has been significant, [so] it didn't require tinkering around the edges," says Dolan. "I think among companies it is pretty universally believed that the cost, both the out-of-pocket cost and hours, is way out of proportion to the value it created."

The two-tiered approach of the current proposals may involve relatively small public companies, but in terms of sheer numbers, the group represents 80% of all companies listed on U.S. exchanges, according to SEC estimates. By market capitalization, however, it accounts for just 7% of the markets. Cutoffs were determined by using a combination of revenue size and market capitalization.

The smaller group, referred to as "microcaps" in the December reform proposals, would be exempt from Section 404, but to qualify, a company would have to have revenues below $125 million in the last fiscal year and a market capitalization of less than $125 million. These companies would still be subject to Section 302 certifications, external financial statement audits and all corporate governance requirements. In addition, although they would be exempt from Section 404, they would still be required to disclose all material weaknesses management is aware of, including those found by external auditors that are reported to the audit committee. According to SEC estimates, half of all public companies would fall into this category, but the class of company represents just 1% of total U.S. public company market capitalization.

The second group, referred to as "smaller public companies" by the report, would still be required to perform Section 404 internal controls testing, but management's assertions would not be subject to review by external auditors as the law currently requires. This group would also be subject to Section 302 and other requirements, including disclosing known material weaknesses. To qualify for the group, a company would have to have revenues below $250 million in the last fiscal year and a market capitalization of below $750 million. This second category represents about 30% of all public U.S. companies, but just 6% of total U.S. market capitalization. The subcommittee led by Dolan offered a third recommendation: The SEC should produce a new auditing standard for a more cost-effective audit review of these companies, in place of the current AS2. But Dolan makes it clear that this alternative should only be considered if the SEC rejects its preferred solution of exempting smaller public companies from 404 external audit reviews entirely.

AT LEAST SOMEONE SHOULD BENEFIT

Even executives at some midsize companies too large to be subject to the reform recommendations support the drive to change Section 404 and AS2. Ann Marie Hunker, controller and principal accounting officer at $1.2 billion M/I Homes Inc., has seen audit fees and internal audit cost tripled under Sarbanes-Oxley. "One-size-fits-all is not cost- beneficial for a company of our size," says Hunker, who has day-to-day oversight of a five-person internal audit staff. "A Microsoft of this world can absorb it, but for our company it's a significant hit in terms of both cost and use of time of our internal resources."

Perhaps Hunker's biggest frustration involves the requirement for the Columbus, Ohio-based company and the independent auditors to spend significant time testing IT internal controls. She says 20% of the auditor's time was devoted to IT controls, but given the nature of M/I's operations, which involve single-family homebuilding and some mortgage financing, and given M/I's centralized financial reporting controls, she believes the cost of time spent on IT controls is not justified by the level of risk. Hunker is also frustrated by some of the firm-wide standards the independent audit firms have implemented. "It seems as though the company can't do a new accounting transaction without it going through our auditor's national office. Local decision making appears to be gone and it [takes] a week or two to get an answer." Although M/I's market capitalization falls within the bounds of the current reform proposals, on a revenue basis the company is far too large and would receive no relief–a situation Hunker would like to see replaced by a trigger that focused more on market capitalization.

The clearest sign that the SEC will seriously consider making some changes is that even critics of the current reform proposals concede that the regulations now in place are far from perfect. "There clearly have been issues about the implications of 404," says Ann Yerger, executive director of the Council of Institutional Investors in Washington D.C. But she sees giving different sized companies a different set of standards as a dangerous policy precedent. "There are investors in these companies and we don't want to forget they need protection as well."

What she believes makes more sense is for the Public Company Accounting Oversight Board and the SEC to address the many issues small companies have with 404 within the current framework rather than consider exempting whole classes of companies. "The biggest challenge for the investment community is [that] it is easy to quantify the costs [of 404], but more difficult to quantify the benefits."

The lower level of outside oversight that smaller public companies tend to attract could also present problems to any large-scale 404 overhaul. "These are companies that have thinner layers [of oversight]," says ISS' McGurn. Smaller companies are less intensely followed by the analyst community, if at all; the largest, most experienced auditing firms may give them a pass in favor of larger clients and they may not get the same level of scrutiny from the credit rating agencies or the SEC. "You have restrained watchdogs, fewer of them surrounding these companies, so they don't have the level of scrutiny that larger firms have," adds McGurn. "So internal controls are key [so] these things don't go off-kilter."

It's not just corporate watchdogs who are troubled by the proposals as they stand. "My view is any public company that has other people's money should provide the management assessment required by section 404," says Robert Hirth, managing director and head of internal audit services at independent risk consultants Protiviti Inc. "To many the relationship between Section 302 and 404 remains somewhat unclear." At issue is whether a CFO and CEO team that signs off on 302 certifications are also attesting to the soundness of a company's internal controls as fully as they would under 404 attestations. Short of clarification from the SEC, that issue may have to be resolved in court. Another point that Hirth is troubled by is the fact that the reform recommendations don't contain penalties for companies that are given exemptions. For example, he agrees with the idea that smaller companies could be exempted from having annual external audits of their internal controls, as long as management makes its own 404 attestation. But when such a company issues a restatement of its financials or when a fraud is uncovered, such a company should then lose its audit exemption, he says.

FOCUS ON THINGS THAT WORK

One part of the dialogue should contain information sharing between companies on cost-effective compliance techniques that are effective. "Having a whistleblower hotline is inexpensive," says M/I Homes' Hunker, who says that outsourcing the function costs her company about $2,000 a year, including regular reports to the audit committee. "It's a good control because people feel comfortable." She also believes auditors should put more focus on areas that could be subject to abuse at smaller companies. "I sign off on non-routine journal entries," says Hunker. "That's an area where I believe a company could [fraudulently] adjust financial statement results." Protiviti's Hirth adds that the movement toward greater automation in traditional manual-based processes can greatly cut down on required testing. "Automating those controls makes the control itself that much cheaper and the documentation and testing cheaper as well."

Focusing on the most efficient, cost-effective compliance techniques won't end the debate over how much documentation, testing and retesting small public companies should be required to do. But while companies wait on a regulatory outcome, a focus on what works best for them is a place to start.