The Sarbanes-Oxley Act of 2002 was supposed to help investors, not sink companies.
But Section 404 of the sweeping law - certifying the integrity of corporate internal controls - may be threatening the financial health of smaller public companies. And Auditing Standard No. 2 of the Public Company Accounting Oversight Board - on auditing internal controls - hasn't made the situation any easier.
After receiving an avalanche of complaints, the Securities & Exchange Commission appointed an advisory committee to examine the impact of Sarbanes-Oxley on smaller SEC issuers. The Committee of Sponsoring Organizations of the Treadway Commission also swung into action with a new project on implementing the COSO Control Framework in Smaller Businesses. COSO has engaged Big Four firm PricewaterhouseCoopers to develop the project.
"The SEC wanted COSO to take a look at this because of the number of complaints they had from small businesses about the constraints of PCAOB Standard 2 and their expectation that they are probably never going to pass a control assessment by a public accounting firm because a control weakness can throw the whole audit into a negative opinion," said David Richards, president of the Institute of Internal Auditors, which is a member of COSO. "Small businesses have a much harder time complying with some of the basic internal controls because they don't have the staffing and sophistication of larger companies."
The COSO task force has already begun a search and analysis to find a way for smaller companies to meet SEC requirements. The 20-member task force includes representatives from the IIA, the American Institute of CPAs, the Institute of Management Accountants, the American Accounting Association, and Financial Executives International, plus observers from the SEC and the PCAOB, and the PwC team.
"The problem is one of uncertainty among small businesses as to how they achieve the internal control objectives in a cost-efficient manner," said Larry Rittenberg, Ph.D., CIA, CPA, COSO chairman and Ernst & Young Professor of Accounting at the University of Wisconsin. "That's not unique to small businesses, but it's small businesses that have unique problems, given their size and difficulties in staffing up to meet some of the basic, fundamental control concepts."
Rittenberg explained that the biggest problems the COSO task force is addressing deal with the control environment, such as the "tone at the top," checks and balances over management, basic segregation of duties, and controls over information technology. He said that many of these problems are more readily solved in larger companies, but that it is not impossible for smaller companies to solve them cost-effectively. Some companies may need to hire new staff or consultants.
Creating a different kind of risk
Larry White, deputy chief financial officer of the U.S. Coast Guard and chair of the IMA, said that he was hearing companies complain that the Sarbanes-Oxley solution to investment risk was actually creating a different kind of risk.
"Small public companies are inherently risky," White said. "When they have to devote significant resources to financial reporting on risk, it may have bigger impacts on other types of business risk. Many management accountants tell me, 'We were on this path, doing a lot of business analysis, partnering with operations, and now all of a sudden we're walking around putting inspection schemes in place.' They aren't happy about this, and they feel they are adding less value than they were previously. That's the trade-off. The operations side of the company isn't getting the same attention from the financial side because resources are now diverted to compliance issues."
The task force's objective is not to change COSO's control framework, which the SEC and the PCAOB accept as a standard, but to write guidance that helps smaller companies implement the framework within their relatively constrained resources. Some companies, Rittenberg said, have already found ways to apply the principles in the small business context.
"There are solutions," Rittenberg said. "They may not be the solutions that people want to hear, but there are solutions. Otherwise, we would not have taken the project on. I don't think any of the problems are intractable. ... We are going to lay out the objectives of the framework and suggest alternative ways that companies are achieving and can achieve these objectives. The report will be constructive and should help small businesses meet the challenges of good internal control."
Benchmarks, best practices
The guidance that the task force produces will likely take the form of benchmarks and best practices that have worked for certain companies. Rittenberg said that the chances of the task force recommending changes to the framework are "very, very remote."
The task force plans to hold a one-day forum on May 5 in Chicago so that a variety of companies can discuss the explicit problems that they are having. Rittenberg invited all small companies to express their frustrations and share their solutions with COSO via its Web site or with him directly via e-mail to lrittenberg@bus.wisc.edu.
The group hopes to issue an exposure draft of a guidance document by late summer.