There has been a lot of fulminating over the Sarbanes-Oxley Act (SOX) in the week or so since the a House subcommittee added a provision to the consumer protection act legislation that would permanently exempt all companies with a market float of less than $75 million from compliance with section 404 of SOX. This has been described as “gutting” the legislation by some commentators, columnists and bloggers in major news outlets. I think that assessment is just wrong.
It’s possible that those hyperventilating on the exemption simply don’t understand the nature of these entities. Companies with a public float less than $75 million are typically mid-size corporations with somewhere between $20 and $70 million in annual revenues and between 150 to 500 employees, of which maybe a dozen or two may be in the finance department. Fortune 500 they’re not. For many of these companies, the cost of a section 404 audit is a burden in the time spent by employees and fees paid to auditors. I don’t think it’s unreasonable to exempt these micro-capitalization companies from bearing the burden of section 404 compliance at the possible cost of failing to protect people who are determined to lose money in the stock market chasing hot tips and penny stocks. (It’s unclear to me how section 404 would protect these folks anyway.)
The purpose of the Sarbanes-Oxley Act was to protect investors (especially individual investors) by reducing the risk they would get fraudulent (or at least materially misleading) financial statements from companies they invest in (See “Sarbanes Oxley, Risk Management and Internal Audit). Most individual investors do not own stock in companies with market floats of $75 million or less unless (1) they own the company or a big part of it, (2) they inherited a big position in it from Grandpa Gus or Aunt Louise who started it, (3) a very close pal or business associate is running the company or (4) they are a complete idiot, very likely on the receiving end of a pump-and-dump scheme. Professional money managers also deserve protection, to be sure, but they have more resources and training and have a diversified portfolio. Moreover, a fraud in a $50-million market cap company is not going to have the economic and social repercussions that frauds like Enron, WorldCom and Quest had (companies with multi-billion dollar market floats).
That noted, it’s clear that these 404 audits are not as burdensome as they used to be. For those who may not have been paying attention, a couple of years ago the Public Company Accounting Oversight Board made an important change to its interpretation of section 404, resulting in Accounting Standard (AS) 5. The big problem with SOX release 1.0 was that it confused the need for financial statement governance with finance department governance. Auditors (being auditors) saw the logical possibility that (for instance) poor travel and entertainment reimbursement procedures might cascade into the next Enron and so everything was fair game. AS 5 restored some sanity to the audit, explicitly forcing auditors to focus only on material risks directly related to the financial statements. It’s not an annual boil-the-ocean routine anymore. But I’m still willing to go along with the exemption because even if it costs less money than it used to, it’s still more money than these businesses can afford.
It’s true that after some study of the matter, the exemption may be expanded to those companies with a public float of $250 million or less. But that will happen because the cost of compliance is too burdensome for these companies relative to the potential benefit of the audits. Since those costs have come down considerably, this fear may be misplaced.
So unless I’m missing something, it’s hard to see the SOX exemption for the smallest public companies as anything more than vigorous exfoliation; not evisceration.
Let me know your thoughts or come and collaborate with me on Facebook, LinkedIn and Twitter.
Robert D. Kugel CFA - SVP Research