Small public companies that held out hope for a permanent exemption from the Sarbanes-Oxley corporate reform law were disappointed last week when the Securities and Exchange Commission proposed to ease -- not eliminate -- the law's requirement for annual reports on internal financial controls.
As early as next year, small businesses with public stock or public debt worth $75 million or less probably will have to conduct the assessment, remediation and reporting of internal financial controls that have been required of large public companies since 2003.
In 2008, small businesses also will have to hire external auditors to conduct a separate evaluation of their financial security controls unless the Dec. 15 deadline for filing that year is extended again.
Companies of all sizes have complained about the cost and time required to create, assess, test and report on these controls, which often cover processes including payroll, background checks on employees and the formulas used to compute figures on financial spreadsheets.
Small companies in particular have worried about costs to comply with the rules.
"They are hoping it will just go away," said John Golisch, a partner in the Los Angeles office of accounting firm BDO Seidman.
The SEC has issued several extensions for small companies, which now have until Dec. 15, 2007, before they are required to include a report on their controls with their annual financial filings.
Some corporate executives have gotten a head start. Among them is Lance Kintz, chief financial officer of Inn of the Mountain Gods, a resort and casino in Mescalero, N.M. The private company, which has publicly traded debt, decided to overhaul internal controls to comply with Sarbanes-Oxley requirements when it added two casinos and doubled in size a few years ago.
"The way we've treated it here is that the control processes, the documentation, the training that we have benefit the organization," Kintz said.
The Mescalero Apache tribe owns the enterprise, which posted $115 million in revenue for its fiscal year ended April 30. Kintz's predecessor hired Protiviti Inc., which has an office in Phoenix, to build its internal audit functions.
That continues to be a good outlay in part because investors seek out the company and pay a premium for its debt because of its commitment to corporate governance, Kintz said.
He is less laudatory about the four paragraphs in the law known as Section 404 that require annual testing of internal controls and an outside audit of the effectiveness of those controls.
Kintz has budgeted about $1 million a year to pay for Sarbanes-Oxley expenses, 70% of which he estimated would cover what he hoped would eventually be "less rigid 404" requirements. Like most other corporate executives, Kintz would rather spend the money on other business needs.
To address such concerns, the SEC proposed last week to allow management to use its own judgment to decide which of its financial processes carry the most risk for possible fraud and should be the target of most of its efforts.
Companies have been relying on the judgment of outside auditors, who have often erred on the side of caution and have included items that may not have a large effect on the bottom line. That has made the law more costly and time-consuming to implement than expected.
Because smaller companies typically have simpler internal systems than large companies do, the proposed change is expected to allow them to use less complicated and thus less costly evaluation methods and controls.
The SEC last week also proposed dropping another costly requirement: that companies pay for outside accountants to evaluate how they assessed their internal controls. Companies would still have to use outside auditors to evaluate the effectiveness of their internal controls.
The commission, which is required to enforce Sarbanes-Oxley and provide guidance for companies, will seek public feedback on its proposed changes and is expected to issue a final version in the spring. Additional changes are possible as regulators attempt to balance the needs of investors for strong financial controls with the potential negative effect on businesses.
Audit professionals caution small companies against waiting for final rules before tackling compliance issues.
"This has been the challenge since inception for all companies," said Stephen J. Giusto, chief financial officer and executive vice president of Resource Global Professionals, a Costa Mesa-based professional services company that has an audit arm. "If you waited long enough for the regulators to get guidance out, it was too late for you to actually comply."
Golisch of BDO Seidman estimated that it would take a small business about six months to do the work necessary to comply with current Sarbanes-Oxley rules, starting with a top-down assessment of internal controls and how they were communicated to employees.
A small company with a single location typically has 13 transaction processing cycles to consider, he said.
Under current rules, a company would trace a transaction from its origins, such as the original sale of a product, to when the revenue generated is rolled into a company's financial statements. That could include checking security controls along the way, such as who opens the mail and how a payment is deposited at the bank.
Small companies have to give themselves time to follow a complete cycle, check for problems, make fixes and then retest the cycle, Golisch said.
Jeff Newcom, associate director of Protiviti, recommends that companies avoid a last-second jam to comply, which costs more and doesn't allow a company to reap the potential benefit of creating a strong internal control system.
"It's what we call moving from project to process," Newcom said, "so it's baked into how they do business."