Section 404(a) of the Sarbanes-Oxley Act, together with SEC rules implementing the provisions of the Act, require management to assess and report on the effectiveness of internal control over financial reporting (ICFR). It took a few years for the SEC to phase everybody in, but all public companies, large and small, are now subject to the requirement.
As pretty much everyone knows, however, S-0X 404 doesn't stop with a management report. Auditors get in on the action in Section 404(b). Therein is the lucrative requirement that an independent auditor attest to management's assessment regarding the effectiveness of their internal controls over financial reporting (ICFR). One person testifying before Congress has called the provisions of S-OX 404(b) the largest windfall to audit firm partners in history, and as I will soon describe, 6,000 more public companies await a new 'service' for which the benefits are, to be charitable, unclear.
Why S-OX 404(b) is Little More than Chicken Salad for Auditors
The corporate corruption scandals that got politicians moving on the Sarbanes-Oxley Act of 2002 were the result of fraud by CEOs and CFOs. ICFR can have little to no impact on the actions of the top executives, because they always possess the power to override internal controls, or sometimes to orchestrate collusive schemes that circumvent those controls. Thus, Section 404 cannot possibly do much to mitigate these particular sources of fraud risk; and there is no better example of that than Enron itself. I have been told (but have not verified) that Enron was the only public company to disclose with much pride and pomp that it paid its world-class, independent auditor to perform a separate evaluation of internal controls. Andersen's report was, of course, clean as a whistle.
No one should doubt as well, that Enron's relationship with its auditors wasn't much cozier than the norm, either. No matter who the client is, and especially if it is a big one, material weakness are generally only reported after an error has occurred; i.e., after a control has obviously failed. Thus, all the machinations to test ICFR, and prevent a control from failing, don't add much beyond the testing of account balances that occurs as part of the regular financial statement audit.
So, it remains questionable at best, that S-OX 404(b) has created a safer environment for investors to trade their shares. Auditors, on the other hand have been champing at their bits, waiting for the SEC to throw them some fresh meat: the 6,000-odd smaller public firms (technically, "non-accelerated filers) who are not yet required to pay for an ICFR report.
Chicken Salad Days Appear on the Horizon
The auditors received some good news on that front a few days ago when the SEC announced that the stay of execution for non-accelerated filers would be extended only until their annual reports for fiscal years ending on or after June 15, 2010. Chair Schapiro and one other commissioner also issued statements to 'assure investors' that no further extensions would be granted.
Indeed, the SEC's Office of Economic Analysis has completed the last of the SEC's go-through-the-motions machinations to steer S-OX 404(b) through the gauntlet of thousands of irate registrants who resent the additional audit fees imposed upon them -- and the additional hoops they must jump through. And, what did OEA's report have to say? As it turns out, not much at all. Although changes to SEC and PCAOB guidance may have reduced the cost of S-OX 404(b) implementation for companies that currently must comply, OEA did not even address the key question: whether the costs of complying with S-0X 404(b) has been less than the benefits, or whether benefits can be expected to exceed the costs of compliance for the 6,000 companies in line to be plucked. It must surely be the case for non-accelerated filers that initial implementation costs are most onerous, especially in an economic down cycle. But nothing so obvious and significant was to be found in the OEA's report.
The Skinny on the Costs and Benefits of Section 404(b)
If I were writing OEA's report, I might have begun and ended with the following modest, albeit virtually dispositive, back-of-the envelope calculation: The total value of all public traded equities in the U.S. is very approximately $14 trillion, based on information available from indexes published by Wilshire Associates. Let's conservatively assume that each and every non-accelerated filer has a total market cap of $75 million, which is the maximum market cap for a non-accelerated filer. Even under that very conservative assumption, 6,000 non-accelerated filers comprise (at the very most) only 3.2% of aggregate equity values.
In the best of worlds (i.e., assuming that there is real information in an auditor's attestation report) can the new fees that auditors will charge these 6,000 smaller companies provide loss protection that will cover the billions of dollars in aggregate fees? Don't bet on it.
In fairness, the SEC would say that their hands are tied; S-OX directs the SEC to require ICFR attestation reports from all public companies. So, what should really happen is for Congress to wake up and amend S-OX to permanently exempt non-accelerated filers from the requirements of Section 404(b). Will it happen? Don't bet on that one, either.
What upsets me the most is that chair Schapiro is once again catering to the wishes of the Big Four instead of affecting much needed reform, as she has pledged to do. Schapiro should use her bully pulpit to inform Congress that they have created an obvious case of excess regulation. Notwithstanding the sorry fact that S-OX 404(b) has devolved into a waste of time for all issuers, to extend it to non-accelerated filers would be nothing less than criminal.
Instead, of rushing to require ICFR audits, why don't we just sit back and wait to see how many non-accelerated filers will voluntarily submit to an examination of their ICFR – just like Enron did.