Study Finds SOX Delays Were of Little Benefit to Non-Accelerated Filers
Smaller public companies did not take full advantage of multiple deadline extensions for Sarbanes-Oxley Section 404 compliance, according to a new study by SOX research and consulting firm Lord & Benoit.
In “First Year SOX Results for Small Business: Benefits of the Delays,” which was published in September, the firm studied all 3,321 smaller U.S. public non-accelerated filers with fiscal year-ends between Dec. 15, 2007 and Jan. 31, 2008. They aimed to determine whether or not these companies benefited from the continuous delays in compliance deadlines.
For companies with a public float under $75 million, delays for complying with Section 404 (a) moved from year ends after July 2005, to July 2006, then July 2007 and finally Dec. 15, 2007. Section 404 (b), auditor attestation, has been extended to years ending Dec. 15, 2009 or later.
The logic behind the delays was to give smaller companies time to identify and correct internal control weaknesses over four years, rather than forcing them to attempt to do so in one year as was required of their larger counterparts. Too, the extensions would allow smaller companies to spread the costs of compliance over a four-year period.
For the year ended Dec. 31, 2007, non-accelerated filers were required for the first time to file a Section 404 (a) assertion about the effectiveness of their Internal Controls over Financial Reporting (ICFR). Based on the results of those filings, the Lord & Benoit report sought to answer two questions:
- What can be ascertained about the four year delay?
- What can be asserted about the wisdom of additional Section 404 (b) extensions?
What they found, based on data provided by Audit Analytics, was that the time companies bought with the four-year delay was not, for the most part, used wisely. Of the Section 404 (a) reports filed by first-year non-accelerated companies, 18.6 percent were non-compliant. Of those, nearly 7 percent failed to file a report at all, while nearly 4 percent filed a faulty report. Nearly 8 percent disclosed inadequate segregation of duties without any evidence of complying or indicating in their report that they did not comply.
“The results are obviously disappointing. Perhaps the four years of delays lulled companies into thinking 404 (a) would go away. Unfortunately, only a small majority used the time wisely to establish QA measures in financial reporting,” said the report’s author, Bob Benoit, president and director of SOX research for Lord & Benoit.
The study also found that:
- 34.4 percent had an ineffective controls assertion, an amount more than double those of accelerated filers who filed their first time reports four years earlier (16.9 percent) and approximately four times greater than those of accelerated filers today (8.6 percent).
- An examination of 242 late filers revealed that only 50 had submitted a Section 404 (a) report as of Sept. 1, 2008; of these, only 19 (38 percent) disclosed ineffective internal controls over financial reporting. The remaining 62 percent said their controls were effective.
- An average of just one in eight smaller public companies filers had consistent reporting under Section 404 (a) and Section 302 the quarter before.
- Compared to accelerated filers, the rate of non-compliant audit committees in smaller public companies was 10 times greater (19 percent) compared to the percentage of accelerated filers with adverse reports resulting from non-compliant audit committees.
- More than 78 percent of companies that filed adverse Section 404 reports cited material weaknesses from “tone at the top/ethics” and “competency/training,” while 68.5 percent cited “GAAP departures” and 54.4 percent cited “ineffective design of controls.”
“I believe we have just seen the tip of the iceberg,” said Benoit. “Once auditor attestation is required, we'll see another surge of material weaknesses reported to investors. Many companies are still not taking SOX 404 (a) seriously and perhaps won’t until external auditors have a direct means of communicating material control weaknesses to investors.”
At least one of the report’s findings was a surprise to OXiGENE Corporate Controller Jeffrey Ammons, who has worked with 10 companies on SOX and was corporate project manager on four clean opinions.
“The fact that 7 percent didn’t file a 404 report at all is surprising. I’m not entirely sure how that could happen. The requirement is for a company to report in item 9A of their 10K on the effectiveness of the design and operation of their internal controls. If there is a problem, the company should identify [it] and comment on the action plan to remediate. I would think if the company failed to meet that requirement, it would lead to a qualified financial statement opinion by the auditors in the 10K.”
Ammons cites as an example discussions he had with one non-accelerated filer that was looking for assistance to correct a material weakness identified by their audit firm as part of the financial audit prior to the filer’s requirement for SOX.
“The auditors were concerned about this company’s lack of qualified accounting staff and the complexities of their financial reporting. Based on that, the auditors could not opine on the quality of the financial statements,” he said.
Overall, however, Ammons said the findings were consistent with what one would expect from smaller public companies. With fewer financial resources to invest in policies, procedures and processes, non-accelerated filers are more likely to have immature internal controls.
Smaller companies are also less likely to have access to – or choose to invest in – financial talent with the SOX and public accounting experience necessary to guide them through the process.
“It’s all very consistent with lifecycle thinking,” he said. “As a company grows and gets more complex, it needs to invest in the infrastructure. Often times, it takes a breakdown to create breakthrough.”
Ammons does believe that compliance delays benefited non-accelerated filers, in direct contrast to the original implementation of the SOX Act of 2002 for accelerated filers.
While it may be true that non-accelerated filers took little proactive action based on the delays, “at least the requirements are better understood and companies are regaining some leverage in dealing with the auditors on issues,” he said.
He also pointed out that, with guidance provided by the PCAOB under AS-5 Risk Based Approach, SOX projects should be less costly.
“When the SEC delayed the initial implementation of the Sarbanes Oxley Act of 2002, auditors would not answer questions about SOX requirements. It created over-engineering of control objectives, flow charts, narratives, and entirely too many cycles and key controls. From that was created a requirement to manage version control and maintenance of all this time consuming documentation,” he said. “Much of that is [now] simplified and there are financial people who now have valuable experience that can help non-accelerated filers manage their projects much more efficiently.”
Also In This Month's Issue: