SOX 404 Deadline Looms

What do you think about this article? Rate it using the stars above and let us know what you think in the comments below.
As the clock winds down on the December 15th, 2007, deadline for management's internal control assessment, non-accelerated filers are scrambling to comprehend and utilize the SEC's Final Interpretive Guidance regarding management's report on internal control over financial reporting (

The U.S Senate Committee on Small Business and Entrepreneurship has been fighting for the SEC to implement an extension for smaller businesses to comply with SOX 404, but more specifically: (1) to clarify major provisions in the new guidance, (2) to examine the cost-effectiveness of the proposals, and (3) to allow small public companies to apply these new provisions. These recommendations were declared by Senators John Kerry (D - Massachusetts) and Olympia J. Snowe (R - Maine), Chairman and the Ranking Member respectively, of the Committee, who have been integral voices for these entities.1 Over the past few years, after unpleasant episodes with Enron, Tyco, and WorldCom, public companies have taken major steps to develop their internal controls in order to improve the quality of financial reporting. In the July 2007 issue of Compliance Week, Senator Snowe noted that the SEC "has provided no assurances that the new internal controls rules will actually reduce costs for small public companies."2

SOX 404 Costs

According to the final report issued by the Advisory Committee on Smaller Public Companies to the SEC on April 23, 2006, companies with revenue of $5 billion or more spent an average of .06% of their total revenue on Sarbanes-Oxley compliance, whereas companies with revenue of $100 million or less spent an average of 2.55% of their revenue on SOX compliance.3 With fewer resources to bear these disproportionate costs, non-accelerated filers find the new guidelines to be less cost-effective than large corporations, who rely heavily on strong internal controls. With lower income being reported as a result of incurring SOX 404 compliance costs, the result is what many believe to be reduced shareholder value making smaller companies less attractive as investment opportunities than the large corporations.

In a USA Today article dated July 30, 2007, Jim DeBello, CEO of software firm Mitek Systems, discussed the SOX compliance requirements. "We consider ourselves a well-run small business," he stated. "We comply with all SEC requirements and consistently filed our quarterly statements." Mitek expects to earn somewhere between $6 million and $10 million in sales next year. Costs of section 404 compliance are estimated to be at least $600,000 for them, roughly the cost of hiring four new full-time employees, DeBello argues, and "that trickles down to employment, innovation, and our ability to grow."

Along with actual costs come the effects of opportunity costs associated with these new guidelines. Michael Ryan of the U.S. Chamber of Commerce noted, "The amount of time [that] management is spending on the process to comply with Sarbanes-Oxley takes them away from running the business, increasing sales, and developing new products." Ryan also argues that SOX diminishes auditor's professional judgment because of fears of second-guessing by regulators. He says SOX "runs the risk of creating a culture of avoiding risk, and that bleeds over from the issue of trying to eliminate wrongdoing."4

Impact on Non-Accelerated Filers

Non-accelerated filers have been making adjustments to comply with the newly-issued SEC guidelines of Sarbanes-Oxley 404, but not with ease. Herb Wander, Chairman of the SEC's Advisory Committee on Smaller Public Companies and partner at the law firm of Katten Muchin Rosenman LLP , suggested, "what's going to be hardest for them is, I think, trying to sift through the varying interpretations and new rules to try and come up with a workable system that works for them and will satisfy their auditors."5 For example, in the past, there has been a reliance on outside auditors to be part of the internal controls environment and interpret new standards in order to provide guidance to management of smaller companies. Now, SOX 404 guidelines make it clear that management will need to internalize these controls.

While many are opposed to SOX section 404, others are very positive about the legislation. They argue that the costs of implementation will decrease after the first year, and in the future will be beneficial. Non-accelerated filers may incur disproportionate costs in order to "internalize" some of their controls, however, there are benefits to be gained from this. Better customer service, reduced borrowing costs, efficiency, and consistency of reputation are all expected from stronger internal controls, potentially leading to a greater stockholder value. Therefore, while SOX 404 is initially expected to have a negative impact on income, it is reasonable to expect a positive impact in the years to follow.

Further Extensions

Recently, the U.S. House of Representatives approved an amendment to extend the filing deadline again for smaller public companies. If passed by the Senate and then signed by President George W. Bush, the deadline would be moved to September 30, 2008. The SEC has already postponed this deadline twice for smaller firms and has stood by the December 15th deadline after releasing guidelines to cut compliance costs in May. Lawmakers agree that the guidelines approved in May were an important step in cutting costs, but they still do not believe they were enough.

Jeffrey Mahoney, general counsel for the Council of Institutional Investors told Governance Weekly that this measure would hurt investors, who have been waiting for better quality financial reporting from small and mid-size companies. "These [smaller companies] are where most of the fraud exists and where most of the restatements have taken place," Mahoney said. "I think they need these controls, and it is long past due to have them in place."6 Regardless of potential further extensions, non-accelerated companies should take advantage of the current guidance and begin their implementation projects.

Marcum & Kliegman's Recommendation for Implementation

Based upon the SEC's Final Interpretive Guidance for Management to improve SOX 404 implementation, there is an opportunity to make the process more efficient. The guidance highlights three general principles (in bold) and four specific principles (in italics) as areas of improvement. Using a top-down, risk-based approach, management needs to focus on risk and materiality, as well as on controls that are needed to prevent or detect material misstatements in the financial statements. In actuality, not every control in the process needs to be documented, only the controls that address the risk of a material misstatement. Management should also tailor the amount of evidence needed to determine operating effectiveness based on the risk of material misstatements. This guidance will allow management to use a variety of cost effective ways to evaluate the operating effectiveness of its controls. It also has a deficiency evaluation framework for evaluating deficiencies and outlining the material weaknesses. Finally, management will be allowed greater flexibility in the documentation of its evidence and testing. Documentation may consist of many different forms. For example, for high risk processes, documentation will remain the same under the new guidance. However, for moderate and low risk processes, documentation may be reduced — for example, through less detailed flowcharts or no flowchart, respectively. For testing, the nature, timing, and extent of what is tested will be impacted by the level of risk.


Small companies should coordinate with their SOX 404 consultants, external auditors, and other key stakeholders to ensure that implementation is efficient as well as effective. While there are certainly costs to implementing SOX, benefits can be obtained by making SOX a sustainable process and embedding it in the way business is conducted. As former Maryland Senator Paul Sarbanes, who was the principal draftsman of the law, reminded all public companies, small and large, going public is no cakewalk. "Companies that go public need to understand not only the benefits, but the responsibilities. It's not just a free ride."7

For further information and to discuss how Marcum & Kliegman may assist you with your Governance, Risk Management, and Compliance needs, contact Donald Browne at 212 981 3197.

End Notes

1. Sullivan, Thomas M. "Office of Advocacy - Letter Dated 05/25/07." SBA. 27 May 2007. Small Business Administration. 8 Aug. 2007 <>.

2. Aguilar, Melissa K. "Final 404 Guidance Out; Small Cos. Now Included." Compliance Week July 2007: 12+.

3. Final Report of the Advisory Committee on Smaller Public Companies to the U.S. Securities and Exchange Commission. Securities and Exchange Commission. Washington DC: SEC, 2007. 33. 1 Aug. 2007 <>.

4. Farrell, Greg. "Sarbanes-Oxley Law Has Been a Pretty Clean Sweep." USA Today 30 July 2007, sec. Money.

5. Schmidt, Kathrine. "Small Businesses Now Bracing for Hurricane SOX." Compliance Week July 2007: 45+.

6. Schmidt, Kathrine. "Small Businesses Now Bracing for Hurricane SOX." Compliance Week July 2007: 45+.

7. Farrell, Greg. "Sarbanes-Oxley Law Has Been a Pretty Clean Sweep." USA Today 30 July 2007, sec. Money.
If this article has helped you in some way, will you say thanks by sharing it through a share, like, a link, or an email to someone you think would appreciate the reference.

Popular tags:

 investments  Compliance Week  small businesses  compliance requirements  managers  assessments  Sarbanes-Oxley  controls  annual reports  USA Today

I found a new job! Thanks for your help.
Thomas B - ,
  • All we do is research jobs.
  • Our team of researchers, programmers, and analysts find you jobs from over 1,000 career pages and other sources
  • Our members get more interviews and jobs than people who use "public job boards"
Shoot for the moon. Even if you miss it, you will land among the stars.
ComplianceCrossing - #1 Job Aggregation and Private Job-Opening Research Service — The Most Quality Jobs Anywhere
ComplianceCrossing is the first job consolidation service in the employment industry to seek to include every job that exists in the world.
Copyright © 2024 ComplianceCrossing - All rights reserved. 21