Diagnostics & Imaging Week Washington Editor

WASHINGTON – The Sarbanes-Oxley Act of 2002 (SOX) was roundly applauded in the financial press as promising more transparency and enabling stock traders to buy and sell with more confidence. However, smaller firms soon found – and have since vociferously expressed their view – that the reporting requirements are burdensome and put them at a further disadvantage against their larger rivals.

In response to those complaints, the Securities and Exchange Commission (SEC) recently suspended the rollout for "smaller businesses" of SOX Section 404, which addresses corporate management's responsibility for setting up and maintaining internal controls and procedures for financial reporting for firms that offer their stock for public sale.

And the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has now released guidance on small business use of its framework for compliance with Section 404. Section 404 also requires an annual report on the effectiveness of those controls.

The new guidance further describes the components of internal control, including risk assessment, information and communication, and monitoring. Each is defined and described in some detail, and the guidance offers "real-world examples of how smaller companies have effectively applied the principles," according to its executive summary.

In the summary, COSO states that the guidance, released yesterday, "is directed at smaller public companies . . . using the Framework in designing cost-effective internal control over financial reporting."

The Framework in question is COSO's 1992 document titled Internal Control – Integrated Framework, a response to a series of financial scandals erupting in the late 1980s.

The executive summary indicates that it is not practical to establish a "bright line" that defines smaller businesses but offers a list of characteristics, including "fewer personnel, many having a wider range of duties" and "limited ability to maintain deep resources in line as well as [in] support staff positions," including accounting and auditing staff.

The document further notes that while "it may be difficult to measure impacts associated with inaccurate financial reporting, market reactions . . . clearly signal that the investment community does not readily tolerate inaccurate reporting."

The fact that "many smaller businesses are dominated by the company's founder or other leader who exercises a great deal of discretion" does not mean that internal controls are unavailable, but such circumstances may require protocols to ensure that normal controls are not overridden without just cause.

The summary recommends that smaller firms look at several mechanisms that may enable cost-effective compliance, including the use of a board of directors and implementation of electronic reporting.

On the latter subject, COSO comments that "software developed and maintained" by an entity outside the company "still require[s] controlled implementation and operation, but many of the risks associated with in-house developed systems are avoided."

The COSO guidance runs parallel to an effort by the SEC to boost widespread compliance with Section 404 of SOX.

On May 17, the SEC reported that it would postpone briefly the small-company requirements, "although ultimately all public companies will be required to comply." SEC Chairman Christopher Cox added that "we will consider the special concerns of all companies that fall under our jurisdiction."

Scott Taub, acting chief accountant at the SEC, said that the open-period comments "added significantly to the development of the guidance" and expressed the hope that it will "help smaller companies more efficiently and effectively implement" Section 404.

The Biotechnology Industry Organization (BIO; Washington) chimed in as well on the new guidance.

Jim Greenwood, association president and CEO, said that the guidance indicates that the SEC "understands the heavy cost burdens associated with the one-size-fits-all approach" and expressed his appreciation for the work by the SEC to "incorporate practical, risk-based reform of Sarbanes-Oxley."

In testimony to the House Government Reform subcommittee on regulatory affairs, David Lawrence, chief financial officer at Acorda Therapeutics (Hawthorne, New York), said that in a May report, the Government Accountability Office indicated that "smaller public companies at the bottom 6% of total U.S. market capitalization pay up to $1.4 million on external auditors for Section 404 compliance," resulting in significant opportunity costs by "draining resources away from innovation and research."

Lawrence also noted that under the original Section 404 requirements, "microcap and small-cap companies . . . will be required to implement internal processes and organizational changes that are completely contrary to the rapidly changing and highly competitive markets in which we operate."

COSO's "Treadway Commission" nomenclature derives from the 1985 founding of a private-sector effort to reform financial reporting called the National Commission on Fraudulent Financial Reporting. This organization's first chairman was James Treadway Jr., then the executive vice president and general counsel for Paine Webber, now part of financial services behemoth UBS (Zurich, Switzerland).

Treadway also served as chairman of the SEC from September 1982 to April 1985. The Treadway Commission's founding was the work of five organizations: the American Institute of Certified Public Accountants (New York), the Institute of Internal Auditors (Altamonte Springs, Florida), the Financial Executives Institute (Florham Park, New Jersey), the Institute of Management Accountants (Montvale, New Jersey) and the American Accounting Association (Sarasota, Florida).