Companies with a market value of $787 million or more were the first that had to prove compliance with Section 404 of the Sarbanes-Oxley Act, which requires annual assessment and reporting of internal financial controls. But now, despite a deadline extension for those with a market value of $75 million or less, time is running short for Section 404 compliance. Starting with fiscal years ending December 15, 2007 or later, small firms must prove the validity of their internal controls. The previous deadline was on or after July 15, 2007. And by December 15, 2008, they must have an auditor sign off on management’s annual reports. An exception is made for newly public companies, which are exempt from meeting SOX requirements in their first annual report after going public.
But SOX compliance is no easy task, especially for small firms with limited resources. It takes time and planning to implement new policies and procedures. The cost and work required to modify existing software or implement new applications can be a big burden on small firms.
“While all companies incur incremental costs to design and report on internal control over financial reporting, costs can be proportionally higher for smaller companies,” says one report, “Internal Control over Financial Reporting – Guidance for Smaller Public Companies,” published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO is the creator of a widely used and highly regarded framework for SOX compliance, which it recently tailored just for small firms.
The COSO report contains good news too. It’s a methodology for compliance and one in a growing list of small business compliance resources. For instance, the Securities and Exchange Commission has a small business advisory panel. Consultants such as PricewaterhouseCoopers (PWC) and trade groups such as the Institute of Internal Auditors (IIA) offer reports and tips to help. And software providers, including SAP, offer a wealth of compliance applications.
Compliance spending and COSO principles
AMR Research estimates that companies will spend $6 billion on SOX compliance this year, the same as they did in 2006. Total governance, risk management and compliance (GRC) spending should reach $29.9 billion, the researcher says, up 8.5 percent from 2006.
As well, PWC reports in its “2006 State of the Internal Audit Profession Study” that more than 50 percent of companies surveyed say SOX requirements have led to an increase in internal audit resources, such as hiring more people or installing new software.
To help small companies address increased auditing needs and at the same time control costs, COSO’s report offers 20 specific principles. And it places those principles within the five components of its standard compliance framework. The components are the creation of a control environment and the performance of risk assessment, control activities, information and communication tasks and monitoring activities.
COSO’s 20 principles advise companies to be competent in financial reporting, to have a sound organizational structure and to identify, analyze and manage risk. They also contain advice about technology, such as a suggestion that small companies design and implement software controls that support financial reporting. “The reality of limited internal information technology resources often can be dealt with through the use of software developed and maintained by others,” the report says.
COSO also suggests that companies focus on quantitative and qualitative factors that could affect financial reporting. It suggests that monitoring systems be used to back up risk management processes. The idea is to put in place procedures that enable companies to evaluate the quality of financial reporting and require them to report in a timely fashion if deficiencies are found.
COSO also lists a range of benefits for small companies that comply with SOX. Benefits include a better ability to access capital markets, since compliant companies are able to prove their financial status. They can make better decisions, since management will have insight into and oversight of financial processes. And they can improve the speed, reliability and accuracy of transaction processing, which can help keep compliance costs down in the long run.
“With the use of this guidance, management of smaller companies can meet the challenges of their unique environments, lessening incremental costs and achieving the benefits of effective internal control,” the report says.
Benefits for private companies
Even small firms that are privately held should strive for SOX compliance, researchers say. Especially if management ever intends to take the company public, it’s beneficial to have regulatory compliance systems already in place. PWC wrote a report specifically focused on this topic, “Private companies: are your internal controls supporting your business strategy?”
“Although the law [SOX] and its supporting regulations apply only to public companies, putting aside the compliance factor, private companies usually derive the same benefits from enhanced controls as public companies,” the PWC report says.
It goes on to list benefits including heightened credibility with stakeholders, reduced risk of errors or irregularities, greater control over the management of business growth, reduced costs obtained from greater operating efficiency, and lowered risk of employee or customer litigation. AMR highlights this idea, noting in its research that 42 percent of companies surveyed report that streamlining business processes is the primary benefit of good governance.
Software companies, including SAP, offer tools too. SAP Business One, for instance, enables managers to receive “alerts” to identify situations that require attention, such as variance from budget or cash flow issues.
Peter Russo, the director of the Entrepreneurial Management Institute at Boston University, wrote this about SAP Business One: “Implementing SAP will not ‘solve’ an emerging growth company’s regulatory or compliance issues. On the other hand, I can see how this product can be a valuable tool for management as it tries to address the increasingly complex demands that it will face.”