“Many smaller companies don’t have the in-house expertise to design and assess their internal control procedures, so they have to engage outside consultants to assist them,” he says. “Often smaller companies operate informally and their financial controls, while effective for companies of their size, are not well documented.”
Smart Business spoke with Martinez about the requirements of the Sarbanes-Oxley Act on smaller public companies and what those companies should be doing in the internal controls area.
In your practice, you advise public companies on their obligations under the securities laws. What issues do smaller public companies face under Sarbanes-Oxley?
There are a number of provisions of Sarbanes-Oxley that require companies to implement procedures that most people acknowledge are good corporate governance practices. However, the most controversial provision is Section 404, requiring public companies to certify their internal financial controls are effective in providing reasonable assurance that transactions are properly authorized and recorded according to applicable accounting rules, and that assets are safeguarded from unauthorized use. A company’s auditors are also required to separately audit management’s certification and provide their own conclusions as to the effectiveness of the company’s internal controls. In addition to the out-of-pocket costs incurred when hiring outside consultants and auditors to comply with these requirements, companies have to devote a significant number of employee man-hours to handle this process.
Is the SEC doing anything to reduce the burdens on smaller public companies in this area?
There has been a lot of discussion about how to resolve some of these issues and relieve smaller companies of the burdens in this area. On several occasions, the SEC has delayed the application of these internal control requirements for smaller companies, with the current requirement to comply starting with their 2007 fiscal year. Another delay may be forthcoming.
What should small public companies be doing now in the internal controls area?
Because of postponements by the SEC, many companies have put off the cost and effort of assessing and improving their internal controls, most hoping that these requirements will eventually be rescinded. However, despite the delays, it appears the requirement to certify and audit the company’s internal controls will not go away. Therefore, smaller public companies should not delay their plans to assess and improve their existing controls and to implement new internal controls to meet the SOX 404 requirements.
Companies should take advantage of the available time to adopt a well-planned 404 compliance strategy that factors in the need for greater operational efficiencies and allows them sufficient time to test and operate their improved systems to compile ample evidence of the effective operation of their improved controls. The conventional wisdom is that companies should start developing their plan for compliance 12 to 18 months before the requirement kicks in.
What are the consequences of failing your SOX 404 audit?
If it is determined that a ‘material weakness’ exists in a company’s internal controls, then the company and its auditors are required to conclude that the company’s internal controls are not effective and the company is required to publicly disclose these facts. Such disclosures may cause an adverse reaction by the investment community, often leading to a decline in share price. In addition, the lack of effective controls may result in the company’s auditors being reluctant to issue their audit report on the company’s financial statements, which in turn could lead to the delisting of the company’s stock.
From a liability standpoint, while the disclosure of ineffective internal controls in and of itself may not be cause for a law suit, any resulting misstatements in the company’s financial statements due to ineffective controls can lead to shareholder litigation and action by the SEC against the company and its officers and directors.
Finally, the conclusion that the company’s internal controls were ineffective at year-end could also raise questions as to whether the CEO’s and CFO’s prior quarterly certifications as to effective disclosure controls were accurate when made.
The prudent action is to begin preparing now for the day that your company is required to fully comply with SOX, especially Section 404.
JOSEPH G. MARTINEZ joined the Business & Technology Team of Procopio, Cory, Hargreaves & Savitch LLP after 12 years in private practice in two Los Angeles law firms, followed by seven years as in-house general counsel of a San Diego public technology company. Reach him at (760) 496-0778 or firstname.lastname@example.org.