NEW YORK — Complying with Section 404 of the Sarbanes-Oxley Act is turning out to be a heck of a headache, and an expensive one — especially for smaller-sized companies.
Section 404 requires managers of public companies to establish and maintain internal controls with regard to financial reporting. The section also requires the auditing firms to not only sign off on the financial reports, but attest that the management of the audited company made the necessary internal assessments.
According to a study published by Korn/Ferry International, complying with Section 404 cost companies an average of $5.1 million. Moreover, ongoing compliance to the law trims, on average, $3.7 million from a company’s bottom line.
“It’s a very expensive, very complicated thing,” said Laurence Leeds Jr., chairman of Buckingham Capital Management in New York. “The dollar amount, in addition to the time required to comply, has and will continue to affect the bottom line.”
In a separate study and survey by Financial Executives International, companies with sales of $5 billion or more spent an average of $4.4 million to implement Section 404, which is “39 percent more than they had budgeted. In addition, 94 percent of all respondents said the cost of compliance exceeded the benefits,” according to the National Retail Federation, citing the survey.
Compliance to Section 404 couldn’t come at a worse time. Retailers were caught off guard earlier this year when the Securities and Exchange Commission changed the way companies account for their leases.
The result of these two changes have caused dozens of companies to delay the filing of their annual reports.
Earlier this month, the NRF sent a letter to the SEC expressing its concerns while encouraging the commission to review the regulations.
“It has been too costly,” said Carleen Kohut, chief financial officer of the NRF. “We have heard talk of some companies wanting to delist as a result of the complexities of Section 404. I would imagine that for every hard dollar spent in complying, there are probably two soft dollars lost in terms of resources and staffing.”
Recent data supports the NRF’s claim. In a published study from the Wharton School of Business, 198 American companies had deregistered from exchanges in 2003. This is nearly three times as many deregistrations as in 2002, which was one year after Sarbanes-Oxley was passed.
“We support the principles of sound and transparent financial reporting and the underlying importance of effective internal controls,” said NRF president and chief executive officer Tracy Mullin in a letter to SEC chairman William H. Donaldson. “We have concerns, however, that confusion about and inconsistent application of the act have undermined its objectives and effectiveness. We further question whether the initial intent of this act — to restore investor confidence — has been balanced against the cost of its implementation.”
In the letter to the SEC, the NRF urged the commission to lay out clearer guidance “to ensure consistency of Section 404 application by the public accounting firms,” while also providing “direction on the use of materiality when determining tests of controls, and allow independent auditors to place more reliance on internal audit and management’s internal control testing.”
The NRF went on in the letter that “auditors have long used risk-based assessment to determine the scope of a financial statement audit. The practice allows the auditor to focus on areas that have the greatest potential for misstatement, error or abuse.” This is the same approach used in the internal control assessment by the reporting company.
“Our members believe that independent auditors did not use this tool as effectively as possible in their compliance testing,” the NRF said in the letter. “Rather than focusing on the areas that posed the greatest level of risk — such as the ethical culture of the company, entity-wide controls, nonroutine transactions, new markets, areas of rapid growth or new technology implementation — auditors seemed to treat the entire business as a more risky venture and insisted on testing an inordinate number of medium- and low-risk controls.”
The NRF went on to say that the independent auditors “tested routine transactions at multiple locations with the same rigor and resources as those transactions or judgments that posed substantial financial statement risks.”
In short, the NRF believes the intention of Section 404 was to prevent material fraud, and that “it was not intended as a mechanism to identify and prevent every single error that could occur.”