TCS Daily

The $1.4 Trillion Mistake

By Dominic Basulto - June 7, 2005 12:00 AM

Now that William Donaldson has resigned as SEC Chairman, it's time to re-think the costs and benefits of the Sarbanes-Oxley Act that was endorsed by the Donaldson SEC as a way to renew investor confidence in American capitalism and improve corporate accountability. With the expected confirmation of California Representative Chris Cox as a replacement for Donaldson this summer, it is perhaps only natural to ask which of the most burdensome SOX compliance requirements -- such as the much-lamented Section 404 -- can be rolled back, or at least reinterpreted in a way that focuses attention on the true causes, not just the symptoms, of corporate governance weaknesses.

According to Section 404 of Sarbanes-Oxley, public companies must include a full disclosure of their internal controls in their annual reports. In addition to reviewing their system of internal controls and procedures for financial reporting each year, companies must provide a written confirmation from management that these internal controls and procedures are in place and are being maintained. Finally, the company's outside auditors must report publicly on the adequacy of the company's internal controls and opine as to management's opinion about internal controls. One goal for the Cox-led SEC should be to find ways to provide relief to companies from the most burdensome of these rules while staying within the legislative mandate of SOX.

Compliance with Section 404 has, by all accounts, been a big problem for both small and large companies. As TCS Contributor Stephen Bainbridge pointed out in April ("SOXing It to Small Business"), the costs to U.S. business of complying with Section 404 have been truly staggering -- both in terms of time and expense. A number of studies have already confirmed, for example, that the number of staff hours needed to comply with Section 404 will be as many as ten times the number originally projected by the SEC. According to a new study from the business school at the University of Rochester, the net private cost of SOX compliance amounts to a whopping $1.4 trillion.

Most disturbingly, Section 404 unfairly punishes small companies, which lack the sophisticated internal controls of larger companies and, correspondingly, are forced to bear a disproportionate share of the regulatory burden. William McDonough, head of the PCAOB (Public Company Accounting Oversight Board), has noted on several occasions that small companies should not have to shoulder the same burden as large Fortune 500 companies. At a Harvard Law School panel in March, McDonough noted that, "It is insane for small companies to have the same internal controls as General Electric."

In addition, full compliance with Section 404 hampers risk-taking in the private sector. Instead of focusing on ways to grow a business, executives are forced to devote too much time and too many resources to internal controls, including the endless review and signing of papers. In some cases, private companies are not going public in order to avoid the burdensome regulatory requirements of SOX.

Finally, Section 404 does not encourage real accountability, only the creation of a prodigious paper trail. As SEC commissioner Cynthia Glassman pointed out in a February 24 speech, "I have been concerned from the beginning that Section 404 would become an expensive, short-term, check-the-box exercise." The SEC has even acknowledged this problem, recently chastising auditors for becoming "too inflexible," "overly cautious" and "mechanical" in their application of Section 404. Thus, it is not only the companies that are becoming more risk-averse -- it is the whole auditing and regulatory establishment that sprang up in response to SOX.

In May, CFO Magazine examined whether the benefits of Sarbanes-Oxley are worth the cost, highlighting aspects of SOX that are worth reconsidering. In April, companies had a number of opportunities (such as an SEC roundtable event) to vent their frustrations with Section 404, resulting in a number of reasonable recommendations and suggestions that could be acted upon by the Cox-led SEC. For instance, the SEC can act to reduce the reliance on signing and dating documents as proof that a particular internal control was effective. Moreover, the SEC could create a tiered compliance system, such that smaller companies face less of a burden than larger companies. The SEC could also raise the threshold for what constitutes a "significant deficiency" in internal controls, thereby enabling companies to focus on the most serious of internal control problems. Finally, instead of annual reviews for items like IT systems that do not change significantly year-to-year, it might be possible to conduct less frequent compliance checks.

While a full rollback of SOX is not possible, the SEC with Christopher Cox at the helm will be able to perform a careful review of the aspects of SOX that no longer make business sense, such as Section 404. With Donaldson stepping down at the end of June, the SEC now has a real opportunity to address a number of regulatory issues that were left to fester over the past 2 ½ years. Until then, business leaders across America will continue to dread the thought of a §404 Error in the same way that Internet users dread the thought of those annoying "404 Error" messages on their computer screens.

Dominic Basulto is a TCS contributing writer who focuses on business, technology and venture capital markets.

