U.S. House of Representatives Small Business Committee

Sarbanes-Oxley 404: Will the SEC’s and PCAOB’s New Standards
Lower Compliance Costs for Small Companies?

Statement of Hal S. Scott
Nomura Professor of International Financial Systems, Harvard Law School
Director, Committee on Capital Markets Regulation

June 5, 2007

Chairwoman Velazquez, Ranking Member Chabot, and Members of the Committee.  Thank you for giving me the opportunity to testify on this important issue on behalf of the Committee on Capital Markets Regulation (“CCMR”).

The CCMR is independent and bipartisan, composed of twenty-three corporate and financial leaders drawn from the investor community, business, finance, law, accounting, and academia.  The CCMR issued its Interim Report on the state of the U.S. public equity capital markets on November 30, 2006.  The CCMR’s purpose is to explore a range of issues related to maintaining and improving the competitiveness of U.S. capital markets.

The question posed by this Committee—will the new standards of the SEC and PCAOB lower Sarbanes-Oxley (“SOX”) 404 compliance costs for small public companies—is crucial to the well-being of Main Street, the bedrock of the U.S. economy.  The answer to your question about compliance cost reduction is simply that we do not know.  Unfortunately, neither the PCAOB nor the SEC, at least based on what has been publicly released, has done any quantitative analysis of the cost reductions they expect to achieve through their new standards.  Nor have they indicated that they would do field tests to determine achievable cost reduction before applying these revised standards to small companies.

My own guess is that costs will come down but only moderately because, even after a lengthy deliberative process, the agencies have failed to give enough precise guidance as to what internal controls management and auditors should look at—that is, what is “material.”  We  should not, however be operating on guesses.  Before we move full speed ahead on applying Section 404 to small companies we should have a much better idea of what the cost reduction will actually be.

As stated in our Interim Report, the CCMR believes that maximizing the competitiveness of U.S. capital markets is critical to ensuring economic growth, job creation, low cost of capital, innovation, entrepreneurship, and a strong tax base.  The issue of the competitiveness of our capital markets is essentially an issue for Main Street, not Wall Street. Wall Street can move to London, Main Street cannot.  Indeed, Bloomberg news recently reported that so far this year investment banks have earned $1.1 billion in fees from European initial public offerings (“IPOs”), compared with only $1.4 billion from U.S. IPOs.  In 2002, investment banks earned five times as much taking companies public in the United States as they did in Europe.

Our market is becoming less attractive to foreign companies.  In the late 1990s, the U.S. exchange-listed capital markets were attracting forty-eight percent of the value of all global IPOs (where a company raises funds outside its home country).  By 2006, the share of U.S. exchanges had fallen to 7.2 percent.  Our market is also becoming unattractive to U.S. companies.  In 2000, every IPO by a U.S. company took place in the United States; in 2006, 17 percent of the funds raised by U.S. companies in IPOs were raised abroad.  And this is despite the fact that a U.S. company doing a public offering abroad is restricted from selling its stock to U.S. residents for a year.  Both U.S. and foreign companies find the U.S. private market (that is, the Rule 144A market which is restricted to large institutions) more attractive than the public market.  Straight public equity offerings on the three largest U.S. stock exchanges raised $154 billion last year, while 144A offerings raised $162 billion.

Our report also documents the tremendous growth in private equity capital and going-private transactions.  One of the reasons for the increasing attractiveness of private equity markets is concern over the costs of going or remaining public.  Between 2001-2006, the number of venture capital (“VC”) backed acquisition exits with disclosed values has exceeded the number of VC-backed IPO exits by more than ten-to-one (1919 to 171), with a difference of value of $95 billion as compared to $12 billion (albeit that this comparison should be adjusted for the fact that IPO exits, unlike private exits, typically involve the sale of only a portion of the company).

Our Committee believes that the U.S. public markets are clearly becoming less attractive to companies, both foreign and domestic.  While there are many factors responsible for this development, including better foreign markets and more capital available abroad, our Committee, as well as other studies, has concluded that the cost of U.S. regulation, as well as the prospect of class action lawsuits, has played a significant role.  And one of the significant costs of regulation is the cost of SOX 404.

Our Committee believes that Section 404 has provided significant benefits to both investors and businesses by increasing the reliability of financial statements, strengthening internal controls, improving the efficiency of business operations, and helping to reduce the risk of fraud. The CCMR strongly supports the need for effective internal controls.  However, the CCMR also believes that this objective can be achieved at a much lower overall cost than the average SOX implementation cost per company of $4.4 million in the first year, and $3.8 million and $2.9 million in the subsequent two years, as reported by Financial Executives International (FEI).  Despite the reduction of costs, 78% of the 200 executives surveyed by FEI said the costs of SOX 404 still outweigh the benefits.

These cost estimates are only for direct costs, and ignore important indirect costs such as diversion of scarce management resources and time and the increased risk aversion of companies and boards.  The burden for smaller companies is obviously greater than for larger companies since costs are not generally proportionate to size.  The costs under the present regime, particularly for small companies, remain very substantial.

Small companies that are already public may not be able to absorb such costs or remain solvent, let alone competitive.  Indeed, they may be forced to exit the public markets to avoid such costs.  More importantly, small companies in the future may find themselves starved for venture capital, and this could have a profound effect on the U.S. economy.  Venture capitalists seek to exit their investments by going public—the dream of every start-up.  According to the National Venture Capital Association, in 2006, venture-backed companies accounted for 10.4 million U.S. jobs or approximately 9 percent of total private sector employment, and $2.3 trillion in U.S. revenues, 17.6 percent of GDP.  A majority of these venture-backed companies are now public.  Less attractive public markets means less investment in small business.

As I have said, I expect that the new standards will bring down the costs of Section 404, but not as much as it could and should.  This judgment must to some extent be tentative.  While the PCAOB’s proposal for a new Auditing Standard, AS5, is public, the SEC has yet to release the language of its own new standards, although it did provide some information in its release announcing changes (SEC Release 2007-101, May 23, 2007).  I will assume the SEC standards are basically the same as set forth in its proposal of December 20, 2006 (SEC Release No. 33-8762), and consistent with the new proposal of the PCAOB.

Certain important improvements have been made that were called for by our Committee, We strongly support a top-down, risk-based approach that allows auditors and management to make use of their judgment in tailoring their evaluations of controls to the individual circumstances of the companies they audit, so-called “scalability.”  We also support the elimination of the requirement for an auditor to examine management’s evaluation process.  We further support the increased flexibility provided for auditors to rely upon the work of others and to limit the testing of low-risk controls.  Auditors will be more able to adjust the nature, timing, and extent of their procedures based on knowledge obtained during previous audits, particularly as such knowledge impacts the auditor’s assessment of risk.  We also commend the PCAOB’s focus on fraud controls.  We applaud the work done by the agencies on these issues.  We hope all of these measures will bring down costs for companies, including small companies.  We just do not really know how much.

We also believe, however, that there are two serious defects in the SEC-PCAOB approach: failing to set a precise standard for materiality and deciding to apply the new standards to small companies before doing a thorough cost-benefit analysis of how these revised standards will affect small companies.

The question of materiality is at the heart of the SOX 404 problem.  Management and auditors should only be looking at things that matter.  The high costs of Section 404 are in significant part due to the fact that there is no clear guidance from either the PCAOB or SEC as to what does matter.

Under current guidance, a material weakness is defined as a significant deficiency, or a combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.  Materiality itself is determined by a broad range of qualitative considerations.

In the PCAOB’s proposed AS5 (p. A7), a material weakness is defined as “a deficiency or a combination of deficiencies, in internal control over financial reporting, such that there is a ‘reasonable possibility’ that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.”  The SEC used the same formulation of material weakness in the release announcing adoption of its new standards.

The change from “more than a remote likelihood” to a “reasonable possibility,” if it is an improvement at all, is a minor one.  Indeed, the PCAOB itself says in its proposal that “as a definitional matter, ‘reasonable possibility’ and ‘more than remote’ describe the same threshold….” More importantly, while companies and auditors are instructed to look at deficiencies which have a “reasonable possibility” of causing a material misstatement, they are given only very imprecise guidance as to what controls are material.  The PCAOB guidance continues to provide a qualitative standard for materiality—the same qualitative standard it now uses for financial statements (Proposed A5, A-1, ¶19)—and the SEC appears to take the same approach.

There is no reason to examine internal controls that, even if deficient, could have no material impact on the financial statements of the company.  Unfortunately, this appears to be happening today.  As the CCMR’s report shows (Figure V.3, p. 123), an analysis by Mercer Oliver Wyman of the 2006 GAO study indicates that between 2002-2005, fifty-three percent of restatements, using the same qualitative definition of materiality for internal control and financial statement weaknesses, had either a negligible negative (less than one percent) or a positive impact on company market value.  The market clearly does not think most of these restatements involve truly material weaknesses.

Our Committee has recommended that materiality for internal control reviews should be defined consistently with the definition of materiality in financial reporting, as it is today, but that both definitions should be more precise.  Specifically, the CCMR recommended that materiality for scoping an assessment should be defined, as it was traditionally, in terms of a five percent pre-tax income threshold.  This standard would be consistent with the overall risk-based approach advocated by both the SEC and PCAOB.  In cases where the five percent test would not be meaningful, the agencies should allow companies and their auditors to exercise their reasoned judgment in choosing other measures to evaluate materiality in ways that are relevant to investors.  We are very concerned that without a presumptive quantitative standard, the costs of compliance with Section 404 will not be sufficiently reduced.  There is no need to look at things that do not matter.

Our second concern is the decision announced by the SEC to apply its new management standards to financial statements filed in 2008 to both large and small companies, and the decision of the PCAOB to apply its new auditing standards to both types of companies with respect to financial statements filed in 2009.  The CCMR recommended that the application of Section 404 to companies with less than $75 million of market capitalization should continue to be deferred until the standards were revised.  This has been done.  However, we also recommended that after the revision of the standards, the SEC should reassess the costs and benefits of extending Section 404 to small companies.  This could be done by field testing the new standards on large companies, as well as on small companies that voluntarily decided to adopt the new standards, and on the smallest of the companies already subject to Section 404, those between $75-$100 million in market capitalization.  In-depth interviews could also be had with a sample of smaller companies and their auditors to assess the potential cost impact.  Bear in mind that for small companies that have not yet been required to apply Section 404, the issue is how much the new standards will bring down first year costs, historically an average of $4.4 million.

To the extent that the SEC found that, even with the adopted reforms, the costs were still too high relative to the benefits, it should ask Congress to consider exempting small companies from the auditor attestation requirement of Section 404 while at the same changing the management certification requirement to one requiring reasonable belief in the adequacy of internal controls.  Without the comfort of auditor attestation, management would not be able to make a stronger certification.

When the SEC implemented SOX 404 in 2003 it did so through a rule-making in which it estimated the costs of compliance with Section 404 would be $91,000 per company (SEC Release No. 33-8238, June 5, 2003).  That estimate was, we now know, off by a factor of over 48.   In reformulating AS5, the PCAOB has done no publicly available analysis of how much costs will be reduced by AS5 generally, or for small companies.  The SEC in its proposed new rule changes and guidance (SEC Release No. 33-8762, December 20, 2006), provided only a cursory discussion of cost-benefit analysis with no quantitative estimates of cost.

The National Securities Market Improvements Act of 1996 requires the SEC to consider in any rulemaking process “in addition to the protection of investors, whether the action will promote efficiency, competition and capital formation.”  In Chamber of Commerce of the United States v. SEC, 412 F.3d 133 (D.C. Cir. 2005), the court struck down the SEC’s proposed rule requiring that 75% of a mutual fund board be composed of independent directors and have an independent Chairman on the ground that the Commission provided insufficient analysis of the costs of its proposal.  The court stated that “uncertainty may limit what the Commission can do, but it does not excuse the Commission from its statutory obligation to do what it can to apprise itself—and hence the public and the Congress—of the economic consequence of a proposed regulation before it decides whether to adopt the measure.”  Id., at 144.  The Sarbanes-Oxley Act added an additional requirement for SOX rules, that the SEC “promulgate such rules and regulations, as may be necessary or appropriate in the public interest or for the protection of investors, and in furtherance of this Act.” 15 U.S.C. §7202(a) (2007).  These requirements would clearly apply to the rule-making portion of the new SEC standards.  While it is less clear that such obligations extend to “guidance,” the SEC still should have provided a cost-benefit analysis of its guidance as a matter of policy, particularly when the guidance involves the application of its own rules.

These cost-benefit obligations should be complied with ex ante, before the SEC adopts a rule, so that whatever analysis is done by the SEC is open to public scrutiny.  Unfortunately, this was not done.  Further, we have no reason to believe that such analysis has even been done ex post, in the rule as adopted.  We would hope the SEC would remedy this matter.

The SEC must still approve the new guidance of the PCAOB.  This would appear to require an SEC rule-making procedure, with notice and comment.  In addition, it may require the SEC to do a cost-benefit analysis since the SEC is approving a PCAOB rule.  The law on this is not clear.  However, the right policy is clear.  Before allowing this new PCAOB standard to become operative, the SEC or the PCAOB should do a cost-benefit analysis with respect to PCAOB’s revisions of its standards.

Everyone—companies, Congress, and the public—is entitled to know and comment on what cost reductions the two agencies expect to achieve consistent with investor protection, since this was a major objective of the exercise.  We should not proceed on such an important matter without a more solid foundation.

What is the rush?  The SEC has already deferred applying its rules to small companies four times, first in February 2004, and then in March 2005, September 2005, and December 2006.  We think it would be prudent to continue to do so, until a rigorous cost-benefit analysis justifies applying the new rules to small companies.  If the costs are still too high, the SEC should then turn the problem over to the Congress.