Tale of Sound & Fury: The 404(b) Debate

We’re going to argue a lot in coming months about whether to exempt many more companies from compliance with Section 404(b) of the Sarbanes-Oxley Act. Personally, I’m torn between those people who believe 404(b) compliance is crucial to good governance and those who say expanding the exemption will allow more companies to go public.

I can’t decide which side misses the point more.

First, the background. Section 404(b) requires an annual audit of a company’s internal control over financial reporting, to determine whether those controls are effective. All public companies must comply with Section 404(a), which says management must assess the effectiveness of ICFR. Right now, only non-accelerated filers (those with a market cap of $75 million or less) are exempt from Section 404(b), the annual audit of ICFR.

Republicans have complained about Section 404(b) almost since the day they enacted SOX in 2002. They claim that for most companies the compliance costs far outweigh the benefits, and it discourages pre-IPO companies from going public. They have tried to expand the exemption multiple times since then, and failed.

Now Rep. Jeb Hensarling is at it again, with language in his proposed Dodd-Frank reform legislation that would expand the exemption from $75 million market cap to $500 million—that is, almost all public companies except for large accelerated filers. (Those with $750 million or more in market cap.) Grant that exemption, Hensarling’s logic goes, and the IPO window in U.S. markets will be wide open. America will be made great again.

On the other side are the governance purists, who see ICFR audits as indispensable to accurate financial reporting and investor protection. The research favors them; numerous studies have found that companies exempt from 404(b) audits are more likely to experience a financial restatement.

And on the sidelines are internal control and audit professionals, wondering how a 404(b) exemption might affect their careers. After all, if your title is “SOX project manager,” you’re allowed some unease at the notion of SOX compliance going away.

Let’s all try to be a bit more cynical. If there were ever a field where “the more things change, the more they stay the same” rings true, it’s corporate compliance.

The Urge to Audit Is Eternal

First, we should appreciate how much audits have changed in the last 15 years, to appreciate how little they’re likely to change no matter what Congress might do with Section 404(b). In many ways, audits of internal control for any purpose—financial reporting or otherwise—have blended together into one mass that can’t be undone.

For example, an audit of ICFR will include an examination of your IT general controls. Well, if your company handles personally identifiable information (PII) or you support companies that handle PII—you’re going to test your IT general controls anyway, as part of any effort to be PCI compliant. Call it whatever you want. The audit work will remain.

Second, the technology for effective ICFR has advanced dramatically since 2002. Companies that provide accounting systems via the cloud already have ICFR baked into their operations. Continuous monitoring and auditing may have been pipe dreams in 2004, but they’re a whole lot more real today. They make audits of ICFR easier than anything we saw a decade ago.

We also need to acknowledge that for middle-market companies (the ones that might benefit from an expanded 404(b) exemption), the toothpaste is already out of the tube. If you’re a company that has been public for years and complying with 404(b)—you’re now going to stop auditing ICFR? You’re really going to tell institutional investors and analysts that effective ICFR isn’t a priority?

If a company in that middle territory plans to stay public, it can’t drop ICFR audits without annoying institutional investors—and those investors are crucial to maintaining your liquidity, since retail investors won’t provide enough liquidity. If you’re a company in that middle territory planning to go public—well, you still need to compete for liquidity with those companies that already are 404(b) compliant.

In other words, the more I look at Hensarling’s idea to expand the 404(b) exemption, the more I can’t help but wonder: who cares? It’s not like his idea will make much difference to investors or companies. The work, and cost, of auditing ICFR will just show up in other ways.

If Hensarling, a right-wing ideologue, wants to tilt at this particular windmill, he can have at it. The windmill won’t topple. And all of this assumes Congress does adopt a 404(b) exemption. With this Congress, that’s a big gamble.

The Urge for Money Is Eternal Too

This brings up the question of why Hensarling wants an expanded 404(b) exemption, and whether it would pave the way for more companies to go public.

Of course curtailing 404(b) would help more companies go public. Plenty of middle-market companies have come into existence in recent years thanks to M&A deals funded by private equity. They have a half-dozen accounting systems, and their ICFR is all over the map. The hurry-up remediation work to clean up that mess for an IPO isn’t worth it, when the PE backers could just sell to another private buyer and redecorate the office. Section 404(b) is a brake on the drive to go public.

But is that what’s important here? The people who benefit from more companies going public are bankers, lawyers, and early-stage investors looking to cash out. Companies themselves and retail investors benefit more from staying public. That’s a different set of concerns.

For example, the biggest problem for many small companies that go public will be the lack of analyst coverage after the IPO. Repealing SOX 404(b) won’t help with that. Nor would expansion of the JOBS Act’s loosey-goosey governance provisions, or anything else rumored to be in Hensarling’s legislation. But the companies themselves would still have plenty of burdens to remain public, even without ICFR audits.

It’s true that fewer companies are going public, and that U.S. capital markets have fewer publicly traded companies generally. But to assume that our high standards of financial reporting and governance are the culprit—well, that’s just incorrect.

Don’t take my word for it. Read the presentations made earlier this month at the SEC’s Advisory Committee on Small and Emerging Companies. More companies are staying private because they can. That is a world apart from staying private because you have no other choice.

The world is awash in private equity, willing to pay very pretty pennies for a solid small company. VC-backed firms are selling to private equity who sell to mutual funds or sovereign wealth funds. A healthy secondary market exists now for employee-owned private shares (which didn’t exist 15 years ago). Those high-flier companies that do go public have hugely favorable terms to owners. Case in point is Snapchat, whose IPO filing insists that mere mortal shareholders won’t actually have the right to vote.

Loosening compliance standards ignores all that. It does alleviate the challenges to going public. Lots of M&A bankers and lawyers—such as Donald Trump’s nominee to chair the Securities & Exchange Commission—will make more money taking companies public. But will that make up for the new risks investors would face from new, less-governed companies being public? Nope.

Then again, like I said above—who cares? It’s not like repealing 404(b) in word will make 404(b) go away in spirit. That’s just not happening. If you’re an auditor with extensive SOX experience, your career prospects are still in fine shape.

2 Comments

  1. […] For a more detailed discussion, see Matt’s blog post entitled, “Tale of Sound & Fury: The 404(b) Debate”. […]

  2. […] experience more fraud and financial restatements; it’s that simple. The Financial Choice Act would raise the current exemption threshold from $75 million in market cap to $500 million—meaning a large majority of filers would no longer need to get outside audits of ICFR. These […]
