SEC Preps SOX 404(b) Rollback
The Securities and Exchange Commission will move forward next week with long awaited, but totally not surprising, plans to raise the threshold for accelerated filer status — a move that will pave the way for more companies to avoid outside audits of their internal control over financial reporting.
The SEC posted a notice that it will meet on May 9 to discuss “whether to propose amendments to the accelerated filer and large accelerated filer definitions to promote capital formation for smaller reporting issuers.” Translated from bureaucracy-speak into plain English: the SEC wants to raise the ceiling for non-accelerated filers, so more firms are exempt from compliance with Section 404(b) of the Sarbanes-Oxley Act.
Section 404(b) requires all publicly traded firms to get an outside audit of their internal controls over financial reporting. Only non-accelerated filers are exempt. Current SEC rules set the ceiling for non-accelerated filer status at a market cap of $75 million; any firm under that is exempt.
So next week’s meeting will “propose” (read: move forward with) amendments to raise that $75 million limit, and therefore exempt many more companies from annual audits of their internal controls.
This is no secret. SEC chairman Jay Clayton has long wanted a larger 404(b) exemption. Last summer Clayton explicitly directed SEC staff to develop recommendations “that, if adopted, would have the effect of reducing the number of companies that qualify as accelerated filers.”
Exactly what will transpire at next week’s meeting? Recall that last summer, the SEC raised threshold for smaller reporting companies from $75 million to $250 million. Smaller reporting companies are exempt from a host of required disclosures — but Section 404(b) is not among those exemptions. 404(b) compliance hinges on whether you are an accelerated or non-accelerated filer, rather than a smaller or larger reporting company. (You gotta love the arcane quirks of federal securities law.)
My bet is that the SEC will raise the accelerated filer threshold to $250 million, so that those two definitions are harmonized.
How many companies would gain a 404(b) exemption from that move? SEC staff will probably present an estimate of that number at next week’s meeting. As a yardstick, however, roughly 965 firms gained disclosure exemptions from last year’s move on the smaller reporting company threshold. So a similar change in 404(b) thresholds would presumably be in the same ballpark.
Why Do This?
Clayton’s stated reason for raising the 404(b) threshold is to help more small firms go public earlier in their lifecycle. The theory is compliance burdens such as SOX drive startups away from IPOs, and thus make the U.S. capital markets less competitive. Clayton also likes to say he worries about “Mr. and Mrs 401(k),” who miss lucrative investment opportunities because startups like Lyft, Uber, Pinterest, or others go public much later in their corporate lives — after venture capitalists and private investors got into investment early, and reaped all the growth in value.
Therefore, Clayton and his ilk say, if we wave away rules like 404(b), more companies will go public and everyone will get richer.
This is not actually true, of course. This decade the U.S. IPO market has fluctuated generally between 150 and 200 IPOs per year, with one or two exceptions either way. As you can see from the chart at right, the IPO market moves in cycles, and 2019 seems to be on an upswing now. We are not at a competitive disadvantage with Hong Kong, London, or anyone else.
Moreover, the premise here is that if we remove the costs for an IPO, more firms will buy the product. There’s no proof of that. On the contrary, study after study has shown that more firms are staying private for longer periods because they can. Private funding is plentiful, interest rates are low, and bigger corporate buyers on an M&A binge are abundant.
So if you’re a small startup looking for cash, would you really want an IPO simply because the cost of 404(b) compliance went away? Or would you seek private funding, which inflates the value of your firm without all the other governance obligations of being public? Or just sell to a bigger firm and walk into the sunset with a pile of cash?
Meanwhile, eliminating 404(b) compliance increases the risk of fraud or other weak financial reporting to investors — exactly the Mr. and Mrs. 401(k) whom Clayton professes to care about.
I wonder if Clayton truly understands that most people have few financial assets, and that Mr. and Mrs. 401(k) want stability in their retirement holdings, more than they want wider investment opportunities. If the latter is Clayton’s goal, he could just relax the accredited investor definition and give people more access to whatever private investment schemes they want.
There’s no need to risk people’s fortunes on a frothy stock market full of startup firms with half-baked ideas and poor internal control. We went through that in the 1990s dot-com boom. It’s what brought us Sarbanes-Oxley and 404(b) in the first place.
404(b) Compliance Will Endure
When Clayton and fellow Republican commissioners do push through their proposal, compliance professionals should also remember: on a practical level, you’ll have many incentives to keep up with ICFR audits anyway.
For example, all firms are still required to comply with Section 404(a), where management attests to the effectiveness of internal control. So if you’re a smaller firm that has been going through 404(b) audits for years, and then stop those audits because you no longer need them — you still need to attest to whether your internal controls are effective or not.
If your firm then experiences a restatement or some other fraud in the future, that decision not to continue with 404(b) audits will haunt you. It will be a giant target on your corporate rear end, saying, “We were so confident in our internal controls we believed we didn’t even need and audit! And oh, we were wrong.” Every plaintiff lawyer in the country will then train their sites on that target.
Likewise, if you’re a small firm looking to sell yourself to a strategic buyer, that buyer will want to see effective internal controls. Any firm that has been passing 404(b) audits will have an easier time proving that point, and will command a premium over other targets that can’t.
And never forget the role audit firms play here, including their endless quest to impose more fees. In many ways, audits of internal control for any purpose—financial reporting or otherwise—have blended together into one mass that can’t be undone.
For example, an audit of ICFR will include an examination of your IT general controls. Well, if your company handles personally identifiable information (PII) or you support companies that handle PII — you’re going to test your IT general controls anyway, as part of any effort to be PCI compliant.So call it whatever you want; the audit work will remain. It always does.