SEC officials dropped a few more hints this week about their thinking on Sarbanes-Oxley compliance, including when we’ll see the agency move to exempt more companies from Section 404(b) of the law — the provision that requires annual audits of a company’s internal control over financial reporting.
Said hints came from Bill Hinman, director of the SEC’s Division of Corporation Finance. Speaking at the AICPA’s annual conference on corporate reporting, Hinman said a final new rule should be reaching the SEC soon, and yes, it will exempt more companies from 404(b) audits.
Right now, publicly traded companies with a market cap below $75 million are exempt from 404(b) audits already. So are newly public companies still classified as Emerging Growth Companies according to other SEC rules.
Last May the SEC proposed also to exempt public companies with less than $100 million in revenue — mostly as a favor to biotech firms, which often go public to raise capital but don’t see revenue for many years while they develop their drug compounds. Those firms can then fall into a scenario where they have a relatively large market cap but no significant revenue, and they’re spending precious capital on audits of internal control.
Well, you can imagine how that idea goes over among Republicans. They have long argued that smaller companies, such as biotech firms, devote a disproportionately higher percentage of revenue to those audits, when most investors have most of their retirement savings locked up in large companies that can manage Section 404(b) compliance much more efficiently.
So where’s the sense in forcing small companies to devote more money to internal control audits, when they could instead devote that money to, say, product development? Especially since all filers are still subject to Section 404(a) of SOX anyway, which requires management attestation to internal controls.
That’s the Republican argument these days. Hinman hit all the politically correct notes during his talk, when he said SEC chairman Jay Clayton wants to consider “is there a way to look at this again to strike the right balance” between investor protection with an outside audit, versus lower costs with a management attestation only.
The logic, Hinman said, is that smaller reporting companies have less complicated financials, “and therefore the added value of an outside auditor’s attestation, on top of management attestation, would be different as well… We’re excited about it and can save lots of folks money.
OK, let’s take a closer look at some of these statements.
Fees vs. Fees
First, Hinman is correct when he says smaller firms do pay relatively more in audit fees, and those fees are indeed at least partly driven by Section 404(b) compliance costs. Moreover, the challenge of higher audit costs for smaller companies is getting worse.
I asked the financial data gurus at Audit Analytics to look at corporate audit fees as a percentage of total revenue, grouping companies by revenue. The result is Figure 1, below.
As we can see, smaller companies devote much more of their revenue to audit fees. For example, if you’re a firm with $10 million in annual revenue, for every $1,000 that comes in the door, $29.70 goes back out to your audit firm. For a company with $50 billion in revenue, that amount is just 57 cents.
What’s interesting is that Audit Analytics also sent me a similar analysis it ran in 2007. Those numbers are in Figure 2, below.
When you compare those 2007 numbers to our first chart of what companies are paying today, without question the audit burden for smaller companies has gone up.
That is, back in 2007 our hypothetical $10 million firm was devoting $17.73 to audit fees for every $1,000 in revenue. Today that amount is $29.70.
Even if you adjust for inflation, that $17.73 would still only be $21.99 in today’s dollars. By any definition, the burden of paying for audits has risen much more swiftly for smaller companies than for larger ones.
We do have some caveats here. First, financial reporting has changed enormously since 2007. We have new accounting standards for goodwill impairment, hedging, revenue recognition, leasing, and more. Lots of those new standards require companies and audit firms alike to use more judgment. That costs money.
Second, we don’t know how much the increase in audit fees has been driven specifically by SOX compliance, versus financial auditing generally. And so many companies now get one integrated audit of both financial statements and internal control, we may never really know.
Regardless, Hinman isn’t wrong when he says that in relative terms, smaller companies pay much more for audits than larger ones. They do.
404(b) Controls, Not Costs
Where I disagree with Hinman is in his statement that smaller reporting companies have less complicated financial reporting. They probably do — but, um, so what? Smaller companies are also more likely to have weaker systems of internal control, and that’s what Section 404(b) audits are meant to address.
After all, we’ve seen plenty of research showing that companies not subject to outside audits of their internal control are more likely to experience financial restatements than companies that do get 404(b) audits. That should be no surprise. When management doesn’t have an independent viewer peering over its shoulder at financial processes, management is more likely to make mistakes in financial reporting or even commit fraud.
This is especially true for smaller companies, because they tend to rely more on management estimates and manual processes, where large companies use sophisticated IT systems that automate away more of the potential for error.
So when Hinman talks about “saving folks lots of money,” his implicit assumption there is that the “folks” are CFOs looking to hold down costs. Eliminating 404(b) compliance for more companies will indeed achieve that goal.
It won’t, however, save lots of money for investors. It will put more restatement risk on their shoulders — and sooner or later, for at least some of them, that risk will move lower and take a bite out of their behind.