Coping with Sarbanes-Oxley: bane of small business isn't going away.
Apparently the U.S. Securities and Exchange Commission recognizes some of the problems. In March, it extended the deadline for some aspects of compliance with the new securities law. It was the second time the agency extended deadlines related to Sarbanes-Oxley, or SOX as the law is being called. Named for its two congressional sponsors, Sen. Paul Sarbanes, D-Md., and Rep. Michael Oxley, R-Ohio, SOX is the federal government's answer to the need for corporate financial accountability in the wake of the Enron and the WorldCom accounting scandals. The act lays out extensive financial reporting, oversight and audit controls for public companies.
"SOX compliance is like Y2K every year," says Dave Guevara, president of IdealCMS, a Centennial-based consulting firm specializing in leveraging SOX data to accelerate earnings. "It will not go away."
Few people question the intent of the law, but many executives are objecting to the scope of its implementation. A company with $16 million in revenues, for example, must meet the same requirements as one with $16 billion in sales. The result can be devastating for small- and midsize businesses, according to AeA, formerly the American Electronics Association, a Santa Clara, and Washington, D.C.-based industry group. AeA estimates that businesses will pay a total of $35 billion just to comply with one part of Sarbanes-Oxley: Section 404--Management Assessment of Internal Controls. Section 404 calls for companies to provide annual reports by management on the company's internal control over financial reporting and an accompanying auditor's report.
In a February report on the unintended impact of Section 404 on small business, AeA estimated that larger businesses will spend close to $5 million on compliance, and many smaller companies "well over $1 million" each.
Eric Balzer is one of those Colorado executives who agree with the intent of Sarbanes-Oxley, but not its overwhelming cost, particularly for small businesses. He's CFO of Colorado Springs-based Ramtron International Corp., which develops and markets semiconductor memory and includes Denver-based subsidiary Mushkin Enhanced Memory Systems. The company never has had to restate its earnings, nor had any disputes over its earnings, Balzer points out.
"It's critical that financials fairly represent what's happening at the company, and that the financials don't include any misrepresentation of fact; that the business is run to where there is no fraud. So I agree with the intent of the rules," says Balzer. "(But) because Bernie Ebbers (a former WorldCom CEO who was convicted of fraud) and some of these other people allegedly willfully defrauded the public, is it appropriate to put this level of regulatory impact and cost on all the companies in the United States and any company that trades stock in the U.S.?
"What does that do for us as a competitive entity or competitive country in the world? I think it kills us," says Balzer. "'Kill' is probably an overstatement, but it does not help."
Ramtron, which last year had $57 million in revenues and $3.7 million in earnings, expects to spend about $500,000 on Sarbanes-Oxley compliance for 2004. Plus, says Balzer, it took him and his staff of five accountants--along with outside auditors--from August 2004 to February 2005 to complete compliance procedures. It will take that long for 2005, too, he said.
"That's absurd," adds Balzer. "The regulatory side of the house, in other words the government, needs to step back and really evaluate the cost (of Sarbanes-Oxley) to the economy, to our kids and our kids' kids, because this is going to further adversely impact the competitive stance of the United States."
Sarbanes-Oxley is well-intended, agrees Doug Payne, Denver-based regional managing partner for Tatum Partners, a nationwide partnership of veteran C-level executives specializing in finance and information technology. It's a step in the right direction, he says. "(But) is it overkill? Possibly .... It's a disaster for small-cap public companies because it's so much cost in relation to their EBITDA (earnings before interest, taxes, depreciation, and amortization)."
"It gets worse the smaller the company gets," adds Dave Guevara, the consultant. "Costs don't come down in proportion to ... revenue so the impact of a $100,000 (cost) to a small company is substantially greater than the impact of $100,000 to a billion dollar company, and yet that small company is going to see a minimum of $400,000 to $500,000 in terms of total cost to comply annually," Guevara said.
Costs aren't going down any time soon either. All indications are that companies will just continue to dig deeper into their pockets to pay for the cost of SOX compliance, says Michael Rasmussen, a Wisconsin-based compliance-management analyst for Forrester Research Inc. "Part of the problem is there is no clear play-book on what in the world in IT is governed by Sarbanes-Oxley," says Rasmussen. "There is no clear guidance on the exact specifics of where things start and stop with IT."
That means an auditor may or may not decide that the law, with its extensive documentation and oversight requirements, applies to things that inadvertently protect financial and accounting systems like perimeter security, firewalls, intrusion detection or anti-virus protection. "In the purest definition, the scope of Sarbanes-Oxley is going to be around accounting processes and systems, so this can include anything from the desktops to the accountants to the infrastructure that supports them to their file servers, applications servers, financial servers and so forth .... This is an open checkbook for (auditors)."
That's a prime example of how interpretation of SOX has gone too far, adds Marie Lee, Washington-based AeA tax counsel. The Public Company Accounting Oversight Board, the quasi-governmental group charged with regulating SOX, actually mentions information technology only once in its rules, and that reference is to the extent that IT directly impacts the financial statement. "I don't think regulators want to define exactly what has to be done in the area of IT or other areas because they want to keep it flexible," says Lee. "But auditors are just creating a one-size-fits-all approach, so they are requiring a $20 million company to basically go through the same process that a $20 billion company has to go through."
Meanwhile, auditors, who are from separate companies, wield that open checkbook in ways that leave companies like Ramtron struggling with what Balzer points out are multiple layers of oversight. Internal auditors review the books, then external auditors review the internal auditors, then another group of auditors review the external auditors. Everyone is looking over everyone else's shoulder. Consequently, says Balzer, the time and money that a company needs to spend on new research, product and sales development instead is spent on SOX compliance. His company, for example, needs to implement a new computer system, but hasn't had the time to do it.
Balzer and Ramtron aren't alone in their struggle with SOX.
"I have heard this so many times," says Lee. "Executives have said they have been working on almost nothing but SOX compliance for the last several months and it's turned into a situation where they are worried about the ability of their companies to compete .... I honestly believe that the way the rules are being interpreted and the amount of extra work that's generated violate the intent of Congress, the SEC, the PCOB. I don't believe it was ever meant to go this far."
Mark Pougnet agrees. He's CFO of HyperSpace Communications Inc., a Greenwood Village-based software company specializing in data and applications acceleration. The vagueness of SOX, in conjunction with the corporate accounting scandals that have occurred over the last few years, has led companies and CPAs to interpret SOX quite onerously, he adds. "I think if Congress understood that this is how companies would be interpreting all this, certainly this is not what they intended."
For example, the actual cost of Sarbanes-Oxley compliance for companies in general is 10 times initial estimates, adds Pougnet.
HyperSpace, which had $1 million in revenues last year, went public in October last year with a $10 million initial public offering. It's considered a small-business filer and therefore hasn't yet had to comply with Section 404, yet it already has spent "well into six figures" on just one part of compliance. "And," says Pougnet, "as we go down the path of complying with Section 404, which is the next step, it certainly will be well into six figures added to the initial ... six figures."
Pougnet's company, considered a "nonaccelerated filer," is one of those affected by the SEC's action to further postpone compliance with Section 404 to July 15, 2006. "It's a help," he says, "but they still insist on implementing 404. It's just a year later."
The delay does appear to mean that the SEC is going to take another look at 404, he adds. "I think that's a good thing." Pougnet suggests that what he calls a "404 lite" might apply more appropriately to smaller businesses.
But Sarbanes-Oxley is here to stay. So, companies need to accept it as a cost of doing business, says Payne, of Tatum Partners.
"The fact is that the audits are going on right now, and they are what they are," adds Jim Barnett, a Dallas-based partner of Payne who just finished helping a $75 million technology company with its SOX compliance.
Barnett says one of the most pressing problems with smaller companies is they generally do not have anything written down. These companies may follow processes that contain elements of control, but without documented procedures and logging of the work, auditors are hard-pressed to determine whether controls are effective.
SOX compliance requires companies to have a defined approach, frameworks and mapping controls in place, agrees Rasmussen. Then, they can document controls for auditors, and the auditors in turn are responsive instead of leading a charge into that open checkbook. Exacerbating problems and often running up compliance costs is a lack of project management controls at smaller companies, says Payne. SOX is a huge project and companies need to designate somebody to manage it as such.
Experts offer these suggestions to ease the SOX-compliance nightmare:
* Communication internally and with auditors is essential, says Payne.
* Software can help automate some of the documentation and reporting process, but talk to your auditors to be sure a piece of software has the right features and functionality to fit the need, says Rasmussen. And be careful that the software isn't just something you already have that's repackaged, adds Guevara.
* IT departments, if they haven't already, need to select frameworks and document controls, says Rasmussen. That's people, processes and technology. "Some of the hot areas we see that get a lot of scrutiny (by auditors) are the segregation of duties on IT systems, the change-management processes, identity management and role-based access controls, and the monitoring and reviewing of log files and audit trails."
* Consider hiring outside consultants with SOX compliance expertise. "We have found that the more effective a company is in doing work up front, the less time auditors spend with them," says Barnett. "You may not need someone full-time, but someone to guide you through the process will be important."
* Pay attention to SOX deadlines. "One of the biggest problems that companies large and small have run into is that they wait until it is too late," adds Barnett. "Audit guidelines state that you need, for example, ... two quarters of history to validate the control. Therefore, waiting until the last minute can get you a qualified (audit) opinion, even if you have put an effective control in place."
WRITTEN BY SUSAN J. MARKS
|Author:||Marks, Susan J.|
|Date:||Jun 1, 2005|