SOX 404: Does small biz exemption mean more fraud?
It all sounds like a great idea on the surface, doesn't it?
I'm talking about a proposal floating around Congress to exempt small public companies from having to comply with the onerous and expensive requirements found in Section 404 of the Sarbanes-Oxley Act.
You remember Section 404, right? That's the one that requires finance executives to sign off on their companies' internal controls over financial reporting. When Sarbanes-Oxley was enacted in 2002, Section 404 was at the center of a contentious debate. Small businesses protested, saying the monetary and manpower costs involved in complying with 404 were too steep. In those scandal-ridden post-Enron days, though, those companies had few friends in their corner, so they bit their tongues and took it.
Now, seven years later, along comes the Investor Protection Act and, more importantly, an amendment that would exclude smaller public companies from having to comply with Section 404(b) of the Sarbanes-Oxley Act, "which requires companies to include in their 10-K reports an independent auditor's opinion on their internal controls," writes CFO.com's Sarah Johnson. The amendment also would "require the SEC to study how the regulator could reduce the cost-of-compliance burden for companies with market caps between $75 million and $250 million."
Suddenly, everything seems to be balancing out for small companies, who felt from Day 1 that they were paying an unfairly exorbitant amount to comply with Section 404.
But there's an elephant in the room.
The Association of Certified Fraud Examiners says such an exemption "would lead to a higher incidence of fraud and an increase in the amount of fraud losses."
Talk about your kill-joys.
“At a time when the economic downturn has heightened the risk of fraud for organizations large and small, it simply does not make sense to weaken accounting rules that are in place to protect investors,” said ACFE President James D. Ratley, CFE. “The bottom line is that internal controls are one of the best fraud prevention tools for any organization to have in place. Providing exemptions for some public companies from the SOX 404 requirements only leads to an increased risk of fraud.”
So who's right -- the companies trying to stay in business or the folks trying to prevent fraud? Or is there some kind of middle ground that we haven't considered yet? Let us know what you think, then check out these related resources:
- MACPA program, Nov. 25: Auditing Bits in Bytes, Session 3: Internal Control Considerations
- MACPA program, Dec. 4: Internal Control Procedures for QuickBooks Users
- MACPA program, Dec. 23: Auditing Bits in Bytes, Session 7: Identifying, Evaluating and Communicating Internal Control Deficiencies