“But I don’t want to go among the mad people,” Alice remarked.

“Oh, you can’t help that,” said the Cat: “We’re all mad here. I’m mad. You’re mad.”

“How do you know I’m mad?” said Alice.

“You must be,” said the Cat, “or you wouldn’t have come here.”

Of what relevancy is Alice’s frustrating dialogue with the Cat?

If you optimistically awaited COSO’s Guidance on Smaller Company Compliance with Section 404 (“Guidance”), you now have the gnawing sensation that you are slightly insane.

Section 404 of the Sarbanes-Oxley Act of 2002 (“404”) requires public companies to report annually concerning efficacy of their internal financial controls. SEC regulations require quarterly assessments, an annual management report in the 10-K and quarterly reports as to changes.

Public companies which are “accelerated filers” (with common stock floats in excess of $75 million) already have complied with these reporting requirements. Their reports have disclosed a wide range of defects, defined as a “deficiency,” a “significant deficiency,” or the much-dreaded “material weakness” (which in turn requires a conclusion that internal financial controls are not “effective”).

Internal financial controls are assessed pursuant to a “framework” which tells a company how to establish such controls. The normative framework is that established by the Committee of Sponsoring Organizations (COSO), whose board includes accountants, businessmen, and a representative of the American Institute of Certified Public Accountants.

Public outcry is that the costs of 404 compliance for larger companies were much greater than anticipated, and disproportionate to the benefits. The SEC has held conferences on these issues. In January 2005, COSO undertook a project to provide guidance for smaller companies in reaching 404 compliance

Input was obtained from companies, from accounting firms, from the COSO board, and from AICPA’s major firm group of the 50 largest public accounting firms other than the “Big 4.” PricewaterhouseCoopers was engaged to conduct this project, and in October 2005, the draft “Guidance” was promulgated for public comment. (See www.coso.org). The comment period expired Dec. 31, 2005.

SEC Wild Card

While COSO has been pursuing the perfect “Guidance” to promulgate, the SEC has pursued its own course, and has managed to throw the entire 404 area into confusion. No doubt concerned with the cost of compliance, and likely under political pressure from the business community, the SEC has established its own independent 404 agenda for smaller companies.

The SEC twice has extended the time in which smaller companies (under $75 million market cap) must comply with 404. The lengthy period required for COSO to issue its Guidance played a role in the SEC’s decision this fall to delay internal control reporting requirements to the first fiscal year ending on or after July 15, 2007.

On Dec. 5, 2005, Jennifer Burns of the SEC’s accounting staff, noting the debate over how (or if at all) to apply 404 “to smaller public companies in a cost-effective manner,” predicted SEC recommendations on 404 applicability around April 2006.

On Dec. 14, 2005, the Section 404 Internal Controls Committee (“Subcommittee”) of the SEC’s Advisory Committee on Smaller Public Companies published its preliminary report, which would rewrite the regulatory framework substantially.

The suggestions of the Subcommittee are startling:

Fully exempt from 404 would be most companies with less than $125 million of market cap and revenues.

“Smaller public companies” (with market caps below $750 million and revenues below $250 million, which is about 80 percent of all public companies) would have lesser compliance requirements, and no 404 report by auditors would be required.

Obviously, the Subcommittee was not impressed with the cost-saving potential of the Guidance (which was issued six weeks prior to the Subcommittee report). The Subcommittee chairperson noted that “there is no way to right size . . . [current 404 reporting requirements] for small and micro companies.”

No binding SEC action will occur until well into 2006. The Subcommittee meets again in January 2006 and sends formal recommendations to the full Advisory Committee, which then sends its recommendation to the full Commission for action, presumably next April. The Commission must formally publish proposed new rules which will have their own comment period.

Expectations v. Reality

Although a close reading of the “professional” commentary on the process during 2005 warns against expecting too much, many smaller registrants (and their counsel) hoped that the Guidance would provide a less expensive compliance road map. This was one of the themes of the April 13, 2005 public roundtable discussion held by the SEC.

The SEC Release issued on Oct. 26, 2005 (in conjunction with COSO’s issuance of the Guidance), authored by both SEC chief accountant Donald Nicolaisen and corporate finance division director Alan Beller, echoed this theme: “Concerns have been expressed that . . . frameworks are not appropriately tailored to a small business . . . and that, as a result, the costs and burdens of internal control assessments may fall disproportionately on smaller businesses. Due to these concerns, the SEC staff encouraged COSO to develop guidance on the use of their framework to address the needs of smaller businesses.”

The theme that the Guidance will prove cost effective is echoed in the COSO website, which solicits comments on the Guidance. The second “question” asks for your judgment as to whether “this document will help smaller organizations strengthen their internal controls processes in a more cost effective manner.”

A lawyer reading the Guidance will be disappointed. The road to cost savings is not apparent. The themes seem simplistic:

Smaller companies will spend less money because they are smaller and there will be fewer things to police.

In a smaller company, top management is more hands-on, and can assess effectiveness of controls in the course of performing normal tasks.

Since it may be too expensive to institute front-end controls, there should be a greater (and less expensive) emphasis on back-end analysis (reviewing numbers for anomalies and discrepancies).

Selective Review of the Draft Guidance

There are 26 fundamental principles in COSO, and they are equally applicable to larger and smaller businesses. If the ground rules are the same, how does a smaller issuer reduce costs?

According to the Guidance’s Executive Summary, a company can broaden its pool of audit committee members, build controls into the culture, sharpen risk focus, use software and information technology, use management to monitor, and outsource some activities. Are these approaches practical and will they save money?

The summary states: “This document . . . does not provide relief in the form of a short cut to achieving effective internal control over financial reporting. All components of internal control and the related 26 principles should be in place in order to achieve effective internal control over financial reporting; however, the scale of the approaches to implement the principles may be different for a small company.”

The bulk of the Guidance discusses the six categories into which the COSO framework organizes its 26 principles:

1. Control Environment. The board and management must understand its legal obligation to control financial reporting. It can do so internally or through outsourcing (which is assumed to be less expensive). The majority of examples indicate specific action on the part of the board or the CEO (“the CEO initiated a project to define the authority and responsibility of each member . . .”).

If your company is so small as to lack the infrastructure necessary to implement controls, then senior management must do the job. Is that realistic in a small company where senior management has not only strategic but also substantial operational responsibilities?

2. Risk Assessment. The Guidance states: “Risk assessment in smaller companies can be particularly effective because the in-depth involvement of the CEO and other key managers often means that risks are assessed by people with both access to the appropriate information and a good understanding of its implications.”

There is extensive discussion of the manner of risk assessment, including identification of mapping and IT tools. None of the examples relate to the size of an enterprise, and most require active management or audit committee involvement.

3. Control Activities. “Smaller entities can achieve effective control over financial reporting through a combination of controls that include oversight controls applied by management, and can prepare and maintain a level of documentation that allows for the effective transition of job responsibilities,” according to the Guidance. Policies are to be established to create specific controls.

Compensating controls (review of results) can be relied upon in lieu of more expensive upfront monitoring. However, the detail of the text is not comforting. For example, in discussing the manner in which a simplified system might track inventory and consequently relieve the requirement of counting, there is emphasis on the necessity that the inventory control be “rigorous.”

4. Information and Communication. A company must identify, capture and distribute necessary information, and all personnel must receive a clear message from senior management. How?

Examples revolve around active involvement of the CEO or CFO: daily meetings and activities “in which the CEO and top management participate;” “the CEO . . . has all department heads . . . meet quarterly to validate and document all key assumptions . . . ;” “the CFO . . . determines that for his company there were five key performance/control indicators” and he establishes both controls and management reports for each; a CEO of a small manufacturer “continually reviews risks of the company;” “the CEO . . . has a communications program that includes a newsletter, personal visits to work sites and to employee common areas . . . .”

5. Monitoring. Ongoing monitoring activities of smaller companies are more likely to be hands on and to involve the CEO, CFO and other key managers, according to the Guidance. There is no abatement of standards. The flat organization of the enterprise can facilitate senior management in monitoring tasks.

6. Roles and Responsibilities. The Guidance goes on to state that management, the board, audit committees and employees must understand their responsibilities. The CEO and management must provide oversight. There is recognition that there may not be enough employees adequately to segregate duties and establish tiers of control. One suggested solution is to pass the task to the audit committee.

Templates, We Have Templates

About one-third of the Guidance consists of templates with page after page of detailed charts. These documents list the steps to apply the 26 principles of the COSO framework. These steps are equally applicable to large companies and small companies, and do not contain a road map to cost savings.

However, they do represent, for the first time in one place and in a format with “official sanction,” checklists for establishing 404 controls.

Much of the content of these templates could have been collected from a variety of prior sources, and accounting firms could no doubt provide their own, analogous formats. But for a small company, seeking to establish internal financial controls through its own efforts, the availability of complete templates represents a significant benefit.

To the extent that going off in wrong directions may be avoided, there is cost saving to smaller companies in just having those templates available.

The Bottom Line

The business community expected financial relief. The Guidance gives numerous examples of 404 compliance techniques, but, notwithstanding the detail and but for the templates, scant practical suggestions that relate to cost. Will accountants take this Guidance, as it is finally promulgated in 2006, and actually attempt to use it as a tool for cost savings?

Certainly the numerous suggestions that more functions be performed by CEOs, CFOs, directors and audit committees are not going to be solace to smaller companies. While Sarbanes-Oxley makes it clear that the buck stops at the top, and that 404 requires that both senior management and the board have significant involvement in financial controls, that is different from placing upon these people the task of directly implementing those controls. Establishing policy and leadership is very different from a CEO personally attending a daily meeting with an eye toward financial control.

Travis Drouin, a CPA with an extensive 404 practice for mid-market companies, believes that “it’s unrealistic that the COSO would look for cost saving opportunities; their obligation is to the development of a sound control environment, regardless of size.” He sees the Guidance as common sense implementation, but not much of an advance on the practical advice that accounting firms already have been giving to the middle market.

The attitude of a managing partner in one Big 4 Firm is revealing: 404 is “a cost of doing business these days,” and he expects no 404 changes in the foreseeable future. Never once did the PCAOB say to his firm, “you over-did it” in dealing with 404 compliance.

The final say in this matter likely will be the SEC action promised for next spring. Unable to push the accountants back from the intensity (and cost) of the 404 process under COSO, the Commission seems poised to issue the majority of public companies a lifetime free pass.

Stephen M. Honig is a member of Duane Morris’ corporate department in the firm’s Boston office. You can reach him at [email protected]. Travis M. Drouin, CPA, a partner with Moody, Famiglietti & Andronico, LLP of North Andover, Mass. assisted in this column. Mr. Drouin leads MFA’s Sarbanes-Oxley practice and advises clients listed on all major exchanges.