September 15, 2006

Via Electronic Mail

The Honorable Christopher Cox, Chairman
U.S. Securities and Exchange Commission
Attn: Nancy M. Morris, Secretary
100 F Street, NE
Washington, D.C. 20549

Re: File Number S7-11-06; Concept Release Concerning Management’s Reports on Internal Control Over Financial Reporting (71 Fed. Reg. 40,866).

The Office of Advocacy (Advocacy) of the Small Business Administration (SBA) is pleased to submit these comments on the U.S. Securities and Exchange Commission’s (SEC) release, Concept Release Concerning Management’s Reports on Internal Control Over Financial Reporting.1 Advocacy commends the SEC for the forthcoming management guidance on Section 404 of the Sarbanes-Oxley Act of 2002.2 Advocacy also supports the SEC’s proposed extension of Section 404 compliance deadlines for non-accelerated filers and newly public companies, to provide these entities with the benefit of this guidance.3 Advocacy believes that the new Section 404 requirements will still impose large and disproportionate costs on smaller public companies, and urges the SEC to continue to provide flexibility to these small entities until such time as more cost-effective procedures for audits can be developed.

The Office of Advocacy, created in 1976, monitors and reports on agency compliance with the Regulatory Flexibility Act of 1980 (RFA), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA).4 The RFA requires federal agencies to determine a rule’s economic impact on small entities and consider significant regulatory alternatives that achieve the agency’s objectives while minimizing the impact on small entities. Because it is an independent office within the SBA, the views expressed by the Office of Advocacy do not necessarily reflect the views of the SBA or the Administration.

1 Concept Release Concerning Management’s Reports on Internal Control Over Financial Reporting, 71 Fed. Reg. 47,866 (July 18, 2006).
2 Sarbanes Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (2002).
3 Internal Control Over Financial Reporting In Exchange Act; Periodic Reports of Non-Accelerated Filers and Newly Public Companies, 71 Fed. Reg. 47,060 (August 15, 2006).
4 Pub. L. No. 96-354, 94 Stat. 1164 (1980), (codified as amended at 5 U.S.C. §§ 601-612).

I. Risk and Control Identification

The Sarbanes-Oxley Act of 2002 was created to avoid fraudulent or mistaken financial reports by public companies, thereby protecting investors.5 Section 404(a) requires that management assess the effectiveness of its company’s financial reports, by identifying any risks to financial reporting and designing appropriate internal controls that address the risks. Section 404(b) requires an external auditor to report on whether the management’s assessment is fairly stated and to attest to whether the company’s internal controls are effective.6

Advocacy suggests that the SEC discuss the “top-down, risk-based” approach that it recommends that public companies utilize, because this term is not defined in the concept release.7 In a top-down approach, the auditor identifies the company’s internal controls in a sequential manner, starting from the top organizational controls, then focusing on related accounts controls, and finally moving down to the transactional level controls.8 This approach prevents companies from “spending unnecessary time and effort documenting a process or testing a control that is unlikely to assist in detecting fraud or a mistake in a company’s financial reports.”9

In the absence of any management guidance, public companies have followed Auditing Standard No. 2 (AS2) of the Public Companies Accounting Oversight Board (PCAOB),10 a guide for external auditors to assess standard public companies.11 Auditors and consultants conservatively have applied this one-size-fits-all accounting standard to both large and small companies complying with Section 404.12 Many companies utilizing the broad AS2 framework have found that “it does not effectively identify the risks and the internal controls needed by a company, which ultimately leads to the identification, documentation and testing of an excessive number of controls that may not be important or may be risky to the integrity of a company’s financial statements.”13 Advocacy anticipates that revisions to the AS2 accounting standard will take into account the different characteristics that smaller companies have from larger companies that affect a company’s financial reporting risks and internal control, such as differences in organizational structure, ability to segregate duties and amount of resources available for Section 404 compliance.

5 Id.
6 Id.
7 71 Fed. Reg. at 40,870.
8 Patrick O’Brien, Reducing SOX Section 404 Compliance Costs Via a Top-Down, Risk-Based Approach, The CPA Journal (April 2006), (available online at http://www.nysscpa.org/cpajournal/2006/806/essentials/p36.htm).
9 71 Fed. Reg. at 40,870.
10 SEC Advisory Committee on Smaller Public Companies, Final Report of the SEC Advisory Committee on Smaller Public Companies, at 30 (April 23, 2006) (Advisory Committee Report) (available online at http://www.sec.gov/info/smallbus/acspc.shtml).
11 Id.
12 Id. at 32.
13 71 Fed. Reg. 47,866 (July 18, 2006).

II. Management’s Evaluation

In the absence of guidance, management at small public companies used AS2, a complicated reference material produced by the PCAOB that is over 160 pages long and was designed for external auditors and accountants.14 Advocacy believes that the SEC should develop management guidance that is easily accessible and understandable to members of the small business community.
Management teams continue to have problems identifying risks and internal controls to address those risks, which results in high costs due to testing and documenting low-risk areas. Advocacy spoke to auditors and consultants for small public firms, to get their insight on ways to create informative and useful guidance for the management at these small entities. One auditor suggested that instead of the vague principles in AS2, the guidance should have definitions, illustrative examples, case studies, and practice sets.15 For example, the guidance could have case studies of public companies with different factors (such as amount of equity, number of locations), and what adequate internal controls those companies established. A compliance consultant suggested that companies look at Section 404 reports of other companies in their industry to find common high-risk areas and internal control problems.16

Advocacy also recommends that the SEC management guidance define terminology like “entity-level controls,” “transaction-level controls,” “significant deficiency” and “material weakness.”17 The SEC should provide illustrative examples and case studies to clarify these ambiguous and complicated accounting and legal terms.

III. Documentation to Support the Assessment

Many companies in their first year of compliance with Section 404 identified too many internal controls due to their application of AS2, and incurred excessive documentation costs.18 Advocacy is concerned that small public companies utilizing AS2 will also incur these large documentation costs, and recommends that the level of documentation to support a management assessment report should be scaled to the size of the company. Small companies should not be expected to have the same level of documentation as a large company, because these entities have a smaller organization structure, establish a lower amount of internal controls and utilize more informal modes of communication.
Advocacy spoke to members of the small business community, who voiced their concerns about the amount, the nature and the cost of documentation that would be required under Section 404. An auditor for small businesses suggested that the SEC provide guidelines and timelines for documentation.19 A representative from the banking industry noted that companies incur large costs due to duplicative documentation for the management assessment report and the auditor’s attestation reports.20 Advocacy recommends that the SEC clarify the documentation requirements, and evaluate lower cost documentation alternatives for smaller entities.

IV. Conclusion

Advocacy praises the SEC for developing the forthcoming management guidance on Section 404, and for gathering comments and input from the small business community. Advocacy believes that the Section 404 requirements will still impose large and disproportionate costs on smaller public companies, and urges the SEC to continue to provide flexibility to these small entities until such time as internal control audits can be completed in a cost-effective manner.

Advocacy is pleased to submit these comments on behalf of small businesses. If you should have any questions on this letter or related issues, please feel free to contact me or Janis Reyes at Janis.Reyes@sba.gov or (202) 619-0312.

Sincerely,

//signed//
Thomas M. Sullivan
Chief Counsel of Advocacy

//signed//
Janis C. Reyes
Assistant Chief Counsel

cc: Steven D. Aitken, Acting Administrator, Office of Information and Regulatory Affairs

14 Public Company Accounting Oversight Board, Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements (March 9, 2004) (available online at: http://www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_Standard_2.pdf).
15 Telephone interview with John C. Malone, JD, CPA, Malone-Bailey PC, Houston, Tx. (Sept. 11, 2006).
16 Robert Benoit, Lord & Benoit MicroSox Implementation Framework (2006) (available online at: http://www.sec.gov/news/press/4-511/bbenoit3806.pdf).
17 71 Fed. Reg. at 40,871.
18 Id. at 40,872.
19 Telephone interview with John C. Malone, supra note 15.
20 Telephone interview with Sharon Ann Haeger, Regulatory Counsel, America’s Community Bankers (Sept. 11, 2006).