SEC Rule Change Provides Potential SOX Costs Relief for Smaller Companies

The US Securities and Exchange Commission (SEC) released a final rule that amends the filing status definitions for SEC issuers. The amendments were effective as of April 27, 2020.

The rule change expands the number of issuers that will no longer require an auditor attestation of internal control over financial reporting (ICFR) in accordance with Sarbanes–Oxley Act (SOX) 404(b). It provides much-needed relief in compliance costs for those companies that qualify under the amended filer definitions, and allows those companies to focus their budgets and efforts on research and commercialization—especially in the pre-revenue, development, and discovery phases of their company.

For more specific details about the rule change itself, please see SEC Amends the Accelerated Filer and Large Accelerated Filer Definitions.

Learn how the rule change could provide certain companies with relief from SOX compliance and audit costs.

Management Considerations

If your company has historically been required to get an attestation as part of 404(b) compliance, a change in filing status may mean a 404(b) opinion is no longer required.

A company can elect to obtain a 404(b) attestation beyond the compliance requirements in order to provide greater assurance to the users of the financial statement.

However, the company could also reduce the time and costs associated with pulling auditor documents by taking advantage of compliance cost and effort relief from 404(b) during the current year.

How does a company justify either decision and proceed?

Explore some considerations below.

Interpretive Release 33-8810

The SEC’s Interpretive Release 33-8810 provides guidance for management regarding its evaluation and assessment of ICFR that satisfies the evaluation requirements of Rules 13a-15(c) and 15d-15(c) under the Securities Exchange Act of 1934 and the management assessment requirements of 404(a).

The release specifies that, while management is responsible for maintaining reasonable evidential support for its assessment, management’s daily interaction with its controls—including ongoing direct involvement and supervision of their execution based on risk assessments—could provide management with sufficient knowledge to assess ICFR.

The SEC guidance adds the caveat that a company must assess its own particular facts and circumstances when determining whether its daily interaction with controls is sufficient. For a smaller reporting company (SRC), the smaller market capitalization and the lack of significant revenue make it likely that the company has centralized operations with low complexity and few levels of management.

Management, as an SRC, will still have the same control activities in place and operating, but generally won’t be required to provide as much documentation to meet the auditor’s need under Public Company Accounting Oversight Board (PCAOB) scrutiny.

Choosing an approach to ICFR includes an assessment of the risks specific to your company.

Risk Tolerance

Consider the decision in context of risk and return—an entity should manage risk at an optimal level that maintains or enhances the enterprise value.

The purpose of performing a top-down SOX risk assessment is to identify significant risks that could materially impact financial reporting, then focus attention on those identified risks. 

If a company employs insufficient risk-taking, management activities focus on the minutiae, tend to have minimal impact, and become diluted and ineffective. For example, a large accelerated filer shouldn’t apply the same diligence to petty cash as it does to revenue recognition.

Conversely, an organization shouldn’t take on excessive risk and create an unstable control environment. An organization should find a balance where risk taking is at an optimal level that can be easily supported or justified to stakeholders.

This balance will look different for every company.

404(a) vs 404(b): No Change to Controls

It’s important to re-affirm that a company moving from 404(b) to 404(a) doesn’t inherently experience changes to its internal control environment and activities. The same controls should remain in place to address the in-scope risk; there shouldn’t be changes to the processes, people, and systems that support these control activities.

Regardless of whether the company is 404(a) or 404(b), an external auditor must conduct procedures over processes—typically as walkthroughs—in order to fully understand and identify the likely sources of potential misstatements where a necessary control is missing or ineffectively designed.

For an entity required to comply solely with 404(a), the extent of internal control design and operating effectiveness ends here. Auditors may find it more efficient to rely on substantive testing to support the financial audit opinion.

An auditor that isn’t required to issue the integrated opinion isn’t obligated by PCAOB standards to test the internal controls for operating effectiveness to support its audit opinion on the entity’s financial statements, unless it can’t obtain the necessary evidence through substantive procedures alone.

Auditors may choose to test internal controls, including information technology general controls, where the approach would be the most efficient and effective audit approach. Auditors may need to test information technology controls to obtain evidence relating to information that is dependent on an entity’s information systems.

When scaling its SOX compliance program during the period when an integrated audit is no longer required, an entity should work with its auditors to understand the accounts and cycles the auditors will continue to test. A thoughtful approach to scaling an entity’s SOX compliance allows for good risk management while reducing overall compliance costs as intended by the SEC’s new rules.

Key Takeaways

The objectives the SEC presented in the release are as follows:

  • Reduce SOX compliance costs by providing relief for smaller companies by expanding the number of issuers that qualify as non-accelerated filers
  • Maintain investor protection by affirming that, even with reduced compliance oversight, the rule change won’t adversely affect the ability of investors to make informed investment decisions on non-accelerated filers

The SEC states the effects of the rule change are unlikely to result in an increased rate of ICFR issues. The historical, self-reported rate of ICFR ineffectiveness for non-accelerated filers averaged around 40%; for large accelerated filers subject to 404(b) audits, the rate of ineffective ICFR was around 4%.

Based on this new rule change, there’s an opportunity to scale your SOX compliance program to the specific elements of consideration for your organization. Non-accelerated filers can avoid incurring disproportionately significant compliance costs to comply with 404(b), and instead repurpose finances to internally generated, value-enhancing capital for investment, research, or hiring.

Note that relief from the external auditor’s 404(b) audit doesn’t relieve management of performing its own 404(a) assessment. A change in filing status shouldn’t impact the risks and controls, or the accounts and disclosures, that were in scope for SOX.

Your approach to risk management and SOX should be based on your specific circumstances and risk appetite. Work with your accounting professional to identify an approach that balances risk and compliance against costs and benefits.

We’re Here to Help

If you have any questions regarding the SEC rule change and how to scale your SOX compliance program, please contact your Moss Adams professional.