At a recent Two Step Software webinar entitled “Lessons Learned in 2007: A Recap of Stock Option Reporting Updates,” more than half the audience of financial executives responded that they had not taken any steps to prepare for the new risk assessment auditing standards that apply to non-public companies (Statement on Auditing Standards 104-111). This is despite the fact that, according to Dan DeVasto, the CEO of Wolf & Company, P.C., these changes to the audit standards are some of the most significant in two decades.
As explained by his partner Scott Goodwin, although non-public companies are not required to provide the same types of certifications and management reports as public companies, since they are not subject to the Sarbanes-Oxley Act, the audit standards by which the internal controls of non-public companies are going to be reviewed are now relatively similar to those of public companies (SAS 104-111 from the AICPA for non-public companies; Auditing Standard 5 from the PCAOB for public companies). In both cases, auditors will be using a COSO-type framework to assess whether a company’s internal controls over financial reporting are sufficient and will need to advise the audit committee if they are not. Of course, for a non-public company there is no requirement that the executives provide a Sec. 302 certification, that management provide a Section 404(a) report, or that the auditors provide a Sec. 404(b) opinion (which is not yet required for smaller public companies).
Question: Why are public companies spending significant amounts of money addressing their internal controls to comply with Sec. 404 of SOX and satisfy AS 5 while GAAP-reporting venture-backed companies are largely paying little attention to satisfying SAS 104-111, although the exercise that their auditors will be going through evaluating the sufficiency of the internal controls over financial reporting for both types of companies will largely be the same?
Answer: For a non-public company, there is no threat of public embarrassment, lower share price, and criminal penalties for the company and management if they do not satisfy the internal controls requirements. There is only the risk that an audit will take longer, become more costly, and the audit firm will be required to document and communicate any material weaknesses to management and “those charged with governance” (SAS 112).
Let’s Ask: With the impact of SOX clearly being felt by non-public companies already, whether based on pressure and covenants from investors, lenders, insurers, and other stakeholders, is it really necessary to add the threat of criminal sanctions to encourage companies that plan to be acquired by publicly-held companies in the near future to raise the level of their internal controls over financial reporting?
I hope not. Maybe by sufficient education on the benefits that companies receive by adopting good corporate governance and appropriate internal controls over financial reporting, we can keep “SOX Lite” from becoming mandatory for companies without public investors. Hopefully, instead, sufficient oversight can be provided by audit committees and directors of venture-backed companies that hope to one day become public themselves or be acquired by publicly-held companies. Better internal controls over financial reporting are relevant to any company that is looking to increase its value in the financial marketplace. Every venture-backed company finds this out during the business due diligence process, which is eventually when the “rubber meets the road.”