News Stay informed about the latest enterprise technology news and product updates.

SOX 404 compliance costs are lower than expected after first year

As it turns out, you may not be paying as much as you expected for your foray into SOX compliance -- at least not according to a new study of a handful of smaller firms.

New research suggests that smaller companies are paying on average about 14% less to comply with Sarbanes-Oxley Section 404 (a) and Section 404 (b) regulations than pundits predicted -- and far less than some small business advocates are claiming.

More on Sarbanes-Oxley
Sarbanes-Oxley compliance costs drop, better processes credited

Compliance strategies for the midmarket

SOX extension granted, but auditor role still unclear
Lord & Benoit LLC, a Sarbanes-Oxley Act (SOX) research and consulting firm based in Worcester, Mass., found that for nonaccelerated filers (those under $75 million in market cap) the average first-year cost for management assessment and additional audit fees is $78,474. That's 13.8% less than the $91,000 tab estimated by the Securities and Exchange Commission (SEC).

"I think the report just dispels the myth that costs are out of control," said Robert Benoit, president, Lord & Benoit. "[The report] doesn't really have an agenda beyond it. This is what it really costs, and these numbers are nowhere near what people have been saying it costs."

The Lord & Benoit report, "The Sarbanes-Oxley Investment: A Section 404 Cost Study for Smaller Public Companies," is based on a cross-section of 29 smaller public companies in 12 industries, including manufacturing, distribution, banking and finance, and biotech. The report is also based on an analysis of actual audit fees reported by nearly 5,500 public companies.

Passed in 2002, SOX was intended to prevent the corporate accounting scandals that bankrupted giant public companies such as Enron Corp. and WorldCom Inc. SOX 404 requires that a public company explain its internal controls and have those controls certified by an external auditor.

Opponents have claimed from day one that the SOX 404 compliance costs of are disproportionately unfair to smaller companies. Pressured by groups such as the House Committee on Small Business, the SEC pushed back the Section 404 compliance deadline for smaller public companies. Throughout 2007, however, it warned smaller companies that there would be no more extensions and that they would have to step up to the SOX plate, as their larger brethren have before them. Then in December, SEC Chairman Christopher Cox offered small businesses another reprieve by granting an extension on SOX Section 404 (b) -- that's the auditor requirement -- until 2009.

I think the report just dispels the myth that
costs are
out of control.

Robert Benoit
presidentLord & Benoit LLC
But the actual cost of compliance to small business is debatable. Benoit argues that the numbers being used by groups such as the House Committee on Small Business are "notoriously high" and merely estimates.

U.S. Rep. Nydia Velázquez, chairwoman of the House Committee on Small Business, recently published a report that claimed small businesses could spend up to 3% of their net income complying with SOX. But even Velázquez has asked the SEC to provide a hard dollar estimate on compliance costs for small firms, stating in a Dec. 12 press release that "without solid data we cannot truly understand the possible effects these regulations will have on small public companies and on the economy."

Other groups, such as Jefferson Wells International Inc., a professional services company that specializes in internal audit and controls, estimate the first-year cost of SOX compliance for smaller businesses could range anywhere from $100,000 to several hundred thousand dollars.

Regardless, whether it's $78,000 or $100,000, the cost is still too high, according to some experts in SEC regulations.

"From what I've been able to gather from conversations with clients and others, a 15% reduction in costs is good, but it's still a lot of money," said John Hagerty, an analyst at Boston-based AMR Research Inc. "It's still cost prohibitive. The number would have to be down to about $25,000 to $35,000 before the squawking would stop."

Moreover, these findings are not likely to persuade the SEC to change its mind about the deadlines. "Once the decision is made," Hagerty said, "the SEC will not backtrack on it."

Let us know what you think about the story; email:

Dig Deeper on Small-business IT strategy

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.