Smaller Reporting Companies and Section 404(b): Where are We?

by Craig Butler on April 5, 2010

If you are an officer or director of a small public company with a fiscal year end of December 31st, as you read this you are about one year away from requesting an auditor attestation report in compliance with Section 404(b) of Sarbanes-Oxley from your company’s independent auditor.  If your company has a fiscal year end of June 30th, you are much closer as the independent auditor attestation reports mandated under Section 404(b) are schedule to kick in for smaller reporting companies starting with the end of their first fiscal year after June 15, 2010.  The purpose of the article is to answer some of the most common questions we are being asked by our clients, as well as, provide a brief overview of what Section 404(b) mandates, determine if any relief is in sight, make suggestions as to what officers and directors of smaller reporting companies should be doing now, and then a brief opinion regarding what this author thinks our legislature should do with Section 404(b) as it applies to small public companies.

            Section 404(b) of Sarbanes-Oxley

            I won’t fully recite the history of Section 404(b) and what it mandates in this article as that information can be found in innumerable sources on the Internet.  However, a brief overview is helpful.  Under Section 404(b) of the Sarbanes-Oxley Act of 2002, companies are required to get an attestation from their independent auditors regarding the effectiveness of the company’s internal control over financial reporting.  Companies that are “large filers” had to start complying with Section 404(b) in 2004, but the Securities and Exchange Commission has repeatedly extended the deadline for non-accelerated filers (including smaller reporting companies).  On October 2, 2009, the SEC announced another extension for small public companies, which is set to expire beginning with the annual reports of those companies for their fiscal years ending on or after June 15, 2010.  In granting this extension SEC Chairman Schapiro indicated no further SEC extensions would be forthcoming and all companies needed to “act with deliberate speed to move towards full Section 404 compliance.”


            Is There Any Possible Relief From Section 404(b) After This Last Extension?            

            Possibly, but officers and directors of small public companies should not be relying on any relief.  In November 2009, the U.S. House Financial Services Committee voted to approve the “Investor Protection Act of 2009.”  If this bill is eventually signed into law, without major revisions, it would include a permanent exemption from the auditor attestation requirements of Section 404 (b) for smaller public companies (those with less than $75 million in market capitalization – which would include smaller reporting companies).   

What are the chances of success for this legislation?  Tough to tell but as of the date of this article it has not come before the whole House for consideration or a vote.  Considering this bill has opposition from SEC Chairman Schapiro and investor advocacy groups, but support from the Treasury Department and some White House officials, this bill could go either way.  However, in order to become law the bill must pass the House, get through the Senate, and then be signed by the President.  Additionally, even if the bill becomes law the particular provision that relates to exempting small public companies from Section 404(b) must survive any changes made to the bill prior to the time it is actually signed into law.  Considering it is early March 2010 and the bill has not been considered by the House yet, much less the Senate, and there are many other pressing matters before Congress, I am not too hopeful that this bill passes and becomes law before the June 15, 2010 date comes and goes.


             What Should Officers and Directors of Smaller Public Companies Be Doing?
             Based on the above, officers and directors of smaller public companies should not be relying on the Investor Protection Act of 2009 to save them from complying with the requirements of Section 404(b) for their next annual report on Form 10-K.  As such, officers and directors of smaller public companies should be taking the steps necessary to prepare for this requirement.  Among these steps, first, talk with the company’s auditor.  See if they are auditing any large public filers that are already complying with this requirement.  If they are, ask if they will provide you with a checklist or outline of what it is they are requiring of those companies in order to issue the required auditor attestation.  Also, have them give you at least an estimate of the percentage increase in the audit bill for their clients complying with Section 404(b) compared to before those companies were required to comply with Section 404(b).  Obviously, most auditors will not give you a dollar figure for any other clients, but they may help you by giving you a percentage increase in their average client’s audit bill post-404(b) v. pre-404(b), or their anticipated percentage increase for small public companies needing 404(b) auditor attestations.  Based on our informal poll of auditors, 404(b) compliance is likely to add 20% to 50% to a company’s annual audit expenses, but this could vary widely.  Regardless of the amount though, a company’s second step should be preparing financially for the impact of 404(b).  This financial impact is likely to arise in two primary ways.  First, the cost of internal compliance may go up (the company may need to hire additional personnel to satisfy an auditor that the company’s internal controls are effective and be will be willing to attest to it), and, second, the company’s audit bill is likely to go up (based on the additional work to be done by the auditor to check the effectiveness of the company’s internal controls).  Third, a company needs to put into place whatever changes are necessary to ensure that they not only have effective internal controls, but also that the auditor will be willing to sign an attestation regarding the effectiveness of those controls.  The changes could include hiring additional qualified personnel, putting new written policies and controls in place, updating software or computer programs, and/or changing who or how the oversight over your company’s financial processes.  Keep in mind the deadlines for 404(b) are quickly approaching and if your company has not already started with the process of complying with Section 404(b) it needs to be, and quickly. 

             My Two Cents


             I have been asked a few times by companies and auditors regarding what I believe will happen with Section 404(b) as it relates to small public companies, as well as what I believe should happen.  As to the first issue, although it is getting pretty late in the game for SEC extensions or legislation, it is not too late as we sit here today.  However, given Ms. Schapiro’s comments in the October 2009 SEC press release granting the last extension regarding Section 404(b), as well as her opposition to the “Investor Protection Act of 2009, I do not believe the SEC will be granting any further extensions.  This leaves us with Congress and the President.  Given some of the other provisions in the legislation, I believe there is still a chance that the “Investor Protection Act of 2009” passes Congress and is signed into law, but I don’t know that the exemption to Section 404(b) for small public companies will be part of the final legislation. Given the nature of the current political climate, doing anything that could be construed to lessen the oversight of any public companies is going to be difficult for politicians to justify, even if it makes logical sense.  For that reason I am not holding out hope that the exemption will pass as legislation.

            As for what I think should happen?  I have read various blogs and heard certain commentary along the lines that company “fraud” and “lack of transparency” has cost investors millions and therefore as much regulation as can be placed on public companies, including small public companies, is a good thing.  I disagree.  As it stands now small public companies have their annual financial statements audited by a PCAOB-approved auditor (who itself is audited by the PCAOB), have their quarterly financial statements reviewed by a PCAOB-approved auditor, are responsible for disclosing the internal controls over financial reporting they have in place, must give an attestation by management regarding the sufficiency of such internal controls, and have their CEOs and CFOs sign Section 302 and 906 certifications for each annual and quarterly report filed by the company.  Do these requirements completely stop fraud?  No, but I argue nor would 404(b) compliance.  And what additional benefit is being gained by 404(b) auditor attestations?  And at what cost?  Additionally, investors investing in small public companies realize these investments come with increased risk over large public companies, just by virtue of the fact the companies are typically younger, more in the start-up phase, and have riskier businesses.  My argument is that the risk of investing in these companies is greater based on their lack of operating history than the chances of fraudulent activity.  And as many large public companies have proven through history, especially the last decade, if they are fraudulent companies and individuals no amount of third party oversight is going to prevent wrongdoing and investors being harmed.  In the end I do not believe the increased cost small public companies will incur to comply with 404(b) is buying that much additional protection, if any at all.  As a shareholder in numerous smaller public companies I would rather have the companies spending the money on growth rather than complying with the requirements of Section 404(b).  But that is just my opinion.

 * * *

             The Lebrecht Group, APLC provides comprehensive advice on a variety of corporate and securities law matters.  Please contact us if you have any questions.

             To view other articles written by Mr. Butler, please follow this link or cut and paste it in your Internet browser:               

             Craig V. Butler, Esq. is an attorney with The Lebrecht Group, APLC, located in Irvine, California and Salt Lake City, Utah.  He can be reached at (949) 635-1240 or via e-mail at with questions or comments.  Please visit our website at for future updates and other information.

Previous post:

Next post: