Testimony Concerning the Sarbanes-Oxley Act of 2002 and its Impact on Small Businesses

Chairman Kerry, Ranking Member Snowe, and Members of the Committee:

I am pleased to appear today on behalf of the Public Company Accounting Oversight Board ("PCAOB" or the "Board"). to speak about the impact of the Sarbanes-Oxley Act of 2002 (the "Act") on small business, and, in particular, the PCAOB’s oversight of small audit firms. I am also pleased to join Chairman Cox before you today. The PCAOB works closely with the Securities and Exchange Commission ("SEC") to achieve our shared goal of protecting the interests of the investing public in the preparation of informative, accurate and independent audit reports on public company financial statements.

I. Introduction and Background

This Committee’s focus on small business and entrepreneurship and the Committee’s particular focus today on the impact of the Act are both appropriate and very timely. The PCAOB, along with our colleagues at the SEC, are in the final stages of replacing Audit Standard 2, which I will later describe in greater detail. A priority concern that triggered our current efforts is the desire to assure that the audit standard mandated by the Act can be conducted in a manner consistent with the size and complexity of America’s small publicly traded companies.

Mr. Chairman and Committee members, we see two important dimensions to the PCAOB focus on small business. First, of the 1,000 plus domestic audit firms that have registered with the PCAOB, the overwhelming majority are small firms. While our experience in examining these firms varies to some extent, we are reassured to PCAOB Testimony Page 2 April 18, 2007 discover that many very small firms provide audits of consistently high standard for their clients, many of whom are small businesses.

The second dimension of our small business focus is our recognition that these small businesses constitute the largest segment of entities impacted by our audit standards, and we need to be cognizant of their needs as we develop the standards.

With more than half of all American households invested in U.S. public companies,[1] the discoveries of financial reporting and auditing improprieties at numerous public companies earlier this decade swelled in 2002 to a national crisis in confidence in the integrity and reliability of public companies’ financial statements. Widespread investor risk aversion across markets adversely affected innovation and the economy more broadly.[2] This led to a predictably strong response on the part of the investing public, as well as boards of directors at public companies, the accounting profession, regulators, and Congress. There was an increased recognition of the need to bolster internal controls over financial reporting and bring an enhanced focus to corporate governance. Congress reacted by passing the Act, which among other things established the PCAOB to replace the audit profession’s self-regulatory model with an independent oversight system.

The PCAOB’s mandate is to oversee the auditors of public companies, in order to protect the interests of the investing public in the preparation of informative, accurate and independent audit reports on public company financial statements. The PCAOB does not set accounting standards or regulate disclosures by public companies; rather, its role is to enhance the quality of the audits of those companies. Simply put, the PCAOB’s job is to improve the quality and reliability of public company audits, so that investors can have more confidence in audited financial statements. High quality financial disclosure by public companies is a cornerstone of U.S. capital markets and is necessary for the continued growth and competitiveness of the U.S. economy.

With that brief history as context, I would like to devote my time today to describing the PCAOB’s programs, with a particular focus on the PCAOB’s approach to small audit firms. In addition, I will describe the PCAOB’s efforts, together with the SEC, to implement the provisions of the Act related to internal control, again with a particular focus on preparations for small companies and their auditors to implement those provisions, according to the timetable established by the SEC.

II. The PCAOB’s Auditor Oversight Programs Foster a Dialogue with Small Audit Firms to Help Them to Improve Their Audits and Compete in the Market to Provide Public Company Audit Services.

Subject to the oversight authority of the Securities and Exchange Commission, the Board is responsible for --

  • Registering audit firms that prepare audit reports for U.S. public companies;
  • Establishing, by rule, auditing and related professional practice standards relating to the preparation of audit reports for U.S. public companies;
  • Conducting inspections of registered firms;
  • Conducting investigations of, and imposing appropriate sanctions where justified upon, registered firms and associated persons of such firms.

I will focus my remarks today on the PCAOB’s oversight and interaction with small firms in particular.

A. More Than 1,700 Accounting Firms Have Registered with the PCAOB.

Early concerns that independent oversight might deter firms, particularly smaller firms, from continuing to audit public companies have not been borne out. On the contrary, since the PCAOB opened its doors in January 2003, it has registered more than 1,700 accounting firms that audit, or wish to audit, U.S. public companies. Of these firms, about 1,000 are U.S. firms. The firms vary dramatically in size. Some are multi-office regional firms with several, and sometimes a great number of, partners and professional staff, and others are sole practitioners with no professional staff. Only about 125 of these firms had more than five public company clients at the time they registered. In addition, more than 450 of these firms registered even though they were not the auditor of record for a public company at the time they registered..[3]

The PCAOB has observed that the market is improving for small audit firms registered to audit U.S. public companies. While the Big Four firms audit most public companies, they have reduced their public company audit client base over the past few years. At the same time, the next four and even smaller firms have increased the number of public companies that they audit.[4] Indeed, within the last year, two registered firms have grown their audit practices to such an extent that they now issue audit reports for more than 100 public companies, which triggers the requirement under the Act and the Board’s rules that the Board conduct annual inspections of those firms.

Smaller firms are likely to continue to seize opportunities to expand their businesses by taking on new clients appropriate to the size and sophistication of the firms’ practices. At the same time, for their business growth to reach its full potential, the firms must understand and know what is expected of them within the Sarbanes-Oxley and PCAOB framework. For smaller firms, the adjustment to that framework can give rise to issues and questions different from those for the larger firms.

B. The PCAOB Uses Outreach to Small Firms and the Small Business Community to Provide Information About PCAOB Activities and Seek Insight on Small Business Concerns and Challenges.

The PCAOB has established an ambitious outreach effort directed toward small registered firms and their audit clients to address their unique issues and questions. These one- and two-day discussion sessions, called Forums on Auditing in the Small Business Environment, follow an in-depth curriculum on PCAOB activities and developments. They have provided an avenue for small registered firms and small public companies to obtain a better understanding of the workings of the PCAOB, and they have fostered a robust dialogue that has given the PCAOB valuable insights to apply in its programs. In addition, I believe the Forums have better equipped firms with information to address the challenges of the new regulatory environment.

To date, the PCAOB has held 19 Forums in 14 metropolitan areas across the country. Nearly 2,000 people involved in the small business community have attended the Forums, including about 1,400 auditors from smaller public accounting firms. Based on positive feedback from participants, the PCAOB intends to continue to hold Forums to further the PCAOB’s dialogue with such firms and companies.

C. The PCAOB’s Supervisory Inspection Program Helps Small Firms Focus on Audit Quality Necessary to Compete in the Market to Provide Public Company Audit Services.

While the Forums reach small firm auditors in a group environment, PCAOB inspections foster an even deeper, one-on-one dialogue between the PCAOB and small registered firms. Under the Act and the Board’s rules, firms that audit the financial statements of 100 or fewer public companies are subject to inspection at least once every three years. The PCAOB has taken a supervisory approach toward implementing its inspection program. In these inspections, the PCAOB has observed first-hand how some small firms distinguish themselves professionally and competitively by performing high-quality audits. In other cases, PCAOB inspections identify areas in which firms should do better. For those firms that strive to improve the quality of their audits and their ability to compete for public company audit clients, the supervisory dialogue throughout the inspection process helps them to do so.

While the PCAOB’s inspection program is the core of its supervision of registered firms, these inspections take place largely outside the public view. This is because the Act mandates a significant degree of confidentiality relating to inspection information. One particular provision relates to any portion of a PCAOB inspection report that describes criticisms of the firm's system of quality control. Under the Act, a firm has one year to show that it has satisfactorily addressed those criticisms, and if it does so those criticisms remain nonpublic. This remediation mechanism reflects Congress’s policy decision to use the possibility of public disclosure as an incentive to firms to address systemic problems.[5] It has proven to be a key tool to motivate firms to do better. When the PCAOB identifies problems, firms typically take those criticisms seriously and make substantial changes within a year.

Under the Board’s supervisory approach, it is able to use its inspection process to address most of the individual, or isolated, auditing problems identified, without the need to invoke its disciplinary authority to enforce applicable laws and standards. For example, when an individual audit is not up-to-grade, inspectors discuss with the firm precisely what the deficiency is. Sometimes this means a firm will perform additional audit procedures to shore up a weak audit. When the problem relates to an individual auditor, a firm may provide additional training to or supervision of the person involved or take other action the firm determines is appropriate. Thus, the PCAOB inspection process has been able to prompt and facilitate firms' achievement of significant realtime improvements, often even before an inspection is concluded.

D. The PCAOB Develops Auditing and Related Professional Practice Standards with the Needs and Challenges of Small Firms in Mind.

The Act directs the Board to establish certain standards for use by auditors of public companies. Those include standards for auditing and related attestation work, standards for quality controls, ethics standards, and independence standards. In order to ease firms’ transition to independent oversight, early in the Board’s first year of operation, in 2003, the Board adopted as interim standards certain auditing and related professional practice standards that had been developed and adopted by the auditing profession prior to the establishment of the PCAOB. These are standards with which audit firms large and small were already familiar, as they existed on April 16, 2003.[6]

Since adopting this body of pre-existing standards, the Board has adopted four new standards[7] as well as new ethics and independence rules relating to tax services and contingent fees. To develop new standards and rules, the Board uses a standardssetting process that provides for public input at a variety of stages. In particular, three times a year the Board holds a public meeting with its Standing Advisory Group.[8] The advisory group’s 31 members are drawn from a cross-section of the nation’s companies – small and large – as well as auditors from small and large accounting firms, investors and their advisors, academics, and others. These individuals share their informed opinions on how the Board, consistent with its mandate, can improve the quality of audits, including by advising on best practices and emerging issues. Many of the advisory group’s discussions have focused on matters related to small business and the audits of small registered firms. On occasion, they have also included dedicated panels of small firm auditors who can offer their insights on best practices and their experiences with the unique challenges the small business community faces.[9]

In addition to seeking the views of its advisory group members and other interested persons, the Board seeks public comment on proposed new standards and rules, makes those comments publicly available on its Web site, and considers them before adopting final standards or rules. Board standards are also subject to SEC review, and they do not go into effect unless they are approved by the SEC.[10]

III. The PCAOB’s Role in Implementing the Act’s Internal Control Requirements

I would like to devote the remainder of my time today to the PCAOB’s role in implementing, through its auditing standards, the provisions of the Act related to internal control over financial reporting. In particular, Section 404 of the Act requires public companies annually to provide investors an assessment of their internal control over financial reporting, accompanied by an auditor’s attestation on the same subject.

A. The Act’s Internal Control Reporting and Auditing Requirements

The term “internal control over financial reporting” refers to a company’s system of checks and processes designed to protect corporate assets, keep accurate records of those assets as well as its financial transactions and events, and prepare accurate periodic financial statements. Investors can have much more confidence in the reliability of a company’s financial statements if management demonstrates that it maintains adequate internal control over bookkeeping, the sufficiency of books and records for the preparation of accurate financial statements, adherence to rules about the use of company assets, and the safeguarding of company assets. Indeed, research shows that disclosures about the reliability of internal control have a significant effect on companies’ cost of capital.[11]

Companies have been required to have internal control over their accounting since Congress enacted the Foreign Corrupt Practices Act in 1977. There is no doubt, however, that the Sarbanes-Oxley Act’s requirement for annual assessments, and auditor attestations to those assessments, took corporate responsibilities for internal control over financial reporting to an entirely different level.

As directed by Section 404(a) of the Act, in June 2003 the SEC established rules describing companies’ required assessments. In March 2004, the PCAOB implemented Sections 103, requiring an auditing standard on internal control, and 404(b) of the Act by establishing a new auditing standard – Auditing Standard No. 2 – to provide for an audit of internal control over financial reporting integrated with the audit of the financial statements themselves. The SEC approved Auditing Standard No. 2 in June 2004.[12] For large, established companies – which the SEC calls accelerated filers – the initial assessments and attestations were required by SEC regulations to be included in their annual Form 10-K filings for fiscal years ending after November 14, 2004.[13]

The SEC has delayed implementation for smaller companies, i.e., the nonaccelerated filers. Such companies have until they file financial statements for a fiscal year ending on or after December 15, 2007, to file their first management assessments of internal control. In addition, the SEC will not require such companies to file audit reports on such assessments until they file financial statements for a fiscal year ending on or after December 15, 2008.[14]

B. Although the Act’s Internal Control Reporting Requirements are Not Yet Applicable to Small Companies, the PCAOB Has Used Its Experience Monitoring Large and Mid-Cap Company Implementation to Revise Its Auditing Standard and Develop Tailored Guidance with Small Companies In Mind.

Notwithstanding this delay, there is considerable concern among small public companies about implementing the Act’s internal control reporting requirements. For its part, the PCAOB has monitored implementation by companies that are subject to the requirements, among other things with a view toward easing implementation challenges smaller companies may face. To this end, based on that experience, the PCAOB recently proposed a revision of its auditing standard on internal control and is developing specialized guidance and training for auditors of small companies.

1. The PCAOB Has Monitored Auditors’ Implementation of Auditing Standard No. 2 and, as Needed, Provided Guidance.

In the nearly three years since the SEC’s rule on management assessments of internal control and the Board’s related auditing standard went into effect for accelerated filers, the Board has closely monitored the challenges that those companies and their auditors have faced. As appropriate, the PCAOB has provided additional guidance to facilitate implementation. In this regard, the Board’s staff has issued five sets of interpretive guidance that answer 55 frequently asked technical questions on the implementation of Auditing Standard No. 2.[15] In addition, on May 16, 2005, the Board issued a policy statement describing ways auditors can make their internal control audits as effective and efficient as possible.[16]

The PCAOB has also used its inspections of larger firms to monitor firms’ implementation of the Board’s auditing standard on internal control. To this end, the PCAOB issued a report on its inspections and other monitoring, on November 30, 2005. That report describes best practices and provides additional guidance on how auditors can make their work more efficient.[17]

The PCAOB's monitoring has also included participating, along with the SEC, in two roundtable discussions with representatives of public companies, auditors, investor groups, and others; meeting with its Standing Advisory Group; receiving feedback from participants in the Board's Forums on Auditing in the Small Business Environment; and reviewing academic, government, and other reports and studies, including the Government Accountability Office’s April 2006 report to this Committee on Sarbanes-Oxley Act: Consideration of Key Principles Needed in Addressing Implementation for Smaller Public Companies, and the Final Report of the SEC’s Advisory Committee on Smaller Public Companies issued the same month.[18]

2. The Board Has Proposed a Revision of Its Standard, to Promote Efficiency and Eliminate Unnecessary Procedures.

The Board is determined to make internal control audits as cost-effective as possible for companies that are required by the SEC’s rules to obtain an audit report on internal control. Therefore, based on its experience monitoring implementation, on December 19, 2006, the Board proposed a revision of its auditing standard on internal control, along with related amendments and rules.[19] Among other things, the proposed standard includes explicit guidance on scaling audits to reflect the attributes of smaller, less complex companies. In addition, the proposal is designed to –

  • Focus the audit on the matters most important to internal control by, among other things, directing the auditor's testing to the most important controls; emphasizing the importance of risk assessment; revising the definitions of significant deficiency and material weakness, as well as the "strong indicators" of a material weakness; and clarifying the role of materiality, including interim materiality, in the audit;
  • Eliminate unnecessary procedures by, among other things, removing the requirement to evaluate management's process; permitting consideration of knowledge obtained during previous audits; refocusing the multi-location testing requirements on risk rather than coverage; removing barriers to using the work of others; and recalibrating the walkthrough requirement;
  • Simplify the requirements by, among other things, reducing detail and specificity; better reflecting the sequential flow of an audit of internal control; and improving readability.

The Board has received thoughtful public comment on the proposal and, after considering those comments, expects to finalize a new standard in the near future.

3. The Board Plans Guidance for Auditors of Small Companies.

Based on the experience of small companies and auditors who have been – and are currently going – through the process of evaluating internal control, the Board is also working with practitioners to develop tailored implementation guidance for audits small public companies. This guidance should emphasize the scalability of internal control audits at a practical level, by providing auditors with examples of how the internal control audit process can and should be scaled to fit the relative sizes of small companies, from those that are on the cusp of accelerated filer status to those that have merely a handful of employees. The PCAOB is targeting publication of this guidance later this year, after the proposed revised standard is finalized.

Finally, the Board is exploring various means of facilitating training for auditors of smaller public companies on auditing internal control. With constructive, practical guidance, the Board hopes that small companies and their investors will be able to reap the benefits of internal control reporting without unnecessary costs.

IV. Conclusion

The PCAOB works hard to achieve the objectives Congress set for it in the Act. The oversight program it has in place is reducing the risk of financial reporting failures and renewing confidence in the financial reports of public companies and, ultimately, in the U.S. securities markets. The Board continues to assess its oversight programs, however, and in doing so it takes into account the effect on, and perspective of, the small business community. As I have described, the Board has and will continue to make appropriate adjustments to assure that it achieves the objectives of the Act in the most effective and efficient manner possible. In particular, the Board is committed to ensuring that its standard on internal control lays the foundation for efficient audits that are cost-effective for small business and maintain the benefits intended by the Act.

Thank you. I will be pleased to answer any questions.


[1] Due to the expansion of defined contribution plans and other incentives, nearly 57 million U.S. households own stocks directly or through mutual funds, according to a study by the Investment Company Institute and the Securities Industry Association. See Equity Ownership in America: 2005 (November 2005), available at http://www.ici.org/pdf/rpt_05_equity_owners.pdf 

[2] By all measures, the forward risk premium for the S&P 500 swelled in October 2002 to nearly double the historical mean. The forward risk premium reflects the additional risk that investors perceive exists in the stock market, as compared to the bond market. See Monthly Earnings Report, Lehman Brothers, at p. 72 (April 7, 2004). The effect of this risk aversion was not limited to U.S. markets. For example, in 2002 it led to the collapse of Germany’s Neuer Markt, a young stock market designed to provide capital opportunities for small European companies and thus to compete with U.S. markets for shares of new "dotcoms" and other technology companies. See Benoit, B., Skorecki, A., and Stafford, P., "Deutsche Borse to Close Neuer Markt Next Year," Financial Times (September 27, 2002).

[3] Importantly, the PCAOB’s rules related to registration were designed with care not to impose unnecessary impediments for small firms. Thus, while a registering firm must demonstrate that the Board’s approval of its application is consistent with the Board’s responsibilities under the Act to protect the interests of investors and to further the public interest in the preparation of informative, accurate, and independent audit reports, firms need not have a current public company audit client in order to register.

[4] See Yellow Card Trend Alert, Glass, Lewis & Co., at 1 (Feb. 15, 2005). According to this study by Glass, Lewis & Co., in 2004, Big Four firms reduced their public company audit clients by 400, the next four firms added overall, net, 117 public company audit clients, and all other accounting firms had a net gain in public company audit clients of 217.

[5] In order to give the public an understanding of how this incentive works, last year the Board described its experiences in monitoring firms’ efforts to address problems identified in the first year of inspections. See PCAOB Release No. 104-2006-078 , Observations on the Initial Implementation of the Process for Addressing Quality Control Criticisms within 12 Months After an Inspection Report, March 21, 2006, available at http://www.pcaobus.org; see also PCAOB Release No. 104-2006-077 , The Process for Board Determinations Regarding Firms’ Efforts to Address Quality Control Criticisms in Inspection Reports, March 21, 2006, available at http://www.pcaobus.org.

[6] In summary, these are: Generally Accepted Auditing Standards (or, "GAAS") as previously established by the American Institute of CPAs ("AICPA"); Attestation Standards and related interpretations and Statements of Position as previously adopted by the AICPA; the AICPA’s Statements on Quality Control Standards and certain AICPA SEC Practice Section membership requirements; certain provisions of the AICPA’s Code of Professional Conduct on integrity and objectivity, and the standards and interpretations of the Independence Standards Board.

[7] Specifically, the Board’s Auditing Standard No. 1 relates to references in auditors’ reports to the standards of the PCAOB; Auditing Standard No. 2 relates to audits of internal control over financial reporting; Auditing Standard No. 3 relates to audit documentation, and Audit Standard No. 4 relates to auditors’ reporting on whether a previously reported material weakness continues to exist. They are available on the Board’s Web site at http://www.pcaobus.org, along with the Board’s new ethics and independence rules.

[8] The Board convened its Standing Advisory Group pursuant to Section 103(a)(4) of the Act. The Group consists of experts in auditing and financial reporting, including individuals with experience at institutional investors, accounting firms, and public companies.

[9] The Board also participates as an observer of other agencies’ initiatives to examine issues germane to the small business community, including the SEC’s Advisory Committee on Smaller Public Companies, the Committee of Sponsoring Organization’s Task Force on Guidance for Smaller Public Companies, and the Financial Accounting Standards Board’s Small Business Advisory Committee.

[10] In most cases, applicable securities laws and rules provide for the SEC to publish PCAOB rules and standards for public comment as part of the SEC’s consideration and approval process.

[11] See Ashbaugh-Skaife, Collins, Kinney and LaFond, The Effect of Internal Control Deficiencies on Firm Risk and Cost of Equity Capital (April 2006, updated February 2007). Specifically, the researchers found that when companies report they have corrected a previously reported material weakness in internal control, their cost of capital goes down on average 1.5 percent. Conversely, when companies report material weaknesses in audited financial reports after they had previously reported in unaudited statements that internal control was effective, their cost of capital goes up on average almost 1 percent (93 basis points).

[12] See SEC Release No. 34–49884, Order Approving Proposed Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (June 17, 2004).

[13] Accelerated filers (and large accelerated filers) generally include companies with an aggregate market value of voting and non–voting common equity held by non-affiliates of the issuer (referred to as "public float") of $75 million or more, as of the last business day of the issuer’s most recently completed second fiscal quarter. See SEC Exchange Act Rule 12b-2, 17 C.F.R. 240.12b–2; see also SEC Release 33–8644, Revisions to Accelerated Filer Definition and Accelerated Deadlines for Filing Period Reports (December 21, 2005) (amending definition of "accelerated filer" to distinguish between "accelerated filers" and "large accelerated filers," which have a public float of $700 million or more). According to the SEC, approximately 44% of domestic companies filing periodic reports are non-accelerated filers. See SEC Release No. 33–8760, Internal Control over Financial Reporting in Exchange Act Periodic Reports of Nonaccelerated Filers and Newly Public Companies (December 15, 2006), at 11.

[14] See SEC Release No. 33–8760, Internal Control over Financial Reporting in Exchange Act Periodic Reports of Non–accelerated Filers and Newly Public Companies (December 15, 2006).

[15] These questions and answers are available at

[16] See PCAOB Release No. 2005-009, Policy Statement Regarding Implementation of Auditing Standard No. 2 (May 16, 2005)

[17] See PCAOB Release No. 2005-023 , Report on the Initial Implementation of Auditing Standard No. 2 (November 30, 2005), available at http://www.pcaobus.org. Importantly, in the first of those reports, issued after the first year of implementation, the Board found that many auditors faced tight deadlines, staffing and other resource constraints, and significant training needs. Moreover, their clients faced similar hurdles that were, in many cases, exacerbated by having to make up for deferred maintenance on internal control systems that had not kept up with the company’s growth and development.

[18] See GAO, Sarbanes-Oxley Act: Consideration of Key Principles Needed in Addressing Implementation for Smaller Public Companies (April 2006, GAO-06-361); Final Report of the Advisory Committee on Smaller Public Companies (April 23, 2006), available at http://www.sec.gov/info/smallbus/acspc/acspc-finalreport.pdf

[19] At the same time, the SEC has proposed guidance that can be used by management in making the assessment required by Section 404(a) of the Act. See SEC Release No. 33-8762, Management’s Report on Internal Control Over Financial Reporting (December 20, 2006).

Related Information