Last week, AeA, the high-tech trade association, released a report titled
"Sarbanes-Oxley Section 404: The ‘Section’ of Unintended Consequences and its Impact on Small
Business
."  Most readers will find that this paper is worth a
look.  The paper argues that:

  • Section 404 is more expensive than anyone anticipated — so much so that
    the costs far outweigh any possible benefits.
  • The Section 404 compliance burden is disproportionately large for smaller
    companies.
  • External auditors are taking a "one size fits all" approach to
    assessing the effectiveness of internal controls.

AeA’ assertions about the impact on small and mid-sized companies are really
striking.  For example …

What became clear during our companies’ discussions on Section 404 is that the cost burden for smaller companies as a percentage of revenue is far greater than for large companies. For multibillion dollar companies, the cost may run at approximately 0.05 percent of revenue, but
for small companies with revenues below $20 million, the costs can rapidly approach three percent of revenue.

This is a striking number.  I have no idea how precisely accurate these
results are — but the general thrust of the argument seems plausible: Smaller
companies typically start with less in the way of sophisticated internal control
systems, and the costs of creating such systems must come out of a
proportionately smaller pool of revenue.

Does this report match up with experiences that any of you are having? Send email
or post a comment …