The Sarbanes-Oxley Act of 2002 had a curious, unexpected effect: it spawned a brand new industry of software companies, consultants and accountants dedicated to helping public companies implement the act’s numerous requirements. This entrepreneurial activity is testament to the complexity and – let’s face it – pure misery of Sarbanes-Oxley.
The act, otherwise known as SOX, has been a bitter pill for public companies to swallow. It was notoriously expensive and time consuming to implement and, in many cases, forced companies to recruit new board members – just to name of few of the oft-heard complaints.
But large and mid-sized companies can look back, more than five years later, with a sense of accomplishment. Most public companies have met the deadlines for compliance with all of the act’s requirements. However, small public companies (those with less than $75 million in publicly traded shares) are facing imminent deadlines for filing their first audited internal control reports with the Security and Exchange Commission (SEC).
Before we delve into these infamous internal control reports, it is important to note that Christopher Cox, chairman of the SEC, has proposed giving these small companies one more year to comply with Section 404 (b) of SOX.
So, with a little extra breathing room, small companies can take a lesson from those who have gone before.
The biggest SOX mistake companies make is that “they take too long to implement the internal controls that are necessary,” says Wayne Swan, a shareholder and chair of the Corporate and Securities Section with Durham Jones and Pinegar. “There are thousands of smaller companies that just didn’t do it, and now they face the problem of coming up with a report.”
Ah, the internal controls. Of all the difficult reforms required by SOX, internal controls that have been signed off by an auditor seem to be the thorniest.
"Internal controls are the checks and balances and procedures that accountants use to make sure money is being handled correctly and not misused,” Swan explains. Public companies must have internal controls in place, complete an organizational evaluation of the controls, solicit an external audit of the controls and then file a report with the SEC.
The task is daunting.
Swan estimates that it takes at least one year – but more often two – to fully evaluate internal controls and prepare an SEC report. Companies generally need to hire additional accountants, possibly an entire new department depending on the size of the company. Then each existing procedure must be analyzed and, all too often, revamped.
Many companies rely on outside consultants through this process. And after the new internal controls are functioning, the company must hire an auditor to evaluate the controls.
“The biggest impact [SOX] has had on public companies is it has doubled or even tripled the cost of being public,” says Swan. “An outside auditing firm now has to be paid thousands of dollars to verify or confirm the statement of the company.”
Cost is not the only pain associated with the outside audit. Auditing firms bear some liability for the integrity of a client’s internal controls, as proved by the case of accounting firm Arthur Andersen, which dissolved in the aftermath of the Enron scandal. “The huge, global firm Arthur Andersen fell apart because it was sued and held liable for the mistakes and fraud that were found [at Enron],” says Swan. “The auditing firms are just running scared. They need to protect themselves.” As a result, the firms are now ultra-thorough in their evaluations, erring on the side of caution and filing sometimes overly harsh reports.
External auditing proved to be an extremely expensive component of becom-ing a public company for Nu Skin, a skin-care products company based in Provo.
Nu Skin operated as a privately held company until about 2002, when the board decided to change its two-tiered system of stock options. Previously, a small group of investors held “super-voting” shares and therefore had majority control of the company. After the board eliminated the practice of super-voting stock, the investor group held minority control and the company effectively became public – and subject to the requirements of SOX.
The audits were, by far, the most vexing part of complying with SOX, says Matt Dorny, general counsel and Chief Legal Officer for Nu Skin. “It took a tremendous amount of time and resources,” he says.
Prior to becoming public, Nu Skin spent around $800,000 annually on auditing fees. In 2004, the first year Nu Skin needed to file audited reports with the SEC, the company spent $2.8 million – a painful hit to the bottom line.
“It’s come down in recent years because the auditors have become more efficient,” Dorny says. But the company is still spending nearly $2 million each year in auditing fees. And that is only one of the costs of complying with SOX.
The purpose of all this auditing is to ensure the company’s internal controls are strong and functioning well. Nu Skin has always had internal controls, as does every established company, so Nu Skin didn’t have to create a set of controls from scratch. The demands of SOX necessitated the company “make sure they were properly documented for external auditors,” says Dorny. “The real change that SOX required was to add the review of the auditors.”
That doesn’t mean the company didn’t have a lot of work to do in documenting its internal controls.
“It impacted all our departments because managers throughout the organization have to make sure the internal controls are implemented,” Dorny says. The extensive process involved hiring new staff, identifying and documenting policies and procedures, and training management-level employees.
Another significant change mandated by SOX was corporate governance restructuring. Essentially, “every public board of directors needs to have a majority of directors who are independent – who do not have an interest in the company or who are not paid employees,” explains Swan. “It can be hard to find people willing to serve.”
Independent board members don’t have vested interest in the company and therefore don’t have a compelling reason to give up personal time or take on the liability of being a director. And many companies restrict the amount of time executives can spend serving on outside boards.
Nu Skin, formerly controlled by a small group investors, had to reach out for new blood. “We did have to seek new board members so we had more independent directors,” Dorny says. “There is a lot of competition out there to find board members who are able to give the time.”
But the company was able to fill its board slots and live through the first few rounds of grueling auditing. “Now that we’re four years past, it’s a little bit easier,” Dorny says. But only a little bit.
Now that SOX has become old hat for Nu Skin, compliance has almost become a matter of keeping up with the paperwork. Quarterly reports, annual reports – some reports even have to be filed within days of a financial activity.
“There’s no doubt that the decision to go public these days is going to require a lot more preparation and a lot more thought into the costs and risks,” Dorny says.
The Ripple Effect
But private companies don’t have to worry about SOX, right? Well, it depends on what your plans for the future are.
In the world of venture capital, it’s all about the future. Investors expect to eventually see a return on their investment – generally through a lucrative buyout or a successful initial public offering (IPO).
This means that even the smallest startup companies must keep SOX on their radar. “It starts companies thinking about internal controls and processes right from the beginning,” says Kent Madsen, managing director with EPIC Ventures, a Salt Lake-based venture capital firm.
There’s no doubt that SOX has im-pacted the world of venture capital. Investors are seeing fewer IPOs, which require the offering companies to be SOX compliant, and more mergers and acquisitions.
“It’s harder to go public now, and that’s unfortunate,” Madsen says. “Access to capital is necessary for companies to grow. And companies need to grow in order to keep the economy growing.”
To make it more likely for them to go public, Madsen counsels his portfolio companies to implement the SOX corporate governance regulations and begin developing solid internal controls as early as possible.
And that is exactly the strategy that American Fork-based Mozy, Inc. followed. “We worked closely with our legal department to lay the foundation for [an IPO],” says Josh Coates, founder of Mozy, an online virtual data storage company and a former EPIC Ventures portfolio company. “We were certainly in a position to offer our stock to the public market.”
But rather than continue on that path, Mozy was acquired by a larger public company, EMC Corporation, in the early October 2007. Although the company was working toward an IPO, “we were about a year away from going down the SOX checklist,” Coates says.
The $76 million acquisition was not a way to avoid SOX, he says, but rather a golden opportunity for investors.
“Around the board table, [an IPO] was an option that was certainly thought of as a future opportunity. Fundamentally, it comes down to risk and reward. We gave our investors a 13-times return in less than two years.”
Bottom line, working toward an IPO and SOX compliance put the company in excellent shape and made it more attractive to potential purchasers. According to Coates, every tech startup should set their compass toward an IPO from the earliest days.
“The requirements to go public are fantastic goals for any company to achieve,” Coates says. “Aiming for a quick sellout – that’s not the best way to go. Each company should be able to stand on its own and grow.”
“Some companies have decided that it is not worth it to comply with Sarbanes-Oxley to remain public,” says attorney Swan. “That’s a hard decision for companies to make.”
“You see a lot of big companies now go private,” concurs Madsen.
Just in the past year, 1-800-CONTACTS and Mity Enterprises, both formerly Utah-based public companies, have been acquired by large, private equity firms. Neither company has publicly indicated that ducking SOX was motivation for the buyouts, but they nevertheless seem part of a national trend to drop out of the public market – to “go dark.”
In 2006, the RAND Corporation issued a report that found the very smallest companies – those with less than $20 million in publicly traded shares – were more likely to be acquired by private equity in the first year after SOX was passed. The likelihood of small firms to be purchased increased by 53 percent during the first year.
Acquisition by a privately held company or by private equity is not the only way to evade the burden of SOX. Smaller companies can be purchased by a larger public company –
and thus retain access to capital but shift the SOX responsibility to the larger entity. Or companies can apply to be de-listed from their exchange and appear solely on the so-called Pink Sheets.
Delisting, however, is not an attractive option.
Companies that de-list suffer a loss of prestige in the financial markets, says Swan, because de-listing makes it look like they have something to hide. “Their stock price might drop due to a perception of lower value,” he says. De-listing also makes it harder for shareholders to liquidate their investment – to sell quickly – and it can make it more difficult for the company to complete a merger or acquisition, again due to a perception of shaky financials.
But instead of going dark, the vast majority of public companies are continuing to slog through the complexities of SOX.
“Does the cost of these new regulations far exceed the benefit the public and shareholders are seeing?” asks Swan. That’s a question yet to be answered.