SMBs Should Not Rely on 'Possible' Sarbox 404(b) Delay

Lora Bentley

It's no big secret that the House of Representatives passed sweeping financial reform legislation last month, nor that the legislation includes a provision that would at least delay Sarbanes-Oxley 404(b) compliance for U.S. public companies with a market capitalization of less than $75 million. It might even exempt them altogether.


It's also clear that unless the Senate acts on its own version of financial reform quickly, the June 15 deadline for non-accelerated filers to begin complying with Sarbanes-Oxley 404(b) will arrive before that delay or exemption can take effect.


More than that, though, those opposed to the exemption may have a little more ammunition with which to fight. Monday, Vibato's Teresa Bockwoldt alerted me to the $31 million theft headphone maker Koss allegedly suffered at the hands of its then-VP of finance. She noted that some observers may argue that a Sarbox exemption for smaller companies could lead to similar losses.


If you're like me and missed the Koss story when it first hit, here's the short version, courtesy of

The well-known manufacturer of headphones reported $38.3 million in sales last year, so a $31 million theft, even over five years, suggests some serious problems with internal controls...Koss fired its accounting firm, Grant Thornton, [which] responded by pointing out that Koss is among those companies not yet subject to Sarbox's Section 404(b)... 'The company did not engage Grant Thornton to conduct an audit or evaluation of internal controls over financial reporting,' says a spokesperson.


So even with President Obama urging legislators to press forward on financial reform, they may decide to wait on the Sarbox delay/exemption. Whether the legislation passes soon without the exemption, or the legislation is still pending when the June 15 deadline rolls around, Bockwoldt says SMBs should be preparing for 404(b) now.

Add Comment      Leave a comment on this blog post
Feb 9, 2010 1:50 AM Bob Benoit Bob Benoit  says:

The Koss fraud clearly should have been detected in a properly executed SOX 404(a) management assessment (even without SOX 404(b) auditor attestation). 

The specific fraud risk here was clearly 'in scope' by its amount alone.  It would have been identified through inquiry-namely a person having access to both accounting transactions and the cash (credit cards, wire transfers, signing checks).  This is a basic fraud 101.

Are companies responsible for checking for fraud under SOX 404(a)?  Yes, the SEC Interpretive Guidance specifically states, 'Management's evaluation of the risk of misstatement should include consideration of the vulnerability of the entity to fraudulent activity.'

One might ask, was the fraud portion of the SOX 404(a) assessment performed by a competent and objective party? 

Or a bigger question arises, was the SOX 404(a) management assessment in fact done at all (which is likely the case here)?

Shifting to a global perspective, why haven't companies been complying with SOX 404(a), which has been required for ALL public companies with years ended after 12-15-07?  Probably because SOX 404(b) is not required (the outside auditor attestation). 

Many companies and their Audit Comittees simply refuse to comply with SOX 404(a) until SOX 404(b) is required.  Without it, there is no accountability.

Apr 23, 2010 1:31 AM stinger stinger  says: in response to Bob Benoit

what is the ruling now regarding the auditor attestation on the effectiveness of internal contols? Is it still a requirement? or is it still at a preliminiary discussion stage where the attestation is required for both small and large companies? Would appreciate if you could let me know how this legisslation has changed, and what is the delceration or attestation the auditor needs to give after the change?

Thanks a lot


Post a comment





(Maximum characters: 1200). You have 1200 characters left.



Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.