The Rich Are Different

'Let me tell you about the very rich. They are different from you and me,' F. Scott Fitzgerald once wrote. To which Hemingway retorted, 'Yes. They have more money.'

A similar clash of attitudes colors the current debate over the extent to which the Sarbanes-Oxley Act of 2002 (SOX) should apply to small public companies. The most visible argument is that small companies should not have to shoulder the same compliance burdens as large companies do, simply because they can't afford to. But that premise is being challenged by studies, derided by a number of commentators, and viewed with public skepticism even by some SEC Commissioners. It assumes that were money no object, small and large companies should be regulated the same. If that assumption is true, then any argument for relaxed compliance that hinges on expense is vulnerable. Cost seldom satisfies as a reason for not doing something that ought otherwise be done. However, it is wrong to assume that the main difference between small and large companies is how much money they have. Large and small companies play very different roles in the national economy and in the minds of investors. The very large companies really are different than their smaller brethren, and not just because they have more money.

The centerpiece of the SOX compliance scheme, as we know, is ' 404, which requires corporations to adopt and continually assess the effectiveness of internal accounting controls, and requires their auditors to report on management's assessments and opine on the effectiveness of the controls themselves. The assessments and the auditor opinions have generated a lot of work for corporations and accounting firms.

Section 404's requirements are tailor-made for large corporations, which is not surprising when one considers that Congress had Enron, WorldCom, Tyco and HealthSouth in mind when drafting it. For one thing, the only extant standard for internal controls was designed for large businesses. It was then and still is the 1992 Internal Control Integrated Framework developed by the Committee of Sponsoring Organi-zations of the Treadway Committee (COSO), a private group sponsored by several major accounting and management organizations. The SEC specifically identified the COSO Framework as the de-facto standard for internal controls in promulgating its first round of rules under ' 404.

The COSO Framework

The COSO Framework is an excellent treatise on the theory and practice of principle-based internal accounting controls, and as a theory it ought to be applicable to all companies. But as a framework, it works only for large enterprises because it assumes a management that is procedure-based. The idea behind the COSO Framework is to subject an enterprise's internal procedures to testing by persons outside the ambit of the procedures. The Framework thus assumes divisions of responsibility and systems of checks and balances within the company. That is how a large enterprise must be run, and the Framework has evolved over the past decade as large corporations have adopted it, to the point where, for a large company, SOX compliance does not present much of an added burden.

However, the Framework is not applicable to smaller companies precisely because smaller companies, where managers wear many hats and change direction quickly to respond to market conditions, do not have those internal checks and balances to the same degree. The Framework acknow-ledges as much. Its executive summary states that 'Although the components [of internal control] apply to all entities, small and mid-size companies may implement them differently than large ones. Its controls may be less formal and less structured ' ' But only after 2002 did COSO attempt to deal with the control issues of smaller companies, and even so, COSO's recently issued Guidance for Smaller Public Companies has met with mixed reaction. In short, procedure-based testing makes little sense to a smaller business in which 'seat-of-the-pants' management often prevails over 'by-the-book' governance.

Thus, whatever may be said of the ability of large companies to deal with ' 404 compliance, smaller companies feel they are being asked to fit square pegs in round holes. Many leaders of small companies were quick to denounce the new requirements as both unnecessary to small businesses and so costly that many businesses feared for their very survival. By some estimates, ' 404 compliance would cost smaller companies as much as 2.5% of their revenues, compared with less than 0.3% for a large company. Few small companies can sacrifice that much gross profit margin.

The SEC's Draft Report

To address the problem of SOX compliance by small public companies, the SEC extended the date by which small companies need to comply, and also commissioned an Advisory Committee on Smaller Public Companies to study the problem. After about a year of information gathering and analysis, the Committee exposed a draft of its final report in the Federal Register on March 3, 2006. The Draft Report makes a number of recommendations in four broad areas, the collective gist of which is that smaller public companies should be treated differently from large public companies. Much of the report is dedicated to ' 404, and the report's primary recommendations are that smaller public companies be exempt from one or more aspects of ' 404 compliance in certain circumstances.

The SEC did not specify which companies count as 'smaller public companies.' The Committee set its own parameters based on market capitalization. It looked at an ordinal ranking by market capitalization of 9428 public companies listed on the New York and American Stock Exchanges, the NASDAQ Stock Market, and the OTC Bulletin Board, and worked from the bottom of the list up. The Committee labeled 'microcaps' those companies that collectively accounted for the bottom 1% of total market capitalization. It labeled 'smallcaps' those that collectively accounted for the next lowest 5% of total market capitalization. Microcap companies were defined as those with market capitalizations of less than $128.2 million, and smallcap companies those with market capitalizations between $128.2 million and $787.1 million. By definition, microcap and smallcap companies represent only 6% of the total market capitalization of all public companies in the country.

However, what this group lacks in market dominance it more than makes up for in numbers. The Committee reports that microcap companies make up 52.6% of all public companies, and smallcaps 25.9%. Thus, by the Committee's definition, 78.5% of all the public companies in the country are small businesses, and the number jumps to about 85% if one includes the 4500 companies that trade only on the Pink Sheets. It is a vast constituency by any measure, and that itself is part of the problem. On the one hand, ' 404 of SOX is a misfit for the vast majority of U.S. public companies, but on the other, is it not too much to expect that the SEC can, with political correctness, exempt 85% of the country's public companies from complying with the core provision of SOX?

Yet that is, in essence, the Committee's primary recommendation. If it is to be adopted ' and it should be ' more study and thought needs to be given to why small companies are different than large ones, and the telling differences have to be more than that the large companies can better afford the new compliance regime. To its credit, the Committee did recognize many factors differentiating small public companies from large ones, but it neglected others that are equally important. It did a good job of describing how small companies operate differently from large companies; how their managers work in many overlapping roles so as to make it impossible to isolate processes from their direct influence; how management's ability to override established procedures to respond to market conditions increases the cost of documenting, assessing and auditing internal controls; how a small company's need to be flexible will by diminished by full ' 404 compliance. Still, many of the Committee's findings appear aimed at explaining why it is so much more expensive for small companies to comply with ' 404, rather than why ' 404 ought not apply to them in the first place.

Other Differences

Other important differences should also be discussed. The Committee alludes that the collapse of a large public company will have greater repercussions than that of a small company, but attributes that impact to size alone. There is more to it. The stock of large public companies is mostly owned by institutions and funds. That stock is directly and indirectly owned by banks, pension plans, mutual funds, insurance companies, college and charitable endowments. Consequently, the collapse of a large public company will impact other investment entities, and its effect will multiply throughout the economy and have consequences far removed from the company itself. Because of this pivotal role that large companies occupy, they comprise an essential public trust. Congress has historically recognized this, and has from time to time arranged bailouts and other forms of public assistance to prevent large and key public companies from collapsing. SOX should properly be viewed as another attempt to protect the public wealth that is invested in the stocks of large public companies. To ensure that this public wealth is properly deployed, the financial statements of large public companies should be highly reliable, and SOX ' 404 will greatly contribute to that.

But small public companies do not play the same institutional role as large ones. Banks, insurance companies and mutual funds generally do not invest in the companies comprising the bottom 6% of market capitalization. Small companies are not stewards of our national wealth in the same way as large companies. The risk to the economy from the collapse of a small public company is limited not only by its size, but also because the effects of such a collapse would not ripple very far out into the economy. Even a major Enron-style debacle at a small company ' indeed, even the failure of a fair percentage of such companies ' would hardly affect the wealth of the nation at all.

We know this because it happens all the time. Many small companies die a natural death each year without notice, but at the same time many small companies are born each year to take their place. This natural cycle of renewal among small companies is the nation's great source of new ideas and new jobs. The development of new businesses should be nurtured, not hindered by regulations appropriate only to companies large enough to be small countries. Smaller public companies should be largely unfettered by regulation, because their crucial role in the economy is to be a locus of risk-taking, and regulation, which necessarily carries second-guessing and 'looking-over-the-shoulder' reticence in its wake, inhibits risk-taking.

What About Investor Protection?

But, we are asked, should not investors in small companies be provided the same protections against fraud as investors in large companies? No, they should not. Nor do they expect it. The Committee itself documented that the flow of capital to smaller public companies and to foreign companies appears unaffected by whether those companies even have internal controls. That empirical evidence is not surprising. No one invests, or should invest, in a small public company as a safe bet. Just the opposite, people invest in small public companies in the hope of a large reward. It has long been known that investments in smaller companies yield, on the aggregate, higher returns than those in large companies. It is true that many investments in small public companies fare badly, but those few
microcaps that break into the ranks of large companies perform spectacularly better than anyone should ever expect a large company to perform. They are the stuff of legend ' names like Microsoft, Apple Computer, Intel. Yet high reward is just the positive face of risk, the obverse side being loss. Among investors in small public companies, every big winner stands next to many losers. Both the winners and the losers exist because they took a risk on an uncertain venture. For investors in small public companies, generally individuals and venture capitalists, the stock certificate they hold may be the equivalent of a ticket and a dream, but that dream of high reward is just what keeps capital flowing to small companies.

It is a mathematical certainty that by reducing the risk of investing in small public companies, one will also reduce the aggregate available returns. Section 404 compliance may result in better internal controls, and thereby may reduce the risk that small public company financials will be misleading. However, the risk of fraud has always been an inherent part of betting on smaller public companies. Much, maybe most, of that fraud risk does not even implicate the financial statements, but stems from stock manipulators operating independently of the company. But it is all part of the risk of investing in small companies, and reducing even that risk may so change the cost/benefit equation in investors' minds that they will choose to put their money elsewhere.

Or perhaps not. Investors in small companies face many risks, and fraud is only one of them, and not the one they care most about, as the Committee's evidence shows. Thus, ' 404 compliance might not by much diminish the promise of high returns from, and therefore the flow of capital to, small public companies. But on the other hand, if ' 404 compliance will not change the total risk profile of small company investing, then what is the point of requiring it?

'Fraud Deterence'

The answer generally given is simply that it deters fraud, but this needs to be further explored. There already are plenty of laws against fraud. The difference is that existing laws deter by punishing fraud after it occurs. Section 404 imposes an internal regime that in theory prevents fraud from going undetected long enough to do serious damage ' like a circuit breaker. While
' 404's fraud detection scheme may be prudent with large institutional public companies, it seems like overkill ' both inefficient and inappropriately paternalistic ' when applied to small companies where only the companies themselves and their private investors are at risk. Nor is it at all clear that it would even be a good thing to prevent all misleading accounting practices by small companies. Most accounting irregularities have less to do with larceny than with simply buying time, staying alive until some event occurs ' a big contract, a new approval, a sales benchmark ' that allows the company to progress to real profitability. Although empirical evidence is lacking, many a now successful and stable business, with well-satisfied investors, can recall a time when, if the truth of its finances had been fully disclosed, it would have had to shutter its doors.

This is not to say that fraud should be tolerated. It should be punished whenever it causes loss, and vigorously, so as to render it very risky behavior indeed. But in the end, unlike large public companies, small public companies should not be preempted from taking even the severe risks inherent in cooking the books. If small companies are to continue successfully in their singular role as the messy incubators of new business, they must have wide freedom to take all the risk they dare. That, more than how much money they have, is the essential difference between small and large public companies, and ought to be more seriously considered in determining the extent to which ' 404 should apply to small companies.

Aegis J. Frumento ([email protected]) is a partner in the Securities Litigation and the Broker-Dealer and Securities Regulation Practice Groups in the New York office of Duane Morris LLP. A frequent author and speaker on securities topics, he mostly represents clients facing investigations and administrative and civil proceedings by securities regulators, including the SEC, the NYSE and the NASD.

'Let me tell you about the very rich. They are different from you and me,' F. Scott Fitzgerald once wrote. To which Hemingway retorted, 'Yes. They have more money.'

A similar clash of attitudes colors the current debate over the extent to which the Sarbanes-Oxley Act of 2002 (SOX) should apply to small public companies. The most visible argument is that small companies should not have to shoulder the same compliance burdens as large companies do, simply because they can't afford to. But that premise is being challenged by studies, derided by a number of commentators, and viewed with public skepticism even by some SEC Commissioners. It assumes that were money no object, small and large companies should be regulated the same. If that assumption is true, then any argument for relaxed compliance that hinges on expense is vulnerable. Cost seldom satisfies as a reason for not doing something that ought otherwise be done. However, it is wrong to assume that the main difference between small and large companies is how much money they have. Large and small companies play very different roles in the national economy and in the minds of investors. The very large companies really are different than their smaller brethren, and not just because they have more money.

The centerpiece of the SOX compliance scheme, as we know, is ' 404, which requires corporations to adopt and continually assess the effectiveness of internal accounting controls, and requires their auditors to report on management's assessments and opine on the effectiveness of the controls themselves. The assessments and the auditor opinions have generated a lot of work for corporations and accounting firms.

Section 404's requirements are tailor-made for large corporations, which is not surprising when one considers that Congress had Enron, WorldCom, Tyco and HealthSouth in mind when drafting it. For one thing, the only extant standard for internal controls was designed for large businesses. It was then and still is the 1992 Internal Control Integrated Framework developed by the Committee of Sponsoring Organi-zations of the Treadway Committee (COSO), a private group sponsored by several major accounting and management organizations. The SEC specifically identified the COSO Framework as the de-facto standard for internal controls in promulgating its first round of rules under ' 404.

The COSO Framework

The COSO Framework is an excellent treatise on the theory and practice of principle-based internal accounting controls, and as a theory it ought to be applicable to all companies. But as a framework, it works only for large enterprises because it assumes a management that is procedure-based. The idea behind the COSO Framework is to subject an enterprise's internal procedures to testing by persons outside the ambit of the procedures. The Framework thus assumes divisions of responsibility and systems of checks and balances within the company. That is how a large enterprise must be run, and the Framework has evolved over the past decade as large corporations have adopted it, to the point where, for a large company, SOX compliance does not present much of an added burden.

However, the Framework is not applicable to smaller companies precisely because smaller companies, where managers wear many hats and change direction quickly to respond to market conditions, do not have those internal checks and balances to the same degree. The Framework acknow-ledges as much. Its executive summary states that 'Although the components [of internal control] apply to all entities, small and mid-size companies may implement them differently than large ones. Its controls may be less formal and less structured ' ' But only after 2002 did COSO attempt to deal with the control issues of smaller companies, and even so, COSO's recently issued Guidance for Smaller Public Companies has met with mixed reaction. In short, procedure-based testing makes little sense to a smaller business in which 'seat-of-the-pants' management often prevails over 'by-the-book' governance.

Thus, whatever may be said of the ability of large companies to deal with ' 404 compliance, smaller companies feel they are being asked to fit square pegs in round holes. Many leaders of small companies were quick to denounce the new requirements as both unnecessary to small businesses and so costly that many businesses feared for their very survival. By some estimates, ' 404 compliance would cost smaller companies as much as 2.5% of their revenues, compared with less than 0.3% for a large company. Few small companies can sacrifice that much gross profit margin.

The SEC's Draft Report

To address the problem of SOX compliance by small public companies, the SEC extended the date by which small companies need to comply, and also commissioned an Advisory Committee on Smaller Public Companies to study the problem. After about a year of information gathering and analysis, the Committee exposed a draft of its final report in the Federal Register on March 3, 2006. The Draft Report makes a number of recommendations in four broad areas, the collective gist of which is that smaller public companies should be treated differently from large public companies. Much of the report is dedicated to ' 404, and the report's primary recommendations are that smaller public companies be exempt from one or more aspects of ' 404 compliance in certain circumstances.

The SEC did not specify which companies count as 'smaller public companies.' The Committee set its own parameters based on market capitalization. It looked at an ordinal ranking by market capitalization of 9428 public companies listed on the New York and American Stock Exchanges, the NASDAQ Stock Market, and the OTC Bulletin Board, and worked from the bottom of the list up. The Committee labeled 'microcaps' those companies that collectively accounted for the bottom 1% of total market capitalization. It labeled 'smallcaps' those that collectively accounted for the next lowest 5% of total market capitalization. Microcap companies were defined as those with market capitalizations of less than $128.2 million, and smallcap companies those with market capitalizations between $128.2 million and $787.1 million. By definition, microcap and smallcap companies represent only 6% of the total market capitalization of all public companies in the country.

However, what this group lacks in market dominance it more than makes up for in numbers. The Committee reports that microcap companies make up 52.6% of all public companies, and smallcaps 25.9%. Thus, by the Committee's definition, 78.5% of all the public companies in the country are small businesses, and the number jumps to about 85% if one includes the 4500 companies that trade only on the Pink Sheets. It is a vast constituency by any measure, and that itself is part of the problem. On the one hand, ' 404 of SOX is a misfit for the vast majority of U.S. public companies, but on the other, is it not too much to expect that the SEC can, with political correctness, exempt 85% of the country's public companies from complying with the core provision of SOX?

Yet that is, in essence, the Committee's primary recommendation. If it is to be adopted ' and it should be ' more study and thought needs to be given to why small companies are different than large ones, and the telling differences have to be more than that the large companies can better afford the new compliance regime. To its credit, the Committee did recognize many factors differentiating small public companies from large ones, but it neglected others that are equally important. It did a good job of describing how small companies operate differently from large companies; how their managers work in many overlapping roles so as to make it impossible to isolate processes from their direct influence; how management's ability to override established procedures to respond to market conditions increases the cost of documenting, assessing and auditing internal controls; how a small company's need to be flexible will by diminished by full ' 404 compliance. Still, many of the Committee's findings appear aimed at explaining why it is so much more expensive for small companies to comply with ' 404, rather than why ' 404 ought not apply to them in the first place.

Other Differences

Other important differences should also be discussed. The Committee alludes that the collapse of a large public company will have greater repercussions than that of a small company, but attributes that impact to size alone. There is more to it. The stock of large public companies is mostly owned by institutions and funds. That stock is directly and indirectly owned by banks, pension plans, mutual funds, insurance companies, college and charitable endowments. Consequently, the collapse of a large public company will impact other investment entities, and its effect will multiply throughout the economy and have consequences far removed from the company itself. Because of this pivotal role that large companies occupy, they comprise an essential public trust. Congress has historically recognized this, and has from time to time arranged bailouts and other forms of public assistance to prevent large and key public companies from collapsing. SOX should properly be viewed as another attempt to protect the public wealth that is invested in the stocks of large public companies. To ensure that this public wealth is properly deployed, the financial statements of large public companies should be highly reliable, and SOX ' 404 will greatly contribute to that.

But small public companies do not play the same institutional role as large ones. Banks, insurance companies and mutual funds generally do not invest in the companies comprising the bottom 6% of market capitalization. Small companies are not stewards of our national wealth in the same way as large companies. The risk to the economy from the collapse of a small public company is limited not only by its size, but also because the effects of such a collapse would not ripple very far out into the economy. Even a major Enron-style debacle at a small company ' indeed, even the failure of a fair percentage of such companies ' would hardly affect the wealth of the nation at all.

We know this because it happens all the time. Many small companies die a natural death each year without notice, but at the same time many small companies are born each year to take their place. This natural cycle of renewal among small companies is the nation's great source of new ideas and new jobs. The development of new businesses should be nurtured, not hindered by regulations appropriate only to companies large enough to be small countries. Smaller public companies should be largely unfettered by regulation, because their crucial role in the economy is to be a locus of risk-taking, and regulation, which necessarily carries second-guessing and 'looking-over-the-shoulder' reticence in its wake, inhibits risk-taking.

What About Investor Protection?

But, we are asked, should not investors in small companies be provided the same protections against fraud as investors in large companies? No, they should not. Nor do they expect it. The Committee itself documented that the flow of capital to smaller public companies and to foreign companies appears unaffected by whether those companies even have internal controls. That empirical evidence is not surprising. No one invests, or should invest, in a small public company as a safe bet. Just the opposite, people invest in small public companies in the hope of a large reward. It has long been known that investments in smaller companies yield, on the aggregate, higher returns than those in large companies. It is true that many investments in small public companies fare badly, but those few
microcaps that break into the ranks of large companies perform spectacularly better than anyone should ever expect a large company to perform. They are the stuff of legend ' names like Microsoft, Apple Computer, Intel. Yet high reward is just the positive face of risk, the obverse side being loss. Among investors in small public companies, every big winner stands next to many losers. Both the winners and the losers exist because they took a risk on an uncertain venture. For investors in small public companies, generally individuals and venture capitalists, the stock certificate they hold may be the equivalent of a ticket and a dream, but that dream of high reward is just what keeps capital flowing to small companies.

It is a mathematical certainty that by reducing the risk of investing in small public companies, one will also reduce the aggregate available returns. Section 404 compliance may result in better internal controls, and thereby may reduce the risk that small public company financials will be misleading. However, the risk of fraud has always been an inherent part of betting on smaller public companies. Much, maybe most, of that fraud risk does not even implicate the financial statements, but stems from stock manipulators operating independently of the company. But it is all part of the risk of investing in small companies, and reducing even that risk may so change the cost/benefit equation in investors' minds that they will choose to put their money elsewhere.

Or perhaps not. Investors in small companies face many risks, and fraud is only one of them, and not the one they care most about, as the Committee's evidence shows. Thus, ' 404 compliance might not by much diminish the promise of high returns from, and therefore the flow of capital to, small public companies. But on the other hand, if ' 404 compliance will not change the total risk profile of small company investing, then what is the point of requiring it?

'Fraud Deterence'

The answer generally given is simply that it deters fraud, but this needs to be further explored. There already are plenty of laws against fraud. The difference is that existing laws deter by punishing fraud after it occurs. Section 404 imposes an internal regime that in theory prevents fraud from going undetected long enough to do serious damage ' like a circuit breaker. While
' 404's fraud detection scheme may be prudent with large institutional public companies, it seems like overkill ' both inefficient and inappropriately paternalistic ' when applied to small companies where only the companies themselves and their private investors are at risk. Nor is it at all clear that it would even be a good thing to prevent all misleading accounting practices by small companies. Most accounting irregularities have less to do with larceny than with simply buying time, staying alive until some event occurs ' a big contract, a new approval, a sales benchmark ' that allows the company to progress to real profitability. Although empirical evidence is lacking, many a now successful and stable business, with well-satisfied investors, can recall a time when, if the truth of its finances had been fully disclosed, it would have had to shutter its doors.

This is not to say that fraud should be tolerated. It should be punished whenever it causes loss, and vigorously, so as to render it very risky behavior indeed. But in the end, unlike large public companies, small public companies should not be preempted from taking even the severe risks inherent in cooking the books. If small companies are to continue successfully in their singular role as the messy incubators of new business, they must have wide freedom to take all the risk they dare. That, more than how much money they have, is the essential difference between small and large public companies, and ought to be more seriously considered in determining the extent to which ' 404 should apply to small companies.

Aegis J. Frumento ([email protected]) is a partner in the Securities Litigation and the Broker-Dealer and Securities Regulation Practice Groups in the New York office of Duane Morris LLP. A frequent author and speaker on securities topics, he mostly represents clients facing investigations and administrative and civil proceedings by securities regulators, including the SEC, the NYSE and the NASD.