Should Sarbanes-Oxley Reforms Extend to Nonpublic Companies?

By Rita Czaja

E-mail Story Print Story

Some arguments against applying SOA rules to nonpublic companies apply only to the smallest of companies. Other arguments may be true in some cases but lack broad applicability. SOA also addresses some threats to auditors’ independence that are at least as great for nonpublic companies as for public companies. Stronger arguments or alternative solutions could help convince state regulators to adopt rules that make sense for small companies while still providing appropriate protection to the users of small companies’ financial statements.

Public Versus Nonpublic Companies

The AICPA, notably in a group of briefs, reports, and white papers titled “The State Cascade—An Overview of the State Issues Related to the Sarbanes-Oxley Act” (www.aicpa.org/statelegis/index.asp) has stated that the restrictions needed for large (public) companies are not needed for small (nonpublic) companies. The AICPA gives three primary reasons for this assertion.

First, the AICPA states that the problems in recent years occurred at large public companies; “no problems that harm the public have been encountered” at nonpublic companies. Problems with financial reporting at small companies would not be expected to make the national news, and the lack of news about small companies does not support the conclusion that such problems have not occurred. An analysis of claims by CNA (which underwrites the AICPA’s professional liability insurance program) showed that only 2% of claims involved public company audits; 14% involved nonpublic company audits (Anderson and Wolfe, Journal of Accountancy, 2002). It is reasonable to believe that some of these cases involved the kinds of situations seen at public companies: clients pressuring auditors, auditors going along to “help” a client in a bind, etc. While relatively few users may have been harmed in each instance, the harm could have been significant.

Second, the AICPA argues that the owners of small companies are closely involved in day-to-day operations and have access to the company’s financial records. Their knowledge about the company would not be limited to its financial statements. Although this may be true for companies with two or three owners, companies can have up to 300 shareholders before they are required to register with the SEC. It is unlikely that dozens of shareholders, much less a few hundred shareholders, would be actively involved in a business. Those shareholders need an auditor to provide independent assurance about the financial statements.

Furthermore, according to law professor Robert B. Thompson, quoted by Steven C. Bahls and Jane Easter Bahls in “Could You Be Liable for Your Corporation’s Bad Decisions?” (Entrepreneur, March 1997): “Lawsuits among shareholders are regular and common,” even in very small companies. It would be risky to assume that the financial statements of nonpublic companies will be used only by a handful of people who agree with and trust each other.

Third, according to the AICPA, investors in public companies may be less sophisticated than users of nonpublic companies’ financial statements. The AICPA appears to be comparing an average individual investor in public companies with the lenders and private-equity investors that use nonpublic companies’ financial statements. However, the shareholders in public companies include sophisticated institutional investors as well as less-sophisticated individuals. Both types of investors were victims of Enron and other frauds. Also, the users of nonpublic companies’ financial statements may include dozens or hundreds of shareholders as well as bankers and private-equity investors. Some of those shareholders are likely to be unsophisticated investors.

Lenders and private-equity investors are likely to be sophisticated investors who are very familiar with the company’s operations and strategies. They are often the users who require audited financial statements. It is difficult to conclude that they would accept a lower-quality audit (i.e., one performed under weaker standards of independence and objectivity).

The AICPA could strengthen its case by providing data on the number of companies affected by the scope-of-service issue and whose financial statement users fit the assumed profile—in other words, how many clients receive both attest services and services restricted by SOA, and how many of those clients have investors that are actively involved in the business. Some evidence suggests that lenders are comfortable with auditors providing information systems and internal audit services (see “Independence and the Users of Closely Held Companies’ Financial Statements,” by Nicholas J. Mastracchio Jr., The CPA Journal, June 2002). More research is needed, and some issues should be more fully explored.

Rules to Enhance Auditor Independence

SOA contains provisions on the scope of services provided by CPA firms, as well as on audit committees, auditor reports to audit committees, audit partner rotation, and employment conflicts of interest. The related SEC rules include a restriction on audit partner compensation.

Scope of services. SOA prohibits CPA firms from providing various services to audit clients registered with the SEC. The prohibited services are: 1) bookkeeping or other services related to the accounting records or financial statements of the audit client; 2) financial information systems design and implementation; 3) appraisal or valuation services, fairness opinions, or contribution-in-kind reports; 4) actuarial services; 5) internal-audit outsourcing services; 6) management functions or human resources; 7) broker-dealer, investment adviser, or investment banking services; 8) legal services and expert services unrelated to the audit; and 9) any other service that the PCAOB determines, by regulation, is impermissible. CPA firms commonly provide some of these services to small, non-SEC audit clients. If small companies are required to use different firms for these nonaudit services, the AICPA foresees a possible loss of synergy, less efficiency, and higher costs. In some parts of the country, companies may have difficulty finding other nearby firms to provide the desired services.

The scope of services was restricted because of concern that high fees from nonaudit services threatened auditors’ independence. The fear was that auditors might accept a client’s inappropriate accounting or reporting in order to avoid losing its nonaudit work. This economic incentive can exist for auditors of small clients as well as auditors of large clients.

In considering the motives for CPAs’ behavior, it is important to recognize that multiple factors often drive behavioral choices, and these motives may conflict. The economic incentive created by nonaudit fees could be counterbalanced by strongly held professional values, such as integrity and objectivity.

People may also identify with a role or group they are in (e.g., auditor or consultant) and define themselves in terms of that role. They will act in ways that fit the role or fit in with the group’s behavior. Consultants are expected to be advocates for a client, so identifying with management does not pose a conflict. An auditor cannot, however, identify with a client; professional standards require an auditor to be independent and objective. An auditor’s first responsibility is not to the client per se but to the users of the financial statements. Identification with management can impair, or give the appearance of impairing, an auditor’s objectivity.

Research shows that increased contact increases the salience of membership in one group relative to other groups (see “Identification of Accounting Firm Alumni with Their Former Firm: Antecedents and Outcomes,” by Venkataraman M. Iyer, E. Michael Bamber, and Russell M. Barefield, Accounting, Organizations, and Society, April 1997.) Partners and staff who spend most of their time working on one client are particularly at risk of identifying with that company. Being the partner on an account could become a more important part of the CPA’s identity than being a partner in the firm or being a CPA. This situation may be more likely to occur with large public companies than with small nonpublic companies, in which case states might not need to restrict the scope of services offered to nonpublic companies.

Certain comments by CPAs with nonpublic clients suggest that these CPAs are also at risk of overidentifying with clients. In a 2003 interview with the Journal of Accountancy, S. Scott Voynich, then–AICPA chair, talked about his firm’s family-business clients and said, “It’s our responsibility to keep an eye out for their best interests in everything we do.” That statement is very close to language the SEC used in 2003 (“Strengthening the Commission’s Requirements Regarding Auditor Independence, Section II.B.9,” www.sec.gov) to explain why legal work is considered to impair CPAs’ independence: “In the exercise of professional judgment, a lawyer should always act in a manner consistent with the best interests of the client.”

Similarly, James C. Metzler, AICPA vice president of small firm interests, said in the Journal of Accountancy (March 2004): “Each client wants a trusted advisor, business partner, confidant, quarterback and mentor.” If CPAs think of themselves as partners with their attest clients, then their objectivity is at risk. Thus, being too closely aligned with management can occur with clients of any size.

Restricting auditors’ scope of allowable services is one way to address the problem, but, as noted, that solution could create hardships for nonpublic clients. An alternative approach is to strengthen CPAs’ identification with the profession so that it outweighs any identification with management. Convincing state boards of accountancy of the effectiveness of that approach could be difficult, however, because motives are not observable. A state board of accountancy cannot see whether a CPA’s judgments are independent and unbiased. Restrictions on the scope of services are easier to enforce.

Earlier SEC independence rules also prevented CPAs from providing certain services for public clients that were allowed under AICPA rules for nonpublic companies. State regulators must decide if those AICPA rules adequately protected users of the financial statements of nonpublic companies. If so, regulators could continue to allow CPAs to provide a wider range of services for nonpublic clients than for public clients.

Other Areas

Audit committees and auditor reports to audit committees. SOA requires audit committees to preapprove both audit and allowable nonaudit services. It also requires auditors to discuss critical accounting policies and alternative treatments of financial information with the audit committee. The intent is to support the auditor’s independence from management by strengthening its relationship with members of the board of directors, which is a valid objective for both public and nonpublic companies. The directors represent financial statement users, and the financial statements of a nonpublic company (even a small one) might be used by more people than just the single owner/manager. The business might have several active owners, as well as lenders, prospective buyers, and dozens or hundreds of nonactive owners. Although there would be additional costs (e.g., compensation for directors’ time), the benefits include more-knowledgeable directors—which can provide more-effective oversight—as well as a reduced threat to the auditor’s independence.

Statements on Auditing Standards (SAS) that refer to audit committees typically state that if a company does not have an audit committee, then the board of directors should fill that role. State regulators could follow this model if they were to extend these provisions of SOA to nonpublic companies.

Audit partner rotation and compensation. SOA includes a requirement for audit partner rotation, and the SEC has recognized that rotation would be impractical for small CPA firms. SEC rules now also prohibit audit partners’ compensation from being based on selling nonattest services; that requirement could be more of a hardship for small CPA firms. Accordingly, firms with less than five SEC clients and less than 10 partners are exempt from these requirements. If state boards of accountancy were to adopt the SOA rules for CPA firms with nonpublic clients, it would be reasonable for them to provide a similar exemption based on firm size.

Employment conflicts of interest. Under the SEC rules implementing SOA, a CPA firm will not be considered independent if a member of an engagement team is hired by the issuer for a financial reporting oversight role before the end of a one-year “cooling-off” period. The independence issue applies to both public and nonpublic companies. The SEC’s discussion of the rule, including its costs and the public comments received, did not indicate that this requirement would be a hardship for small CPA firms.