Couldn't go past this Wall Street journal piece from former Securities and Exchange Commission chief Harvey Pitt that came out earlier this month. He says the biggest problem with SOX is its one-size-fits-all approach, and he recommends making it part of the 1934 Securities Exchange Act, so that its rules can can be fine-tuned to suit different sized companies, and also give Congress and administration more freedom to move.
Here is the entire piece, for those who don't have a subscription to the WSJ:
"The Sarbanes-Oxley Act is a lot like the weather: Everyone talks about it, but no one does anything about it. That's too bad. The statute was hastily — and, therefore, badly — drafted; but it was, and remains, necessary. In particular, it did two important things. It provided a framework for private-sector regulation of the accounting profession in the form of the PCAOB, and it mandated that all public companies (and their outside auditors) annually attest to the quality of corporate systems of internal controls.
"The former provision is now under a legal challenge, with a threat that the entire statute may be dismantled in the bargain. The latter provision is the subject of a great deal of complaint about the costs, with the concomitant proposal from an SEC Advisory Committee that nearly 80% of all public companies be exempted from SOX requirements, and others suggesting the SEC redefine the concept of materiality.
"The most significant problem with SOX is its "one-size-fits-all" approach to regulation. Those who complain about the disproportionately high costs on small- and mid-cap companies are correct. But the solution shouldn't be to thrust out the internal controls requirements for smaller-cap companies. Many of those companies pose significant risks for investors — they often lack outside accountants who fall within the first or second tier of the audit profession, and they often find it difficult (if not impossible) to get adequate research coverage. Nor is the solution to hope that the costs of a meaningful risk-based audit will ultimately recede. We've tried that approach, and it still hasn't worked.
"The first component of any solution is to amend SOX by making it part of the Securities Exchange Act of 1934. This would have the advantage of allowing the SEC to tailor SOX's requirements to the size and economic burden imposed upon public companies — not to mention affording the SEC the opportunity to make distinctions between domestic and foreign registrants — without eradicating the protections served by the statute. It would also enable Congress and the administration to move quickly without raising concern that any substantive provision of the statute was being modified — so those who don't want to be seen as pandering to corporate miscreants won't be subject to that charge, while those who want to promote greater rationality in SOX won't be tagged with loosening substantive protections afforded by the law. Finally, this reform would eliminate legal questions about the SEC's ability to craft effective solutions.
"Ironically, this is what we urged when I chaired the SEC, but then-Senate Banking Committee Chairman Paul Sarbanes explicitly rejected that approach. He feared that making SOX a part of the 1934 act would enable the SEC to fine-tune some of the absolute judgments his committee had fought to make. Instead we have a law that is reviled here and abroad, and is threatened with judicial and legislative attack.
"Once SOX is clearly made part of the 1934 act, the next step should be for the SEC to promote a careful phase-in of the applicability of the internal controls requirements to companies of different sizes. The SEC could start by proposing to take the next 33% of public companies, not now subject to these requirements during a several-year deferral period, and require them to have their internal controls reviewed but not audited by outside auditors.
"Under our present system, outside auditors review but do not audit quarterly financial reports required to be published by public companies. The same approach could, and should, be applied to the next tier of public companies. After adequate experience with this requirement, this first group of companies newly subject to internal controls review could move on to formal audits of their internal controls, while another 33% of those companies not now subject to these requirements would become subject to outside auditor review — but not an outside audit.
"The advantage of this process would be to ensure that all investors are protected by having public companies attest to the adequacy of their internal controls, but eliminate the most burdensome element of the cost of this new requirement. As more experience is gained with the application of these requirements, judgments can be made whether some companies should never be subject to a formal audit, and if so, at what breakpoint those companies will be excused. Significantly, however, all companies would undergo an annual review of their internal controls, which will provide important protections to the investing public.
"Similarly, the SEC could give foreign companies the same treatment for SOX requirements as it does with regard to accounting principles. The SEC now allows such companies to use IFRS — international accounting principles — instead of U.S. Generally Accepted Accounting Principles, without requiring a reconciliation. The SEC could take the view that different regulatory systems provide comparable protections for investors, and there is no need to impose our version of protections on these registrants. This would eliminate the serious concern that foreign companies are no longer interested in registering their securities on U.S. exchanges. Investors, meanwhile, would be told that these companies are subject to different regulatory standards.
"Unlike the weather, there is a lot that can be done to imbue SOX with fewer burdens, while providing the same measure of protection to investors that its framers intended. So, isn't it time to find a simple solution to this problem?"