James Thyen, CEO and president of Kimball International Inc., knows firsthand that compliance with the Sarbanes-Oxley Act's Section 404 does not come cheap. In the year and a half since Kimball began making modifications and preparing for its internal controls assessment, the $1.15 billion global manufacturer of furniture and electronics, based in Jasper, Ind., has had to spend at the rate of $1 million a year on additional costs from such items as markedly higher audit fees, expanded staffing and the like.

Now, Thyen, who basically would describe himself as a supporter of Sarbanes-Oxley, has only one question for the federal government: Is all this necessary–particularly for midsize companies like Kimball? "We believe Sarbanes-Oxley has many positive aspects to it. It's going to make us stronger as a country [and] as a company," says Thyen. "But at the same time, the legislation that was passed with such exuberance was a reaction to [the actions of] a few, and the danger of proportionality is that it brings unintended consequences that end up actually working against the American investor and working against capital markets."

Thyen will get a chance to find the answer to his own question: In December, the Securities and Exchange Commission (SEC) named him as co-chair of a new advisory committee formed to assess the impact of Sarbanes-Oxley on small and midsize public companies and whether regulators should create a different set of 404 rules for them.

Thyen's warnings that smaller companies faced an uphill battle hardly came as news to the SEC. Even before Thyen's appointment, the agency had demonstrated sensitivity to the particular problems of resource-strapped smaller companies when it suddenly decided last November to grant an extra 45 days to file internal control reports to companies with market capitalizations between $75 million and $700 million and fiscal year-ends between Nov. 15, 2004 and Feb. 28, 2005. At the time, the SEC said it provided the extra month and a half to help small and midsize companies secure the services of auditors and consultants who also found themselves without enough staff to respond to unprecedented demand from companies of all sizes for internal and external audit services.

While the extension should provide relief to as many as 2,000 of the close to 4,000 accelerated filers, extra time doesn't redress smaller companies' biggest complaint–the whole process costs too damn much. So for the SEC, the question remains: How far would it be willing to go to establish two standards of behavior, based on size, which would provide meaningful financial relief to middle market companies? Thyen and his colleagues on the committee will certainly test the agency's flexibility as they explore potential problem areas, including everything from standards of audit to how often managements at smaller companies should be asked to sign off on internal controls. "I believe [cost] proportionality is something that has to be looked at," says Thyen.

THE LAUNDRY LIST OF HEADACHES

In the meantime–as Thyen and his co-chair, securities lawyer Herbert Wander, a partner at Katten Muchin Zavis Rosenman in Chicago, begin to select committee members–experts and executives are already suggesting possible areas of the law that the committee should consider overhauling to help smaller public companies. Among the most fundamental: Eliminate or at least reduce the number of checks and double-checks of a company's internal controls. "The problem with Sarbanes-Oxley is that it applies across the board, regardless of the size of the company," says Robert Hirth, managing director and head of internal audit at risk consulting group Protiviti Inc. "Why not have bigger companies have the auditor attestation and smaller companies rely on the management assessment of internal controls without the attestation?"

A similar, though less drastic, change could see external auditors providing, in place of a full-blown attestation, a "negative assurance" review report on smaller company internal controls. Negative assurances state in effect that "nothing came to our attention" as a result of a less intensive review. Another approach could be requiring small companies to get an attestation on their internal controls every other year. With any of these modifications, such relief could be withdrawn, as a form of corporate punishment, should a company issue a restatement or be the subject of an SEC action.

The headaches from 404 do not all involve the law itself. Another major criticism from companies of all sizes is the lack of explicit guidelines provided by regulators. This, according to experts, has promoted overkill by companies and auditors in an effort to reduce any potential exposure. "A lot of companies have gone way overboard on the amount of process documentation," Protiviti's Hirth says. "What is more important is the nature and quality of the controls." While this pushes up costs for big and small companies alike, smaller companies with limited resources are the ones having the most trouble duplicating their bigger brethren's efforts, which will likely be considered the benchmark.

To the rescue: the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which released the influential framework on internal controls in 1992. Recently, COSO announced it would compile detailed guidance for smaller companies to use within the existing internal controls framework. "One of the areas that does not receive enough attention in the [current] COSO model is information and communications and monitoring," says Larry Rittenberg, an accounting professor at the University of Wisconsin and COSO chairman. "Small and large companies have to establish the controls and assure themselves they are effective, then they can move to communications and information and monitoring on a regular basis. There are effective ways to monitor control systems in an organization, that is, control systems that may be underutilized by large and small companies. It includes reports or processes organizations have in place that will signal to them when there is a breakdown in basic controls."

From a recent survey of chief audit executives, Rittenberg uncovered many instances in which companies were not even bothering to carry out basic reconciliations or not doing them in a timely manner. As a result, the controls that would have uncovered a problem, such as when details that underlie a company's A/R do not agree with details in the financial statements, were never implemented. The new COSO project is expected to be completed by midsummer, and the committee will work in cooperation with the SEC and the Public Company Accounting Oversight Board (PCAOB).

In the meantime, executives just have to "muscle through," as Rob Fisher, director of financial systems at Kansas City Life Insurance Co., a $475 million insurance provider, so aptly puts it. Among the most challenging tasks: setting controls around IT systems, given that certain tech employees must have access to sensitive financial information and that could expose a company to a security breach. Fisher, for instance, recounts how his staff had to resort to manual fixes to set up security tables and the problems they encountered with the many connections between processes and systems that complicated the task. "We got through it, and I think we're in a better place because [our systems] were wide open [before]," he says.

NOT ENOUGH BODIES

Another resource challenge for midsize companies is their limited ability to achieve true segregation of duties–that is, a situation in which the same person overseeing a function (such as payroll) isn't being asked to test the controls for that function as well. According to some consultants, it would help tremendously if regulators would define where such segregation is absolutely necessary or how a company can put in place other mitigating or compensating controls where segregation is impossible. "Under the current framework, the ability for small companies to operate in a less formal control environment is not completely clear," says Trent Gazzaway, national director of corporate governance services at accounting firm Grant Thornton LLP. More detailed guidance on control setting could also help to minimize the number of restatements that small companies produce. According to a study by Huron Consulting Group, of the 414 public company financial restatements issued in 2004, 81% were from companies with annual revenues of less than $1 billion, and 39% were from those with revenues under $100 million.

Longer term, small and midsize companies may achieve their greatest cost savings by following a best-practices framework, such as the one COSO could issue. One of the practices that Protiviti's Hirth and others believe all companies should use at the start is taking a proactive approach with their external auditors. "Know what your areas of exposure are and discuss them with your auditors beforehand," says Malcolm Schwartz, one of four principal contributors to the original COSO framework and head of the compliance practice at Technology Solutions Co., a consulting firm based in Chicago. "There are various industry parameters that can help you define the important areas and then company characteristics that can follow behind that. It will save a lot of effort in the level of documentation." A telecom company would be most interested in detailed controls on their accounting for fixed assets, such as their depreciation and capitalization records, while controls on payrolls might be less important. But for a packaged food company, advertising and promotional expense accounting would be among the most critical areas to control and monitor tightly. The point is that not every process is of equal importance for all and that companies should reach out to their auditors early in the process.

Such a proactive approach helped to smooth the compliance efforts at Huttig Building Products Inc., a St. Louis-based distributor of building materials with 2003 revenues of $980 million. In mid-2003, company executives had the smarts to hire Rick Baltz, a director of internal audit at KPMG LLP, as vice president of internal audit. Baltz and the rest of the management team created a framework document early in the process based on the PCAOB's auditing standard No. 2 that worked through their own internal program, its main areas of focus and materiality levels. "Then we shared that information with [our external auditors] in terms of significant accounts we would be looking at, controls objectives and controls around that," says Baltz.

With more than 40 U.S. locations, inventory management controls were central to Huttig's compliance efforts and its external auditors agreed. Baltz also credits the company's senior management for taking the controls process seriously from the start, including taking time to educate all employees about what was needed and why it was important. He estimates that the company's audit fees have risen by 50% and other internal compliance costs are up 40% since 2003. Baltz also credits new software called Certainty from Movaris Inc. for helping his staff of five manage the controls self-assessment process at each of its disparate locations. "It gave us the ability to not only document controls, but also the tests against those controls, so you really have one repository for your whole process."

SIZING DOWN SOLUTIONS

The fact that more technology vendors are targeting the specific compliance shortfalls of small and midsize companies is clearly a good thing. What remains uncertain, and varies from company to company, is whether new levels of automation add enough efficiency and control to justify their cost. It paid off for Viasys Healthcare Inc., a $397 million developer and marketer of medical devices in Conshohocken, Penn. In early 2003 the company installed a consolidated management and financial reporting system by business performance management tool vendor Cartesis SA. John Imperato, vice president of finance at Viasys, credits the system with helping set controls and accelerating the data-gathering process across the company's operations in the U.S. and five other countries during the last year. Still, he says Viasys's bills for internal and external audits have easily doubled during that time. "I think our process went well but it was very tough. A lot of us are out of large public companies and we think the pressure of getting this done is disproportionate for a company the size of Viasys." He adds that despite the burdens, the company has clearly benefited from the process, with the establishment of a set of common policies across all entities and confidence that the processes in place are working.

It will be up to the SEC to balance the necessity of good governance practices at all companies against an affordable framework. The job will require a lot of careful listening and analysis in the weeks and months ahead on the part of the advisory committee and regulators themselves. "We are going to stay true to the view of protecting investors and try to determine cost proportionality to benefit, define methods where we can maybe minimize costs but maximize benefits," says co-chair Thyen. "One of the real dangers of Sarbanes-Oxley is exactly what occurred at WorldCom and Enron, if we allow laws to drive our companies to get so focused on the rules that they start to think about how do I get around the rules…We are guarding against the danger in 404 that the rules become the issue. Truly it's the spirit and intent that we are after."
