Financial Services

SarbOx Small Firm Mitigation:
The SEC Chimes In, Ringing the Bell for Community Banks

August 2006

By Christopher C. Gallagher*

In late 2005, the FDIC amended the annual report section of Part 363 (which implements Section 36 of FDICIA), raising the financial institution asset-size threshold from $500 million to $1 billion. This provision requires reports on internal controls by management and external auditor attestation of same. In so doing, the Corporation made a sincere effort to eliminate costly compliance inefficiencies for a number of non-public community banks.

Its amendment commentary acknowledged the on-going discussion of similar issues roiling at the Securities and Exchange Commission (SEC), as it wrestled with its own rulemaking relative to Section 404(a) of the Sarbanes-Oxley Act of 2002 (75 U.S.C. 7262) (SarbOx), which was based upon Section 36. Indeed, the FDIC left its Part 363 regulatory door open for even more relief, presumably waiting for its sister agency, the SEC, to resolve its rulemaking deliberations. (See 70 Fed. Reg. 71,227 (2005). Also see Gallagher, Christopher. "The FDIC and Part 363: Flexibility Without Forbearance.") Citing a need for small business relief from similar requirements, the SEC has now moved in the same direction.

On July 11, 2006, the SEC issued a Concept Release expressing its concern over the cost/benefit impact on smaller firms of the accounting attestation procedures built into SarbOx Section 404. With the SEC now under new leadership, it appears that its deliberate and cautious implementation with respect to smaller public companies may result in a Rule that offers them relief. More important, the SEC has suggested that in the execution of its new responsibilities under SarbOx, the accountants' tail may be wagging the dog of our nation's small business. Significantly, these agency developments may signal a momentum shift in federal agency "group think" that could lead to a better balance for community banks between the costs of conducting their business and their internal controls systems.

The size of companies required by the 1934 Act (15 U.S.C. 78a et seq) to file annual reports pursuant to Section 13(a) or 15(d) (15 U.S.C. 78m (a) or 78o (d)) has been the subject of intense analysis and discussion in SEC circles for some time. The "Concept Release"1 is designed to elicit commentary from the field. Of interest to banks, within the Concept Release, the SEC expressly references the Section 36 FDICIA process (on which Sarbanes-Oxley was based).

"35 12 U.S.C. 1831m. Section 112 of the Federal Deposit Insurance Corporation Improvement Act of 1991 added Section 36, "Independent Annual Audits of Insured Depository Institutions," to the Federal Deposit Insurance Act. Section 36 required the Federal Deposit Insurance Corporation, in consultation with appropriate federal banking agencies, to promulgate regulations requiring each insured depository institution with at least $150 million in total assets, as of the beginning of its fiscal year, to have an annual independent audit of its financial statements performed in accordance with generally accepted auditing standards, and to provide a management report and an independent public accountant's attestation concerning both the effectiveness of the institution's internal control structure and procedures for financial reporting and its compliance with designated safety and soundness laws."2

The SEC goes on to say,

". . . we have anecdotally heard that this documentation, in many cases, substantially exceeded that normally produced by financial institutions under the Federal Deposit Insurance Corporation Improvement Act of 1991, notwithstanding substantially similar statutory language to that found in Section 404."3

The SEC has acknowledged the reality that because of uniform and widely-applied audit standards by accountants and other practical realities (such as finding an auditor or reaching "reasonable" engagement agreements), community banks may have been saddled with needless reporting inefficiencies. This indirect expression of regulatory agency comity echoes the FDIC's earlier hint that its own regulatory door was open to further change. Let this agency harmony continue! It is music to the ears of community bankers because it can lead to significant cost savings and operational relief.

The fact is, SarbOx effectively applies to any entity that obtains an audit, public or private. The PCAOB's Auditing Standard No. 2 (A.S. 2) applies to audits and is routinely applied by accountants everywhere, in no small part because it provides accountants with a uniform safe harbor in the increasingly litigious atmosphere surrounding publicly traded securities. Its "one size fits all" application is efficient. A.S. 2 is based upon the COSO framework, so called, a structure drafted by and for the accounting profession's review of financial controls, and is designed to respond to its understandable concerns about liability. Through the uniform application of A.S. 2, public and non-public banking entities alike have been subjected to the same internal controls review and assessment standard. As a result, the individualized and customized "scalability" so often touted by SarbOx advocates has been buried in the process, imposing needless costs and inefficiency on community banks. Moreover, financial service regulators are also yoked together as a practical matter by the political reality that acting inconsistently can expose them to undesirable Congressional criticism. Washington "group think" around SarbOx is very real indeed. Accordingly, these SEC statements to the auditing profession are significant.

The accounting profession continues its push for universal applicability of the existing attestation process, irrespective of asset-size. A recent "report" by Grant Thornton indicates that auditor review is "critical" to assuming adequate controls for every firm. Indeed, in arguing for a uniform process, David Richards, President of the Institute of Internal Auditors, says, "It does not matter what your size is."4 Delaying its rulemaking, the SEC has stalled the permanent application of this uniform legal approach so far, first by postponement, then by awaiting an Advisory Committee Study, sensing that the expense and operational costs impact on small business may not be justified. But de facto, in the audit and attestation process, through A.S. 2, the accountants are already imposing uniform internal control requirements. Elevating the importance of "scalability" in the compliance process, the recent Concept Release expressly finds a need for auditing procedures that accommodate the structure and needs of smaller firms. The SEC in effect directs auditors to conform their review to the control structures put in place by smaller firms rather than imposing on them their own uniform system through their attestation process.

Accordingly, this SEC proposal is important to community banks that are already deeply engaged in implementing internal controls that must be integrated across their entire operation, not only for financial reporting, but for compliance and for risk assessment. Each time auditing standards are altered or elevated by their accountants, the bank's entire integrated controls system must be altered as well. And with bank regulators already looking over their shoulder, the cost/benefit impacts to community banks seem even more inappropriate when uniform accountancy-driven audit attestation procedures are pushed into the process. Scalability and expansion of Part 363 exemptions can offer much needed relief.

Initiating its own cost/benefit analysis in this Concept Release, the SEC offers another opportunity to push back against the "one size fits all" proclivities of the accounting profession. Common sense risk analysis suggests that when it comes to community banks, whose internal controls are regularly scrutinized by federal and state examiners, a fortiori Section 404 accountant attestation is even less worth the cost. The FDIC has done its part. The SEC has responded with its own shift toward meaningful scalability. Bankers should take note. When the SEC chimed in, the bell rang for community banks.


America's banking community should respond to this most recent SEC Concept Release process, and should respectfully encourage the newly-led FDIC to stay engaged in the on-going interagency dialogue concerning this issue. Costly compliance in an era of compressed operating margins is a serious issue. Better internal controls are here to stay, and should be, but the costs of uniform, over-structured compliance systems imposed for the convenience of the accounting profession have no place in community bank regulation, where scalability based upon the unique characteristics of each community bank is critical. And while the future implications of "sexier" issues (like the Wal-Mart ILC) may be presently attracting the attention of the banking community, community bankers would do well to focus their attention on what is going on at the SEC. For some, its outcome will directly affect their bottom lines this year. For the rest, it can keep the ball rolling in the right direction, toward creating a better balance of operating input among banks, their auditors, and their examiners. Restoring the right balance is in the best interest of community banks and the public they serve.

1 Concept Release Concerning Management's Reports on Internal Control Over Financial Reporting, Securities and Exchange Commission, Release No. 34-54122. Available at:

2 Ibid, p. 26

3 Ibid, p. 26

4 Floyd Norris, "S.E.C. Looks to Cut Costs of Meeting Audit Rule," The New York Times, July 12, 2006.

*Christopher C. Gallagher is admitted in New Hampshire.
