The "SOX" Effect on Small Companies
an interview with Paul Vallone of Montgomery & Co.
Stephanie Carpenter | University of California, Davis, School of Law
Katie Rowe | University of California, Davis, School of Law
Posted Sunday, May 1, 2005
5 U.C. Davis Bus. L.J. 19 (2005)

Paul Vallone serves as Vice President of the Communications and Electronics Practice for Montgomery & Co. Since 1992, Mr. Vallone has provided investment banking expertise to growth companies in the communications, software and semiconductor industries. Mr. Vallone advises companies on mergers and acquisitions, corporate finance, strategic advisory assignments and private placements in the communications equipment, enterprise infrastructure and telecommunications services sectors.

Prior to joining Montgomery & Co. in September 2003, Mr. Vallone served as a Vice President at SG Cowen in San Francisco. While there, he focused on the communications industry, with particular emphasis on data networking, optical components and systems, wireless infrastructure, and cable equipment technologies. Before that, Mr. Vallone was with the technology investment banking group at Prudential Securities. He joined the firm's New York office in 1992 as an analyst and was later promoted to associate in the San Francisco office.

Mr. Vallone has played an active role in numerous corporate finance, merger and acquisition, and private equity deals for leading technology companies including Alcatel, Motorola, Lucent, LSI Logic, Vitesse Semiconductor, Pericom Semiconductor and Network Solutions. Additionally, he has participated in more than twenty IPOs for companies including Lightbridge, inSilicon, Novatel, iPass and Alliance Fiber Optic Products.

Mr. Vallone received his M.B.A. in finance and marketing from the A.B. Freeman School of Business at Tulane University, and currently serves on the advisory board for Burkenroad Reports, an equity research program at the business school. He holds a B.S. degree in strategic management from California State University, Chico.


For many companies, one of the most challenging components of Sarbanes-Oxley Act (SOX) compliance is Section 404. This regulation requires that management file an internal control report that demonstrates adequate internal controls over financial reporting have been established and maintained. The report must also include management's conclusion on the effectiveness of these internal controls. External auditors are then required to attest or provide an independent opinion as to the adequacy of these controls.

This new emphasis on internal controls and the immediacy of disclosure has placed tremendous pressure on internal auditors, business process managers, and corporate executives to work together to ensure both the presence and effectiveness of the company's controls.[1]

Q: What do you see as the biggest problem with SOX with respect to small public companies? What about for small private companies?

A: I think the biggest problem is definitely for small public companies. SOX has not had much of a direct impact on private companies unless they are intending to go public.

It has an impact on any private company planning to go public in one year's time. First, a company must establish a completely independent board of directors that is SOX compliant. For a private company looking to go public, that is a big issue and takes a lot of time. The second biggest issue for a private company wanting to go public is implementing the internal controls to become SOX compliant. There are many different internal controls, which may need to be implemented, including: hiring additional staff, new accounting software, and all types of control around the company's financial reporting not required prior to SOX. Another major cost of going public is outside auditors and how much companies have to pay them in fees to make your company SOX compliant. These are all significant costs for a company wanting to go public within one year.

The biggest problem is for small public companies. Once the act was passed they had a certain amount of time to become SOX compliant. That time is up for some companies and is almost up for others depending on when they end their fiscal quarter. I recently met with a small public company in San Jose, CA that is starting the audit process for the first quarter. I spoke with the CEO about the added burden of SOX, and he said that the impact it has on my company from both a time and cost perspective is unbelievable.

We have been asking a lot of small companies what the actual dollar cost on the annual basis and it ranges from one to four million dollars per year. The cost depends on where they started from and where they had to go. However, it is not just the actual dollar cost; it is the internal drain on the employees. The effects of SOX run throughout the organization and include the financial managers, controllers, CFO, and all the way down the line. The additional work that is created takes away from what companies do best - sell products and make money. It's definitely a time problem and a financial cost problem. For the board and corporate level employees it is a dependence problem. These people have to sign on the line indicating that as far as they know everything is accurate. If it is not accurate, those employees are to blame and the government can go after their personal finances. This is a big deal.

Q: Do you think SOX is preventing private companies from going public?

A: I do. I think companies will think twice. Typically companies have two paths to liquidity, either sell the company or go public. If a company is making the choice of whether to go public or sell, SOX has a big role in the decision-making process. SOX makes it much more difficult for a company to go public than it would be to sell. SOX influences company owners to sell, rather than go public. It is easier to sell the company than go through the hassle of going public. If you asked this question six years ago, everyone wanted to go public, but now people may think twice about it.

Q: Do you think you have seen a general change in the industry for better or worse since SOX was enacted from your perspective as an investment banker?

A: Not personally. I have not seen a difference in the way the senior level managers act. They do not manage their business differently because of SOX, as far as I know.

From an investor's perspective in public companies overall, I have seen a general change. Anything that gives more transparency to what is going on inside the business is a good thing. But look at the costs. Consider a small cap investor in a company that earns a profit every year. The CFO of this company, says that direct compliance with SOX is costing four to five cents per share per year. The cost is net income dollars that could either be helping the company grow, or going back to shareholders. So there is a cost to the transparency.

There has absolutely been a change in the services business. SOX has changed the auditing function of the "Big Four" - KPMG, Deloitte & Touche, etc. They are now swamped. SOX has put a huge workload on their table. Auditing firms are firing public companies as clients because the firms cannot keep up with the work. Generally, before SOX was implemented, it was very rare that a public company would have a tier two, or tier three auditing firm. Most public companies had one of the Big Four auditing firms because of the brand name recognition. Now many small public companies have to look elsewhere. These auditing firms are spending so much time with their large clients (IBM, Cisco, etc), they can't support the small companies. Small companies are having to switch to smaller auditing firms because the demand has become so great.

Q: Do you think SOX has swung the pendulum too far in the direction of regulating companies with SOX? Is this Act manageable?

A: I think there needs to be a common ground. In my personal opinion, the pendulum tends to swing too far the other way, and it rarely gets agreed upon. In this case, I think the government has gone too far in the opposite direction for the benefit of a lot of companies. There will have to be some modifications at some point. I don't know when that will be, but there has been a lot of talk about it. The SEC hears the complaints from the companies implementing SOX. The SEC is paid by fees that public companies pay every year. Small companies are upset that they are being burdened by the service, the SEC and SOX, for which they are paying for. The SEC is starting to drive some of this discussion to help small companies. What Enron did was wrong and what Worldcom did was wrong, and they deserve punishment. However, it seems that a couple of bad apples ruined it for the whole bunch.

Q: Although SOX may be incredibly hard to initially implement, it seems that after some time, private companies will be aware of SOX and hopefully will be compliant from their company's conception. Do you think that this is realistic or possible? And if so, does it create an advantage for private companies?

A: Most private companies that I know of, who are just getting started and not thinking about going public, are not concerned with SOX. They can't be. It is too hard to worry about this and become successful. I deal with growth companies, i.e. technology and health companies, who are venture-backed. When venture capitalists (VC's) are putting money into a company to get started, the last thing you are thinking of is SOX. It is a small group of closely held investors, it is not a publicly held company, and they are not requiring the company to have all of this disclosure that is SOX compliant. It is not a liquid security, so the added costs would never be recouped for years to come, so it is not an issue. When it does become an issue is when a company is on a trajectory to go public.

Q: Is SOX essentially keeping bad companies from going public?

A: "Bad companies" is a tough term. I think it would certainly prevent some companies from going public. In the process of becoming SOX compliant, a business may realize they have a different looking business than they thought they had. This is because most businesses are now international. Technology companies are bringing business overseas to China, Japan and India. If, in doing the SOX mandated checks and balances, a company realizes they have been running their business in one way and they find out that they are not compliant for certain things, it can delay their attempt to go public.

Another example is a large private company that wants to go public. They project to outlay at least $300,000 to $400,000 in becoming SOX compliant before even filing to go public. This company is also thinking about doing an acquisition in China before they go public. However, they don't have anything close to SOX in China because it is run completely differently there than in the US. SOX becomes another huge roadblock. In trying to integrate all of their operations into your own and make it SOX compliant, it is a huge task. Really, at the end of the day if the company is solid, they will go public. It will not deter all companies, but it is another hurdle and it is an expensive hurdle.

Q: Do you think SOX provisions that link executive compensation to company performance may deter more qualified individuals from wanting to take positions in smaller public or private companies?

A: There is certainly much more risk. Typically with smaller public or private companies a senior executive in a large public company will be recruited to have its first CEO position in a small company. Recruiting from large companies to smaller companies still happens. I don't know anyone who has turned something down just because of SOX. But I do think it is a concern. If I was taking the risk, that personal risk, to become a CEO of a public company that needed to be SOX compliant, it would definitely be a serious consideration.

Q: Most commercial loan agreements require some sort of compliance certification from borrowers relating to financial statement and compliance with financial covenants. There are similar requirements for certain types of insurance. We've read that lenders and insurers may attempt to apply more stringent certification standards, like those required by SOX, to privately held companies. What are the effects that these standards have on privately held companies, in particular smaller companies? Do you think this is a real concern or just speculation?

A: That's a really good question. I suspect that lenders will always try to take as much risk off the table when lending to private companies. If there are very few liquid assets in a private company that they are lending against, they will try and be as protective as they can. For private companies that are not cash flow positive, it is very tough to get equity lines and to get loans. Most of the private companies I know of never go down the route of getting lending. It is not the right model for a lender. They are burning more money than they are bringing in. There is no way a venture investor would allow his money to be used to pay back debt rather than grow the company.

To answer your question, I'm sure that commercial lenders are certainly thinking about more stringent certification standards where they can. I have not seen it in practice yet. It certainly makes sense if I'm lending to a larger private company that would ordinarily be a decent candidate to lend to it. But if the company turns out not to be a great candidate, then perhaps you would require certain other provisions in your loan and have heavier protection in case something bad happens.

Q: SOX emphasizes the importance of independence in the auditing process. It forbids auditors of public companies from providing non-audit services and requires them to report certain matters to audit committees. This seems like it will have an effect on privately held companies because the auditing profession is likely to impose SOX rules no matter if they are dealing with a private or a public company. Do you see the independent auditing processes as a threat to small businesses?

A: I have not seen it yet. Most private companies don't use auditors for anything other than auditor services. Most private companies look for outside services, whether it be with folks like myself (investment banking), or a consulting firm. I haven't seen this be an issue, particularly with smaller companies. It may become an issue in larger companies on the public side. These larger companies may have been using Deloitte & Touche for other things besides auditing. But to be honest, finding good service companies, whether it's consulting, auditing or banking is not hard to find. It's not a huge issue for companies.

Q: SOX and other new regulations focus on the importance of director independence in corporate governance. Some of these rules are that members of committees need to be independent, that the board must have a majority of independent directors, and the independent directors meet periodically without the inside directors. The rules are fairly extensive. How do you see these rules effecting privately held companies? What effects do these rules have on small companies, public or private? Do you think it will be harder for small or private companies to find truly independent directors that are willing to serve on the board?

A: The only effect on private companies is when they get into the stage where they want to go public. For example, a venture-backed company might start to think about going public. When you have a venture backed company - you have your board made up of about five VCs and one CEO. Obviously, they are all insiders and not anywhere near independent. When the company has to diversify that board because they want to 1) go public, or 2) bring some outside people in to bring in new life and ideas to the company, then there are effects. What does SOX do directly? SOX makes the company reorganize the board completely. The company needs to have the independent guys and the guys with auditing experience on that board. This takes time and also costs money. Companies have to pay for board members' travel and time. They don't work for free. The effect on small companies is that they have to deal with the SOX regulations, and that takes a lot time. A lot of times companies will often use a search firm to help them find these board members, and that is an extra cost as well. At the end of the day, it does help the company to have an independent board, and it is the only way to do it if you want to go public. In my opinion, having an independent board is the least threatening part of SOX. I think this is a good thing. While it requires more work and thought, it is a good thing overall.

Q: Do you think that the independent board aspect of SOX is more attractive to investors?

A: I think the independent board, but particularly the auditing function within the board is more attractive to investors. There is an independent board, but then you have an auditing committee of the board that is also independent. There are outside members of the board, and there is also a subset of the members that are on the auditing committee. The auditing committee deals with the outside auditors.

Hypothetically, there is a board of seven people with five outsiders and two insiders. One of the five outsiders is an Auditing Chair with financial experience, for example, some CFO of a public company for thirty years who is now retired. The Auditing Chair has a subset of three other people on the auditing committee. This committee meets with the auditing firm independently to review the financials. The committee is required to meet independently with the auditing firm to make sure everything is in compliance. Personally, I think all of that is very good. And yes, I think it does give investors another level of comfort.

Q: How practical are SOX and these new regulations? Will the regulations have different impacts depending on the relative size of the company?

A: Let's put it this way, SOX poses a much greater burden on a small business than it does on large business. But everyone is feeling the effect of SOX because it ripples through the organization of every company. Is there a bigger impact on smaller companies? Sure. Small companies have much less cash than large companies. A two million dollar charge to a fifty million dollar company is much more punitive than a five million dollar charge to a twenty billion dollar company. SOX affects all companies, but it affects the small companies much more than the big companies.

However, I think SOX does a lot of good things with regard to transparency. Now there is more transparency with investors, and SOX is making people think very hard about how they run their business and how they report their business. But, to the same degree, there are certain pieces of SOX and certain associated costs that are very punitive for small companies. I think SOX fails to take into consideration the liquidity of the company, financial stability of the company, size of the company and its internal controls, and how many people these companies employ to support these regulations. Therefore, some companies are penalized more than others. Furthermore, SOX penalizes those companies that have been successful for a long time without any reporting issues, those companies that are "squeaky clean."

Q: You talked about the "ripple effects"of SOX and how they go all the way through the company. In your experience, have you noticed a major impact on the "lower-level" employees? Have you noticed companies hiring staffs at all levels to ease the burden?

A: Absolutely. These companies have no choice. It is an added overhead, no question about it - auditing people, internal auditing people, financial managers, and controllers. You're absolutely right. Let's put it this way, we had a meeting with a CFO of a public company and a CEO of a private company. The public company has a small market cap, about eighty to ninety million dollars. The CEO of the private company mentioned the desire to take the company public and the opportunities it entails. The CFO of the public company said to the CEO of the private company, "If it were me, I would never take my company public. There is just no way I would do it. It is not worth the headache, the time, the personal liability, and the costs. If I had that strong of a company and someone interested in buying it, I would sell my company ninety-nine times out of hundred." Now that's just one man's opinion, but I think it represents the general feeling.

Another issue involves the greater likelihood for a failure or a hiccup in a small company due to the disclosure requirements as opposed to a large company. These hiccups for small companies are magnified more so than they are for large companies. If you take a few hundred small public companies that have to report their finances every quarter, and these companies lose a big customer or in general something negative happens to the company, check how many law firms are out there filing shareholder lawsuits. For example, XYZ Company releases that it's projected it would take in twenty million dollars this quarter, but it actually is only receiving twelve million dollars because two of its biggest customers did not purchase as much as the company thought they would, and the company has extra inventory. Immediately, there are five lawsuits from firms claiming, "You misled shareholders, and now we're suing you." It is a big impact when you add SOX on top of that since there is a lot of risk for a CEO. So, if I were a CEO of a private company that could either sell or go public, and I knew there was a high risk in my model, which route do you think I would take if I have a wife and a family to support? It is no longer the situation that a CEO can say, "Ok, I messed up. The company will go away but I've made money." This is just not the case anymore. Now,these CEOs are being held personally liable for their mistakes.

Q: Do you think this might lead to companies underestimating or undervaluing quarterly performance?

A: Of course. Many small companies will not even give guidance anymore. For example, a company that did ten million dollars last quarter may present last quarter's results, and decline to give any projections for the upcoming quarter. As a result, an investor will not want to invest in that company because he or she will have no basis to estimate a company's future performance.

It can certainly hurt liquidly for a smaller company. If a smaller company is afraid or unable to give guidance, then it really constrains them from being a public company. A public company must pay money for SOX compliance and yet, it does not receive a benefit. If the company informs investors about its projected profits, and if these projections are positive, then investors will buy the company's stock. However, if the company cannot release their opinions about future performance, then people will shy away from buying the stock. The company ends up with no liquidity, the stock price decreases, and the value of the company diminishes. In addition, the cost of capital increases because the company has to raise additional funds and it will be much more expensive for the company. On top of these expenses, a company must pay SOX and all other regulatory expenses just to become public. It's not even worth it.

One thing I expected to occur as a result of SOX is an increase in companies going from public to private. We have seen it in some instances, and it is mostly with large private equity funds that are completing large buyouts of companies. But, I would have expected a greater number of smaller public companies to go private. I have seen a few but not many. I think SOX essentially makes people that want to go public think twice. For example, Microsoft bought a company out of registration that had filed to go public, called Sybari Software, Inc. Sybari had filed and issued statements that it was going public, but before it did, Microsoft swooped in and bought the company. It may have not had anything to do with SOX but it might have had some relation. It is possible that the company considered at the end of the day, that the valuation it got from Microsoft made it think twice about wanting to run or be a public company. In general, I think that as we go forward there is a lot more to be seen here, and there could be a lot more take-privates, in my opinion.

Q: Is there anything else you would like to add?

A: We've covered quite a bit. My final comments are that SOX is a tough act on small public companies. It puts a lot of burden on senior management, but it also affects the entire company. Some aspects of SOX need be reevaluated. In general, the intent was good, but in practice it is a big burden. I think the effect is that companies pay greater costs, and this in turn, affects shareholder returns. As a result, there is a lot less interest in companies going public. Certainly, SOX will preclude some companies from wanting to go public, and it precludes small companies from growing, and even stagnates growth in some cases.

[1] See Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (2002).