Shostack + Friends Blog Archive


Sarbox and Venture Capital

The Sarbanes-Oxley act is driving up the costs of being a public company. It is driving up direct costs, in terms of investing in assurance technologies, audit, and new processes to produce (slightly) more reliable accounting. But much more important, it imposes a highly risky personal cost on CEOs and financial officers, who must sign off on their company’s periodic reports to the SEC. If they “should have known” that their statements were inaccurate, they can go to jail. This is new, and much more expansive than the fraud which Enron, Worldcom, Sunbeam and others engaged in. (Such fraud was already criminal.) This new set of risks, being highly personal, is causing companies both to over-invest in “Sarbox” compliance and to go private, that is, to de-list themselves from the public stock markets.

That choice may or may not be rational based on compliance costs. It may not be rational for the company’s shareholders. But it sure is rational for the CEO and CFO, who don’t want to spend time in jail. (This is an example of the principal-agent problem, where you hire someone to do something for you, and their motivations are different from yours. For example, Alice hires Bob to sell her car. Bob sells the car to Charlie. How does Alice know that Bob isn’t buddies with Charlie, and that they aren’t conspiring to rip her off?) This acts as a drag on the company; there are probably companies for whom it’s rational to go private, but there are probably also edge cases where management’s interests are overriding those of the shareholders.

I’d like to look at another class of companies, one near and dear to my heart, which is startups. The most prominent mental model of a startup is two guys who have an idea and start building it in their garage in Silicon Valley. They struggle for years, and finally IPO, making bazillions of dollars. Despite being the most prominent, these are relatively rare. Of funded startups, more go bust than get bought, and more get bought than go public. But venture investors really like the economics of going public: they tend to get a higher return on their investment that way.

Now let’s return to those increasing costs of being a public company. Going public has traditionally cost 7% of a firm’s market capitalization, between the bankers, lawyers, accountants, and everyone else. Google managed to keep that at around 1 or 2%, but they were an exception. I expect this number to increase, as accountants go back in more and more depth to redo the books from day 1. Because these costs increase, along with the cost of staying public, the “bar” which a company needs to reach to go public will move upwards. In particular, a company will need more revenue and more consecutive quarters of predictable, increasing profits before going public is appropriate. (Not that bankers won’t try to take companies out early. After all, there are those fees, and Sarbox doesn’t send bankers to jail for poor underwriting judgment.) All of this means that fewer companies will IPO as an exit strategy. Now, that’s going to make venture investors sad. It changes their model of what sort of investments they need in their portfolio. If they’re clever, it may also change the way they look for returns.

I’m now going to speculate on what might happen. What we’d like is a way that investors, founders, and maybe even employees are compensated for the value they’ve created. (Not the risk they’ve taken.) Given the US tax relief on dividend payments, special one-time dividends may be appropriate. The structure of venture partnerships becomes important here, and I don’t know enough about that to compare one-time dividends to ongoing large payments to certain shareholders, or the interaction of specific bits of law, like the special, poor treatment of dividends paid into Employee Stock Plans. Perhaps stock buy-backs would be useful?
The company may take on substantial debt, with the expectation that future revenues will cover it. This is similar to a leveraged buyout of existing investors. In any event, I’m confident that investors and startups will work out new exit strategies. I’m less confident that they’ll be fair to all parties involved, and as efficient as the ways that have evolved over the past 50 years.

11 comments on "Sarbox and Venture Capital"

  • sama says:

    Consider this: Sarbox does not distinguish between companies of different size, or being public or not. So an entrepreneur who solicits investment in his company based on exaggerations or over-enthusiastic statements about the state of affairs in his company can go to jail too…

  • Hi Adam—
    Sarbox will definitely change how startups get valued when they’re looking to be acquired. If you’re a small startup, and you want to get bought out by a larger company, that larger company is probably public. To decrease the perceived and actual costs of integrating (and therefore increase your deal size), there will be increasing pressures to pre-emptively get compliant before shaking the tin cup. How much pressure will this exert on startups? Hard to tell.

  • Accepting that Sarbanes-Oxley actually improves the effectiveness of internal controls… perhaps the effect is to raise the bar to be a public company. (Isn’t this the intent – that investors will have more faith in the reports of a public company than some other investment opportunity?)
    I will speculate that most small businesses have atrocious security and internal controls (close to parity with home computer systems that almost baseline at ‘normally compromised’). If you are a large public company you are almost forced to do business with other large companies that can afford the controls and security just to reduce the risk that small companies present.
    If you accept this scenario, then small companies usually carry a lot of potential risk. Large companies used to also to varying degrees but now that playing field has been somewhat levelled. And smaller companies will have to invest (increase costs) to do business with large companies or have the large company find an intermediator (or firewall) the risk (at a cost).
    If you accept that Sarbanes is effective…
    Looking forward to reading more of your blog.
    Thanks, you are covering a great gap.

  • DM says:

    Sama, where does SOX apply to non-public companies? Everything I’ve been able to find indicates that it only applies to public companies.
    Andrew, small startups are usually the easiest to integrate. You patch the machines you desperately need. Hand over their financials to your internal team, then swap out all the rest of the equipment for ones you know and trust. This obviously gets harder with the size of the company being acquired but I don’t see it as being a huge barrier.
    Stuart, there is always some risk in dealing with smaller companies but I fail to see what this has to do with SOX. Who I do business with has little to no bearing on my SOX status unless I’m letting them have direct access to my financials or related systems and then the risks are the same as for anyone else.
    In my experience SOX doesn’t directly drive up the costs of anything but the bills to E&Y, PWC and KPMG. Many of the controls that are tested by these groups aren’t even required by SOX. In fact, if you look at the typical IT audit performed by these groups and at their SOX audits a huge percentage of them is exactly the same. The difference is that now when you aren’t compliant _and_ you can’t convince your auditors that you have a remediation plan in place, you are potentially in big trouble.

  • I have noticed for some time now that when a Fortune 500 company gets a RFP from another F500, there are reams of questions about security. I suspect that this is due to the ‘ecosystem’ consideration of whether the two companies are secure enough to do business with one another and expose their electronic systems to each other.
    Small companies usually do not have the staff or resources to provide the assurances that large companies are looking for (without added expense).
    This in effect raises the bar (cost) to enter into a relationship with a large company giving a decided advantage to larger companies. Large companies may be able to produce goods and services with less cost due to economies of scale, but there are these other costs (SOX) which reduce those savings and also are a barrier to entry for smaller companies.
    If SOX is effective – then it becomes a standard that helps companies measure one another as to governance. It also levels the playing field for publicly traded companies. As a large company you may take into consideration why some potential partner had to run away from SOX. (Sort of like saying some company ran away from the US to some island because they didn’t like the taxes – if we can afford to pay the taxes, why can’t you?) Before SOX you had to rely on those reams of questions and any other measurements you could obtain to assess the internal security controls of a company and whether they had adequate security in place.

  • Adam says:

    Thanks for the comments!
    Stuart, could you expand on how SOX helps companies measure each other’s governance? Isn’t SOX a pass/fail that allows you to aim security at a lowest common denominator that will pass the auditors?

    The auditors’ statements are a little more verbose than that. You get a disclosure of deficiencies and within those deficiencies you get levels of non-compliance such as a ‘material deficiency’. Most F500 companies that have reported reveal some deficiencies – so long as they aren’t material it isn’t severe, plus you have another year to clean those up and then another…
    You are right about it being a coarse filter (and certainly there are ways to cheat the system) but it offers the potential to separate those companies that are competent from those that aren’t or to my point those who are in the club and those who aren’t. Purely hypothetical – if I am Cisco and am looking to have a telco integrate into my system to provide me with a variety of services including phone, network, provisioning, billing, etc… I will prefer the telcos that pass muster with SOX – that is worth real money (just as there is real cost involved).

  • Catallarchy says:

    Carnival of the Capitalists

    Welcome to this week’s Carnival of the Capitalists hosted by Catallarchy. It’s always a pleasure to participate in the best “carnival” in the blogosphere, and the entries have only gotten better this second time around. We have 40 outstanding ent…

  • Keith says:

    No person who is right of mind would sign the financial statement assurances required of CEOs and CFOs by SOX. The “should have known” standard means the officers are relying on good luck and the hope that some crook down in the depths of a subsidiary isn’t smart enough to get around the internal controls or that someone isn’t out to scuttle them. The five year statute of limitations and the fact that D&O insurance is of the “claims made” policy type leaves the individual officer exposed beyond any reasonable level. Mommas, don’t let your children grow up to be CPAs, let them be lawyers and engineers and such.

  • My kids' Dad says:

    InfoSecurity Magazine Feb 05

    Review of Information Security Magazine February 2005 issue – Anish Bhimani, MSSP, Frank Abagnale, spyware, hacker sentences

    Some useful information about the content of Sarbanes reports can be found here:
    Two PDFs available online about the reports are described:
    Internal Control Over Financial Reporting: An Investor Resource
    Designed as a broad overview of Section 404 of the Act, this brochure explains the background and rationale for the new reports, provides a brief description of what the new reports will include, and explains the meaning of control deficiencies, management’s report and the independent auditor’s opinion.
    Perspectives on Internal Control Reporting: A Resource for Market Participants
    More detailed and in depth, this publication, in question and answer format, is designed for investors and other market intermediaries including brokers, analysts and rating agencies interested in additional information on specific topics related to internal control reporting, material weaknesses, and the potential marketplace implications of the new reporting.

Comments are closed.