The Sarbanes-Oxley Act
In response to numerous corporate failures arising from corporate mismanagement and fraud, Congress passed the Sarbanes-Oxley Act of 2002. Generally recognized as one of the most significant market reforms since the passage of the securities legislation of the 1930s, the act is intended to help protect investors and restore investor confidence by improving the accuracy, reliability, and transparency of corporate financial reporting and disclosures, and reinforce the importance of corporate ethical standards.
Public and investor confidence in the fairness of financial reporting and corporate ethics is critical to the effective functioning of our capital markets. The act’s requirements apply to all public companies regardless of size and the public accounting firms that audit them.
The act established the Public Company Accounting Oversight Board (PCAOB) as a private-sector non-profit organization to oversee the audits of public companies that are subject to securities laws.
PCAOB, which is subject to oversight by the Securities and Exchange Commission (SEC), is responsible for establishing related auditing, quality control, ethics, and auditor independence standards.
The act also addresses auditor independence and the relationship between auditors and the public companies they audit.
The act requires public companies to assess the effectiveness of their internal control over financial reporting and for their external auditors to report on management’s assessment and the effectiveness of internal controls.
The act also contains provisions intended to make chief executive officers (CEO) and chief financial officers (CFO) more accountable, improve the oversight role of boards of directors and audit committees, and provide whistleblower protection.
Finally, the act expanded the SEC’s oversight powers and mandated new and expanded criminal penalties for securities fraud and other corporate violations.
While regulators, public companies, auditors, and investors generally agree that the Sarbanes-Oxley Act has had a positive impact on investor protection, available data indicate that smaller public companies face disproportionately higher costs (as a percentage of revenues) in complying with the act, consistent with the findings of the Small Business Administration on the impact of regulations generally on small businesses.
While smaller companies historically have paid disproportionately higher audit fees than larger companies as a percent of revenues, the percentage difference between median audit fees paid by smaller versus larger public companies grew in 2004, particularly for companies that implemented the act’s internal control provisions (section 404).
Smaller public companies also cited other costs of compliance with section 404 and other provisions of the act, such as the use of resources for compliance rather than for other business activities.
Moreover, the characteristics of smaller companies, including resource and expertise limitations and lack of familiarity with formal internal control frameworks, contributed to the difficulties and costs they experienced in implementing the act’s requirements.
This situation was also impacted by the fact that many companies documented their internal control for the first time and needed to make significant improvements to their internal control as part of their first year of implementing section 404, despite the fact that most have been required by law since 1977 to have implemented a system of internal accounting controls.
Smaller public companies and accounting firms noted that the complexity of the internal control framework and the scope and complexity of the audit standard and related guidance for auditors on section 404 issued during rather than prior to the initial year of implementation contributed to the costs and challenges experienced in the first year of implementation.
It is generally expected that compliance costs for section 404 will decrease in subsequent years, given the first-year investment in documenting internal controls.
The act, along with other market forces, appeared to have been a factor in the increase in public companies deregistering with SEC (going private)—from 143 in 2001 to 245 in 2004.
However, these companies were small by any measure (market capitalization, revenue, or assets) and represented 2 percent of public companies in 2004.
Based on our survey responses and discussions with smaller public companies that implemented section 404, it appears that the act has not adversely affected the ability of those smaller public companies to raise capital.
However, it is too soon to assess fully the impact of the act on access to capital, particularly because of the large number of smaller public companies—the more than 5,900 small public companies considered by SEC to be non-accelerated filers—that have been given an extension by SEC to implement section 404.
In response to concerns that smaller public companies raised about Sarbanes-Oxley Act requirements as implemented, particularly section 404, SEC and PCAOB have undertaken efforts to help the companies meet the requirements of the act.
SEC initially provided those smaller public companies that are non-accelerated filers with additional time to comply with section 404 and subsequently extended the deadline several times, with the latest extension to July 15, 2007.
SEC also formed an Advisory Committee on Smaller Public Companies to examine the impact of the act on smaller public companies.
On March 3, 2006, the committee issued an exposure draft of its final report for public comment that contained recommendations that, if adopted by SEC, would exempt up to 70 percent of all public companies and 6 percent of U.S. equity market capitalization from all or some of the provisions of section 404, “unless and until” a framework for assessing internal control over financial reporting is developed that recognizes the characteristics and needs for smaller public companies.
Specifically, the committee proposed that “microcap” companies (companies with market capitalization below $128 million) with revenues below $125 million and “smallcap” companies (companies with market capitalization between $128 million and $787 million) with revenues below $10 million would not have to comply with section 404(a) and section 404(b), management’s and the external auditor’s assessment and reporting on internal control over financial reporting, respectively.
“Smallcap” companies with revenues between $10 million and $250 million would not have to comply with section 404(b), the external auditor’s attestation on management’s internal control assessment and the effectiveness of internal control over financial reporting.
Following a public comment period, the committee is scheduled to issue its final recommendations in April 2006, at which time the recommendations would be considered by SEC.
Additionally, SEC asked COSO to develop guidance designed to assist smaller public companies in using COSO’s internal control framework in a small business environment.
COSO issued a draft for public comment in October 2005, and plans to finalize the guidance in early 2006.
While not specifically focused on small business issues, SEC held a public “roundtable” in April 2005, in which GAO participated, that gave public companies and accounting firms an opportunity to provide feedback to SEC and PCAOB on what went well and what did not during the first year of section 404 implementation.
In response, SEC and PCAOB issued additional section 404 guidance in May 2005.
PCAOB also issued a report on November 30, 2005, that detailed inefficiencies companies experienced in the implementation of its auditing standard on internal control. SEC and PCAOB plan to hold another roundtable on the second year of section 404 implementation in May 2006. However, because many efforts—particularly SEC’s response to the exemption recommendations and COSO’s efforts to provide guidance on using its internal control framework in a small business environment—are ongoing, smaller public companies may be deferring efforts to implement section 404 until such issues are resolved.
While the act does not impose new requirements on privately held companies, companies choosing to go public must realistically spend time and funds in order to demonstrate their ability to comply with the act, section 404 in particular, to attract investors who will seek the assurances and protections that compliance with section 404 provides.
Such requirements, along with other factors, may have been a contributing factor in the reduced number of initial public offerings (IPO) issued by small companies.
However, the overall performance of the stock market and changes in listing standards also likely affected the number of IPOs.
From 1999 through 2004, IPOs by companies with revenues of $25 million or less decreased substantially from 70 percent of all IPOs in 1999 to about 46 percent in 2004.
For those privately held companies not intending to go public, our research and discussions with representatives of financial institutions suggested that financing sources were generally not imposing requirements on private companies similar to those contained in the Sarbanes-Oxley Act as a condition for obtaining access to capital or other financial services.
While a number of states proposed legislation with provisions similar to the Sarbanes-Oxley Act following its passage, three states passed legislation calling for private companies or nonprofit organizations to adopt requirements similar to some of the act’s corporate governance provisions.
In addition, our interviews and review of available research indicate that some privately held companies have voluntarily adopted some of the act’s enhanced governance practices because they believe these practices make pragmatic business sense.
Specifically, they have adopted practices such as CEO/CFO financial statement certification, appointment of independent directors, corporate codes of ethics, whistleblower procedures, and approval of nonaudit services by the board.
Smaller public companies have been able to obtain access to needed audit services since the passage of the act; however, data show that a substantial number of smaller public companies have moved from the large accounting firms to mid-sized and small firms.
Many of these moves resulted from the resignation of a large accounting firm.
The reasons for these changes range from audit cost and service concerns cited by companies to client profitability and risk concerns cited by accounting firms, including capacity constraints and assessments of client risk.
As a result, mid-sized and small accounting firms increased their share of smaller public company audits during 2002–2004.
Our analysis of the risk characteristics of the companies leaving the large accounting firms shows that mid-sized and small accounting firms appear to be taking on a higher percentage of public companies with accounting issues such as going concern qualifications and other “risk” issues.
Overall, mid-sized and small accounting firms conducted 30 percent of the total number of public company audits in 2004—up from 22 percent in 2002.
However, the overall market for audit services remains highly concentrated, with companies audited by large firms representing 98 percent of total U.S. publicly traded company sales (revenues).
In the long run, the act may reduce some of the competitive challenges faced by mid-sized and small accounting firms.
For example, mid-sized and small accounting firms could increase opportunities to enhance their recognition and acceptance among capital market participants as a result of operating under PCAOB’s registration and inspection process.
We have two concerns with certain draft recommendations from the Advisory Committee on Smaller Public Companies related to internal control.
Our first concern relates to lack of specificity in the recommendations.
While calling for an internal control framework that recognizes the needs of smaller public companies, the recommendations do not address what needs to be done to establish such a framework or what such a framework might include.
In reviewing the implementation of section 404 for larger public companies, we noted that many, if not most, of the significant problems and challenges related to implementation issues rather than the internal control framework itself.
We think it is essential that public companies, both large and small, have appropriate guidance on how to effectively implement the internal control framework and assess and report on the operating effectiveness of their internal control over financial reporting.
Our second concern relates to the ambiguity surrounding the conditional nature of the “unless and until” provisions of the recommendations and the potential impact that may result for a large number of public companies that would qualify for either full or partial exemption from the requirements of section 404.
Our concerns also include the additional time that may be needed to resolve the concerns of smaller public companies and the impact any further regulatory relief may have in delaying important investor protections associated with section 404.
When SEC begins its assessment of the final recommendations of its small business advisory committee, it is essential that SEC balance the key principle behind the Sarbanes-Oxley Act—investor protection—against the goal of reducing unnecessary regulatory burden on smaller public companies.
In considering the concerns of the Advisory Committee on Smaller Public Companies regarding the ability of smaller public companies to effectively implement section 404, SEC should
(1) assess whether the current guidance, particularly guidance on management’s assessment of internal control over financial reporting, is sufficient or whether additional action is needed to help smaller public companies meet the requirements of section 404;
(2) coordinate with PCAOB to help ensure that section 404-related audit standards and guidance are consistent with any additional guidance applicable to management’s assessment of internal control and identify additional ways in which auditors of public companies can achieve more economical, effective, and efficient implementation of the standards and guidance related to internal control over financial reporting; and
(3) if further relief is deemed appropriate, analyze and consider the unique characteristics of smaller public companies and their investors in determining categories of companies for which additional relief may be appropriate so that the objectives of investor protection are adequately met and any relief is targeted and limited.
Study of the Sarbanes-Oxley Act of 2002 Section 404, Internal Control over Financial Reporting Requirements
This is a report by members of the Office of Economic Analysis, U.S. Securities and Exchange Commission. The Commission has expressed no view regarding the analysis, findings, or conclusions contained herein.
The Public Company Accounting Reform and Investor Protection Act, otherwise known as the Sarbanes-Oxley Act (the “Act”), was enacted in July 2002 after a series of high-profile corporate scandals involving companies such as Enron and WorldCom.
Section 404(a) of the Act requires management to assess and report on the effectiveness of internal control over financial reporting (“ICFR”). Section 404(b) requires that an independent auditor attest to management’s assessment of the effectiveness of those internal controls.
Because the cost of complying with the requirements of Section 404 of the Act (“Section 404”) has been generally viewed as being unexpectedly high, efforts to reduce the costs while retaining the effectiveness of compliance resulted in a series of reforms in 2007.
The analysis of the survey data is designed to inform the Commission and other interested parties as to whether changes occurring since 2007 are having the intended effect of facilitating more cost-effective internal controls evaluations and audits, especially as they may apply to smaller reporting companies.
The findings of the analysis relating to efficiency include evidence on the total and component compliance costs, the changes in costs over time, and the factors that help to explain why costs are lower or higher for some companies than for others.
These findings include evidence of direct and indirect effects that management ascribes to Section 404 compliance, including evidence on intended benefits.
The 2007 reforms that are the focus of this inquiry include the SEC’s June 2007 Management Guidance and its order approving the Public Company Accounting Oversight Board’s (PCAOB) Auditing Standard No. 5 (AS5) (collectively referred to as the “2007 reforms”).
We are primarily interested in whether and how companies’ experience with Section 404(b) compliance changed following the reforms, yet this report also presents evidence on the implementation of both Section 404(a) and Section 404(b).
This reflects the interrelationship between the two requirements.
The survey was open to all reporting companies with relevant experience in complying with Section 404, recognizing that only large accelerated filers and accelerated filers are currently required to comply with both Section 404(a) and Section 404(b) and, thus, have information on the overall cost of compliance with these sections.
These experienced filers that responded to the survey tend to have public float in excess of $75 million, which is large compared to that of non-accelerated filers that are not yet required to comply with Section 404(b).
The evidence on the experiences of larger companies may be useful in evaluating the extent to which additional improvements to the implementation of Section 404(b) should be undertaken before it becomes applicable to non-accelerated filers.
Notwithstanding, it is important to highlight that the analysis in this report is not designed to provide compliance cost estimates for companies that have yet to comply with the relevant requirements of Section 404.
The general conclusion from the analysis of survey data is that compliance costs vary with company size (increasing with size), compliance history (decreasing with increased compliance experience), and compliance regime (lower after the 2007 reforms).
Larger companies tend to incur higher compliance costs in dollar terms (“absolute cost”), while smaller companies report higher costs as a fraction of asset value (“scaled cost”).
The evidence suggests that companies bear some fixed start-up costs of compliance that are not scalable.
Some of these costs are recurring fixed costs, while others are one-time start-up costs borne in the first years of compliance that tend to dissipate over time. For companies complying with both parts of Section 404, the cost of complying with Section 404(b) is reportedly similar to the incremental cost of complying with Section 404(a) alone.
The resource requirements of Section 404(a) and Section 404(b) compliance are quite different, however.
The Section 404(a) cost is borne through increased internal labor and outside vendor expenses, while the Section 404(b) cost is experienced primarily through increased independent-auditor fees, according to the survey evidence.
The evidence also indicates that there is an economically and statistically significant reduction in Section 404 compliance costs following the 2007 reforms.
This reduction is most pronounced among larger companies.
More than half of survey participants (henceforth also referred to as “respondents”) who answered explicit questions about the effects of the 2007 reforms report that the reforms led to a decrease in compliance costs, consistent with the objectives of the reform and the reported cost reductions.
Nearly all respondents indicated that they relied on the Management Guidance and, of those, a majority found it to be useful.
As a result of the Management Guidance, there has been a shift of effort among smaller companies toward evaluating the effectiveness of ICFR and away from the tasks of identifying risks to the company’s financial reporting and identifying controls that address identified risks.
These respondents, however, had a less favorable response to a question about the SEC’s responsiveness to concerns about compliance costs.
The Web survey also included questions about respondents’ perceptions of other potential effects of Section 404 compliance, including potential beneficial effects.
Respondents ascribe some beneficial effects to Section 404 compliance.
In particular, respondents were more likely to report direct benefits of compliance with Section 404 rules (i.e., improvements directly related to a company’s financial reporting process, such as the quality of the company’s ICFR), rather than indirect benefits of compliance (i.e., improvements indirectly related to a company’s financial reporting process, such as the company’s ability to raise capital).
Respondents from larger companies and Section 404(b) companies tend to regard Section 404 compliance more favorably than those from their counterparts in almost every respect.
Before turning to a more detailed outline of findings, it will be useful to provide some background on the size and compliance categories of the companies that are the subject of the study.
Throughout the analysis, respondents are partitioned based on the size of their company using the size thresholds that parallel the SEC’s reporting thresholds.
Under SEC regulations, typically, non-accelerated filers have public float of less than $75 million; accelerated filers have public float between $75 million and $700 million; and large accelerated filers have public float of $700 million or more.
The evidence on the costs and benefits of Section 404(b) compliance is almost entirely from the last two groups, which are termed “large” and “medium/mid-sized” companies in this report, because “small” companies (with public float less than $75 million) were typically not yet required to comply with Section 404(b) at the time of the survey.
Following previous research, in some instances, the analysis of smaller companies focuses on those having a public float falling within a band above and below the $75 million threshold that distinguishes non-accelerated from accelerated filers.
In addition, to separate the effects of Section 404(a) compliance from those of Section 404(b), when appropriate the analysis partitions companies that were compliant with both Sections 404(a) and 404(b) in the relevant fiscal year (henceforth “Section 404(b) companies”) from those that are compliant with Section 404(a) only (henceforth “Section 404(a)-only companies”).
Q1. How does the cost of complying with Section 404 vary across companies, and what factors influence a company’s compliance cost?
The total cost of complying with Section 404 varies across companies depending on (1) the company’s size, (2) whether the company is complying with Section 404(a) only or also with Section 404(b), (3) the company’s experience in complying with Section 404(b), and (4) whether compliance occurred before or after the 2007 reforms.
Specifically, the absolute compliance cost in dollar terms tends to increase with company size (measured by public float), but the cost scaled by asset value tends to decline as company size increases. As one would expect, total compliance costs are typically larger for companies complying with Section 404(b) in addition to Section 404(a).
Longer experience with Section 404(b) compliance, however, is associated with a decrease in the typical reported costs (scaled by company assets).
The cost of compliance tends to be lower after the 2007 reforms than before and this decrease is most pronounced among larger companies.
Q2. What is the observed trend in Section 404 compliance cost before and after the 2007 reforms?
The Web survey collected response data on audit fees, outside vendor fees, non-labor costs, and internal labor hours.
These cost components were aggregated using conservative assumptions in order to obtain a dollar estimate of the total cost of compliance (see Section IV.a).
The evidence generally indicates that typical total compliance costs decreased from the year before the 2007 reforms to the year after, and are expected to decrease further in the fiscal year in progress at the time of the survey.
Among Section 404(b) companies, the mean total Section 404 compliance cost drops significantly from $2.87 million pre-reform to $2.33 million post-reform, representing a 19 percent decline in the total compliance cost.
The compliance cost is expected to be lower still, with a mean cost of $2.03 million, representing a combined decline of 29 percent.
When reporting compliance costs by size category, the mean total compliance cost decreases from $769,000 to $690,000 among filers with public float lower than $75 million, but this difference is not statistically significant.
The reduction in compliance costs is more pronounced among the medium and large companies that are already required to comply with Section 404(b).
The medians reveal similar patterns for the typical company in our sample. The median total Section 404 compliance cost declines significantly from $1.19 million pre-reform to $1.04 million post-reform, a 13 percent decline.
The median expected cost for the fiscal year in progress is lower still, at $905,000, a combined decline of 24 percent relative to the pre-reform median cost.
For non-accelerated filers, the median total compliance cost decreased from $579,000 to $439,000, but, as with the means, the difference for these companies is not statistically significant.
When analyzing first-time compliance costs before and after the 2007 reforms, the results are mixed and the mean decrease in total costs is not statistically significant. In contrast, for companies in their second year of compliance with Section 404(b), both the mean and median compliance costs are significantly lower after the 2007 reforms than before.
Meanwhile, among Section 404(a)-only companies, the mean total cost also decreased from $425,000 pre-reform to $336,000 post-reform, but the difference is not statistically significant, and the median cost actually increased from $111,000 to $162,000.
Both the mean and the median, however, are expected to decrease for the fiscal year in progress at the time of the survey.
Q3. How do the component costs of complying with Section 404 compare, and how have they changed since the 2007 reforms?
For Section 404(b) compliant companies, the largest cost component is internal labor costs, which can comprise more than 50 percent of the total compliance cost, followed by the estimated portion of total audit fees attributed to ICFR (404(b) audit fees), outside vendor fees, and non-labor cost.
In general, every component cost declines after the reforms compared to the year before, and is projected to decline further in the fiscal year in progress. The most notable changes in the cost components between pre-reform and post-reform are observed in the outside vendor fees and the percent of the total audit fees attributable to ICFR.
The mean outside vendor fee decreases by 29 percent from $438,000 pre-reform to $311,000.
The median outside vendor fee decreases by 10 percent from $100,000 to $90,000. Both differences are statistically significant, and the outside vendor fees are expected to decrease significantly to a mean cost of $222,000 and median cost of $55,000 in the fiscal year in progress at the time of the survey.
The mean portion of the audit fee that respondents attributed to the ICFR audit also decreases significantly by 21 percent from $821,000 to $652,000. This decline is expected to continue. Similarly, the median audit fee decreases by 13 percent from $358,000 to $311,000 and is expected to decrease to $275,000.
Q4. What are the benefits of complying with Section 404, as reported by company executives, and how do they compare against the costs of compliance?
The survey asked the respondents to comment on the impact of Section 404 compliance on twelve characteristics relating to internal governance and investor confidence, of which six were considered direct effects of compliance and the remaining six indirect effects of compliance.
The respondents recognized Section 404 compliance as having a positive impact on various dimensions of the financial reporting process, but were less inclined to recognize these improvements as affecting the companies’ dealings with other capital market participants.
Furthermore, in an optional section of the survey, respondents provided their assessment of the cost-benefit trade-off of Section 404 compliance.
The majority of respondents to this section perceive the trade-off to be negative to varying degrees. This perceived trade-off is more favorable among larger companies and, independently of size, improved following the 2007 reforms.
The characteristics most widely reported as benefiting from Section 404 compliance are: the quality of the respondent company’s internal control structure (73 percent), the audit committee’s confidence in the company’s ICFR (71 percent), the quality of the company’s financial reporting (49 percent), the company’s ability to prevent and detect fraud (48 percent), and the respondent’s confidence in the financial reports of other companies complying with Section 404 (40 percent).
The majority of respondents recognize no effect of Section 404 compliance on: the company’s ability to raise capital, investor confidence in the company’s financial reports, the company’s overall firm value, and the liquidity of the company’s common stock.
Finally, the perceived effect of Section 404 compliance on the efficiency of the operating and financial reporting processes and the timeliness of the company’s financial statement audit varies widely: while a majority of respondents perceive no effect on these dimensions, non-trivial portions of respondents recognize a negative effect—that is, a reduction in the efficiency of the operating and financial reporting processes and/or the timeliness of financial statement audit (see Table 14).
In the cross-section, larger companies were more likely to ascribe positive direct and indirect effects to Section 404 compliance than were smaller companies.
Q5. What are the reported benefits of Section 404 compliance from the perspective of financial statement users?
In order to obtain a more complete picture of the effects of Section 404 implementation, staff members from the SEC’s Office of the Chief Accountant conducted separate in-depth phone interviews of a sample of 30 users of financial statements—including lenders, securities analysts, credit rating agencies, and other investors.
Although the sample is admittedly smaller than that of issuers participating in the survey, the evidence gathered is useful because it provides the perspective of financial statement users on the effects of Section 404 compliance.
In general, financial statement users regard ICFR disclosures to be beneficial and indicated that Section 404(a) and Section 404(b) compliance has had a positive impact on their confidence in the companies’ financial reports.
The users generally indicate that Section 404 compliance leads management to better understand financial reporting risks, put in place appropriate controls to address financial reporting risks, and address internal control deficiencies in a more timely fashion than in the absence of the disclosure requirement.
Although users offer divergent opinions regarding the extent to which disclosures of material weakness affect their decision-making process, most agree that severe weaknesses that could take years to remediate are likely to negatively affect their decision-making.
Users tend not to perceive the benefits of Section 404 compliance to vary with the size of the reporting company. Instead, many indicate that these benefits depend on a company’s complexity and industry affiliation.
At the same time, the users agree that variations in compliance requirements based on complexity and/or industry would likely be impractical.
Finally, most users indicate that the benefits they perceive from Section 404 compliance have not changed substantially over time. This is an important finding since it indicates that the 2007 reforms, while intended to reduce certain duplicative efforts in conducting the evaluation of ICFR, did not at the same time change financial statement users’ perception of the effectiveness of Section 404.
Regarding the Section 404(b) requirement, the general consensus is that the auditor’s report on ICFR required under Section 404(b) provides an incremental benefit beyond the management’s report because many respondents perceive the audit requirement to provide necessary discipline to the reporting process.
Although some users express the concern that ICFR evaluation may divert management’s attention from other important areas of their businesses, these respondents continued to believe that strong ICFR is necessary and that financial statements need to be of high quality and reliable.
Most users interviewed indicate that the process of compliance with Section 404 has become more efficient since the initial implementation in 2004 due to:
(i) reduction in the level of documentation,
(ii) improved communications between auditors and management,
(iii) increased use of professional judgment in scoping and testing,
(iv) more focus on higher risk areas, and
(v) streamlining of audits subsequent to the first-time effort required by Section 404 compliance.
Q6. In what ways have the Commission’s 2007 reforms affected the companies’ procedures of complying with Section 404?
Nearly all respondents who completed an optional section of the survey requesting feedback on management’s Section 404(a) experience responded that they used Management Guidance and found it to be useful (see Table 16).
Those who responded indicate that both Management Guidance and Auditing Standard No. 5 have helped reduce the total cost of compliance, for companies in every size category.
The respondents also indicate on average that Auditing Standard No. 5 resulted in a small decrease in the time it takes to complete the independent audit of ICFR.
The perceived impact of AS5, however, varies with the size of the company and its experience with Section 404(b) compliance. Specifically, the perceived impact of AS5 on the time it takes to complete the independent audit of ICFR is significantly smaller among small filers and among companies with no previous experience with Section 404(b) compliance.
When asked to compare the changes in activities associated with management’s evaluation of ICFR, the respondents indicate a slight decrease on average from pre-reform to post-reform in the number of risks subject to testing and the number of controls tested, but a slight increase in the level of documentation, the use of management’s interaction with controls as evidence, reliance on evidence gained from self-assessment, and reliance on evidence from direct testing.
As with many of the previous results, the responses varied significantly depending on the respondents’ size. While smaller companies typically report an increase in every component, the changes reported by medium and large filers are not homogenous.
Interestingly, however, the evidence suggests that the compliance process across companies of different size has become more homogenous following the 2007 reforms.
Finally, the survey evidence indicates that companies are increasingly structuring their evaluations of ICFR with the intent of allowing the independent auditor to rely on their internal work (see Table 22), which is consistent with one of the goals of the 2007 reforms through Auditing Standard No. 5.
Some caveats about the analysis of Web survey data on Section 404 implementation
There are a number of caveats to consider when interpreting the evidence presented in this study, some of which are due to the inherent nature of survey data, while others are the result of the particular context in which the Section 404 survey takes place.
First, most, if not all, analyses of survey data are affected to various degrees by the following potential difficulties:
» Self-Selection Bias (i.e., Non-response Bias):
Participation in survey research is generally voluntary. The process by which survey participants “select” to participate in a survey can bias the inference based on survey data, if the participants’ (self-) selection process is such that particular segments of the population are systematically over- or under-represented.
We conduct extensive analyses to test for the presence and the potential severity of the problem, particularly by investigating the extent to which key characteristics of the sample of respondents to the survey coincide or diverge from those of the list of companies identified as the target population (see Part III).
We find that respondent companies are representative of the initial list of public companies identified for this study, particularly among Section 404(b) companies or within company size groups.
We also find that the typical responses of voluntary participants in the survey are not significantly different from those of a randomly selected, stratified sample of companies that were the target of follow-up efforts to induce their participation.
Overall, the evidence is consistent with the notion that the voluntary nature of the participation introduces no bias in the responses, at least relative to the separate treatment group where part of the decision to participate is a result of the follow-up effort.
» Response Bias: If there are no penalties for misrepresentation and survey participants have systematic incentives to be less than fully truthful, inference based on survey data (or any other self-reported information that meets those criteria) may not be accurate.
A similar problem arises when survey questions are designed to elicit the participant’s subjective perceptions on a particular subject and the participants’ views are systematically biased. The portion of survey data that we could independently verify (i.e., audit fees) indicates that the participants’ representations do not deviate substantially from what is reported in official SEC filings.
Aside from this exercise, it is virtually impossible to assess the extent to which the remaining survey data may not be accurate.
The nature of the survey questions varies, with some questions focusing on quantifiable items (e.g., internal labor hours) and others on directional perceptions (e.g., assessment of the effect of Section 404 on the quality of ICFR) and others still on directional/ordinal perceptions (e.g., assessment of the effect of AS5 on the amount of time it takes to complete the independent audit under Section 404(b)).
The common element, however, is that these data cannot be independently verified, either because companies do not keep a separate record of the figures provided (e.g., costs) or because the information provided is based on the respondents’ perceptions, which by their very nature are not verifiable.
The analysis in this report provides a characterization of companies’ experiences with Section 404 compliance that is based on survey participants’ representations of their experiences.
Other caveats are specific to the analysis presented in this report, as they depend on the nature and timing of the survey. In particular:
1. The number of respondents from Section 404(b) companies that are non-accelerated filers and have usable data is relatively small—approximately 100 companies versus over 1,600 accelerated filers in the most recently completed fiscal year (see Table 9)—and there are reasons to believe the experience of these companies may not extend to other non-accelerated filers that are yet to comply with Section 404(b).
Specifically, non-accelerated Section 404(b) companies that participated in the survey are either voluntary compliers or have been required to comply in the past as accelerated filers and must continue to do so because their float has not dropped below $50 million since.
To the extent that these factors affect companies’ experience with Section 404(b) compliance, one should be careful when extrapolating the results to non-accelerated filers that are yet to comply.
2. Non-accelerated filers were required to start complying with Section 404(a) at the end of 2007—after the reforms.
Yet, a number of non-accelerated filers responding to the survey reported bearing Section 404 compliance costs prior to the reform. These respondents were contacted after the survey was closed to inquire about the nature of the information provided.
These respondents indicated that their company began complying with Section 404 requirements prior to the Commission’s public announcement that the compliance deadline had been extended and, thus, they viewed the resulting pre-reform costs reported in the survey as appropriately ascribed to Section 404(a) compliance.
The analysis of non-accelerated filers’ experience prior to the reforms should be interpreted with the caveat in mind that it may not be representative of what the typical non-accelerated filer would have experienced.
3. The characteristics of the internal governance structure and financial reporting process are likely to be important determinants of the companies’ compliance experiences, including costs and benefits and the nature of the audit services they obtain under Section 404(b).
To the extent that accelerated and non-accelerated filers display significant differences in these dimensions, it may not be appropriate to extrapolate the analysis of accelerated filers to non-accelerated filers.
4. All the cost figures presented in this analysis are based on survey respondents’ characterization of the resources devoted to Section 404 compliance. As such, the general caveats above apply. Moreover, there are some aspects specific to our analysis:
a. All estimates presented in this report are based on non-audited numbers that reflect the respondents’ perceptions as provided in the survey. Moreover, the nature of the estimates is limited by the scope of the survey.
b. There are reasons to question the ability of respondents to provide an accurate breakdown of audit fees into Section 404(b) fees versus financial statement audit fees.
Auditors interviewed by the SEC’s OCA staff highlight this difficulty on the basis that, for Section 404(b) companies, the two audits are integrated and audit firms do not typically provide a breakdown of the fees.
Based on conversations with issuers, however, it seems routine for them to request and obtain audit fee quotes that account for the incremental auditor’s work under Section 404(b) requirements before the company begins complying with this section of the Act.
Thus, it is possible that respondents’ attribution of audit fees to Section 404(b) may be inaccurate, to the extent that they are based on quotes provided by auditors upon first-time compliance with this section and that such a breakdown does not apply in subsequent years of compliance.
c. It is important to note that the estimates of internal labor costs presented in this report are based on an assumption about a reasonable hourly rate.
The rate adopted for internal labor is $121 per hour, consistent with the rate quoted as of September, 2008 for a junior accountant cited in a report on salaries prepared by the Securities Industry and Financial Markets Association (SIFMA), to which the Commission frequently refers in its rulemakings.
This is at the low end of cost estimates that are provided in the SIFMA report for accounting and related services, and above the rate of $50/hour (or $100,000 for 2000 hours) that is assumed in a series of Financial Executives International (“FEI”) reports of survey findings relating to the costs of compliance with Section 404 that date back to 2005.
Although our assumed rate is within the range of reasonable estimates for evaluating the overall costs of compliance, it is not intended for use in estimating the cost to an individual company.
We have provided information sufficient for determining how the internal labor costs are affected by changes in the hourly rate—e.g., doubling (halving) the rate to $242 ($60.5) per hour doubles (halves) the associated labor costs—and by changes in internal labor hours, each of which may vary across companies.
d. Coates (2007), among others, highlights that implementation of the Sarbanes-Oxley Act “created new incentives for firms to spend money on internal controls” even where companies were required to invest such resources under the previous regulatory regime.
This observation is particularly relevant in the context of Section 404 implementation. In particular, Section 13(b)(2) of the Exchange Act requires companies to maintain effective ICFR, while Section 404 requires management to report on the effectiveness of ICFR.
By this reasoning, it is conceivable that Section 404 may have given issuers incentives to spend more resources to meet the requirements of the Exchange Act, causing companies to bear “deferred maintenance” expenses to bring ICFR into compliance with those requirements.
It is possible that survey participants include these costs in their assessment of the incremental costs due to Section 404 compliance.
Whether this is the correct measure of the incremental costs of Section 404 compliance depends on the objective of the analysis. For example, issuers were required to be in compliance with Section 13(b)(2) of the Exchange Act prior to SOX, so the ICFR maintenance costs might not seem pertinent.
From this perspective, Section 404 cost estimates that include the ICFR maintenance expenses overestimate the cost of compliance with Section 404—by including more than just the cost of reviewing ICFR and preparing the mandated disclosures.
Alternatively, if the argument above is correct, in the sense that companies systematically shirk in complying with the Exchange Act requirements absent SOX, then the incremental economic cost of Section 404 compliance should include the aforementioned maintenance expenses that would not be borne absent Section 404.
Similarly, it is worth noting that a parallel logic applies to the benefits of Section 404 compliance.
That is, from an economic perspective, the incremental benefits of Section 404 include the improvements in ICFR resulting from the deferred maintenance that would not have occurred absent the new disclosure requirements of Section 404.
5. Participants in the survey provided their perceptions of the effects of Section 404 compliance, both on the financial reporting process and their company’s interaction with capital market participants. The following caveats should be kept in mind for this part of the analysis:
a. The assessment of the benefits is qualitative in nature, given the intrinsic difficulty of quantifying the benefits of Section 404 compliance in monetary terms, and not directly comparable to the cost estimates provided by the same respondents.
b. In addition to lack of comparability with cost estimates, the analysis of the survey responses about the benefits of compliance may be subject to response bias.
In particular, the response bias would seem to be especially relevant when participants provide their assessment of how Section 404 compliance affects subjects outside the corporation (e.g., investors’ confidence in the company’s reports).
The resulting analysis may be biased if the respondents’ perception or their representation of those perceptions is biased.
With this caveat in mind, the staff of the SEC’s Office of the Chief Accountant (OCA) conducted in-depth interviews with individuals representing a variety of external users of financial statements to gather their views on the effects of Section 404.
This effort complements the analysis of the views expressed by the companies participating in the survey, in combination providing a broader and more complete assessment of the effects of Section 404 on capital market participants.
6. In various parts of the survey, the participants provided information about their experience with Section 404 compliance over several years: the most recently completed fiscal year, the fiscal year prior to that, and the fiscal year in progress at the time of the survey.