The Sarbanes-Oxley Act - United States Government Accountability
In response to numerous corporate failures arising from corporate
mismanagement and fraud, Congress
passed the Sarbanes-Oxley Act of 2002.
Generally recognized as one
of the most significant market reforms since the passage of the
securities legislation of the 1930s,
the act is intended to help protect investors and restore investor
confidence by improving the accuracy, reliability, and
transparency of corporate financial reporting and disclosures, and
reinforce the importance of corporate ethical standards.
Public and investor confidence in the fairness of financial
reporting and corporate ethics is critical to the effective
functioning of our capital markets. The act’s requirements apply
to all public companies regardless of size and the public
accounting firms that audit them.
The act established the
Public Company Accounting Oversight Board (PCAOB)
as a private-sector non-profit organization to oversee the audits of
public companies that are subject to securities laws.
PCAOB, which is subject to oversight by the Securities and Exchange
Commission (SEC), is responsible for establishing related
auditing, quality control, ethics, and auditor independence
The act also addresses auditor independence and
the relationship between auditors and the public companies they
The act requires public companies to assess the effectiveness of
their internal control over financial reporting and for their
external auditors to report on management’s assessment and the
effectiveness of internal controls.
The act also
contains provisions intended to make
chief executive officers (CEO) and chief financial officers (CFO)
more accountable, improve the oversight role of boards of
directors and audit committees, and provide whistleblower
Finally, the act expanded the SEC’s oversight powers and
mandated new and expanded criminal penalties for securities fraud
and other corporate violations.
regulators, public companies, auditors,
and investors generally agree that the Sarbanes-Oxley Act has had
a positive impact
on investor protection, available data indicate that
smaller public companies face
disproportionately higher costs (as a percentage of revenues) in
complying with the act, consistent with the findings of the Small
Business Administration on the impact of regulations generally on
While smaller companies historically have paid
disproportionately higher audit fees than larger companies as a
percent of revenues, the percentage difference between median
audit fees paid by smaller versus larger public companies grew in
2004, particularly for companies that implemented the act’s
internal control provisions (section 404).
Smaller public companies also cited
other costs of compliance with section 404 and other provisions of
the act, such as the use of resources for compliance rather than
for other business activities.
Moreover, the characteristics of smaller companies,
including resource and expertise limitations and lack of
familiarity with formal internal control frameworks, contributed
to the difficulties and costs they experienced in implementing the
This situation was also impacted by
the fact that many companies documented their internal control for
the first time and needed to
make significant improvements to their internal control as part of
their first year of implementing section 404, despite the fact
that most have been required by law since 1977 to have implemented
a system of internal accounting controls.
Smaller public companies and accounting firms noted that the
complexity of the internal control framework and the scope and
complexity of the audit standard and related guidance for auditors
on section 404 issued during rather than prior to the initial year
of implementation contributed to the costs and challenges
experienced in the first year of implementation.
generally expected that compliance costs for section 404 will
decrease in subsequent years, given the first-year investment in
documenting internal controls.
along with other market forces,
appeared to have been a factor in the increase in public companies
deregistering with SEC (going private)—from 143 in 2001 to 245 in
However, these companies were small by any measure (market
capitalization, revenue, or assets) and represented 2 percent of
public companies in 2004.
Based on our survey responses and discussions with smaller public
companies that implemented section 404, it appears that the act
has not adversely affected the ability of those smaller public
companies to raise capital.
However, it is too soon to
assess fully the impact of the act on access to capital,
particularly because of the large number of smaller public
companies—the more than 5,900
small public companies considered by SEC to be non-accelerated
filers—that have been given an extension by SEC to implement
In response to concerns that smaller public companies raised
about Sarbanes-Oxley Act requirements as implemented, particularly
section 404, SEC and PCAOB have undertaken efforts to help the
companies meet the requirements of the act.
SEC initially provided those smaller public companies that are
non-accelerated filers with additional time to comply with section
404 and subsequently extended the deadline several times, with the
latest extension to July 15, 2007.
SEC also formed an Advisory Committee on Smaller Public Companies to
examine the impact of the act on smaller public companies.
On March 3, 2006, the committee issued
an exposure draft of its final report for public comment
that contained recommendations that, if adopted by SEC, would exempt
up to 70 percent of all public companies and 6 percent of U.S.
equity market capitalization from all or some of the provisions of
section 404, “unless and until” a framework for assessing internal
control over financial reporting is developed that recognizes the
characteristics and needs for smaller public companies.
Specifically, the committee proposed that
“microcap” companies (companies with market capitalization below
$128 million) with revenues below $125 million and “smallcap”
companies (companies with market capitalization between $128
million and $787 million) with revenues below $10 million would
not have to comply with section 404(a) and section (b),
management’s and the external auditor’s assessment and reporting
on internal control over financial reporting, respectively.
with revenues between $10 million and $250 million would not have to
comply with section 404(b), the external auditor’s attestation on
management’s internal control assessment and the effectiveness of
internal control over financial reporting.
Following a public comment period, the committee is scheduled to
issue its final recommendations in April 2006, at which time the
recommendations would be considered by SEC.
Additionally, SEC asked COSO to develop guidance designed to assist
smaller public companies in using COSO’s internal control
framework in a small business environment.
COSO issued a
draft for public comment in October 2005, and plans to finalize
the guidance in early 2006.
While not specifically focused on small business issues, SEC held a
public “roundtable” in April 2005, in which GAO participated, that
gave public companies and accounting firms an opportunity to
provide feedback to SEC and PCAOB on what went well and what did
not during the first year of section 404 implementation.
In response, SEC and PCAOB issued additional section 404 guidance in
PCAOB also issued a report on November 30, 2005, that detailed
inefficiencies companies experienced in the implementation of its
auditing standard on internal control. SEC and PCAOB plan to hold
another roundtable on the second year of section 404
implementation in May 2006.
However, because many efforts—particularly SEC’s response to the
exemption recommendations and COSO’s efforts to provide guidance
on using its internal control framework in a small business
environment—are ongoing, smaller
public companies may be deferring efforts to implement section 404
until such issues are resolved.
While the act does not impose new requirements on privately held
companies, companies choosing to go public must realistically
spend time and funds in order to demonstrate their ability to
comply with the act, section 404 in particular, to attract
investors who will seek the assurances and protections that
compliance with section 404 provides.
Such requirements, along with other factors, may have been a
contributing factor in the reduced number of initial public
offerings (IPO) issued by small companies.
However, the overall performance of the stock market and changes in
listing standards also likely affected the number of IPOs.
From 1999 through 2004, IPOs
by companies with revenues of $25 million or less decreased
substantially from 70 percent of all IPOs in 1999 to about 46
percent in 2004.
For those privately held companies not intending to go public, our
research and discussions with representatives of financial
institutions suggested that financing sources were generally not
imposing requirements on private companies similar to those
contained in the Sarbanes-Oxley Act as a condition for obtaining
access to capital or other financial services.
number of states proposed legislation with provisions similar to
the Sarbanes-Oxley Act following its passage, three states passed
legislation calling for private companies or nonprofit
organizations to adopt requirements similar to some of the act’s
corporate governance provisions.
In addition, our interviews and review of available research
indicate that some privately held companies have voluntarily
adopted some of the act’s enhanced governance practices because
they believe these practices make pragmatic business sense.
Specifically, they have adopted practices such as CEO/CFO financial
statement certification, appointment of independent directors,
corporate codes of ethics, whistleblower procedures, and approval
of nonaudit services by the board.
Smaller public companies have been able to obtain access to
needed audit services since the passage of the act; however, data
show that a substantial number of smaller public companies have
moved from the large accounting firms to mid-sized and small
Many of these moves resulted from
the resignation of a large accounting firm.
The reasons for these changes range from audit cost and service
concerns cited by companies to client profitability and risk
concerns cited by accounting firms, including capacity constraints
and assessments of client risk.
As a result, mid-sized and small accounting firms increased their
share of smaller public company audits during 2002–2004.
Our analysis of the risk characteristics of the companies leaving
the large accounting firms shows that
mid-sized and small accounting firms
appear to be taking on a higher percentage of public companies
with accounting issues such as going concern qualifications and
other “risk” issues.
Overall, mid-sized and small accounting firms conducted 30 percent
of the total number of public company audits in 2004—up from 22
percent in 2002.
However, the overall market for audit services remains highly
concentrated, with companies audited by large firms representing
98 percent of total U.S. publicly traded company sales (revenues).
In the long run, the act may reduce some of the competitive
challenges faced by mid-sized and small accounting firms.
For example, mid-sized and small accounting firms
could increase opportunities to enhance
their recognition and acceptance among capital market participants
as a result of operating under PCAOB’s registration and inspection
We have two concerns with certain draft recommendations from the
Advisory Committee on Smaller Public Companies related to internal
Our first concern relates to lack of specificity in the
While calling for an internal control framework that recognizes the
needs of smaller public companies, the recommendations do not
address what needs to be done to establish such a framework or
what such a framework might include.
In reviewing the implementation of section 404 for larger public
companies, we noted that many, if not most, of the significant
problems and challenges related to implementation issues rather
than the internal control framework itself.
We think it is essential that public companies, both large and
small, have appropriate guidance on how to effectively implement
the internal control framework and assess and report on the
operating effectiveness of their internal control over financial
Our second concern relates to the
ambiguity surrounding the conditional nature of the “unless and
until” provisions of the recommendations and the potential impact
that may result for a large number of public companies that would
qualify for either full or partial exemption from the requirements
of section 404.
Our concerns also include the additional time that may be needed to
resolve the concerns of smaller public companies and the impact
any further regulatory relief may have in delaying important
investor protections associated with section 404.
When SEC begins its assessment of the final recommendations of
its small business advisory committee, it is essential that SEC
balance the key principle behind the Sarbanes-Oxley Act—investor
protection—against the goal of reducing unnecessary regulatory
burden on smaller public companies.
In considering the concerns of the Advisory Committee on Smaller
Public Companies regarding the ability of smaller public companies
to effectively implement section 404,
(1) assess whether the current guidance, particularly guidance on
management’s assessment of internal control over financial
reporting, is sufficient or whether additional action is needed to
help smaller public companies meet the requirements of section
(2) coordinate with PCAOB to help ensure that section 404-related
audit standards and guidance are consistent with any additional
guidance applicable to management’s assessment of internal control
and identify additional ways in which auditors of public companies
can achieve more economical, effective, and efficient
implementation of the standards and guidance related to internal
control over financial reporting; and
(3) if further relief is deemed appropriate, analyze and consider
the unique characteristics of smaller public companies and their
investors in determining categories of companies for which
additional relief may be appropriate so that the objectives of
investor protection are adequately met and any relief is targeted
Top 10 risk and compliance management related news stories and
Do you want to receive every Monday the
risk and compliance management related
that (for better or for worse) shaped the week's agenda,
and what is next?
You may submit the form that follows.
We meet strict national and international privacy standards. You
can unsubscribe at any time.
Study of the Sarbanes-Oxley Act of 2002 Section 404
Control over Financial Reporting Requirements
ECONOMIC ANALYSIS UNITED STATES SECURITIES AND EXCHANGE COMMISSION,
This is a report by members of the Office of
Economic Analysis, U.S. Securities and Exchange Commission. The
Commission has expressed no view regarding the analysis, findings,
or conclusions contained herein.
Public Company Accounting Reform and
Investor Protection Act, otherwise known as the Sarbanes-Oxley Act
(the “Act”), was enacted in July 2002 after a series of
high-profile corporate scandals involving companies such as Enron
Section 404(a) of the
Act requires management to assess and report on the effectiveness
of internal control over financial reporting (“ICFR”). Section
404(b) requires that an independent auditor attest to management’s
assessment of the effectiveness of those internal controls.
Because the cost of complying with the requirements of Section 404
of the Act (“Section 404”) has been generally viewed as being
unexpectedly high,1 efforts to reduce the costs while retaining
the effectiveness of compliance resulted in a series of reforms in
The analysis of the
survey data is designed to inform the Commission and other
interested parties as to whether changes occurring since 2007 are
having the intended effect of facilitating more cost-effective
internal controls evaluations and audits, especially as they may
apply to smaller reporting companies.
The findings of the
analysis relating to efficiency include evidence on the total and
component compliance costs, the changes in costs over time, and
the factors that help to explain why costs are lower or higher for
some companies than for others.
These findings include
evidence of direct and indirect effects that management ascribes
to Section 404 compliance, including evidence on intended
The 2007 reforms
that are the focus of this inquiry include the SEC’s June 2007
Management Guidance and its order approving the Public Company
Accounting Oversight Board’s (PCAOB) Accounting Standard No. 5
(AS5) (collectively referred to as the “2007 reforms”).
We are primarily
interested in whether and how companies’ experience with Section
404(b) compliance changed following the reforms, yet this report
also presents evidence on the implementation of both Section
404(a) and Section 404(b).
This reflects the
interrelationship between the two requirements.
The survey was open to
all reporting companies with relevant experience in complying with
Section 404, recognizing that only large accelerated filers and
are currently required to comply with both
Section 404(a) and Section 404(b) and, thus, have information
on the overall cost of compliance with these sections.
These experienced filers
that responded to the survey tend to have public float in excess
of $75 million, which is large compared to that of non-accelerated
filers that are not yet required to comply with Section 404(b).
The evidence on the
experiences of larger companies may be useful in evaluating the
extent to which additional improvements to the implementation of
Section 404(b) should be undertaken before it becomes applicable
to non-accelerated filers.
important to highlight that the analysis in this report is not
designed to provide compliance cost estimates for companies that
have yet to comply with the relevant requirements of Section 404.
conclusion from the analysis of survey data is that compliance
costs vary with company size (increasing with size), compliance
history (decreasing with increased compliance experience), and
compliance regime (lower after the 2007 reforms).
tend to incur higher compliance costs in dollar terms (“absolute
cost”), while smaller companies report higher costs as a fraction
of asset value (“scaled cost”).
The evidence suggests
that companies bear some fixed start-up
costs of compliance that are not scalable.
Some of these costs are
recurring fixed costs, while others are one-time start-up costs
borne in the first years of compliance that tend to dissipate over
time. For companies complying with both parts of Section 404, the
cost of complying with Section 404(b) is reportedly similar to the
incremental cost of complying with Section 404(a) alone.
requirements of Section 404(a) and Section 404(b) compliance are
quite different, however.
The Section 404(a)
cost is borne through increased internal labor and outside vendor
expenses, while the Section 404(b) cost is experienced
primarily through increased independent-auditor fees, according to
the survey evidence.
evidence also indicates that there is an economically
and statistically significant reduction in Section 404 compliance
costs following the 2007 reforms.
This reduction is most
pronounced among larger companies.
More than half of survey
participants (henceforth also referred to as “respondents”) who
answered explicit questions about the effects of the 2007 reforms
report that the reforms led to a decrease in compliance costs,
consistent with the objectives of the reform and the reported cost
Nearly all respondents
indicated that they relied on the Management Guidance and, of
those, a majority found it to be useful.
As a result of the
Management Guidance, there has been a shift
of effort among smaller companies toward evaluating the
effectiveness of ICFR and away from the tasks of identifying risks
to the company’s financial reporting and identifying controls that
address identified risks.
however, had a less favorable response to a question about the
SEC’s responsiveness to concerns about compliance costs.
The Web survey also included questions about respondents’
perceptions of other potential effects of Section 404 compliance,
including potential beneficial effects.
Respondents ascribe some
beneficial effects to Section 404 compliance.
respondents were more likely to report direct benefits of
compliance with Section 404 rules (i.e., improvements directly
related to a company’s financial reporting process, such as the
quality of the company’s ICFR), rather than indirect benefits of
compliance (i.e., improvements indirectly related to a company’s
financial reporting process, such as the company’s ability to
Respondents from larger companies and Section
404(b) companies tend to regard Section 404 compliance more
favorably than those from their counterparts in almost every
Before turning to a
more detailed outline of findings, it will be useful to provide
some background on the size and compliance categories of the
companies that are the subject of the study.
Throughout the analysis,
respondents are partitioned based on the size of their company
using the size thresholds that parallel the SEC’s reporting
Under SEC regulations— typically—non-accelerated
filers have public float of less than $75 million; accelerated
filers have public float between $75 million
and $700 million; and large accelerated filers have public float
of $700 million or more.
The evidence on the
costs and benefits of Section 404(b) compliance is almost entirely
from the last two groups, which are termed “large” and
“medium/mid-sized” companies in this report, because “small”
companies (with public float less than $75 million) were typically
not yet required to comply with Section 404(b) at the time of the
research, in some instances, the analysis of smaller companies
focuses on those having a public float falling within a band above
and below the $75 million threshold that distinguishes
non-accelerated from accelerated filers.
In addition, to separate
the effects of Section 404(a) compliance from those of Section
404(b), when appropriate the analysis partitions companies that
were compliant with both Sections 404(a) and 404(b) in the
relevant fiscal year (henceforth “Section 404(b) companies”)6 from
those that are compliant with Section 404(a) only (henceforth
“Section 404(a)-only companies”).
Receive the New Member Orientation
You will have the
opportunity lo learn what members registered before you have
already learned. Understand better the Sarbanes Oxley environment,
projects, careers, challenges and opportunities.
Q1. How does the cost of complying with
Section 404 vary across companies,
and what factors influence a
company’s compliance cost?
The total cost of
complying with Section 404 varies across companies depending on
(1) the company’s size, (2) whether the company is complying with
Section 404(a) only or also with Section 404(b), (3) the company’s
experience in complying with Section 404(b), and (4) whether
compliance occurred before or after the 2007 reforms.
absolute compliance cost in dollar terms tends to increase with
company size (measured by public float), but the cost scaled by
asset value tends to decline as company size increases. As one
would expect, total compliance costs are typically larger for
companies complying with Section 404(b) in addition to Section
Longer experience with
Section 404(b) compliance, however, is associated with a decrease
in the typical reported costs (scaled by company assets).
The cost of compliance
tends to be lower after the 2007 reforms than before and this
decrease is most pronounced among larger companies.
Q2. What is the observed trend in Section
404 compliance cost before and after the 2007 reforms?
The Web survey
collected response data on audit fees, outside vendor fees,
non-labor costs, and internal labor hours.
These cost components
were aggregated using conservative assumptions in order to obtain
a dollar estimate of the total cost of compliance (see Section
generally indicates that the typical total compliance costs have
decreased from the year prior compared to the one after the 2007
reform and are expected to decrease further in the fiscal year in
progress at the time of the survey.
Among Section 404(b)
companies, the mean total Section 404 compliance cost drops
significantly from $2.87 million pre-reform to $2.33 million
post-reform, representing a 19 percent decline in the total
The compliance cost is
expected to be lower still, with a mean cost of $2.03 million,
representing a combined decline of 29 percent.
compliance costs by size category, the mean total compliance cost
decreases from $769,000 to $690,000 among filers with public float
lower than $75 million, but this difference is not statistically
The reduction in
compliance costs is more pronounced among the medium and large
companies that are already required to comply with Section 404(b).
The medians reveal
similar patterns for the typical company in our sample.8 The
median total Section 404 compliance cost declines significantly
from $1.19 million pre-reform to $1.04 million post-reform, a 13
The median expected cost
for the fiscal year in progress is lower still, at $905,000, a
combined decline of 24 percent relative to the pre-reform median
filers, the median total compliance cost decreased from $579,000
to $439,000, but, as with the means, the difference for these
companies is not statistically significant.
first-time compliance costs before and after the 2007 reforms, the
results are mixed and the mean decrease in total costs is not
statistically significant. In contrast, for companies in their
second year of compliance with Section 404(b), both the mean and
median compliance costs are significantly lower after the 2007
reforms than before.
among Section 404(a)-only companies, the
mean total cost also decreased from $425,000 pre-reform to
$336,000 post-reform, but the difference is not statistically
significant, and the median cost actually increased from $111,000
Both the mean and the
median, however, are expected to decrease for the fiscal year in
progress at the time of the survey
Q3. How do the component costs of complying
with Section 404 compare, and how have they changed since the 2007
For Section 404(b)
compliant companies, the largest cost component is internal labor
costs— which can comprise more than 50 percent of the total
compliance cost—followed by the estimated portion of total audit
fees attributed to ICFR (404(b) audit fees), outside vendor fees,
and non-labor cost.
In general, every
component cost declines after the reforms compared to the year
before, and is projected to decline further in the fiscal year in
progress. The most notable changes in the cost components between
pre-reform and post-reform are observed in the outside vendor fees
and the percent of the total audit fees attributable to ICFR.
The mean outside vendor
fee decreases by 29 percent from $438,000
pre-reform to $311,000.
The median outside
vendor fee decreases by 10 percent from $100,000 to $90,000. Both
differences are statistically significant, and the outside vendor
fees are expected to decrease significantly to a mean cost of
$222,000 and median cost of $55,000 in the fiscal year in progress
at the time of the survey.
mean portion of the audit fee that
respondents attributed to the ICFR audit also decreases
significantly by 21 percent from $821,000 to $652,000. This
decline is expected to continue. Similarly, the median audit fee
decreases by 13 percent from $358,000 to $311,000 and is expected
to decrease to $275,000.
Q4. What are the benefits of complying with
Section 404, as reported by company executives, and how do they
compare against the costs of compliance?
The survey asked the
respondents to comment on the impact of Section 404 compliance on
twelve characteristics relating to internal governance and
investor confidence, of which six were considered direct effects
of compliance and the remaining six indirect effects of
recognized Section 404 compliance as having a positive impact on
various dimensions of the financial reporting process, but were
less inclined to recognize these improvements as affecting the
companies’ dealings with other capital market participants.
Furthermore, in an
optional section of the survey, respondents provided their
assessment of the cost-benefit trade-off of Section 404
The majority of
respondents to this section perceive the trade-off to be negative
to varying degrees. This perceived trade-off is more favorable
among larger companies and, independently of size, improved
following the 2007 reforms.
Among the characteristics that are most
widely reported benefiting from Section 404 compliance is: the
quality of the respondent company’s internal control structure (73
percent), the audit committee’s confidence in the company’s ICFR
(71 percent), the quality of the company’s financial reporting (49
percent), the company’s ability to prevent and detect fraud (48
percent), and the respondent’s confidence in the financial reports
of other companies complying with Section 404 (40 percent).
The majority of
respondents recognize no effect of Section 404 compliance on: the
company’s ability to raise capital, investor confidence in the
company’s financial reports, the company’s overall firm value, and
the liquidity of the company’s common stock.
perceived effect of Section 404 compliance on the efficiency of
the operating and financial reporting processes and the timeliness
of the company’s financial statement audit varies widely: while a
majority of respondents perceive no effect on these dimensions,
non-trivial portions of respondents recognize a negative
effect—that is, a reduction in the efficiency of the operating and
financial reporting processes and/or the timeliness of financial
statement audit (see Table 14).
In the cross-section,
larger companies were more likely to ascribe positive direct and
indirect effects to Section 404 compliance than were smaller
Q5. What are the reported benefits of
Section 404 compliance from the perspective of financial statement
In order to obtain a
more complete picture of the effects of Section 404
implementation, staff members from the SEC’s Office of the Chief
Accountant conducted separate in-depth phone interviews of a
sample of 30 users of financial statements—including lenders,
securities analysts, credit rating agencies, and other investors.
Although the sample is
admittedly smaller than that of issuers participating in the
survey, the evidence gathered is useful because it provides the
perspective of financial statement users on the effects of Section
financial statement users regard ICFR disclosures to be beneficial
and indicated that Section 404(a) and Section 404(b) compliance
has had a positive impact on their confidence in the companies’
The users generally
indicate that Section 404 compliance leads management to better
understand financial reporting risks, put in place appropriate
controls to address financial reporting risks, and address
internal control deficiencies in a more timely fashion than in the
absence of the disclosure requirement.
Although, users offer
divergent opinions regarding the extent to which disclosures of
material weakness affect their decision-making process, most agree
that severe weaknesses that could take years to remediate are
likely to negatively affect their decision-making.
Users tend not to
perceive the benefits of Section 404 compliance to vary with the
size of the reporting company. Instead, many indicate that these
benefits depend on a company’s complexity and industry
At the same time, the
users agree that variations in compliance requirements based on
complexity and/or industry would likely be impractical.
Finally, most users
indicate that the benefits they perceive from Section 404
compliance have not changed substantially over time. This is an
important finding since it indicates that the 2007 reforms, while
intended to reduce certain duplicative efforts in conducting the
evaluation of ICFR, did not at the same time change financial
statement users’ perception of the effectiveness of Section 404.
Regarding the Section 404(b) requirement, the general
consensus is that the auditor’s report on ICFR required under
Section 404(b) provides an incremental benefit beyond the
management’s report because many respondents perceive the audit
requirement to provide necessary discipline to the reporting
Although some users
express the concern that ICFR evaluation may divert management’s
attention from other important areas of their businesses, these
respondents continued to believe that strong ICFR is necessary and
that financial statements need to be of high quality and reliable.
interviewed indicate that the process of compliance with Section
404 has become more efficient since the initial implementation in
2004 due to:
(i) reduction in the
level of documentation,
communications between auditors and management,
(iii) increased use of
professional judgment in scoping and testing,
(iv) more focus on
higher risk areas, and
(v) streamlining of
audits subsequent to the first-time effort required by Section 404
Q6. In what ways have
the Commission’s 2007 reforms affected the companies’ procedures
of complying with Section 404?
respondents who completed an optional section of the survey
requesting feedback on management’s Section 404(a) experience
responded that they used Management Guidance and found it to be
useful (see Table 16).
Those who responded
indicate that both Management Guidance and Auditing Standard No. 5
have helped reduce the total cost of compliance, for companies in
every size category.
The respondents also
indicate on average that Auditing Standard No. 5 resulted in a
small decrease in the time it takes to complete the independent
audit of ICFR.
The perceived impact of
AS5, however, varies with the size of the company and its
experience with Section 404(b) compliance. Specifically, the
perceived impact of AS5 on the time it takes to complete the
independent audit of ICFR is significantly smaller among small
filers and among companies with no previous experience with
Section 404(b) compliance.
When asked to
compare the changes in activities associated with management’s
evaluation of ICFR, the respondents indicate a slight decrease on
average from pre-reform to post-reform in the number of risks
subject to testing, the number of controls tested, but a slight
increase in the level of documentation, the use of management’s
interaction with controls as evidence, reliance on evidence gained
from self-assessment, and reliance on evidence from direct
Like much of the
previous results, the responses varied significantly depending on
the respondents’ size. While smaller companies typically report an
increase in every component, the changes reported by medium and
large filers are not homogenous.
the evidence suggests that the compliance process across companies
of different size has become more homogenous following the 2007
Finally, the survey
evidence indicates that companies are increasingly structuring
their evaluations of ICFR with the intent of allowing the
independent auditor to rely on their internal work (see Table 22),
which is consistent with one of the goals of the 2007 reforms
through Auditing Standard No. 5.
Some caveats about
the analysis of Web survey data on Section 404 implementation
There are a number of
caveats to consider when interpreting the evidence presented in
this study, some of which are due to the inherent nature of survey
data, while others are the result of the particular context in
which the Section 404 survey takes place.
First, most, if not
all, analyses of survey data are affected to various degrees by
the following potential difficulties:
Self-Selection Bias (i.e., Non-response Bias):
Participation in survey
research is generally voluntary. The process by which survey
participants “select” to participate in a survey can bias the
inference based on survey data, if the participants’ (self-)
selection process is such that particular segments of the
population are systematically over- or under-represented.
We conduct extensive
analyses to test for the presence and the potential severity of
the problem, particularly by investigating the extent to which key
characteristics of the sample of respondents to the survey
coincide or diverge from those of the list of companies identified
as the target population (see Part III).
We find that respondent
companies are representative of the initial list of public
companies identified for this study, particularly among Section
404(b) companies or within company size groups.
We also find that the
typical responses of voluntary participants in the survey are not
significantly different from those of a randomly selected,
stratified sample of companies that were the target of follow-up
efforts to induce their participation.
the evidence is consistent with the notion
that the voluntary nature of the participation introduces no bias
in the responses, at least relative to the separate treatment
group where part of the decision to participate is a result of the
Response Bias: If there are no
penalties for misrepresentation and survey participants have
systematic incentives to be less than fully truthful, inference
based on survey data (or any other self-reported information that
meets those criteria) may not be accurate.
A similar problem
arises when survey questions are designed to elicit the
participant’s subjective perceptions on a particular subject and
the participants’ views are systematically biased. The portion of
survey data that we could independently verify (i.e., audit fees)
indicates that the participants’ representations do not deviate
substantially from what is reported in official SEC filings.
Aside from this
exercise, it is virtually impossible to assess the extent to which
the remaining survey data may not be accurate.
The nature of the
survey questions varies, with some questions focusing on
quantifiable items (e.g., internal labor hours) and others on
directional perceptions (e.g., assessment of the effect of Section
404 on the quality of ICFR) and others still on
directional/ordinal perceptions (e.g., assessment of the effect of
AS5 on the amount of time it takes to complete the independent
audit under Section 404(b)).
The common element,
however, is that these data cannot be independently verified,
either because companies are do not keep a separate record of the
figures provided (e.g., costs) or because the information provided
is based on the respondents’ perceptions which by their very
nature are not verifiable.
The analysis in this
report provides a characterization of companies’ experiences with
Section 404 compliance that is based on survey participants’
representations of their experiences.
Other caveats are
specific to the analysis presented in this report, as they depend
on the nature and timing of the survey. In particular:
The number of respondents from Section
404(b) companies that are non-accelerated filers and have usable
data is relatively small—approximately 100 companies versus over
1,600 accelerated filers in the most recently completed fiscal
year (see Table 9)—and there are reasons to believe the experience
of these companies may not extend to other non-accelerated filers
that are yet to comply with Section 404(b).
non-accelerated Section 404(b) companies that participated in the
survey are either voluntary compliers or have been required to
comply in the past as accelerated filers and must continue to do
so because their float has not dropped below $50 million since.
To the extent that these
factors affect companies’ experience with Section 404(b)
compliance, one should be careful when extrapolating the results
to non-accelerated filers that are yet to comply.
2. Non-accelerated filers were required to
start complying with Section 404(a) at the end of 2007—after the
Yet, a number of
non-accelerated filers responding to the survey reported bearing
Section 404 compliance costs prior to the reform. These
respondents were contacted after the survey was closed to inquire
about the nature of the information provided.
indicated that their company began complying with Section 404
requirements prior to the Commission’s public announcement that
the compliance deadline had been extended and, thus, they viewed
the resulting pre-reform costs reported in the survey as
appropriately ascribed to Section 404(a) compliance.
of non-accelerated filers’ experience prior to the reforms should
be interpreted with the caveat in mind that it may not be
representative of what the typical non-accelerated filer would
characteristics of the internal governance structure and financial
reporting process are likely to be important determinants of the
companies’ compliance experiences, including costs and benefits
and the nature of the audit services they obtain under Section
To the extent that
accelerated and non-accelerated filers display significant
differences in these dimensions, it may not be appropriate to
extrapolate the analysis of accelerated filers to non-accelerated
4. All the cost
figures presented in this analysis are based on survey
respondents’ characterization of the resources devoted to Section
404 compliance. As such, the general caveats above apply.
Moreover, there are some aspects specific to our analysis:
a. All estimates
presented in this report are based on non-audited numbers based on
the respondents’ perception provided in the survey.10 Moreover,
the nature of the estimates is limited by the scope of the survey.
b. There are reasons
to question the ability of respondents to provide an accurate
breakdown of audit fees into Section 404(b) fees versus financial
statement audit fees.
Auditors interviewed by the SEC’s OCA staff
highlight this difficulty on the basis that, for Section 404(b)
companies, the two audits are integrated and audit firms do not
typically provide a breakdown of the fees.
Based on conversations
with issuers, however, it seems routine for them to request and
obtain audit fee quotes that account for the incremental auditor’s
work under Section 404(b) requirements before the company begins
complying with this section of the Act.
Thus, it is possible
that respondents’ attribution of audit fees to Section 404(b) may
be inaccurate, to the extent that they are based on quotes
provided by auditors upon first-time compliance with this section
and that such a breakdown does not apply in subsequent years of
c. It is important to note that the estimates of
internal labor costs presented in this report are based on an
assumption about a reasonable hourly rate.
The rate adopted for
internal labor is $121 per hour, consistent with the rate quoted
as of September, 2008 for a junior accountant cited in a report on
salaries prepared by the Securities Industry and Financial Markets
Association (SIFMA), to which the Commission frequently refers in
This is at the low end of cost estimates
that are provided in the SIFMA report for accounting and related
services, and above the rate of $50/hour (or $100,000 for 2000
hours) that is assumed in a series of Financial Executives
International (“FEI”) reports of survey findings relating to the
costs of compliance with Section 404 that date back to 2005.
Although our assumed
rate is within the range of reasonable estimates for evaluating
the overall costs of compliance, it is not intended for use in
estimating the cost to an individual company.
We have provided
information sufficient for determining how the internal labor
costs are affected by changes in the hourly rate—e.g., doubling
(halving) the rate to $242 ($60.5) per hour doubles (halves) the
associated labor costs— and by changes in internal labor hours,
each of which may vary across companies.
d. Coates (2007),
among others, highlights that implementation of the Sarbanes-Oxley
Act “created new incentives for firms to spend money on internal
controls” even where companies were required to invest such
resources under the previous regulatory regime.
This observation is
particularly relevant in the context of Section 404
implementation. In particular, Section 13(b)(2) of the Exchange
Act requires companies to maintain effective ICFR, while Section
404 requires management to report on the effectiveness of ICFR.
By this reasoning, it is
conceivable that Section 404 may have given issuers incentives to
spend more resources to meet the requirements of the Exchange Act,
causing companies to bear “deferred maintenance” expenses to bring
ICFR into compliance with those requirements.
It is possible that
survey participants include these costs in their assessment of the
incremental costs due to Section 404 compliance.
Whether this is the
correct measure of the incremental costs of Section 404 compliance
depends on the objective of the analysis. For example, issuers
were required to be in compliance with Section 13(b)(2) of the
Exchange Act prior to SOX, so the ICFR maintenance costs might not
From this perspective,
Section 404 cost estimates that include the ICFR maintenance
expenses overestimate the cost of compliance with Section 404—by
including more than just the cost of reviewing ICFR and preparing
the mandated disclosures.
Alternatively, if the
argument above is correct, in the sense that companies
systematically shirk in complying with the Exchange Act
requirements absent SOX, then the incremental economic cost of
Section 404 compliance should include the aforementioned
maintenance expenses that would not be borne absent Section 404.
Similarly, it is worth
noting that a parallel logic applies to the benefits of Section
That is, from an
economic perspective, the incremental benefits of Section 404
include the improvements in ICFR resulting from the deferred
maintenance that would not have occurred absent the new disclosure
requirements of Section 404.
5. Participants in
the survey provided their perceptions of the effects of Section
404 compliance, both on the financial reporting process and their
company’s interaction with capital market participants. The
following caveats should be kept in mind for this part of the
a. The assessment of
the benefits is qualitative in nature, given the intrinsic
difficulty of quantifying the benefits of Section 404 compliance
in monetary terms, and not directly comparable to the cost
estimates provided by the same respondents.
b. In addition to
lack of comparability with cost estimates, the analysis of the
survey responses about the benefits of compliance may be subject
to response bias.
In particular, the response bias would seem to
be especially relevant when participants provide their assessment
of how Section 404 compliance affects subjects outside the
corporation (e.g., investors’ confidence in the company’s
The resulting analysis
may be biased if the respondents’ perception or their
representation of those perceptions is biased.
With this caveat in
mind, the staff of the SEC’s Office of the Chief Accountant (OCA)
conducted in-depth interviews with individuals representing a
variety of external users of financial statements to gather their
views on the effects of Section 404.
This effort complements
the analysis of the views expressed by the companies participating
in the survey, in combination providing a broader and more
complete assessment of the effects of Section 404 on capital
6. In various parts
of the survey, the participants provided information about their
experience with Section 404 compliance over several years: the
most recently completed fiscal year; the fiscal year prior to
that, and the fiscal year in progress at the time of the survey.