Study of the Sarbanes-Oxley Act of 2002 Section 404 Internal Control over Financial Reporting Requirements
Division of Risk, Strategy and Financial Innovation
Securities and Exchange Commission (SEC)
September 1, 2009
The Public Company Accounting Reform and Investor Protection Act, otherwise known as the Sarbanes-Oxley Act (the “Act”), was enacted in July 2002 after a series of high-profile corporate scandals involving companies such as Enron and Worldcom. Section 404(a) of the Act requires management to assess and report on the effectiveness of internal control over financial reporting (“ICFR”). Section 404(b) requires that an independent auditor attest to management’s assessment of the effectiveness of those internal controls. Because the cost of complying with the requirements of Section 404 of the Act (“Section 404”) has been generally viewed as being unexpectedly high,1 efforts to reduce the costs while retaining the effectiveness of compliance resulted in a series of reforms in 2007.
This report presents an analysis of data from publicly traded companies collected from an SEC-sponsored Web survey of financial executives of companies with Section 404 experience conducted during December 2008 and January 2009. The analysis of the survey data is designed to inform the Commission and other interested parties as to whether changes occurring since 2007 are having the intended effect of facilitating more cost-effective internal controls evaluations and audits, especially as they may apply to smaller reporting companies. The findings of the analysis relating to efficiency include evidence on the total and component compliance costs, the changes in costs over time, and the factors that help to explain why costs are lower or higher for some companies than for others. These findings include evidence of direct and indirect effects that management ascribes to Section 404 compliance, including evidence on intended benefits.
The 2007 reforms that are the focus of this inquiry include the SEC’s June 2007 Management Guidance and its order approving the Public Company Accounting Oversight Board’s (PCAOB) Accounting Standard No. 5 (AS5) (collectively referred to as the “2007 reforms”). We are primarily interested in whether and how companies’ experience with Section 404(b) compliance changed following the reforms, yet this report also presents evidence on the implementation of both Section 404(a) and Section 404(b). This reflects the interrelationship between the two requirements. The survey was open to all reporting companies with relevant experience in complying with Section 404, recognizing that only large accelerated filers and accelerated filers are currently required to comply with both Section 404(a) and Section 404(b)and, thus, have information on the overall cost of compliance with these sections. These experienced filers that responded to the survey tend to have public float in excess of $75 million, which is large compared to that of non-accelerated filers that are not yet required to comply with Section 404(b). The evidence on the experiences of larger companies may be useful in evaluating the extent to which additional improvements to the implementation of Section 404(b) should be undertaken before it becomes applicable to non-accelerated filers. Notwithstanding, it is important to highlight that the analysis in this report is not designed to provide compliance cost estimates for companies that have yet to comply with the relevant requirements of Section 404.
The general conclusion from the analysis of survey data is that compliance costs vary with company size (increasing with size), compliance history (decreasing with increased compliance experience), and compliance regime (lower after the 2007 reforms). Larger companies tend to incur higher compliance costs in dollar terms (“absolute cost”), while smaller companies report higher costs as a fraction of asset value (“scaled cost”). The evidence suggests that companies bear some fixed start-up costs of compliance that are not scalable. Some of these costs are recurring fixed costs, while others are one-time start-up costs borne in the first years of compliance that tend to dissipate over time. For companies complying with both parts of Section 404, the cost of complying with Section 404(b) is reportedly similar to the incremental cost of complying with Section 404(a) alone. The resource requirements of Section 404(a) and Section 404(b) compliance are quite different, however. The Section 404(a) cost is borne through increased internal labor and outside vendor expenses, while the Section 404(b) cost is experienced primarily through increased independent-auditor fees, according to the survey evidence.
The evidence also indicates that there is an economically and statistically significant reduction in Section 404 compliance costs following the 2007 reforms. This reduction is most pronounced among larger companies. More than half of survey participants (henceforth also referred to as “respondents”) who answered explicit questions about the effects of the 2007 reforms report that the reforms led to a decrease in compliance costs, consistent with the objectives of the reform and the reported cost reductions. Nearly all respondents indicated that they relied on the Management Guidance and, of those, a majority found it to be useful. As a result of the Management Guidance, there has been a shift of effort among smaller companies toward evaluating the effectiveness of ICFR and away from the tasks of identifying risks to the company’s financial reporting and identifying controls that address identified risks. These respondents, however, had a less favorable response to a question about the SEC’s responsiveness to concerns about compliance costs.
Number of Pages in PDF File: 139
Date posted: August 24, 2012