I. The Evolution of § 404
As adopted, § 404(a) required the SEC to promulgate rules requiring reporting companies to include a statement by issuer management acknowledging their responsibility “for establishing and maintaining an adequate internal control structure and procedures for financial reporting” and assessing, “as of the end of the most recent fiscal year of the issuer, … the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” Section 404(b) required the issuer’s external auditor to “attest to, and report on,” management’s assessment of the reporting company’s ICFR. It further required the PCAOB to promulgate auditing standards governing such attestations.
Compliance with § 404 proved considerably more expensive than anyone had anticipated, especially the auditor fees associated with § 404(b)’s assessment requirement. Because § 404 compliance costs scaled poorly, moreover, small issuers bore disproportionately large costs. As a result, there was considerable pressure to provide regulatory relief, especially for smaller issuers.
In 2007, the SEC approved a revised PCAOB auditing standard intended to simplify compliance obligations, eliminate unnecessary processes, and focus the audit on the most critical aspects of the issuer’s internal controls. The SEC also issued interpretative guidance intended to help issuers manage compliance costs. In the following years, the SEC repeatedly provided smaller issuers with targeted relief by deferring their obligation to comply with § 404(b). Accelerated and large accelerated filers had been required to comply with both of § 404’s subsections for fiscal years ending on or after November 15, 2004. Non-accelerated filers initially were obliged to comply with both subsections for fiscal years ending on or after July 15, 2007. The SEC extended that deadline for both subsections in 2006 and further extended the deadline for § 404(b) compliance in 2008.
In the 2010 Dodd-Frank Act, Congress provided smaller issuers with permanent relief by exempting non-accelerated filers from § 404(b). In the 2012 JOBS Act, Congress created a new class of reporting companies called emerging growth companies (“EGC”). An EGC is an issuer that, inter alia, “had total annual gross revenues of less than $1,000,000,000 … during its most recently completed fiscal year.” As long as a company remains an EGC, it is exempt from complying with § 404(b).
In 2020, the SEC provided further relief by adopting amendments exempting from the definitions of accelerated filer and large accelerated filer any issuer that is eligible to be deemed a “smaller reporting company” and that had annual revenues of less than $100 million in the most recent fiscal year for which audited financial statements are available. The SEC estimated that the additional firms thereby exempted from § 404(b)’s auditor assessment requirement “would save approximately $210,000 per year comprised of approximately $110,000 per year reduction in audit fees and an additional reduction in non-audit costs of approximately $100,000.” Although those savings may seem trivial, the SEC argued that many issuers would benefit because the “affected issuers have, on average, negative net income and negative net cash flows from operations.”
The net effect of these successive rulemaking proceedings is that all reporting companies are now required to comply with the management assessment mandated by § 404(a). Non-accelerated filers and a substantial number of accelerated filers, however, are exempt from the auditor attestation required by § 404(b). Thus, a significant number of reporting companies are subject only to § 404(a), although the precise percentage of reporting companies subject solely to § 404(a) is somewhat uncertain. A 2014 estimate claimed that “98% of all companies that have gone public since 1970” were exempt from § 404(b). But that estimate likely was considerably exaggerated. In 2014, there were 3,795 auditor attestations and 7,449 management assessments filed with the SEC. As such, it appears that only about 50 percent of all filers were exempt from § 404(b) in 2014. That ratio remains roughly the same. In 2020, there were a total of 6,205 management assessments and 3,142 auditor attestations filed with the SEC.
Section 404 had laudatory goals. Faulty internal controls contributed to many corporate scandals during the dot-com era. Empirical research of the era suggested that reporting companies with poor internal controls tended to have more frequent earnings restatements, more SEC enforcement proceedings, and poorer performance than comparable firms with strong internal controls. Congress therefore intended that § 404 “improve the accuracy of financial reporting while providing assurance for investors that the companies in which they are investing are operating with integrity and honesty.” While that goal is laudable, the difficulty has been quantifying those potential benefits so as to determine whether § 404 is delivering them in a cost-effective way.
A. Improved Accounting Quality
The capital markets are plagued by information asymmetries. Issuers and their managers know more than investors. Some investors will have better connections with issuers and thus better information than other investors. In response, poorly informed investors will demand compensation for bearing the risks associated with being uninformed, raising issuers’ cost of capital. In theory, the SEC’s mandatory disclosure regime should reduce those asymmetries, provided that the issuer’s disclosures are credible. One might try to justify § 404 by arguing that it improved the quality of issuers’ accounting processes and the resulting financial disclosures, which should credibly reduce the information asymmetries in the market.
There is no doubt that material weaknesses in ICFR are associated with low quality financial reporting. Firms with weak ICFR show “higher accrual noise and larger abnormal accruals.” A 2018 study reported that material weaknesses in ICFR information technology are associated with a higher likelihood of restatements, less accurate forecasts, and lower earnings quality. Securities analysts regard disclosure of a material weakness as a red flag warning of potential financial fraud. Accordingly, if managers promptly disclose and remediate material weaknesses, § 404 could both have considerable informative value for investors and improve accounting quality.
Determining the precise extent to which § 404 generated significant improvements in accounting quality is complicated, however, because there are important confounding factors. In particular, the CEO and CFO certification requirements under SOX sections 302 and 906 should also encourage firms to improve accounting quality, especially because section 906 adds the prospect of criminal liability for certifying misleading disclosures. Empirical research found that CEO and CFO certification improved the information environment considerably more effectively than § 404, as measured “by decreased bid-ask spread and price volatility, and increased trading volume.” This finding is not surprising, given that the CEO and/or the CFO were charged in three-fourths of the SEC cases alleging financial-statement fraud and that the amount of financial-statement fraud was significantly higher when either the CEO or CFO was involved. Deterrence aimed at the root of the problem presumably provides investors with greater confidence in the integrity of the issuer’s financial statements.
Turning to the impact of the individual subsections, there is some evidence that § 404(b), at least initially, improved accounting quality. The number of adverse auditor attestations peaked in 2005 at 480 and steadily declined to 139 in 2010. There was a steady rise in the number of adverse attestations thereafter, however, peaking at 246 in 2019. Any improvement thus seems to have been short lived.
As for § 404(a), there is evidence that accounting quality has not improved. The percentage of adverse management assessments gradually rose from 16.5 percent in 2007 to a peak of 23.9 percent in 2014. Since 2014, the percentage has fluctuated in the low twenties, most recently hitting 21.4 percent in 2020. That data captures all management reports, including those by the management of firms that are also subject to § 404(b). The percentage of adverse reports by managements of companies subject only to § 404(a) is considerably higher, steadily rising from 27.4 percent in 2007 to a peak of 42.4 percent in 2014. The percentage fluctuated in the low forties between 2015 and 2019 before dropping to 38.6 percent in 2020. A consistent pattern of four out of ten issuers reporting adverse assessments over an eight-year period is not suggestive of improved accounting quality.
An alternative assessment suggests that § 404 did not significantly improve accounting quality in the period immediately following passage. A study examining issuer behavior in the three years ending in 2006 found that 733 issuers reported a material weakness in their ICFR. Perhaps because § 404 relied on naming and shaming rather than civil or criminal sanctions, only 59 percent of those issuers had remediated the reported weakness in the year after first reporting it. Thirty percent of issuers were still reporting the same weakness three years after first reporting it. Further evidence that § 404 still provides only weak incentives to correct material weaknesses came from a study finding that most firms did not disclose a material weakness when it was identified but rather only after the firm had to issue a restatement of its financial reports. Taken together, such results suggest that, despite § 404, some firms allow substantial problems with their ICFR to persist for extended periods and some fail to timely disclose those weaknesses.
In sum, it is difficult to distinguish the impact of § 404 on accounting quality from that of potential confounding factors. Having said that, however, there is reason to doubt the significance of this alleged benefit. Data on the annual number of adverse management reports and auditor attestations suggest that § 404 has not driven them down over time. Other data suggests that many issuers report persisting material weaknesses over several years without remediating them.
B. Improved Earnings Quality
Starting in the 1980s, there was a dramatic shift in top executive pay toward equity-based compensation. Restricted stock awards, stock options, and performance-based bonuses now comprise the bulk of compensation of most CEOs. In theory, performance-based pay aligns management and shareholder interests. In practice, it creates temptations for executives to manage earnings so as to maximize their pay.
Weaknesses in ICFR are correlated with earnings management. A 2009 study, for example, reported “that a higher quality of the internal audit function is associated with reduced earnings management, as proxied by abnormal accruals and the propensity to meet or just beat analysts’ earnings forecasts.” Accordingly, if § 404 improved earnings quality, there would be a substantial benefit for investors.
Studies of the period immediately after the enactment of SOX revealed a reduction in accrual earnings management—i.e., the use of accounting practices to manipulate reported earnings—but an increase in real earnings management—i.e., the manipulation of actual transactions. As for more recent research, some studies produced results consistent with the earlier work. Other studies, however, are at least partially inconsistent with the earlier findings. Several studies found that the impact of SOX on earnings management depends on various factors, such as whether the CEO was new on the job or nearing exit, whether the firm was engaged in open-market stock repurchases, and the degree of CEO risk aversion.
Problematically, these studies focused on SOX as a whole. Again, the difficulty is disentangling the impact of § 404 from potential confounding factors. In addition to its CEO and CFO certification provisions, SOX contained several other provisions aimed at earnings management, such as the enhanced duties imposed on the audit committee and the requirement regarding the clawback of executive compensation. Likewise, a number of Dodd-Frank’s provisions impacted executive incentives to engage in earnings management, such as the enhanced compensation disclosure regime and the expanded compensation clawback mandate.
Despite that problem, several studies do suggest that § 404 has improved earnings quality. A comparison of firms just above the $75 million threshold and those just below it found that firms obliged to comply with § 404 “had significantly lower total accruals and discretionary accruals than firms just below the exemption level.” Another study found that indicia of earnings quality increased when management reported remediating material weaknesses previously disclosed pursuant to § 404. Quantifying the extent of the benefit, however, remains difficult.
C. Overall Impact on Shareholders
Do § 404’s purported benefits measurably benefit investors? Studies of the market reaction to disclosure of material weaknesses have ambiguous and contradictory results. Several studies report an association between disclosure of material weaknesses and higher cost of equity. In particular, reporting persistent material weaknesses over a period of several years has an adverse impact on cost of equity capital. Other studies, however, found no significant effect of adverse § 404 disclosures on the firm’s stock price or cost of capital. In sum, the benefit side of the equation remains unclear.
A. Direct Costs
The SEC initially estimated that compliance with § 404 would annually cost issuers $91,000 on average. A 2005 study by Charles River Associates (“CRA”) of first-year implementation costs for large accelerated filers found they averaged $7.3 million, which SOX’s critics hastened to point out was some eighty times greater than the SEC estimate. The same study found first-year implementation costs for accelerated and non-accelerated filers averaged $1.5 million, which was sixteen times greater than the SEC estimate.
The critics’ disparagement of the SEC’s prognostication skills admittedly was somewhat unfair. The widely quoted $91,000 estimate originated in a cost-benefit analysis conducted by the SEC in adopting rules implementing § 404. The analysis expressly stated that that figure represented the SEC’s estimate of the costs an issuer would incur to comply with the management attestation required by § 404(a). The analysis further expressly stated that the SEC had no basis for estimating the cost of complying with § 404(b)’s auditor evaluation requirement. In contrast, surveys, such as those conducted by CRA, included the costs issuers incurred in complying with both provisions. Critics were thus comparing “apples and oranges.”
Although the criticism to which the SEC was subjected may not have been fully warranted, there is no doubt that the first-year compliance costs were substantial. Covered issuers expended an average of 35,000 staff hours, spent an average of $1.3 million on external consultants and software, and experienced an average increase of $1.5 million in audit fees (a jump of 35 percent). To be sure, a covered issuer’s direct costs of § 404 compliance typically fall over time. Some first-year costs were one-time only expenditures, in addition to which there is a learning curve that leads to cost reductions as the firm’s experience with compliance grows. The extent of the drop in the early post-passage period was the subject of some dispute, however, with a 2007 estimate claiming a 16 percent reduction versus a 2006 estimate claiming that smaller company costs fell 31 percent.
Although individual issuers experience a decline in costs after the first year they are subject to § 404, average ongoing compliance costs have not fallen significantly over the last two decades. According to Protiviti, for example, large accelerated filers had average internal § 404 compliance costs of $1,335,000 in 2016 and $1,338,900 in 2018. Firms with more than two years of compliance experience had average internal compliance costs of $1,183,000 in 2016 and $1,105,300 in 2018. Fifty percent of large accelerated filers reported that their external audit fees went up in 2017 relative to 2016. In 2019, Protiviti reported that the hours and effort level committed to SOX compliance had not decreased significantly in the preceding decade.
Protiviti’s 2022 report found that average § 404 compliance costs had risen, as had the number of personnel hours expended on compliance. Protiviti also reported that external auditors requested greater amounts of SOX-related information in connection with § 404(b) evaluations. The average cost for companies in their first year of §§ 404(a) and 404(b) compliance was $1,477,500. Large accelerated filers had average internal compliance costs of $1,450,800 in 2022. Firms with more than two years of compliance experience had average internal compliance costs of $1,468,300. The percentage of large accelerated filers paying more than $2 million per year rose from 24 to 26 percent, while the percentage paying less than $500,000 fell from 24 to 16 percent. At least some of the increase was due to pandemic-related factors, such as labor shortage and employees working remotely, but it remains striking that twenty years after § 404 was adopted costs continue to rise.
In addition to concern about the absolute costs of complying with § 404, there long has been concern about the relative impact of § 404 on smaller firms. According to the SEC’s own Advisory Committee on Smaller Public Companies, companies with market capitalizations of less than $100 million spent an average of 2.55 percent of total annual revenue on § 404 compliance, while firms with market capitalizations between $100 and $500 million spent on average just 0.53 percent of total annual revenues. As we have seen, the Congress and the SEC responded to the disproportionate impact of § 404 on smaller companies by delaying its application to non-accelerated filers and then permanently exempting them from it, as well as tweaking the rules and auditing standards to reduce the regulatory burden on firms that must comply. According to an SEC survey, most firms reported that those changes reduced their compliance costs by 25 percent or more.
Even so, it remains the case that § 404 compliance costs do not scale well relative to firm size, so that smaller firms still bear a disproportionate burden. In 2021, smaller reporting companies averaged internal § 404 compliance costs of $1,126,000 per year, while large accelerated filers averaged $1,328,300. Issuers with a float of $500 million to $999 million averaged internal compliance costs of $1,061,500, while issuers with a float exceeding $10 billion spent $2,014,100 on average. A ten-fold increase in the size of an issuer’s float thus produces less than a doubling in its § 404(a) compliance cost.
B. Indirect Costs
In addition to the direct costs of complying with § 404, firms incurred a number of indirect costs. Director workload increased, for example, forcing firms to increase director compensation. Audit committees have been especially impacted, on average meeting more than twice as often post-SOX as they did pre-SOX.
As with direct costs, indirect costs are disproportionately borne by smaller public firms. Director compensation at small firms increased from $5.91 paid to non-employee directors on every $1,000 in sales in the pre-SOX period to $9.76 on every $1,000 in sales in the post-SOX period. In contrast, large firms increased non-executive director compensation from 13 cents per $1,000 in sales in the pre-SOX period to 15 cents in the post-SOX period. Companies with annual sales less than $250 million incurred an average of $1.56 million in external resource costs to comply with § 404, while firms with annual sales of $1–2 billion incurred an average of $2.4 million in such costs. Accordingly, while SOX compliance costs do scale, they do so only to a rather limited extent.
C. Overall Costs and Benefits
At many smaller firms, the disproportionately heavy additional costs imposed by § 404 are a significant percentage of their annual revenues. Both the recurring nature and disproportionate impact of these costs was confirmed by a 2010 study of the impact SOX had on the operating profitability of a sample of 1428 firms. Average cash flows declined by 1.3 percent post-SOX. Non-audit costs ranged from $6 million for small firms to $39 million for large firms. These costs were not limited to one-time first-year implementation expenses. Instead, substantial costs and reduced profits recurred throughout the four-year study period. In the aggregate, the sample firms incurred costs of about $75 billion over that period.
But are these costs outweighed by the benefits? An important study by Ge, Koester, and McVay found that firms exempted from § 404(b) saved an aggregate of $388 million in audit fees in the period 2007 to 2014. The authors estimated that almost 10 percent of exempted firms falsely claimed to have effective internal controls. They further estimated that those firms suffered “$719 million in lower operating performance due to non-remediation and $935 million delay in aggregate market value decline due to the failure to disclose ineffective internal controls.” Although their results are highly suggestive, Ge, Koester, and McVay focused on the costs and benefits of exempting firms from § 404(b) rather than § 404’s overall cost-benefit ratio. Their study also fails to account for costs other than audit fees. A different study concluded that § 404(b)’s costs outweigh its benefits when including social costs, such as firms delisting and going dark. Lastly, Ge, Koester, and McVay’s sample excluded exempt firms that voluntarily comply with § 404(b) and firms that are not listed on an exchange, which eliminated almost half of their potential observations. Their study thus did not (and did not purport to) determine whether § 404’s total costs exceed its total benefits. In sum, even accounting for Ge, Koester, and McVay’s results, a recent literature review concluded that the empirical evidence about § 404(b)’s cost-benefit ratio is mixed.
IV. Overall Impact
Immediately after the enactment of SOX, there were widely shared concerns that § 404 was having a substantially deleterious effect on the U.S. capital markets. As the Financial Economists Roundtable (“Roundtable”) observed in 2007, for example, there is “little reason to believe that, even [with the adoption of Auditing Standard No. 5], the benefits of § 404 will exceed the costs.” In particular, the Roundtable and other influential critics believed that § 404 was substantially distorting corporate financing decisions.
Again, § 404’s impact is difficult to disentangle from that of SOX in general. Nevertheless, several major studies of U.S. capital market competitiveness in the post-adoption period concluded that § 404 was a significant drag on those markets. The Bloomberg-Schumer Report cited the “concerns of small companies and non-US issuers regarding the Section 404 compliance costs involved in a US listing.” The Paulson Committee noted that § 404 compliance “costs can be especially significant for smaller companies and foreign companies contemplating entry into the U.S. market.” The Chamber of Commerce argued that:
European, Chinese, and Indian companies that do not list their shares on U.S. markets are not required to comply with Section 404. They can save that money—this year and for every year hereafter—and direct it toward R&D, customer discounts, or a host of other uses that serve to improve their long-term competitiveness and make it that much harder for U.S. companies to compete.
Citing the probability that the costs of compliance would continue to outweigh any benefits thereof, the Roundtable recommended that issuers be allowed to opt out of § 404. Even former Congressman Michael Oxley, for whom the Sarbanes-Oxley Act is named in part, admitted that both he and Senator Sarbanes “would have written it differently” if they had known at the time that § 404 would prove so costly.
A 2010 study supported those concerns, as it attributed the reduction in smaller firms going public after adoption of SOX in part to concerns about the cost of complying with § 404. Conversely, however, although it is true that the number of public firms going private increased substantially after SOX became law, the firms that went dark tended to be smaller and poorer performers than those that remained public. The authors of that study used natural experiments resulting from the various modifications to § 404 to isolate that section’s impact from that of potentially confounding variables. Because the types of firms that went dark as a result of § 404 tend to pose greater risk of financial fraud, it may be the case that there was a net social benefit.
Despite the various reforms intended to reduce the regulatory burden imposed by § 404, there is evidence that it continues to negatively impact some financing decisions. Some studies found that non-accelerated filers use techniques, such as increasing dividend payouts and stock repurchases, to avoid becoming accelerated filers subject to § 404(b). A recent study found that firms frequently avoid becoming subject to § 404(b) by issuing debt rather than common equity and thereby keeping their public float below the threshold at which they would no longer qualify for non-accelerated filer status. This strategy can have adverse consequences for firms opting to minimize their § 404 compliance costs. “Shifting toward debt” leads to “[a]sset substitution and debt overhang problems, loss of flexibility from debt covenant restrictions, and deadweight costs of financial distress.”
Several studies found that the burden of § 404(b) compliance reduced corporate innovation. One reported a significant decrease in the number of patents and patent citations for firms subject to § 404 compliance relative to firms that are not. Another study used the implementation of § 404(b) as the point to look for changes in innovation metrics and financial reporting quality. The authors found a significant reduction in both R&D spending and innovation outputs for young life-cycle firms after becoming subject to § 404(b), but no offsetting improvement in financial reporting quality.
On the other hand, a different study reports that SOX § 404 was not causally linked to a decline in total investment—i.e., capital expenditures plus R&D spending. The authors “compare the behavior of a sample of small firms with a public float that is just above $75 million (the ‘filers’ or ‘treatment group’) in 2002 to the behavior of firms with a public float just below this threshold (the ‘control group’).” Because the former firms had to comply with both subsections of 404 before the latter, an adverse effect from § 404 compliance should show up when investment patterns by the two groups are compared. In fact, counterintuitively, the filer group invested more than the control group in the period 2002–05.
Reviewing the empirical evidence on SOX § 404’s costs and benefits calls to mind Harry Truman’s wish for a one-handed economist. There is evidence on both sides of the debate about the statute’s merits. But there are so many potential confounding factors that all of the evidence must be viewed with a degree of skepticism. Nonetheless, a few conclusions can be drawn.
With the benefit of hindsight, it seems clear that Congress, in 2002, had no idea what it would cost companies to comply with § 404. The SEC had an estimate of what § 404(a) compliance would cost but had no idea what § 404(b) compliance would cost. Sticker shock seems the right description of the reaction once those costs became clear.
Section 404 compliance costs were substantial from the outset. Those costs were disproportionately borne by smaller firms. Section 404 compliance costs remain high and show no signs of dropping over time. It remains the case that those costs are disproportionately borne by smaller firms.
As far as achieving its main goal of reducing material weaknesses in ICFR, § 404 cannot be deemed a success. Both adverse managerial reports and auditor attestations actually rose prior to 2014 and have dropped only slightly in the subsequent period. Problems with firms failing to remediate persistent material weaknesses remain a source of concern.
For proponents of the humble-regulation approach to federal securities law, § 404 at age twenty nevertheless is something of a mixed bag. On the one hand, the unexpectedly high costs and their persistence argue in favor of congressional caution in responding to market crises, as does the ambiguity of evidence of lasting benefits. On the other hand, the success of § 404’s critics in obtaining not insignificant relief from both Congress and the SEC suggests that the ratchet effect is not as powerful as some—including the present author—may have believed. It turns out that resistance is not always futile.