The Business Lawyer

Summer 2023 | Volume 78, Issue 3

Sarbanes-Oxley Section 404 and Its Administrative Legacy

Yoon-Ho Alex Lee


The passage of the Sarbanes-Oxley Act of 2002 was a watershed moment in U.S. financial history, and Section 404—which requires management assessment and auditor attestation of internal controls over financial reporting—is the most contested and expensive provision. This article reviews the administrative history of Section 404—namely, the experience of the U.S. Securities and Exchange Commission (“SEC”) in implementing Section 404. Twenty years ago, when the SEC set out to implement Section 404 provisions as rules, the agency confronted a number of administrative questions of first impression, many of which were not fully appreciated until they surfaced again in subsequent statutes, such as the Dodd-Frank Act of 2010 and the JOBS Act of 2012. But it was the Sarbanes-Oxley Act—and Section 404 in particular—that really forced the agency to deliberate on thorny issues and prepared it for more storms to come. In this sense, Section 404 left behind an indelible administrative legacy and the SEC has become far more seasoned in dealing with mandated rulemakings, proceeding cautiously within its given parameters, considering costs and benefits of its rules and regulations, and understanding the dynamics of the notice-and-comment rulemaking process.


The passage of the Sarbanes-Oxley Act of 2002 was a watershed moment in U.S. financial history, and Section 404—which requires management assessment and auditor attestation of internal controls over financial reporting—is the most contested and expensive provision within the Act. Since the passage of the Act, an army of academic scholars have studied the various economic effects of Section 404, relying on sophisticated event study designs. Thanks to these studies, we now know a great deal about Section 404, even though scholars continue to debate the provision’s overall welfare implications.

Less well-known, however, is the administrative history of Section 404—namely, the experience of the U.S. Securities and Exchange Commission (“SEC”) in implementing Section 404. Twenty years ago, when the SEC set out to implement Section 404 provisions as rules, the agency confronted a number of administrative questions of first impression. The variety of issues the SEC had to wrestle with presaged larger administrative issues the agency addressed in the trailing decades. In fact, many of the challenges and the conundrums presented by Section 404 rules were not fully appreciated until those issues surfaced again in subsequent statutes, such as the Dodd-Frank Act of 2010 and the JOBS Act of 2012. But it was the Sarbanes-Oxley Act—and Section 404 in particular—that really forced the agency to deliberate on thorny issues and prepared it for more storms to come. In this sense, Section 404 left behind an indelible administrative legacy for the SEC. The SEC has become far more seasoned in dealing with mandated rulemakings, proceeding cautiously within its given parameters, considering costs and benefits of its rules and regulations, and understanding the dynamics of the notice-and-comment rulemaking process.

This article—prepared for the Sarbanes-Oxley at 20 Conference—reviews the SEC’s administrative history of implementing Section 404 and highlights these larger administrative questions. In so doing, the article discusses how the agency learned from its early challenges. Part I reviews several practical implications for the SEC, given that Section 404 was a legislative mandate, rather than a grant of discretionary rulemaking authority. Part II considers the SEC’s role in considering the costs and benefits of Section 404 and related provisions. Part III discusses the SEC’s initiative to conduct a retrospective review of Section 404 in 2007. Part IV concludes.

I. Section 404 as a Legislative Mandate

A. Crisis-Driven Legislation

The Sarbanes-Oxley Act was not enacted in a vacuum. It was a direct response by Congress in the wake of major corporate and accounting scandals, including those involving Enron and WorldCom. Investors were quickly losing confidence in the U.S. financial markets, and the members of Congress felt pressured to act fast.

Professor Roberta Romano, an early critic of the Act, has written at length about financial regulation and made the following observation: “[F]inancial firms operate in a dynamic environment in which there are many unknowns and unknowables,” and as such, “even the most informed regulatory response … will be prone to error, and is likely to produce backward-looking regulation that takes aim at yesterday’s perceived problem, rather than tomorrow’s.” She forcefully argued that Congress should “include … in such legislation and regulation, sunset provisions requiring subsequent review …, along with regulatory exemptive or waiver powers that create flexibility in implementation and encourage … small-scale, discrete experimentation to better inform and calibrate the regulatory apparatus.” In a similar spirit, Professor Larry E. Ribstein argued that “it may be appropriate to follow a middle course of what might be called ‘humble’ regulation.”

With the Sarbanes-Oxley Act, Congress took none of those approaches. Instead, it left the difficult job of implementing the rules and regulations to the SEC. The agency found itself having to implement a statutory provision that might not have been fully thought through and one that it could not repeal or revise.

B. Discretionary Rulemaking Versus Mandated Rulemaking

It may be useful to step back and consider the SEC’s traditional rulemaking practice. The SEC is a powerful independent regulatory agency. Its primary organic statutes—the Securities Act of 1933, the Securities Exchange Act of 1934, the Investment Advisers Act of 1940, and the Investment Company Act of 1940—grant the agency significant authority to prescribe rules as “necessary or appropriate in the public interest or for the protection of investors.” As a result, when the agency sees a need for an investor protection rule, it can adopt one based on its discretion as long as it acts within the scope of its statutory authority. This is called a discretionary rulemaking.

Typically, such a rule would go through the notice-and-comment rulemaking process under Section 553 of the Administrative Procedure Act (“APA”). The agency would issue a notice of proposed rulemaking, open a comment period, allow any interested party to submit a comment on its notice, and (perhaps) adopt a final rule based on the agency’s judgment and the comments received. An important benefit of this process is that the agency has a significant learning opportunity. For example, the agency may propose one rule based on its initial understanding of the relevant market failure, but after the comment period, it may choose to adopt a modified rule that is better suited to address the problem. Alternatively, the agency may choose not to adopt any rule.

Section 404 of the Sarbanes-Oxley Act, however, was a different species. Congress did not grant any new authority to the SEC; instead, it directed the SEC to prescribe specific rules. The original text reads as follows:


(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report … to contain an internal control report, which shall—(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment … of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer … .

As the text indicates, Congress effectively spelled out the substance of the requirements—Section 404(a) (management assessment) and Section 404(b) (independent auditor attestation)—and ordered the agency to adopt rules specifically to implement them. This was therefore a mandated rulemaking. (Note the subtle difference between the language of Section 404(a) and Section 404(b): Section 404(a) plainly mandated rulemaking by the SEC, whereas Section 404(b) arguably reads as a direct statutory requirement on issuers. We will return to this difference in Section II.C.)

To clarify, there is no question that, even without the Sarbanes-Oxley Act, the SEC already had the authority to discretionarily adopt the rules imposed by Section 404. These requirements—assessment and attestation—would fall squarely within the SEC’s traditional disclosure regulation regime. Thus, Congress required the SEC to do what it could have done on its own. The difference, however, was that, given the mandate, the agency’s hands were tied.

From this perspective, the Sarbanes-Oxley Act was a historical anomaly. Until 2002, Congress rarely (if ever) required the SEC to adopt specific rules. The provisions of the agency’s organic statutes could themselves be specific or broad. Statutory provisions could also directly impose specific requirements on issuers. But statutory provisions requiring the SEC to adopt such specific requirements were unprecedented.

By the time we get to the Dodd-Frank Act of 2010, however, mandated rulemaking would become the new norm. The Dodd-Frank Act—itself a response to a crisis—is filled with nearly a hundred mandated rulemakings and more than twenty mandated studies, which would keep the SEC busy for the next five years. Likewise, the JOBS Act of 2012 contained very specific mandates for rulemaking. The upshot of all this is that the Sarbanes-Oxley Act marked the beginning of a new era—an era of a more hands-on Congress with respect to the SEC.

C. Parameters of Discretion

An agency tasked with a mandated rulemaking still needs to go through the notice-and-comment rulemaking process. But at this point, the agency faces several immediate questions. First, what are the parameters of discretion for the agency? To what extent can the SEC be sued for being too lenient or too strict? And if there are areas in which the agency can exercise discretion, what should be the agency’s goal? To be most economical? To implement congressional intent most rigorously? These are not theoretical questions. On the one hand, in adopting a mandated rule, the agency may be sympathetic to various concerns raised by commenters. On the other hand, a potential litigant may argue that the agency’s adopted rule is inconsistent with the statutory mandate. The SEC eventually found two relatively uncontroversial—but highly impactful—parameters of discretion within the mandated rulemaking provisions of Section 404.

1. Compliance Deadlines

The first was extending compliance deadlines for smaller issuers (non-accelerated filers). In its first Section 404 rule adopted in 2003 (the “2003 Section 404 Rule Release”), the SEC delayed compliance with Section 404(b) by non-accelerated filers for about ten months. This caused little controversy given the prevalent concern that smaller companies would be disproportionately affected by the compliance costs. In fact, the SEC would go on to grant seven more extensions until 2010, at which point Congress permanently exempted non-accelerated filers from Section 404(b). All told, the SEC delayed requiring non-accelerated issuers to comply with Section 404(b) for eight years after the statute was first passed.

It is unlikely that the SEC could have permanently exempted non-accelerated filers from Section 404(b) on its own—i.e., without an act of Congress. Such a large-scale exemption to a statutory mandate arguably was beyond the agency’s authority. There is at least some account that the SEC’s cautious approach to implementing Section 404(b) (together with its retrospective review of Section 404 compliance in 2009) was motivated by the discussions surrounding Section 404(b) implementation, including those with the members of Congress.

2. Interpretive Release

The other significant way in which the SEC exercised its discretion was issuing an interpretive release. In 2007, the agency published an interpretive release to provide guidance for management regarding its evaluation and assessment of internal control over financial reporting. This came to be known as the “2007 reforms.” In the release, the SEC set forth a top-down, risk-based approach to evaluating internal control over financial reporting. Importantly, the release clarified what steps management need not necessarily take in completing its own assessment. The SEC also assured that “[a]n evaluation that complies with this interpretive guidance is one way to satisfy the evaluation requirements of [Section 404 rules].”

Issuing a guidance document as an interpretive release was a safe route because the agency did not need to adopt any new rule with the force of law. Rather, the agency merely offered its own interpretation of the requirements of the management assessment mandated by Section 404(a). Because Congress did not define the term “assessment,” the agency could provide an expedient interpretation of management assessment that served the purpose of Section 404(a) without imposing unnecessary costs or burdens. Overall, the guidance document was considered a success. The SEC’s then–Office of Economic Analysis (“OEA”) published a study in 2009 (the “2009 Study”), which documented “an economically and statistically significant reduction in Section 404 compliance costs following the 2007 reforms.”

II. Section 404 and Cost-Benefit Analysis

A. Economic Analysis of Mandated Rulemaking

Suppose an agency tasked with adopting a mandated rule is also expected to conduct a cost-benefit analysis. (We will return to the SEC’s specific statutory requirements in Section II.B.) What should the agency consider as costs and benefits of the rule it is adopting?

At first blush, there is the obvious answer: The agency should consider the aggregate costs and benefits of putting the rule into effect—as compared to the world in which no such rule is in effect. That consideration would certainly be the most informative and exhaustive analysis. Such analysis would reveal the costs of the regulation and whether they were justified by its benefits.

But cost-benefit analysis is a policy instrument used to evaluate and justify an agency’s administrative actions. Requiring an agency to consider the costs and benefits of its rules ensures that the agency is mindful of efficiency considerations of its own actions. Under this view of cost-benefit analysis, it may be inappropriate for the SEC to analyze aggregate costs and benefits of a rule that Congress has already decided should be a law. Instead, an alternative approach holds that analysis of relevant costs and benefits should only pertain to the agency’s discretionary parameters. In other words, the more appropriate inquiry may be: What are the benefits and costs of the agency’s choice of discretionary elements, given the mandate? As a third approach, one might argue that the proper analysis in the case of a congressional mandate is not a cost-benefit analysis but a cost-effectiveness analysis. The difference between a cost-benefit analysis and a cost-effectiveness analysis is that the latter does away with a benefit analysis. A cost-effectiveness analysis takes the target or the objective of the regulation as a given and considers only whether the agency has structured its rule in the most cost-effective manner to achieve the stated objective.

Recall that, when Congress passes a statute, it seldom analyzes the costs and benefits of its own action. A statute is enacted not because Congress determined that its benefits will outweigh its costs under a rigorous cost-benefit analysis, but because there are enough votes in the House and the Senate to support its passage. Thus, if Congress’s mandate was an inherently costly endeavor—but nonetheless supported by a majority—the implementing agency would be put in an awkward situation in terms of its own cost-benefit analysis.

Implementing Section 404 only hinted at such difficult considerations. Eventually, with the Dodd-Frank Act, the SEC would be given even more controversial and costly mandates. One prominent example is the Conflict Minerals provision, which directed the SEC to promulgate a rule “requiring issuers … to disclose … whether any of [their] conflict minerals originated in the Democratic Republic of the Congo or an adjoining country.” The statutory provision had nothing to do with investor protection. It was an attempt to address international human rights violations and save lives. The problem was that the Conflict Minerals rules were expected to involve staggering costs: The SEC estimated the initial cost of compliance to be approximately $3 billion to $4 billion and the annual ongoing cost to be between $207 million and $609 million. Even setting aside these high costs, critics questioned why Congress should task an investor advocacy agency with saving lives in a foreign country.

By the time the SEC adopted these rules, the agency, however, knew how to communicate its conundrum of being stuck between a rock and a hard place. The economic analysis for the Conflict Minerals rules includes the following statement: “Many of the economic effects of the rule stem from the statutory mandate, and the discussion below addresses the costs and benefits resulting from both the statute and from our exercise of discretion … .” The analysis even goes on to state: “The statute … aims to achieve compelling social benefits, which … are … quite different from the economic or investor protection benefits that our rules ordinarily strive to achieve. We also note that these objectives … do not appear to be those that will necessarily generate measurable, direct economic benefits to investors or issuers.”

The rules would eventually be struck down by the D.C. Circuit on the ground of violating the First Amendment. The consolation prize was that the court otherwise spoke highly of the agency’s economic analysis.

B. Efficiency Considerations in SEC Rulemaking

There is no formal statutory requirement that specifically requires the SEC to analyze “costs” and “benefits” of its rules and regulation. As an independent agency, the SEC is also not subject to Executive Order 12,866, which requires all executive agencies to assess costs and benefits of all of their major regulations. As such, the SEC does not need to follow the methodology of cost-benefit analysis offered by Circular A-4, which was published by the Office of Information and Regulatory Affairs (“OIRA”). Instead, the only relevant statutory requirement is that the agency must (merely) “consider” the effects of its rules on “efficiency, competition, and capital formation.” In particular, the statutory text neither requires the agency to quantify costs and benefits of its rules nor prohibits the agency from proceeding with a rule even if inefficient.

Notwithstanding the absence of any explicit requirement, the SEC voluntarily began including qualitative discussions on costs and benefits of its rules starting in the 1970s. Even so, as of the time of the Sarbanes-Oxley Act, the widely accepted wisdom was that it was not possible to do a meaningful (ex ante) cost-benefit analysis of financial regulation. As Professor Romano observed, “financial firms operate in a dynamic environment in which there are many unknowns and unknowables.” Scholars subsequently echoed this concern. Professor John C. Coates IV argued that “finance is … characterized by non-stationary relationships that exhibit secular change” and “the main units of variation and change … are … groups of people [who] … interact[] with others in non-linear, unpredictable ways.” Likewise, Professor Jeffrey N. Gordon wrote that cost-benefit analysis “will be a non-informative, even anti-informative, guide to the fashioning of nontrivial rules of financial regulation … because such rules will create a new financial system and thus change the assumptions on the basis of which the purported cost and benefits were calculated.”

If these observations are correct, it follows that any attempt to conduct a cost-benefit analysis of a financial regulation must begin with a prodigious number of heroic assumptions, none of which may prove to be true, despite how plausible they may seem initially. Indeed, the economic value of a given financial regulation may be best conceptualized as a random variable in probability, and the agency’s ex ante assessment should be thought of as determining the variable’s mean. It certainly conveys some information about the random variable, but if the variable comes with a high variance, the mean will bear no meaningful relation to any realized value.

Among legal academics, the debate over the feasibility of cost-benefit analysis of financial regulation took center stage after the SEC’s failed “proxy access” rule in 2010, and to date, no side has emerged victorious. Nevertheless, when firms began complying with Section 404, the sheer magnitude of compliance costs, together with claims that many firms chose to go private to avoid these costs, alarmed industry participants and policymakers, such that they naturally began questioning whether the “benefits” of complying with Section 404 could justify its compliance costs, especially for smaller firms.

For this reason, another important legacy of Section 404 is that, for better or worse, it started the trend of thinking more rigorously about costs and benefits of financial regulation. This trend would take off quite quickly and would open the door for litigation on the costs and benefits of SEC rules. Just a few years after Section 404 was implemented, the SEC faced a series of lawsuits over the adequacy of the SEC’s economic analysis/cost-benefit analysis. Between 2005 and 2011, interest groups challenged various SEC rules and prevailed on the ground that the rules’ economic analyses were inadequate. The SEC was challenged and defeated in four straight cases, culminating with Business Roundtable v. SEC.

Eventually, in 2012, the SEC’s Office of the General Counsel, together with the Division of Risk, Strategy, and Financial Innovation, responded by publishing a guidance document (“Guidance on Economic Analysis”) to interpret its statutory requirement and its approach to cost-benefit analysis. For the SEC, this guidance document has become the equivalent of the OIRA’s Circular A-4. Today, the agency’s rules come with hundreds of pages of economic analysis, including consideration of costs, benefits, and the effects of its rules on efficiency, competition, and capital formation. Since the publication of the guidance document, the SEC has not faced any serious challenges on the ground of faulty economic analysis.

Whether or not a formal cost-benefit analysis of financial regulation is possible, what is clear is that the agency has taken its duty of analyzing the economic consequences of its rules far more seriously since the time of the Sarbanes-Oxley Act. From this perspective, it would not be an exaggeration to say that the Sarbanes-Oxley Act triggered an era of cost-benefit analysis of financial regulation.

C. Paperwork Burden Estimates Versus Compliance Costs

One story that is repeated countless times in the lore of Section 404 is that, at the time the SEC adopted the rules, the agency estimated Section 404 compliance costs to be approximately $91,000 per firm. This number was heavily criticized by many as grossly underestimating the true costs associated with Section 404. Critics of the SEC would routinely cite this number as evidence that the SEC had no idea just how costly complying with Section 404 was.

Despite the notoriety this figure has gained, few scholars seem to have actually examined the SEC’s basis for arriving at this figure. Several things are worth noting here. First, in arriving at $91,000, the SEC never purported to include Section 404(b) costs—the far more expensive provision. Thus, the $91,000 pertains only to Section 404(a) costs. The 2003 Section 404 Rule Release actually stresses this point in three separate places. Nevertheless, most scholars who criticized this figure seem to have missed this point, as they routinely compared this number to the actual audit fees (which pertain exclusively to Section 404(b) compliance).

Second, it is not even clear if the SEC ever intended to capture all of Section 404(a) compliance costs with this figure (although one could certainly get that sense from reading the cost discussion). The reason is that the $91,000 estimate was prepared solely for the purposes of assessing the paperwork burden hours associated with Section 404(a).

To understand the significance of this estimate and its inclusion in the 2003 Section 404 Rule Release, one has to understand the requirements of the Paperwork Reduction Act of 1995 (“PRA”). Congress enacted the PRA in 1980 (and amended it in 1995) with an express intent of reducing the amount of paperwork burden the federal government imposes on private businesses and citizens. From the outset, the PRA was not focused on the efficiency of administrative actions or even overall regulatory costs. It was primarily concerned with making sure that each agency is mindful of the hourly burdens imposed when collecting information from the public (including citizens and businesses). For this reason, when an agency proposes a rule that imposes paperwork burdens on any entity (including individual income tax returns), as a housekeeping matter, it must include its estimate of paperwork burden hours and costs in the rule proposal, collect public evaluations and comments regarding its initial estimates, and submit any revised estimates to the OMB for approval. Importantly, an agency may not enforce the collection of information unless it checks all the boxes. The rulemaking agency also must file updated paperwork burden estimates every three years.

Put differently, even if the SEC had no statutory requirement to consider the economic effects of its rules, it would still have to include PRA cost estimates for the purpose of getting OMB approval. It is noteworthy that the PRA does not provide any cause of action against the agency on the ground that the agency made errors on its estimate. Instead, the OMB serves as a check on the agency’s proposed collection of information because, if the OMB does not approve the agency’s submission, the agency is unable to enforce the regulation.

What types of costs, then, would not be included in the SEC’s paperwork burden estimate? Given that the SEC calculated the paperwork burdens by estimating hourly burdens of preparing paperwork multiplied by wage estimates, the SEC did not estimate non-labor costs, which would include travel, lodging, and meals, as well as the price of any equipment, software, hardware, or other supplies.

But that’s not all. Long before it adopted Section 404, Congress, in 1977, enacted Section 13(b)(2) of the Exchange Act. In the 2003 Section 404 Rule Release, the SEC clarified in a number of places that its definition of “internal control over financial reporting” (“ICFR”) is “consistent with the description of internal accounting controls in Exchange Act Section 13(b)(2)(B).” The Release also compared the requirements of Section 404 with those of Section 13(b)(2) by citing the Commission’s interpretive release from 1981:

We have previously stated, as a matter of policy, that under Section 13(b)(2) “every public company needs to establish and maintain records of sufficient accuracy to meet adequately four interrelated objectives: appropriate reflection of corporate transactions and the disposition of assets; effective administration of other facets of the issuer’s internal control system; preparation of its financial statements in accordance with generally accepted accounting principles; and proper auditing.”

In other words, under the SEC’s interpretation, the requirement for issuers to maintain effective ICFR was already in place. The OEA’s 2009 Study states this point more explicitly: “Section 13(b)(2) of the Exchange Act requires companies to maintain effective ICFR, while Section 404 requires management to report on the effectiveness of ICFR.”

Given the agency’s interpretation of Section 13(b)(2) in the 2003 Section 404 Rule Release, one conclusion is that any cost associated with maintaining effective ICFR, however costly, should not be attributed to Section 404, as it should count as the cost of complying with Section 13(b)(2). Accordingly, the cost of complying with Section 404(a) should only include the cost of reporting on the effectiveness of ICFR—conditional on any regulated firms having already established plans and procedures to maintain effective ICFR. Once again, the 2009 Study reiterates this point: “From this perspective, Section 404 cost estimates that include the ICFR maintenance expenses overestimate the cost of compliance with Section 404—by including more than just the cost of reviewing ICFR and preparing the mandated disclosures.”

The SEC’s PRA estimate, then, should be understood on its own terms. It is the estimated hourly-burden cost of complying with Section 404(a) for the purpose of reporting on the effectiveness of ICFR, above and beyond the cost of maintaining effective ICFR and not including any non-labor costs. To the best of the author’s knowledge, no study criticizing the SEC’s estimate has ever tried to assess this value independently.

None of this is intended to suggest there is any intrinsic value to calculating $91,000 from the industry’s perspective. Indeed, $91,000 is admittedly a useless figure in just about every aspect except one: Unless the SEC received OMB approval after including the PRA estimates in the Rule Release, it would not have been able to enforce its Section 404 rules. Why then did the SEC not have to include the PRA estimates for Section 404(b)? On this point, the Release states as follows:

Our PRA estimates do not include any additional burdens or costs that a company will incur as a result of having to obtain an auditor’s attestation report on management’s internal control report because the [Public Company Accounting Oversight Board], rather than the [SEC], is responsible for establishing the attestation standards and the Sarbanes-Oxley Act itself requires companies to obtain such an attestation.

The SEC’s argument is not unreasonable. Recall that there is a slight difference between Section 404(a)’s language and Section 404(b)’s language: The former plainly mandated rulemaking by the SEC, while the latter is arguably a direct statutory requirement on issuers. Thus, the SEC appears to be reasoning as follows: Although management assessment is a burden requirement that stems from the SEC’s own rule (even though the agency was required to adopt the rule), the attestation requirement was directly imposed by Congress. In other words, the agency did not impose any paperwork burden under Section 404(b), only Congress and the PCAOB did so. Accordingly, the agency was not required to calculate PRA burden estimates in order to enforce Section 404(b).

A few observations. First, the SEC’s position on this point is consistent with its position for not including the cost of complying with Section 13(b)(2) when calculating the compliance costs for Section 404(a). Second, this nuanced division is a preview of the critical distinction between statutorily mandated component costs and discretionary component costs that the agency would come to emphasize in later years. The take-away here is that the context in which these figures are provided should matter, even if the figures are ultimately not the most important ones from the perspective of industry or the general public.

At any rate, the SEC seems to have learned its lesson that including the PRA estimate as the only quantified value in the discussion of compliance costs can be misleading. The agency has since made a few adjustments. First, the agency’s Guidance on Economic Analysis makes the following point:

[PRA] burdens do not necessarily characterize all compliance costs and in most cases, they are only one of many possible inputs, both qualitatively and quantitatively, into the overall analysis of costs. With most rules, the cost estimate that results from multiplying PRA burden-hours by hourly wage rates is not substitutable for the broader analysis of a rule’s likely economic consequences contained in the release’s economic analysis.

Second, the SEC’s more recent rules explicitly distinguish between paperwork-burden components and non-paperwork-burden components of compliance costs, and when possible, the SEC has also given numerical estimates of the non-paperwork-burden components of compliance costs. Third, the Guidance on Economic Analysis also emphasized the importance of specifying the economic and regulatory baseline in considering costs and benefits.

Were the SEC to conduct an economic analysis of Section 404 today, its analysis would likely look different in a number of ways. First, it would likely make clear that compliance costs were estimated against the baseline of presumed compliance with Section 13(b)(2) and thus would not include the issuers’ costs of maintaining effective ICFR as part of the compliance cost attributable to Section 404. Second, it would likely also distinguish between PRA costs and non-PRA costs when estimating the cost of compliance with Section 404. Finally, the SEC would likely identify separately the cost of complying with Section 13(b)(2) as a possible economic cost of Section 404, with a caveat that this figure would apply only to the extent issuers were not already in compliance with Section 13(b)(2). Notwithstanding all of these differences, it is unclear whether the agency’s PRA estimate for Section 404(a), if calculated today, should look much different from $91,000 (save for an inflation adjustment).

D. Compliance Costs Versus Economic Costs

Even if we take PRA requirements out of the equation and consider only a cost-benefit analysis, a whole new question emerges when an agency that was primarily tasked with regulating capital markets through mandated disclosures suddenly seeks to consider aggregate costs and benefits of its rules and regulations: What is the relationship between issuers’ compliance costs and overall economic costs?

The relationship between the two is somewhat complicated. First, economic costs of a rule can include components other than compliance costs, such as deadweight losses, indirect costs, and other opportunity costs. The SEC acknowledged this distinction in the 2003 Section 404 Rule Release:

The PRA burden estimate, however, excludes several costs attributable to Section 404. The estimate does not include the costs associated with the auditor’s attestation report … . It also excludes estimates of likely “indirect” costs of the final rules. For instance, the final rules increase the cost of being a public company; therefore the final rules may discourage some companies from seeking capital from the public markets. Moreover, the final rules may also discourage non-U.S. firms from seeking capital in the United States.

From this perspective, compliance costs can be under-inclusive. On the other hand, less obvious is the fact that, in some instances, not all compliance costs should properly count as part of economic costs.

Consider, for example, the following scenario. If Section 404(b) were a lucrative profit-generating arrangement for audit firms, should all compliance costs paid by issuers in the form of audit fees be considered economic costs? Indeed, as Professor Romano noted, “accounting firms have … been principal financial beneficiaries of section 404” and they had an incentive to “maintain[] a lucrative revenue stream from internal control audits.” Should the SEC account for such unexpected “benefits” for the accounting firms under its cost-benefit analysis? Under traditional welfare economics, the answer would depend on whether audit firms exercised market power and thus earned rent on their service fees.

An analogy might be helpful. Consider the following. Suppose Rule A simply requires Michael to give $2 to Steve. In this case, there is no economic cost, just a transfer of $2. What is a loss to Michael is a gain to Steve, and society is neither richer nor poorer. Suppose Rule B requires Michael to purchase a box of apples for $10 and consume them. Then as long as the market for apples is perfectly competitive, this is an economic cost of $10 to society. If Steve sells apples, then Michael will pay $10 to Steve (and reap the benefits of consuming apples), and Steve will collect $10 but give up a box of apples, which should cost $10. Finally, suppose Rule C requires Michael to purchase a box of pears and consume them. Suppose, however, that Steve is a monopolist in the market for pears and can charge $12 for pears that cost him only $10 to produce. The effect of Rule C is similar to a combination of Rule A and Rule B: Rule C costs Steve $10, but the rule effectively requires Michael to pay Steve $12 because of Steve’s market power. In this case, the economic cost of Rule C is $10, not $12.

It follows that, when compliance with an SEC rule requires use of entities that exercise market power, there are at least two different economic effects. First, there will be a shift in the demand for such services. Second, at least a portion of the compliance costs will be transfers, not economic costs. The SEC’s Guidance on Economic Analysis recognized that a portion of compliance costs may be transfers. This approach of accounting for transfers is consistent with the approach of OIRA’s Circular A-4, which applies to executive agencies’ cost-benefit analysis.

Accounting for transfers does not, however, imply that the magnitudes of total compliance costs do not have significant economic implications on their own. Compliance costs and their magnitudes ought to be recognized as such for at least two reasons. First, insofar as firms are expected to bear the total compliance costs, their magnitudes can impact firms’ behavior, including, possibly, their decisions to exit the market. Second, if one views equity investors as owning the firm, then any compliance cost borne by the firm will ultimately be borne by the equity investors, affecting their economic welfare (which should matter to the SEC).

Nevertheless, from the perspective of aggregate welfare, a distinction ought to be made between transfers and economic costs. Properly accounting for transfers is important in policymaking because the existence of transfers could suggest rent-seeking behavior. In the case of Section 404(b), the fact that accounting firms may have earned profits through their audit activities suggests that certain provisions of the Sarbanes-Oxley Act may have been the result of extensive lobbying by audit firms. Naturally, “when Congress … sought to exempt smaller companies from Section 404(b), … audit groups lobbied ‘against’ such exemption.”

Another implication of distinguishing between compliance costs and economic costs is that event studies (based on market reactions to a rule announcement) can be poor approximations of the rule’s net economic benefits, even if the market correctly prices firm values. Because event studies measure stock prices, which in turn indicate the shareholders’ economic welfare, they will not capture economic effects that are external to the firms. The foregoing analysis, however, indicates that, when other stakeholders are involved, the analysis of aggregate costs and benefits of a rule cannot be confined to comparing the rule’s benefits to investors against issuers’ compliance costs. This is not to suggest that event studies should not be used to inform the SEC in its rulemaking activities. Rather, it suggests that, to the extent event studies are used, the agency should also be mindful of economic effects that may not be captured by those studies.

III. Section 404 and Retrospective Review

A. Collection of Compliance Data

Due to the ongoing concern over Section 404 compliance costs, the future of Section 404(b) for smaller issuers was uncertain as of 2007. The statute remained in place, but opposition from the corporate community also remained strong. Near the end of 2007, then-Chairman Chris Cox announced to Congress that he had tasked the OEA with conducting a study based on a large-scale survey of CEOs, CFOs, or compliance officers. Although the OEA had routinely published white papers to guide SEC rulemaking, the proposed study was unusual in that the Chairman made a public commitment to its completion.

By this time, many larger firms had been complying with Section 404 rules for several years. One might therefore have thought that it would have been straightforward for the OEA to study the compliance experience of these larger firms. But that was not the case. The agency was limited because it had no immediate access to these firms’ compliance data. More generally, the SEC has no ready access to any data that its regulated entities possess except for information that is subject to specific disclosure requirements. But when it comes to the SEC’s own disclosure rules, the agency tends to limit required disclosures to information that investors would find useful for investment decisions. In other words, the agency—being mindful of disclosure burdens—does not usually extend disclosure requirements to compliance data that the agency itself would find useful for future policymaking purposes.

To be sure, there are statutory recordkeeping requirements. For example, Section 13(b)(2) of the Exchange Act requires all public companies to “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer.” But such records are not required to be submitted to the SEC. Only when an issuer comes under investigation does the agency gain access to such records. But the SEC cannot access aggregate industry-wide data through this method without investigating the entire industry.

One may still ask whether the agency could try to collect compliance data expeditiously on a voluntary basis. The answer is still no. Here we are back to the PRA: An agency is not permitted to freely collect data, even through voluntary surveys, unless the sample is limited to nine or fewer individuals/entities. In most cases, if an agency wants to move quickly, it will survey at most nine entities as a matter of convenience and proceed based on the responses collected. But a data set limited to nine cannot be representative of an entire industry’s experience. If an agency needs data from more than nine entities, it must submit a formal request to OMB, which will then institute a review process that typically lasts from six to nine months (although it can also take longer). This is one of the reasons why the SEC’s commitment to conduct a study based on a large-scale survey was a big deal—it was going to be a long-term project requiring substantial resources and staff time.

B. The Office of Economic Analysis’s 2009 Study

Table 1 below describes the timeline behind the 2009 Study:

Table 1. The Timeline of the OEA’s 2009 Study

Period | Event
December 2007 | Chairman Cox announces the plan for the study before Congress.
June 2008 | The SEC obtains OMB approval to proceed with data collection.
May 2008 to September 2008 | The SEC issues a request for quote and selects a contractor to help with the survey project.
October 2008 and November 2008 | The OEA prepares survey questions and conducts “three rounds of cognitive interviews—both in-person and over the phone—… to obtain an initial assessment of the effectiveness of the survey instrument in eliciting the information it was designed to gather.”
December 2008 to January 2009 | The OEA launches the web survey, which remains open for almost two months. Eventually, the OEA collects responses and data from 2,907 companies (out of the universe of 8,215 companies).
September 2009 | The OEA publishes the 2009 Study.

At the time Chairman Cox delivered his testimony, he stated that, “We anticipate that the study and analysis of the results will be completed no earlier than June 2008.” It was unclear from his testimony how soon Chairman Cox expected the study to be completed. The OMB approval for information collection was not issued until June of 2008. As Table 1 indicates, the entire process took twenty-one months from Chairman Cox’s announcement in December of 2007 to the OEA’s publication of the study in September of 2009. Along the way, the SEC hired a contractor to assist “in designing, administering and compiling response data from a web-based survey of public companies.” Before the survey was launched, the OEA engaged in extensive testing of the survey instrument through in-person and phone interviews. The survey stayed open for almost two months in order to encourage a high level of participation from respondents. Given the number of steps involved, it is unlikely that the OEA could have completed the study significantly sooner. Administratively, the SEC’s commitment to conduct this study provided a reasonable basis to extend the Section 404(b) compliance deadline for smaller issuers while the Study was pending.

The 2009 Study confirmed many of the existing perceptions regarding Section 404 compliance. Its main findings were summarized as follows:

The general conclusion … is that compliance costs vary with company size (increasing with size), compliance history (decreasing with increased compliance experience), and compliance regime (lower after the 2007 reforms). Larger companies tend to incur higher compliance costs in dollar terms (“absolute cost”), while smaller companies report higher costs as a fraction of asset value (“scaled cost”). The evidence suggests that companies bear some fixed start-up costs of compliance that are not scalable. Some of these costs are recurring fixed costs, while others are one-time start-up costs borne in the first years of compliance that tend to dissipate over time. For companies complying with both parts of Section 404, the cost of complying with Section 404(b) is reportedly similar to the incremental cost of complying with Section 404(a) alone.

The 2009 Study also reported that “[t]he majority of respondents [who completed the optional section of the survey] perceive the trade-off [between benefits and costs] to be negative to varying degrees,” and “[t]his perceived trade-off is more favorable among larger companies and, independently of size, improved following the 2007 reforms.” Finally, the 2009 Study also discussed the perceived benefits of Section 404:

[T]he characteristics that are most widely reported benefiting from Section 404 compliance [include]: the quality of the respondent company’s internal control structure (73 percent), the audit committee’s confidence in the company’s ICFR (71 percent), the quality of the company’s financial reporting (49 percent), the company’s ability to prevent and detect fraud (48 percent), and the respondent’s confidence in the financial reports of other companies complying with Section 404 (40 percent) … .

The main value of the study—in comparison to other Section 404 compliance surveys that were conducted by trade groups—was that its findings were supported by responses from nearly 3,000 companies of all sizes. In addition, a clever component of the 2009 Study was a method the OEA introduced to test for self-selection bias (i.e., non-response bias):

We tested for differences between respondents and non-respondents, and also for differences between companies that responded voluntarily, without any reminder phone call, and a stratified sample of 500 companies that were selected at random for a follow-up call. The companies that received follow-up calls were 23 percent more likely to respond than those that did not receive a call. Yet the characteristics of the two groups of companies are quite similar, as are their survey responses. This is what we would expect to find in the absence of self-selection bias.

This result provided assurance that the survey responses could be assumed to be fairly representative of the entire universe of issuers.

The OEA’s experience of conducting the 2009 Study highlights the pros as well as the cons of conducting a retrospective regulatory review. Most importantly, the 2009 Study allowed the SEC (and Congress) to take an evidence-based approach when deciding whether to subject smaller issuers to Section 404(b). Indeed, if an agency wants to understand its regulated entities’ compliance experience, conducting a large-scale survey with a rigorous research design is one of the most promising methods. However, undertaking such a project can be costly and time-consuming, and there are legal and institutional hurdles to jump even if the data is readily available to the regulated entities. For this reason, it is not realistic to expect an agency to conduct this type of retrospective regulatory review for most of its rules.

C. Rulemaking Dynamics versus Compliance Experience

As mentioned, APA Section 553 requires the SEC to go through the notice-and-comment process even when Congress mandates rulemaking. Section 404 rules attracted many comment letters.

As a general matter, administrative law scholars have recognized that the notice-and-comment rulemaking process is prone to abuse. Strong interest groups try to influence the rulemaking by overloading the agency with extensive comments that favor their position. Meanwhile, the SEC’s experience of implementing Section 404 highlighted novel aspects of the process.

Specifically, two studies examined the commenters’ identities and their positions. The first study evaluated the net benefits of Section 404 “by studying the lobbying behavior of investors and corporate insiders … to affect the final implemented rules under [the Sarbanes-Oxley Act].” The study analyzed the identities of commenters and documented that firms that lobbied against strict implementation of Section 404 appeared to be characterized by agency problems rather than motivated by concerns over compliance costs. In retrospect, this makes sense: Managers who benefit from agency problems tend to resist rules designed to reduce agency problems. This study should be interpreted in conjunction with a second study, which made use of the OEA’s survey data and reported a curious finding: Firms that lobbied against strict implementation of Section 404 would later perceive greater compliance benefits, on average, from Section 404 requirements than respondents from non-lobbying firms. There may be multiple interpretations of this latter finding, but one put forward by the authors is that Section 404 may have been successful in reducing agency problems.

These findings have cautionary lessons for the SEC’s rulemaking process (as well as for the reviewing court if a rule is challenged). First, a corporation may choose to submit a letter to oppose an SEC rule for a number of different reasons. On the one hand, the broader interest served by the rule may not be aligned with the corporation’s private interest. In that case, the corporation is seeking to defend its own interest (and in turn its investors’ interests). On the other hand, even if its investors’ interest may be aligned with the broader interest, managers may oppose the rule in furtherance of their private interests. This pattern may be especially likely when rules are intended to reduce agency costs. In such cases, opposition to a rule may be an indication, not of the rule’s inefficiency, but of its efficiency. Evidence indicates that this was arguably the case with Section 404 rules. For this reason, it may be prudent to consider in depth the incentives and motives of commenters. Second, comments submitted during the rulemaking process will always represent an early assessment of the rule. Commenters may be driven by the sticker shock of high start-up costs and may underestimate the rule’s long-term benefits. As time passes, however, issuers may come to recognize the benefits of the rule. The agency should be mindful of this possibility as it deliberates its policy choices, and courts should likewise be mindful of such behavior on commenters’ part as they review the elements of any agency rule.

IV. The Aftermath and Conclusion

The SEC extended compliance deadlines for Section 404(b) for smaller issuers until the OEA completed its study. The last extension it issued would have expired in June of 2010. In July 2010, Congress passed the Dodd-Frank Act, and the rest is history. While the Dodd-Frank Act mandated hundreds more specific rules for the SEC to adopt, it also formally exempted smaller issuers from Section 404(b). In 2012, the JOBS Act created a new category of firms—emerging growth companies—and provided them further relief from Section 404(b). In 2020, the SEC lifted the threshold for complying with Section 404(b) to $100 million in annual revenues by revising the definition of an “accelerated filer.”

Overall, the implementation of Sarbanes-Oxley Section 404 was an unusually challenging and drawn-out administrative event for the SEC. It raised a host of novel issues, many of which would only be resolved years later. Congress may have rushed to enact the statute, but the SEC’s patient and, at times, creative approach to implementing the provision helped mitigate the risk of imposing too great a burden on the economy. In the end, one may still disagree about the legacy of Section 404 in the U.S. capital markets. Nevertheless, the rich administrative legacy of Section 404—and its implications for the future of the SEC—is inarguable.

The author would like to thank Stephen Bainbridge, Allan Horwich, Randy O’Hare, James Park, Roberta Romano, Urska Velikonja, and the participants at the Sarbanes-Oxley at 20 Conference hosted by the UCLA Law School and the 2023 Trans-Pacific Business Law Dialogue. The author would like to thank Danny Damitio and Nanzhu Wang for their excellent research assistance. This research was funded by the Northwestern University Pritzker School of Law Faculty Research Program. All errors are mine.