chevron-down Created with Sketch Beta.

The Business Lawyer

Summer 2023 | Volume 78, Issue 3

SOX’s Impact on the Quality of Financial Reporting

James D Cox

SOX’s Impact on the Quality of Financial Reporting Thurston

Jump to:


The Sarbanes-Oxley Act of 2002 (SOX) was enacted with widespread bipartisan support, rarely seen today, and did so while launching the most sweeping reforms to the American securities laws since their inception in the Great Depression. Now, after more than twenty years have passed since that epic event, the time is ripe to assess whether the financial reporting system of public companies has improved.  This article reviews important studies directed to this question and in doing so reveals as well the interconnectedness of the ecology that shapes financial reporting. As captured here, we see that, even though some disclosure initiatives of SOX failed to reach their full potential—such as the auditors’ attestations of management assessment of internal control—there evolved initiatives by both the U.S. Securities and Exchange Commission and the Public Company Accounting Oversight Board that fill the gap and move the vision of SOX forward.  We therefore leave the field of view with an appreciation that SOX’s enduring contribution is pedestalizing the importance of reliable financial reporting systems by public companies.

The Sarbanes-Oxley Act of 2002 (SOX) was enacted with widespread bipartisan support rarely seen today, receiving favorable votes of 423 to 3 in the House of Representatives and 99 to 0 in the Senate on the consolidated bill that expanded greatly upon the Senate bill, which was more focused and regulatory-oriented than the House bill. The overwhelming congressional approval reflected the unceasing chain of high-profile financial reporting scandals; two of the most significant scandals—AOL-Time Warner and WorldCom, which inflated its assets by an estimated eleven billion dollars—were disclosed on the cusp of Congress adjourning for the August recess during which senators and representatives anticipated they would be pummeled by their constituents’ outrage over the untrustworthiness of the financial reporting systems. These reporting failures came on the heels of similar reports involving numerous well-established publicly traded companies, e.g., Enron and Global Crossing. These reporting gaffs and the ensuing collapse of prices across securities markets propelled Congress to make the most sweeping reforms to the American securities laws since their inception in the Great Depression.

I. Waning Restatements, Rising Revisions, and Questions of Independence

The ensuing financial crisis introduced to the public the meaning and significance of an accounting restatement. Before and especially in SOX’s wake, accounting restatements became a failure event among reporting companies. Indeed, restatements did not recede from the public attention with President George W. Bush signing SOX on July 30, 2002. They dominated the financial news, with their number steadily increasing, peaking in 2006 when 13.6 percent of reporting companies reported a restatement; since then, the percentage has declined, reaching 4.8 percent in 2020. If the story stopped there, we could easily point to the decline in restatements as evidence that SOX had demonstrated it could move an important needle in measuring the quality of financial reporting by public companies. The correlation would be hard to overstate: After the implementation of SOX’s multiple measures, there followed a significant decline in accounting restatements. Walla!

Victory is not so easily recorded. Declines in the number of accounting restatements must nonetheless be assessed against the disturbing rise in a relatively new phenomenon, accounting “revisions.” The difference between the two is legally significant. Accounting restatements, so-called “Big Rs,” reflect information that earlier financial reports were materially incorrect, can no longer reasonably be relied upon, and must be restated; the SEC requires all restatements to occur promptly via filing Form 8-K, thereby giving the change a good deal of prominence. Items that do not have a material impact on an earlier financial report are beyond Form 8-K and are usually treated through disclosure in the footnotes of the fiscal period in which the gaff is discovered. If the error is not material to previously issued financial statements, it may nonetheless be of a nature that not correcting its current effect renders the current period’s reports materially misleading so that a registrant must still correct the error. This type of correction is sometimes referred to colloquially as a revision restatement or a “little r” restatement and results in no correction to earlier released financial reports. Note that the differing treatment turns on whether the item causing the earlier misstatement is material across financial periods.

Management is not neutral between treating the matter as a restatement or a revision. As seen, restatements result in the reported item having more prominence by compelling their prompt disclosure on Form 8-K. More significantly, restatements often arise not because of an innocent mistaken judgment, estimate, or assumption, but because of “misconduct.” When this occurs, Section 304 of SOX requires the firm’s CEO and CFO to reimburse the firm for any bonus or incentive compensation received during the twelve-month period following publication of the financial report embodying the restatement. Moreover, such a clawback does not require any wrongdoing or complicity by the disgorging officer in the events giving rise to the restatement. Liability is absolute. Further concern for restatements appears in the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, which amended Section 10D of the Exchange Act and mandated that the SEC prohibit public listing on any exchange unless the issuer implemented procedures to recoup from any executive incentive compensation received in the three-year period before the restatement’s publication. The SEC recently imposed that prohibition, further heightening the consequences of a correction being deemed a restatement. The SEC’s recent action evaluated whether the correction is material in more than the current period, but wisely focused on whether senior executives have been rewarded by a measurement standard later determined to have been not just erroneous, but materially erroneous. Thus, the intent of Congress behind the Dodd-Frank provision is fulfilled, finally, and without openly confronting the more controversial concern of whether revisions exist because of a lack of sufficient independence on the part of the auditor.

Such independence was questioned in a recent study of annual reports filed with the SEC from 2004 through 2015 that examined 1,842 reports that contained accounting misstatements of which 54 percent were treated as revisions and the remainder were reported as restatements. Employing a variety of tests commonly used by auditors to determine the materiality of a matter, such as whether the change is 5 percent or more of income, the study’s author concludes that one-third of the revisions were material, observing that it is “not uncommon for a firm to deem a misstatement immaterial … despite it meeting an observable materiality indicator.” She further finds that classifying a misstatement as a revision, rather than a restatement, was highly correlated with whether the firm had in place procedures for clawing back incentive compensation executives garnered during any period affected by a restatement.

Reports that companies appear to be characterizing material reporting errors as revisions shines a light on whether SOX has facilitated real progress in an area that weaves through key provisions of the Act focused on the linchpin of the trustworthiness of financial reporting: the independence of the reporting company’s outside auditor. If the prevalence of accounting restatements measures the auditor’s professional skepticism when evaluating management’s financial reports, in a world in which restatements and revisions are interchangeable in the real-time setting of the auditor’s work, we can seriously question just what SOX has achieved.

The bedrock of SOX’s mechanisms to promote the auditor’s independence is found in its first three chapters setting forth the legal foundation for accounting and audit standard setters, centralizing responsibility for the auditor in the audit committee, and introducing numerous restrictions with the intended effect to rid auditors of the powerful conflicts of interest that pervaded their historical relationships with their audit clients. The rules and conventions for reporting significant accounting information, known as generally accepted accounting principles (GAAP), have been overseen by the Financial Accounting Standards Board (FASB) for over three decades. Until SOX, the FASB was funded by contributions from the accounting firms, a practice that hardly shielded standard setting from the influence of the auditing profession’s clients. At the same time, the rules for the professional referees, i.e., auditors, to attest that management was adhering to GAAP were overseen by the auditors themselves through the professional standards body within their trade organization, the American Institute of Certified Public Accountants. It is easy to see how a wonderfully incestuous symbiotic relationship could produce the reporting meltdowns that spawned SOX. SOX addressed these organic weaknesses of the earlier standard setters.

SOX amended Section 19 of the Securities Act to require that the private sector’s accounting standard setter, then and now the FASB, must be funded exclusively by the public fisc, that a majority of that body’s members not be either current or recent members of auditing firms, and that the body could act by majority vote. Furthermore, SOX removed oversight of auditing standards and auditors from the profession and placed them under the newly created Public Company Accounting Oversight Board (PCAOB), whose five members were to be appointed by the SEC, after consultation with the Chairman of the Federal Reserve and Secretary of Treasury, and whose budget is now publicly sourced. The broad objective therefore was to insulate both standard setters from the influence of the regulated.

Recent history, however, suggests we should not be too complacent as to whether these structural initiatives are themselves sufficient. For example, the SEC’s Investor Advisory Committee recently leveled pointed criticism at the FASB for misallocating its resources on narrow technical issues that arise in financial reporting and not on thornier more sweeping questions. The significance of SEC oversight was apparent after the election of a new president and the appointment of a new SEC chair, who won headlines and plaudits for unceremoniously removing the sitting chair of the PCAOB and for swiftly underscoring the message that the previous board neglected key areas of the PCAOB’s mission. Nonetheless, concerns for true independence within this regulatory quilt persists from such facts as that, over the PCAOB’s twenty-year life, the SEC has frequently been less a governor on many of the PCAOB’s key initiatives than a cheerleader. Underscoring this is a disturbing statistic. In the last twenty years, eleven individuals have led the SEC’s Office of Chief Accountant, and each, immediately prior, had been a partner with a Big Four accounting firm, most of whom promptly returned to their former firms at the conclusion of their SEC tenure. Recent events likely reflect that the true linchpin for auditor professionalism is the commitment to that cause by the SEC’s chair, and not SOX’s provisions.

II. SOX and the Forces Girding the Lack of Auditor Independence

Firms making up the S&P 500 had a collective market capitalization, on January 31, 2023, of $35.9 trillion, or 80 percent of all publicly held firms traded in the United States. Among this elite group, only three companies were audited by a non–Big Four accounting firm in 2017. In 2022, the Big Four replicated that massive footprint, auditing almost 45 percent of all reporting companies, and were even more dominant among the largest firms, auditing more than 80 percent of so-called large accelerated filers. Concern regarding the industry’s concentration has long existed, arising from fears that the dominating Big Four auditors would misbehave as oligopolists, competing neither on the price nor the quality of their services. The lack of competition is supported by the absence of turnover of auditors by their clients. The audit firm’s relationship with its client may reflect unquestioned obedience more than robust competition among auditors on price and quality. Furthermore, there are also the sobering lessons learned from the collapse of then–Big-Five member Arthur Andersen, the demise of which disrupted the timely reporting process for—and posed regulatory and operational challenges to—hundreds of public companies. Are the continuing Big Four too big to fail? A quite different perspective is that concentration in the place of competition can steel the auditor’s independence from its clients who, because it is insulated from competition, can demand clients comply with high GAAP and generally sound reporting practices. Studies of this question, including two by the Government Accountability Office, provide mixed results on which of these two outcomes prevails within the industry.

A recent study, using a very clever research design, sheds a good deal of light on the favorable effects of competition when a firm considers changing accountants. The methodology enabled the investigators to identify SEC reporting firms contemplating a change of accountants so that the “bidding process” engaged in by the incumbent auditor and its competitors could be matched with outcomes, such as the ensuing audit fees paid by the registrant, auditor disclosure of material internal control deficiencies, and accounting restatements. The authors concluded:

We find that Big 4 competitive bidding is positively associated with audit quality as measured by a lower likelihood of misstatement. In addition, we find that Big 4 competitive bidding is associated with modest fee reductions in the two years following an auditor change, regardless of whether the incumbent auditor wins reappointment or not. Thus, we provide evidence indicating that incumbent auditors respond to competitive pressure by reducing fees without sacrificing audit quality.

The above conclusion supports regulatory policy that encourages audit clients to periodically consider changing audit firms, as even in the highly concentrated market of auditing services for large public firms, the profile of the study, the lash of competitive bidding produced statistically observable positive effects. These effects persisted even in the face of another potentially harmful development, the rise of auditors providing non-audit services to their clients.

Industry concentration is not the only force that can weaken auditor independence. SOX amended Exchange Act Section 10A to prohibit a reporting firm’s auditor from providing eight types of non-audit services, to empower the PCAOB to identify any other prohibited non-audit services, and to require the auditor to obtain preapproval from the reporting firm’s audit committee for any permissible non-audit services. These steps were clearly taken for their prophylactic effects, guided by evidence that auditors garnered a substantial part of their revenues by providing non-audit services to their audit clients and frequently the services rendered were an important focus of the audit itself. David Duncan, the Arthur Andersen partner overseeing Enron’s audits, was the poster child for such concerns, with the bulk of his compensation determined by bonuses received for cross-selling non-audit services to Enron. We can imagine that Duncan’s verve to question Enron’s many suspicious accounting practices would have been strengthened by an SEC requirement that his termination as the auditor by Enron, for whatever cause, triggered prompt public disclosure and most certainly a visit by the SEC. On the other hand, if Enron instead retaliated against Duncan (for challenging its practices) by terminating Arthur Andersen’s lucrative consulting arrangements, this would not have triggered a reporting obligation and, at the same time, would have substantially reduced Duncan’s and his employer’s financial benefits. Hence the prophylaxis now found in Section 10A(g) and (i) of the Exchange Act. The SOX-induced prohibition produced noticeable and rapid effects; among SEC reporting companies, the auditors’ non-audit fees peaked at $4.24 billion in 2002, fell by 26.4 percent to $3.12 billion in 2003 and fell another 18.3 percent to $2.55 billion in 2004, and, at the end of a nineteen-year study, stood at $1.75 billion in 2020.

The above statistics should not be read to suggest that the audit industry’s salad days are behind it. Reports of yearly revenue sources by the Big Four suggest otherwise. In 2021, the Big Four’s revenues reportedly totaled $115 billion world-wide from consulting and tax services, more than double the $53 billion received from its audit practice. Indeed, in the ten years ending in 2021, the Big Four’s global revenues from consulting and tax work rose 96 percent, eclipsing by many multiples the 17 percent growth in audit revenues. The contrasting statistics underscore the salutary impact of SOX on the provision of non-audit services to SEC-reporting companies amidst the fast-paced expansion of this feature of the Big Four’s work to non-reporting companies. Nonetheless, the amount of non-audit services provided to reporting companies of $1.75 billion dollars is not trivial. Further concern is whether, in a firm culture in which growth is enjoyed, and likely more aggressively pursued, the rendition of non-audit services will have harmful effects on the independence of those engaged in the slower growth lane of auditing. Hence, we see concern recently professed by the SEC over the growth of non-audit services.

We therefore see at play the twin forces of an anticompetitive industry structure for audit services provided to public companies and the ever-present lure of fast growth in non-audit revenues from audit clients. And the recent history with the PCAOB reflects at least that regulatory zeal is far from steady. At the same time, evidence indicates that the process of competitive bidding among auditors has enhanced the quality of reporting, even when that bidding process does not cause a change in the firm’s historical auditor. Moreover, the level of non-audit fees garnered from reporting clients appears to have stabilized, though remaining at levels that nonetheless cause pause whether they impact the engagement auditor’s independence. Thus, industry structure alone, even when joined by independently funded regulators, is unlikely to be the antidote to enhance auditor independence. This conclusion is supported by SOX containing multiple directives to improve financial reporting, each stealing the auditor’s independence from the audit client.

An important SOX intervention mandates that the engagement partner’s tenure not exceed five years. Consequently, not less frequently than every fifth year, the audit will be under the direction of “fresh eyes”; the new engagement partner by definition is not someone who has, over prior years, developed social and psychological ties to the client’s management or is associated with the numerous accounting judgments, assumptions, and estimates that were employed in preparing the earlier financial statements. A collateral benefit of the programmed “fresh eyes” is it supports independence on the part of the current, soon the outgoing, engagement partner; the advent of a change in supervisory personnel can be expected to temper the current auditor bending inappropriately to the client’s reporting decisions. In this way, rotation introduces to auditing a form of peer review with the consequential effect of stimulating the outgoing partner to conduct a higher quality audit in the year or years preceding succession. On the other hand, fear abounds that changing auditor partners will weaken audit quality because such rotation sacrifices the client-specific knowledge the departing auditor gained through her tenure. Lacking such deep knowledge regarding the client’s business and systems, the new auditor may well be less likely to identify financial reporting problems. Probing which of these two competing visions of the consequences of partner rotation dominate has generated a good deal of investigation.

Because any change in the engagement partner, while being disclosed to the PCAOB, is not otherwise public information, most research on the effects of audit partner rotation has focused on practices and experience outside the United States, where engagement partners are publicly disclosed. Within the plethora of such studies, one, which focused on Hong Kong–listed firms and which appeared in a leading American accounting journal, lends strong support for the “fresh eyes” position. Because China not only requires public companies to disclose the individual engaged in the audit, but also requires their clients to set forth their pre-audit profits, the investigators were able to assess whether changes in audit partners were associated with material differences between pre- and post-audit financial reports. The study found that “audit adjustments occur more often when the engagement partner is scheduled for mandatory rotation at the end of the year” and “that audit adjustments occur more often during the incoming partners’ first year of tenure than in other years.” Each is consistent with the earlier described twin benefits of the “fresh look” hypothesis.

It is never clear how findings about financial reporting outside the United States translate to the United States—the U.S. regulatory quilt is broader and snugger than that found in other countries, the risk of lax auditors being disciplined by regulators or in private suits is greater in the United States, and there is a deeper capital market monitoring in the United States. To this end, the recent study by Professors Brandon Gipper, Luzi Hail, and Christian Leuz is significant not just because of the comprehensiveness of its inputs (3,333 audit clients from 2008 to 2014 involving 2,385 engagement partner rotations), but because it mines PCAOB proprietary information that bears on a range of matters that include the engagement partner, the hours each logged in engagement, and the audit fees. The study finds no statistically significant association between audit partner rotation and the proxies used to measure quality of financial reporting. Restating this observation, the authors found no statistically significant evidence of adjustments, restatements, or qualifications leading up to or following a change in audit partners. Interestingly, audit fees tend to drop in the year of partner rotation but rise over the remaining tenure of the partner; the trend is different with respect to hours logged, with the hours logged by the engagement partner declining over her tenure. Apparently, the change in audit partners is an opportunity seized by the client to renegotiate the audit fees, while at the same time, the new auditor may be “low balling” to avoid the client shopping for a new firm, but understanding recovery of that discount over the remaining partner’s tenure. A further significant finding is that, certainly with respect to large and hence complex clients, the audit firm far in advance of the rotation of partners assigns the upcoming partner to “shadow” the outgoing partner, thereby seeming to moderate the earlier described concern that audits may deteriorate after a rotation because of the loss of firm-specific knowledge.

There are several threads of analysis that can explain these findings. The absence of a connection between partner rotations and the proxies for reporting failure—as found by Gipper, Hail, and Leuz—is consistent with five years being sufficiently short to prevent co-opting the auditor’s independence. Moreover, their findings are consistent with the belief that an engagement partner’s awareness that there will be a “fresh look” has a beneficial effect on the partner maintaining her independence.

III. SOX’s Quest for Auditor Independence

Auditor independence is a short-hand expression for auditors that are not just financially independent from the client, but that also demonstrate professional skepticism throughout the auditing process. This section reviews twenty years of experience with SOX provisions intended to enhance the auditor’s independence.

The pathway for every audit begins with the auditor’s assessment whether the client’s internal recordkeeping processes are sufficiently trustworthy. This inquiry focuses on whether the client’s internal reporting system has adequate procedures to assure that transactions are properly recorded within the firm’s accounting system. Congress’s first direct engagement with internal controls occurred with the enactment of the Foreign Corrupt Practices Act in 1977, which amended the Exchange Act to require not only that reporting companies “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer,” but also “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances” that those transactions were executed in accordance with management’s authorization and were recorded to permit proper accounting. The numerous accounting failures that led to SOX’s passage repeatedly reflected that they were associated with weak to no internal accounting controls. SOX addressed these failures through section 404(a) by requiring that each annual report filed with the SEC include an assessment of “the effectiveness of the [registrant’s] internal control structure and procedures of the issuer for financial reporting.” Correlative to this assessment, section 302 mandated that the SEC require that each quarterly and annual report of an SEC registrant include the certification of its principal executive and financial officers of certain matters, such as their evaluation of the firm’s internal controls and their disclosure to the auditor and audit committee “all significant deficiencies in the design or operation of internal controls.” Finally, beyond the assessment of internal controls required under section 404(a), section 404(b) requires the firm’s auditor to attest to, and report on, that assessment of internal controls.

SOX’s internal control mandates, however, soon became a painful lesson in both the economics of financial reporting and real politics. Financial reporting costs have a significant fixed cost component so that they are only scalable once the reporting company is relatively large. Hence, the burdens on smaller issuers of the new auditor’s attestation of internal controls were relatively large and sometimes significantly so. Thus, there were successive delays regarding the implementation of the attestation requirement, until Dodd-Frank amended SOX by excluding the attestation component for so-called non-accelerated filers, the JOBS Act further excluded from the requirement any “emerging growth company,” and, most recently, the SEC further limited its scope by reducing the number of firms deemed to be accelerated filers. As a consequence, nearly one-half of all domestic reporting companies whose executives are required to report whether their internal controls are deficient are not accompanied by the auditor’s attestation of that assessment. Because auditor involvement is highly correlated with the disclosure of material weaknesses in internal controls, the removal of small issuers means that issuers least likely to support robust internal controls escape this regulatory area, which is disquieting.

Below is information gathered from an eighteen-year review (2004–2021) of section 404 filings. The survey gathered yearly data on the percentage of negative internal control assessments made by the registrants’ executives in their mandated 404(a) reports, the percentages for auditors disagreeing with management’s assessment, and management negative assessments for firms exempt from auditor’s attestation. To provide insight on how these assessments and attestations have changed over time, I have restated the information into average percentages over three six-year periods.

  2004-09 2010-15 2016-21
Negative Assessment by Management (All Filers) 15.48 21.47 22.40
Negative Assessment by Management (Filers Exempt from Auditor Attestation) 29.40 7.14 40.43
Negative Attestation by Auditor 8.84 4.27 6.05

Of interest is that the percentage of auditor negative attestation for the most recent six-year period is fairly low, two-thirds of its level after the initial six-year period. At the same time, management’s negative assessment of internal controls across all 404(a) reports trends upward, averaging about one in five across all companies, but significantly about two in five among firms exempted from 404(b)’s attestation requirement. This number can be seen as encouraging, as discussed below, but still leaves an important unknown: whether the level of negative assessments across all firms would be larger had management been operating in an environment in which that assessment would be attested to by the firm’s auditor.

The high percentage of management’s negative reports in unattested reviews of internal controls can be seen as reflecting the value management places on strong internal controls. The managers’ opinions captured in the data underscore that a trustworthy reporting system is central to their stewardship in gauging the effects of management’s decisions. Abundant evidence explains, in part, that weaknesses within a firm’s financial reporting system impede firm performance. To this end, evidence reflects that weak internal controls contribute to the generation of poor information that leads to suboptimal performance. Overall, a reliable reporting system is correlated with better management stewardship.

Internal control assessments and accompanying attestations do not exist in isolation. As seen, management has powerful self-interest that is served through a trustworthy reporting system that enables managers to believe the information on which their decisions are made is reliable and that the effects of those decisions can be evaluated. But the ecology of the financial reporting environment is broader than managerial self-interest.

In addition to placing authority over the audit with an independent audit committee, then calling for management’s assessment and certification of various features of the firm’s financial reports, adding for most accelerated filers the auditor’s attestation of their assessment, SOX further mandates that auditors provide a fulsome report to the audit committee of critical accounting policies and practices used by the firm, including discussions with management of choices among competing methods used to report the firm’s results. SEC rules thus require the auditor report to the audit committee: (1) all critical accounting policies and practices used by the issuer; (2) material alternative accounting treatments of financial information within GAAP that have been discussed with management, including the ramifications of the use of such alternative treatments and disclosures, and the treatment preferred by the auditor; and (3) any other material written communications between the auditor and management. Each of these items is generically referred to as a “critical audit matter” (CAM), which is defined broadly to be items in the financial statements that are both material and involve challenging, subjective, or complex auditor judgment.

CAMs are distinct from weaknesses in internal controls; the existence of the latter does not give rise to the former unless the internal control deficiency itself relates to an account or disclosure that is material to an item reported in the financial statements. Nonetheless, a deficiency can be of such a magnitude as to move a reporting item into the category of being a CAM because the failure of controls enhances the elements of uncertainty and judgment that characterize that item as critical. More significantly, as discussed below, several post-SOX initiatives now compel these once-for-the-audit-committee-only disclosures of CAMs to be public, at least in connection with the annual report.

In 2017, the PCAOB made the most significant change in forty years for the auditor’s opinion letter by mandating the opinion discuss CAMs. Specifically, the auditor’s opinion must now fully describe any CAM; the disclosure must include the principal considerations that led the auditor to determine that the item was a CAM, identify the accounts and disclosures (including any footnotes to the financial statements) involving the CAM, and describe how the auditor addressed the CAM in carrying out the audit. By shining a light on reported matters for which there is great uncertainty, as well as the audit procedures taken to address those matters, today’s audit opinion letter has moved the auditor a good distance from the former pass-fail auditing model.

In a sense, the PCAOB’s expansion of the scope of the audit opinion letter reflected the guidance the SEC has provided since 2001, namely that the registrant’s Management Discussion and Analysis (MD&A) for its annual reports should address the critical accounting policies employed in preparing the issuer’s financial statements. In the natural progression of events, the SEC recently amended its rules regarding MD&A to require management to address accounting estimates and assumptions that are material due to their subjectivity and uncertainty.

In combination, we can see these multi-pronged developments as strengthening the independence of the entire financial reporting process. As seen, SOX calls on executives to certify their level of trust in the statements and the integrity of the procedures for their preparation. Management now has obligations to set forth their analysis of the critical accounting policies imbedded in the financial statements and to do so with an awareness that the firm’s auditor has a similar obligation regarding its relationship with the audit committee, as well as the auditor’s more fulsome reporting obligations generally. Within this web, we can speculate whether those requirements heighten the auditor’s professional skepticism, or expand the steps taken in the audit, including a deeper consideration of internal controls, or ultimately exert greater candor by management in its expanded disclosures, likely in footnotes to the financial statement’s presentation of the CAM item, that enrich the overall financial report.

A common refrain raised against expanding the auditor’s opinion to disclose CAMs was that the mandate would elicit only meaningless boilerplate and therefore not enhance the overall quantity or quality of information reaching investors. Though experience with such disclosures runs only a few years—with rules taking effect for very large SEC registrants (so-called early filers) in 2019 and all other issuers a year later—early studies support the view that, for many issuers, CAM disclosures are valued by investors and likely improve the quality of financial reporting.

We see that studies consistently document that CAM disclosures are company-specific, not vacuous boilerplate. One study reports that the CAMs reported by S&P 100 firms, the very largest and hence operationally complex issuers, detailed the cause for the auditor’s concern joined by description of the unique audit steps taken to address the reported item. The differences in subject areas identified in CAMs, as well as the specificity surrounding the discussion of the CAM, are hardly consistent with the disclosures being either boilerplate or milquetoast. Moreover, another study finds greater depth and cautionary language in the auditors’ footnotes regarding CAMs compared to footnotes for those items before auditors were required to disclose CAMs. We therefore see that CAMs impact both the content and tone of disclosure.

At the same time, these buoyant observations are qualified by the study finding no statistically significant stock price reaction associated with CAM disclosures. The study’s authors, however, proceed to test the hypothesis that many CAM disclosures are expected so that any market reaction would be to instances where the disclosure provides unexpected results. They confirm this hypothesis, using prediction models to identify such unexpected outcomes, finding negative market reactions associated with CAMs that deviate from investor expectations. Another study, while also concluding that across the large group of accelerated filers reporting CAMs, there was no statistically significant market reaction, nonetheless found that, among firms experiencing significant short-selling before the disclosure of a CAM, those firms experienced statistically negative market reaction to the revelation of a CAM. The belief is that investors are more likely to react to CAM disclosures when investors have preexisting concerns regarding the quality of the firm’s financial reporting (such as that underlying a high level of short selling for a registrant). In such a case, disclosure of the CAM confirms the preexisting suspicions that results in selling among investors.

We may believe that recent regulatory initiatives—such as including management’s discussion of accounting policies within quarterly and annual reports, as well as the expansion of the auditor’s opinion to include CAMs—salve the unease in excusing the smallest issuers, those believed to have the most problematic reporting systems due to reporting costs not being scalable, and fill the lacunae in financial reporting created by excusing these issuers from the auditor attestation requirement. This may well be the case, but the consequences of erroneous beliefs are significant, as developed in a recent study finding that more than one-third of the firms that graduated into the accelerated filer designation, so that their auditor was required to attest to management’s assessment of internal controls, garnered negative attestations of managements’ earlier assessments. The same study attempts to quantify the costs and benefits of excluding smaller registrants from the auditor’s attestation of management’s assessment of internal controls. The benefits associated with the exemption include lower audit fees associated with removing this item from the audit engagement as well as the deflection of executive time involved in discussions with the auditor relevant to their evaluation. Those benefits, however, have allied costs that include, as discussed earlier, potential adverse impacts on the reliability of the internal reporting system as a consequence of internal control deficiencies, leading in turn to negative operational effects. Such effects can be expected to impact the firm’s value and certainly adversely impact the firm’s value once disclosed. If the shareholder base were static, these costs and benefits would, of course, be borne by the same individuals. But that is not the case. In the world of publicly traded shares, the benefits of lower audit fees are not shared by investors who, soon after acquiring their shares, experience an earnings restatement linked to earlier poor internal controls. Investors who sold their shares because of operating results that were poorer than they would have been had there not been undisclosed internal control deficiencies may well have suffered losses greater than their share of the benefits of lower audit fees. The indeterminacy of this inquiry robs one of certainty, but the low marginal cost associated with expanding the auditor’s attestation of internal controls is the more precise calculation in this constellation, and it appears relatively minor.

IV. Impact of Inspections on Financial Reporting

Section 104 of SOX mandates the PCAOB maintain a continuing program of inspections of the work of auditors registered with it, thus supplanting the profession’s previous self-regulated peer-review program. Inspections occur annually for audit firms whose clients exceed 100 reporting companies and triennially for other firms. Part I of a PCAOB inspection report sets forth deficiencies in the reviewed audits. The inspection also more broadly assesses the auditor’s firm-wide quality control systems, such as protocols for preserving independence, client acceptance, and oversight of staff performance. This assessment makes up Part II of the inspection report and remains private unless the auditor fails to remediate any of the identified criticisms or defects within a year.

The inspections staff is the largest branch of the PCAOB. Since its inception, the PCAOB has:

  • Registered over 3,800 audit firms,
  • Completed more than 4,300 firm inspections in 55 countries—reviewing more than 15,000 audits of public companies and over 1,000 broker-dealer engagements,
  • Issued more than 330 settled orders, and
  • Sanctioned more than 230 firms and 270 individuals.

Even though the issuer whose audit is the focus of a PCAOB inspection is not disclosed, the inspection reports reveal significant information content. The auditor is identified in an inspection report and is required to remediate Part I findings by contemporaneously performing more audit work for the purpose of supporting its opinion and by undertaking to avoid such deficiencies in future audits. The latter has been found to lead to improvement in the quality of the auditor’s future internal-control audits. Initially, the frequency of deficiencies among larger accounting firms reflected a linear decline after PCAOB inspections commenced. More recent experiences, however, are not as sanguine.

Investors associate fewer inspection deficiencies with higher audit quality, with the consequential effect that the release of inspection reports is associated with stock price returns for firms audited by the inspected auditor. Moreover, at least among clients of non-Big Four auditors, there is evidence that auditors with quality control deficiencies noted in Part II of their PCAOB inspections garner lower fees than do firms with no or fewer such deficiencies. Hence we see a market response to the PCAOB inspections. Moreover, auditors with no deficiencies reported in Part II of their inspections become more selective in terms of the reporting risks when considering new audit clients. Finally, inspections are not the only disciplining mechanism introduced by SOX; PCAOB enforcement actions impact future practices as large audit firms tighten their standard audit practices after one of their offices has been disciplined by the PCAOB, and smaller firms do so when enforcement is against one of their competitors.

V. Sizing SOX Up

It is never easy to measure and correlate the positive contribution of a regulatory development; as the experience with the auditors’ attestation of internal controls demonstrated, costs are easily observable but their benefits are, for enumerable reasons, hard to assess within a highly interactive disclosure mechanism. In light of the evidence presented here, we should approach the question more broadly by celebrating that SOX reflects a political commitment that financial reporting is the central desideratum of our capital markets. While SOX teed up the issues that MD&A and CAM disclosures now address, section 404 engrained in debate regarding financial reporting the importance of internal controls. Similarly, audit partner rotation reminds us of the importance of the audit partner manifesting professional skepticism, even though such rotation is a second-best solution. More generally, SOX’s twenty-year history is checkered with strong and weak stewardship at all the affected agencies, most importantly, the PCAOB. Even such an uneven record, linked to leadership at the SEC and PCAOB, supports the framework in which dedicated leaders have, incrementally, moved SOX’s provisions in the direction of strengthening financial reporting.

The author is most grateful for comments from Colleen Honigsberg, as well as the participants of the “Sarbanes-Oxley at 20” conference convened at the UCLA School of Law on October 21, 2022.