The Costs of Complying with SOX’s Internal-Controls Audit Requirement

Section 404(b) of the Sarbanes Oxley Act (SOX) requires auditors to test and report on the effectiveness of internal control over financial reporting (ICFR) for accelerated and large accelerated filers. Although Iliev (2010) documents substantial costs to initially comply with 404(b), proponents of Section 404(b) argued that compliance costs would decrease over time as companies shift from implementation to maintenance mode and improve efficiency related to ICFR oversight and testing. Likewise, auditor and client experience with the requirements of Section 404(b) may improve the effectiveness of ICFR audits and their ability to detect and remediate existing material weaknesses, thus increasing the benefits associated with compliance. However, in May 2019, the Securities and Exchange Commission discussed amendments that would exempt smaller companies from compliance with Section 404(b). Given this, there have been calls for more research on the effects of Section 404(b). In our paper, we respond to these calls by examining whether the costs and reporting benefits associated with Section 404(b) have evolved since its inception.

Since the passage of SOX, compliance with Section 404(b) has largely been determined by a company’s public float in relation to a $75 million threshold. Companies above $75 million in public float are generally required to comply with Section 404(b), but companies below the threshold are generally exempt from compliance. We implement a “fuzzy” regression discontinuity design (RDD) that uses this cutoff as an instrument for compliance. Theoretically, this approach is effective if we focus on a narrow range of companies around this threshold because “the exact cutoff is not related to firm fundamentals” (Iliev 2010, p. 1165). That is, by focusing on a set of companies between $25 million and $125 million of public float, we expect that companies immediately on either side of the cutoff are largely similar except for Section 404(b) compliance status.

Using this approach, we estimate the magnitude of both internal and external costs associated with 404(b) compliance. We use selling, general, and administrative expenses (SG&A) as proxies for internal costs, as we expect that the majority of ICFR related expenses will be classified as SG&A, and we use audit fees paid to the external auditor to capture external costs. For a sample of public issuers between $25 million and $125 million in public float from 2004 to 2015, we estimate a 25 percent SG&A premium and a 50 percent audit fee premium for compliant companies relative to exempt companies. These results suggest that companies incur substantial costs as part of Section 404(b) compliance. Next, we examine how these costs have evolved over time. Although regulators have suggested that compliance costs would start decreasing as early as year two of compliance (SEC 2009; OEA 2009), our results do not support this conjecture. Even upon the 2007 extension of 404(a) to companies below the $75 million threshold (i.e., non-accelerated filers), we do not observe an immediate decrease in the SG&A or audit fee premiums for 404(b) compliant companies. However, we estimate diminished and statistically insignificant SG&A premiums as well as significantly diminished audit fee premiums in 2009 and 2010. These findings are consistent with regulators’ concerns that companies had become less attentive to ICFRs in the period between 2005 and 2009, which led to a renewed regulatory focus on the auditors’ testing of ICFR beginning in 2010 (DeFond and Lennox 2017). Consistent with auditors and companies devoting more resources to ICFR in response to the renewed regulatory focus, SG&A and audit fee premiums returned to levels similar to early SOX beginning in 2011. In further analysis, we find that 404(b) compliant issuers are slightly less likely to disclose internal control deficiencies (ICDs) than non-compliant issuers following the extension of 404(a) to non-accelerated filers, providing additional evidence that a 404(b) audit encourages companies to devote more internal resources to effective ICFRs.

Despite the substantial costs, regulators argue that auditor oversight over ICFR should increase financial reporting quality and provide more informative internal control reports that ultimately benefit investors. To test these claims, we leverage the extension of 404(a) to non-accelerated filers in 2007 and consider whether the auditor oversight over the controls process via Section 404(b) yields more informative internal control deficiency (ICD) disclosures. Following DeFond and Lennox (2017), we define “informativeness” of ICDs as whether ICDs predict subsequent restatements. While we find that companies only subject to Section 404(a) are more likely to disclose ICDs than Section 404(b) compliant companies, we find no evidence that 404(a) ICDs are less informative about financial reporting quality. Thus, despite the significant and persistent costs associated with compliance, we fail to find evidence that 404(b) improves the informativeness of ICDs.

It could be the case that 404(b) audits help clients remediate the most severe material weaknesses, making internal control reports appear less informative, as only relatively minor material weaknesses remain. However, in this case, financial statements for 404(b) compliers should be more reliable due to financial reporting improvements. To test this, we again use regression discontinuity design with restatements and abnormal accruals as measures of financial reporting reliability/quality. We find no evidence that 404(b) compliance is associated with improved financial reporting reliability or quality, consistent with Bhaskar, Schroeder, and Shepardson (2019), who document lower financial reporting quality for Section 404(b) compliant issuers.

Together, our results suggest that the costs associated with compliance remain significant and compliance does not appear to be accompanied by reporting benefits in the form of more informative internal control reports or more reliable financial statements. These results provide important insights for regulators as they consider the appropriateness of Section 404(b) and whether the requirements provide a net benefit to investors.

REFERENCES

Bhaskar, L.S., J. H. Schroeder, and M. L. Shepardson. 2019. Integration of Internal Control and Financial Statement Audits: Are Two Audits Better than One? The Accounting Review 94(2): 53-81.

DeFond, M. and C. Lennox. 2017. Do PCAOB Inspections Improve the Quality of Internal Control Audits? Journal of Accounting Research 55(3): 591-627.

Iliev, P. 2010. The Effect of SOX Section 404: Costs, Earnings Quality, and Stock Prices. Journal of Finance 65(3): 1163–1196.

Office of Economic Analysis (OEA). 2009. Study of the Sarbanes-Oxley Act of 2002 Section 404 Internal Control over Financial Reporting Requirements. Securities and Exchange Commission. Washington, D.C.

Securities and Exchange Commission (SEC). 2009. Study and Recommendations on Sections 404(B) of the Sarbanes-Oxley Act of 2002 for Issuers with Public Float Between $75 and $250 Million. Washington, D.C.

This post comes to us from professors Jenny McCallen at the University of Georgia, Roy Schmardebeck at the University of Tennessee, Knoxville, Jonathan E. Shipman at the University of Arkansas, and Robert Lowell Whited at North Carolina State University. It is based on their recent article, “Have the Costs of Sox Section 404(B) Changed Over Time? An Evaluation of the Internal and External Costs of Sox Section 404(B) Compliance,” available here.