SEC Proposes to Exempt More Firms from Required Attestation of Internal Controls

The Securities and Exchange Commission has proposed changes to its rules requiring companies to obtain attestation on their internal controls from an independent public accountant. The proposal rests on the idea that attestation’s costs often exceed its benefits. The SEC’s principal empirical support for that idea is a Journal of Finance article using data from 2004.[1] Since markets have changed since then, over 40 law and accounting professors have petitioned the SEC to replicate the Journal of Finance study using recent data before proceeding with the proposed changes.

*          *          *

The attestation requirement, known as Section 404(b), is among the most important provisions of the Sarbanes-Oxley Act of 2002. It requires that an independent auditor report on whether the company has processes in place (“internal controls”) that induce high-quality financial reporting. The SEC’s proposal would significantly narrow that requirement, limiting it only to companies with over $100 million in revenues.[2]

Internal controls are abstract in theory, but they are intuitive in practice. Consider this common scenario: A controller receives an email that appears to be from a supplier, and the email requests that the controller send payment to a new routing number. The controller remits payment according to the instructions in the email, only to later learn that he has been defrauded. The email was not from the supplier, but from a bad actor who is now millions of dollars richer.

Rather than simply wire millions of public-company dollars to a new account, the controller should have called the supplier to confirm the email’s legitimacy. And the failure to do so reflects what accountants call poor internal controls: Either the company lacks procedures requiring verification of new accounts before making payments, or the company’s controller failed to follow those procedures. Either way, the company’s controls are problematic.

Although we might expect companies to have controls to prevent fraud even without regulation, there are reasons to be skeptical. Internal controls are expensive to set up and maintain – imagine reviewing each asset in today’s public companies and considering all the ways people might try to steal it.[3] They’re burdensome, too: In the example above, the controller would have to take time to verify the accuracy of the email, creating extra work on all sides. But attestation audits come with an important benefit: They keep wayward management from using accounting gimmicks to manipulate results.

Despite legitimate concerns over the costs of internal controls, Congress decided in SOX to require greater focus on such controls.[4] SOX not only requires managers to assess the strength of their company’s internal controls, but to have their auditor report on the controls’ quality – the attestation audit. There is substantial academic debate over whether the benefits of SOX 404(b) outweigh the costs,[5] but “there is consensus that SOX Section 404 greatly contributed to the improvement of quality of financial reporting and of corporate governance as a whole.”[6] Internal controls have increased.[7] Earnings management has decreased.[8] And many executives have stated that the requirements in SOX have increased investor confidence.[9]

But valid concerns over costs remain,[10] with some suggesting that attestation may have led to the decline in IPOs we have witnessed over the past decade.[11] Among the best empirical work on the costs of attestation is a study showing that firms “bunch” below the $75 million float threshold at which the attestation requirement applies. In other words, the study suggests that firms manage their public float to avoid the attestation requirement. The study shows that this phenomenon existed in 2004 – the first year the attestation requirement was implemented.

The SEC’s proposal relies heavily on this study as evidence of the costs of attestation. Although well-done, the study uses data from 2004 – 15 years ago. Rather than rely on those data, we think a better approach would be to replicate the study using recent data to confirm that the bunching results are still present in today’s markets.[12] That analysis is straightforward, and the SEC’s economists should be able to do it without difficulty. Given that the attestation requirement also has benefits, it is important to validate the perceived costs of the requirement before rolling back a policy that provides at least some protection to investors.

Although the signatories to our petition have differing views on regulatory policy generally, we all agree that the SEC should replicate the 2004 study before moving forward with its proposal in this area. Our petition is available here. Here is the list of petition signatories:

Colleen Honigsberg Associate Professor of Law
Shiva Rajgopal Kester and Byrnes Professor
Yu Ting Forester Wong Assistant Professor of Accounting
James D. Cox Brainerd Currie Professor of Law
Robert P. Bartlett, III Professor of Law
Frank Partnoy Adrian A. Kragan Professor of Law
Jared Ellias Professor of Law
John C Coates John F. Cogan Professor of Law and Economics
Joshua Mitts Associate Professor of Law
Scott Hirst Associate Professor
Michael Klausner Professor of Law
Elisabeth de Fontenay Associate Professor
Curtis J. Milhaupt Professor  of Law
John L Campbell Associate Professor, EY Faculty Fellow, and PhD Program Director
Bernard Black Nicholas J. Chabraja Professor
Bin Li Assistant Professor of Accounting
Ed deHaan Associate Professor of Accounting
Brad Hendricks Assistant Professor of Accounting
David Veenman Professor of Financial Accounting
Jan Bouwens Professor of Accounting
Zachary Kaplan Assistant Professor
Mark Bradshaw Professor
Karan Bhanot Professor
John R Graham Professor
Dan Collins Henry B. Tippie Research Chair in Accounting
Brian J Bushee Professor
Catherine Schrand Professor of Accounting
Divya Anantharaman Associate Professor
Christina Zhu Assistant Professor of Accounting
Matthew Bloomfield Professor
Sehwa Kim Assistant Professor
Frank Zhang Professor of Accounting
Ethan Rouen Assistant Professor
Sarah McVay Professor
Joshua Madsen Assistant Professor
Brandon Gipper Assistant Professor of Accounting
CS Agnes Cheng Head and Chair Professor
Justin Hopkins Assistant Professor of Business Administration
James Naughton Assistant Professor
John Coffee Adolf A. Berle Professor of Law
Neil Bhattacharya Associate Professor
Joshua Ronen Professor
Urooj KHan Associate Professor
Jung Ho Choi Assistant Professor of Accounting
Jeff Schwartz Professor of Law
Sanjeev Bhojraj Professor of Accounting
Elizabeth Blankespoor Associate Professor of Accounting


[1] Peter Iliev  (2010). The Effect of SOX Section 404: Costs, Earnings Quality, and Stock Prices, Journal of Finance 45, 1163-1196.

[2] Currently, firms are categorized as nonaccelerated, accelerated, or large accelerated filers. Nonaccelerated filers must have public float of less than $75 million, and are exempt from the auditor attestation requirement. Under the new proposal, these firms would remain exempt and a new subset of firms would also be exempt. In particular, firms with less than $100 million in annual revenue in the most recent year that also qualify as smaller reporting companies (SRCs) would be exempt. Companies with public float of less than $250 million qualify for SRC status, so the new proposal would provide an exemption for (1) nonaccelerated filers, and (2) firms with float under $250 million and revenues of less than $100 million.

[3] Associated costs are often divided into three categories: internal labor costs, external consulting and technology expenses, and auditor attestation costs. See Jagan Krishnan, Dasaratha Rama, and Yinghong Zhang (2008). Auditing: A Journal of Practice & Theory 27, 169–186.

[4]See Section 404, Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (2002).

[5]For an overview, see John C. Coates and Suraj Srinivasan (2014). SOX after Ten Years: A Multidisciplinary Review. Accounting Horizons 28 (3), 627-671.

[6]Bianca Fischer, Bernadette Gral, Othmar Lehner (2014). Evaluating SOX Section 404: Costs, Benefits, and Earnings Management Journal of Finance and Risk Perspectives 3(1), 43-55.

[7]Larry E. Rittenberg and Patricia K. Miller (2005). Sarbanes-Oxley Section 404 Work: Looking at the Benefits, The IIA Research Foundation (finding through survey that internal auditors believe internal controls have increased); United States Government Accountability Office, Report to Congressional Committees, Internal Controls: SEC Should Consider Requiring Companies to Disclose Whether They Obtained an Auditor Attestation (GAO-13-582) (July 2013) (finding through survey data that 80 percent of companies reported that 404 benefitted internal controls).

[8] See, for example, Z. Singer and H. You (2011). The Effect of Section 404 of the Sarbanes-Oxley Act on Earnings Quality. Journal of Accounting, Auditing & Finance, 26(3), 556-589 (finding an increase in earnings reliability for complying firms after SOX); Iliev (2010), supra note 1 (finding that 404 led to more conservative earnings reports and less earnings management); Gopal V. Krishnan and Wei Yu (2012). Do Small Firms Benefit from Auditor Attestation of Internal Control Effectiveness? AUDITING: A Journal of Practice & Theory 31(4), 115-137 (finding that audit attestation improved revenue quality).

[9] A survey by the Financial Executives Research Foundation in 2005 found that 83 percent of large company CFOs agreed that SOX had increased investor confidence. Financial Executives International and Financial Executives Research Foundation, Special Survey on Sarbanes-Oxley Section 404 Implementation. Morristown, N.J. (2005).

[10] For a discussion of the costs, see Fischer et al. (2014), supra note 6. Concerns over costs caused the SEC to repeatedly delay the audit attestation requirement for nonaccelerated filers. A recent study found that the delay resulted in each exempt firm saving an estimated $73,165 in annual audit fees from 2007 through 2014 (aggregate savings of $388 million). However, the same study found a cost of $719 million due to lower operating performance caused by failure to remediate non-effective controls, and a $935 million delay in aggregate market value decline due to the failure to disclose ineffective internal controls. Weili Gea, Allison Koester, and Sarah McVay (2017). Benefits and costs of Sarbanes-Oxley Section 404(b) exemption: Evidence from small firms’ internal control disclosures Journal of Accounting and Economics 63(2), 358-384.

[11] Testimony of NYSE President Thomas W. Farley on behalf of the New York Stock Exchange, before the U.S. House of Representatives Committee on Financial Services Capital Markets, Securities, and Investment, Subcommittee on U.S. Equity Market Structure (July 18, 2017).

[12] As an example of why costs may be different, consider that SOX 404(b) significantly increased demand for audit services when it was enacted, but that supply remained relatively constant. Thus, audit fees increased in that year even for firms not subject to SOX 404(b). Fifteen years later, supply may have increased to meet the heightened demand, thus reducing costs. Research has also found evidence of a learning curve and of greater acceptance of Section 404 over time. See Coates and Srinivasan (2014), supra note 5.

This post comes to us from Colleen Honigsberg, an associate professor at Stanford Law School, and Shivaram Rajgopal, the Roy Bernard Kester and T.W. Byrnes Professor of Accounting and Auditing at Columbia Business School.