• Heritage Action
  • More
WebMemo #3380 on Labor

September 30, 2011

Congress Should Repeal or Fix Section 404 of the Sarbanes–Oxley Act to Help Create Jobs

By

Americans need jobs. The private sector of the American economy will create jobs when government removes the obstacles it has placed in the way of job creation and when the demand for goods and services rises. The government should promptly review the vast increase in government regulation of the economy that has occurred in recent decades and modify or repeal statutes and override regulations that discourage the private sector from creating jobs. Congress could start by reviewing and fixing section 404 of the Sarbanes–Oxley Act of 2002, as amended in 2010 by the Dodd–Frank Wall Street Reform and Consumer Protection Act.[1]

Section 404 Imposes Unwarranted Costs on the Private Sector

Section 404 of the Sarbanes–Oxley Act, as amended, requires the Securities and Exchange Commission (SEC) to issue rules to require companies whose stock is publicly traded (for example, on the New York Stock Exchange) and whose aggregate worldwide value is $75 million or more, to:

(1)   include in its annual report filed with the SEC a statement of the responsibility of the company management for “establishing and maintaining an adequate internal control structure and procedures for financial reporting” ;

(2)   include in its annual report filed with the SEC an assessment of the effectiveness of the company’s internal control structure and procedures for financial reporting; and

(3)   have the registered public accounting firm that does the company’s audit report “attest to, and report on, the assessment made by the management . . . .”[2]

To acquire and verify the accuracy of information needed to write an assessment of internal controls in an organization of any significant size and, further, to get an auditing firm to attest to that assessment, costs money—lots of it. As New York City Mayor Michael Bloomberg and U.S. Senator Charles E. Schumer said jointly, referring to the U.S. regulatory framework as “a thicket of complicated rules” in 2007, “[t]he flawed implementation of the 2002 Sarbanes–Oxley Act (SOX), which produced far heavier costs than expected, has only aggravated the situation . . . .”[3] Later that year, in calling for changes in the implementation of section 404 rather than changes in section 404 itself, then-President George W. Bush said that “complying with certain aspects of the law, such as Section 404, has been costly for businesses and may be discouraging companies from listing on our stock exchanges . . . .[4] The Heritage Foundation conducted a study in 2008 that showed major increases in the audit fees companies paid as a result of section 404.[5] The costs of implementing section 404 were many multiples of what the SEC had estimated.[6]

Congress Started Fixing Section 404 but Has Not Completed the Job

Congress waited patiently from 2007 to 2010 for the SEC and the Public Company Accounting Oversight Board (PCAOB), whose rules the SEC approves, to change rules in a way that would solve the problem of unwarranted costs imposed on the private sector by the rules implementing section 404 of the Sarbanes–Oxley Act.[7] While the SEC tinkered with the rules, it did not solve the problem to the satisfaction of Congress.[8] Congress took action in 2010 to address part of the problem, granting by statute to companies whose stock is publicly traded and whose aggregate worldwide value is $75 million or more an exemption from the requirement in section 404(b) for the company to have the registered public accounting firm that does the company’s audit attest to, and report on, management’s assessment of the company’s internal control structure and procedures.[9]

While Congress took a laudable first step in exempting the smaller companies from section 404(b), Congress should complete promptly the job of reviewing the full impact of section 404, including on medium-sized and large-sized companies, and repealing section 404 or fixing it to eliminate unwarranted costs. Companies could use freed funds, no longer absorbed by section 404 implementation, to invest in their lines of business, creating much-needed jobs.

Congress Should Re-examine Whether Section 404 Is Needed and, If So, How to Cut Its Costly Burden on Businesses

Congress should reconsider carefully the requirements in section 404 for company management to assess the effectiveness of its internal control structure and procedures and then for the company’s registered public accounting firm to attest to that management assessment. Given the traditional role of each state in regulating the corporate governance of corporations incorporated in that state,[10] Congress should first examine anew whether federal law should address those subjects, or whether they should be left to state law. In a society based on limited government and free enterprise, and in light of the traditional role of the states in our federal system, Congress should start its examination with a presumption in favor of repealing section 404 and leaving the subjects addressed by section 404 to the states.

If Congress nevertheless concludes anew that federal law should address the subjects covered in section 404, then Congress should consider how to attain, at a lower cost to the affected companies, whatever benefits Congress believes the federal law confers. For example, company managements and auditing firms, fearful of the legal risks they face as they make and attest to assessments of internal controls required by section 404, may press for a degree of assurance of accuracy that is costly to attain and exceeds the degree necessary to provide comfort to markets about the soundness of the company’s accounting. Congress could address such concerns through a variety of statutory changes, such as amending section 404 to include a reasonable standard of material weakness with respect to internal controls,[11] specifying that section 404 creates no liability to any parties, other than to the United States to the extent otherwise provided by law,[12] or rendering criminal penalties inapplicable absent intentional criminality.[13] Congress also could consider further exemptions from all or part of section 404 based on the market capitalization of companies,[14] the function of the company,[15] or other criteria.[16] Recognizing that companies and auditing firms may incur transition costs to implement changes with respect to section 404, Congress should attempt to minimize the costs of implementing the needed changes.

Congress Should Review Section 404 Promptly

Congress should take promptly every step it reasonably can to discourage unwarranted regulations and encourage economic growth and job creation. The government should not force businesses to use their funds to meet the costs of compliance with excessive government regulation when companies could invest those funds to create jobs and meet demand for their products or services. Congress should proceed immediately to reexamine section 404 of the Sarbanes–Oxley Act of 2002 and repeal or modify it as necessary, to free businesses to invest more of their funds in creating jobs and economic growth rather than in complying with government overregulation.

David S. Addington is Vice President for Domestic and Economic Policy at The Heritage Foundation.

Show references in this report



[1]Section 404 of the Sarbanes–Oxley Act of 2002 (Public Law 107-204, July 30, 2002), as amended by section 989G(a) of the Dodd–Frank Wall Street Reform and Consumer Protection Act (Public Law 111-203, July 21, 2010)(15 U.S.C. 7262). In section 404, the “Commission” means the Securities and Exchange Commission, the “Board” means the Public Company Accounting Oversight Board, and an “issuer” means “an issuer (as defined in section 3 of the Securities Exchange Act of 1934 (15 U.S.C. 78c)), the securities of which are registered under section 12 of that Act (15 U.S.C. 78l), or that is required to file reports under section 15(d) (15 U.S.C. 78o(d)), or that files or has filed a registration statement that has not yet become effective under the Securities Act of 1933 (15 U.S.C. 77a et seq.), and that it has not withdrawn.” See sections 2(a)(5), (6), and (7) of the Sarbanes–Oxley Act of 2002.

[2]Section 404 of the Sarbanes–Oxley Act of 2002, as amended, provides in full:

SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.

(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

(c) EXEMPTION FOR SMALLER ISSUERS.—Subsection (b) shall not apply with respect to any audit report prepared for an issuer that is neither a “large accelerated filer” nor an “accelerated filer” as those terms are defined in Rule 12b-2 of the Commission (17 C.F.R. 240.12b-2).

[3]Michael Bloomberg and Charles E. Schumer, Letter forwarding report prepared by McKinsey & Company, “Sustaining New York’s and the US’ Global Financial Services Leadership,” (January 22, 2007), p. 2, available at http://www.nyc.gov/html/om/pdf/ny_report_final.pdf (visited September 26, 2011).

[4]President George W. Bush, Statement by the President (Federal Hall, New York City, New York, January 31, 2007).

[5]Jiamin Wang, “Sarbanes–Oxley Section 404 Places Disproportionate Burden on Smaller Public Companies,” Center for Data Analysis, The Heritage Foundation, August 2008, p. 37 (“Our analysis of Sarbanes–Oxley Section 404’s impact on public companies, especially smaller 404 filers, suggests that: . . . Section 404 has imposed a heavy compliance burden for all 404 filers: 404 filers experienced a median increase of 66 percent in audit fee as a percentage of revenue from base year to the second compliance year, while non-404 filers only experienced a median increase of 9 percent during that period. . . .”), available at http://www.heritage.org/About/Staff/Departments/Center-for-Data-Analysis/~/media/CDA/CDA_features/SOXCDAedited3.ashx (visited September 27, 2011).

[6]Stephen M. Bainbridge, “Dodd–Frank: Quack Federal Corporate Governance Round II,” 95 Minn. L. Rev. 1779, 1781 (May 2011)(“The SEC estimated that the average cost of complying with section 404 would be approximately $91,000. As it turned out, a 2005 survey put the direct cost of complying with section 404 in its first year at $7.3 million for large accelerated filers and $1.5 million for accelerated filers. . . . Second-year compliance costs dropped, although surveys report widely differing estimates of the extent of the drop. According to all the surveys, however, second-year compliance costs remained many times greater than the SEC’s estimate of first-year costs.”)(footnotes omitted).

[7]The PCAOB is a private nonprofit corporation whose board members and employees are not government employees for statutory purposes, but whose board members the SEC appoints and which has substantial powers to govern the accounting and auditing industry. 15 U.S.C. 7211. The SEC approves rules issued by the PCAOB. 15 U.S.C. 7217. See Free Enterprise Fund v. Public Company Accounting Oversight Board, 130 S. Ct. 3138, 3147 (2010).

[8]The SEC staff maintains that, “[s]ince the enactment of the Sarbanes–Oxley Act, the Commission has taken several steps to reduce the burden for issuers to comply with the reporting and attestation requirements under section 404,” and has published a list of those steps. SEC, “Study and Recommendations on Section 404(b) of the Sarbanes–Oxley Act of 2002 For Issuers With Public Float Between $75 and $250 Million” (April 2011), available at http://www.sec.gov/news/studies/2011/404bfloat-study.pdf (visited September 26, 2011), pp. 14–25.

[9]Section 989G(a) of the Dodd–Frank Wall Street Reform and Consumer Protection Act (Public Law 111-203, July 21, 2010). Section 989G also directed the SEC to “conduct a study to determine how the Commission could reduce the burden of complying with section 404(b) of the Sarbanes–Oxley Act of 2002 for companies whose market capitalization is between $75,000,000 and $250,000,000 for the relevant reporting period while maintaining investor protection for such companies.” In response, the SEC submitted to Congress the “Study and Recommendations on Section 404(b) of the Sarbanes–Oxley Act of 2002 For Issuers With Public Float Between $75 and $250 Million” (April 2011), available at http://www.sec.gov/news/studies/2011/404bfloat-study.pdf (visited September 26, 2011). The SEC study made two recommendations: (1) “Maintain existing investor protections of Section 404(b) for accelerated filers, which have been in place since 2004 for domestic issuers and 2007 for foreign private issuers,” and (2) “Encourage activities that have potential to further improve both effectiveness and efficiency of Section 404(b) implementation.” The SEC in effect ignored the statutory directive to “determine how” the Commission could reduce the section 404(b) burden and just responded to Congress as if the statute had asked “whether” the Commission should reduce the burden.

[10]Given the tendency of many public corporations to incorporate in Delaware, that state’s corporation law would be of particular interest in re-examining whether a need exists for a federal law on management assessment of internal controls, and accounting firm attestation thereto. See, Stephen M. Bainbridge, “Dodd–Frank: Quack Federal Corporate Governance Round II,” 95 Minn. L. Rev. 1779, 1784-86 (May 2011).

[11]Paragraph A7 of Appendix A to the PCAOB’s Auditing Standard No. 5, “An Audit of Internal Control Over Financial Reporting That is Integrated With an Audit of Financial Statements” (June 12, 2007), defines “material weakness” as follows:

A7. A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis. Note: There is a reasonable possibility of an event, as used in this standard, when the likelihood of the event is either “reasonably possible” or “probable,” as those terms are used in Financial Accounting Standards Board Statement No. 5, Accounting for Contingencies (“FAS 5”).

The FAS 5 definition of “reasonably possible” is “[t]he chance of the future event or events occurring is more than remote but less than likely”—which may create a concern among company managements and auditing firms that the rules implementing section 404 require them to make certain that there is no more than a slightly-greater-than-remote chance that the internal controls would fail to prevent or detect a deficiency. To provide a more reasonable standard of materiality for company management and external auditors, Congress could consider whether to amend section 404 by (1) inserting “, with respect to material weaknesses,” after “adequate”; (2) inserting “, with respect to material weaknesses,” after “effectiveness”; and by adding at the end of section 404 “(d) MATERIAL WEAKNESS.—For purposes of this section, a ‘material weakness’ is a deficiency, or combination of deficiencies, such that a material misstatement of the company’s annual or interim financial statements likely will not be prevented or detected on a timely basis.”

[12]For example, Congress could consider whether to amend section 404 by adding at the end thereof: “(d) PROHIBITION ON LIABILITY OTHER THAN TO THE UNITED STATES.—This section shall not give rise, directly or indirectly, to any criminal, administrative, or civil liability of any kind to any person or government, other than to the United States to the extent otherwise provided by law.” The provision would make clear that companies and accounting firms, and their personnel (each of whom is a “person” under section 1 of title 1, United States Code), are not liable, for failure to comply with section 404, to anyone (such as individuals, other companies, or state or local governments) except to the U.S. government and then only to the extent that law other than section 404 provides for the liability to the U.S. government. See Horizon Asset Management, Inc. v. H&R Block, Inc., 580 F. 3d 755 (8th Cir. 2009)(allegations of false statements by company officers made in course of company’s implementation of section 404 of Sarbanes–Oxley Act were insufficient basis to infer scienter element required in civil action for securities fraud); see also Kim v. Boeing Co., 2011 WL 4437086 (W.D. Wash. September 23, 2011)(granting summary judgment in favor of company in employee civil action under 18 U.S.C. 1514A against company based on alleged retaliation against employee for blowing the whistle on alleged company failure to comply with rules implementing section 404 of Sarbanes–Oxley Act).

[13]To illustrate, Congress could consider whether to amend section 404 by adding at the end thereof: “(d) STATE OF MIND.—No person shall be convicted of an offense against the United States based in whole or in part upon conduct that violates this section or a rule issued under this section, unless the person willfully violated this section or such rule.” The provision would require the government to prove beyond a reasonable doubt that the person charged with the offense committed an intentional violation of a known legal duty under section 404 or the rules implementing section 404. Thus, the provision would make clear that companies and accounting firms, and their personnel (each of whom is a “person” under section 1 of title 1, United States Code), cannot be held criminally liable for mere errors or omissions they make in their efforts to comply with section 404.

[14]See, for example, H.R. 2941 of the 112th Congress, the “Startup Expansion and Investment Act,” introduced on September 15, 2011, by Representative Ben Quayle (R–AZ). The bill permits a company whose stock is publicly traded, whose market capitalization is less than $1 billion, and which has been subject for fewer than 10 years to the Securities Exchange Act requirement to file an annual report with the SEC, to elect not to be subject to the section 404 requirements for a management assessment of internal controls and the auditor attestation of that assessment. Such legislation is designed to reduce the costly burden of compliance with much of section 404 in the early years after a corporation first offers its stock for public trading. However, the bill appears to have the effect (at least after a company has reported to the SEC for a decade) of undoing the existing exemption from the auditor attestation requirement for smaller-capitalization corporations granted by section 989G(a) of the Dodd–Frank Wall Street Reform and Consumer Protection Act (Public Law 111-203, July 21, 2010).

[15]See, for example, section 102 of H.R. 1697 of the 112th Congress, the “Community Banks Serving Their Communities First Act,” introduced on May 3, 2011, by Representative Blaine Luetkemeyer (R–MO). Section 102 of H.R. 1697 would exempt insured depository institutions with assets valued at $1 billion or less from section 404 of the Sarbanes–Oxley Act. The same provision appears in section 102 of S. 1600, also titled “Community Banks Serving Their Communities First Act,” introduced on September 22, 2011, by Senator Jerry Moran (R–KS).

[16]Under section 302 of the Sarbanes–Oxley Act (15 U.S.C. 7241), chief executive and chief financial officers must, in the company’s reports to the SEC, make various certifications, including about truth of report statements, fair presentation of financial condition, and effectiveness of internal controls. The requirements of section 302 overlap to some extent with the requirement under section 404(a) for an assessment of internal controls. David C. John and Nancy M. Marano, “The Sarbanes–Oxley Act: Do We Need a Regulatory or Legislative Fix?” Heritage Foundation Backgrounder No. 2035, May 16, 2007, p. 2, available at http://www.heritage.org/Research/Reports/2007/05/The-Sarbanes-Oxley-Act-Do-We-Need-a-Regulatory-or-Legislative-Fix (visited September 29, 2011). Accordingly, if Congress makes statutory adjustments to address concerns with the scope of section 404 and the costs of implementing that section, it should consider whether there is a need for corresponding adjustments in relation to section 302.

Heritage's daily Morning Bell e-mail keeps you updated on the ongoing policy battles in Washington and around the country.


The subscription is free and delivers you the latest conservative policy perspectives on the news each weekday--straight from Heritage experts.


The Morning Bell is your daily wake-up call offering a fresh, conservative analysis of the news.


More than 450,000 Americans rely on Heritage's Morning Bell to stay up to date on the policy battles that affect them.


Rush Limbaugh says "The Heritage Foundation's Morning Bell is just terrific!"


Rep. Peter Roskam (R-IL) says it's "a great way to start the day for any conservative who wants to get America back on track."


Sign up to start your free subscription today!