The Sarbanes-Oxley Act: Do We Need a Regulatory or Legislative Fix?

May 16, 2007

Authors: David John and Nancy Marano

Since the passage of the Public Company Accounting Reform and Investor Protection Act of 2002 (the Sarbanes-Oxley Act), small and mid-sized public companies have struggled to comply with its onerous provisions, which created an enormous and disproportionate regulatory burden. Most of these costs can be attributed to Section 404, a small section of only 168 words that requires both an internal audit and an external audit of a company's financial accounting controls.

A growing body of evidence suggests that the unintended consequences of Sarbanes-Oxley, especially Section 404, are harming the U.S. economy and its financial industry. However, the problems with Section 404 are caused as much by how regulators have implemented it and how outside auditors have interpreted it as by the statute's own language. While both the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) have recently released proposed changes in how Section 404 is implemented, it is not clear that these changes will be sufficient to affect auditors' overzealous behavior in an era in which their every action may be subjected retroactively to a lawsuit. For that reason, auditors may need some level of protection against legal liability before they feel comfortable with reducing the scope, and cost, of Section 404 audits.

Furthermore, legislative action short of outright repeal of Section 404 is not certain to reduce the compliance burdens and costs. The wording of Section 404 is so simple and broad that corrective legislation would likely lengthen it and make it even more complex. However, one bill (H.R. 1508 and S. 869) appears capable of reducing the burden of Section 404 while still protecting investors.

Section 404 Requirements

Section 404 requires the management of any publicly traded company to produce an internal control report[1] describing the scope and adequacy of its financial reporting procedures and internal financial control structures. The company is required to include this information in its annual report, send it to investors, and file it with the SEC. In addition, the company must produce "an assessment…of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."[2] In the same report, an outside auditor must both attest to and report on the management's assessment of the effectiveness of the company's internal controls and procedures. In short, Section 404 requires both an internal audit and external audit of financial accounting controls, which has turned out to be costly and time-consuming in practice.

Section 404 duplicates part of Section 302 of the Sarbanes-Oxley Act, which requires that annual reports include a certification that the officers who signed the report are responsible for internal accounting controls, have evaluated them within the previous 90 days, and have reported on their findings. The certification must list all deficiencies in those controls and information on any fraud committed by any employee involved with those internal controls. It must also disclose any significant changes in the internal controls or other factors that could negatively affect them.[3]

The problems with Section 404 come not just from its language, but also from how regulators and auditing firms have implemented it. That implementation was influenced by the serious criticism of the SEC and the accounting industry over the accounting failures of Enron, WorldCom, and other corporations. It was also shaped by the prosecution and subsequent dissolution of Arthur Andersen, formerly one of the world's largest accounting and auditing firms, and by the scores of lawsuits against auditors filed after that prosecution. While the regulators shaped their initial implementation guidelines for Section 404 in a way to escape criticism for being too lax, the accounting industry's response sought to protect members from any future legal challenges.

The Public Company Accounting Oversight Board adopted Auditing Standard No. 2 to implement Section 404 on March 9, 2004,[4] and it was approved by the SEC on June 17, 2004. The standard is 161 pages of dense technical language that is virtually impenetrable for anyone other than an auditor. Given the accounting standard and the legal climate, auditors have felt that the only way to protect themselves from prosecution and shareholder suits is by extensively testing every internal standard and procedure, whether or not it is likely to have any significant effect on the financial statements' accuracy.

This implementation cost is spread unevenly among publicly traded companies, costing smaller companies significantly more proportionally than large companies because it imposes the same requirements on all publicly traded companies regardless of size. As a result, the SEC delayed Section 404 implementation for smaller companies several times and created an Advisory Committee on Smaller Public Companies to develop recommendations for how to apply Section 404 to smaller companies.

Attempted Regulatory Fixes

In December 2006, both the SEC and the PCAOB issued draft rules to reduce the burden that Section 404 imposes on smaller publicly traded companies. Both agencies decided against relief based solely on company size and instead decided to focus on the complexity of a company's financial operations. In addition, both agencies sought to focus auditors on potential problems that had the most probability of significantly affecting a firm's financial statements and away from a sweeping review that covers all aspects of a firm's financial controls, regardless of whether or not they were likely to cause significant risk to the company's financials.

The SEC proposal focuses on actions by management required under Section 404,[5] while the PCAOB proposal deals with guidance to auditors.[6] The SEC regulations would limit management's responsibilities to evaluating whether or not the design of the corporation's internal financial control system could "reasonably" be expected to detect a material misstatement of its financial condition. If the draft regulations are made final, executives would not be required to attest to details such as the accuracy of petty cash accounts or other minor areas that are unlikely to affect the company's overall financial condition significantly.

Regrettably, the SEC proposal would leave some issues unresolved. One is that the current SEC regulations on Section 404 go well beyond the direct intent of Congress by requiring a company's internal financial controls to include controls for safeguarding assets. While other laws require internal controls that safeguard assets, those controls did not have to be certified by an outside auditor. It is very hard to imagine a case in which the theft or loss of assets would be so great as to require reporting in a financial statement. Given the concern about the burden imposed by Section 404, the SEC could take the additional significant step of reducing that burden by withdrawing the regulations dealing with the safeguarding of assets.

The PCAOB proposal complements the SEC's actions by providing guidance to auditors on how to audit Section 404 compliance. In general, the proposed audit standard would encourage auditors to focus on risk assessment rather than on operational details. The proposed standard also defines terms such as "significant deficiency" and "material weakness" in a way that would help auditors to determine the relative importance of specific controls. Key changes are elimination of the requirement that auditors evaluate management's process and allowing auditors to use material from previous audits and the work of others. This last change would enable better integration of financial control audits into a company's regular audit of its financial statements.

Are the SEC and PCAOB Actions Sufficient?

The short answer is that the SEC and PCAOB actions are probably not sufficient. The SEC and the PCAOB have made good-faith efforts to reduce the burden of complying with Section 404, but the actual effects of those changes will not be known for at least a year. If auditors actually focus their attention on controls that have a reasonable risk of materially affecting financial statements, then the cost and scope of Section 404 audits should be reduced. However, many auditors may still feel that the regulatory changes do not adequately protect them from litigation and could insist on performing more comprehensive audits.

In the long run, accounting firms will probably need some limit on their liability for Section 404 audits before they feel able to change them significantly. Furthermore, the new SEC and PCAOB proposals may face a legal challenge that could necessitate a legislative fix.

Probably the best legislative change would be the moderate approach contained in H.R. 1508 and S. 869. However, although Representative Barney Frank (D-MA), chairman of the House Financial Services Committee, said in March 2007 that Sarbanes-Oxley requires too many certifications of financial statements, he also said that the SEC and PCAOB can handle the problem and that no legislation is needed.[7] Frank's opposition, combined with similar statements from Senator Christopher Dodd (D-CT), chairman of the Senate Banking Committee, and the April 24, 2007, defeat of an attempt by Senator Jim DeMint (R-SC) to attach the text of S. 869 to another bill,[8] probably ensures that there will be no early legislative action.

A Legislative Fix: The COMPETE Act

While most attention is currently focused on potential SEC and PCAOB actions to reform Sarbanes-Oxley, legislation has been proposed that would promote a more reasonable application of that law and especially benefit smaller public companies. The Competitive and Open Markets that Protect and Enhance the Treatment of Entrepreneurs (COMPETE) Act (H.R. 1508) was introduced in the House of Representatives on March 13, 2007, by Representatives Gregory W. Meeks (D-NY) and Tom Feeney (R-FL) and 25 cosponsors. An identical bill, S. 869, was introduced the next day in the Senate by Senator DeMint and two cosponsors. Similar legislation was introduced in the 109th Congress.

The COMPETE Act would allow smaller public companies to opt out of Section 404's reporting requirements, but it would still require them to maintain enhanced internal controls and increased transparency. Specifically, as introduced, the bill would:

  • Make Section 404 compliance voluntary for smaller companies;
  • Require that smaller and mid-sized companies that opt out of Section 404 comply with standard internal controls guidelines that better fit their size and risk to investors;
  • Require the SEC and PCAOB to define the standard of what is a true material weakness and better define what is "reasonable," "significant," and "sufficient" to provide clarity for audits and businesses and to standardize audits;[9]
  • Modify the independence rule to allow companies that conduct internal audits to receive prudent technical advice from their external auditors;
  • Reduce the frequency of random external audits for companies that must comply with Section 404 after their first year of successful compliance; and
  • Mandate a study of a standard-based approach to corporate governance.

Small and mid-sized companies are defined as having fewer than 1,500 shareholders, total market capitalization of under $700 million, and total product revenues of under $125 million. If the COMPETE Act becomes law, these smaller and mid-sized companies could avoid costly and time-consuming requirements that make them less competitive and more likely to go private or merge with a larger company.

Overall, H.R. 1508 is a moderate yet comprehensive approach to the major problems caused by Section 404. However, it is uncertain whether or not reducing the frequency of external audits of internal financial reporting controls will really reduce auditing fees. While this approach seems attractive as companies would only have to pay for a costly audit of their internal financial controls every few years, auditing firms could fear that they would be held liable for weaknesses in internal controls that might develop in years between the required audits and insist on repeating the checks every year, even though that is not required.

A more successful approach would legislatively change the structure of the Section 404 audit from examining the details of how a company's internal financial controls are structured and operate in day-to-day situations to certifying that the overall structure is appropriate for a company of its size. This approach, which is embodied in the SEC and PCAOB proposed regulatory changes, should be much easier and less costly for management to comply with and for auditors to examine. Legislation could also clarify the auditors' legal liability and clearly limit it to issues surrounding structure, while management would be solely responsible for the operation of that structure.

The Sarbanes-Oxley Act and What It Requires

Following unprecedented corporate scandals, most notably the 2002 collapse of Enron and WorldCom, Congress quickly enacted the Sarbanes-Oxley Act. The law places stringent corporate governance and financial reporting standards on all U.S. publicly owned companies and strict controls on management consultants and public accounting firms.

Although the act's introduction is credited with calming financial markets and raising investor confidence, its unprecedented reporting burdens and paperwork requirements are blamed for extremely high compliance costs and a share of the decline in the competitiveness of U.S. financial markets. In particular, Section 404 mandates that auditors sign off on a company's internal financial reporting controls, a costly process that has been especially burdensome for smaller publicly traded companies.

Sarbanes-Oxley primarily addresses auditor independence, corporate responsibility, and enhanced financial disclosure. In addition to mandating tougher penalties and longer prison sentences for executives who intentionally misstate financial statements, Sarbanes-Oxley:

  • Requires chief executive officers (CEOs) and chief financial officers (CFOs) to certify company financial reports and requires public reporting of their compensation and profits;
  • Accelerates reporting of trades by insiders;
  • Prohibits, under the "independence rule," audit firms from providing non-audit services to their clients such as consulting, legal, and actuarial services;
  • Requires auditor independence, including a pre-certification by company audit committees before auditors are hired to do any work unrelated to auditing; and
  • Requires publicly traded companies to furnish independent annual audit reports on the reliability of their internal financial reporting controls.

As noted, the last requirement, the assessment of internal controls structure and financial reporting systems by both management and an outside auditor as required by Section 404, is the most burdensome provision of the legislation and has been the subject of fierce debate since Sarbanes-Oxley was enacted. Yet while most discussions about Sarbanes-Oxley reform have focused on Section 404, it is not clear that correcting just those problems would restore the international competitiveness of American financial markets.

The PCAOB's Dubious Structure

Sarbanes-Oxley also added another level of oversight to the accounting industry by creating the Public Company Accounting Oversight Board. Since its creation, the PCAOB has issued broad interpretations of Sarbanes-Oxley's auditing rules, known as accounting standards, that have cost public companies and the overall U.S. economy billions of dollars each year.

According to Sarbanes-Oxley, the PCAOB is not part of the government, but a private entity that is owned by the SEC. This arguably violates the Appointments Clause of the U.S. Constitution,[10] because members of the PCAOB are appointed by and report to the five members of the SEC rather than the President. The legislators who created the PCAOB argued that, because the SEC already monitored accounting, it could create the PCAOB and designate it to oversee the accounting industry. Under Sarbanes-Oxley, the PCAOB develops company audit standards, which must be approved or disapproved as a whole by the commissioners of the SEC.

This ungainly structure was designed to meet the political goal of increasing audit oversight while not officially creating a new government agency. Critics point out that regardless of the wording in Sarbanes-Oxley, the PCAOB in fact operates like an independent executive agency, and the Free Enterprise Fund filed a lawsuit challenging the constitutionality of the PCAOB's structure. The U.S. District Court for the District of Columbia ruled against the suit on March 21, 2007,[11] but the Free Enterprise Fund has stated that it will appeal the decision.[12]

If the suit is successful and the PCAOB's structure is declared unconstitutional, the entire Sarbanes-Oxley Act could in theory be doomed because the law lacks a severability clause. Thus, if federal courts ruled against the current PCAOB structure, the entire Sarbanes-Oxley Act would be invalidated. However, the court would likely give Congress time to "fix" the act. As some experts have noted, these legal complications could set off a "gigantic litigation festival for trial lawyers"[13] at the expense of investors.

Regardless of how the suit is decided, the PCAOB's hybrid nature is a dangerous innovation that blurs the line between government entities and self-regulatory bodies such as the Financial Accounting Standards Board. At the very least, Congress should clarify that the PCAOB is a government agency and make board members presidential appointees who must be confirmed by the Senate. Regardless of the legal fiction that the PCAOB is a subsidiary of the SEC, it is in practice an independent agency and should be recognized as one.

The PCAOB could be folded into the SEC, but given the SEC staff's tendency to push for ever more comprehensive regulatory requirements regardless of whether they are supported by law and economic evidence, such a move would probably be a mistake. The PCAOB exists, and it is probably too late simply to eliminate it. In addition, the agency could serve a positive function by delineating acceptable auditing practices that should be protected from legal challenges.

Sarbanes-Oxley's Cost to U.S. Companies and Investors

Costs associated with Sarbanes-Oxley have become a major disincentive to companies listing on American stock exchanges to the point that London or another city could replace New York as the world's financial center. In June 2006, The Daily Telegraph reported that the United Kingdom's Financial Services Authority reassured London's financial community about a proposed NASDAQ takeover of the London Stock Exchange (LSE) "by saying that draconian US corporate governance regulations are unlikely to apply to UK-listed companies"[14] even if a U.K. exchange is purchased by an American exchange. In an editorial entitled "It's Risky All Round Doing Business with the Americans" that appeared opposite the news article, City Editor Damian Reece highlighted how the LSE is benefiting by advertising itself as a Sarbanes-Oxley-free zone. He described Sarbanes-Oxley as an "over-zealous political and regulatory reaction" to the Enron scandal that "has made American stock exchanges, the key capital-raising entity in any free-market economy, a more expensive and difficult place to do business."[15]

Similarly, in January 2006, The Wall Street Journal reported that more and more companies were choosing to list on foreign exchanges rather than on a U.S. exchange. Before Sarbanes-Oxley, nine dollars out of every 10 raised by foreign companies came from new stock offerings in New York City. Three years after Sarbanes-Oxley, that number had shrunk to one dollar out of every 10.[16] There are certainly other factors, such as a major shift in how financial markets operate, that contributed to this decline, but understating Sarbanes-Oxley's impact would be a mistake.

A recent Capitol Analysts Network study showed that 129 new listings appeared on foreign exchanges in 2005, compared to only six listings on U.S. stock exchanges.[17] In addition, while only 43 companies de-listed from U.S. exchanges in the year before Sarbanes-Oxley, 198 companies de-listed in the year following the act, and 134 more followed suit in 2004. The report correctly points out that small companies have five options to help their shareholders: never going public; selling out to larger firms; voluntarily de-listing from the American Stock Exchange, NASDAQ, or the New York Stock Exchange; listing on the London or Hong Kong exchange; or simply remaining a publicly traded company and being subject to costly regulation. As the report notes, four of these choices are detrimental to the U.S. economy and U.S. exchanges.[18] However, de-listing allows only small publicly traded companies to escape Sarbanes-Oxley because current rules state that a company with more than 300 stockholders that de-lists must remain registered with the SEC and still meet Sarbanes-Oxley requirements.

According to an American Electronics Association study, complying with Sarbanes-Oxley's requirements costs companies $35 billion per year.[19] These costs are disproportionately higher for smaller companies, which have limited resources. The report states that the regulatory burden imposed by Section 404 cripples competition by limiting the number of smaller firms in the marketplace and forcing investors to put their money into larger companies that have less potential for growth.

Although the SEC initially estimated that the cost of compliance with Sarbanes-Oxley would be $91,000 per company, or about $1.24 billion overall, most studies agree that the real cost is significantly higher.[20] At one extreme is an American Enterprise Institute study that measured the total drop in market capitalization during Congress's consideration of Sarbanes-Oxley in July 2002 and concluded that it has already cost the American economy $1.4 trillion.[21] More recent estimates put the average cost of direct compliance costs and outside auditing fees in 2006 at 2.5 percent of a company's revenues.[22]

Evidence suggests that the costs associated with Sarbanes-Oxley are a significant factor in pushing companies entirely out of the public sector. A study conducted by Foley & Lardner, a national law firm, found that the average annual regulatory cost for a public company in the U.S. had more than tripled in the two years after Sarbanes-Oxley was enacted. According to the study, while 143 companies went private in 2001, the year before Sarbanes-Oxley was enacted, 245 public companies made the switch in 2004.[23]


Although Congress sent a clear message by enacting Sarbanes-Oxley that corporate fraud would not be tolerated, such fraud was already a crime. In over two dozen cases, the executives behind the Enron, WorldCom, and similar scandals have been tried, convicted, and sentenced under criminal laws that were on the books before Sarbanes-Oxley.

While fraud was already a crime, under Sarbanes-Oxley, CEOs, CFOs, members of boards of directors, and external auditors who incorrectly confirm the accuracy of a company's financial statements face serious civil and criminal repercussions, including prison sentences that could exceed sentences given to convicted murderers. As a result of these severe penalties, corporate leaders have become more averse to risk, seriously undermining corporate earnings.

In addition, Sarbanes-Oxley also criminalized failing to identify risks that are later found to be problems.[24] Fear of prosecution also damages the relationship between companies and auditors. The potential of tough penalties for any misstep makes auditors less likely to give advice on whether or not a company is complying with the law for fear of criminal prosecution. Before Sarbanes-Oxley, this was precisely their job. Companies can no longer choose to ignore any advice from auditors for fear that it could be regarded as creating a material weakness under Sarbanes-Oxley.[25]

April 2006 GAO Recommendations

In an April 2006 report, the Government Accountability Office (GAO) reported that Sarbanes-Oxley in general and Section 404 in particular imposed a significantly higher and disproportionate compliance cost on smaller public companies than they did on larger companies. Cost estimates associated with Section 404 include both direct compliance costs and related audit fees. The GAO noted that smaller companies' resource limitations and confusion regarding implementation of internal controls accounted for approximately 2 percent of small companies becoming private in 2004.

The GAO report included recommendations that the SEC determine the appropriate relief for smaller companies and urged the SEC chairman to "analyze and consider, in addition to size, the unique characteristics of smaller public companies and the knowledge base, educational background, and sophistication of their investors in determining categories of companies for which additional relief may be appropriate."[26]

Olympia Snowe (R-ME), then chairman of the Senate Small Business Committee and one of two Senators who requested the GAO study, characterized the results as demonstrating the need for regulators to lessen the law's impact on smaller companies:

This report leads me to caution the SEC against creating complex and cumbersome regulations that have the potential to place small businesses in a paralyzing state of regulatory limbo and damage their ability to create jobs. Instead, I urge the SEC to adopt clear, unambiguous and practical small-business rules.[27]

The SEC Advisory Committee on Small Public Companies

Following a massive outcry about the anticipated burden of complying with Sarbanes-Oxley, the SEC created the Advisory Committee on Small Public Companies in March 2005. In its final report on April 23, 2006, the committee recommended an exemption from Section 404 for small companies with market caps of less than $128 million and/or those that take in less than $125 million.[28] It also recommended reducing the requirements for all other companies with market caps up to $787 million.

However, in spite of these recommendations and similar recommendations from the GAO, the SEC announced on May 17, 2006, only a brief postponement of Section 404 requirements for the smallest company filers, noting that all companies would ultimately be required to comply with Section 404 and other requirements.[29] Ultimately, both the SEC and the PCAOB responded with significant changes that should reduce the administrative burden, but it would be naive to assume that the agencies' proposals will not be controversial.

At the time that the advisory committee was completing its recommended exemption from Section 404, former SEC chairman Arthur Levitt called such a move a "misguided exemption" on the grounds that it "would make it more difficult for smaller companies to attract capital needed for growth and undermine confidence in markets," noting his "fear that these proposed changes will harm, not help, small companies."[30]

Those who side with the former SEC chairman underestimate smaller publicly traded companies, which are sensitive to market forces. Those companies are quite aware of the need to maintain a necessary level of internal controls in order to attract capital investment. Opting out of Section 404 would not allow these companies to circumvent corporate governance altogether, but it would give them the freedom to adjust their internal control structures to the level that would best attract outside investment capital.

If compliance with the specific requirements of Section 404 is what investors need to feel secure, then equities of those smaller companies that voluntarily choose to meet those standards will increase in price faster than those of companies that choose not to comply. Such a signal would clearly encourage all companies to meet the more stringent standards rather than to develop their own.

What Should Be Done

To mitigate some of the problems created by Sarbanes-Oxley and to change international perceptions of the law, Congress should:

  • Strongly consider legislative changes in Section 404, such as those contained in H.R. 1508 and S. 869;
  • Limit auditors' legal liability for good faith audits; and
  • Clarify the structure of the PCAOB by making it an independent agency.

For their part, the SEC and the PCAOB should:

  • Implement proposed regulatory changes in the implementation of Section 404 but withdraw Section 404 regulations dealing with the safeguarding of assets.


Although Sarbanes-Oxley initially calmed investors' fears and strengthened the internal controls of U.S. companies, it has also had a number of unintended consequences. These are mainly, but not exclusively, due to Section 404 and how it has been implemented. Recent SEC and PCAOB actions appear likely to lessen the negative impact of Section 404 and other parts of Sarbanes-Oxley significantly, but their effectiveness will take several years to measure. In the interim, the new congressional leadership and the Bush Administration appear to have reached a consensus that legislative action is not desirable.

However, failure to take some additional publicized action to address the burdens imposed by Sarbanes-Oxley could have serious consequences. The international financial markets are changing rapidly, and the United States' former dominant position in this area is clearly threatened. Sarbanes-Oxley's real and perceived negative impact on U.S. and foreign companies that are publicly traded on U.S. exchanges appears to have accelerated the movement of international financial transactions outside of New York. The regulatory reforms proposed by the SEC and the PCAOB could significantly reduce compliance costs, but they are unlikely to change international perceptions of the law. That would almost certainly require congressional action.

Even if a legislative review of the law is delayed while the SEC and PCAOB regulatory improvements are given a chance to work, Congress still needs to eliminate the unnecessary parts of the law in the long run.

Sarbanes-Oxley is an object lesson that congressional overreaction to a crisis or scandal can have serious negative consequences. Imposing a highly technical one-size-fits-all requirement on businesses regardless of their sizes could cause as much harm as the problem that Congress seeks to solve. Congress needs to remember this the next time it is tempted to legislate before it really understands the problem that it is attempting to correct.

David C. John is Senior Research Fellow in Retirement Security and Financial Institutions and Nancy M. Marano is a former Research Assistant in the Thomas A. Roe Institute for Economic Policy Studies at The Heritage Foundation.
