Investor Demand for Internal Control Audits of Large U.S. Companies

If regulation did not require large U.S. companies to have internal control audits, would investors demand this external assurance? In other words, would investors demand, or value, internal control audits for large companies if they were voluntary?  This is the question we explore in our article, Investor Demand for Internal Control Audits of Large U.S. Companies: Evidence from a Regulatory Exemption for M&A Transactions, forthcoming in The Accounting Review.

When politicians signed the Sarbanes-Oxley Act of 2002 (SOX) into law, they effectively mandated a new form of external assurance that previously had not been supplied in the market. Specifically, section 404(b) of SOX requires auditors of large U.S. public companies to opine on the quality of their clients’ internal controls over financial reporting. This costs U.S. companies, in aggregate, several billion dollars every year. The intended benefit of internal control audits is to “increase market efficiency by improving investor confidence in the reliability of a company’s financial disclosure and system of internal control over financial reporting” (https://www.sec.gov/rules/final/33-8238.htm). However, because financial statement audits already provide investors with (a) assurance over company financial reports and (b) a legal claim against auditors, it is unclear whether investors demand, or value, additional assurance over a company’s internal controls. Because SOX 404(b) went into effect at the same time for all large U.S. public companies (i.e., accelerated filers), quantifying the value that investors place on internal control audits for these large companies has proven difficult.

A key innovation in this study is that we exploit a regulatory exemption that allows companies the option to exclude acquired operations from an internal control audit in the year of acquisition. Regulators granted this exemption based on the expectation that it might not always be possible for a company and its auditors to complete an assessment of an acquired business’s internal control over financial reporting in the period between the effective date of acquisition and the year-end reporting date. This exemption provides a setting in which we can observe variation in the “amount” of assurance over internal controls for a sample of large U.S.-based public companies. This allows us to provide insight on whether investors in large companies demand assurance on internal control quality, regardless of the outcome of those internal control audits.

If investors demand internal control assurance either because of (a) expected improvements in information quality, or (b) information signaled by management’s choice to have the audit, we hypothesize that investors will respond negatively to the revelation that an internal control audit did not include acquired operations. Further, we expect investor reactions will be magnified as the percentage of a company excluded from an internal control audit increases. Similarly, the investor reaction should also be magnified when there is greater information uncertainty ex ante about the consolidated company. Descriptively, we find that 35 percent of material acquisitions completed from 2005 to 2013 were excluded from large U.S. companies’ internal control audits. With respect to our hypotheses, we find that companies that exclude acquired operations from the internal control audit experience negative and statistically significant abnormal returns on the day that the opt-out decision is revealed (i.e., the Form 10-K release date). The economic effect is a 17 to 44 basis point difference in one-day abnormal returns between opt-out and opt-in companies. Further, in cross-sectional tests we find that, as expected, abnormal returns are even more negative for a) large acquisitions that are scoped out and b) companies that have lower information quality ex ante; as measured by higher previous stock return volatility and higher bid-ask spreads. These findings suggest that, in a setting where internal control assurance is essentially voluntary, investors perceive value in (i.e., demand) internal control audits for large companies.

Having found evidence that investors demand internal control audits in a relatively homogenous group of large U.S. companies, we next examine whether investors’ reactions appear justified. Specifically, we examine the relation between the extent of internal control assurance and financial reporting quality. If opt-out disclosures provide relevant information about financial reporting quality, then the negative investor reactions at the time of the revelation of the opt-out decision seem justified. We find that the likelihood of an accounting restatement in the 12 months following an acquisition’s effective date, the period most likely to be affected by a reduction in assurance of internal control quality, is higher for companies who opt-out of internal control audits. Therefore, investors’ negative reactions to opt-out decisions appear to be justified.

Overall, the results of this study suggest that investors demand internal control assurance for large U.S. companies. Even though these large companies would seemingly have high quality financial reporting ex ante, we find that investors react negatively if these companies exclude a portion of their operations from their internal control audit. This evidence suggests that voluntary internal control audits provide verification and/or signaling benefits for large U.S. public companies.

This study provides insight into how internal control assurance impacts various market and corporate outcomes. Prior studies on internal control audits have generally investigated small public companies around the size-cutoff ($75 million in market capitalization) for mandated internal control audits. This previous design choice is likely due to the lack of identified variation in internal control audits within larger companies. However, both internal control processes and audits are fundamentally different for large versus small companies. In sharp contrast to prior studies on internal control audits, the average company in our study has a market capitalization of $10.1 billion, making the companies in our study more representative of the large companies that make up the overall U.S. market capitalization. Furthermore, the average size of an acquisition in our sample is $1.0 billion.

The results of our study should be informative to policy makers. Aside from the PCAOB’s recent focus and inspection efforts on internal control audits, regulators have continually reduced the scope and extent of mandated internal control audits. Our results suggest that future reductions in internal control assurance for large companies may be viewed negatively by investors. Importantly, because the extent of internal control audits is associated with future restatements, reductions in mandated internal control audits may have a negative impact on future reporting quality.

The complete article is available for download here.