Sarbanes-Oxley § 404 at Twenty

Stephen M. Bainbridge is the William D. Warren Distinguished Professor of Law at UCLA School of Law. This post is based on his recent paper.

Almost two decades ago, the late securities law scholar Larry Ribstein used the then newly adopted Sarbanes-Oxley Act of 2002 (“SOX”) as a case study of federal regulatory responses to capital market crises. Ribstein drew three conclusions from that study:

First, the appropriate regulatory course is often unclear, given the uncertain costs and benefits of regulation. Second, even if theoreticians can propose a regulatory solution that seems to work, political realities and the interplay of interest groups often intervene to prevent this solution from being adopted. Third, even if markets have malfunctioned, market actors often are better able than politicians to correct them.

In light of those concerns, Ribstein argued for including sunset provisions in major changes in the federal laws regulating securities and corporate governance, especially with respect to regulatory responses to disclosure abuses resulting from new devices or practices. Roberta Romano similarly argued that “the best means of responding to the typical pattern of financial regulation—legislating in a crisis atmosphere under conditions of substantial uncertainty followed by status quo stickiness—is to include as a matter of course in such legislation and regulation, sunset provisions requiring subsequent review and reconsideration . . ..” Both scholars premised their arguments on the belief that major reform legislation in this field tends to come after a major stock market bubble bursts, a proposition I likewise embraced in my book Corporate Governance After the Financial Crisis. In the political ferment following bursting of a bubble, I argued, “policy entrepreneurs . . . spring into action, hijacking the legislative response to the crisis to advance their agenda,” which may not be socially optimal. The political pressure associated with the fallout from a burst bubble, moreover, “does not facilitate careful analysis of costs and benefits.” The result is often “rules that were wrong from the outset or may quickly become obsolete.”

These concerns motivated Ribstein, Romano, and myself to favor what Ribstein called “humble regulation.” Collectively, as Usha Rodrigues observed, “Bainbridge, Romano, and Ribstein condemn congressional intervention in business law, advocating for increased state power, sunsets, and other measures to curb excessive regulatory legislation.” Specifically, I offered up SOX § 404 as a poster child for the case for humble regulation.

As adopted, § 404(a) required the SEC to promulgate rules requiring reporting companies to include a statement by issuer management acknowledging their responsibility “for establishing and maintaining an adequate internal control structure and procedures for financial reporting” and assessing, “as of the end of the end of the issuer’s most recent fiscal year, the effectiveness of the issuers’ internal controls for financial reporting.” Section 404(b) required the issuer’s external auditor to “attest to, and report on,” management’s assessment of its internal controls over financial reporting.

SOX § 404 was intended to improve public company internal controls over financial reporting (ICFR). Faulty internal controls were believed to have contributed to many corporate scandals during the dot-com era. Empirical research of the pre-SOX era suggested that reporting companies with poor internal controls tended to have more frequent earnings restatements, more SEC enforcement proceedings, and poorer performance than comparable firms with strong internal controls.

When SOX was adopted § 404 was not among the most controversial provisions. Instead, it was the attorney conduct rules, CEO and CFO certification requirements, and the ban on loans to officers and directors—plus the larger question of federalizing corporate governance—that generated most of the early criticism aimed at the statute. Once companies began implementing § 404’s mandate for assessments of their internal controls over financial reporting, however, it became apparent that compliance costs were considerably greater than anticipated. In short order, § 404 became—and remains—SOX’s most controversial provision.

In response to these ongoing controversies, Congress and the SEC offered issuers various forms of relief. The net effect of these successive rulemaking proceedings is that all reporting companies are now required to comply with the management assessment mandated by § 404(a). Non-accelerated filers and a substantial number of accelerated filers, however, are exempt from the auditor attestation required by § 404(b). The result is that a significant number of reporting companies are subject only to § 404(a), although the precise percentage of reporting companies subject solely to § 404(a) is somewhat uncertain.

SOX’s twentieth anniversary seems an opportune time to reassess the controversy over § 404. There is a considerable body of empirical evidence on the costs and benefits of § 404, which this article reviews. As it turns out, however, there are so many potential confounding factors that all of the evidence must be viewed with a degree of skepticism. Nonetheless, a few conclusions can be drawn.

Reviewing the empirical evidence on SOX § 404’s costs and benefits calls to mind Harry Truman’s wish for a one-handed economist. There is evidence on both sides of the debate about the statute’s merits. But there are so many potential confounding factors that all of the evidence must be viewed with a degree of skepticism. Nonetheless, a few conclusions can be drawn.

With the benefit of hindsight, it seems clear that Congress in 2002 had no idea what it would cost companies to comply § 404. The SEC had an estimate of what § 404(a) compliance would cost but had no idea what § 404(b) compliance would cost. Sticker shock seems the right description of the reaction once those costs became clear.

Section 404 compliance costs were substantial from the outset. Those costs were disproportionately borne by smaller firms from the outset. Section 404 compliance costs remain high and show no signs of dropping over time. It remains the case that those costs are disproportionately borne by smaller firms.

As far as achieving its main goal of reducing material weaknesses in ICFR, § 404 cannot be deemed a success. Both adverse managerial reports and auditor attestations actually rose prior to 2014 and have dropped only slightly in the subsequent period. Problems with firms failing to remediate persistent material weaknesses remain a source of concern.

For proponents of the humble regulation approach to federal securities law, § 404 at age twenty nevertheless is something of a mixed bag. On the one hand, the unexpectedly high costs and their persistence argues in favor of Congressional caution in responding to market crises, as does the ambiguity of evidence of lasting benefits. On the other hand, the success of § 404’s critics in obtaining not insignificant relief from both Congress and the SEC suggests that the ratchet effect is not as powerful as some—including the present author—may have believed. It turns out that resistance is not always futile.

The complete paper is available for download here.

Both comments and trackbacks are currently closed.