The Government Accountability Office (GAO) has issued a report on the costs of compliance with Section 404 of the Sarbanes-Oxley Act (SOX).  In Sarbanes-Oxley Act: Compliance Costs Are Higher for Larger Companies, GAO found that compliance costs are higher for larger companies but proportionally more burdensome for smaller ones.

SOX Section 404 imposes two requirements on public companies.  Section 404(a) requires management to annually assess the effectiveness of internal control over financial reporting (ICFR) and to report their assessment in an SEC filing.  Section 404(b) requires the company to obtain and file an annual ICFR assessment from the company’s independent auditor.  All public companies must comply with the management assessment requirement in Section 404(a).  Only companies with a public float (i.e., market value of shares held by public investors) of $700 million or more, or a public float of $75 million or more and $100 million or more in annual revenue, must obtain a Section 404(b) auditor attestation. Emerging growth companies (companies with less than $1.235 billion in annual revenue that also meet certain other criteria) or also exempt from Section 404(b).

GAO prepared the study at the request of the Chair of the Subcommittee on Capital Markets of the House Committee on Financial Services. The Subcommittee asked GAO to review the costs and other effects of SOX, particularly ICFR reporting, as part of Congress’s consideration of reforms to stimulate initial public offerings.  The study could therefore influence the possibility of legislation making further changes to the scope of the Section 404(b) auditor attestation requirement.

GAO’s report examines three issues: (1) compliance costs associated with Section 404, (2) the effects of the exemptions from Section 404(b) auditor ICFR attestation on fraud risks and the reliability of financial information, and (3) other effects of the Section 404(b) exemption on companies and investors.

Compliance Costs 

GAO found that larger companies spend more on SOX compliance, but smaller companies spend a higher proportion of their assets on SOX compliance:

“Larger (nonexempt) companies generally incurred higher overall Sarbanes-Oxley compliance costs, but these costs were proportionally more burdensome for smaller (exempt) companies. Nonexempt companies (generally those with $75 million or more in publicly held shares or companies not qualifying as emerging growth companies) had higher costs (19 percent) than their exempt counterparts, according to GAO’s analysis of a nongeneralizable sample of 96 companies.”

Moreover, for a company that is exempt from the auditor ICFR attestation requirement, the transition to full Section 404 compliance is expensive:

“Companies generally experienced increased audit costs when they transitioned from exempt to nonexempt status (became subject to auditor attestation because their public float or revenues grew above exemption thresholds). Audits of nonexempt companies involve more work because the incremental auditing standards that apply to them require more planning, control testing, and quality review. GAO’s analysis found a median increase of $219,000 (13 percent) in audit fees in the year a company became nonexempt. Audit fees generally leveled off in the year after transition.” (GAO’s analysis found a $47,000 median audit fee increase in the year following transition.)

Auditor ICFR Attestation Exemption and Fraud Risk

Based on a review of other studies, GAO observes that companies that announced financial statement restatements tended to have weak ICFR or be smaller. GAO’s analysis of one hundred restatements in 2022 and 2023 found that 41 of 56 Section 404(b)-exempt companies (73 percent) that restated cited both ineffective ICFR and material weaknesses, compared to 26 of 44 nonexempt companies (59 percent).  Weak internal controls are, in turn, also associated with fraud. GAO states, “Our analysis of a sample of 55 SEC enforcement cases involving accounting violations announced in 2022 and 2023 found 47 involved weak or insufficient internal controls, or materially misleading statements. Of those, 37 cases were fraud-related violations.”

Other Effects of the Auditor ICFR Attestation Exemption 

Apart from the issue of increased restatement risk, GAO found both positive and negative effects of the Section 404(b) exemption from auditor attestation.

• Investment in Business Development and Growth.  “Several studies we reviewed identified cost savings from not paying audit fees [for ICFR attestation] as a key measurable benefit of the exemption. For example, one study found that following the passage of the JOBS Act, reduced compliance costs allowed companies to invest more in research and development and innovation.  Another study reported that relaxed disclosure requirements helped emerging growth companies save money and other resources that otherwise would be needed to prepare documents.  A separate study noted that the exemption freed up management and employee time that otherwise would have been spent with auditors.” (footnotes omitted)

• Reduced Investor Confidence in Their Financial Reporting.  Auditor ICFR attestation has a positive impact on investor confidence because it is “viewed as providing reasonable assurance about the effectiveness of companies’ internal controls and the reliability of their financial reporting, as demonstrated by fewer restatements.”  Further, “diminished disclosures associated with the exemption” increases information asymmetry between company management and investors, which, in turn, can increase the cost of capital.

• Effect on the Number of IPOs.  In 2012, the Jumpstart Our Business Startups Act (JOBS Act) expanded the exemption from auditor ICFR attestation and created the emerging growth company category.  GAO concludes that it is unclear whether the JOBS Act had any impact on the number of initial public offerings (IPOs).  Some studies indicate the JOBS Act increased IPOs by lowering the costs of going public and operating as a public company.  GAO notes, however, that the JOBS Act included other reforms and that the studies GAO reviewed “did not pinpoint which JOBS Act provisions influenced the decision to go public.”  In addition, non-regulatory factors, such as market volatility, overall economic conditions, and alternative mechanisms for raising capital, can affect a company’s decision to go public.

GAO’s findings are generally consistent with other studies of Section 404 compliance costs.  See Protiviti Reports that SOX Compliance Costs Continue to Rise, June-July 2022 Update.  Indeed, much of GAO’s report is based on prior studies, such as Protiviti’s.