Sarbanes-Oxley Section 404 and Internal Controls
A Look at Two Years of Compliance

By Jean C. Bedard, Lynford E. Graham, Rani Hoitash, and Udi Hoitash

E-mail Story
Print Story
OCTOBER 2007 - The provisions of the Sarbanes-Oxley Act of 2002 (SOX) aimed at improving internal control over financial reporting (ICFR) have caused a great upheaval among public companies and their independent accountants. Section 404 of SOX became effective on November 15, 2004, meaning that SEC-designated accelerated filers are now in their third year of reporting on ICFR effectiveness. Now is an appropriate time to assess the first two years of section 404 compliance, to help auditors understand the big picture of section 404 reporting to date.

The authors culled information from a variety of sources to try to answer the following questions: What types of companies are disclosing ICFR material weaknesses under section 404? Is progress being made toward improving ICFR? Do audit fees factor in the additional risk associated with ICFR weaknesses? What are the consequences of reporting ineffective ICFR (e.g., do companies reporting weaknesses change auditors more frequently)?

Professionals and standards-setters continue to discuss the challenges, costs, and benefits of SOX section 404. The answers to these questions are particularly relevant as nonaccelerated filers look toward the impending section 404 implementation requirements in 2008 and 2009, as imposed by the SEC and the PCAOB.

Data Used

AuditAnalytics ( compiles data from public disclosures of material weaknesses in the 10-K reports of accelerated filers. Of the 2,641 and 3,575 companies filing in fiscal years 2004 and 2005, respectively, 386 (14.6%) and 340 (9.5%) reported material weaknesses in ICFR in each year. To provide a direct comparison across the first two years of compliance, the coauthors removed the 1,124 companies that are first-time filers in 2005, and the 190 companies that filed a 404 report in 2004 but had not yet filed a report as of June 17, 2006. This leaves 2,451 companies with section 404 disclosures in both years.

Among the 2,451 companies, the number disclosing ICFR problems fell from 337 (13.7%) in 2004 to 179 (7.3%) in 2005. A likely explanation is that ICFR is improving overall. Exhibit 1 shows that in 2005, 255 companies previously disclosing material weaknesses reported effective controls, 97 companies disclosed new material weaknesses, 82 companies disclosed material weaknesses in both years (the same problems or new ones), and 2,017 companies reported effective ICFR in both years.

Effect of Company Size and Audit Fees

Companies reporting material weaknesses in ICFR were compared to companies reporting effective controls, along two dimensions: company size and audit fees. Using 2,410 companies with complete audit fee data in 2004 and 2005, and using total assets to measure size, Exhibit 2 shows that companies reporting material weaknesses for the first time in 2005 and companies reporting material weakness in both years were smaller than companies with effective controls in both years. (The group medians are lower by 58% and 75%, respectively). There are several possible reasons for this trend: 1) Smaller companies may lack the resources to remediate material weaknesses in the year they are identified (e.g., fewer internal audit resources); 2) smaller companies may have started ICFR testing later in the year, making it difficult to remediate discovered weaknesses by the balance sheet date; or 3) smaller companies’ management may have decided that remediation in the current year is not cost-effective.

Detecting why smaller companies have more reported problems is obviously an important issue as nonaccelerated filers approach the section 404 compliance date, but the authors are not aware of research that has addressed this topic.

Exhibit 3 shows that audit fees (adjusted in proportion to total assets) are substantially higher for companies reporting material weaknesses. Relative audit fees of companies disclosing material weaknesses are about twice those of companies with no reported weaknesses. Consistent with the audit risk model (SAS 47, Audit Risk and Materiality in Conducting an Audit), auditors of companies with weaker controls during this period apparently charged additional audit fees due to the increased audit work required to reduce audit risk to target levels. Additionally, as noted by Jack T. Ciesielski and Thomas R. Weirich (“Ups and Downs of Audit Fees Since the Sarbanes-Oxley
Act: A Closer Look at the Effects of Compliance,” The CPA Journal, October 2006), auditors may seek compensation for future litigation expenses when a “sturdier audit” isn’t enough. Recent academic research using data from a large audit firm (Jean C. Bedard and Karla Johnstone, “Audit Planning and Pricing During the Period Surrounding Passage of the Sarbanes-Oxley Act,” working paper, Bentley College) confirms that both engagement hours and implied hourly billing rates are affected by internal control weaknesses and the risk of financial reporting misstatements.

While it is important to point out that audit fees are adjusted for the risk derived from ICFR weaknesses, public outcry over the overall costs of SOX section 404 compliance leads to the question of whether fees paid to auditors experience a decline after the initial setup year. Exhibit 3 shows that the answer depends on the client’s ICFR effectiveness. The chart shows two columns (2004 and 2005) for each ICFR reporting group, illustrating the differences in audit fees using a theoretical company with $1 billion in assets. Audit fees for companies with no material weaknesses in either year declined from 0.20% to 0.18% of assets (i.e., representing $200,000 for the sample $1 billion company). Similarly, audit fees of companies that remediated material weaknesses from 2004 and 2005 also declined in 2005, from 0.33% to 0.31% (i.e., $200,000).

In contrast, audit fees increased for companies reporting a material weakness in both years, from 0.44% to 0.51% of assets in 2005 (i.e., $700,000). In addition, audit fees for companies reporting material weaknesses only in 2005 increased from 0.34% to 0.37% of assets (i.e., $300,000). It is interesting that while companies in the latter group had clean ICFR opinions in 2004, their 2004 audit fees were higher than those of companies with clean ICFR opinions in that year. Did auditors of those companies respond to the risk of detected deficiencies in that year, but conclude that those deficiencies did not rise to the level of a material weakness? If so, another year of investigation might have led to the conclusion that problems in those clients were more serious than previously thought.

In sum, Exhibit 3 shows that companies with strong controls (as measured by section 404 disclosures) will pay lower audit fees, and improving ICFR will result in audit fee savings.

Effect of Audit Firm Size

Exhibit 4 shows the percentage of clients of Big Four, mid-tier, and small audit firms that reported material weaknesses. The data show that clients of mid-tier and small audit firms have a higher frequency of reporting material weaknesses, as compared to the Big Four. Specifically, 13% of Big Four sample clients reported material weaknesses in 2004, compared with 31% of mid-tier firm clients and 16% of small-firm clients. Exhibit 4 also shows that clients of all audit firm size groups reported fewer material weaknesses in 2005, as compared to 2004.

The reason for the differential in material weaknesses among clients of large, mid-tier, and small audit firms is not clear. The lower rate among clients of the Big Four compared to mid-tier clients might reflect the recent trend of large firms to disengage from audits of higher-risk clients (see Phyllis Plitch and Lingling Wei, “Auditor-Client Breakups Rise, While Disclosure Often Lags,” Wall Street Journal, August 3, 2004). That trend does not, however, explain the lower rate of material weaknesses reported among small firms as compared to mid-tier firms. This lower disclosure rate could be attributed to the characteristics of the audited businesses. For example, clients of smaller audit firms might have less-complex operations, reducing the likelihood of material weaknesses. In addition, the complexity involved in the detection and classification of deficiencies could be a factor. Material weaknesses are distinguished from less severe issues on the basis of materiality and misstatement probability, both of which are difficult to judge in practice. AS2’s use of conceptual guidelines to assess the severity of deficiencies, rather than a more formulaic approach, may contribute to the difficulty of classifying deficiencies. Due to the difficulty and newness of the section 404 process, substantial experience may be needed to gain expertise in the detection and classification of deficiencies. When a firm audits few accelerated filers, it is difficult to gain such expertise quickly. (A substantial number of accelerated filers are audited by public accounting firms having few section 404 engagements. For example, in 2005, 192 accelerated filers were audited by 116 firms having five or fewer accelerated filers as clients.)

Even if the difference in experience accounts for the reporting differences between clients of small and mid-tier firms (which thus should decline over time), the onset of SOX section 404 implementation for nonaccelerated filers is approaching fast. In 2008 and 2009, about 10,000 additional companies will be assessing and reporting on ICFR under section 404. Many of those companies will be audited by firms that serve only a few public clients. With these companies, as well as with the initial group of accelerated filers, the experience factor may lead to different severity assessments when viewed in the aggregate. Changes in the professional environment since AS2 was released [such as AS5, An Audit of Internal Control over Financial Reporting that Is Integrated with an Audit of Financial Statements, approved by the SEC on July 25, 2007, and the SEC interpretative guidance issued on June 20, 2007, “Commission Guidance Regarding Management’s Report on Internal Control over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934”] and the availability of training courses for companies and auditors in the controls assessment process) may, however, mitigate the effects of any experience factor observed among nonaccelerated filers in their early years of section 404 compliance.

Material Weakness Disclosures and Financial Restatements

SOX section 404 material weakness disclosures are sometimes accompanied by financial reporting restatements. The combination of a restatement with a material weakness disclosure is more likely to produce a negative reaction by investors and creditors. In the 2004 data, 55 companies with material weaknesses (16%) announced intended restatements, compared to 109 (5%) of companies with effective ICFR. In 2005, 50 (28%) companies with material weaknesses and 206 (9%) of companies with effective controls announced intended restatements.

The data indicate that, in both years, companies with material weaknesses were more likely to restate than companies with effective controls. In addition, the data show that the overall number of restatements is increasing, a trend that, on the surface, seems inconsistent with an improvement in ICFR associated with section 404. Some analysts have interpreted this to mean that companies and their auditors are looking closer at reported results and are working toward the correction of past problems (see David Reilly, “SOX Changes Take Root,” Wall Street Journal, March 3, 2006).

Material Weaknesses and Auditor Change

Public disclosure of ICFR weaknesses, along with other changes coincident with SOX implementation, has brought about significant realignment in company–auditor relationships. Because changing auditors is costly to both auditors and clients, this represents another “cost” of SOX that companies should carefully consider. Are companies that change auditors more likely to report material weaknesses? In the above data, 45 (13%) of companies reporting a material weakness changed auditors in 2004, as compared to 113 (5%) of those reporting effective ICFR. In 2005, 25 (14%) of companies with material weaknesses changed auditors, compared to 175 (8%) with effective controls.

Two conclusions are evident from the data on auditor changes. First, there is greater auditor-switching among companies with material weaknesses. This may be due to disagreements with auditors over ICFR reporting, higher audit fees, or auditors resigning from higher-risk engagements. Second, the frequency of auditor-switching is increasing overall.

Small Filers and the Cost–Benefit of Section 404

The debate surrounding the costs and benefits of SOX section 404 has focused on whether this regulation should be applied to smaller public companies. Both the SEC and the PCAOB have shown concern about a disproportionate compliance burden for small registrants. While the compliance date was recently postponed, the SEC has reaffirmed that nonaccelerated filers must comply with section 404’s management reporting requirements for fiscal years ending on or after December 15, 2008, and with auditor attestation requirements a year later (SEC Final Rule, “Internal Control Over Financial Reporting In Exchange Act Periodic Reports Of Non-Accelerated Filers And Newly Public Companies,” Release 33-8760). Even though this affords smaller public companies additional time to comply, there is risk that they will go private or delist from U.S. stock exchanges in favor of foreign financial markets in order to avoid the costs of compliance. The authors’ data support the SEC’s decision; they suggest that among accelerated filers, small issuers are generally characterized by weaker ICFR.

While the costs of compliance are visible, estimating the benefits of SOX is a more challenging proposition. Ideally, the benefits to society and the perception of U.S. financial markets should be considered. Nonetheless, the data reported here and in other recent academic research suggest that there are considerable benefits of improving ICFR that accrue to the companies themselves. The data clearly indicate that smaller companies should begin now to take section 404 compliance seriously, working toward the goal of a clean ICFR auditor opinion in 2008. Companies that achieve an unqualified opinion on their ICFR should experience relative savings in their audit fees, and may avoid the difficulty and added expense of changing auditors.

Furthermore, academic research has detected other monetary benefits of unqualified ICFR reports, including lower cost of capital (see Hollis Ashbaugh-Skaife, Daniel W. Collins, William R. Kinney, Jr., and Ryan LaFond, “The Effect of Internal Control Deficiencies on Firm Risk and Cost of Equity Capital,” working paper, University of Wisconsin–Madison, 2006) and avoidance of adverse stock market reaction to ICFR material weakness disclosure (see Gus De Franco, Yuyan Guan, and Hai Lu, “The Wealth Change and Redistribution Effects of Sarbanes-Oxley Internal Control Disclosures,” working paper, University of Toronto, 2005). Other potential benefits include reducing long-term monitoring costs within the company, and increasing available management time and energy for strategizing and growing the business, because less time is required to attend to avoidable crises that arise due to weak internal control: fraud, earnings restatements, and so forth.

The relative difficulty of measuring benefits from investment in ICFR is analogous to the information technology (IT) “productivity paradox” observed during the 1990s. Companies that invested (voluntarily) in their IT infrastructure observed the immediate investment cost, but were unable to observe the associated increase in productivity for a long period of time. Even after productivity increases were observable, and it was clear that IT investments resulted in positive net value, it remained difficult to quantify the benefits. The authors believe that, in a similar manner, the long-term benefits of SOX will eventually become apparent, but quantifying them will continue to be a challenge.

Jean C. Bedard, PhD, CPA, is the Timothy B. Harbert Professor of Accounting at Bentley College, Waltham, Mass.
Lynford E. Graham, PhD, CPA, CISA, is a consultant in Short Hills, N.J.
Rani Hoitash, PhD, CISA
, is an assistant professor of accounting at Bentley College, Waltham, Mass. Udi Hoitash is a PhD candidate at the Rutgers Business School, Newark, N.J.




















The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs. Legal Notices