Order Code RS22482
Updated May 29, 2007
Section 404 of the Sarbanes-Oxley Act
of 2002 (Management Assessment
of Internal Controls): Current Regulation
and Congressional Concerns
Michael V. Seitzinger
American Law Division
Summary
Section 404 of the Sarbanes-Oxley Act of 2002 requires the Securities and
Exchange Commission to issue rules requiring annual reports filed by reporting issuers
to state the responsibility of management for establishing and maintaining an adequate
internal control structure and procedures for financial reporting and for each accounting
firm auditing the issuer’s annual report to attest to the assessment made of the internal
accounting procedures made by the issuer’s management. There have been criticisms
that this provision is overly burdensome and costly for small and medium-sized
companies. On December 15, 2006, the Securities and Exchange Commission adopted
rule changes giving smaller firms more time to comply with Section 404's reporting
requirements. In the 110th Congress, H.R. 1049, the Amend Misinterpreted Excessive
Regulation in Corporate America Act, has been introduced. This bill would create an
ombudsman for the Public Company Accounting Oversight Board and would require
regulations issued to reduce the costs of compliance with Section 404. H.R. 1508 and
S. 869, titled the Compete Act of 2007, have also been introduced, as have H.R. 1550
and H.R. 1780. H.R. 1550 would require the SEC’s rules to permit certain issuers
voluntarily to elect not to prepare the required internal control report. The issuers
mentioned in this bill which may exempt themselves from the Section 404 requirement
include insured depository institutions, bank holding companies, and savings and loan
companies. H.R. 1780 would require the SEC to issue rules which incorporate risk-
based concepts in assessing internal control over financial reporting for issuers, specific
guidelines for measuring such terms as “reasonable” and “material,” and specific
alternative requirements for smaller issuers. On April 4, 2007, the SEC’s commissioners
endorsed the recommendations of its staff for the staff to work closely with the Public
Company Accounting Oversight Board to issue auditing standards which are intended
to ease the burden on small companies in complying with Section 404. On May 23,
2007, the Securities and Exchange Commission voted to approve a somewhat relaxed
set of guidelines for the internal accounting controls required by Section 404 for smaller
public companies, defined in most cases as those with a public float below $75 million.
This report will be updated as needed.

---

CRS-2
On July 30, 2002, President Bush signed into law the Sarbanes-Oxley Act of 2002,
P.L. 107-204. This law has been described by some as the most important and far-
reaching securities legislation since passage of the Securities Act of 19331 and the
Securities Exchange Act of 1934,2 both of which were passed in the wake of the Stock
Market Crash of 1929.
Sarbanes-Oxley had its genesis early in 2002 after the declared bankruptcy of the
Enron Corporation, but for some time it appeared as though its impetus had slowed.
However, when the WorldCom scandal became known in late June, the Congress showed
renewed interest in enacting stiffer corporate responsibility legislation, and Sarbanes-
Oxley quickly became law.
The act established the Public Company Accounting Oversight Board (PCAOB or
Board), which is supervised by the Securities and Exchange Commission (SEC or
Commission). The act restricts accounting firms from performing a number of other
services for the companies which they audit. The act also requires new disclosures for
public companies and the officers and directors of those companies. Among the other
issues affected by the legislation are securities fraud, criminal and civil penalties for
violating the securities laws and other laws, blackouts for insider trades of pension fund
shares, and protections for corporate whistleblowers.
Currently, one of the most controversial provisions of the act is Section 404,
Management Assessment of Internal Controls. The provision states:
(a) Rules Required — The Commission shall prescribe rules requiring each annual
report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15
U.S.C. 78m or 78o(d)) to contain an internal control report, which shall —
(1) state the responsibility of management for establishing and maintaining an
adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of
the effectiveness of the internal control structure and procedures of the issuer for
financial reporting.
(B) Internal Control Evaluation and Reporting — With respect to the internal control
assessment required by subsection (a), each registered public accounting firm that
prepares or issues the audit report for the issuer shall attest to, and report on, the
assessment made by the management of the issuer. An attestation made under this
subsection shall be made in accordance with standards for attestation engagements
issued or adopted by the Board. Any such attestation shall not be the subject of a
separate engagement.
The provision’s controversy stems from charges that some aspects of Sarbanes-
Oxley, particularly Section 404, are overly burdensome and costly for small and medium-
sized companies. For example, one critic has stated that the costs of Section 404 are
1 15 U.S.C. §§ 77a et seq.
2 15 U.S.C. §§ 78a et seq.

---

CRS-3
“extreme.” “As one of our members testified before the House Small Business
Committee, his company’s efforts to comply with Section 404 in preparation to go public
were simply too excessive to justify the effort — 10% to 15% of gross revenues .... Well-
published studies and hard data demonstrate similar cost percentages for small firms.”3
On May 17, 2006, the SEC issued a press release which, among other actions,
announced that it would briefly postpone application of Section 404 to the smallest
companies but that ultimately all public companies would be required to comply with the
internal control reporting requirements of Section 404.4 This view taken by the
Commission conflicts with several recommendations in a report5 issued by the
Commission’s Advisory Committee on Smaller Public Companies on April 23, 2006,
which would exempt small companies from many of the internal reporting requirements
of Section 404.
On December 15, 2006, the SEC adopted rule changes which give smaller firms,
referred to as non-accelerated filers, more time to comply with Section 404's internal
controls reporting requirements.6 Under the extension a non-accelerated filer must
provide management’s assessment concerning internal control over financial reporting in
its annual reports for fiscal years ending on or after December 15, 2007. In addition, the
SEC extended the date by which a non-accelerated filer must begin to comply with the
auditor attestation requirement until filing an annual report for fiscal years ending on or
after December 15, 2008.
The perceived problem of compliance with Section 404 reporting requirements faced
by small and medium-sized companies was an issue in the 109th Congress. Virtually
identical bills addressing this issue were introduced in both houses of Congress: H.R.
5405 in the House and S. 2824 in the Senate. Each bill was titled the Competitive and
Open Markets that Protect and Enhance the Treatment of Entrepreneurs (COMPETE) Act.
The bills would have permitted an issuer to elect voluntarily not to be subject to much of
Section 404 of Sarbanes-Oxley if the issuer has a total market capitalization for the
relevant reporting period of less than $700 million; has total product revenue for that
reporting period of less than $125 million; has fewer than 1500 record beneficial holders;
has been subject to the various reporting requirements of sections 13(a)7 or 15(d)8 of the
Securities Exchange Act of 1934 for a period of less than twelve calendar months; or has
not filed and was not required to file an annual report under Section 13(a) or 15(d) of the
Securities Exchange Act of 1934. The bills would have set forth a de minimus standard
3 Statement of Karen Kerrigan, president and CEO of the Small Business & Entrepreneurship
Council, as reported in ABA Journal e-Report, at [http://abanet.org/journal/ereport/jy7sox.html]
(July 7, 2006).
4 SEC Announces Next Steps for Sarbanes-Oxley Implementation, at [http://sec.gov
/news/press/2006/2006-75.htm] (May 17, 2006).
5 Final Report of the Advisory Committee on Smaller Public Companies to the Securities and
Exchange Commission, at [http://www.sec.gov/info/smallbus/acspc/acspc-finalreport.pdf] (April
23, 2006).
6 [http://www.sec.gov/rules/final/2006/33-8760.pdf].
7 15 U.S.C. § 78m(a).
8 15 U.S.C. § 78o(d).

---

CRS-4
for implementing the requirements of Section 404. The bills would also have required
the SEC and the PCAOB to conduct a study assessing the principles-based Turnbull
Guidance9 under the securities laws of Great Britain to the implementation of Section 404
of Sarbanes-Oxley and to submit the report to Congress within one year of enactment of
the COMPETE Act.
Bills introduced in the 110th Congress continue the attempt to correct the perceived
problems created by Section 404. H.R. 1049, referred to the Committee on Financial
Services, is titled the Amend Misinterpreted Excessive Regulation in Corporate America
Act (AMERICA). The bill would create an ombudsman for the Public Company
Accounting Oversight Board. The ombudsman would be appointed by the Board and
would act as a liaison between the PCAOB and any registered public accounting firm or
issuer concerning issues or disputes related to the preparation or issuance of any audit
report of that issuer, especially with respect to the implementation of Section 404; assure
that safeguards exist to encourage complainants to come forward and to preserve
confidentiality; and carry out other activities in accordance with guidelines prescribed by
the Board. The bill would also reorganize the PCAOB to provide that the members of the
Board shall be appointed by the President, by and with the advice and consent of the
Senate.10 The bill would require the SEC and the PCAOB to adopt revisions to their rules
or standards under Section 404 of Sarbanes-Oxley so that the costs of implementation of
Section 404 will not significantly increase the costs of complying with the annual audits
required by the Securities Exchange Act.11 Further, the bill would prohibit a private right
of action to be brought against any registered public accounting firm in any federal or
state court on the basis of a violation or alleged violation of the requirements of Section
404 or of the standards issued by the Board for the purposes of implementing the
provisions of Section 404.12
H.R. 1508, referred to the Committee on Financial Services, and S. 869, referred to
the Committee on Banking, Housing, and Urban Affairs, are titled the Compete Act of
2007 and are comparable. They are similar to H.R. 5405 and S. 2824, introduced in the
109th Congress. They would amend Section 404 so that each registered public accounting
firm preparing or issuing an audit report for an issuer would be required to attest to and
report on the management assessment of the issuer. The attestation and report on the
assessment made by the management of the issuer would not include a separate opinion
on the outcome of the assessment This attestation and report would be required to be
performed at three-year intervals. The attestation would be required to be made in
accordance with standards adopted by the Board. The standards adopted by the Board
would be required to eliminate duplication of audits and examinations. The SEC would
be required to develop a standard of materiality for the conduct of the assessment and
report on an internal control that would have to be based upon whether the internal control
has a material affect on the company’s financial statements and is significant to the
9 For information on the Turnbull Guidance, see [http://www.frc.org.uk
/corporate/internalcontrol.cfm].
10 H.R. 1049, 110th Cong., § 4.
11 H.R. 1049, 110th Cong., § 5.
12 H.R. 1049, 110th Cong., § 7.

---

CRS-5
issuer’s overall financial status.13 The bills would permit a smaller public company not
to be subject to Section 404. A “smaller public company” would be defined as having a
total market capitalization for the relevant reporting period of less than $700 million and
total product and services revenue for the reporting period of less than $125 million or
at the beginning of the reporting period fewer than 1500 record beneficial owners.14 The
SEC and the Board would be required to conduct a study examining the lack of and
impediments to robust competition for the performance of audits for issuers.15 The SEC
and the Board would also be required to conduct a study comparing and contrasting the
principles-based Turnbull Guidance16 under the securities laws of Great Britain to the
implementation of Section 404 of Sarbanes-Oxley.17
H.R. 1550, referred to the Committee on Financial Services, would, in addition to
amending Section 302 of the Sarbanes -Oxley Act (Corporate Responsibility for Financial
Reports), amend Section 404 to exempt certain financial institutions from having to
prepare the internal control report.18 These financial institutions include insured
depository institutions, bank holding companies, and savings and loan companies.
H.R. 1780, referred to the Committee on Financial Services, would require the SEC
to issue rules which incorporate risk-based concepts in assessing internal control over
financial reporting for issuers, specific guidelines for measuring such terms as
“reasonable” and “material,” and specific alternative requirements for smaller issuers.19
On April 4, 2007, the SEC’s commissioners endorsed the recommendations of its
staff to work closely with the PCAOB to issue auditing standards intended to ease the
burden on small companies in complying with Section 404.20
On May 23, 2007, the SEC commissioners voted unanimously to approve a relaxed
set of guidelines for the internal accounting controls required by Section 404 for smaller
public companies, defined in most cases as those with a public float below $75 million.21
crsphpgw
13 H.R. 1508, 110th Cong., § 2; S. 869, 110th Cong., §3.
14 H.R. 1508, 110th Cong., § 3; S. 869, 110th Cong., § 4.
15 H.R. 1508, 110th Cong., § 4; S. 869, 110th Cong., § 5.
16 See footnote 9.
17 H.R. 1508, 110th Cong., § 5; S. 869, 110th Cong., § 6.
18 H.R. 1550, 110th Cong., § 3.
19 H.R. 1780, 110th Cong., § 2.
20 [http://sec.gov/news/press/2007/2007-62.htm].
21 [http://sec.gov/news/press/2007/2007-102.htm].

---