Order Code RS22482
Updated May 29, 2007

Section 404 of the Sarbanes-Oxley Act of 2002 (Management Assessment of Internal Controls): Current Regulation and Congressional Concerns

Michael V. Seitzinger
American Law Division

Summary

Section 404 of the Sarbanes-Oxley Act of 2002 requires the Securities and Exchange Commission to issue rules requiring annual reports filed by reporting issuers to state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting and for each accounting firm auditing the issuer’s annual report to attest to the assessment made of the internal accounting procedures made by the issuer’s management. There have been criticisms that this provision is overly burdensome and costly for small and medium-sized companies. On December 15, 2006, the Securities and Exchange Commission adopted rule changes giving smaller firms more time to comply with Section 404's reporting requirements. In the 110th Congress, H.R. 1049, the Amend Misinterpreted Excessive Regulation in Corporate America Act, has been introduced. This bill would create an ombudsman for the Public Company Accounting Oversight Board and would require regulations issued to reduce the costs of compliance with Section 404. H.R. 1508 and S. 869, titled the Compete Act of 2007, have also been introduced, as have H.R. 1550 and H.R. 1780. H.R. 1550 would require the SEC’s rules to permit certain issuers voluntarily to elect not to prepare the required internal control report. The issuers mentioned in this bill which may exempt themselves from the Section 404 requirement include insured depository institutions, bank holding companies, and savings and loan companies. H.R. 1780 would require the SEC to issue rules which incorporate risk-based concepts in assessing internal control over financial reporting for issuers, specific guidelines for measuring such terms as “reasonable” and “material,” and specific alternative requirements for smaller issuers. On April 4, 2007, the SEC’s commissioners endorsed the recommendations of its staff for the staff to work closely with the Public Company Accounting Oversight Board to issue auditing standards which are intended to ease the burden on small companies in complying with Section 404. On May 23, 2007, the Securities and Exchange Commission voted to approve a somewhat relaxed set of guidelines for the internal accounting controls required by Section 404 for smaller public companies, defined in most cases as those with a public float below $75 million. This report will be updated as needed.

On July 30, 2002, President Bush signed into law the Sarbanes-Oxley Act of 2002, P.L. 107-204. This law has been described by some as the most important and far-reaching securities legislation since passage of the Securities Act of 1933[1] and the Securities Exchange Act of 1934,[2] both of which were passed in the wake of the Stock Market Crash of 1929. Sarbanes-Oxley had its genesis early in 2002 after the declared bankruptcy of the Enron Corporation, but for some time it appeared as though its impetus had slowed. However, when the WorldCom scandal became known in late June, the Congress showed renewed interest in enacting stiffer corporate responsibility legislation, and Sarbanes-Oxley quickly became law.

The act established the Public Company Accounting Oversight Board (PCAOB or Board), which is supervised by the Securities and Exchange Commission (SEC or Commission). The act restricts accounting firms from performing a number of other services for the companies which they audit. The act also requires new disclosures for public companies and the officers and directors of those companies.
Among the other issues affected by the legislation are securities fraud, criminal and civil penalties for violating the securities laws and other laws, blackouts for insider trades of pension fund shares, and protections for corporate whistleblowers.

[1] 15 U.S.C. §§ 77a et seq.
[2] 15 U.S.C. §§ 78a et seq.

Currently, one of the most controversial provisions of the act is Section 404, Management Assessment of Internal Controls. The provision states:

    (a) Rules Required — The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall —
        (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
        (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
    (b) Internal Control Evaluation and Reporting — With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

The provision’s controversy stems from charges that some aspects of Sarbanes-Oxley, particularly Section 404, are overly burdensome and costly for small and medium-sized companies. For example, one critic has stated that the costs of Section 404 are “extreme.” “As one of our members testified before the House Small Business Committee, his company’s efforts to comply with Section 404 in preparation to go public were simply too excessive to justify the effort — 10% to 15% of gross revenues .... Well-published studies and hard data demonstrate similar cost percentages for small firms.”[3]

On May 17, 2006, the SEC issued a press release which, among other actions, announced that it would briefly postpone application of Section 404 to the smallest companies but that ultimately all public companies would be required to comply with the internal control reporting requirements of Section 404.[4] This view taken by the Commission conflicts with several recommendations in a report[5] issued by the Commission’s Advisory Committee on Smaller Public Companies on April 23, 2006, which would exempt small companies from many of the internal reporting requirements of Section 404.

On December 15, 2006, the SEC adopted rule changes which give smaller firms, referred to as non-accelerated filers, more time to comply with Section 404's internal controls reporting requirements.[6] Under the extension a non-accelerated filer must provide management’s assessment concerning internal control over financial reporting in its annual reports for fiscal years ending on or after December 15, 2007. In addition, the SEC extended the date by which a non-accelerated filer must begin to comply with the auditor attestation requirement until filing an annual report for fiscal years ending on or after December 15, 2008.

The perceived problem of compliance with Section 404 reporting requirements faced by small and medium-sized companies was an issue in the 109th Congress. Virtually identical bills addressing this issue were introduced in both houses of Congress: H.R. 5405 in the House and S. 2824 in the Senate. Each bill was titled the Competitive and Open Markets that Protect and Enhance the Treatment of Entrepreneurs (COMPETE) Act.
The bills would have permitted an issuer to elect voluntarily not to be subject to much of Section 404 of Sarbanes-Oxley if the issuer has a total market capitalization for the relevant reporting period of less than $700 million; has total product revenue for that reporting period of less than $125 million; has fewer than 1500 record beneficial holders; has been subject to the various reporting requirements of sections 13(a)[7] or 15(d)[8] of the Securities Exchange Act of 1934 for a period of less than twelve calendar months; or has not filed and was not required to file an annual report under Section 13(a) or 15(d) of the Securities Exchange Act of 1934. The bills would have set forth a de minimis standard for implementing the requirements of Section 404. The bills would also have required the SEC and the PCAOB to conduct a study assessing the principles-based Turnbull Guidance[9] under the securities laws of Great Britain to the implementation of Section 404 of Sarbanes-Oxley and to submit the report to Congress within one year of enactment of the COMPETE Act.

[3] Statement of Karen Kerrigan, president and CEO of the Small Business & Entrepreneurship Council, as reported in ABA Journal e-Report, at [http://abanet.org/journal/ereport/jy7sox.html] (July 7, 2006).
[4] SEC Announces Next Steps for Sarbanes-Oxley Implementation, at [http://sec.gov/news/press/2006/2006-75.htm] (May 17, 2006).
[5] Final Report of the Advisory Committee on Smaller Public Companies to the Securities and Exchange Commission, at [http://www.sec.gov/info/smallbus/acspc/acspc-finalreport.pdf] (April 23, 2006).
[6] [http://www.sec.gov/rules/final/2006/33-8760.pdf].
[7] 15 U.S.C. § 78m(a).
[8] 15 U.S.C. § 78o(d).

Bills introduced in the 110th Congress continue the attempt to correct the perceived problems created by Section 404. H.R. 1049, referred to the Committee on Financial Services, is titled the Amend Misinterpreted Excessive Regulation in Corporate America Act (AMERICA).
The bill would create an ombudsman for the Public Company Accounting Oversight Board. The ombudsman would be appointed by the Board and would act as a liaison between the PCAOB and any registered public accounting firm or issuer concerning issues or disputes related to the preparation or issuance of any audit report of that issuer, especially with respect to the implementation of Section 404; assure that safeguards exist to encourage complainants to come forward and to preserve confidentiality; and carry out other activities in accordance with guidelines prescribed by the Board. The bill would also reorganize the PCAOB to provide that the members of the Board shall be appointed by the President, by and with the advice and consent of the Senate.[10] The bill would require the SEC and the PCAOB to adopt revisions to their rules or standards under Section 404 of Sarbanes-Oxley so that the costs of implementation of Section 404 will not significantly increase the costs of complying with the annual audits required by the Securities Exchange Act.[11] Further, the bill would prohibit a private right of action to be brought against any registered public accounting firm in any federal or state court on the basis of a violation or alleged violation of the requirements of Section 404 or of the standards issued by the Board for the purposes of implementing the provisions of Section 404.[12]

H.R. 1508, referred to the Committee on Financial Services, and S. 869, referred to the Committee on Banking, Housing, and Urban Affairs, are titled the Compete Act of 2007 and are comparable. They are similar to H.R. 5405 and S. 2824, introduced in the 109th Congress. They would amend Section 404 so that each registered public accounting firm preparing or issuing an audit report for an issuer would be required to attest to and report on the management assessment of the issuer.
The attestation and report on the assessment made by the management of the issuer would not include a separate opinion on the outcome of the assessment. This attestation and report would be required to be performed at three-year intervals. The attestation would be required to be made in accordance with standards adopted by the Board. The standards adopted by the Board would be required to eliminate duplication of audits and examinations. The SEC would be required to develop a standard of materiality for the conduct of the assessment and report on an internal control that would have to be based upon whether the internal control has a material effect on the company’s financial statements and is significant to the issuer’s overall financial status.[13] The bills would permit a smaller public company not to be subject to Section 404. A “smaller public company” would be defined as having a total market capitalization for the relevant reporting period of less than $700 million and total product and services revenue for the reporting period of less than $125 million or at the beginning of the reporting period fewer than 1500 record beneficial owners.[14] The SEC and the Board would be required to conduct a study examining the lack of and impediments to robust competition for the performance of audits for issuers.[15] The SEC and the Board would also be required to conduct a study comparing and contrasting the principles-based Turnbull Guidance[16] under the securities laws of Great Britain to the implementation of Section 404 of Sarbanes-Oxley.[17]

H.R. 1550, referred to the Committee on Financial Services, would, in addition to amending Section 302 of the Sarbanes-Oxley Act (Corporate Responsibility for Financial Reports), amend Section 404 to exempt certain financial institutions from having to prepare the internal control report.[18] These financial institutions include insured depository institutions, bank holding companies, and savings and loan companies.

H.R. 1780, referred to the Committee on Financial Services, would require the SEC to issue rules which incorporate risk-based concepts in assessing internal control over financial reporting for issuers, specific guidelines for measuring such terms as “reasonable” and “material,” and specific alternative requirements for smaller issuers.[19]

On April 4, 2007, the SEC’s commissioners endorsed the recommendations of its staff to work closely with the PCAOB to issue auditing standards intended to ease the burden on small companies in complying with Section 404.[20] On May 23, 2007, the SEC commissioners voted unanimously to approve a relaxed set of guidelines for the internal accounting controls required by Section 404 for smaller public companies, defined in most cases as those with a public float below $75 million.[21]

[9] For information on the Turnbull Guidance, see [http://www.frc.org.uk/corporate/internalcontrol.cfm].
[10] H.R. 1049, 110th Cong., § 4.
[11] H.R. 1049, 110th Cong., § 5.
[12] H.R. 1049, 110th Cong., § 7.
[13] H.R. 1508, 110th Cong., § 2; S. 869, 110th Cong., § 3.
[14] H.R. 1508, 110th Cong., § 3; S. 869, 110th Cong., § 4.
[15] H.R. 1508, 110th Cong., § 4; S. 869, 110th Cong., § 5.
[16] See footnote 9.
[17] H.R. 1508, 110th Cong., § 5; S. 869, 110th Cong., § 6.
[18] H.R. 1550, 110th Cong., § 3.
[19] H.R. 1780, 110th Cong., § 2.
[20] [http://sec.gov/news/press/2007/2007-62.htm].
[21] [http://sec.gov/news/press/2007/2007-102.htm].