Section 404 of the Sarbanes-Oxley Act of 2002 (Management Assessment of Internal Controls): Current Regulation and Congressional Concerns Michael V. Seitzinger Legislative Attorney July 21, 2010 Congressional Research Service 7-5700 www.crs.gov RS22482 CRS Report for Congress Prepared for Members and Committees of Congress Section 404 of the Sarbanes-Oxley Act of 2002 Summary Section 404 of the Sarbanes-Oxley Act of 2002 requires the Securities and Exchange Commission (SEC) to issue rules requiring annual reports filed by reporting issuers to state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting and for each accounting firm auditing the issuer’s annual report to attest to the assessment made of the internal accounting procedures made by the issuer’s management. There have been criticisms that this provision is overly burdensome and costly for small and medium-sized companies. On December 15, 2006, the SEC adopted rule changes giving smaller firms more time to comply with Section 404’s reporting requirements. Compliance with Section 404 by small and medium-sized companies was an issue in both the 109th and 110th Congresses and has continued to be an issue in the 111th Congress. On November 4, 2009, the House Financial Services Committee recommended H.R. 3817, the Investor Protection Act, which contained a clause, inserted as a bipartisan amendment, permanently exempting businesses with a market capitalization up to $75 million from complying with the auditing requirements of Section 404. This bill was included in H.R. 4173, the Wall Street Reform and Consumer Protection Act of 2009, as section 7606, passed by the House on December 11, 2009. The Senatepassed bill on financial regulatory reform, S. 3217, did not have a comparable provision. House and Senate conferees on Wall Street reform approved a conference report, H.Rept. 111-517, which has a provision exempting businesses with a market capitalization of $75 million or less from complying with the auditing requirements of Section 404. Both the House and the Senate agreed to the conference report. The President signed the bill, known as the Dodd-Frank Wall Street Reform and Consumer Protection Act, into law as P.L. 111-203 on July 21, 2010. This report will be updated as needed. Congressional Research Service Section 404 of the Sarbanes-Oxley Act of 2002 Contents Background ................................................................................................................................1 Congressional Attention ..............................................................................................................2 Contacts Author Contact Information ........................................................................................................4 Congressional Research Service Section 404 of the Sarbanes-Oxley Act of 2002 Background On July 30, 2002, President Bush signed into law the Sarbanes-Oxley Act of 2002, P.L. 107-204. This law has been described by some as the most important and far-reaching securities legislation since passage of the Securities Act of 19331 and the Securities Exchange Act of 1934,2 both of which were passed in the wake of the Stock Market Crash of 1929. Sarbanes-Oxley had its genesis early in 2002 after the declared bankruptcy of the Enron Corporation, but for some time it appeared as though its impetus had slowed. However, when the WorldCom scandal became known in late June, the Congress showed renewed interest in enacting stiffer corporate responsibility legislation, and Sarbanes-Oxley quickly became law. The act established the Public Company Accounting Oversight Board (PCAOB or Board), which is supervised by the Securities and Exchange Commission (SEC or Commission). The act restricts accounting firms from performing a number of other services for the companies which they audit. The act also requires new disclosures for public companies and the officers and directors of those companies. Among the other issues affected by the legislation are securities fraud, criminal and civil penalties for violating the securities laws and other laws, blackouts for insider trades of pension fund shares, and protections for corporate whistleblowers. Currently, one of the most controversial provisions of the act is Section 404, Management Assessment of Internal Controls. The provision states: (a) Rules Required—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall— (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. (B) Internal Control Evaluation and Reporting—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement. The provision’s controversy stems from charges that some aspects of Sarbanes-Oxley, particularly Section 404, are overly burdensome and costly for small and medium-sized companies. For example, one critic has stated that the costs of Section 404 are “extreme.” “As one of our members testified before the House Small Business Committee, his company’s efforts to comply with Section 404 in preparation to go public were simply too excessive to justify the effort—10% 1 2 15 U.S.C. §§ 77a et seq. 15 U.S.C. §§ 78a et seq. Congressional Research Service 1 Section 404 of the Sarbanes-Oxley Act of 2002 to 15% of gross revenues.... Well-published studies and hard data demonstrate similar cost percentages for small firms.”3 The SEC over the years has taken various steps to delay compliance with Section 404 by defined small companies. For example, on May 17, 2006, the SEC issued a press release which, among other actions, announced that it would briefly postpone application of Section 404 to the smallest companies but that ultimately all public companies would be required to comply with the internal control reporting requirements of Section 404.4 This view taken by the Commission conflicted with several recommendations in a report5 issued by the Commission’s Advisory Committee on Smaller Public Companies on April 23, 2006, which would exempt small companies from many of the internal reporting requirements of Section 404. On December 15, 2006, the SEC adopted rule changes which give smaller firms, referred to as non-accelerated filers, more time to comply with Section 404’s internal controls reporting requirements. 6 Under the extension, a non-accelerated filer must provide management’s assessment concerning internal control over financial reporting in its annual reports for fiscal years ending on or after December 15, 2007. On April 4, 2007, the SEC’s commissioners endorsed the recommendations of its staff to work closely with the PCAOB to issue auditing standards intended to ease the burden on small companies in complying with Section 404.7 Additionally, on May 23, 2007, the SEC commissioners voted unanimously to approve a relaxed set of guidelines for the internal accounting controls required by Section 404 for smaller public companies, defined in most cases as those with a public float below $75 million. Congressional Attention The perceived problem of compliance with Section 404 reporting requirements faced by small and medium-sized companies was an issue in both the 109th and 110th Congresses and has continued to be an issue in the 111th Congress. Virtually identical bills addressing this issue were introduced in both houses of the 109th Congress: H.R. 5405 in the House and S. 2824 in the Senate. Each bill was titled the Competitive and Open Markets that Protect and Enhance the Treatment of Entrepreneurs (COMPETE) Act. The bills would have permitted an issuer to elect voluntarily not to be subject to much of Section 404 of Sarbanes-Oxley if the issuer has a total market capitalization for the relevant reporting period of less than $700 million; has total product revenue for that reporting period of less than $125 million; has fewer than 1,500 record beneficial holders; has been subject to the various reporting requirements of Sections 13(a)8 or 15(d)9 of the 3 Statement of Karen Kerrigan, president and CEO of the Small Business & Entrepreneurship Council, as reported in ABA Journal e-Report, at http://abanet.org/journal/ereport/jy7sox.html (July 7, 2006). 4 SEC Announces Next Steps for Sarbanes-Oxley Implementation, at http://sec.gov/news/press/2006/2006-75.htm (May 17, 2006). 5 Final Report of the Advisory Committee on Smaller Public Companies to the Securities and Exchange Commission, at http://www.sec.gov/info/smallbus/acspc/acspc-finalreport.pdf (April 23, 2006). 6 http://www.sec.gov/rules/final/2006/33-8760.pdf. 7 http://sec.gov/news/press/2007/2007-62.htm. 8 15 U.S.C. § 78m(a). Congressional Research Service 2 Section 404 of the Sarbanes-Oxley Act of 2002 Securities Exchange Act of 1934 for a period of less than 12 calendar months; or has not filed and was not required to file an annual report under Section 13(a) or 15(d) of the Securities Exchange Act of 1934. The bills would have set forth a de minimus standard for implementing the requirements of Section 404. The bills would also have required the SEC and the PCAOB to conduct a study assessing the principles-based Turnbull Guidance10 under the securities laws of Great Britain to the implementation of Section 404 of Sarbanes-Oxley and to submit the report to Congress within one year of enactment of the COMPETE Act. Bills introduced in the 110th Congress continued the attempt to correct the perceived problems created by Section 404. H.R. 1049, referred to the Committee on Financial Services, was titled the Amend Misinterpreted Excessive Regulation in Corporate America Act (AMERICA). The bill would have created an ombudsman for the Public Company Accounting Oversight Board (PCAOB or Board). The ombudsman would have been appointed by the Board and would have acted as a liaison between the PCAOB and any registered public accounting firm or issuer concerning issues or disputes related to the preparation or issuance of any audit report of that issuer, especially with respect to the implementation of Section 404; assured that safeguards existed to encourage complainants to come forward and to preserve confidentiality; and carried out other activities in accordance with guidelines prescribed by the Board. The bill would have required the SEC and the PCAOB to adopt revisions to their rules or standards under Section 404 of Sarbanes-Oxley so that the costs of implementation of Section 404 would not significantly increase the costs of complying with the annual audits required by the Securities Exchange Act.11 Further, the bill would have prohibited a private right of action to be brought against any registered public accounting firm in any federal or state court on the basis of a violation or alleged violation of the requirements of Section 404 or of the standards issued by the Board for the purposes of implementing the provisions of Section 404.12 H.R. 1508, referred to the Committee on Financial Services, and S. 869, referred to the Committee on Banking, Housing, and Urban Affairs, were titled the COMPETE Act of 2007 and were comparable. They were similar to H.R. 5405 and S. 2824, introduced in the 109th Congress. They would have amended Section 404 so that each registered public accounting firm preparing or issuing an audit report for an issuer would have been required to attest to and report on the management assessment of the issuer. The attestation and report on the assessment made by the management of the issuer would not have included a separate opinion on the outcome of the assessment. This attestation and report would have been required to be performed at three-year intervals. The attestation would have been required to be made in accordance with standards adopted by the Board. The SEC would have had to develop a standard of materiality for the conduct of the assessment and report on an internal control based upon whether the internal control had a material affect on the company’s financial statements and was significant to the issuer’s overall financial status.13 The bills would have permitted a smaller public company not to be subject to Section 404. A “smaller public company” was defined as having a total market capitalization for the relevant reporting period of less than $700 million and total product and services revenue for the reporting period of less than $125 million or at the beginning of the (...continued) 9 15 U.S.C. § 78o(d). 10 For information on the Turnbull Guidance, see http://www.frc.org.uk/corporate/internalcontrol.cfm. 11 H.R. 1049, 110th Cong., § 5. 12 H.R. 1049, 110th Cong., § 7. 13 H.R. 1508, 110th Cong., § 2; S. 869, 110th Cong., §3. Congressional Research Service 3 Section 404 of the Sarbanes-Oxley Act of 2002 reporting period fewer than 1,500 record beneficial owners.14 The SEC and the Board would have had to conduct a study examining the lack of and impediments to robust competition for the performance of audits for issuers.15 The SEC and the Board would have also been required to conduct a study comparing and contrasting the principles-based Turnbull Guidance16 under the securities laws of Great Britain to the implementation of Section 404 of Sarbanes-Oxley. 17 Several other bills affecting compliance with Section 404 were introduced in the 110th Congress. Bills introduced in the 111th Congress to provide an exemption for small companies from the requirements of Section 404 included H.R. 1797 and H.R. 3775. On November 4, 2009, the House Financial Services Committee recommended H.R. 3817, the Investor Protection Act, which contained a clause, inserted as a bipartisan amendment, permanently exempting businesses with a market capitalization up to $75 million from complying with the auditing requirements of Section 404. The SEC and others would study how the burden of compliance with Section 404 could be reduced for companies valued between $75 million and $250 million and whether reducing or eliminating their compliance with Section 404 would encourage these companies to offer their shares to the public on United States exchanges. This bill was included in H.R. 4173, the Wall Street Reform and Consumer Protection Act of 2009, as section 7606, passed by the House on December 11, 2009. The Senate-passed bill on financial regulatory reform, S. 3217, did not have a comparable provision. House and Senate conferees on Wall Street reform approved a conference report, H.Rept. 111-517, which has a provision exempting businesses with a market capitalization of $75 million or less from complying with the auditing requirements of Section 404. The provision also requires the Securities and Exchange Commission to determine how it can reduce the burden of complying with Section 404 for companies whose market capitalization is between $75 million and $250 million while maintaining investor protections. Both the House and the Senate agreed to the conference report. The President signed the bill, known as the DoddFrank Wall Street Reform and Consumer Protection Act, into law as P.L. 111-203 on July 21, 2010. Author Contact Information Michael V. Seitzinger Legislative Attorney mseitzinger@crs.loc.gov, 7-7895 14 H.R. 1508, 110th Cong., § 3; S. 869, 110th Cong., § 4. H.R. 1508, 110th Cong., § 4; S. 869, 110th Cong., § 5. 16 See footnote 10. 17 H.R. 1508, 110th Cong., § 5; S. 869, 110th Cong., § 6. 15 Congressional Research Service 4