Section 404 of the Sarbanes-Oxley Act of 2002
(Management Assessment of Internal
Controls): Current Regulation and
Congressional Concerns

Michael V. Seitzinger
Legislative Attorney
December 20, 2011
Congressional Research Service
7-5700
www.crs.gov
RS22482
CRS Report for Congress
Prepared for Members and Committees of Congress

Summary
Section 404 of the Sarbanes-Oxley Act of 2002 requires the Securities and Exchange Commission
(SEC) to issue rules requiring annual reports filed by reporting issuers to state the responsibility
of management for establishing and maintaining an adequate internal control structure and
procedures for financial reporting and for each accounting firm auditing the issuer’s annual report
to attest to the assessment made of the internal accounting procedures made by the issuer’s
management. There have been criticisms that this provision is overly burdensome and costly for
small and medium-sized companies. On December 15, 2006, the SEC adopted rule changes
giving smaller firms more time to comply with Section 404’s reporting requirements. Compliance
with Section 404 by small and medium-sized companies was an issue in both the 109th and 110th
Congresses and has continued to be an issue in the 111th Congress. On November 4, 2009, the
House Financial Services Committee recommended H.R. 3817, the Investor Protection Act,
which contained a clause, inserted as a bipartisan amendment, permanently exempting businesses
with a market capitalization up to $75 million from complying with the auditing requirements of
Section 404. This bill was included in H.R. 4173, the Wall Street Reform and Consumer
Protection Act of 2009, as Section 7606, passed by the House on December 11, 2009. The Senate-
passed bill on financial regulatory reform, S. 3217, did not have a comparable provision. House
and Senate conferees on Wall Street reform approved a conference report, H.Rept. 111-517,
which has a provision exempting businesses with a market capitalization of $75 million or less
from complying with the auditing requirements of Section 404. Both the House and the Senate
agreed to the conference report. The President signed the bill, known as the Dodd-Frank Wall
Street Reform and Consumer Protection Act, into law as P.L. 111-203 on July 21, 2010. Bills have
been introduced in the 112th Congress which allow, at least temporarily, certain companies
capitalized at more than $75 million to have an exemption from complying with certain parts of
Section 404 of Sarbanes-Oxley and other provisions of the federal securities laws.
This report will be updated as needed.

Contents
Background
Congressional Attention

Contacts
Author Contact Information


Background
On July 30, 2002, President Bush signed into law the Sarbanes-Oxley Act of 2002, P.L. 107-204.
This law has been described by some as the most important and far-reaching securities legislation
since passage of the Securities Act of 1933[1] and the Securities Exchange Act of 1934,[2] both of
which were passed in the wake of the Stock Market Crash of 1929.
Sarbanes-Oxley had its genesis early in 2002 after the declared bankruptcy of the Enron
Corporation, but for some time it appeared as though its impetus had slowed. However, when the
WorldCom scandal became known in late June, the Congress showed renewed interest in enacting
stiffer corporate responsibility legislation, and Sarbanes-Oxley quickly became law.
The act established the Public Company Accounting Oversight Board (PCAOB or Board), which
is supervised by the Securities and Exchange Commission (SEC or Commission). The act
restricts accounting firms from performing a number of other services for the companies which
they audit. The act also requires new disclosures for public companies and the officers and
directors of those companies. Among the other issues affected by the legislation are securities
fraud, criminal and civil penalties for violating the securities laws and other laws, blackouts for
insider trades of pension fund shares, and protections for corporate whistleblowers.
Currently, one of the most controversial provisions of the act is Section 404, Management
Assessment of Internal Controls. The provision states:
(a) Rules Required—The Commission shall prescribe rules requiring each annual report
required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or
78o(d)) to contain an internal control report, which shall—
(1) state the responsibility of management for establishing and maintaining an adequate
internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the
effectiveness of the internal control structure and procedures of the issuer for financial
reporting.
(b) Internal Control Evaluation and Reporting—With respect to the internal control
assessment required by subsection (a), each registered public accounting firm that prepares
or issues the audit report for the issuer shall attest to, and report on, the assessment made by
the management of the issuer. An attestation made under this subsection shall be made in
accordance with standards for attestation engagements issued or adopted by the Board. Any
such attestation shall not be the subject of a separate engagement.
The provision’s controversy stems from charges that some aspects of Sarbanes-Oxley, particularly
Section 404, are overly burdensome and costly for small and medium-sized companies. For
example, one critic has stated that the costs of Section 404 are “extreme.” “As one of our
members testified before the House Small Business Committee, his company’s efforts to comply
with Section 404 in preparation to go public were simply too excessive to justify the effort—10%
to 15% of gross revenues.... Well-published studies and hard data demonstrate similar cost
percentages for small firms.”[3]

[1] 15 U.S.C. §§77a et seq.
[2] 15 U.S.C. §§78a et seq.

The SEC over the years has taken various steps to delay compliance with Section 404 by defined
small companies. For example, on May 17, 2006, the SEC issued a press release which, among
other actions, announced that it would briefly postpone application of Section 404 to the smallest
companies but that ultimately all public companies would be required to comply with the internal
control reporting requirements of Section 404.[4] This view taken by the Commission conflicted
with several recommendations in a report[5] issued by the Commission’s Advisory Committee on
Smaller Public Companies on April 23, 2006, which would exempt small companies from many
of the internal reporting requirements of Section 404.
On December 15, 2006, the SEC adopted rule changes which give smaller firms, referred to as
non-accelerated filers, more time to comply with Section 404’s internal controls reporting
requirements.[6] Under the extension, a non-accelerated filer must provide management’s
assessment concerning internal control over financial reporting in its annual reports for fiscal
years ending on or after December 15, 2007.
On April 4, 2007, the SEC’s commissioners endorsed the recommendations of its staff to work
closely with the PCAOB to issue auditing standards intended to ease the burden on small
companies in complying with Section 404.[7]
Additionally, on May 23, 2007, the SEC commissioners voted unanimously to approve a relaxed
set of guidelines for the internal accounting controls required by Section 404 for smaller public
companies, defined in most cases as those with a public float below $75 million.
Congressional Attention
The perceived problem of compliance with Section 404 reporting requirements faced by small
and medium-sized companies was an issue in both the 109th and 110th Congresses and has
continued to be an issue in the 111th Congress. Virtually identical bills addressing this issue were
introduced in both houses of the 109th Congress: H.R. 5405 in the House and S. 2824 in the
Senate. Each bill was titled the Competitive and Open Markets that Protect and Enhance the
Treatment of Entrepreneurs (COMPETE) Act. The bills would have permitted an issuer to elect
voluntarily not to be subject to much of Section 404 of Sarbanes-Oxley if the issuer has a total
market capitalization for the relevant reporting period of less than $700 million; has total product
revenue for that reporting period of less than $125 million; has fewer than 1,500 record beneficial
holders; has been subject to the various reporting requirements of Sections 13(a)[8] or 15(d)[9] of the
Securities Exchange Act of 1934 for a period of less than 12 calendar months; or has not filed and
was not required to file an annual report under Section 13(a) or 15(d) of the Securities Exchange
Act of 1934. The bills would have set forth a de minimis standard for implementing the
requirements of Section 404. The bills would also have required the SEC and the PCAOB to
conduct a study comparing the principles-based Turnbull Guidance[10] under the securities laws of
Great Britain to the implementation of Section 404 of Sarbanes-Oxley and to submit the report to
Congress within one year of enactment of the COMPETE Act.

[3] Statement of Karen Kerrigan, president and CEO of the Small Business & Entrepreneurship Council, as reported in
ABA Journal e-Report, at http://abanet.org/journal/ereport/jy7sox.html (July 7, 2006).
[4] SEC Announces Next Steps for Sarbanes-Oxley Implementation, at http://sec.gov/news/press/2006/2006-75.htm (May
17, 2006).
[5] Final Report of the Advisory Committee on Smaller Public Companies to the Securities and Exchange Commission,
at http://www.sec.gov/info/smallbus/acspc/acspc-finalreport.pdf (April 23, 2006).
[6] http://www.sec.gov/rules/final/2006/33-8760.pdf.
[7] http://sec.gov/news/press/2007/2007-62.htm.
[8] 15 U.S.C. §78m(a).

Bills introduced in the 110th Congress continued the attempt to correct the perceived problems
created by Section 404. H.R. 1049, referred to the Committee on Financial Services, was titled
the Amend Misinterpreted Excessive Regulation in Corporate America Act (AMERICA). The bill
would have created an ombudsman for the Public Company Accounting Oversight Board
(PCAOB or Board). The ombudsman would have been appointed by the Board and would have
acted as a liaison between the PCAOB and any registered public accounting firm or issuer
concerning issues or disputes related to the preparation or issuance of any audit report of that
issuer, especially with respect to the implementation of Section 404; assured that safeguards
existed to encourage complainants to come forward and to preserve confidentiality; and carried
out other activities in accordance with guidelines prescribed by the Board. The bill would have
required the SEC and the PCAOB to adopt revisions to their rules or standards under Section 404
of Sarbanes-Oxley so that the costs of implementation of Section 404 would not significantly
increase the costs of complying with the annual audits required by the Securities Exchange Act.[11]
Further, the bill would have prohibited a private right of action to be brought against any
registered public accounting firm in any federal or state court on the basis of a violation or
alleged violation of the requirements of Section 404 or of the standards issued by the Board for
the purposes of implementing the provisions of Section 404.[12]
H.R. 1508, referred to the Committee on Financial Services, and S. 869, referred to the
Committee on Banking, Housing, and Urban Affairs, were titled the COMPETE Act of 2007 and
were comparable. They were similar to H.R. 5405 and S. 2824, introduced in the 109th Congress.
They would have amended Section 404 so that each registered public accounting firm preparing
or issuing an audit report for an issuer would have been required to attest to and report on the
management assessment of the issuer. The attestation and report on the assessment made by the
management of the issuer would not have included a separate opinion on the outcome of the
assessment. This attestation and report would have been required to be performed at three-year
intervals. The attestation would have been required to be made in accordance with standards
adopted by the Board. The SEC would have had to develop a standard of materiality for the
conduct of the assessment and report on an internal control based upon whether the internal
control had a material effect on the company’s financial statements and was significant to the
issuer’s overall financial status.[13] The bills would have permitted a smaller public company not to
be subject to Section 404. A “smaller public company” was defined as having a total market
capitalization for the relevant reporting period of less than $700 million and total product and
services revenue for the reporting period of less than $125 million or at the beginning of the
reporting period fewer than 1,500 record beneficial owners.[14] The SEC and the Board would have
had to conduct a study examining the lack of and impediments to robust competition for the
performance of audits for issuers.[15] The SEC and the Board would have also been required to
conduct a study comparing and contrasting the principles-based Turnbull Guidance[16] under the
securities laws of Great Britain to the implementation of Section 404 of Sarbanes-Oxley.[17]

[9] 15 U.S.C. §78o(d).
[10] For information on the Turnbull Guidance, see http://www.frc.org.uk/corporate/internalcontrol.cfm.
[11] H.R. 1049, 110th Cong., §5.
[12] H.R. 1049, 110th Cong., §7.
[13] H.R. 1508, 110th Cong., §2; S. 869, 110th Cong., §3.

Several other bills affecting compliance with Section 404 were introduced in the 110th Congress.
Bills introduced in the 111th Congress to provide an exemption for small companies from the
requirements of Section 404 included H.R. 1797 and H.R. 3775. On November 4, 2009, the
House Financial Services Committee recommended H.R. 3817, the Investor Protection Act,
which contained a clause, inserted as a bipartisan amendment, permanently exempting businesses
with a market capitalization up to $75 million from complying with the auditing requirements of
Section 404. The SEC and others would study how the burden of compliance with Section 404
could be reduced for companies valued between $75 million and $250 million and whether
reducing or eliminating their compliance with Section 404 would encourage these companies to
offer their shares to the public on United States exchanges. This bill was included in H.R. 4173,
the Wall Street Reform and Consumer Protection Act of 2009, as Section 7606, passed by the
House on December 11, 2009. The Senate-passed bill on financial regulatory reform, S. 3217, did
not have a comparable provision. House and Senate conferees on Wall Street reform approved a
conference report, H.Rept. 111-517, which has a provision exempting businesses with a market
capitalization of $75 million or less from complying with the auditing requirements of Section
404. The provision also requires the Securities and Exchange Commission to determine how it
can reduce the burden of complying with Section 404 for companies whose market capitalization
is between $75 million and $250 million while maintaining investor protections. Both the House
and the Senate agreed to the conference report. The President signed the bill, known as the Dodd-
Frank Wall Street Reform and Consumer Protection Act, into law as P.L. 111-203 on July 21,
2010.
In the 112th Congress, bills have been introduced which, in targeting the issue of providing access
to the capital markets for certain types of companies, allow some companies capitalized at more
than $75 million to have a temporary exemption from complying with parts of Section 404 and
other provisions of the federal securities laws. For example, S. 1933 and H.R. 3606, which are
identical and titled the Reopening American Capital Markets to Emerging Growth Companies Act
of 2011, focus on a category of company called in the bills an “emerging growth company.” An
“emerging growth company” is defined as an issuer[18] having total annual gross revenues of less
than $1 billion during its most recently completed fiscal year. An issuer meeting this criterion will
remain an emerging growth company until the earliest of the last day of the issuer’s fiscal year
having annual gross revenues of $1 billion or more, the last day of the issuer’s fiscal year after the
fifth anniversary of the date of the issuer’s first sale of common equity securities with an effective
registration statement, or the date on which the issuer is a “large accelerated filer” as defined in
17 C.F.R. Section 240.12b-2.[19] These bills allow an emerging growth company such exemptions
from the federal securities laws and regulations as disclosures of certain executive compensation
information and of the management’s discussion of financial operations. The bills also insert an
amendment to Section 404(b) of Sarbanes-Oxley which exempts an emerging growth company
from having to comply with the internal control evaluation and reporting requirements.
In addition, the bills amend Section 103 of Sarbanes-Oxley, which concerns auditing and quality
control standards, to exempt an auditor of an emerging growth company from having to provide
certain additional information about the audit and financial statements of the company, so long as
the additional information is not necessary or appropriate in the public interest.
S. 1933 and H.R. 3606 also focus on the availability of information about emerging growth
companies. For example, the publication or distribution by a broker or dealer of a research report
about an emerging growth company that is preparing to offer common equity securities to the
public will not be deemed to be an offer for sale or offer to sell the securities. Other provisions of
the bill provide for expanding additional permissible communications about an emerging growth
company without triggering requirements associated with a formal public offering of the
securities. An emerging growth company may also submit to the SEC before its initial public
offering date a draft registration statement for confidential nonpublic review.

[14] H.R. 1508, 110th Cong., §3; S. 869, 110th Cong., §4.
[15] H.R. 1508, 110th Cong., §4; S. 869, 110th Cong., §5.
[16] See footnote 10.
[17] H.R. 1508, 110th Cong., §5; S. 869, 110th Cong., §6.
[18] An issuer is “every person who issues or proposes to issue any security....” 15 U.S.C. §§77b(4) and 78c(8).
[19] According to 17 C.F.R. Section 240.12b-2(2), a “large accelerated filer” is an issuer meeting the following conditions
at the end of its fiscal year: (1) the issuer had an aggregate worldwide market value of the voting and non-voting
common equity held by its non-affiliates of $700 million or more, as of the last business day of the issuer’s most
recently completed second fiscal quarter; (2) the issuer has been subject to various registration and reporting
requirements; (3) the issuer has filed at least one annual report subject to various registration and reporting
requirements; and (4) the issuer is not eligible to use the requirements for smaller reporting companies for its annual
and quarterly reports.

Author Contact Information

Michael V. Seitzinger
Legislative Attorney
mseitzinger@crs.loc.gov, 7-7895