Section 404 of the Sarbanes-Oxley Act of 2002 (Management Assessment of Internal Controls): Current Regulation and Congressional Concerns









Prepared for Members and Committees of Congress



Section 404 of the Sarbanes-Oxley Act of 2002 requires the Securities and Exchange Commission
(SEC) to issue rules requiring annual reports filed by reporting issuers to state the responsibility
of management for establishing and maintaining an adequate internal control structure and
procedures for financial reporting and for each accounting firm auditing the issuer’s annual report
to attest to the assessment made of the internal accounting procedures made by the issuer’s
management. There have been criticisms that this provision is overly burdensome and costly for
small and medium-sized companies. On December 15, 2006, the SEC adopted rule changes
giving smaller firms more time to comply with Section 404’s reporting requirements. In the 110th
Congress, a number of bills have been introduced that would address the perceived issue in
different ways. Among these bills are H.R. 1049, H.R. 1508, H.R. 1550, H.R. 1780, H.R. 2727, S.
869, and S. 1153. On April 4, 2007, the SEC’s commissioners endorsed the recommendations of
its staff for the staff to work closely with the Public Company Accounting Oversight Board to
issue auditing standards that are intended to ease the burden on small companies in complying
with Section 404. On May 23, 2007, the SEC voted to approve a somewhat relaxed set of
guidelines for the internal accounting controls required by Section 404 for smaller public
companies, defined in most cases as those with a public float below $75 million. SEC Chairman
Cox has proposed that smaller companies be given an additional year to comply with the internal
control audit requirements of section 404. The agency may vote on this proposal as early as
January 2008. This report will be updated as needed.





On July 30, 2002, President Bush signed into law the Sarbanes-Oxley Act of 2002, P.L.
107-204. This law has been described by some as the most important and far-reaching
securities legislation since passage of the Securities Act of 1933[1] and the Securities
Exchange Act of 1934,[2] both of which were passed in the wake of the Stock Market Crash of
1929.


Sarbanes-Oxley had its genesis early in 2002 after the declared bankruptcy of the Enron
Corporation, but for some time it appeared as though its impetus had slowed. However, when the
WorldCom scandal became known in late June, the Congress showed renewed interest in enacting
stiffer corporate responsibility legislation, and Sarbanes-Oxley quickly became law.
The act established the Public Company Accounting Oversight Board (PCAOB or Board), which
is supervised by the Securities and Exchange Commission (SEC or Commission). The act
restricts accounting firms from performing a number of other services for the companies which
they audit. The act also requires new disclosures for public companies and the officers and
directors of those companies. Among the other issues affected by the legislation are securities
fraud, criminal and civil penalties for violating the securities laws and other laws, blackouts for
insider trades of pension fund shares, and protections for corporate whistleblowers.
Currently, one of the most controversial provisions of the act is Section 404, Management
Assessment of Internal Controls. The provision states:
(a) Rules Required—The Commission shall prescribe rules requiring each annual report
required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or
78o(d)) to contain an internal control report, which shall
(1) state the responsibility of management for establishing and maintaining an adequate
internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the
effectiveness of the internal control structure and procedures of the issuer for financial
reporting.
(b) Internal Control Evaluation and Reporting—With respect to the internal control
assessment required by subsection (a), each registered public accounting firm that prepares
or issues the audit report for the issuer shall attest to, and report on, the assessment made by
the management of the issuer. An attestation made under this subsection shall be made in
accordance with standards for attestation engagements issued or adopted by the Board. Any
such attestation shall not be the subject of a separate engagement.
The provision’s controversy stems from charges that some aspects of Sarbanes-Oxley, particularly
Section 404, are overly burdensome and costly for small and medium-sized companies. For
example, one critic has stated that the costs of Section 404 are “extreme.” “As one of our
members testified before the House Small Business Committee, his company’s efforts to comply
with Section 404 in preparation to go public were simply too excessive to justify the effort—10%
to 15% of gross revenues .... Well-published studies and hard data demonstrate similar cost
percentages for small firms.”[3]

1 15 U.S.C. §§ 77a et seq.
2 15 U.S.C. §§ 78a et seq.

On May 17, 2006, the SEC issued a press release which, among other actions, announced that it
would briefly postpone application of Section 404 to the smallest companies but that ultimately
all public companies would be required to comply with the internal control reporting
requirements of Section 404.[4] This view taken by the Commission conflicts with several
recommendations in a report[5] issued by the Commission’s Advisory Committee on Smaller Public
Companies on April 23, 2006, which would exempt small companies from many of the internal
reporting requirements of Section 404.
On December 15, 2006, the SEC adopted rule changes which give smaller firms, referred to as
non-accelerated filers, more time to comply with Section 404’s internal controls reporting
requirements.[6] Under the extension a non-accelerated filer must provide management’s
assessment concerning internal control over financial reporting in its annual reports for fiscal
years ending on or after December 15, 2007. In addition, the SEC extended the date by which a
non-accelerated filer must begin to comply with the auditor attestation requirement until filing an
annual report for fiscal years ending on or after December 15, 2008.
The perceived problem of compliance with Section 404 reporting requirements faced by small
and medium-sized companies was an issue in the 109th Congress. Virtually identical bills
addressing this issue were introduced in both houses of Congress: H.R. 5405 in the House and S.
2824 in the Senate. Each bill was titled the Competitive and Open Markets that Protect and
Enhance the Treatment of Entrepreneurs (COMPETE) Act. The bills would have permitted an
issuer to elect voluntarily not to be subject to much of Section 404 of Sarbanes-Oxley if the issuer
has a total market capitalization for the relevant reporting period of less than $700 million; has
total product revenue for that reporting period of less than $125 million; has fewer than 1500
record beneficial holders; has been subject to the various reporting requirements of Sections
13(a)[7] or 15(d)[8] of the Securities Exchange Act of 1934 for a period of less than twelve calendar
months; or has not filed and was not required to file an annual report under Section 13(a) or 15(d)
of the Securities Exchange Act of 1934. The bills would have set forth a de minimis standard for
implementing the requirements of Section 404. The bills would also have required the SEC and
the PCAOB to conduct a study assessing the principles-based Turnbull Guidance[9] under the
securities laws of Great Britain to the implementation of Section 404 of Sarbanes-Oxley and to
submit the report to Congress within one year of enactment of the COMPETE Act.

3 Statement of Karen Kerrigan, president and CEO of the Small Business & Entrepreneurship Council, as reported in
ABA Journal e-Report, at http://abanet.org/journal/ereport/jy7sox.html (July 7, 2006).
4 SEC Announces Next Steps for Sarbanes-Oxley Implementation, at http://sec.gov/news/press/2006/2006-75.htm (May
17, 2006).
5 Final Report of the Advisory Committee on Smaller Public Companies to the Securities and Exchange Commission,
at http://www.sec.gov/info/smallbus/acspc/acspc-finalreport.pdf (April 23, 2006).
6 http://www.sec.gov/rules/final/2006/33-8760.pdf.
7 15 U.S.C. § 78m(a).
8 15 U.S.C. § 78o(d).
9 For information on the Turnbull Guidance, see http://www.frc.org.uk/corporate/internalcontrol.cfm.

Bills introduced in the 110th Congress continue the attempt to correct the perceived problems
created by Section 404. H.R. 1049, referred to the Committee on Financial Services, is titled the
Amend Misinterpreted Excessive Regulation in Corporate America Act (AMERICA). The bill
would create an ombudsman for the Public Company Accounting Oversight Board. The
ombudsman would be appointed by the Board and would act as a liaison between the PCAOB
and any registered public accounting firm or issuer concerning issues or disputes related to the
preparation or issuance of any audit report of that issuer, especially with respect to the
implementation of Section 404; assure that safeguards exist to encourage complainants to come
forward and to preserve confidentiality; and carry out other activities in accordance with
guidelines prescribed by the Board. The bill would also reorganize the PCAOB to provide that the
members of the Board shall be appointed by the President, by and with the advice and consent of
the Senate.[10] The bill would require the SEC and the PCAOB to adopt revisions to their rules or
standards under Section 404 of Sarbanes-Oxley so that the costs of implementation of Section
404 will not significantly increase the costs of complying with the annual audits required by the
Securities Exchange Act.[11] Further, the bill would prohibit a private right of action to be brought
against any registered public accounting firm in any federal or state court on the basis of a
violation or alleged violation of the requirements of Section 404 or of the standards issued by the
Board for the purposes of implementing the provisions of Section 404.[12]
H.R. 1508, referred to the Committee on Financial Services, and S. 869, referred to the
Committee on Banking, Housing, and Urban Affairs, are titled the Compete Act of 2007 and are
comparable. They are similar to H.R. 5405 and S. 2824, introduced in the 109th Congress. They
would amend Section 404 so that each registered public accounting firm preparing or issuing an
audit report for an issuer would be required to attest to and report on the management assessment
of the issuer. The attestation and report on the assessment made by the management of the issuer
would not include a separate opinion on the outcome of the assessment. This attestation and report
would be required to be performed at three-year intervals. The attestation would be required to be
made in accordance with standards adopted by the Board. The standards adopted by the Board
would be required to eliminate duplication of audits and examinations. The SEC would be
required to develop a standard of materiality for the conduct of the assessment and report on an
internal control that would have to be based upon whether the internal control has a material
effect on the company’s financial statements and is significant to the issuer’s overall financial
status.[13] The bills would permit a smaller public company not to be subject to Section 404. A
“smaller public company” would be defined as having a total market capitalization for the
relevant reporting period of less than $700 million and total product and services revenue for the
reporting period of less than $125 million or at the beginning of the reporting period fewer than
1500 record beneficial owners.[14] The SEC and the Board would be required to conduct a study
examining the lack of and impediments to robust competition for the performance of audits for
issuers.[15] The SEC and the Board would also be required to conduct a study comparing and
contrasting the principles-based Turnbull Guidance[16] under the securities laws of Great Britain to
the implementation of Section 404 of Sarbanes-Oxley.[17]

10 H.R. 1049, 110th Cong., § 4.
11 H.R. 1049, 110th Cong., § 5.
12 H.R. 1049, 110th Cong., § 7.
13 H.R. 1508, 110th Cong., § 2; S. 869, 110th Cong., §3.
14 H.R. 1508, 110th Cong., § 3; S. 869, 110th Cong., § 4.
15 H.R. 1508, 110th Cong., § 4; S. 869, 110th Cong., § 5.
16 See footnote 9.
17 H.R. 1508, 110th Cong., § 5; S. 869, 110th Cong., § 6.





H.R. 1550, referred to the Committee on Financial Services, would, in addition to amending
Section 302 of the Sarbanes-Oxley Act (Corporate Responsibility for Financial Reports), amend
Section 404 to exempt certain financial institutions from having to prepare the internal control
report.[18] These financial institutions include insured depository institutions, bank holding
companies, and savings and loan companies.
H.R. 1780, referred to the Committee on Financial Services, would require the SEC to issue rules
which incorporate risk-based concepts in assessing internal control over financial reporting for
issuers, specific guidelines for measuring such terms as “reasonable” and “material,” and specific
alternative requirements for smaller issuers.[19]
H.R. 2727, referred to the Committee on Financial Services, would require the SEC to modify its
Section 404 regulations so that a non-accelerated filer[20] would not be required to provide
management’s report on internal control over financial reporting until filing its annual report for
the fiscal year ending on or after December 15, 2008.
In the Senate, in addition to S. 869, discussed above, S. 1153, referred to the Committee on
Banking, Housing, and Urban Affairs, would require the SEC to conduct and complete an
analysis of any final rule of the Public Company Accounting Oversight Board. The bill would
also require the Comptroller General to conduct an assessment of the impact on small business
concerns of any rule issued by the SEC to carry out Section 404.
On April 4, 2007, the SEC’s commissioners endorsed the recommendations of its staff to work
closely with the PCAOB to issue auditing standards intended to ease the burden on small
companies in complying with Section 404.[21]
On May 23, 2007, the SEC commissioners voted unanimously to approve a relaxed set of
guidelines for the internal accounting controls required by Section 404 for smaller public
companies, defined in most cases as those with a public float below $75 million.[22] Chairman Cox
has proposed that smaller public companies be given an additional year to comply with the
internal control audit requirements of section 404. The agency may vote on this proposal as early
as January 2008.



Michael V. Seitzinger
Legislative Attorney
mseitzinger@crs.loc.gov, 7-7895





18 H.R. 1550, 110th Cong., § 3.
19 H.R. 1780, 110th Cong., § 2.
20 A non-accelerated filer is generally an issuer with an aggregate worldwide market value of the voting and non-voting
common equity held by its non-affiliates of less than $75,000,000. See 17 C.F.R. § 240.12b-2.
21 http://sec.gov/news/press/2007/2007-62.htm.
22 http://sec.gov/news/press/2007/2007-102.htm.