Fixing 404.

Author: Grundfest, Joseph A.

Although debate persists as to whether the costs of Sarbanes-Oxley's Section 404 regulations exceed their benefits, there is broad consensus that the rules have been inefficiently implemented. Substantive and procedural factors contribute to the rules' inefficiency.

From a substantive perspective, the terms "material weakness" and "significant deficiency" are central to the implementing regulations and are easily interpreted to legitimize audits of controls that have only a remote probability of causing an inconsequential effect on the issuer's financial statements. As a quantitative matter, the literature suggests that a control with a remote probability of causing an inconsequential effect has an expected value of only five one-hundredths of one percent of a firm's net income.

Procedurally, the Section 404 rules are implemented in an economic and political environment that generates a powerful tropism for inefficient hyperenforcement. Auditors have been broadly criticized for a rash of audit failures and restatements. They do not want to be further criticized for implementing Section 404 with insufficient vigor. Auditors are also subject to significant uninsurable litigation risk. That provides an incentive to externalize risk by forcing clients to absorb greater precautionary costs that benefit auditors by reducing the probability of an audit failure. Auditors also make money selling Section 404 services to audit and nonaudit clients alike. These three forces combine to create powerful incentives for the audit industry, incentives that contribute to inefficient expenditures on Section 404 procedures much like the forces that drive inefficient expenditures on defensive medical procedures.

To address these concerns, the Securities and Exchange Commission ("Commission" or "SEC") and the Public Company Accounting Oversight Board ("PCAOB") should aggressively redraft the rules implementing Section 404 to eliminate the need to examine controls that are unlikely to have a material effect. At the same time, the PCAOB should monitor audit firms' Section 404 practices and discipline auditors who promote or engage in cost-inefficient procedures.

We are not confident that these or any other reforms will be sufficient to remedy the problems already created by Section 404. The audit profession has incorporated inefficient Section 404 procedures into its integrated audit framework, and experience suggests that auditors are loath to weaken processes already in place. While the Commission and the PCAOB should act aggressively to rationalize Section 404 costs, Section 404 as implemented under the current rules may have established an irreversible process that will continue to impose inefficient costs on publicly traded firms for years to come.

TABLE OF CONTENTS

INTRODUCTION
I. THE HISTORY AND EVOLUTION OF SECTION 404
II. BASIC COST-BENEFIT ANALYSIS
III. THE SUBSTANTIVE FIX
    A. A Precise Definition of the Problem
    B. A Proposed Solution
IV. THE PROCEDURAL FIX
    A. A Precise Definition of the Problem
    B. A Proposed Solution
V. THE SMALL COMPANY PROBLEM
CONCLUSION
POSTSCRIPT

INTRODUCTION

It's time to fix the rules that implement Section 404 of the Sarbanes-Oxley Act of 2002 ("Sarbanes-Oxley Act" or "Sarbanes-Oxley"). (1) Section 404 is a delegation of authority to the Securities and Exchange Commission ("Commission" or "SEC") to "prescribe rules" governing management's internal control reports, and to the Public Company Accounting Oversight Board ("PCAOB") to "set standards for attestation engagements" relating to management's reports. (2) The difficulties arise not in the text of Section 404 but in the structure of the rules adopted by the PCAOB, and approved by the SEC, implementing Section 404. The specific language of Auditing Standard No. 2 ("AS2"), (3) which defines the standards for attestation referenced in the statutory text, was a product of these rules.

An important political point deserves emphasis at the outset. There is nothing inherently wrong with the language of Section 404 as enacted by Congress. It is entirely possible for strong supporters of Sarbanes-Oxley to be vigorous opponents of Section 404 as implemented by the PCAOB and the SEC through AS2. This Article's critique is directed entirely at AS2. Resolution of these problems will not require Congressional action because the PCAOB and the Commission can implement all necessary and appropriate amendments at the administrative level.

While there is substantial debate over the costs and benefits of Section 404 as implemented by AS2, there is far greater consensus that the PCAOB's rules are not cost effective in the sense that a very large portion of Section 404's benefits can be generated while imposing substantially lower costs on the economy. (4) Consistent with this view, the head of the PCAOB has stated that "it is... clear to us that the first round of internal control audits cost too much." (5)

The cost of Section 404 compliance seems to have surprised the very regulators who put the rules in place. A recent study found that the direct cost of implementing Section 404 in its first year averaged about $7.3 million for companies with market capitalizations in excess of $700 million and about $1.5 million for issuers with market capitalizations of $75 million to $700 million. (6) The SEC initially estimated the average cost of complying with Section 404 at approximately $91,000. (7) First-year implementation costs for larger companies were thus eighty times greater than the SEC had estimated, and sixteen times greater than estimated for smaller companies.

This observation raises additional questions about the fundamental cost-benefit calculus underlying Section 404's implementing regulations. If, at the time of the rules' adoption, regulators believed that AS2 would generate benefits in excess of projected costs, by how much did they expect benefits to exceed costs? Did they believe that benefits would exceed costs by some modest amount, or did they actually believe that AS2's benefits would range from sixteen to eighty times greater than its expected costs? It follows that, unless regulators believed that AS2 would generate benefits enormously in excess of its projected costs--a proposition entirely unsupported by the record--the standard has sorely disappointed its drafters. AS2 may stand as one of the greatest failures of cost-benefit analysis in the history of the Securities and Exchange Commission.

The debate over Section 404's cost effectiveness is not limited to its first-year implementation costs. (8) While Section 404 start-up costs were quite high and second-year compliance costs appear to be lower, there is significant dispute over the magnitude of second-year cost declines. Data generated in a study supported by the audit industry suggest that average second-year Section 404 compliance costs for smaller companies were $900,000, or 39% less than first-year costs, and that second-year compliance costs for larger companies averaged $4.3 million, or 42% less than first-year implementation costs. (9) In contrast, a study by Financial Executives International found that "total average cost for Section 404 compliance ... during fiscal year 2005 [was] down 16.3 percent from 2004," and suggests that these reductions were only "about half of what were anticipated" (10) and about half of the magnitude of the cost declines reported by the audit industry's sponsored study.

While news of reduced Section 404 compliance costs was no doubt welcome, the simple observation that costs have declined addresses neither the core cost-benefit question nor the cost-efficiency concerns raised by the Section 404 rules. In particular, just as first-year implementation costs would reasonably be expected to exceed second-year costs, first-year implementation benefits would also be expected to exceed second-year benefits. (11) The available surveys do not, however, quantify first- or second-year benefits in a form that supports any clear inference as to whether Section 404 is more or less cost effective in its second year than it was in its first.

Further, assuming that the audit industry's more aggressive estimates of cost declines are correct, these declines are from a very high base. The audit industry's estimate of second-year compliance costs for the average firm still runs about 9.5 times greater than the Commission's initial estimate for first-year costs. For larger firms, second-year compliance costs now run about fifty-two times the Commission's initial expectations. These data suggest that Section 404's second-year implementation costs remain quite inefficient in comparison with the SEC's initial expectations. Just as it is widely appreciated that "the first round of internal control audits cost too much," (12) there is a high likelihood that the second round of internal control audits also cost too much. Absent fundamental reform, the third, fourth, and fifth rounds are also likely to cost too much, ad infinitum. (13)

How and why did such a gap arise between expected and actual costs? What, if anything, can be done to bring Section 404 costs more in line with the regulators' own initial expectations? Responding to both questions calls for a detailed examination of the substantive definitions of two terms at the core of the Section 404 rules--"significant deficiency" and "material weakness"--as well as a nuanced appreciation of the procedural environment in which these rules were initially adopted and the litigation environment in which they continue to be enforced.

From a substantive perspective, the root cause of Section 404's cost inefficiency resides in the PCAOB's definitions of the terms "significant deficiency" and "material weakness" combined with the pre-existing definition of the term "remote likelihood" as applied to the Section 404 process. As explained in detail below, these definitions force auditors and registrants to expend a great...
