Bainbridge, Stephen Mark, Sarbanes-Oxley § 404 at Twenty (August 26, 2022). UCLA School of Law, Law-Econ Research Paper No. 08, 2022, Available at SSRN: https://ssrn.com/abstract=4201778
Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) was intended to improve public company internal controls over financial reporting (ICFR). Faulty internal controls were believed to have contributed to many corporate scandals during the dot-com era. Empirical research of the pre-SOX era suggested that reporting companies with poor internal controls tended to have more frequent earnings restatements, more SEC enforcement proceedings, and poorer performance than comparable firms with strong internal controls. When SOX was adopted § 404 was not among the most controversial provisions. Instead, it was the attorney conduct rules, CEO and CFO certification requirements, and the ban on loans to officers and directors—plus the larger question of federalizing corporate governance—that generated most of the early criticism aimed at the statute. Once companies began implementing § 404’s mandate for assessments of their internal controls over financial reporting, however, it became apparent that compliance costs were considerably greater than anticipated. In short order, § 404 became—and remains—SOX’s most controversial provision. SOX’s twentieth anniversary seems an opportune time to reassess the controversy over § 404. There is a considerable body of empirical evidence on the costs and benefits of § 404, which this article reviews. As it turns out, however, there are so many potential confounding factors that all of the evidence must be viewed with a degree of skepticism. Nonetheless, a few conclusions can be drawn. With the benefit of hindsight, it seems clear that Congress in 2002 had no idea what it would cost companies to comply § 404. The SEC had an estimate of what § 404(a) compliance would cost but had no idea what § 404(b) compliance would cost. Sticker shock seems the right description of the reaction once those costs became clear. Section 404 compliance costs were substantial from the outset. Those costs were disproportionately borne by smaller firms from the outset. Section 404 compliance costs remain high and show no signs of dropping over time. It remains the case that those costs are disproportionately borne by smaller firms. As far as achieving its main goal of reducing material weaknesses in ICFR, § 404 cannot be deemed a success. Both adverse managerial reports and auditor attestations actually rose prior to 2014 and have dropped only slightly in the subsequent period. Problems with firms failing to remediate persistent material weaknesses remain a source of concern.