This statement is also available here as an Adobe PDF.

Statement No. 219

For Information Contact:
Randall S. Kroszner
(773) 702 - 8779

The internal control structures and procedures for financial reporting by publicly-traded firms are the focus of Section 404 of the Sarbanes-Oxley Act. Under the SEC and PCAOB rules implementing Section 404, each firm must produce an annual internal control report that has four features: (i) a description of management’s responsibility for establishing and maintaining such controls; (ii) an explanation of the framework that management uses to determine the effectiveness of the controls; (iii) an assessment by management of how effective the controls are; and (iv) an attestation by the firm’s external auditor concerning the management’s assessment of the effectiveness of the controls. Management is required to perform quarterly evaluations of changes that materially affect or are likely to materially affect the internal control system. Management also must determine if there are any material weaknesses in the effectiveness of its internal control system and disclose them to the markets. 
       
To evaluate the efficiency and effectiveness of a regulation such as Section 404, it is necessary to assess the costs it imposes on shareholders relative to the benefits they and others might receive. As a first step, Congress should clearly identify what the need for the legislation is. In the case of Section 404 of Sarbanes-Oxley, for example, valuable questions to have been asked include: To what extent were shareholder losses or declines in confidence in corporate investments impaired because firms’ internal controls were inadequate? Were earnings restatements necessitated because internal controls failed to reveal misleading accounting? To what extent did independent public accountants fail in their responsibility to follow Generally Accepted Auditing Standards to assess the effectiveness of a client’s internal control system and to inform managers and shareholders of serious inadequacies? Ultimately, to what extent might frauds have been prevented? In addition, Congress should clearly specify the objective(s) of the legislation they enact to permit a subsequent evaluation of how well the legislation has achieved its goals. 
      
The costs of implementing Section 404 were difficult to estimate in advance. Early reports, however, suggest that the scope and requirements of implementing Section 404 have significantly increased both internal and external costs. The Financial Executives International, an organization of Chief Financial Officers (CFOs) and other senior financial executives, for example, surveyed 217 firms with average revenues of $5 billion and found that total direct cost of compliance with Section 404 in its first year has averaged $4.36 million per firm. Most CFOs surveyed believe that compliance costs will fall in future years but that the decline will be less than 40 percent. 
      
In order to attest to the management’s assessment of the control systems, auditors have been requiring a large amount of detailed documentation of all of a firm’s internal procedures. In addition, there has been an “across the board” approach on the demands for documentation and evaluation of procedures rather than a “risk-based” approach that focuses more attention on areas most likely to be the source of trouble. In other words, the burdens have been similar for both major and minor internal controls as opposed to placing a greater emphasis on the controls relating to important areas of a firm’s operations that are most likely to have a material impact on financial reports. 

In cases such as Section 404, where the costs and benefits are difficult to assess prior to the implementation of the regulation, Congress should require that an evaluation of costs and benefits be undertaken an appropriate number of years after the regulation has been implemented. For Section 404, sufficient data may be available, say, three years from now to provide some gauge of the efficiency of the regulation. An independent body within the government, such as the GAO, or an appropriate private sector body should be directed by Congress to collect data from the affected parties and undertake an evaluation of the costs and benefits of the regulation. Such an evaluation should take into account relevant outside or third party analyses.

A sound regulatory evaluation would: first, explain the objective(s) of the regulation; second, consider alternative available approaches to achieving those objective(s); and third, evaluate both the quantitative and qualitative benefits and costs of the regulation and its main alternative(s). To evaluate the benefits and costs, such an analysis would have to specify a clear “baseline” comparison. Typically, this would be a “no action” baseline involving what the world would be like without the regulation. In the case of Section 404 of Sarbanes-Oxley, for example, the “no action” baseline would not be likely be “business as usual” circa 2001. As a result of the well-publicized corporate scandals in 2001 and 2002, it is likely that publicly-traded firms would have undertaken additional expenditures on auditing and controls without any legislative requirement or regulatory change. 
      
In evaluating the regulation, some benefits and costs may be difficult to quantify. Enhancing the credibility of publicly-traded firms’ financial reports and improving the integrity of markets, for example, may be potential benefits that are difficult to quantify, although to the extent possible an analysis should strive to find measurable proxies. If such non-quantified benefits or costs are likely to be significant, a so-called “threshold” or “break-even” analysis could be undertaken to evaluate their importance. Such a threshold analysis would answer the question: “How great would the value of the non-quantified benefits have to be for the regulation to yield positive net benefits?” 
      
To summarize, cost-benefit analysis is a widely used tool for regulatory analysis and evaluation. Important regulations that may involve significant costs should be periodically evaluated using the best available data and techniques to inform policy-makers and the public about the efficiency of rules and regulations. Given the newness, apparent cost, and controversies surrounding Section 404, this regulation would be a worthwhile project for data collection in order to undertake regulatory review in, say, three years.