With the hint of deregulation in the D.C. air, some sense the opportunity – or risk, depending on your point of view – that major portions of the landmark Sarbanes-Oxley Act of 2002 (SOX) might be open to some revision. As reported by Michael Rapoport in the Wall Street Journal, legislation proposed by congressional Republicans seeks at the very least to increase the market capitalization threshold at which SOX Section 404(b) – the section requiring companies to obtain an independent audit of their internal control environment – kicks in.
The argument for loosening SOX 404(b) revolves around whether the rule is too cumbersome and costly for smaller companies. The question is, at what point does the cost of complying with the rule outweigh its benefit to investors? As Rapoport discusses, there is currently a proposal to raise the floor from a market cap of $75 million to $250 million, with the possibility of pushing it up even to $500 million.
According to Francine McKenna of MarketWatch, based on FY 2015 data this would exempt one third of the companies that are currently required to issue an auditor’s assessment of internal control over financial reporting (ICFR) from SOX 404(b). These companies would still have to comply with SOX 404(a), management’s assessment of ICFR.
SOX 404(b) became effective for accelerated filers for fiscal years ending on or after November 15, 2004. Our recent research report on SOX 404 found that for fiscal years that ended in 2004 (the first year of implementation), 15.7% of companies that had to comply with SOX 404(b) disclosed ineffective ICFR. The percentage of companies that disclosed ineffective ICFR has since declined dramatically, reaching a low of just 3.4% in 2010, but rising since then to 5.3% as of 2015.
One criticism of SOX 404 is that many material weaknesses are not disclosed until after a company has restated its financial statements. The PCAOB found that 80.4% of companies with a restatement in 2014 did not have ineffective ICFR prior to the disclosure of the restatement. This raises doubts about whether SOX 404 has much of an effect.
If we look more broadly at restatements we can see evidence that SOX 404 has had an impact. Sarbanes-Oxley was passed following the failure of numerous public companies including Enron and WorldCom. These companies’ failures were due to massive fraud that went undetected. SOX 404 was implemented in order to curb management’s ability to commit fraud and to reduce instances of error.
In our 2015 Financial Restatements Report we found that after the implementation of SOX there was a massive increase in financial restatements that peaked at 1,851 in 2006. That number declined significantly to just 737 in 2015. We’ve also found that the financial impact on net income has declined. Restatements of $3 billion to $6 billion were made in each year between 2002 and 2006. Since 2008 only one year has had a restatement that impacted net income by more than $1 billion.
The Insurance Journal reported that at the 2017 D&O Symposium presented by the Professional Liability Underwriting Society, Andrew Fastow, Enron’s former CFO, asked “how is it possible to be CFO of the year and go to federal prison for doing the same deals?” But as Jeffrey Johanns pointed out on Twitter, “fraud is fraud whether discovered or not.” Maybe if SOX 404(b) had been in place at the time, it would have prevented Mr. Fastow’s fraud from ever occurring in the first place.