Background of SOX 404 Legislation Accounting Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Since the dot-com bubble burst at the beginning of 2000, the SEC has enacted what is probably one of the most significant pieces of legislation ever for public companies to adopt in the US, the Sarbanes-Oxley Act (SOX) of 2002. However, the most costly part of this legislation is SOX 404, which focuses on internal control measures. Thus, this chapter will assess the benefits and costs of this legislation and suggest that it also be used in the credit rating industry to improve its internal controls. The chapter will identify control improvements that have taken place since the enactment of SOX 404 and what has been learned from earlier mistakes so as to improve efficiency and effectiveness.

5.2 Background of SOX 404

After the internet boom collapsed, around the year 2000, a lot of significant internal control failures came to light. Firms such as Enron, WorldCom, Tyco, and others had been involved in fraudulent financial statements and had by then lost a huge amount of capital that belonged to investors. Furthermore, there was also a mistrust of financial reporting and an overall concern with regard to the implications it would have for the stock market and economy. Therefore, in 2002 the SEC enacted the Sarbanes-Oxley Act (SOX) to combat these and other issues that were highlighted during this period, as they believed that it was not enough to only improve the audit profession.

Subsequently, in May 2003 the SOX 404 Act came about as control deficiencies reinforced the importance of internal controls to investors, regulators, management, and boards. Thus, the aim was to create an act that required public companies to address these internal control issues and hold key employees accountable for their financial reporting. The legislation directed these responsibilities to the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO), as a lack of integrity at the top of the organization was found (Beresford et al. 2003).

Furthermore, the act took the auditing standards away from the American Institute of Certified Public Accountants (AICPA) and formed a new body called the Public Company Accounting Oversight Board (PCAOB), to set auditing standards for public firms. However, the complexity in getting the new body into action took time, hence the delay and difficulties some firms had to face in implementing SOX 404.

Nevertheless, this new act required management and an external auditor to assess the company's internal control over financial reporting (ICFR). Under SOX 404, the report must contain (a) "a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company" (SEC, 2003) and (b) "management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year" (SEC, 2003), and hence must also disclose any weakness found in the company's ICFR. This section is the most costly aspect of the Sarbanes-Oxley legislation, as it requires a lot of time and effort to control, document, and test.

Moreover, as this legislation affects both domestic and foreign companies, the commission decided that domestic firms must start complying with this act by 2004 and foreign firms by 2005. Nevertheless, the act was postponed a couple of times for foreign firms due to the difficulties in implementing this new reform.

As firms differ in many aspects, such as size and complexity, there is no specific system that each company can adopt. However, most of the companies in the US use the internal framework recommended by the Committee of Sponsoring Organizations (COSO). This approach, which is voluntary, provides a framework against which the internal controls can be assessed so as to improve the ICFR. It involves identifying significant financial reporting elements and assessing each entity to its core so as to disclose accounts and their relevant assertions with regard to risk. This approach will concentrate the internal control procedures on specific accounts that may have a misstatement; hence, what is important, how important it is, and what level of risk is acceptable.

5.3 Strength and shortcomings of SOX 404 (Analysis based on benefit and cost)

Since the introduction of section 404, the main objective has been to improve the quality of reporting and to improve investors' confidence in the financial market. The recent crisis, before the enactment of SOX, highlighted the need to provide investors with a more comprehensive understanding of what is needed to prepare and present the financial statement. Hence, the primary focus of SOX 404 is to accomplish this by improving the disclosure requirements to investors with regard to management's responsibilities for financial statements and ICFR. The importance of how management discharges its responsibilities is also highlighted by this act, as it matters what managers deem to be important, and thus in need of their oversight, and what is of less risk, and hence can be given to someone else as a responsibility. This aspect is deemed essential in the process of financial reporting, as any weaknesses in internal controls may create unintentional accounting estimation and reporting errors (Kinney & McDaniel, 1989). Therefore, investors will be in a better position to evaluate management's performance of its responsibilities, and thus its financial statement and other unaudited financial information as well, where an enhanced disclosure requirement may improve the chances of detecting fraudulent activities and minimize their adverse effects (SEC, 2003).

Moreover, although SOX 404 has been extensively criticised, the benefits from this legislation were seen as of greater significance to investors than the compliance costs, which were considerably underestimated; see appendix 1 for the direct and indirect effects of SOX 404. Thus, the main cost factors that contribute to this expensive legislation are the cost of internal labour, external consulting and technology expenses, and audit confirmation charges. According to Jagan et al. (2008), the mean total compliance cost is estimated to be $2.2 million, where a positive relationship in terms of these factors has been identified. Thus, factors such as firms' size, internal control weaknesses, cost of technology and internal control policies, and the confirmation charges adopted by audit firms play a huge part in the total cost. Nevertheless, they also found that there was a negative relationship for firms in regulated industries and firms that had to raise new capital. However, it is important to emphasize that these cost estimations do not distinguish between start-up costs, which tend to be more expensive, and ongoing costs.

However, a study by Financial Executives International found that overall, SOX 404 cost smaller firms, with a revenue of $2.5 billion, as much as $3.1 million a year (Brodie & Blum, 2004), compared to larger companies whose cost may reach $35 million a year (Henry and Borrus, 2005).

The concern among executives about these high costs persisted for a few years after the legislation was enacted (New York Times, 2007). However, in the middle of 2007 the SEC addressed these concerns by issuing the management guidance (SEC, 2007) and approved the PCAOB's new auditing standard number 5 (AS5) (PCAOB, 2007). The main objective of these new reforms was to enhance the efficiency and effectiveness of SOX 404 implementations.

The management guidance of 2007 describes a top-down risk approach to meeting the requirements of section 404. The main objective is to reduce the specific costs associated with SOX 404 by emphasizing to management that it should start with the financial statement that poses the greatest risk and then focus on specific entity controls. However, it also indicates that management must take into context the nature and extent of their process with regard to the significant accounts and disclosure requirements. In other words, they must engage in evidence gathering, documentation procedures, and thorough testing of the controls. Thus, this new reform emphasized more flexibility and discretion in terms of management's part in complying with SOX 404. The table below shows the total cost of section 404 pre and post 2007, when the management guidance was introduced; the total costs have decreased since the reform.

Table 1

Source:, Accessed on: 1st Sep. 2010

Nevertheless, companies do not have to follow this management guidance as it is only voluntary.

However, it must also be highlighted that smaller companies are affected by section 404 differently from larger companies, as there is a fixed cost involved. Thus, COSO has published guidance on ICFR for small and mid-sized companies, as they tend to find section 404 more difficult to implement. Recent studies have found that US companies with revenues of $5 billion spend 0.06% of revenues on section 404, compared to smaller companies with a revenue of $100 million, who spend 2.55% (SEC, 2006).

Although it is more expensive for smaller companies than for larger ones, it is important to emphasize that smaller companies should not be exempted from this act. According to Gao et al. (2009), unintended consequences of postponing the requirements of SOX 404 for smaller firms lead to an incentive for these companies to stay small. Thus, fewer investments are made, dividends to shareholders increase, and more bad news disclosures are made.

To further reduce cost, the PCAOB enacted AS5, with the objective of significantly reducing the time required to do the individual audit of ICFR; see appendix 2. This reform superseded AS2, as it was too expensive for companies to enact. According to the CEO of Ernst & Young, "much of the debate regarding the high costs of 404 implementation seems to be centred on audit fees" (EY 2005). The audit fees represent roughly 25% of a firm's cost of implementing SOX 404 (SEC, 2005b). Nevertheless, it is also important to stress that if ICFR is not effective then it may increase "the probability that accounting problems exist" (Wilfert, 2005).

Moreover, evidence has also been found that SOX 404 leads to a lower cost of equity by rectifying the internal control deficiencies (Collins et al. 2009). As ineffective internal controls are widely associated with less reliable financial reporting, it is important to reduce the risk to investors by improving the internal control standards. In addition, according to Arping and Sautner (2010), the transparency of European cross-listed firms has also improved for companies that comply with SOX 404 and that engage in information-sensitive industries such as the financial service sector. The Lord & Benoit Report (2006) also reported that companies that engage in SOX 404 experience a much better rise in share prices than firms that do not.

Hence, the apparent benefits of SOX 404 are many, but a few of the more important ones, such as improved corporate governance, reviving the capital market, improving liquidity, and improving financial reporting, have led to an increase in the confidence of investors and other market participants in the securities market. Nevertheless, these benefits must be compared with the shortcomings that come along with section 404. Factors such as direct costs and the legislation discouraging initial public offerings (IPOs) and foreign companies from listing in the US have to be weighed against the benefits to get the true value of this legislation. Thus, the PCAOB is continually looking to enhance the legislation by reducing the cost involved.

5.4 Implementation/discussion

Over the last couple of decades we have been through a few financial recessions where, in hindsight, the rating agencies have played an important role: from the commercial paper scandal in 1970 and the East Asian crisis in 1997 to the dot-com bubble in 2000. However, no financial scandal has had a more severe and deep effect than the recent financial crisis. Given the severe drop in market capitalization and investor confidence, I believe that, of all the recent amendments to the regulation of the rating industry, the internal control requirements of SOX 404 have the greatest potential to improve the reliability of ratings.

As the CRAs are embedded into regulatory requirements, such as Basel 2 and the new Basel 3, which will be implemented by almost all the countries around the world, it is crucial that the rating agencies remain independent and objective when they rate a product or country. The CRAs are too important to the stability of the financial market; thus they must be regulated to minimize risk. Hence, a weakness in the system can have severe adverse effects on people all around the world.

In implementing section 404, it is important to emphasize that the aim is to improve internal controls over the main criticisms that CRAs face, thus improving disclosure requirements. It is important that rating agencies collect and assess the information gathered, but also that they emphasize what has been done to verify the accuracy of the gathered information, hence setting a minimum standard among them, where the information is relevant, reliable, and timely.

Moreover, it is also very important for investors to understand the process in a committee meeting when a rating has been changed from the initial rating given by the analyst. This qualitative discussion is normally never disclosed, thus creating uncertainty and doubt in the rated product. In addition, the internal control improvement on SOX 404 should also highlight how the analyst and his team assign the correct weight to the different factors being used in the methodology, as it plays an important role in the outcome. The previous overoptimistic ratings, I believe, were given to hide the weakness of the troubled financial products.

Furthermore, as CRAs are classified as small companies with regard to section 404, because of their revenue stream of roughly $2 billion (for the top two CRAs), the cost in proportion to their revenue will be high. However, I believe that the rating agencies should be exempt from the audit fees in terms of implementing SOX 404, as they only create a duplicative cost, being tested once by the firm and then again by the audit company, creating excess cost. In addition, as the CRAs so widely claim to believe in the reputational model, it should act as a deterrent to make sure they get it right the first time.

Nonetheless, implementing this legislation for all the CRAs around the world might be difficult to achieve. However, the legislation will still cover 94+% of all the rated products in the world if it becomes a requirement of the NRSROs, hence still being able to have worldwide effects. It is also important to remember that risk management is dependent on human judgement and therefore susceptible to decision making. Thus, procedures need to be put in place to avoid any unintended consequences.

Thus, the potential benefit of this legislation is to restore public and investor confidence in the rating companies, as they are faced with major criticism. However, there is also an explicit focus where the intention is to improve the accuracy of the methodologies being used by requiring agencies to disclose specific factors in the rating process mechanism.

5.5 Summary

Since the collapse of Enron in late 2001, the SEC had to adopt some form of legislation that would tackle the issues that came to light during this period. Thus, one of the most significant pieces of legislation was enacted in 2002, in which section 404 would play an important role. The shortcomings in ICFR were brought to the surface; thus massive change was needed to improve investor and public confidence in the capital market.

Nevertheless, the proposal is that this legislation also be used in the CRA industry. The shortcomings that have been highlighted, not only from the recent crisis but also from previous ones, indicate that they cannot be overlooked. As they play an increasing role in the financial and regulatory market, better regulation is required, and I believe that SOX 404 will improve the situation as issues are identified in a proactive rather than reactive manner.

However, the cost and implications must also be taken into context, although there has been a decline in the cost of implementing SOX 404. Furthermore, the continued improvements in control process, technology, and monitoring systems will ensure that the continued oversight over internal controls is effective. This would represent that the CRA industry has an effective internal control system that makes sure that the relevant inputs to the methodologies and the committee discussion get published, hence strengthening investor and public confidence that they are independent and objective when assessing each and every product. If this is the case, then I believe that it is worth getting the internal control structures right the first time.

Chapter 6: Conclusion and Recommendations for Further Work

6.1 Conclusions

The recent financial crisis has drawn a lot of attention to the CRA industry over their role in fuelling the crisis instead of acting as a gatekeeper. Although it has been argued by many that rating agencies have no skills in being gatekeepers, they have still been entrusted with this role by the SEC. However, for this to be effective the CRAs need to be independent and objective when assessing different securities. In addition, as CRAs are becoming more centralised and embedded into our financial market, it is of great importance that we get this right as the capital market is becoming increasingly complex.

Furthermore, there is both a political importance, through raising capital, and a public importance, as a weakness in the rating agencies' model or behaviour can have worldwide consequences. The MBS and products derived from them, such as CDOs and CDOs squared, are a prime example where credit agencies lost control and got carried away. These products were given an overoptimistic rating where little disclosure/transparency was given as the products became increasingly complicated. No explanation or publication was given with regard to the evaluation of how much weight to allocate to each factor in the methodologies used or the discussions within the rating committee. Thus, when the crisis unfolded, billions of dollars were wiped out from the capital market as CRAs quickly and drastically downgraded billions of dollars' worth of MBS and CDOs.

Moreover, issues arising from conflict of interest, lack of competition, and transparency are among the most criticized factors that contributed to the lack of independence of the CRAs. However, CRAs do not agree that they have lost their objectivity, as they deeply rely on the reputational model, which will deter agencies from overrating products and having conflicts of interest. Thus, they believe that any rating agency that continually overrates products will lose investor confidence and subsequently lose revenue. Nevertheless, this has not been the case, as time and time again CRAs have played an important role in the crises of recent decades, while S&P, Moody's, and Fitch still control most of the rated products worldwide.

Moreover, since the SEC enacted the NRSRO designation in 1975, it has still not deterred CRAs from overestimating products; instead, many commentators have argued that it is a barrier to entry. The intent of the legislation was to approve companies to use these CRAs and their ratings as a standard for regulatory reasons. However, the rating agencies assigned this designation still played a big role in the recent crisis, therefore having worldwide effects when the crisis unfolded. Therefore, the SEC and the EU had to come up with new legislation to improve the legislation in the rating industry, but I believe that they are still inadequate and that SOX 404 will have the most profound and effective outcome since the enactment of the NRSRO in 1975. As our financial markets are built on trust and faith, where CRAs have to be objective and independent, it is crucial that we get this right to improve investor and public confidence.

Nevertheless, as SOX 404 was enacted to help companies with their ICFR, I still believe that it can be used in the rating industry. As CRAs relinquish any type of accountability for their ratings, as they are only opinions, some kind of reform needs to be put in place so that management becomes more involved and accountable in the rating outcome and its effects.

6.2 Recommendations for Further Work

This dissertation has been based on public information only; thus it has been difficult to compare year-on-year costs and benefits from section 404 for specific firms. In addition, as the allocated time is limited, it is necessary to highlight that the current issues of the CRA industry make the report current but also impede an in-depth comparison of different commentators' opinions on the matter. Moreover, section 404 is still being changed to become more effective and efficient, as it has only been around for six years; thus this report is only able to assess the changes up till now.

Nonetheless, the implementation of section 404 needs to be carefully assessed, as there are limitations to implementing it in the rating industry. As the fixed cost of this reform increases disproportionately for smaller firms compared with larger ones, there needs to be a cut-off level where firms earning less than a specific amount in revenue should be exempt. Otherwise the legislation may become anti-competitive. Thus, this part of the legislation is recommended for further research so as to ensure that no unintentional consequences arise.


This study examines the role that the rating agencies played in the recent financial crisis and identifies factors that played a significant part in fuelling the crisis. These factors can be classified as conflict of interest, lack of competition, and transparency. As the rating agencies are increasingly being embedded into regulatory requirements, such as the Basel Accord, it is important to highlight the role they had in creating the hype surrounding the MBS and CDOs. Therefore, an in-depth assessment will be made to see if section 404 of the Sarbanes-Oxley Act can be used for the rating industry as well, so as to improve the disclosure requirements for the rating agencies. As prior reform has focused on improving the conflict of interest and lack of competition, this study will focus on improving the disclosure/transparency requirements of the rating industry, examining both the costs and benefits that have arisen from SOX 404. Based on this methodology I find that SOX 404 can be used to improve the internal controls of CRAs, hence becoming more transparent. However, the issue of cost needs to be carefully assessed against the benefits, as the fixed cost of section 404 becomes disproportionately higher for smaller firms compared to bigger ones.

Appendix 1

Source:, Accessed on: 1st Sep. 2010