A Question on SOX Compliance Costs
Brace yourselves, SOX compliance professionals! A new government report finds that Sarbanes-Oxley compliance costs are generally higher for large public companies, but more onerous for smaller ones — confirming what everyone in the field has already known for, like, the last 20 years.
The report was released by the U.S. Government Accountability Office last Friday. Its stated purpose was to study companies' cost of compliance with Section 404 of the Sarbanes-Oxley Act, which comes in two parts: Section 404(a), which requires management of every publicly traded company to assess the effectiveness of its internal controls over financial reporting; and Section 404(b), which requires larger companies (accelerated and large accelerated filers) also to obtain an independent auditor's attestation of those internal controls.
For SOX compliance folks who follow this stuff closely, however, the findings are little more than a blinding glimpse of the obvious, documented year after year after year.
First is the cost discrepancy between larger public companies (those with a market cap above $250 million) and smaller ones (those with market caps below $250 million). Larger companies tend to pay higher SOX compliance costs in absolute dollars, because they have larger and more complex operations. Smaller companies, however, face higher SOX compliance costs as a percentage of assets, because their financial processes tend to be less robust, which forces their audit firms to do more testing.
Or, as the GAO report said:
Larger companies, with more extensive resources, were able to develop more sophisticated internal control systems, which reduced audit procedures and costs for auditors. In contrast, auditors of smaller companies may need to perform more extensive internal control testing, resulting in higher fees.
This is not news. Firms such as Protiviti and Audit Analytics documented that trend 20 years ago, as companies first started grappling with SOX compliance. Compliance costs, whether measured as a percentage of revenue, of assets, or of any other normalizing figure, have always been more expensive for smaller companies.
Second is the sudden surge in audit fees that small public companies tend to see as they approach the threshold to comply with Section 404(b), which is defined as having a public float (the market value of shares held by non-affiliates) of $75 million or greater. A company realizes that it will soon no longer be exempt, and implements a raft of internal control changes so it can pass those 404(b) audits. That causes a run-up in costs before the "transition year," an even larger increase in the actual transition year, and then smaller but consistent fee increases in the post-transition years.
How large is that surge, exactly? The GAO studied the SOX compliance costs for 96 companies that crossed the 404(b) threshold from 2019 to 2023, and came up with Figure 1, below.

Source: GAO
OK, but the run-up in audit fees as Section 404(b) approaches is another well-documented phenomenon. Plus, the GAO itself says that while the data in Figure 1 is interesting, “Our analysis, while useful for understanding compliance costs, is not generalizable to the population of U.S.-based public companies.”
So Why Did the GAO Do This Study at All?
That’s a good question. Presumably the GAO undertook this study at the request of Republicans in Congress — Rep. Ann Wagner, chair of the House Subcommittee on Capital Markets, is the named recipient of the report — as some sort of prelude to legislation Republicans will introduce sooner or later to reduce or roll back SOX compliance requirements.
To be clear, I’m not aware of any specific legislation in Congress right now to reduce SOX compliance burdens, but the idea is never far from Republicans’ hearts. Just last month Wagner’s committee held a hearing on SOX compliance costs. Republicans have complained about the costs of SOX compliance pretty much since they enacted the Sarbanes-Oxley Act in 2002.
Moreover, the Securities and Exchange Commission is the agency with primary oversight of SOX compliance, and SEC chairman Paul Atkins has harped about SOX compliance costs at least since 2005. So it’s not a question of whether Republicans will make some sort of move to roll back SOX compliance, but when, and in what form.
Would a SOX Compliance Rollback Help Companies?
That might seem like another good question, but really it isn't; it shoehorns too many disparate concerns into seven words when there simply isn't enough room for them all.
For example, we first need to define exactly how a SOX compliance rollback would “help” companies. One answer is that a rollback would reduce costs, but it’s not clear that rolling back SOX compliance burdens actually would reduce costs to any significant degree.
The plain truth is that modern business processes and IT systems are so enmeshed with systems of internal control over financial reporting that a company can't easily disentangle the two threads just to snip one of them. Even if Republicans do roll back SOX compliance requirements, companies will still need to maintain those systems and processes, because that's what makes the business run.
Or, as the GAO study put it, “Internal compliance costs may be difficult to disaggregate from other company expenses because resources and technology often serve purposes other than Section 404 compliance.”
That point is also true even when we’re talking specifically about Section 404(b), the requirement for an external audit of internal control over financial reporting (ICFR). Today just about all companies undergo an integrated audit of both financial statement accuracy and ICFR. The two can’t easily be torn asunder because audit firms need to understand the effectiveness of a company’s ICFR so the firms can offer an accurate opinion of the company’s financial statements.
Again, the GAO: “Similar to internal costs, Section 404(b)-related external audit fees largely cannot be disentangled from total external audit fees.”
On the other hand, the risk of higher costs due to lower SOX compliance standards is substantial.
This is the part Republicans never like to talk about: if we weaken the rules for ICFR, that increases the chance of accounting fraud, financial restatements, material weaknesses in the company's corporate reporting, and other missteps — missteps that, if they happen, bring much higher costs than SOX compliance burdens ever do.
That’s another dimension of SOX compliance (or the lack thereof) that’s been documented time and again over the years, from voices such as Audit Analytics, the Center for Audit Quality, and even the SEC. Companies that don’t have strong financial processes, or that are exempt from audits of ICFR, tend to experience more trouble with restatements and fraud and higher costs of capital when they seek investment from the markets.
So do we want to reduce the annual, well-defined SOX compliance costs borne by all, in exchange for the greater risk of more expensive accounting disasters suffered by the few? Because that’s the trade-off here. It doesn’t sound like good investor protection to me — so don’t be surprised if Republicans lunge for it with both hands.