We have heard much about the costs of internal controls reporting under SOX 404. Proponents argue that the fraud reduction is worth the costs. One might question this in light of anecdotes like all the missing cash at MF Global (and many other post-SOX securities fraud suits where auditors and executives had signed off on internal controls). But more comprehensive evidence would be helpful.
The latest word on the evidence front is Rice and Weber, How Effective is Internal Control Reporting Under SOX 404? Determinants of the Non-Disclosure of Existing Material Weaknesses. Here’s the abstract:
We study determinants of internal control reporting decisions during the SOX 404 era using a sample of restating firms whose original misstatements are linked to underlying control weaknesses. We find that only a minority of these firms acknowledge their existing control weaknesses during their misstatement periods, and that this proportion has declined over time. Further, the probability of reporting existing weaknesses is negatively associated with external capital needs, firm size, non-audit fees, and the presence of a large audit firm; it is positively associated with financial distress, auditor effort, previously reported control weaknesses and restatements, and recent auditor and management changes. These results provide evidence that detection and disclosure incentives play a role in whether existing material weaknesses are reported, which has implications for the effectiveness of SOX 404 in providing investors with advance warning of potential accounting problems.
There are three remarkable things here.
- The authors study only firms that had internal controls weaknesses to see which reported, reducing the problem of confounding the existence of problems with the weakness of reporting.
- “Only a minority” (32.4%) of these weak-controls firms actually report their weaknesses, despite SOX.
- These firms are least likely to report weaknesses when they most need money. This shouldn’t seem too surprising, because this is when the firm has most incentive to misreport. But if you hoped SOX would be effective in counteracting those incentives, forget about it.
The authors explain on the Harvard blog:
The usefulness of internal control reports in providing advance warning on the likelihood of misstatements in the financial reports is reduced if control weaknesses are not disclosed until after the misstatements themselves are later revealed. * * *
The results of this study make several contributions to the literature. By documenting that SOX 404 reports are not always effective in identifying existing control weaknesses and, further, that the effectiveness has not improved over time, our results lend some support to criticisms of internal control reporting in practice and suggest that recent declines in reported material weaknesses may not be reflective of improvements in underlying control practices, consistent with concerns voiced by the SEC. These results also inform recent debates over the value of requiring control reports to be audited. Despite the audit requirement of SOX 404, our evidence indicates that the majority of restating firms provided no advance warning of the control problems that led to their misstatements. Finally, our results also have implications for future academic research. We document considerable variation in whether existing weaknesses are actually reported and our evidence on the determinants of that reporting should be considered by future research using public disclosures to study internal control practices.
The authors note the caveat that “the generalizability of our results to firms with control weaknesses that do not lead to restatements is unclear. This is particularly true of our results for Big 4 vs. non-Big 4 auditors because of the direct role that auditors play in certifying the reliability of financial statements (and thus in the likelihood of restatement).” They offer the following explanation of the curious negative correlation with Big 4 accountants:
Given previous evidence that larger auditors tend to provide higher quality financial statement audits (see Francis  for a review), larger auditors may be better able to “audit around” control weaknesses and avoid the misstatements that would lead to inclusion in our sample.
The bottom line is that even if internal controls reporting is generally a good idea, this evidence indicates the current approach is failing: it’s not only imposing high costs, but it’s getting low results. One might hope that in light of these results SOX would at least be revised to target mandates where they are most needed. This could happen in a more dynamic regulatory system. But in 2002 Congress locked internal controls reporting in a vault impervious to post-2002 data. The PCAOB can tweak auditors’ obligations, but it can’t change the basic regulatory framework.