Do the Benefits of Small Issuer SOX 404(b) Exemptions Outweigh the Costs? Free

Since its adoption in 2002, many stakeholders have questioned the reasonableness (and fairness) of the additional costs of SOX Section 404 (Part b), which mandates an integrated audit in which the auditor attests to the effectiveness of internal control over financial reporting. Internal control attestation and the consequent additional auditing increase information about internal controls for investors and lead to greater assurance but also lead to a significant increase in audit fees (Kinney, Martin, and Shepardson 2013). Auditors and issuers appear to be in a “tug-of-war” over SOX 404(b) with issuers questioning the number of procedures required and auditors pointing to professional standards (Whitehouse 2006). While Auditing Standard No. 5 (AS5, PCAOB 2007) alleviated several cost concerns, smaller issuers still argue that SOX 404(b) audit compliance costs are too high and deter capital market entry. Consistent with these claims, Weber and Yang (2020) find that smaller issuers close to the threshold prefer to grow through debt rather than equity. Investors are often caught in the middle, with those in favor of the exemptions citing the benefits of spending more company funds on strategic projects (Peirce 2020), and those opposed arguing that investors rely most on internal control audits for the now-exempt issuers (Jackson 2019; Harnoy and Feder 2020; Lee 2020). In this paper, we discuss the potential for overauditing in a credence good framework (based on Levine [2009]) to understand how auditors may, intentionally or not, require disproportionately more work for less influential clients and discuss potential remedies.

It is not surprising that integrated audits of internal controls and financial statements increase audit costs. Integrated audits require auditors to (1) perform and document additional procedures to assess the effectiveness of internal control over financial reporting and (2) when breakdowns in controls are detected, increase the level of auditing to gain a satisfactory level of assurance for the financial statements and internal controls. While the SEC estimates issuers will save approximately $210,000 per year from the exemption (Cooley LLP 2020), some SEC commissioners question these estimates and argue that the increased cost of capital for these issuers will offset the cost savings (Lee 2020). High costs alone are not a reason to eliminate regulation—only high costs without commensurate benefits.

The empirical and descriptive literature about the benefits of SOX 404(b) is mixed on the net effects.¹Engel, Hayes, and Wang (2007) and Leuz, Triantis, and Wang (2008) argue for net costs due to delistings and going dark, whereas Ge, Koester, and McVay (2017) find that shareholders of smaller issuers with ineffective internal controls lose far more than they gained following exemptions.² Michael Oxley, co-sponsor of SOX, remarked, “I would have initially had more of a scaled-down provision that would have treated smaller companies differently from the larger, Fortune 500 companies” (Quick 2012).

It is also likely that investors are not of one mind on the role of and need for internal control attestation. Some investors may prefer to impute the risk of misstatement, given a SOX 404(b) exemption, into their valuation, while others prefer that regulations protect them from such risk.

The task of considering the needs of all investors in determining exemption criteria is indeed a difficult one. In March 2020, the SEC adjusted the definitions of accelerated and large accelerated filers such that “smaller reporting companies” (SRCs) that are also accelerated filers are now exempt from SOX 404(b), consistent with the “emerging growth companies” (EGCs) exemption created by the JOBS Act of 2012 (SEC 2020a, 2020b). The SEC decided to move forward in an effort to incentivize small issuers to go (or stay) public amid the unfolding pandemic. While auditing practitioners, academics, and some SEC commissioners voiced concern that this action continues a recent trend toward dismantling SOX-era regulations (Honigsburg and Rajgopal 2019; Jackson 2019; Johnson 2020), concerns over excessive audit procedures or fees relative to their benefits provided strong motivation for expanding exemptions (Cooley LLP 2020; Peirce 2020). Commissioner Peirce described her ideal world as one in which SOX 404(b) was optional (Peirce 2020). The purpose of this paper is to inform the debate and highlight some overlooked attributes of SOX 404(b) that may be relevant to the SEC when considering further regulatory action.

Our summary begins with the representation of SOX 404(b) attestation as a credence good, following Levine (2009). A credence good is a type of good or service with qualities that cannot be observed by the consumer after purchase. This makes it difficult for the consumer to determine “how much” of the service they want or need.

Consider a sleep apnea patient whose doctor recommends a surgical procedure to remove extraneous tissue causing the apnea, but the patient has read that losing weight, quitting smoking, or using a CPAP machine at night are all non-invasive and effective treatments. Since the patient is not a medical professional, he cannot accurately assess the best treatment—and the best treatment may indeed be corrective surgery. But, it is also possible that the doctor and the patient weigh the costs and benefits of each approach differently. In an audit, there is always residual risk, and the amount that the client and the auditor are willing to bear can differ. Even after the audit, the actual level of assurance achieved cannot be perfectly known (O'Keefe, Simunic, and Stein 1994; Knechel, Rouse, and Schelleman 2009), but the auditor and client must come to agreement on the scope and cost of the integrated audit.

Issuers have lobbied the SEC for years, complaining that internal control audit costs are too high (Accounting Today 2007; Radin and Katowitz 2016). They argue that auditors perform more assurance tests than are necessary for their risk level, which we refer to as “overassessment” or “overauditing” (Accounting Today 2007). Even if these issuers are correct and SOX 404(b) costs are high due to overassessment (rather than appropriate levels), size-based exemptions may be too simplistic. Using the model's framework, we discuss how the relative importance of the client, not absolute size, may be the characteristic of greater concern vis-à-vis overassessment.

Internal control attestations are rife with information asymmetry. Issuers cannot perfectly determine whether they have deficiencies (and thus need incremental auditing to achieve an appropriate level of assurance), nor can they assess whether their auditor is providing the most appropriate remedy. These characteristics put internal control audits in a class of services called “credence goods.”

Other examples include medical treatment, computer maintenance, and automobile repair, where clients are at a severe information disadvantage relative to experts. CBS News (2016) found that computer experts repeatedly provided an incorrect diagnosis of a hardware failure with a considerably higher price for repair/replacement. In an audit setting, issuers may be satisfied with their current internal control systems (even if they are deficient), but they are unlikely to know either (1) the acceptable range in applying the standard against which their internal controls are judged or (2) the extent of additional audit procedures required for an appropriate level of audit confidence. While Bedard and Graham (2011) find that issuers detect fewer control failures and assign lower severity scores to internal control problems than auditors, the credence good model predicts that because the auditor both provides the service and acts as the expert, the levels of treatment may be suboptimal (Levine 2009; Causholli and Knechel 2012).

Although we cannot find an explicit claim that auditors deliberately find internal control deficiencies where none exist, it has been suggested that auditors are taking an excessively risk averse and revenue-enhancing approach to internal control audits.³ While public issuers generally have strong internal control systems, particularly over material events, SOX 404(b) issuers must provide significant documentation and implement more automated controls to meet the threshold needed for an internal control audit. A CFO may feel “overaudited” if the auditor requires a level of documentation higher than the CFO believes is necessary, additional tests to audit around internal controls that do not meet the auditor's satisfaction, or additional shadow forensic work.

While internal control auditing shares some characteristics with common credence goods, it also differs in two important ways. Patients who seek a medical opinion are typically able to (1) seek a second opinion and (2) decide whether to get treatment. There are no opportunities for ex ante second opinions without switching auditors, and non-diagnosis and/or non-treatment is not an option for public companies, which may create inefficiencies in the market for audit services. If the issuer wants a second opinion, it must switch auditors and incur switching costs, as it must still have a complete audit of financial statements and internal controls plus any intangible costs from switching.

Levine (2009) assumes the auditor maximizes the expected profits from the combined audit, subject to the possibility that the client (issuer) switches auditors in response to excessive fees. Alternatively, the auditor's motive may be to minimize their audit risk and expected legal liability. In a one-shot game, where the auditor and its client have only one interaction, the auditor has incentives to conservatively assess the internal control problem and require extra procedures. While the auditor views the assessment as in-line with their risk tolerance, it is overauditing from the perspective of the issuer and regulators because fair assessment would not factor the additional risk of a one-period client into the audit procedures.

Shifting to a more likely setting, the current auditor expects to interact with the client not only in the current period but also in the future, earning future fees over the life of the relationship. Therefore, we shift to Levine's (2009) more complete model that incorporates the value of incumbency. When the auditor considers the stream of future cash flows that would be lost, should the client switch to another auditor, the auditor has a correcting mechanism similar to second opinions in other credence goods. The result: the more valuable the client, the less overassessment. If the future benefits are extremely high, they can eliminate excess auditing, or levels of auditing at which costs exceed the benefits. In a framework where internal control audits have the properties of credence goods, the likelihood of overassessment depends on the client's incumbency value, which is a combination of the size of the client relative to the size of the auditor, rather than the client's size alone.

Unintentional overauditing can occur on less important clients that share an audit partner's attention with higher priority clients if audit planning and oversight are shifted to less experienced professionals. These less experienced auditors tend to do more, not less; without an attentive partner making the determination of sufficiency, the audit team may gather more evidence than is strictly necessary. PCAOB oversight further motivates a conservative approach. First, issuer size is only one of many risk factors determining the audits selected for inspection (CAQ 2012). Second, auditors tend to be more risk averse than other professionals in the room. In the case of legal action around audits, auditors are likely to ask for investigative or forensic accounting procedures that the (legal) investigative team may consider to be unnecessary or excessive and that actually could have significant budgetary implications for the client (Moritz 2020).

By expanding size-based exemptions, the SEC's newest amendment will likely reduce some overassessment, but could also result in fewer detections of inaccuracies. Are there alternatives to size exemptions that could lessen the overassessment problem without creating an offsetting decrease in error detection? In this section, we consider some common solutions proposed to alleviate audit market concerns.

The PCAOB is uniquely positioned to observe overassessment as it inspects whether audits meet generally accepted auditing standards. While its focus is naturally on audit firms that do too little, it recognized the importance of audit efficiency and effectiveness in its passage of AS5, which streamlined the original Auditing Standard No. 2 approach to the integrated audit (PCAOB 2007). The recent changes expanding small issuer exemptions more than a decade after AS5 provide prima facie evidence the PCAOB could do more to incorporate review for overauditing directly into its protocols. In reality, the PCAOB likely prefers overassessment within a certain acceptable range. Chairman McDonough of the PCAOB commented:

If the PCAOB could perfectly monitor overassessment, it would eliminate audit incentives to overassess (Levine 2009), but perfect monitoring is not realistic. Even small gaps in monitoring lead to a prediction of overassessment (Levine 2009), so an increase in monitoring alone is not a viable policy intervention to remedy the problem for lower incumbency value clients.

Auditor rotation is often suggested as a solution to audit market problems, although there are mixed results on its expected effectiveness (e.g., J. Myers, L. Myers, Palmrose, and Scholz 2005; Bowlin, Hobson, and Piercey 2015).⁴ Similar to size-based exemptions, Levine (2009) suggests time-based rotations would not unambiguously lead to more fair assessments because it is the relative importance of the client to the auditor and the length of the future relationship, not the length of the past relationship, that creates a disincentive for overassessment. If the client is more important to its current auditor than the future auditor, then rotation would increase the degree of overassessment. Shortening the duration of the auditor/client relationship may also increase overassessment because the value of retaining the client decreases.

With four firms holding so much market share, breaking up the largest firms is often a suggested regulatory solution. This solution is most closely connected to the model in Levine (2009), because splitting up a firm will directly change the importance of a client. That said, large audit firms have economies of scale in auditing. Insofar as breaking up an auditor might improve a client's relative importance and reduce overassessment costs, it would also make the auditor less efficient and lead to a more than commensurate increase in the costs of auditing. Regulators in the UK are experimenting with a related approach, as the Big 4 will be required to operationally isolate or “ring fence” their audit practices by 2024 (Trentmann 2020). While overassessment is not the motivator in the UK case, it shares similar contradictory predictions. Proponents point to the growing importance of the audit client to the individual partner as generally improving audit quality, but opponents cite concerns over lost economies of scale and lost knowledge spillovers from the separation of audit and non-audit services (Trentmann 2020). Whether the benefit of reduced overassessment from smaller audit partner portfolios is outweighed by the increased costs of auditing and potentially lower quality is an empirical question.

As each policy solution introduces its own unintended consequences, it follows that regulators, practitioners, and academics likely want to consider a combination of policy interventions, which may include expanded exemption, to resolve concerns over the negative economic consequences of SOX 404(b) for smaller issuers.

In this paper, we introduce a credence good model of internal control auditing to evaluate SEC exemptions from SOX 404(b) audits. While the SEC rules have used issuer market capitalization and revenues as the primary mechanisms to identify small issuers for whom SOX 404(b) compliance costs are particularly onerous, there are many academics, investors, and practitioners who express disagreement with the decision to expand exemptions for these issuers. We highlight a limitation of size as a criterion for exemption. Under the credence good model, smaller issuers are at higher risk for overassessment by large auditors because the low expected value of future fees does not adequately restrain the auditors from overauditing to minimize their audit risk and expected litigation liability. In contrast, the fear of losing an important client encourages auditors to provide a more balanced assessment of services necessary as future fees offset those potential costs. It is not absolute size, but instead relative size, that deters overassessment (Levine 2009).

We examine whether three commonly offered regulatory solutions could better solve the tendency to overassess than size exemptions. Auditor rotation will not address either compliance costs or overassessment because time-based rotation does not consider the importance of the small company to the new audit firm. While increased monitoring and splitting up audit firms emerge as potential solutions, each has unintended consequences, suggesting a combination of solutions would be needed to address the problem of overassessment. Regulators could leverage practitioners and academics to identify a combination of policies that will better balance SOX 404(b) compliance costs for smaller issuers with the benefits of SOX 404(b) for their current and potential investors and creditors.