Internal Controls:

SEC Should Consider Requiring Companies to Disclose Whether They Obtained an Auditor Attestation

GAO-13-582: Published: Jul 3, 2013. Publicly Released: Jul 3, 2013.

Additional Materials:


Angela N. Clowers
(202) 512-8678


Office of Public Affairs
(202) 512-4800

What GAO Found

Since the implementation of the auditor attestation requirement of the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley Act), companies exempt from the requirement have had more financial restatements (a company's revision of publicly reported financial information) than nonexempt companies, and the percentage of exempt companies restating generally has exceeded that of nonexempt companies. Exempt and nonexempt companies restated their financial statements for similar reasons (e.g., revenue recognition and expenses), and the majority of these restatements produced a negative effect on the companies' financial statements.

Views on the costs and benefits of auditor attestation vary among companies and others. Although companies and others reported that the costs associated with compliance can be significant, especially for smaller companies, GAO's and others' analyses show that these costs have declined for companies of all sizes since 2004. Companies and others reported benefits of compliance, such as improved internal controls and reliability of financial reports. However, measuring whether auditor attestation compliance costs outweigh the benefits is difficult and views among companies and others were mixed as to whether the costs exceeded the benefits of compliance.

A majority of empirical studies GAO reviewed suggest that compliance with the auditor attestation requirement has a positive impact on investor confidence in the quality of financial reports. Some interviewees said the independent scrutiny of a company's internal controls is an important investor protection safeguard. The Securities and Exchange Commission (SEC) does not require exempt companies to disclose in their annual report whether they voluntarily obtained an auditor attestation. SEC officials said it is not common for SEC to require a company to disclose voluntary compliance with requirements from which it is exempt. However, federal securities laws require companies to disclose relevant information to investors to aid in their investment decisions. Although information on auditor attestation status is available to investors, requiring a company to explicitly state whether it has obtained an auditor attestation on internal controls could increase transparency and investor protection.

Why GAO Did This Study

Section 404(b) of the Sarbanes-Oxley Act requires a public company to have its independent auditor attest to and report on management's internal control over financial reporting; this is known as the auditor attestation requirement. In July 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act exempted companies with less than $75 million in public float from the auditor attestation requirement. The act mandated that GAO examine the impact of the permanent exemption on the quality of financial reporting by small public companies and on investors. This report discusses (1) how the number of financial statement restatements compares between exempt and nonexempt companies (i.e., those with $75 million or more in public float), (2) the costs and benefits of complying with the attestation requirement, and (3) what is known about the extent to which investor confidence is affected by compliance with the auditor attestation requirement. GAO analyzed financial restatements and audit fees data; surveyed 746 public companies with a response rate of 25 percent; interviewed regulatory officials and others; and reviewed laws, surveys, and studies.

What GAO Recommends

GAO recommends that SEC consider requiring public companies, where applicable, to explicitly disclose whether they obtained an auditor attestation of their internal controls. SEC responded that investors could determine attestation status from available information. But without clear disclosure, investors may misinterpret a company's status; therefore, this warrants SEC's further consideration.

For more information, contact A. Nicole Clowers at (202) 512-8678 or

Recommendation for Executive Action

  1. Status: Closed - Implemented

    Comments: SEC noted that current Public Company Accounting Oversight Board (PCAOB) standards permit an auditor to include a statement in its audit report when it has not been engaged to opine on internal control over financial reporting. SEC has requested PCAOB to seek comment on whether this optional statement by the auditor should be made mandatory. On August 13, 2013, PCAOB included a question in its proposed amendments to the auditor's reporting model, which asked," "[I]n the situations described in the proposed amendments to existing AU sec. 508, should the Board require, rather than allow, the auditor to include statements in the auditor's report that the auditor was not engaged to examine management's assertion on the effectiveness of internal control over financial reporting and that the auditor does not express an opinion on management's report?"

    Recommendation: To enhance transparency and investor protection, SEC should consider requiring public companies, where applicable, to explicitly disclose whether they obtained an auditor attestation of their internal controls.

    Agency Affected: United States Securities and Exchange Commission


Explore the full database of GAO's Open Recommendations »

Jan 30, 2018

Dec 8, 2017

Dec 7, 2017

Dec 6, 2017

Sep 29, 2017

Sep 12, 2017

Sep 7, 2017

Apr 19, 2017

Mar 29, 2017

Feb 24, 2017

Looking for more? Browse all our products here