Internal Controls: SEC Should Consider Requiring Companies to Disclose Whether They Obtained an Auditor Attestation

What GAO Found

Since the implementation of the auditor attestation requirement of the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley Act), companies exempt from the requirement have had more financial restatements (a company's revision of publicly reported financial information) than nonexempt companies, and the percentage of exempt companies restating generally has exceeded that of nonexempt companies. Exempt and nonexempt companies restated their financial statements for similar reasons (e.g., revenue recognition and expenses), and the majority of these restatements produced a negative effect on the companies' financial statements.

Views on the costs and benefits of auditor attestation vary among companies and others. Although companies and others reported that the costs associated with compliance can be significant, especially for smaller companies, GAO's and others' analyses show that these costs have declined for companies of all sizes since 2004. Companies and others reported benefits of compliance, such as improved internal controls and reliability of financial reports. However, measuring whether auditor attestation compliance costs outweigh the benefits is difficult and views among companies and others were mixed as to whether the costs exceeded the benefits of compliance.

A majority of empirical studies GAO reviewed suggest that compliance with the auditor attestation requirement has a positive impact on investor confidence in the quality of financial reports. Some interviewees said the independent scrutiny of a company's internal controls is an important investor protection safeguard. The Securities and Exchange Commission (SEC) does not require exempt companies to disclose in their annual report whether they voluntarily obtained an auditor attestation. SEC officials said it is not common for SEC to require a company to disclose voluntary compliance with requirements from which it is exempt. However, federal securities laws require companies to disclose relevant information to investors to aid in their investment decisions. Although information on auditor attestation status is available to investors, requiring a company to explicitly state whether it has obtained an auditor attestation on internal controls could increase transparency and investor protection.

Why GAO Did This Study

Section 404(b) of the Sarbanes-Oxley Act requires a public company to have its independent auditor attest to and report on management's internal control over financial reporting; this is known as the auditor attestation requirement. In July 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act exempted companies with less than $75 million in public float from the auditor attestation requirement. The act mandated that GAO examine the impact of the permanent exemption on the quality of financial reporting by small public companies and on investors. This report discusses (1) how the number of financial statement restatements compares between exempt and nonexempt companies (i.e., those with $75 million or more in public float), (2) the costs and benefits of complying with the attestation requirement, and (3) what is known about the extent to which investor confidence is affected by compliance with the auditor attestation requirement. GAO analyzed financial restatements and audit fees data; surveyed 746 public companies with a response rate of 25 percent; interviewed regulatory officials and others; and reviewed laws, surveys, and studies.