Notice & Comment

About That $91,000: A Cautionary Tale About the Paperwork Reduction Act of 1980 and Section 404 of the Sarbanes-Oxley Act of 2002, by Yoon-Ho Alex Lee

In 2002, after a series of accounting scandals involving Enron and WorldCom, Congress swiftly passed the Sarbanes-Oxley Act in an effort to restore investors’ confidence in the market. The passage of the Sarbanes-Oxley Act was a watershed moment in U.S. financial history, and Section 404—requiring management assessment and auditor attestation of internal controls of financial reporting—is the most contested and expensive provision within the Act. Since the passage of the Act, an army of academic scholars have studied the various economic effects of Section 404, relying on sophisticated event study designs. Thanks to these studies, we now know a great deal about Section 404, even though scholars continue to debate about the provision’s overall welfare implications. 

Less well-known, however, is the administrative history of Section 404—namely, the experience of the U.S. Securities and Exchange Commission (SEC) in implementing Section 404. Twenty years ago, when the SEC set out to implement Section 404 provisions as rules, the agency came up against a novel set of challenges: it confronted a number of administrative questions of first impression. The variety of issues the SEC had to wrestle with presaged larger administrative issues the agency would go on to address in the coming decades. In fact, many of the challenges and the conundrums presented by Section 404 rules were not fully appreciated until those issues surfaced again in subsequent statutes, such as the Dodd-Frank Act of 2010 and the JOBS Act of 2012. But it was the Sarbanes-Oxley Act—and Section 404 in particular—that really forced the agency to deliberate on a number of thorny issues and prepared the agency for more storms to come. In this sense, Section 404 left behind an indelible administrative legacy for the SEC. In my forthcoming article, I discuss Sarbanes-Oxley Section 404 and the administrative legacy its implementation history has had on the SEC. For the readers of the Notice & Comment blog, I wanted to highlight just one aspect of the SEC’s experience: a cost estimate that almost cost the agency its credibility.

One story that is repeated countless times in the lore of Section 404 is that at the time the SEC adopted the rules, the agency estimated Section 404 compliance costs to be approximately $91,000 per firm.[1] This number was heavily criticized by many as grossly underestimating the true costs associated with Section 404.[2] Critics of the SEC would routinely cite this number as evidence that the SEC had no idea just how costly complying with Section 404 was.[3] In my Article, I devote a section to discussing how the SEC might have arrived at the number $91,000, which I include in this post.

Despite the notoriety this figure has gained, few scholars seem to have examined the SEC’s basis for arriving at this figure. Several things are worth noting here. First, in arriving at $91,000, the SEC never purported to include Section 404(b) costs—the far more expensive provision. Thus, the $91,000 pertains only to Section 404(a) costs. The SEC’s 2003 Section 404 Rule Release actually stresses this point in three separate places.[4] This means, for instance, that $91,000 should not be compared to the actual audit fees (which pertain exclusively to Section 404(b) compliance). Second, it is not even clear if the SEC ever intended to capture all of Section 404(a) compliance costs with this figure (although one could certainly get that sense from reading the cost discussion). The reason is that the $91,000 estimate was prepared solely for the purposes of assessing the paperwork burden hours associated with Section 404(a).[5]

To understand the significance of this estimate and its inclusion in the 2003 Section 404 Rule Release, one has to understand the requirements of the Paperwork Reduction Act of 1995 (PRA).[6] Congress enacted the PRA in 1980 (and amended it in 1995) with an express intent of reducing the amount of paperwork burden the federal government imposes on private businesses and citizens.[7] From the outset, the PRA was not focused on the efficiency of administrative actions or even overall regulatory costs. It was primarily concerned with making sure that each agency is mindful of the hourly burdens it would impose in collecting information from the public (including citizens and businesses). For this reason, when an agency proposes a rule that requires paperwork burdens on any entity (including individual income tax returns), as a housekeeping matter, it must include its estimate of paperwork burden hours and costs in the rule proposal, collect public evaluations and comments regarding its initial numbers, and submit the revised estimates to the OMB for approval.[8] Importantly, an agency may not enforce the collection of information unless it checks all the boxes.[9] The rulemaking agency also must make sure to file updated paperwork burden estimates every three years.[10]

Put differently, even if the SEC had no statutory requirement to consider the economic effects of its rules, it must still include PRA cost estimates for the purpose of getting OMB approval. It is noteworthy that the PRA does not provide any cause of action against the agency on the ground that the agency made errors on its estimate.[11] The most that can happen is that if the OMB does not approve it, the agency is unable to enforce the regulation.[12]

What types of costs, then, would not be included in the SEC’s paperwork burden estimate? Given that the SEC calculated the paperwork burdens by estimating hourly burdens of preparing paperwork multiplied by wage estimates,[13] its cost estimate would not include non-labor costs. These can include: travel costs, lodging, meals, as well as costs needed to purchase any equipment, software, hardware, or any other supplies. 

But that’s not all. Long before Section 404 arrived on the scene, there was already Section 13(b)(2) of the Exchange Act, which was enacted by Congress in 1977. In the 2003 Section 404 Rule Release, the SEC clarified in a number of places that its definition of “internal control over financial reporting” (ICFR) is “consistent with the description of internal accounting controls in Exchange Act Section 13(b)(2)(B).”[14] The Release also compared the Section 404 requirements against Section 13(b)(2) by citing the Commission’s interpretive release from 1981: 

We have previously stated, as a matter of policy, that under Section 13(b)(2) “every public company needs to establish and maintain records of sufficient accuracy to meet adequately four interrelated objectives: appropriate reflection of corporate transactions and the disposition of assets; effective administration of other facets of the issuer’s internal control system; preparation of its financial statements in accordance with generally accepted accounting principles; and proper auditing.”[15]

In other words, under the SEC’s interpretation, the requirement for issuers to maintain effective ICFR was already in place. The SEC’s Office of Economic Analysis’ 2009 Study on Section 404 states this point more explicitly: “Section 13(b)(2) of the Exchange Act requires companies to maintain effective ICFR, while Section 404 requires management to report on the effectiveness of ICFR.”[16]

Given the agency’s interpretation of Section 13(b)(2) in the 2003 Section 404 Rule Release, one conclusion is that any cost associated with maintaining effective ICFR, however costly, should not be attributed to Section 404, as it should count as the cost of complying with Section 13(b)(2). Accordingly, the cost of complying with Section 404(a) should only recognize the cost of reporting on the effectiveness of ICFR—conditional on the firms’ having plans and procedures in place to maintain effective ICFR. Once again, the OEA’s 2009 Study iterates this point: “From this perspective, Section 404 cost estimates that include the ICFR maintenance expenses overestimate the cost of compliance with Section 404—by including more than just the cost of reviewing ICFR and preparing the mandated disclosures.”[17]

The SEC’s PRA estimate, then, should be understood on its own terms. It is the estimated hourly-burden cost of complying with Section 404(a) for the purpose of reporting on the effectiveness of ICFR, above and beyond the cost of maintaining effective ICFR and not including any non-labor costs. To the best of the author’s knowledge, no study criticizing the SEC’s estimate has ever tried to assess this value independently. 

None of this is intended to suggest there is any intrinsic value to calculating $91,000 from the perspective of the industry or the general public. Indeed, $91,000 is admittedly a useless figure in just about every aspect except one: unless the SEC gets OMB approval after including this number in the Rule Release, it will not be able to enforce its Section 404 rules. 

But then how was it that the SEC did not have to include the PRA estimates for Section 404(b)? On this point, the 2003 Rule Release states as follows: 

Our PRA estimates do not include any additional burdens or costs that a company will incur as a result of having to obtain an auditor’s attestation report on management’s internal control report because the [Public Company Accounting Oversight Board], rather than the Commission, is responsible for establishing the attestation standards and the Sarbanes-Oxley Act itself requires companies to obtain such an attestation.[18]

To understand the SEC’s argument, it helps to examine the actual text of Section 404. There is an important difference between Section 404(a)’s language and Section 404(b)’s language: the former requires the SEC to adopt a rule, while the latter is a direct statutory requirement on issuers’ auditors.[19] Thus, the SEC appears to be reasoning as follows: although management assessment is a burden requirement that stems from the SEC’s own rule (even though the agency was required to adopt the rule), the attestation requirement comes directly from the statute. In other words, the agency is not imposing any paperwork burden under Section 404(b), only Congress and PCAOB are. Accordingly, the agency does not need to calculate PRA burden estimates in order to enforce Section 404(b). 

A few observations. First, the SEC’s reason here is at least consistent with its reason for not including the cost of complying with Section 13(b)(2) into the compliance costs for Section 404(a). Second, this nuanced division is a preview of the critical distinction between statutorily-mandated component costs and discretionary component costs the agency would come to emphasize in later years. The take-away here is that the context in which these figures are provided should matter, even if the figures are ultimately not the most important ones from the industry’s or the general public’s perspective. 

At any rate, the SEC seems to have learned its lesson that including the PRA estimate as the only quantified value in the discussion of compliance costs can be misleading. The agency has since made a few adjustments. First, the agency’s 2012 Guidance on Economic Analysis makes the following point:

[PRA] burdens do not necessarily characterize all compliance costs and in most cases, they are only one of many possible inputs, both qualitatively and quantitatively, into the overall analysis of costs. With most rules, the cost estimate that results from multiplying PRA burden-hours by hourly wage rates is not substitutable for the broader analysis of a rule’s likely economic consequences contained in the release’s economic analysis.[20]

Second, the SEC’s more recent rules began explicitly distinguishing between paperwork-burden components and non-paperwork-burden components of compliance costs, and when possible, the SEC also gives numerical estimates of the non-paperwork-burden components of compliance costs.[21] Third, the 2012 Guidance on Economic Analysis also emphasizes the importance of specifying the economic and regulatory baseline in considering costs and benefits.[22]

Were the SEC to conduct an economic analysis of Section 404 today, its analysis would likely look different in a number of ways. First, it would likely make clear that the Commission is considering compliance costs against the baseline of Section 13(b)(2) and thus would not include the issuers’ costs of maintaining effective ICFR as part of the compliance cost owing to Section 404. Second, it would likely also distinguish between PRA costs and non-PRA costs within Section 404 compliance cost. Finally, it may choose to separately consider the cost of complying with Section 13(b)(2) as a possible economic cost of Section 404, with a caveat that this figure would apply only to the extent issuers have not already been complying with it. Notwithstanding all of these differences, it is unclear whether the agency’s PRA estimate for Section 404(a), if calculated today, should look much different from $91,000 (save for an inflation adjustment). 

Yoon-Ho Alex Lee is Professor of Law at Northwestern Pritzker School of Law and Director of Northwestern University Center on Law, Business, and Economics. This post draws substantially from the author’s forthcoming piece titled “Sarbanes-Oxley Section 404 and Its Administrative Legacy.”


[1] Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Rel. No. 33-8238, 68 Fed. Reg. 36,635 (June 18, 2003) [hereinafter “2003 Section 404 Rule Release”].

[2] See, e.g., Joseph A. Grundfest & Steven E. Bochner, Fixing 404, 105 Mich. L. Rev. 1643 (2007) (criticizing the SEC’s $91,000 for being too low); Yousef Jahmani & William A. Dowling, The Impact of Sarbanes-Oxley Act, 6 J. Bus. & Econ. Res. 57 (2008) (same); Frank H. Easterbrook, The Race for the Bottom in Corporate Governance, 95 Va. L. Rev. 685 (2009) (same); Ronald E. Giordano, Enabling Efficient Small and Midcap Sarbanes-Oxley § 404 Compliance—Check the (Sar)Box, 4 Int’l J. Discl. Gov. 42 (2007) (same); Anwer S. Ahmed et al., How Costly is the Sarbanes-Oxley Act? Evidence on the Effects of the Act on Corporate Profitability, 16 J. Corp. Fin. 352 (2010) (same).

[3] See, e.g., Paul P. Arnold, Give Smaller Companies a Choice: Solving Sarbanes-Oxley Section 404 Inefficiency, 42 U. Mich. J.L. Reform 931 (2008-2009) (same); Charles W. Murdock, Sarbanes-Oxley Five Year Later: Hero or Villain, 39 Loy. U. Chi. L.J. 525 (2007-2008) (same).

[4] 2003 Section 404 Rule Release, supra note 1, at 36,657 nn.169 & 174. 

[5] Id. at 36,657 (“Using our PRA burden estimates, we estimate the aggregate annual costs of implementing Section 404(a) of the Sarbanes-Oxley Act to be around $1.24 billion”).

[6] 44 U.S.C. §§ 3501–3521. 

[7] See id. at §3501 (“The purposes of this chapter are to . . . minimize the paperwork burden for individuals, small businesses, educational and nonprofit institutions, Federal contractors, State, local and tribal governments, and other persons resulting from the collection of information by or for the Federal Government . . . .”).

[8] 44 U.S.C. §3507(a).

[9] See id.

[10] See Section 3507(g) and Section 3507(h) of the Paperwork Reduction Act of 1995, Pub. L. No. 104-13, 109 Stat. 176 (codified at U.S.C. §§ 3507(g)-(h)).

[11] See, e.g., Sutton v. Providence St. Joseph Med. Ctr., 192 F.3d 826, 844 (9th Cir. 1999) (“[The PRA] authorizes its protections to be used as a defense. [It] does not authorize a private right of action.”).

[12] See id.

[13] See 2003 Section 404 Rule Release, supra note 1, at 36,655 (“We calculated the burden by multiplying the estimated number of affected responses by the estimated average number of hours that management will spend conducting its assessment of the company’s internal control over financial reporting and preparing the related disclosure.”).

[14] See id. at 36,640, 36,647 (“The concept of reasonable assurance is built into the definition of internal control over financial reporting that we are adopting. This conforms to the standard contained in the internal accounting control provisions of Section 13(b)(2) of the Exchange Act.”).

[15] See id. at 36,643 n.76 (citing Statement of Policy Regarding the Foreign Corrupt Practices Act of 1977, Release No. 34-17500, 46 Fed. Reg. 11,544 (Jan. 29, 1981)).

[16] Office of Economic Analysis, U.S. Sec. & Exch. Comm’n, Study of the Sarbanes-Oxley Act of 2002 Section 404 Internal Control over Financial Reporting Requirements 12 (2009), http://www.sec.gov/news/studies/2009/sox-404_study.pdf [hereinafter “2009 Study”].

[17] Id. at 13.

[18] 2003 Section 404 Rule Release, supra note 1, at note 169 (emphasis added).

[19] Section 404(a) specifies “[t]he Commission shall prescribe rules requiring each annual report . . . to contain an internal control report, which shall contain . . . an assessment . . . of the effectiveness of the internal control structure . . . ,” while Section 404(b) reads “[w]ith respect to the internal control assessment required by subsection (a), each [issuer’s auditor] shall attest to . . . the assessment made by management of the issuer.” Section 404 of the Sarbanes-Oxley Act of 2002 (emphases added).

[20] See U.S. Sec. & Exch. Comm’n, Current Guidance on Economic Analysis in SEC Rulemakings 11 n.32 (Mar. 16, 2012), available at http://www.sec.gov/divisions/riskfin/rsfi_guidance_econ_analy_secrulemaking.pdf [hereinafter “2012 Guidance on Economic Analysis”].

[21] See, e.g., Regulation Systems Compliance and Integrity, Rel. No. 34-73639, 79 Fed. Reg. 72,251, 72405-06 (December 5, 2014) (“[T]he Commission has quantified non-paperwork related costs for SCI entities that total between approximately $14 million and $106 million in initial costs and between $9 million and $70 million in annual ongoing costs.”).

[22] See 2012 Guidance on Economic Analysis, supra note 20, at 7 (“The baseline includes both the economic attributes of the relevant market and the existing regulatory structure, including (where relevant) state law.”).
