(b) Internal Control Evaluation and Reporting. With respect to the inter-
nal control assessment required by subsection (a), each registered public
accounting firm that prepares or issues the audit report for the issuer
shall attest to, and report on, the assessment made by the management
of the issuer. An attestation made under this subsection shall be made in
accordance with standards for attestation engagements issued or
adopted by the Board. Any such attestation shall not be the subject of a
separate engagement.”What does Section 404 mean for business? ......................................
Section 404 requires that companies build up an internal control system that
is checked by the CEO and CFO, and then by an external auditor. The control
system should guarantee that the closing accounts are correct and should
also have built-in checks to prevent fraud. A company’s internal access con-
trols and process controls must be able to spot inconsistencies. Many com-
panies are choosing to automate their processes to help them monitor for
fraud. The human element is, unfortunately, not a guarantee of consistently
clean information.Although Section 404 can be summed up in a few words, it is no lightweight.
According to University of Austin, Texas business law professor Robert A.
Prentice, in his forthcoming article, “Sarbanes-Oxley: The Evidence Regarding
the Impact of Section 404,” in the Cardoza Law Review, “whether SOX will ulti-
mately be considered a success or not depends on the legacy of 404.” Section
404 also has the loudest detractors and supporters. For more information,
see the “The cases for and against Section 404” sidebar in this chapter.Chapter 4: How Sarbanes and Oxley Changed Our Lives 97
The cases for and against Section 404
Supporters of 404 believe that to avoid fraud and
improve investor confidence, companies must
have good internal controls and independent
audits. The reports produce clean information
for the capital markets. Companies with poor
internal controls tend to have more risk. The
benefits of 404 — better gatekeeping, clean
information, less risk — far outweigh the nega-
tives. Since the implementation of SOX in 2002,
no major domestic corporate scandals (except
for backdated ones) have occurred. In other
words, 404 and its SOX counterparts are doing
the job they were meant to do.
Detractors believe the costs of 404 outweigh the
benefits. Direct costs of 404 implementation
have far exceeded expectations. A major factor
has been the increased audit fees. These costs
are especially burdensome for small compa-
nies. Companies are either choosing to list on
the London and Frankfurt Stock Exchanges
instead of in New York to avoid the regulations,
or they are choosing to go private. Foreign firms
are choosing not to go public in the U.S. All this
is damaging New York’s image as financial cap-
ital of the world. Detractors also say the law,
with its emphasis on penalization, is too tough.