Statement on the Rollback of Auditor Attestation Requirements
Today, in the face of extensive objection from investors, we strip away a layer of investor protection for financial reporting.[1] The rule adopted today removes the requirement that an auditor attest to the adequacy of internal controls over financial reporting (ICFR) for public companies with revenues of less than $100 million.[2] Eliminating the auditor attestation removes a critical gatekeeping function that we know works to improve the reliability of financial reporting for investors.[3] And we sacrifice this important protection for an admittedly modest[4] cost reduction for issuers that could well be negated by an increased cost of capital.
There are valid concerns on both sides of the policy choice the Commission makes today. Public companies with relatively lower revenues are understandably concerned about costs related to regulatory compliance; investors are understandably concerned about the extent and reliability of disclosures they need to make informed investment decisions.
Rather than balancing these concerns, however, the final rule overrides investors’ views, and eliminates the auditor attestation requirement at lower-revenue companies. In fact, as we have seen with other rules,[5] the final rule swings further than the proposal in the direction that concerned investors, eliminating the ICFR auditor attestation requirement for certain business development companies (BDCs) as well.[6]
I have a growing concern that we may not give adequate consideration to the views of investors on certain issues. There have been a number of releases over the past several months where, as here, there was a clear division of views between investors and other commenters. This was true, for example, for the proxy guidance issued last August,[7] amendments to the Volcker Rule last September,[8] the shareholder submission thresholds proposal last November,[9] the accredited investor and resource extraction proposals last December,[10] and the exempt offering framework proposal last week.[11]
In each case, the comment file revealed a clear divide and, in each case, we disfavored or even disregarded investor views. This fact is documented in my prior statements on these releases,[12] and continues with the rule adopted today.[13] There must be a limit to the number of times we can credibly assert to investors that we act in their best interests by making policy choices they directly oppose.[14]
With today’s final rule, we roll back an important protection over financial reporting put in place by the Sarbanes-Oxley Act in the wake of major corporate accounting scandals. Financial reporting is only as reliable as the controls in place to ensure its accuracy, thus internal controls over financial reporting form what we have called “the first line of defense in detecting and preventing material errors or fraud in financial reporting.”[15] Today’s rule diminishes the role of the gatekeeper—the auditor—in that first line of defense, thereby increasing the risk to investors of unreliable financial reporting.
The release notes that, although we are eliminating the auditor attestation requirement, auditors still review internal controls as part of their audits of financial statements. There is value in that review, but there is a significant difference between that review and an opinion from auditors as to the adequacy of internal controls. Attestations are designed to, and do, heighten and focus the attention of those in a position to ensure efficiency and compliance. Attestations increase accountability and they work. It’s a kind of “buck stops here” approach that is lost under the new rule.[16]
We are justifying this loss on the grounds that eliminating the auditor attestation will reduce costs for low-revenue issuers and thereby promote capital formation. Both propositions are questionable. First, the final rule rests in part on the unsupported hypothesis that relieving companies of modest additional costs for auditor attestation will encourage more companies to go public.[17] Unfortunately, there just isn’t evidence for this intuition, which animates a number of other recent policy choices.[18]
Second, the final rule rests in part on the idea that, however modest the compliance costs savings are, lower-revenue issuers can use those funds for other, presumably more productive, ends.[19] But any cost savings for those companies may well be diminished or even negated by an increase in the cost of capital for issuers that do not have auditor attestations. We know from the comment file that investors do not want this change. That fact, in and of itself, certainly makes it plausible that investors may require a premium to compensate for the increased risk.
Thus, while the benefit to public markets of the rollback is unclear, its effect is not. There will be less information for investors about the quality of internal controls, less detection of ineffective internal controls, and less accountability for management regarding its assessment of internal controls.[20]
Finally, I note that this proposal and final rule have engendered much debate, particularly related to the economic analysis. Our economists have responded with substantial new analysis, and I’m grateful for their work.[21] It seems likely, however, that the new analysis will prompt further significant debate.[22]
For example, it would have been helpful to have commenters’ analysis regarding at least one counterintuitive finding in the economic analysis. There is a chart on page 160 of the release that appears to suggest that the market reacts positively to the disclosure of ineffective internal controls at low-revenue issuers.[23] Respectfully, such a result, at a minimum, deserves deeper scrutiny.[24] Unfortunately, it will be too late for us to consider public comment on this point, or any of the other substantial new analysis in the release.
While there may be continued debate regarding, for instance, whether low-revenue issuers present heightened risks related to financial reporting, there is no question that removing the auditor attestation requirement increases the risk overall to investors of ineffective internal controls and unreliable financial statements. Because we have not justified taking that risk or adequately taken into consideration the views of investors, I must respectfully dissent.
Last Reviewed or Updated: March 12, 2020