Yet another W$J report on the costs of the SOX internal reporting rule, Section 404.
As usual, the story discusses the costs imposed on firms, especially smaller firms, and the benefits to the compliance industry. Other such reports are covered in this blog’s Sarbanes-Oxley archive.
There may be a tendency to think that all this is being overblown. In other words, there might be a backlash against the backlash (we might be entering the post-post-post Enron period).
In response to such a claim, I want to make three points. First, there’s an argument that this is all about start-up costs under the rule, and that after reporting systems are put into place the costs will go down and benefits will dominate. One response is that in this second phase we will start to see the liability costs of Section 404 – every business that fails because of inherent business risks will become potential litigation bait because of a hindsight claim linking the failure with incomplete disclosure of internal control gaps. This possibility, in turn, may force firms to over-disclose risks. Moreover, such liability could further entrench the federal government in the regulation of internal corporate governance.
Second, the “start-up” period may be particularly long because it will take some time for the courts and the SEC to articulate the new materiality rule under Section 404 as to which internal control deficiencies must be disclosed.
Third, and most importantly, the big question in my view is not whether there should be some rule on internal controls disclosures, but whether it should be a mandatory federal rule?
As for state law, Delaware already had the Caremark test. As summarized in Ribstein & Letsou, Business Associations, 4th edition 2003:
[In] In re Caremark International Inc. Derivative Litigation [698 A.2d 959 (Del. Ch. 1996)] . . . directors were alleged to have failed to adequately supervise employees who were indicted for violating the terms of the Federal Anti Referral Payments Law, which prohibits healthcare providers from paying to induce referral of Medicare or Medicaid patients. . . . . Chancellor Allen concluded that the director’s obligation includes a duty to assure himself that “information and reporting systems exist in the organization that are reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation’s compliance with law and its business performance.” Failure to maintain such a system could “render a director liable for losses caused by non-compliance.”
There is nothing stopping the states from beefing up this rule, or imposing a disclosure rule to provide the necessary assurance. This would have the advantage of preserving the states’ role as the primary regulators of internal corporate governance.
Even a federal rule could be optional – that is, permit firms to choose whether to report on internal controls. We might see an equilibrium in which larger firms reassure investors that there are no lurking Enron-type problems while smaller firms decide that the costs of such disclosure outweigh the benefits. That would beat forcing the latter to “go dark” and eschew all federal disclosures. There’s no “lemons problem” need for every company to provide these reports – the market can readily distinguish the reporting companies from the non-reporters.
In short, Section 404 may not be as bad as is being reported. It’s worse, especially considering that there were lower-cost ways of getting at the same result.
Comments