Internal Control Audits: Why an SEC Proposal Could Hurt More Than It Helps

mic Listen to the podcast:

Wharton's Daniel Taylor discusses his research on why proposed SEC changes on small firm audits could lead to more accounting scandals.

The Securities and Exchange Commission proposed in May to exempt relatively small firms – with revenues less than $100 million – from independent audits to verify their internal controls. The objective is to help small companies reduce the cost of going public and to increase the number of publicly traded companies. Still, this exemption could also help management to conceal fraud and lead to more firms restating their accounts.

This would erode more shareholder value than the combined savings in audit costs, according to research by Wharton accounting professor Daniel Taylor. Taylor’s co-authors are Stanford’s Mary Barth, Wayne Landsman from the University of North Carolina and Joseph Schroeder of Indiana University. Taylor discussed the potential impact of the SEC proposal in an in-depth conversation with Knowledge@Wharton. (Listen to the podcast at the top of this page.)

An edited transcript of the conversation follows.

Knowledge@Wharton: The SEC believes its proposal will encourage more companies to go public. Do you agree?

Daniel Taylor: The SEC is trying to reduce the compliance burden and de-burden companies so that they don’t have to pay large costs to be publicly traded. Proponents of this proposal argue that it will encourage more companies to go public. There are two things that we need to think about in this regard.

The first is that there is this trade-off between the number of companies seeking to go public, and the quality of companies seeking to go public. This trade-off doesn’t seem to be a part of the discussion. Rather, the proponents of de-burdening or reducing compliance costs tend to fixate on just the number of public companies, as if the objective is just, “Let’s get more public companies out there traded in the market.”

I can understand that. There’s a lot of action now in private equity, and the SEC’s objective is to bring some of those private equity [investments] to the public market and democratize investing. [They want to] give retail investors access to these companies that would otherwise be exclusive to private equity holders. That’s admirable.

But let’s go back to the tradeoff between the number of public companies and the quality of public companies. Suppose you’re in the market for a used car, and the regulator says, “All cars have to be inspected by a mechanic, and that report has to be provided to prospective buyers.” What types of cars are going to be sold in such a market? Well, the cars that get the bad reports, that are lemons or junkers, probably aren’t going to be sold, because the mechanic’s report will uncover them.

“We can certainly increase the number of companies by sacrificing compliance and oversight. But is that something that we should desire?”

Now, suppose we move from that world where everybody must provide an inspection report, to a world when the regulator does not require the inspection report to be provided. Would there be more people selling their used cars? Certainly. Two types of new sellers would come into the market. The first type of seller, or Type A, would be that person who couldn’t afford the mechanics inspection report, even if he had a good-quality car.

The second type, or Type B, is the person who wouldn’t have tried to sell the car in the earlier market, because the car would have failed the mechanic’s report. But now, maybe they can sell their car to somebody because there’s [no longer the] requirement of a [mechanic’s] report.

Now, the question is, are there more good cars coming onto the market from people that couldn’t afford [the mechanic’s report]? Type A. Or, are there more cars [being sold by] by some people who were merely trying to avoid the inspection report? Type B. You could think of that as an analogy for what’s going on here, where the inspection report is the internal control audit, and the selling of the cars are companies selling their shares to investors.

To provide some insight on this question, we can draw on evidence regarding the JOBS Act of 2012 (Jumpstart Our Business Startups Act) which is related to the current proposal. That act exempted IPOs with less than $1 billion in annual revenue from internal control audits, and it covers most IPOs.

Based on what happened with the JOBS Act, we see more Type B firms going public. The SEC’s own analysis in its proposal [reveals that] firms that went public after the JOBS Act and were able to take advantage of the [exemption from] internal control audit were 1.5 times more likely to restate their financial statements than their peers. They had a 13.5% restatement rate, compared to 8.5% for the peer group. The restatement rates are important; they tell us that more Type B firms went public. If there were [more] Type A firms going public, we would have expected the restatement rate to either be the same or to drop.

How can we wrap the JOBS Act and the car example to the current proposal? Well, when we relax auditing requirements for public companies, we see higher restatement rates. That’s an empirical fact, and the SEC admitted as such in its proposal.

To summarize, suppose there’s a marginal company that wouldn’t have gone public when the audit was required. But now that the audit isn’t required, they’re willing to go public. Is that really the type of company that you want to be investing in? So, there is this trade-off between number of companies and quality of companies. We can certainly increase the number of companies by sacrificing compliance and oversight. But is that something that we should desire?

Informed investors and institutional investors can sift through this. They’re professionals. I’m concerned more about the retail investors who hold index funds [that track] the S&P and Nasdaq, and hold ETFs (exchange-traded funds). If we reduce the amount of compliance and oversight necessary to be a publicly-traded company in the U.S., that will increase volatility because it’s the type B firms that are going public now. It will increase the number of accounting scandals. I’m not sure that it’s a good idea to increase the number of [publicly-held] firms if the side effect is to have greater volatility and more accounting scandals.

We need to strike a balance. I’m not saying, “Don’t increase the number of publicly-traded companies.” But there’s this cost-benefit trade-off that needs to be considered. We shouldn’t just fixate myopically on increasing the number of publicly traded companies.

The second thing is that the SEC estimates the average annual cost savings from forgoing an internal control audit at $210,000: $100,000 savings in audit fees and $110,000 savings in internal costs. The latter savings stem from the fact that firms no longer have to dedicate staff to working with the auditor. I don’t think saving of this magnitude will encourage companies to go public.

Knowledge@Wharton: You refer to internal control audits. You could explain what they are, and how will things change from the system that exists today if the proposal is implemented?

Taylor: An internal control audit is designed to audit the process that managers go through to get at the financial statements and the economic transactions. One example would be of what an internal control audit prevents. Suppose you have a manager who can set up payroll. We want to make sure that the manager can’t invent four fictitious employees, pay those four fictitious employees and pocket the money. An internal control audit would test the controls surrounding the payroll process to make sure they are working effectively so that it would prevent the manager from doing that, or from paying additional money to a supplier and shortchanging another supplier.

In the current regulatory structure of the Sarbanes-Oxley Act, or SOX, there are two [sections] related to internal controls – 404 (a) and 404 (b). Section 404 (a) requires management of all publicly traded companies to disclose the effectiveness of their internal controls and list any material weaknesses in internal controls. So, 404 (a) would have managers say, “We think our internal controls are great,” or, “We’ve identified some deficiencies in our internal controls, and we’re working to fix them.” Section 404 (b) relates to the internal control audit. An external auditor verifies the quality of the internal controls and that the firm is following best practices.

A good way to think about this is that 404 (a) is the “trust” in “trust but verify”. We trust that managers disclose truthfully that they have a weakness in their internal controls. 404(b) is the “verify,” it has the auditor come in, look under the hood, and see if the internal controls conform to best practices. That verification is very, very important.

The SEC’s proposal is saying, “If you have less than $100 million in annual revenue, you are now going to be exempt from 404 (b). So, you do not need to get verification of your 404 (a) opinions of internal controls.” If the proposal gets put into place, fewer companies will get the internal control audits. Then, investors and market participants will have to rely solely on what managers say is the quality of their internal controls.

The audit is designed to verify and to detect any issues relating to the internal controls. Those two factors combined give rise to incentives to make managers improve their internal controls. This is also borne out in the SEC’s own analysis in its proposal; it shows that after you have a 404(b) audit, the quality of your internal controls increases materially. The concern is that if you roll back that verification component, the 404(b) audit, then there will be less incentive for managers to increase the quality of their internal controls. And, there will potentially be greater accounting restatements.

Knowledge@Wharton: Jay Clayton, the SEC Chairman, has said that many smaller companies including biotech and health care companies will be able to redirect their savings [in audit costs] into growing their companies by investing in research and human capital. Do you think he’s right?

“We’d like to see the SEC conduct a revised analysis looking at fraud and moving beyond restatement rates.”

Taylor: It’s certainly true that if you’re saving some money from reduced oversight and compliance, managers can redirect the funds to wherever they would like to. They can redirect it towards investment, and towards research and development. They could redirect it towards salaries, bonuses or share buybacks. The proponents of the proposal are saying, “We’re going to basically trade off [auditors and scientists]. We’re going to hire one less auditor and hire one more scientist.”

I take the point that we want to encourage investment and research and development. But the question is, should we be doing that by sacrificing oversight and compliance? There are other ways to encourage research and development and investment, such as through tax credits.

The SEC’s mission statement was not to encourage investment and R&D and [increase] the number of publicly-traded companies. It was to protect investors. So, sure, we can encourage investment and R&D by reducing compliance and oversight. But that will be sacrificing investor protections.

Some proponents [of the SEC proposal] have in the popular press suggested it will save millions of dollars for companies. However, a company still must provide its own assessment of internal controls. If it does not have to pay for the 404 (b) audit, we know that it could save audit fees of $100,000. Where will they get the rest of the millions in savings? The argument is that they can cut their internal staff in the internal controls department. But that means you’re going to have weaker internal controls, because it was the verification of the audit, that was forcing these companies to have best practices. By cutting internal control staff to save $1 million or $2 million, you’re basically saying that the quality of the internal controls will decline.

Let’s think about encouraging investment in R&D and human capital. The average company affected by this proposal had $231 million average market capitalization, and $43 million in average revenue in 2018. The saving of $210,000 is a rounding error in terms of the firm’s revenue and less than 0.1% of the average firm’s market cap.

Knowledge@Wharton: You collaborated with faculty members at Stanford University, the University of North Carolina and Indiana University to analyze this proposal. Could you give us a broad overview of your main findings?

Taylor: The way the SEC’s rule-making process typically works is the SEC puts forward a proposal, and then it opens up what is known as the “comment letter” period. Here, it solicits opinions from the public; you can go online and submit comments and analyses to the SEC. They then review the comment letters and what they’ve heard back from various constituencies before making their final decision. That is known as “evidence-based policy-making.” It espouses a preference for making policy decisions based on empirical data and empirical evidence. That is commendable – that our regulatory bodies would [pursue] evidence-based policy making.

As part of that process, we reviewed the proposal and submitted a comment letter. There are two main parts of our analysis. Part I is about the costs of these internal control audits. As we mentioned previously, the SEC estimates $210,000 in [average annual] cost savings [for firms] from forgoing internal control audits. We showed that that is a very tiny fraction, less than 1%, of the average affected company’s market value. So, we questioned the economic significance of the average proposed savings.

Some firms will realize larger savings, and some will realize smaller savings. But in evidence-based policymaking, you want to consider the average effect, not just the effect on a few select firms. We weigh the $210,000 in cost savings against the benefit of the audits.

Part II of our comment letter gets into the benefits of the audits and talks about some empirical analysis. When the SEC puts forward a proposal, it must also submit an empirical analysis of the data that support the proposal. In Part II of our letter, we critique the SEC’s analysis. They did not attempt to quantify the benefits of the audits. They just talk about the cost of the audits; [there is] no quantification of the benefits.

They focused on the [accounting] restatement rates. Earlier, we discussed the restatement rates of emerging growth companies, or companies covered under the JOBS Act. That’s a good first step. But what we’re trying to avoid is large restatements and accounting fraud. You don’t want to treat all restatements as being equal.

If I say, for example, that 1% of firms restated [their accounts], someone might say, “Oh, that’s very low.” But what if that one restatement was of $2 billion? Well, now all of a sudden that 1% restatement [rate] is pretty big.

The SEC’s proposal didn’t consider the magnitude of the restatements. We picked 2018, the most recent year for which we have full financial statement data. We looked at all the companies which the proposal would exempt from internal control audits going forward. Of all the companies that would be affected by the proposal, 11 companies restated their accounts. That doesn’t sound like very much; there are only 358 companies affected, so 11 is a pretty low restatement rate.

“Internal control audits are being used across all types of firms, by investors, to judge red flags for misrepresentation.”

But those 11 companies combined restated $65 million in net income. There are many different items on your financial statements that you can restate. But [accounting] practitioners and Wall Street tend to focus on net income, so we just did that calculation.

[We focused next on] the effect of restatements on share price or on shareholder value. When a company restates [its accounts] due to fraud or internal control weakness, it’s typically a harbinger of something bad. It’s the tip of the iceberg for worse things to come. When companies issue restatements due to fraud, they typically don’t recover from that. Their share price goes down, and it normally stays down, and [they are] on a fast track towards bankruptcy and shareholder lawsuits.

We found that the 11 companies that restated their accounts cumulatively destroyed $294 million in shareholder wealth in value in one year. Now, let’s scroll back. Our cost savings was $210,000 per year per company. There are 358 companies affected. Multiply 358 times the $210,000 in estimated cost savings, and you get around $75 million.

That means that on aggregate, the SEC is expecting to save companies, or the stock market, $75 million per year. But there were restatements for $294 million in 2018. So, in one year alone, the restatements wiped out more value than would have been saved by foregoing internal control audits.

Now, I’ll be the first to admit, we don’t know whether those restatements would have occurred in the presence or absence of an internal control audit. We don’t know if the restatements were uncovered through an internal control audit. We just know that those companies that the SEC proposes to exempt from internal control audits issued restatements that destroyed $294 million in market value. Now we think maybe the SEC should pause, take stock of that, maybe do a deeper dive and look at the magnitude of what’s being restated in their analysis, rather than percentages.

The other thing that we touch on is that it’s useful to look at fraud rates. The SEC didn’t look at the rate of fraud and how internal control weaknesses relate to fraud.

Several of the companies that are targeted by the proposal are in the biotech industry, as your previous question mentioned. You have companies that have less than $100 million in revenue, but some can be quite large, at $500 million in market value. They could be high-growth companies. They could be companies working on a cure for cancer. They don’t have any sales right now, but maybe they’ve got some patents, or they’re working on some patents. Consequently, that company would be very, very highly valued.

When you have a fraud at a company like that, a lot of shareholder wealth could be destroyed in addition to destroying revenue. We know from academic research that fraud is most likely to occur in high-growth firms. High-growth firms have pressures to meet or beat analysts’ estimates. They have pressures to perform. If you look at who the SEC has enforced against historically, and the academic research, these small, high-growth firms are where fraud is most likely. So, we’d like to see the SEC conduct a revised analysis looking at fraud and moving beyond restatement rates.

Knowledge@Wharton: You mentioned that the exemption from audits of internal controls may affect small, high-growth biotech firms. But are audits any less relevant for those firms than it is for others?

Taylor: One of the things that the proposal to exempt firms from internal control audits does indicate, is that it disproportionately affects biotech firms. Intuitively, it makes sense. The proposal affects firms with less than $100 million in revenue, and some could be biotech firms. The presumption is: “These are firms where we care predominantly about the science. We care predominantly about whether in fact they can cure cancer, and whether in fact they do have a cutting-edge vaccine. We don’t care too much about their financial statements; we care more about the science.”

Well, let’s unpack that. It is a valid point. I’m not going to dispute that science is important, and what they’re doing is important. An academic paper by some colleagues of mine surveyed 344 buy-side analysts from 181 different investment companies about red flags for intentional misreporting. The survey asked managers, “What are the red flags of intentional misreporting?” Strikingly, 60% of respondents of analysts said, “Material internal control weaknesses are definitely a red flag of management intent to misrepresent financial results.”

What that suggests is that investors are using these audits to gauge whether managers have bad intentions, and whether they have malevolent intentions to misrepresent. That is consistent with the academic evidence that these are associated with restatements. So, it’s important to note that internal control audits are being used by investors across all types of firms to judge red flags for misrepresentation regardless of whether they are biotech firms.

Now, is accounting less relevant to small, high-growth issuers, where valuations are predominantly based on the future rather than past transactions? Accounting doesn’t always pick up past transactions. Sometimes it picks up future transactions. But a large part of accounting is about historical transactions. Let’s unpack that.

Think about a low revenue, high-growth company. It’s going to be valued based on its price-to-earnings, or its price-to-revenue, multiple. Our analysis looked at those firms in 2018 that were affected by the SEC proposal – not just the 11 that restated their accounts, but all the firms in 2018 that were affected by the proposal. We compared their price-to-revenue ratio with that of their peers who wouldn’t be affected. We typically think that higher growth means a higher price-to-revenue ratio – we’re willing to pay more for a [share in terms of] dollar of revenue, or a dollar of earnings.

“When companies issue restatements due to fraud, they typically don’t recover from that…. They are on a fast track towards bankruptcy and shareholder lawsuits.”

The price-to-revenue multiple for the affected companies in 2018 was 93 – for every $1 in revenue, $93 in price. For the peer firms that weren’t affected, the price-to-revenue ratio was 2.47. So if you were to manipulate revenue by $1, there would be a much larger effect on stock price when the price-to-revenue ratio was larger, exactly the set of firms that the SEC is proposing to exempt from internal control audits.

That’s important, because while it suggests that the valuation is based on the future, we can’t completely ignore the numbers. If anything, there’s a higher valuation for every dollar of revenue in these firms. That’s why the academic literature and the SEC generally finds fraud as more pronounced in small, high-growth firms.

Knowledge@Wharton: What implications do you see for investors, employees, customers and other stakeholders, if the SEC were to go ahead with this proposal? What will be the ripple effects on the U.S. economy?

Taylor: There are a couple of different constituencies in there. The first is investors. Sophisticated institutional investors won’t know whether a manager is misrepresenting or not, so they may allocate their investment from firms that forego internal control audits to those that still have internal control audits.

The other type of investors – retail investors – typically hold diversified portfolios, mutual funds [and others that track] indexes like the S&P 500. One might think that one fraud, two frauds, one restatement or two restatements will not hurt them.” I certainly agree with that, assuming that they’re of reasonable size, not Enron-style frauds or restatements.

But if we’re going to increase the rate of restatement within the entire economy, that could potentially have a substantial effect on index funds and retail investors. One way to think about this is to look at what the SEC suggests the restatement rate will be after the proposal is put into effect. The SEC’s proposal suggests that there will be a 26% to 72% increase in restatements among the affected firms. The restatement rate among affected firms would grow from 6.2% to 10% or 11% (approaching the 11.2% restatement rate for all emerging growth companies).

You will see a total increase in the number of firms announcing restatements in any given year. In that sense, it’s a systematic decline in reporting quality that’s going to affect investors, even if they hold diversified portfolios. And, you will see an increase in volatility and a potential increase in the number of scandals.

Other stakeholders such as employees and the customers are also affected potentially by large restatements and with accounting fraud. If you have a $500 million firm, and if a fraud in a firm of that size takes down the entire company, employees will lose their jobs. Customers will lose their products. Suppliers will lose their orders. So, there will be a void, so to speak, in the economy. You can’t just take the economy, subtract a $500 million firm, and then expect to go on with business as normal. Everything is interconnected.

Citing Knowledge@Wharton


For Personal use:

Please use the following citations to quote for personal use:


"Internal Control Audits: Why an SEC Proposal Could Hurt More Than It Helps." Knowledge@Wharton. The Wharton School, University of Pennsylvania, 06 August, 2019. Web. 18 August, 2019 <>


Internal Control Audits: Why an SEC Proposal Could Hurt More Than It Helps. Knowledge@Wharton (2019, August 06). Retrieved from


"Internal Control Audits: Why an SEC Proposal Could Hurt More Than It Helps" Knowledge@Wharton, August 06, 2019,
accessed August 18, 2019.

For Educational/Business use:

Please contact us for repurposing articles, podcasts, or videos using our content licensing contact form.