Does SOX 404 Have Teeth? Consequences of the Failure to Report Existing Internal Control Weaknesses

We identify a sample of firms with restatements attributable to underlying control weaknesses, some which had previously reported these weaknesses as required by SOX 404 and some of which acknowledged them only after announcing the related restatement. We then examine whether various penalties that could serve as enforcement mechanisms for SOX 404 differ across these two groups. We find no evidence that penalties are more likely for firms, managers, or auditors that fail to report existing control weaknesses. Instead, class action lawsuits, SEC sanctions, and management and auditor turnover are all more likely in the wake of a restatement when control weaknesses had previously been reported. These results are consistent with public disclosures of control weaknesses making it difficult for management to plausibly claim later that they had been unaware of the underlying conditions that led to misstatements. These results also suggest that the enforcement mechanisms surrounding SOX 404 are unlikely to provide strong incentives for compliance and offer a potential explanation for why most restatements are issued by firms that have previously claimed to have effective internal controls. We also find that investors appear to be more surprised by restatements for firms that previously claimed to have effective internal controls, as evidenced by more negative abnormal returns and larger abnormal trading volume around restatement announcements. These results suggest that unreliable SOX 404 reports are costly to investors by distorting their investment decisions.