American Accounting Association DOI: 10.2308/ciia-51480 CURRENT ISSUES IN AUDITING Vol. 10, No. 2 Fall 2016 pp. A28–A37 An Analysis and Taxonomy of Disclosure Controls and Procedures Effectiveness Thomas R. Weirich Lori Olsen Central Michigan University SUMMARY: With the passage of the Sarbanes-Oxley Act, there has been much discussion and analysis of Section 404 dealing with management’s and the external auditor’s evaluation of internal controls over financial reporting (ICFR). However, Section 302 of the Act requires management to evaluate their disclosure controls and procedures (DC&P) and report on the effectiveness of such controls in their 10-Q and 10-K filings. This paper explains the SEC’s differentiation of ICFR and DC&P and attempts to report on the effectiveness of DC&P utilizing the Audit Analytics database. The data show that DC&P have been ineffective, as reported by management in their 10-K filings, ranging from a low of 13.75 percent to a high of 33.91 percent of observations over the 11-year period from 2004 through 2014. The paper concludes with potential research issues related to DC&P. Keywords: internal control; disclosure controls and procedures; control effectiveness. T INTRODUCTION he unraveling of corporate misdeeds during the late 1990s gave rise to the passage of the Sarbanes-Oxley Act (SOX) in 2002 by the 107th Congress. The intent of the Act is: ‘‘To protect investors by improving the accuracy and reliability of corporate disclosures’’ (U.S. House of Representatives 2002). For disclosures to be reliable and accurate, a company must have a system of controls and procedures that will likely expose inaccuracies and reveal information of interest to investors. Section 404(a) of the Act specifically addresses internal controls surrounding financial reporting by requiring an internal control report to be included with each annual report submitted per the 1934 Securities Exchange Act Section 13(a) or 15(d) (U.S. House of Representatives 2002). While the focus of SOX Section 404 is financial reporting, SOX Section 302 encompasses a broader range of activities. Under Section 302(a)(4)(A) the signing officers ‘‘are responsible for The authors thank two anonymous reviewers and Dorsey Baskin for their insightful comments and helpful suggestions. Editor’s note: Accepted by J. Gregory Jenkins. Submitted: February 2016 Accepted: May 2016 Published Online: May 2016 A28 Weirich and Olsen A29 establishing and maintaining internal controls’’ (U.S. House of Representatives 2002) and Section 302(a)(4)(B) further states that they ‘‘have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities’’ (U.S. House of Representatives 2002; emphasis added). Consequently, management is charged with the responsibility of designing internal controls so that all material information, both financial and nonfinancial, is made available to the officers. Over the years, much has been written as to the topics of internal control (IC) and internal control over financial reporting (ICFR), from defining the terms (COSO 2013), to providing a historical perspective of ICFR-SOX 404 (Gupta, Weirich, and Turner 2013), to reporting on the effectiveness of such controls (Rice, Weber, and Wu 2015). However, very little has been reported on the topic of Disclosure Controls & Procedures (DC&P). Therefore, the purpose of this paper is to provide background information as to DC&P, illustrate the importance of such controls, and document trends as to the effectiveness of such controls as reported by management. This information is useful to investors and auditors as they seek to gain knowledge about the effectiveness of issuers’ disclosure systems and hence, the completeness of information provided. The findings are also of interest to regulators whether they seek to assess existing compliance with SOX 302 or identify areas to enhance issuers’ information provided to investors. Investigating and discussing trends related to DC&P also brings several questions to light and hence, the paper concludes with avenues for future research and auditor considerations related to DC&P. BACKGROUND ON ICFR AND DC&P SOX 404(a)(1) states that management has the responsibility for ‘‘establishing and maintaining an adequate internal control structure and procedures for financial reporting’’ (U.S. House of Representatives 2002; emphasis added), while Section 404(a)(2) requires management to include an assessment of the effectiveness of the internal controls over financial reporting (ICFR) (U.S. House of Representatives 2002; emphasis added). Under the directive of SOX, the Securities and Exchange Commission issued Release 338124 (SEC 2002) with an effective date of August 29, 2002, which explicitly sets forth the certifying officers’ responsibilities for establishing, maintaining, and designing DC&P. Officers must also evaluate the effectiveness of those DC&P and report their conclusions. Section 302 of SOX (U.S. House of Representatives 2002) describes four key elements for this evaluation: 1. 2. 3. 4. Establish a ‘‘disclosure committee.’’ Adopt and consistently adhere to a set of formal written policies and procedures. Establish a regular disclosure evaluation system. Establish a certification review and reporting procedures involving the audit committee. Consequently, the issuer has a responsibility to maintain an adequate system of disclosure controls and procedures. The SEC’s (2002, Release 33-8124 (B)(3)) use of the phrase ‘‘disclosure controls and procedures’’ was purposeful and done to capture the perceived intent of Congress that the certifying officers are to be responsible for including material financial and nonfinancial information in the quarterly and annual reports and to distinguish these controls and procedures from internal controls over financial reporting. The certifying officers’ conclusions about the effectiveness of DC&P can be found in Section 9(a) of an issuer’s 10-K. Current Issues in Auditing Volume 10, Number 2, 2016 Weirich and Olsen A30 The SEC distinguishes disclosure controls and procedures from internal controls over financial reporting by explicitly defining both terms. Within Rule 13a-15(f ) of the Securities Exchange Act of 1934, the SEC defines disclosure controls and procedures as: Controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports that it files or submits under the Act (15 U.S.C. 78a et seq) is recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in the reports that it files or submits under the Act is accumulated and communicated to the issuer’s management . . . as appropriate to allow timely decisions regarding required disclosure. (SEC 1934) The SEC further defines ICFR, which are stated to be distinct from DC&P in the Exchange Act Rules 13a-15(f ) and 15d-15(f ) as: A process designed . . . to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. (SEC 1934) Perusal of the definitions reveals that internal controls over financial reporting specifically address controls necessary to give ‘‘reasonable assurance’’ about the reliability of financial reports and adherence to generally accepted accounting principles. On the other hand, disclosure controls and procedures are more comprehensive because they relate to all required disclosures, financial and nonfinancial. When describing the relationship between the two definitions, some constituents propose that internal control over financial reporting is wholly contained within disclosure controls and procedures. This view takes the stance that reliable financial reporting is necessary for complete disclosure. Although the SEC agrees that there is a significant amount of overlap between the two definitions, the SEC maintains that some elements of internal control over financial reporting may be excluded from disclosure controls and procedures. As an example, the SEC makes a point that companies have some discretion in designing their controls and procedures such that some elements of internal control over financial reporting are not included. They cite an example where a company’s design may exclude ‘‘dual signature requirements or limitations on signature authority on checks’’ from disclosure controls and procedures (SEC 2003, Release 33-8238 (D)). Nonetheless, as a result of Sarbanes-Oxley and the subsequent SEC regulations, issuers’ principal executive and financial officers must disclose, in the quarterly and annual reports, their conclusions about whether disclosure controls and procedures are effective and, when relevant, the reasons for their conclusion. This assessment of effectiveness is to be done at the ‘‘reasonable assurance’’ level, consistent with the reasonable assurance discussed within the definition of internal control over financial reporting and the audit literature (SEC 2003, Release 33-8238 (F)(4)). IMPORTANCE OF EFFECTIVE DC&P The SEC takes issuers’ responsibility for disclosure control procedures seriously and has brought about numerous enforcement actions. One example is Accounting and Auditing Enforcement Release No. 3490 (SEC 2013a), dated September 19, 2013. The SEC (2013a) instituted cease and desist proceedings against JPMorgan Chase & Co. In summary, JPMorgan’s Current Issues in Auditing Volume 10, Number 2, 2016 Weirich and Olsen A31 quarterly report filed on May 10, 2012 disclosed a loss of $2 billion from a portfolio managed by JPMorgan’s Chief Investment Officer. At this time, DC&P were reported as effective while ICFR were reported as having a material weakness. Subsequent losses grew to $6 billion and it became apparent that the full extent of the earlier losses was not reported, in part, because of the material weakness in internal control over financial reporting. In turn, this weakness in ICFR kept material information from the appropriate persons and timely disclosure decisions could not be made. This scenario illustrates the link between ICFR and DC&P where ineffective ICFR can result in ineffective DC&P. Consequently, JPMorgan’s disclosure controls and procedures were ineffective and should have been reported as such. The SEC imposed a $200 million civil penalty. The SEC’s (2010) complaint dated February 1, 2010 against Bank of America Corporation provides another example of ineffective DC&P. It is alleged that Bank of America sought to acquire Merrill Lynch & Co., Inc. and a $29 billion merger agreement was dated September 15, 2008. Shareholders were to vote on the agreement at the December 5, 2008 meeting. During the time preceding this meeting, Merrill had October losses of $4.5 billion and it was evident that Merrill would report large losses for November. However, those losses were not disclosed to shareholders because November’s losses were estimates and the total fourth quarter loss was expected to fall within the $2–$10 billion range of losses that Merrill had incurred in prior quarters. The Bank of America shareholders voted to approve the merger on December 5, 2008 without knowledge of Merrill’s October and estimated November losses. On December 8, 2008, Bank of America received an update forecasting a $12.5 billion loss and two weeks after the merger closed (January 16, 2009), Bank of America disclosed that Merrill had a net loss of $15.3 billion in the fourth quarter; the largest in Merrill’s history. Further, the merger negotiations left Merrill the authority to award $5.8 billion in year-end bonuses with a recorded expense up to $4.5 billion. This provision was not disclosed prior to the December 5, 2008 shareholder meeting, and on December 8, 2008, Merrill’s Management Development and Compensation Committee met and approved a $3.62 billion bonus pool resulting in an expense of $3.37 billion. Within Bank of America’s 2008 10K, both auditors and management assessed DC&P as well as ICFR to be effective. As a result of the SEC’s action, among other sanctions, Bank of America was ordered to hire an independent party to assess their DC&P and a $150 million civil penalty was assessed. DC&P EFFECTIVENESS Although the JPMorgan and Bank of America examples are likely extreme, they serve to illustrate the importance of DC&P. Thus, overall, how have issuers adapted to the requirements? Utilizing Audit Analytics we examined the disclosure control reports made by issuers in their 10-K filings. For those issuers where the disclosure controls and procedures are ineffective, Audit Analytics categorizes the ineffective DC&P as: (1) (2) (3) (4) Accounting issues, errors in applying GAAP; Fraud issues, irregularities or misrepresentations; Clerical, errors in accounting and clerical application; or Other, many entities do not disclose reasons for their ineffective DC&P. Table 1 provides descriptive information for the data gathered over the period 2004 through 2014. To avoid double counting of reported deficiencies in 10-Qs and also in 10-Ks, Table 1 reports information for 10-K disclosures only. The second column of Table 1 shows that the number of firms having disclosure control data on Audit Analytics ranges from 6,633 in 2006 to 9,016 in 2009. While there are 84,492 observations over the 11-year period, these observations do Current Issues in Auditing Volume 10, Number 2, 2016 Weirich and Olsen A32 TABLE 1 Number of Reported Disclosure Control Deficiencies All Observations Years 2004 through 2014 Year Number of Firms in Each Year Firms with DC&P Deficiency Percentage of Firms with DC&P Deficiency 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 6,878 6,792 6,633 6,861 8,843 9,016 8,593 8,154 7,787 7,595 7,340 946 1,107 1,190 1,252 2,152 2,356 2,394 2,397 2,378 2,408 2,489 13.75 16.30 17.94 18.25 24.34 26.13 27.86 29.40 30.54 31.71 33.91 806 935 953 931 1,718 1,858 1,792 1,788 1,797 1,844 1,808 20 33 33 28 12 6 1 8 13 11 4 946 1,106 1,185 1,252 2,151 2,352 2,388 2,392 2,378 2,405 2,483 5 8 10 2 3 2 3 1 1 1 12 Totals 84,492 21,069 24.94 16,230 169 21,038 48 Number of Firms with a DC&P Deficiency in That Category Accounting Fraud Other Error not represent 84,492 distinct firms. A single firm may be included in the Audit Analytics data over all years from 2004 through 2014, which would give rise to 11 separate annual observations for that firm or 11 firm-year observations. Hence, the 84,492 (firm-year) observations represent 15,392 distinct firms. The third column in Table 1 shows that the number of firms disclosing DC&P deficiencies ranges from a low of 946 in 2004 to a high of 2,489 in 2014. Note that the fourth column provides the percentage of firms that report DC&P deficiencies, and the percentages range from a low of 13.75 percent in 2004 to a high of 33.91 percent in 2014. The fourth column reveals a monotonic increase in the proportion of firms reporting a disclosure control deficiency as we move from 2004 to 2014. The largest year-to-year percentage increase occurs from 2007 (18.25 percent) to 2008 (24.34 percent). This may be related to the SEC’s (2007) Final Rule 33-8829 released on August 3, 2007 where the term ‘‘Significant Deficiency’’ is formally defined for the purpose of communicating DC&P deficiencies. The next four columns show the number of instances whereby Audit Analytics categorizes a firm as having a deficiency related to accounting, fraud, other, or error. It appears that the majority of deficiencies are either accounting or other, with only a handful falling into the fraud or error categories. Unreported analyses by the authors reveal that most firms have multiple disclosure deficiencies in a given year. The maximum number of disclosure deficiencies reported by a single issuer over this period is 27. Although this appears to be an anomaly, many firms report several sources of disclosure control deficiencies, which often span across two categories. Although uncommon, there are several instances where an issuer has reported disclosure deficiencies in three of the four categories. In sum, Table 1 shows that the number of reported disclosure control deficiencies has generally been increasing and that most are related accounting errors resulting from misapplications of GAAP, and other issues. For completeness, Panel A of Table 2 provides similar information for the set of firm years having both DC&P and ICFR assessment data through Audit Analytics. The first set of columns in Current Issues in Auditing Volume 10, Number 2, 2016 Weirich and Olsen A33 TABLE 2 Firms with DC&P and ICFR Assessment Data Panel A: Number of Reported Disclosure Control Deficiencies for Firms with Internal Control over Financial Reporting Assessments Years 2004 through 2014 Management’s Assessment of Internal Control over Financial Reporting Auditors’ Assessment of Internal Control over Financial Reporting Percentage of Firms with DC&P Deficiency Year Number of Firms in Each Year Firms with DC&P Deficiency Percentage of Firms with DC&P Deficiency Number of Firms in Each Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2,569 3,817 3,918 5,514 7,901 8,291 7,971 7,646 7,360 7,106 6,833 353 564 698 938 1,842 2,147 2,221 2,249 2,281 2,288 2,331 13.74 14.78 17.82 17.01 23.31 25.90 27.86 29.41 30.99 32.20 34.11 2,557 3,788 3,866 3,947 3,879 3,678 3,480 3,462 3,387 3,336 3,388 345 547 666 568 533 475 528 612 622 601 762 13.49 14.44 17.23 14.39 13.74 12.91 15.17 17.68 18.36 18.02 22.49 Totals 68,926 17,912 25.99 38,768 6,259 16.14 Firms with DC&P Deficiency (continued on next page) Panel A represent the reduced sample of 68,926 firm years, consisting of 13,014 distinct firms, over the 2004 through 2014 period, where management has assessed the effectiveness of internal controls over financial reporting. The second set of columns represents the 38,768 firm years, consisting of 6,231 distinct firms, where auditors have assessed the effectiveness of internal controls over financial reporting. One explanation for the lower number of observations in Table 2 is the delays or extensions in ICFR requirements for non-accelerated filers and Emerging Growth Companies (EGCs). The pattern of DC&P deficiencies for the reduced sample(s) is similar to Table 1; however, the percentage of observations with DC&P deficiencies is lower for those firms for which auditors assess internal controls over financial reporting. Unreported analyses show that the firms having an auditor assessment of ICFR tend to be larger on the dimensions of market value of equity, sales revenues, and total assets than the firms having management’s assessment of ICFR. This observation suggests that larger firms may have more resources available to implement an effective system of DC&P and/or that auditor involvement may play a positive role for effective DC&P. For parsimony, the four Audit Analytics categories are not reported in Table 2; however, a very similar pattern emerges in that most DC&P deficiencies fall under accounting and other. Recall that some constituents question whether disclosure controls and procedures can be effective when internal controls over financial reporting are not. This assertion rests on the premise that DC&P are more comprehensive and include all information, both financial and nonfinancial. Thus, to some extent, ICFR can be viewed as a component of DC&P and thus, DC&P would not be Current Issues in Auditing Volume 10, Number 2, 2016 Weirich and Olsen A34 TABLE 2 (continued) Panel B: Combinations of Disclosure Control and Procedures and Internal Control over Financial Reporting Assessments Management’s Assessment of ICFR Auditors’ Assessment of ICFR Number of Firm Years Percentage of Firm Years Number of Firm Years 1. Disclosure Controls Not Effective and Internal Controls over Financial Reporting Are Not Effective 2. Disclosure Controls Effective and Internal Controls over Financial Reporting Are Effective 3. Disclosure Controls Not Effective and Internal Controls over Financial Reporting Are Effective 4. Disclosure Controls Effective and Internal Controls over Financial Reporting Are Not Effective 12,144 17.62 2,213 5.71 50,895 73.84 32,484 83.79 5,768 8.37 4,046 10.44 119 0.17 25 0.06 Totals 68,926 100.00 38,768 100.00 Category Percentage of Firm Years effective if ICFR were not effective. Table 2, Panel B shows the different combinations of effectiveness for DC&P and ICFR for the two samples provided in Panel A. The first (second) set of columns represent the 68,926 (38,768) observations where management (auditors) assess ICFR. The first set of rows, Category 1, represents the circumstance where both DC&P and ICFR are not effective. When management assesses ICFR, 17.62 percent of the observations fall in this category and when auditors assess ICFR, 5.71 percent of the observations exhibit this pattern. This is consistent with the observation from Panel A that the percentage of firms where DC&P are not effective is slightly higher for the sample where management assesses internal controls. Otherwise, patterns are very similar and for most observations, there is alignment between DC&P and ICFR effectiveness. There are instances for both samples where assessments of DC&P and ICFR do not align, with the fewest being when disclosure controls are considered effective and internal controls over financial reporting are considered ineffective. This infrequency is consistent with the standpoint that for the most part, ICFR can be viewed as a subset of DC&P; yet, the SEC notes that an issuer’s procedures could be designed such that some components of ICFR may be excluded from DC&P (SEC 2003, Release 33-8238(D)). Current Issues in Auditing Volume 10, Number 2, 2016 Weirich and Olsen A35 More frequent are instances where DC&P are not effective and internal controls over financial reporting are effective. Category 3 of Table 2, Panel B shows that 8.37 percent (10.44 percent) of the observations exhibit this pattern when management (auditors) assesses internal controls. This situation is partially explained by the different reporting thresholds for DC&P and ICFR. Ineffective disclosure controls are reported at the ‘‘significant deficiency’’ and ‘‘material weakness’’ levels, while ICFR are reported when there is a material weakness. Thus, the reporting threshold for disclosure controls is lower than for internal controls. Unreported results reveal that Audit Analytics categorized 30.32 (24.12) percent of these ineffective DC&P as ‘‘accounting’’ when management (auditors) assessed ICFR as effective. Thus, examining whether DC&P at the ‘‘significant deficiency’’ level can predict subsequent ICFR and/or DC&P material weaknesses may be of interest to issuers’ constituents. DC&P EVALUATION PROCESS Given the frequency of disclosure control and procedure deficiencies and their potential severity, designing an effective system is not trivial. Although there is some guidance, the SEC recognizes that an effective system for DC&P varies across firms. Accordingly, in the Final Rule Release 33-8124, the SEC (2002) notes that ‘‘we are not requiring any particular procedures . . . we expect each issuer to develop a process that is consistent with its business and internal management and supervisory practices.’’ The SEC (2002) goes on to recommend that a committee be formed and charged with ‘‘responsibility for considering the materiality of information and determining disclosure obligations on a timely basis.’’ This committee should report to senior management. Consequently, designing effective DC&P is principles based. In John W. White’s (2006 [Former Director of the SEC’s Division of Corporation Finance]) October 12, 2006 speech, he outlines some steps for developing a principles-based system as follows: (1) Identifying the key objective of reporting or disclosure, (2) specifying some detailed rules (but not for every situation), (3) providing descriptive guidance and representative (but not exhaustive) examples about the application of the principle, and (4) remembering that the standard and its expectations really start and end with the principle. While the design of DC&P is expected to vary from across firms, the SEC does refer issuers to the framework provided by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. The latest version (COSO 2013) includes enhancements to improve clarity and to explicitly include nonfinancial and internal reporting. In part, the framework is expected to ‘‘enable organizations to effectively and efficiently develop and maintain systems of internal control that can enhance the likelihood of achieving the entity’s objectives and adapt to changes in the business and operating environments’’ (COSO 2013). CONCLUSION AND AVENUES FOR FUTURE RESEARCH The importance of disclosure effectiveness is a major focus on the part of the SEC. In 2006, the SEC issued a news release (SEC 2006, Release No. 2006-123) whereby the Commission voted to adopt changes to the disclosure requirements for executive compensation. More recently, in December 2013, the Commission released a report to Congress (SEC 2013b) related to its disclosure rules for public companies. In this report, the Commission provides preliminary conclusions and further recommendations about the disclosure reform that was mandated by the Jumpstart Our Business Strategies (JOBS) Act. Current Issues in Auditing Volume 10, Number 2, 2016 Weirich and Olsen A36 As a requirement of the JOBS Act, the SEC’s Division of Corporation Finance is currently reviewing the disclosure requirements of the securities laws in order to improve material item disclosures for the benefit of companies, as well as investors’ access to such information. Such a review highlights the importance of a company’s internal controls over financial reporting and their disclosure controls and procedures to provide useful information and in turn, emphasizes the need for research that enhances our understanding of the issues. From discussion with staff at the SEC, PCAOB, and audit partners at major accounting firms, the following are potential avenues for future research and auditor considerations. Avenues for Future Research 1. ICFR evaluation is normally a decentralized process where lower units sub-certify and report upward on process controls. However, DC&P evaluations are more entitylevel controls that may not have sub-certification. Thus, what is management’s committee composition in the evaluation of DC&P versus ICFR? Are they the same members, separate committees, or a mixture? What is management’s process in evaluating DC&P? What would be best practices for the committee composition and evaluation procedures? 2. What is the external auditor’s involvement in the evaluation of DC&P in a financial statement audit? What are the specific audit procedures conducted in the evaluation? Is the evaluation documented? 3. Should there exist a specific framework to guide one in evaluating DC&P, or does the COSO framework provide an adequate framework? 4. When ICFR are considered effective and DC&P are considered ineffective as a result of accounting issues, can these ineffective DC&P predict future material weaknesses and/or restatements? 5. Why is there an increase in ‘‘other,’’ or unspecified, reasons in management reporting of ineffective DC&P? 6. What is management’s remediation process of DC&P? 7. The SEC has reported enhanced disclosures, either required or to be required, in filings of information related to conflict mineral, sustainability, non-GAAP measures, etc. Will such disclosures be covered by DC&P? 8. Does the auditor have a clear understanding and documentation of inconsistencies between reported DC&P deficiencies and ICFR deficiencies? 9. Does the auditor interact with the disclosure committee? If so, then how does that affect the planning or execution of the audit? 10. Given the auditor’s responsibility with respect to ‘‘other information,’’ should the auditor obtain representations from the disclosure committee? An entity benefits in many ways from ensuring it has effective disclosure controls and procedures. It not only supports the certifications that the CEO and CFO are required to provide in their filings, but also effective DC&P provide a quality control over the entity’s disclosure process. Having effective DC&P will reduce the risk of failing to disclose material information on a timely basis or disclosing information that is incomplete or inaccurate. Having ineffective DC&P may result in the loss of reputation, investor confidence, and possible market value. Accordingly, addressing the relationship of DC&P with firm characteristics, investor confidence, and informational value of DC&P assessments provide avenues for future research. Current Issues in Auditing Volume 10, Number 2, 2016 Weirich and Olsen A37 REFERENCES Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2013. Internal Control—Integrated Framework. New York, NY: American Institute of Certified Public Accountants. Gupta, P., T. Weirich, and L. Turner. 2013. Sarbanes-Oxley and public reporting on internal control: Hasty reaction or delayed action? Accounting Horizons 27 (2): 371–408. Rice, S. C., D. Weber, and B. Wu. 2015. Does SOX 404 have teeth? Consequences of the failure to report existing internal control weaknesses. The Accounting Review 90 (3): 1169–1200. Securities and Exchange Commission (SEC). 1934. Securities Exchange Act of 1934. Washington, DC: GPO. Securities and Exchange Commission (SEC). 2002. Certification of Disclosure in Companies’ Quarterly and Annual Reports. Final Rule Release No. 33-8124. August 29, 2002. Washington, DC: GPO. Securities and Exchange Commission (SEC). 2003. Management’s Report on Internal Control over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports. Final Rule Release No. 33-8238. June 5, 2003. Washington, DC: GPO. Securities and Exchange Commission (SEC). 2006. SEC Votes to Adopt Changes to Disclosure Requirements Concerning Executive Compensation and Related Matters. Press Release. July 26, 2006. Washington, DC: GPO. Securities and Exchange Commission (SEC). 2007. Definition of the Term Significant Deficiency. Final Rule Release No. 33-8829. August 3, 2007. Washington, DC: GPO. Securities and Exchange Commission (SEC). 2010. Securities and Exchange Commission v. Bank of America Corporation, Civil Action Nos. 09-6829 and 10-0215. Litigation Release No. 21407, February 4, 2010. Washington, DC: GPO. Securities and Exchange Commission (SEC). 2013a. Accounting and Auditing Enforcement: In the Matter of JPMorgan and Co. Release No. 3490. September 19, 2013. Washington, DC: GPO. Securities and Exchange Commission (SEC). 2013b. Report on Review of Disclosure Requirements in Regulation SK. Staff Report, December, 2013. Washington, DC: GPO. U.S. House of Representatives. 2002. The Sarbanes-Oxley Act of 2002. Public Law 107-204 [H. R. 3763]. Washington, DC: GPO. White, J. W. 2006. Principles Matter: Related Person Transactions Disclosure and Disclosure Controls and Procedures. Available at: https://www.sec.gov/news/speech/2006/spch101206jww.htm Current Issues in Auditing Volume 10, Number 2, 2016 Copyright of Current Issues in Auditing is the property of American Accounting Association and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.