Internal control audits are a cornerstone of financial transparency and investor confidence in U.S. capital markets. However, for smaller public companies, compliance with these requirements — particularly under Section 404(b) of the Sarbanes-Oxley Act — can pose significant challenges. Recent discussions in Congress have spotlighted these concerns, prompting a reevaluation of the balance between regulatory rigor and the operational realities of smaller entities.
Overview of ICFR requirements
Public companies are required to maintain and disclose internal controls over financial reporting (ICFR) under various laws. These include the Securities Exchange Act of 1934, the Foreign Corrupt Practices Act and the Sarbanes-Oxley Act of 2002. In particular, Section 404(a) of the Sarbanes-Oxley Act requires a public company’s management to assess the effectiveness of ICFR annually. Sec. 404(b) requires the company to hire independent auditors to provide an attestation report on management’s assessment of internal controls.
After more than two decades, Sec. 404(b) remains controversial as one of the act’s most expensive mandates. Smaller public companies have objected to the requirement for auditor independence. External auditors can’t audit their own work, which means a company subject to Sec. 404(b) can’t ask its auditor for help developing and documenting compliant internal controls, as outlined in Sec. 404(a).
Current Sec. 404(b) exemptions
Certain public companies may be exempt from the Sec. 404(b) requirements. Under a final rule issued by the U.S. Securities and Exchange Commission in 2020, smaller reporting companies (SRCs) with annual revenue under $100 million and public float under $700 million are generally exempt. Public float is the value of a company’s common stock that’s publicly traded.
In addition, the Jumpstart Our Business Startups Act of 2012 provides an exemption for emerging growth companies (EGCs) with annual revenue of less than $1 billion (adjusted annually for inflation). The EGC exemption generally applies for up to five years after the company’s initial public offering, unless its public float exceeds $700 million. However, even if your company qualifies for a Sec. 404(b) exemption, it’s still responsible for assessing the effectiveness of its internal controls over financial reporting under Sec. 404(a).
Recent congressional hearings
On June 25, 2025, the U.S. House Financial Services Committee’s Subcommittee on Capital Markets held a hearing to examine the implementation of the Sarbanes-Oxley Act, focusing on how certain provisions affect public companies and capital markets activity. Discussions underscored the need to ensure that unnecessary barriers don’t hinder the path to becoming a public company. They also highlighted the importance of balancing investor protections with the operational capacities of smaller entities.
In a recent public statement, the subcommittee’s chairperson, Ann Wagner, said, “For many small companies, Section 404(b) has become a major obstacle. It requires companies not only to assess their own internal financial controls, but also to pay for an external auditor to effectively repeat that process.” She estimated that the annual costs of Sec. 404(b) compliance often exceed $1 million, putting a disproportionate burden on smaller companies and start-ups. And, while compliance costs have risen in recent years, she said, “Internal control weaknesses remain stubbornly high.”
Wagner also noted that some companies structure their growth, fundraising and public float to avoid triggering these requirements. For example, companies might increase dividends, buy back stock or issue more debt than equity to avoid crossing the Sec. 404(b) compliance thresholds.
Costs vs. benefits
Among the hearing’s witnesses was Frank Watanabe, president and CEO of Arcutis Biotherapeutics, an emerging biotech company. Watanabe shed some light on the real-world implications of the Sec. 404(b) requirements. He testified that his company became subject to Sec. 404(b) in 2021, after its public float exceeded $700 million, even though it hadn’t yet generated any revenue. To date, Sec. 404(b) compliance has cost the company roughly $11 million — approximately the cost of running a large Phase 2 clinical trial. “These millions of dollars spent on unnecessary compliance was precious capital that could have been spent on developing life-altering drugs,” testified Watanabe.
Another witness, University of Delaware’s Lawrence Cunningham, cautioned against equating ICFR compliance with financial reporting accuracy. He said, “A company can have strong internal controls and still misreport its financials, or weak controls and report accurately.”
While business groups have repeatedly argued that Sec. 404(b) compliance costs far outweigh the benefits, not all stakeholders favor further exemptions from the requirements. Investor protection advocates contend that auditor attestation of ICFR reduces the likelihood that management will manipulate the company’s financial results.
Wait and see
The debate over Sec. 404(b) has resumed under the second Trump administration, which has generally favored regulatory relief for businesses. While many smaller public companies currently qualify for exemptions based on revenue and public float thresholds, policymakers are weighing whether additional reforms are needed to improve access to capital markets and ease the compliance burden for smaller entities. However, the issue remains divisive.
Given the renewed legislative attention and growing pressure from the business community, the future landscape for internal control audit requirements could change. In the meantime, public companies that are subject to these complex rules should consult with their auditors to determine the appropriate internal control strategy and ensure they’re prepared for any forthcoming developments.
© 2025




