Internal Controls After Sarbanes-Oxley: Revisiting Corporate Law\u27s Duty of Care as Responsibility for Systems

Abstract

Revisiting section 3.4.2 of Clark\u27s Corporate Law (\u27Duty of Care as Responsibility for Systems ) reminds us, however, that the internal controls story actually goes back many decades, and that many of the strategic issues that are at the heart of section 404 have long been contentious. My Article will briefly update Clark\u27s account through the late 1980s and 1990s before returning to Sarbanes-Oxley and rulemaking thereunder by the SEC and the newly created Public Company Accounting Oversight Board ( PCAOB ). My main point builds on one of Clark\u27s but digs deeper. Internal controls requirements, whether federal or state, are incoherent unless and until one articulates clearly for whose benefit they exist, and to what end. There are, in fact, a number of competing articulations. The failure to identify a single and coherent rationale creates significant uncertainty, which has been exploited by players in the legal, accounting, consulting, and information technology fields. Companies are probably spending more time and resources on 404 compliance than a reasonable reading of the legislation and the rules necessarily requires, heavily influenced by those who gain from issuer over-compliance. This rent-seeking compromises the political viability and substantive quality of what is at the heart a beneficial statutory reform