1

Implications of the Sarbanes-Oxley Act on the Public Sector

2005 NASACT Annual ConferenceAugust 15, 2005

Gail Flister VallieresU.S. Government Accountability Office

2

Integrity and Trust in Government

• Without integrity and trust, governments, institutions and leaders cannot succeed.

• With trust, governments, institutions and leaders can achieve great things.

• “Getting it right” with regard internal control and accountability will be critical to achieving and maintaining the public’s trust in government.

3

Current Government Environment

• continually increasing demands for government effectiveness and accountability

• fiscal pressures, increasing costs, structural deficit

• financial and performance reporting pressures and incentives

• changing laws and regulations

• changing demographics

• ability to hire and retain skilled staff

• control environment/ risk assessment

4

Sarbanes-Oxley Act of 2002

Instituted sweeping changes for accountability profession and corporate governance in the following areas:

oversight of the auditing profession

auditor independence

corporate responsibility

enhanced financial disclosure requirements (including internal control reporting)

5

Sarbanes-Oxley Act of 2002

Instituted sweeping changes for accountability profession and corporate governance in the following areas:

oversight of the auditing profession

auditor independence

corporate responsibility

enhanced financial disclosure requirements (including internal control reporting)

6

Sarbanes-Oxley Act Audit Profession Oversight

Creation of Public Company Accounting Oversight Board (PCAOB). Principal duties:

establish or adopt standards for public company audits

enforce compliance with standards and the Act

inspect and register public accounting firms

conduct investigations of firms and disciplinary proceedings

impose sanctions

7

Sarbanes-Oxley Act Impact on U.S. Auditing Standards

Three US Auditing Standards-Setting Organizations Public Company Accounting Oversight Board (PCAOB)Audits of publicly traded companies

Auditing Standards Board (ASB) of the AICPA Privately held companies Not-for-profit organizations

U.S. Government Accountability Office Federal, state, local governments Not-for-profit organizations receiving federal funding

8

Sarbanes-Oxley Act: Impact on U.S. Auditing Standards

Comptroller General established the “U.S. Auditing Standards Coordinating Forum”

PCAOB, GAO, ASB

Three principals meet several times a year.

Key staff coordinate regularly to implement agenda.

Rotating chair, based on who is hosting the meeting.

Still defining role for IAASB

9

Sarbanes-Oxley Act Impact on U.S. Auditing Standards

Purpose of U.S. Auditing Standards Coordinating Forum

maximize complementary standards-setting agendas

minimize duplicative or competing efforts

identify any significant gaps not being addressed

develop strategies for overcoming challenges and barriers to modernizing the auditing profession in the U.S.

assure consistency where appropriate for core auditing standards, while seeking to modernize those standards

10

Sarbanes-Oxley Act Auditor Independence

It is now unlawful for a registered accounting firm to provide certain nonaudit services to audit clients,

including:

accounting and bookkeeping services

financial information systems design and implementation

appraisal, valuation, and actuarial services,

internal audit outsourcing services management or human resources functions

All other nonaudit services provided to audit clients require prior audit committee approval

11

Sarbanes Oxley Act Auditor Independence

An accounting firm is not allowed to perform an audit of a registrant whose key financial or management personnel were employed by that accounting firm and participated in the audit within one year of the current audit.

The auditor must report to the audit committee all “critical accounting policies and practices” used in preparing financial statements

The lead audit, concurring and reviewing partners must rotate every 5 years.

12

Auditor Independence Implications for Government

Yellow Book independence standards became effective in 2003

Auditor communications with audit committees.

Audit Partner Rotation– no related government requirement.

Employment restrictions–watch for situations that could result in appearance of independence problems under current Yellow Book independence standards.

13

Sarbanes Oxley Act Corporate Responsibility

New Requirements for Audit Committees

Members must be on the Board of Directors and be “independent”

Responsible for the appointment, compensation, and oversight of the auditor

The auditor must report to the audit committee all “critical accounting policies and practices” used in preparing financial statements

Must be appropriately funded by the company

14

Sarbanes Oxley Act Corporate Responsibility

Other Corporate Responsibility Requirements

The CEO and CFO must certify that financial statements and disclosures are appropriate and fairly present, in all material respects, the operations and financial condition of the company.

Unlawful for officers and directors to “fraudulently influence, coerce, manipulate, or mislead” the auditor

15

Corporate Responsibility Implications for Government Auditors and financial professionals should evaluate

whether implementing an audit committee or similar type of committee would enhance governance

Auditors should encourage good governance practices within the entities they audit.

CFO and CEO Certification of financial results—Does top management understand and care about what is in the financial statements?

Auditors: watch for reporting pressures and improper management on audit or reporting results.

16

Sarbanes-Oxley Act Section 404: Internal Control

Management is required to establish and maintain adequate internal control structure and procedures for financial reporting

Include in the annual report a statement of management’s responsibility for and management’s assessment of the effectiveness of those controls.

The company’s auditors are required to attest to and report on management’s assessment of the effectiveness of internal control over financial reporting.

17

Sarbanes-Oxley Act Section 404: Internal Control

PCAOB Auditing Standard No 2: “Audit of Internal Control over Financial Reporting in conjunction with

Audit of Financial Statements”

Requires auditor opinions oninternal control effectiveness management’s assessment of internal control

effectiveness

Internal control audit must be performed in conjunction with financial statement audit

18

Sarbanes-Oxley Act Section 404: Internal Control

PCAOB Auditing Standard No 2 (cont):

Requires walkthroughs for each major transaction class

Limits on rotation testing of controls

Limits on reliance on work of others

New, more rigorous definitions of material weakness and significant deficiency (formerly reportable condition)

19

Federal Gov’t Internal Control Requirements—FMFIA/OMB A-123

• Federal Financial Managers Financial Integrity Act of 1982 (FMFIA) establishes overall requirements for internal control in federal agencies. The agency head must establish controls that reasonable ensure that

• Obligations and costs are in compliance with applicable law

• Funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation, and

• Revenues and expenditures applicable to agency operations are properly recorded and accounted for

20

Federal Gov’t Internal Control Requirements—FMFIA/OMB A-123

• Office of Management and Budget (OMB) Circular A-123, “Management Accountability and Control”

• Implements FMFIA• covers all aspects of an agencies operations (programmatic,

financial, and compliance)

• Over the years, OMB Circular A-123, has broadened these requirements to include controls over all aspects of an agency’s operations.

• Latest update (December 2004) provides updated internal control standards (incorporating the COSO elements) and new specific requirements for conducting management’s assessment of the effectiveness of internal control

21

Federal Gov’t Internal Control Requirements—FMFIA/OMB A-123

• December 2004, revised OMB Circular A-123 requires

• annual management assurances on internal control in Performance and Accountability Report.

• separate assurance on internal control over financial reporting using the COSO elements (for the 24 CFO-Act agencies)

• identification of material weaknesses, non-conformances, and corrective actions.

• Revised A-123 does not require audit of internal control over financial reporting

• GAO supported the revised A-123 in recent testimony before House Government Reform Subcommittee on Government Management. (GAO-05-321T, Feb. 16, 2005)

22

Federal Gov’t Internal Control Requirements—FMFIA/OMB A-123

GAO Identified six critical implementation issues

1. Need for supplemental guidance and implementation tools

2. The following objectives covered by the Circular will require special attention– (1) achieving effective and efficient operations, and (2) complying with laws and regulations.

3. Managers throughout an agency need to provide strong support for internal control.

4. Agencies need to strike a balance between costs and benefits, while achieving an appropriate level of internal control.

5. Management testing of controls is essential to determine their soundness, whether they are being adhered to, and whether corrective action is necessary.

6. Personal accountability will be essential, starting with top agency management and cascading throughout the organization.

23

Federal Gov’t Internal Control Requirements—FMFIA/OMB A-123

GAO Views on the next steps– auditor opinions on internal control--

• Auditor opinions on internal control over financial reporting is an important component of monitoring risk management and accountability systems.

• Need to determine if management has assessed internal control and has a firm basis for its assertion over effectiveness before attempting to audit internal control over financial reporting.

24

Internal Control ReportingGetting Started

• Does management have a credible basis for a conclusion about the effectiveness of internal control over financial reporting?

• What is the level of maturity of the internal control systems in place for financial reporting?

• What are the associated risks?

• What is the targeted level of maturity for internal controls?

• Small, simple entities vs. large, complex entities

• What are benefits and cost of an audit of internal control, given where the entity is in the process?

25

Internal Control ReportingGetting Started

Level 1: Unreliable• Unpredictable environment • controls not designed, in

place

 Level 2: Informal• controls designed, in place • not adequately documented• mostly dependent on the

individuals doing the function

• no formal training or communication of results

 

Internal controls maturityframework:

Level 3: Standardized•controls in place, documented, and communicated to employees•deviations may not be detected

Level 4: Monitored•standardized controls with periodic testing for effective design and operation, reporting to management

Level 5: Optimized•integrated internal control framework• real-time monitoring by management with continuous improvement•automation to support controls and make rapid changes to controls if needed

•Source: Pricewaterhousecoopers, The Sarbanes-Oxley Act of 2002: Strategies for Meeting New Internal Control Reporting Challenges: A White Paper, 2002

26

Sarbanes-Oxley Act Implementation:What We Have Learned and Future Directions

• The Sarbanes-Oxley Act reforms are sound and necessary

• Reforms have improved governance and management, including the involvement of the board, audit committees, and top management in financial reporting and internal control issues.

• Implementing section 404 has been challenging due to:

• The amount and nature of internal control work performed in the past

• Extensive audit work being performed due to real and/or perceived lack of flexibility in PCAOB Auditing Standard No. 2

• Significant first-year implementation efforts

27

Sarbanes-Oxley Act Implementation:What We Have Learned and Future Directions

• GAO strongly supports the concepts behind section 404. However, we believe that economies and efficiencies can be gained in the process through:

• Auditor and management efficiencies and streamlining in the second year and beyond.

• Better integration of the financial and internal control audit.

• Additional PCAOB and SEC guidance that provides for a risk-based approach using reasoned risk and experience-based auditor judgments in areas such as rotation of testing and additional flexibility in using the work of others (similar to the approach in GAO’s Financial Audit Manual).

• Ongoing feedback from the PCAOB inspection process

28

GAO Technical Assistance

The Yellow Book is available on GAO’s website at:

www.gao.gov/govaud/ybk01.htm

For technical assistance, contact us at

yellowbook@gao.gov

29

Contact Information

Gail Flister VallieresFinancial Management & AssuranceU.S. Government Accountability Office(202) 512-9370 vallieresg@gao.gov