What is Sarbanes-Oxley
• Drafted by Sen. Paul Sarbanes and Rep. Michael Oxley
  – Signed into law 7/30/02
• A reaction to high-profile corporate fraud cases
  – Enron
  – WorldCom
• Intended to prevent similar situations by
  – Creating and strengthening corporate controls
  – Requiring enhanced financial disclosures
  – Creating new standards for corporate accountability
  – Creating new penalties for acts of wrongdoing
SOx
The Sarbanes-Oxley Act of 2002 United States federal law
Major corporate and accounting scandals
Act’s key provisions:
  – PCAOB (Public Co. Accounting Oversight Board)
  – Auditor independence
  – Corporate governance
  – Enhanced financial disclosures
The Objective
Objectives – Internal controls should be designed to provide reasonable assurance on:
  – Effectiveness and efficiency of operations
  – Reliability of financial reporting
  – Compliance with laws and regulations
The Company’s SOx process narratives and testing of key controls are to support the reliability of our financial reporting.
The Scope of the Act
• The scope of the act focuses on:
  – Internal controls.
    • Process.
    • Policies.
    • Activities.
  – Compliance and reporting.
    • Transparency.
    • Accuracy.
  – Governance.
    • Accountability.
    • Responsibility.
    • Avoidance of conflict of interest.
The Details of the Act
Title I Public Company Accounting Oversight Board
Title II Auditor Independence
Title III Corporate Responsibility
Title IV Enhanced Financial Disclosures
Title V Analyst Conflicts of Interest
Title VI Commission Resources and Authority
Title VII Studies and Reports
Title VIII Corporate and Criminal Fraud Accountability
Title IX White-Collar Crime Penalty Enhancements
Title X Corporate Tax Returns
Title XI Corporate Fraud and Accountability
Public Company Accounting Oversight Board
• Established by SOX.
• Nonprofit agency.
• Responsibilities:
  – Register and inspect public accounting firms.
  – Establish standards for public accounting firms.
  – Enforce compliance with the act and rules of the board.
  – Investigate firms and impose sanctions.
Corporate Responsibility
• Assigns the responsibility to the audit committee to appoint, compensate, and oversee the public accounting firm that performs the audit.
• Requires CEO and CFO to:
  – Certify fairness of financial statements.
  – Take responsibility for disclosure controls.
• Makes it unlawful to fraudulently influence, coerce, or mislead an auditor.
• Provides for the forfeiture of certain compensation following the issuance of a “non-compliant” financial document.
• Provides the SEC with greater flexibility to remove management or board members.
• Requires attorneys to report evidence of material violations.
Corporate Responsibility (continued)
• Section 301: Public Company Audit Committees
  – Companies that are not compliant with SEC audit committee requirements are subject to delisting.
  – Audit committees are responsible for oversight of auditors including the resolution of disagreements between management and auditors.
  – Audit committees must set up procedures to receive and address “whistle-blower” complaints.
  – Employees and others may take concerns directly to the audit committee.
  – Audit committee members are required to be independent, and a disclosure is required in proxy statements.
Enhanced Financial Disclosures
• Requires disclosure of material off balance sheet arrangements.
• Prohibits companies from making loans to directors or executives.
• Requires management to establish and maintain adequate internal controls and procedures for financial reporting.
• Requires disclosure of a code of ethics for senior financial officers.
• Requires companies to disclose whether at least one of the audit committee members is a financial expert.
• Requires rapid disclosure of changes in financial condition.
Enhanced Financial Disclosures (continued)
• Section 404: Management Assessment of Internal Controls
  – Requires management to establish and maintain adequate internal controls and procedures for financial reporting.
  – Requires that each annual report includes a statement:
    • Describing management’s:
      – Responsibility for internal controls and procedures for financial reporting.
      – Assessment of the effectiveness of the controls and financial reporting procedures.
    • Incorporating the independent auditor’s review of management’s assessment of internal controls and financial reporting procedures.
Enhanced Financial Disclosures (continued)
  – Related SEC releases define internal controls and procedures for financial reporting as controls that provide reasonable assurances that:
    • Transactions are properly authorized.
    • Assets are safeguarded against unauthorized or improper use.
    • Transactions are properly recorded to permit the preparation of financial statements that are presented in a manner consistent with GAAP.
  – To meet the assessment requirement, management must select a suitable, recognized framework for assessing the effectiveness of internal controls.
Impact on Vendors
SOX Is About Business Practices
• SOX has implications for most business practices and processes of publicly traded companies.
  – Any errors or misstatements that could cause a company to have to restate its financials are areas that require focus.
  – Systems and processes must be in place to administer the pricing, services, and discounts.
  – Visibility and control must ensure that pricing and costs are captured accurately and on a timely basis.
  – Pricing services and discount processes often have the most people involved and represent the largest risk area.
• Combined implications create a very large potential for misstated financial results and SOX scrutiny, sanctions, and bad press.
Impact on Vendors
SOX Impact
• Skyrocketing SOX implementation costs:
  – Have put high-tech companies in the position of having to delay major projects.
  – Force companies to struggle to compete with low-cost competition from Asia.
• The SOX impact is more than technical, more than analytical, more than financial:
  – SOX places a burden of responsibility on all employees, not just the accountants.
  – SOX impacts IT priorities and “To do” list.
  – SOX will impact the role of IT in its users’ business and data.
  – SOX will challenge any IT organization whose culture is one of containment.
Impact on Vendors
SOX Requirements
• Companies must ensure that:
  – Bad news is reported upwards.
  – IT project definitions include potential financial impact.
• Ignoring problems is not allowed under SOX.
• Different sections of the act are driving or will drive changes in the financial organization.
  – Sections 302 and 404.
    • Process mapping.
    • Systematic remedies.
    • Process changes.
    • Collaboration and teaming.
  – Section 409.
    • Systematic remedies.
    • Major process changes.
Impact on Vendors
Compliance Process
Control Activities
Policies/procedures that ensure management directives are carried out.
Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
Monitoring
Assessment of a control system’s performance over time.
Combination of ongoing and separate evaluation.
Management and supervisory activities.
Internal audit activities.
Control Environment
Sets tone of organization, influencing control consciousness of its people.
Factors include integrity, ethical values, competence, authority, responsibility.
Foundation for all other components of control.
Information and Communication
Pertinent information identified, captured and communicated in a timely manner.
Access to internal and externally generated information.
Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action.
Risk Assessment
Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.
Impact on Agencies
The World Has Changed
• Agencies may experience direct impact.
  – Correctional industries that are public organizations are directly impacted.
    • These organizations must comply.
  – Titles I, III, and IV establish practices and standards that most auditing organizations, including government auditors, follow.
• Agencies will experience indirect impact:
  – Contractors working with agencies will be required to comply.
    • Internal reporting will increase.
    • Time to complete and project status are significant elements in contractor risk management efforts.
    • Payment and contract issues will center on SOX compliance and may limit previous flexibility.
  – Costs will go up as companies cope with SOX costs.
Impact on Agencies
Audit Guidance
• The implication of Title I is that now there are three audit standards-setting bodies in the United States.
  – PCAOB, which sets audit standards for publicly traded companies.
  – Auditing Standards Board of the American Institute of Certified Public Accountants, which sets standards for privately held companies and not-for-profit organizations.
  – U.S. General Accounting Office, which sets standards for federal, state, and local governments through the Yellow Book.
Impact on Agencies
Government Auditors
• Although SOX affects corporate auditing and internal controls, the impact on government auditors is as follows:
  – Government auditors should encourage good governance practices with the entities they audit.
  – Government auditors have a unique responsibility to ensure accountability for public resources and government services.
  – The fundamental role of government auditors should remain clear and unchanged – provide assurance.
Impact on Agencies
Noncompliance
• While most corrections agencies and their activities do not fall directly under SOX, reasonable effort should be made to modify processes to comply.
• Where compliance is required, noncompliance can result in criminal investigation to determine whether:
  – Information was transmitted by mail.
  – Information was withheld from investigators.
  In these cases, felony charges can be brought.
• In other cases, agencies may be ordered to comply with auditor statements and requirements that:
  – Add expensive processes with no additional funding source.
  – Add reporting requirements not otherwise necessary.
Future Impact
SOX Is Likely to Grow
• The results of SOX, both positive and negative, have led to several discussions on expanding the scope of SOX.
  – Congress is reviewing options to expand to nonprofits to reduce scandals like that of the United Way several years ago.
  – Congress is also examining the reporting of privately held companies.
  – The Government Accounting Office is reviewing procedures for government agencies.
  – Additional rules in support of SOX and auditing process are under review or in draft form.
• State and local governments are revising policies and in a few cases, legislation, to require SOX-like activity reporting.
Future Impact
Getting a Handle on SOX
• Many auditors and accounting professionals offer programs to assess SOX compliance that provide:
  – Reports on areas of concerns.
  – Recommended changes.
  – Programs that align an organization’s practices to comply with SOX.
• All CFOs and agency budget officers should conduct reviews of internal governance and compliance.
  – Focus on financial and audit process understanding.
  – Whistle-blower protections.
• Key leaders should monitor SOX as well as state and local policy changes.