
Sarbanes-Oxley Act.pptx

Date post: 19-Dec-2015
Upload: eunike

Sarbanes-Oxley Act

What is Sarbanes-Oxley

• Drafted by Sen. Paul Sarbanes and Rep. Michael Oxley
  – Signed into law 7/30/02
• A reaction to high-profile corporate fraud cases
  – Enron
  – WorldCom
• Intended to prevent similar situations by
  – Creating and strengthening corporate controls
  – Requiring enhanced financial disclosures
  – Creating new standards for corporate accountability
  – Creating new penalties for acts of wrongdoing

SOx

The Sarbanes-Oxley Act of 2002
United States federal law
Major corporate and accounting scandals
Act’s key provisions:
– PCAOB (Public Co. Accounting Oversight Board)
– Auditor independence
– Corporate governance
– Enhanced financial disclosures

The Objective

Objectives – Internal controls should be designed to provide reasonable assurance on:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with laws and regulations

The Company’s SOx process narratives and testing of key controls are to support the reliability of our financial reporting.

The Scope of the Act

• The scope of the act focuses on:
  – Internal controls.
    • Process.
    • Policies.
    • Activities.
  – Compliance and reporting.
    • Transparency.
    • Accuracy.
  – Governance.
    • Accountability.
    • Responsibility.
    • Avoidance of conflict of interest.

The Details of Act

Title I Public Company Accounting Oversight Board
Title II Auditor Independence
Title III Corporate Responsibility
Title IV Enhanced Financial Disclosures
Title V Analyst Conflicts of Interest
Title VI Commission Resources and Authority
Title VII Studies and Reports
Title VIII Corporate and Criminal Fraud Accountability
Title IX White-Collar Crime Penalty Enhancements
Title X Corporate Tax Returns
Title XI Corporate Fraud and Accountability

Public Company Accounting Oversight Board

• Established by SOX.
• Nonprofit agency.
• Responsibilities:
  – Register and inspect public accounting firms.
  – Establish standards for public accounting firms.
  – Enforce compliance with the act and rules of the board.
  – Investigate firms and impose sanctions.

Corporate Responsibility

• Assigns the responsibility to the audit committee to appoint, compensate, and oversee the public accounting firm that performs the audit.
• Requires CEO and CFO to:
  – Certify fairness of financial statements.
  – Take responsibility for disclosure controls.
• Makes it unlawful to fraudulently influence, coerce, or mislead an auditor.
• Provides for the forfeiture of certain compensation following the issuance of a “non-compliant” financial document.
• Provides the SEC with greater flexibility to remove management or board members.
• Requires attorneys to report evidence of material violations.

Corporate Responsibility (continued)

• Section 301: Public Company Audit Committees
  – Companies that are not compliant with SEC audit committee requirements are subject to delisting.
  – Audit committees are responsible for oversight of auditors including the resolution of disagreements between management and auditors.
  – Audit committees must set up procedures to receive and address “whistle-blower” complaints.
  – Employees and others may take concerns directly to the audit committee.
  – Audit committee members are required to be independent, and a disclosure is required in proxy statements.

Enhanced Financial Disclosures

• Requires disclosure of material off balance sheet arrangements.
• Prohibits companies from making loans to directors or executives.
• Requires management to establish and maintain adequate internal controls and procedures for financial reporting.
• Requires disclosure of a code of ethics for senior financial officers.
• Requires companies to disclose whether at least one of the audit committee members is a financial expert.
• Requires rapid disclosure of changes in financial condition.

Enhanced Financial Disclosures (continued)

• Section 404: Management Assessment of Internal Controls
  – Requires management to establish and maintain adequate internal controls and procedures for financial reporting.
  – Requires that each annual report includes a statement:
    • Describing management’s:
      – Responsibility for internal controls and procedures for financial reporting.
      – Assessment of the effectiveness of the controls and financial reporting procedures.
    • Incorporating the independent auditor’s review of management’s assessment of internal controls and financial reporting procedures.

Enhanced Financial Disclosures (continued)

– Related SEC releases define internal controls and procedures for financial reporting as controls that provide reasonable assurances that:
  • Transactions are properly authorized.
  • Assets are safeguarded against unauthorized or improper use.
  • Transactions are properly recorded to permit the preparation of financial statements that are presented in a manner consistent with GAAP.
– To meet the assessment requirement, management must select a suitable, recognized framework for assessing the effectiveness of internal controls.

Impact on Vendors
SOX Is About Business Practices

• SOX has implications for most business practices and processes of publicly traded companies.
  – Any errors or misstatements that could cause a company to have to restate its financials are areas that require focus.
  – Systems and processes must be in place to administer the pricing, services, and discounts.
  – Visibility and control must ensure that pricing and costs are captured accurately and on a timely basis.
  – Pricing services and discount processes often have the most people involved and represent the largest risk area.
• Combined implications create a very large potential for misstated financial results and SOX scrutiny, sanctions, and bad press.

Impact on Vendors
SOX Impact

• Skyrocketing SOX implementation costs:
  – Have put high-tech companies in the position of having to delay major projects.
  – Force companies to struggle to compete with low-cost competition from Asia.
• The SOX impact is more than technical, more than analytical, more than financial:
  – SOX places a burden of responsibility on all employees, not just the accountants.
  – SOX impacts IT priorities and “To do” list.
  – SOX will impact the role of IT in its users’ business and data.
  – SOX will challenge any IT organization whose culture is one of containment.

Impact on Vendors
SOX Requirements

• Companies must ensure that:
  – Bad news is reported upwards.
  – IT project definitions include potential financial impact.
• Ignoring problems is not allowed under SOX.
• Different sections of the act are driving or will drive changes in the financial organization.
  – Sections 302 and 404.
    • Process mapping.
    • Systematic remedies.
    • Process changes.
    • Collaboration and teaming.
  – Section 409.
    • Systematic remedies.
    • Major process changes.

Impact on Vendors
Compliance Process

Control Activities

Policies/procedures that ensure management directives are carried out.

Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Monitoring

Assessment of a control system’s performance over time.

Combination of ongoing and separate evaluation.

Management and supervisory activities.

Internal audit activities.

Control Environment

Sets tone of organization, influencing control consciousness of its people.

Factors include integrity, ethical values, competence, authority, responsibility.

Foundation for all other components of control.

Information and Communication

Pertinent information identified, captured and communicated in a timely manner.

Access to internal and externally generated information.

Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action.

Risk Assessment

Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.

Impact on Agencies
The World Has Changed

• Agencies may experience direct impact.
  – Correctional industries that are public organizations are directly impacted.
    • These organizations must comply.
  – Titles I, III, and IV establish practices and standards that most auditing organizations, including government auditors, follow.
• Agencies will experience indirect impact:
  – Contractors working with agencies will be required to comply.
    • Internal reporting will increase.
    • Time to complete and project status are significant elements in contractor risk management efforts.
    • Payment and contract issues will center on SOX compliance and may limit previous flexibility.
  – Costs will go up as companies cope with SOX costs.

Impact on Agencies
Audit Guidance

• The implication of Title I is that now there are three audit standards-setting bodies in the United States.
  – PCAOB, which sets audit standards for publicly traded companies.
  – Auditing Standards Board of the American Institute of Certified Public Accountants, which sets standards for privately held companies and not-for-profit organizations.
  – U.S. General Accounting Office, which sets standards for federal, state, and local governments through the Yellow Book.

Impact on Agencies
Government Auditors

• Although SOX affects corporate auditing and internal controls, the impact on government auditors is as follows:
  – Government auditors should encourage good governance practices with the entities they audit.
  – Government auditors have a unique responsibility to ensure accountability for public resources and government services.
  – The fundamental role of government auditors should remain clear and unchanged – provide assurance.

Impact on Agencies
Noncompliance

• While most corrections agencies and their activities do not fall directly under SOX, reasonable effort should be made to modify processes to comply.
• Where compliance is required, noncompliance can result in criminal investigation to determine whether:
  – Information was transmitted by mail.
  – Information was withheld from investigators.
  In these cases, felony charges can be brought.
• In other cases, agencies may be ordered to comply with auditor statements and requirements that:
  – Add expensive processes with no additional funding source.
  – Add reporting requirements not otherwise necessary.

Future Impact
SOX Is Likely to Grow

• The results of SOX, both positive and negative, have led to several discussions on expanding the scope of SOX.
  – Congress is reviewing options to expand to nonprofits to reduce scandals like that of the United Way several years ago.
  – Congress is also examining the reporting of privately held companies.
  – The Government Accounting Office is reviewing procedures for government agencies.
  – Additional rules in support of SOX and auditing process are under review or in draft form.
• State and local governments are revising policies and in a few cases, legislation, to require SOX-like activity reporting.

Future Impact
Getting a Handle on SOX

• Many auditors and accounting professionals offer programs to assess SOX compliance that provide:
  – Reports on areas of concerns.
  – Recommended changes.
  – Programs that align an organization’s practices to comply with SOX.
• All CFOs and agency budget officers should conduct reviews of internal governance and compliance.
  – Focus on financial and audit process understanding.
  – Whistle-blower protections.
• Key leaders should monitor SOX as well as state and local policy changes.

Challenges & Obstacles

Computer access
Technical terms
Timing
Project Management
System
Lack of SOx Audit experience

