
SOX - Review of Key Provisions

Date post: 26-Dec-2015
Upload: ziqiao-chen
Sarbanes-Oxley Act of 2002: Overview of Sections Relevant to Management and Auditors

WHY SOX?

- Enron
- Global Crossing
- WorldCom
- Adelphia
- HealthSouth
- Tyco
- Xerox
- Computer Associates
- And many others...

WHY SOX?

Consider this:
- Earnings restatements by public companies prior to 2001:
  - 1990-97: 49
  - 1998: 91
  - 1999: 150
  - 2000: 156
- 10% of all public U.S. companies restated their financials at least once between 1997 & 2000
- HealthSouth overstated earnings by $4.6 billion
- Adelphia hid >$11 billion in debt
- Global Crossing hid $12.4 billion in debt

WHY SOX?

Consider this:
- Tyco’s accounting fraud cost investors $100 billion
- Xerox overstated revenue by $6.4 billion
- Enron stock price dropped from around $90 at the beginning of 2001 to less than $1 at the end
- NASDAQ companies wiped out $148 billion in profits between 1995 and 2000
- Stock wealth collapsed by 6 trillion dollars with the collapse of the dot.com bubble

WHY SOX?

The underlying issues of concern common to all these that triggered the need for drastic reform were:

- Earnings management
- Audit deficiencies
- Lack of auditor independence
- Ineffective audit committees
- Securities fraud
- Insider trading
- Corrupt tone at the top
- Internal control deficiencies

Sarbanes-Oxley Act of 2002 - Overview

The Sarbanes-Oxley Act of 2002 is intended to expand corporate governance, increase public confidence in financial reporting information and strengthen our capital markets systems.

It’s the most significant securities law change since the original Securities Acts of 1933 & 1934.

The Act is resulting in sweeping changes in:

√ Corporate responsibilities of management and audit committees
√ Financial disclosures
√ Independence of auditors and audit committees
√ Oversight of public companies and auditors

Enacted July 30, 2002

SOX – Key Provisions

A. Creation of PCAOB

B. Requirements for senior financial officers to certify SEC filings and report on internal controls

C. New Standards for audit committee and auditor independence

D. Enhance financial disclosure requirements

E. Protection for corporate whistleblowers

F. Enhanced penalties for white-collar crime

A. Creation of PCAOB

- Private, non-profit corporation, funded by:
  - Accounting Support Fees charged to issuers
  - Registration & Annual Fees paid by public accounting firms
- SEC appoints Board members and exercises oversight and enforcement authority over it
- Responsibilities:
  - Register public accounting firms that audit publicly traded companies (mandatory; includes foreign accounting firms who audit companies listed on an American stock exchange).
  - Establish or adopt auditing, quality control, ethics, independence, and other standards relating to audits of publicly traded companies.
  - Inspect registered public accounting firms (annual for firms with more than 100 public company audits; every three years for others).
  - Investigate registered public accounting firms and their employees, conduct disciplinary hearings, and impose sanctions where justified.
  - Other as necessary and to enforce compliance with Sarbanes-Oxley Act.

Question - Can the PCAOB issue accounting standards?

EXERCISE

Go to the PCAOB website (http://www.pcaob.com/), locate a recent inspection report and consider the following:
- What parts of the report are public vs. non-public?
- When do the non-public parts become public?
- Peruse the report:
  - What are some of the key functional areas (and their respective objectives) reviewed by the PCAOB?
  - Identify 3 findings/deficiencies that surprised you most
  - Does it contain a letter of response from the firm? How would you characterize the tone of that letter?

B. Requirements for senior financial officers to certify SEC filings and report on Internal Controls

CEO and CFO must personally certify annual and quarterly SEC filings, and may not delegate this responsibility to subordinates and then claim ignorance when fraud is uncovered.

2 separate certifications:
- Section 302
- Section 906

Annual report on internal controls over financial reporting – section 404 (discussed later on in detail)

Exercise

Select a company, go to Edgar (http://www.sec.gov/edgar.shtml), and find the certification(s):
- With 10K and/or 10Q?
- Are 302 and 906 separate?
- What are they certifying?

B. Requirements for senior financial officers to certify SEC filings and report on Internal Controls

Section 302—CEO and CFO must personally certify the following:
- They have personally reviewed the report.
- Based on their knowledge, the report does not contain any material misstatements or omit any material facts.
- Based on their knowledge, the financial information fairly represents in all material respects the financial condition, results of operations, and cash flows for the company.
- They are responsible for designing, maintaining, and evaluating the company’s disclosure controls & internal controls over financial reporting, they have evaluated the controls as of period end, and they have presented their conclusions about the effectiveness of those controls in the report.
- They have disclosed to the (external) auditors and the audit committee:
  - all significant deficiencies and identified any material weaknesses in the internal control over financial reporting and
  - any fraud, whether material or not, that involves management or other employees who have a significant role in the company’s internal control over financial reporting.
- They have indicated in their report whether there have been significant changes in the company’s internal controls since the filing of their last report.

Required for all periodic reports, even if they don’t contain financial statements

B. Requirements for senior financial officers to certify SEC filings and report on Internal Controls

Section 906—“Criminal certifications.”
- To accompany reports that contain financial statements
- Certification indicates that report fully complies with SEC’s requirements in that it fairly represents, in all material respects, the financial condition and result of operations for the company.
- Penalties: Corporate officers who
  - Knowingly violate the certification requirements are subject to up to a $1,000,000 fine and up to 10 years’ imprisonment, or both.
  - Willfully violate the certification requirements are subject to a fine of up to $5,000,000 and up to 20 years’ imprisonment, or both.
- Both the 302 & 906 certifications must be in prescribed format (except for certifications accompanying amended filings – would cover only information in the amendment)

B. Requirements for senior financial officers to certify SEC filings and report on Internal Controls

Section 404 requires that:

A. Management report on their internal controls over financial reporting in their annual report

B. External auditors issue their opinion on the company’s internal controls

Exemptions to Part B (JOBS Act of 2012):
- All companies with market capitalization <$700 million
- Start-up companies – for the first 5 years (or until their market capitalization reaches $700 million)

C. Section 301--Audit Committee

Section 301—Audit committee responsible for appointing, compensating and overseeing work of external auditors.

Act also mandates auditors to report to audit committee—not management—and makes it responsibility of audit committee to resolve disputes between management and auditors.

Establish whistle blowing structure—Must establish procedures (e.g., a hotline) for receiving and dealing with complaints and anonymous employee tips regarding irregularities in the company’s accounting methods, internal control, or auditing matters.

C. Section 301--Audit Committee (ctd)

Composition of audit committee
- Each member must be “independent”
  - Cannot be paid for any other consulting or advisory work.
- Must include at least one Financial Expert
  - Typically refers to individuals with several years of experience as auditors, CFOs, controllers and/or CEOs.
- A review of one company’s audit committee charter: http://www.microsoft.com/about/companyinformation/corporategovernance/committees/audit.mspx

Section 303

Section 303—Unlawful for any officer or director of a public company to fraudulently influence, coerce, manipulate, or mislead CPA in performance of audit for the purpose of rendering such financial statements materially misleading

Note--This is important, as subsequently the SEC operationalized it quite broadly.

SEC Implementation of 303

This applies not only to officers and directors, but also “any other person acting under the direction of” those individuals.

As indicated, the SEC interprets this “direction of” very broadly--it may include, for example:
- Other lower level employees not necessarily under supervision of that particular employee
- Customers or vendors who enter into side agreements and do not report them to auditor or who misstate confirmations
- Other CPA firm personnel (e.g., consultants), attorneys, securities professionals, etc.

SEC Implementation of 303

SEC examples of improper influence on auditor:
- Bribes, other financial incentives, offering future employment
- Providing auditor inaccurate or misleading legal analysis
- Threatening to cancel non-audit or audit engagements if the auditor objects to the issuer’s accounting
- Seeking to have a partner removed because the partner objects to the issuer’s accounting
- Blackmailing
- Physical threats

How independent were the auditors, anyway?

Source: 2001 SEC Study of Audit Fees and NonAudit Fees—563 of Fortune 1000

Audit Fees
- Range: $121,000 to $48,000,000
- Mean: $2,175,724
- Median: $1,059,000
- As a percent of revenues:

  Company sales                 % of Sales
  <$2 Billion                   .0473
  $10 Billion to 15 Billion     .0305
  >$30,000,000                  .0155

NonAudit Services Fees
- Mean: 2.7 times the audit fee (73% nonaudit fees, 27% audit fees)
- Range: 0 to 32.33 times audit fee

IT NonAudit Services
- 126 of the 563 purchased
- Highest = $46,800,000

C. New standards for auditor independence

Section 201 prohibits the following:
- Bookkeeping or other services related to the accounting controls or financial statements of the audit client.
- Financial information systems design and implementation.
- Appraisal or valuation services (e.g., pension, post-employment benefit liabilities)
- Actuarial services.
- Internal audit outsourcing.
- Management functions or human resources.
- Providing various investment services.
- Legal services.
- Any other service the PCAOB prescribes.

C. New standards for auditor independence

- Section 202—Other nonaudit services must generally be pre-approved by the audit committee.
- Section 203—requires CPA firms to rotate lead audit partner and partner responsible for reviewing audit:
  - lead audit partner every 5 years (5 on, 5 off);
  - quality review partner to rotate 7-2-7;
  - Note: Firm rotation not required
- Section 204—Audit firm reports to audit committee:
  - All critical accounting policies and practices to be used.
  - Alternative treatments that have been discussed with management, ramifications of their use, and the treatment preferred by the CPA firm
  - Other material written communications between the CPA firm and management, such as any management letter or schedule of unadjusted earnings.

C. New standards for auditor independence

- Section 205—pass--definitional issues
- Section 206—unlawful for CPA firm to audit company if, within prior year, the client’s CEO, CFO, controller or chief accounting officer worked with CPA firm and participated in company’s audit.
- Section 207—Comptroller General of US (Head of GAO) to conduct a study of mandatory rotation of firms

D. Enhance financial disclosure requirements

- Off-Balance Sheet transactions—must be disclosed
- Pro Forma Financial Information—SEC issued Reg. G requiring reconciliation of pro forma financial statements to GAAP-based statements.
- Prohibitions on personal loans to executives (Note: Tyco & Adelphia Communications CEOs looted their respective companies via undisclosed loans from the company that were never intended to be repaid)
- Restrictions on insider trading - most transactions by insiders must be filed electronically with the SEC within 2 business days; also, companies must post this on their website by the end of the business day & disclose violators in their annual statements:
  - Review a company’s filing on the SEC’s Edgar website (http://www.sec.gov/edgar/searchedgar/companysearch.html); was the filing timely?

D. Enhance financial disclosure requirements (continued)

- Section 406—Code of ethics for senior financial officers
  - Must disclose whether they have one, and if not, why
  - Must disclose publicly when changes to or waivers from it are made.
  - 10K, item 10
- Section 408—SEC enhanced review of periodic filings – at least every 3 years
- Section 409—Must disclose material changes in financial conditions or operations in “plain English”
- SEC is studying feasibility of real-time disclosure; towards that end:
  - 10K & 10Q deadlines shortened for “Accelerated Filers”:
    - Large Accelerated Filers (with public float >= $700 million):
      - 10K - 60 days for reports filed in 2006 and thereafter
      - 10Q - 40 days for reports filed in 2006 and thereafter
    - Accelerated Filers (with public float >$75 million but <$700 million):
      - 10K - 75 days for reports filed in 2006 and thereafter
      - 10Q - 40 days for reports filed in 2006 and thereafter
  - 8Ks to be filed within 4 days of occurrence of significant event - 8K triggering events increased from 12 to 22 (see blank form at http://www.sec.gov/about/forms/sec873.pdf)

The Case for Employee hotlines

E. Protection for corporate whistleblowers

Section 806—Civil liability for companies that retaliate against whistleblowers
- It is unlawful to fire, demote, suspend, threaten, harass, or in any other manner discriminate against an employee for providing information or aiding in an investigation of securities fraud.
- News item - Judge Orders Reinstatement for First Sarbanes-Oxley Whistleblower

E. Protection for corporate whistleblowers

Section 1107—Criminal liability for companies that knowingly, with intention to retaliate, take any harmful action against a person for providing truthful information relating to the commission or possible commission of any federal offense.
- Covers all individuals regardless of where they work (i.e., not just publicly traded companies)
- Punishments include fines up to $250,000 and up to 10 years in prison.

F. Enhanced penalties for white-collar crime

- Attempt and conspiracy—“attempt” and “conspiracy to commit” have same penalties as offense itself.
- Mail fraud and wire fraud—Maximum jail term changes from 5 to 20 years.
- Securities fraud—Section 807 makes securities fraud a crime with fines up to $250,000 and up to 25 years in prison (note: Bernie Ebbers, age 63, of WorldCom was sentenced to 25 years in July 2005)
- Document destruction—Section 802 makes destroying evidence to obstruct an investigation illegal and punishable by a fine up to $250,000 and 20 years in prison.

F. Enhanced penalties for white-collar crime

- In general working papers must be kept 7 years.
- Section 1102 makes it a criminal offense to corruptly alter, destroy, mutilate or conceal a record or document with intent to impair its integrity or use in an official proceeding.
- Freezing of assets—SEC can petition a federal court to issue a 45 day freeze on “extraordinary payments” to officers, directors, partners, agents, controlling persons or employees (e.g., Gemstar’s severance payments to former CEO & CFO were recently frozen while the company is under investigation).
- There are also penalties addressing the freezing of assets of those accused, modifications of bankruptcy code rules, and disgorgements of bonuses under various circumstances.

Sarbanes-Oxley Act of 2002: Implications

Accounting Reform – SOX Implications

- End of the self-regulation era for accountants
- Audit firms spun off their consulting branches and returned to their roots – audit & tax
- Several companies purchasing audit and tax from separate firms (though not required, done to enhance the appearance of independence)
- Partner rotation requirement reduces partner dependency on specific clients for their livelihood
- Board of directors will be kept more in the loop with direct communications from auditors (e.g., AA would have had to inform audit committee about Enron’s Special Purpose Entities set up to move debt off balance sheet)
- One-year cooling off period for future employment may practically translate to 2 years
- Audit Firms disciplined:
  - EY given 6-month ban in 2004 in connection with Computer Associates independence issues
  - In September 2005, KPMG put on a 9-month probationary period in connection with the abusive tax shelters they aggressively marketed; former SEC chief Richard Breeden to oversee probation

Corporate Responsibility & Governance – SOX Implications

- Federal influence over corporate governance (traditionally in the states’ domain)
- Audit committees are now entirely independent and very powerful
- A large number of CEOs have either resigned or been forced out by audit committees
- Directors are spending 50% more time now than before
- Greater responsibilities generally translate to greater liabilities for audit committee members
- Greater personal legal liability on CEOs & CFOs; since SOX, some executives have resigned rather than sign off on financial statements or internal controls

Corporate Responsibility & Governance – SOX Implications

- Corporate officials less aggressive in their confrontations with auditors
- CEOs & CFOs (only) to reimburse any bonus, incentive-based compensation & trading profits received during the 12 months after misleading financial statements were issued
- Mere “unfitness” sufficient for SEC to bar individuals from ever serving as directors or officers of public companies
- Directors and executive officers prohibited from trading in company securities during pension plan blackout period; disgorgement of all profit realized in violation of this rule

Other SOX Implications

Section 404 has greatly increased the cost of being a public company, though most of the increase could be attributed to first-year implementation

Many companies have reported significant cost savings because new controls revealed inefficiencies or frauds that were previously undetectable

Retired CFOs and auditors have become hot tickets for board of director positions

8K filings expected to increase from an annual average of 80,000 to 140,000

SOX 404 IMPACT

Percentage of adverse Section 404 auditor attestations declined every year from 2004 through 2009:
- 2004 – 16.9%
- 2005 – 10.3%
- 2006 – 9.1%
- 2007 – 7.7%
- 2008 – 5%
- 2009 – 2.8%

For companies who are exempt from auditor attestations (only management assessment required), the percentage of adverse assessments regarding internal controls was 28%

“Segregation of Duties” problems were found in 23.9% of the adverse filings in 2004, but only 11% of adverse filings in 2009.

Source: Audit Analytics, a Sutton, MA, consulting and research firm

