Sarbanes Oxley Act (Sox)
Corporate and Auditing Accountability, Responsibility and Transparency Act of 2002
Rick Stephan Hayes, Ph.D., CPA
California State University at Los Angeles
Reasons for New Legislation
Objectives
• In response to the Arthur Andersen, Enron and WorldCom debacle, the Sarbanes-Oxley Act seeks to:
– Restore the public confidence in both public accounting and publicly traded securities
– Assure ethical business practices through heightened levels of executive awareness and accountability
Congressional Votes
• Sarbanes-Oxley Act
• Yes 522
• No 3
• Not voting 9
Authorizing Force against Iraq
Yes 373
No 156
Not voting 12
Legalizing Marijuana**
Yes 93
No 310
Not voting 31
**House of Representatives only
Securities Litigation Reform Act
Yes 387
No 130
Not voting 15
Criminal Penalties
• Escaping from prison 1 to 2 years
• Kidnapping involving ransom 3 to 5 years
• Second degree murder 11 to 14 years
• Air piracy 20 to 25 years
• Sarbanes-Oxley Certification 10 to 20 years
The Sarbanes-Oxley Act
An Overview
SOX: Who is affected and how?
• Executives:
– Responsibility for financial reporting and keeping the markets informed
– Certifications:
- 302 “Disclosure controls & procedures”
- 404 “Internal controls for financial reporting”
- 906 “CEO/CFO’s written statement on fairness”
– Implement Code of Ethics and whistleblower procedure
• Supervisory Board:
– Enhanced oversight
– Appointment of a “financial expert”
• Auditors:
– Independence
– Attestation on internal controls
Definition of “internal control over financial reporting”:
- Encompasses subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives
- Including controls over safeguarding assets
Titles of the Act
I. Public Company Accounting Oversight Board
II. Auditor Independence
III. Corporate Responsibility
IV. Enhanced Financial Disclosures
V. Analyst Conflicts of Interest
VI. Commission Resources and Authority
VII. Studies and Reports
VIII. Corporate and Criminal Fraud Accountability
IX. White Collar Crime Penalty
X. Corporate Tax Returns
XI. Corporate Fraud and Accountability
Establishes audit governing board………
TITLE I – PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD
• Creation of the Public Company Oversight Board (the Board)
Created as a non-profit organization, the 5 member Board oversees audits of public companies; it is under the authority of the SEC but above other professional accounting organizations such as the AICPA
General Provisions of SOx
o PCAOB To make rules governing audits of public companies
o PCAOB To oversee audits and audit firms
o PCAOB independent of Federal Government
o PCAOB Self-funded through fees assessed on CPA firms and publicly traded companies
o Regulations not applicable to Not For Profit or some foreign listed companies
PCAOB Governing Members
o Five Members, three of whom must NOT be CPAs
o If the chair is a CPA, that person must be out of the business of auditing for the prior 5 years
PCAOB’s Duties
o Write audit standards, temporarily they have adopted the AICPA’s
o Register public CPA firms to do audits
o Set Quality Control standards for audits
o Do peer reviews of CPA firms – at least every three years
o Investigate and discipline
o Set Continuing Professional Education requirements for auditors
o Review company disclosures and financial statements at least every three years
PCAOB’s Audit Standards
• PCAOB has passed 15 audit standards as of December 2010.
• They also enforce as “temporary standards” the existing audit standards by the Audit Standards Board called Statements of Audit Standards (SAS)
PCAOB’s Audit Standards (Not in Text)
• AS No. 1: References in Auditors’ Reports to the Standards of the Public Company Accounting Oversight Board
• AS No. 3: Audit Documentation
• AS No. 4: Reporting on Whether a Previously Reported Material Weakness Continues to Exist
• AS No. 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements
• AS No. 6: Evaluating Consistency of Financial Statements
• AS No. 7: Engagement Quality Review
PCAOB’s Audit Standards (Not in Text)
• AS No. 8: Audit Risk
• AS No. 9: Audit Planning
• AS No. 10: Supervision of the Audit Engagement
• AS No. 11: Consideration of Materiality in Planning and Performing an Audit
• AS No. 12: Identifying and Assessing Risks of Material Misstatement
• AS No. 13: The Auditor's Responses to the Risks of Material Misstatement
• AS No. 14: Evaluating Audit Results
• AS No. 15: Audit Evidence
Can’t do other types of work for clients, including:
– Bookkeeping
– Systems design
– Valuation services
– Actuarial services
– Internal audit
– Management functions
Other work needs pre-approval by audit committee
Can’t do audit if CEO, CFO from their firm, 1 year wait period
TITLE II – AUDITOR INDEPENDENCE
TITLE II (cont.)
A conflict of interest arises and a Registered Public Accounting Firm (RPAF) may not perform audit services for any issuer employing – in the capacity of CEO, controller, CFO or any other equivalent title – a former audit engagement team member. There is a “cooling-off period” of one year, i.e., an employee of an RPAF who works on an audit of an issuer may not turn around and directly go to work for that issuer – they must wait one year
Provisions for Audit firms
• Maintain audit papers for 7 years
• Managing Partner rotation every 5 yrs.
• Second partner rotation every 5 yrs.
• Audit manager rotation every 7 years
• Reports to audit committee
– All material deficiency findings
• Disclose fees for all types of services in proxy statement
• Review disclosures of firm
• Attest to Internal Control of firm
CPAs Report to Audit Committee
• All critical accounting policies
• Alternate treatments
• Internal Control findings
• Engagement letter
• Independence letter
• Management representation letter
• Material weaknesses
SOx requires every public accounting firm to use quality control policies relating to
(i) monitoring of professional ethics and independence from entities on which the firm issues audit reports;
(ii) consultation within the firm on accounting and auditing questions;
(iii) supervision of audit work;
(iv) hiring, professional development, and advancement of personnel;
(v) the acceptance and continuation of audit engagements;
(vi) internal inspection
TITLE III – CORPORATE RESPONSIBILITY
Audit Committee (committees est. by the board of a company for the purpose of overseeing financial reporting) Independence
Establishes minimum independence standards for audit committees
Independence of the audit committee crucial in that it must (1) oversee and compensate RPAF to perform audit, and (2) establish procedures for addressing complaints by the issuer regarding accounting, internal control, etc. (this lays the foundation for anonymous whistleblowing)
CEOs and CFOs must certify in any periodic report the truthfulness and accurateness of that report – creates liability
Under certain conditions of re-statement of financials due to material non-compliance, CEOs and CFOs will be required to forfeit certain bonuses and profits paid to them as a result of material mis-information
SUMMARY OF SARBANES OXLEY PROVISIONS AFFECTING DIRECTORS, CEOs AND CFOs
• Listed company audit committee independence requirements and responsibilities (Section 301)
• CEO and CFO financial statement-related certifications (Sections 302 and 906)
• Unlawful for any officer or director or person acting under the direction thereof to fraudulently influence, coerce, manipulate or mislead any independent accountant engaged to audit the financial statements of an issuer for purposes of rendering the financial statements materially misleading (Section 303)
• If there is a material restatement of an issuer’s reported financial results due to the material noncompliance of the company, as a result of misconduct, the CEO and CFO shall reimburse the issuer for any bonus or incentive or equity-based compensation received within the 12 months following the filing with the financial statements subsequently required to be restated (Section 304)
SOx Company Audit Committee
• Under SOx Sec 301 public company audit committees are directly responsible for the appointment, compensation, and oversight of the work of any registered public accounting firm employed by their company (including resolution of disagreements between management and the auditor regarding financial reporting).
• Audit firm reports directly to the audit committee. Auditors may also have to discuss accounting complaints with the Audit Committee.
Audit Committee
Independent Directors
Audit committee members should not receive fees other than for board service and should not be an “affiliated person” of the company.
Financial Expert
At least one member of its audit committee must be a "financial expert" (expertise in US GAAP).
Auditor Oversight
Responsible for oversight of external reporting, internal controls and auditing, and the appointment and compensation of the auditor.
Whistle-Blower Communications
Confidential and anonymous submissions by employees.
Corporate Provisions
• Corporate Officers
– Can’t influence audit
– No stock transactions during blackout periods when employees cannot trade
– In pro-formas, no material untrue statements, reconciliation and equality with GAAP
– No officer loans
– File any trading information within two business days
– Code of ethics
– Disclose off-balance sheet financing
– Disclose any non-GAAP financial measures
SOX: Section 302 certification
Section 302 requires:
– Quarterly certification by the CEO / CFO regarding the completeness and accuracy of quarterly reports as well as the nature and effectiveness of disclosure controls and procedures (DC&P) supporting the quality of information included in such reports
Actions:
– Enhance DC&P assessment and turn into consistent and continuous process
– Ensure coverage of entire organization (incl. all material subsidiaries)
– Embed into regular review and monitoring processes
Corporate Provisions
• Corporate Officers
– Certify that they have
• Reviewed the reports
• Reviewed internal control
• Certify that there are no material weaknesses
• Certify that there is no fraud
• Report fairly presents the financial condition of the company
Management Responsibility for Audit Report - SOx
SOx requires that the principal executive officer or officers and the principal financial officer or officers, certify in each report filed with the SEC the following:
– the signing officer has reviewed the report;
– the report does not contain any untrue statement of a material fact or omit to state a material fact;
– the financial statements, and other financial information, fairly present in all material respects the financial condition of the company;
– the signing officers
• are responsible for establishing and maintaining internal controls;
• have evaluated the effectiveness of the company’s internal controls; and
• have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation;
Requires that the principal executive officer or officers and the principal financial officer or officers, certify in each report filed with the SEC the following:
– the signing officers have disclosed to the company’s auditors and the audit committee of the board of directors —
• all significant deficiencies in the design or operation of internal controls which could adversely affect the company’s ability to record, process, summarize, and report financial data and have identified for the company’s auditors any material weaknesses in internal controls; and
• any fraud, whether or not material, that involves management or other employees who have a significant role in the company’s internal controls;
Corporate Responsibility for Audit Report under SOx (cont.)
SOX: Section 404 Assessment
– Management’s assessment must be based on procedures sufficient both to evaluate design and test operating effectiveness
– Management must maintain evidential matter, including documentation, to provide reasonable support for the assessment (both design and testing) of effectiveness
– Any material weakness in internal control over financial reporting precludes management from reporting that internal control is effective
• Reiteration of guidance regarding independence:
• Auditors may assist management in documenting internal controls.
• Management must be actively involved in the process; cannot delegate assessment responsibility to the auditor
SOX: Meeting SEC Expectations
– Compliance with COSO control standards (or other accepted standards; IT Governance Institute recently recommended CobiT for general IT controls assessment)
– Clear documentation of internal controls as well as the testing processes
– Evidence that management have evaluated the adequacy of the design and the effectiveness of operation of the procedures and controls
– Evidence that the auditor has adequately evaluated the design and operation of financial controls
– Evidence that the audit committee and/or disclosure committee have taken a keen interest in the effectiveness of controls
TITLE V – ANALYST CONFLICTS OF INTEREST
• National Securities Exchanges and registered securities associations must adopt rules designed to address conflicts of interest that can arise when securities analysts recommend securities in research reports
– To improve objectivity of research and provide investors with useful and reliable information
TITLE VIII – CORPORATE AND CRIMINAL FRAUD ACCOUNTABILITY
• To knowingly destroy, create, manipulate documents and/or impede or obstruct federal investigations is considered a felony, and violators will be subject to fines or up to 20 years imprisonment, or both
• All audit reports or related workpapers must be kept by the auditor for at least 5 years – PCAOB AS 3 says 7 years.
• Whistleblower protection – employees of either public companies or public accounting firms are protected from employers taking actions against them, and are granted certain fees and awards (such as Attorney fees)
Penalties
General penalties
– If alter, destroy, cover-up or falsify documents with objective to hinder investigation – fines and up to 20 years
TITLE IX – WHITE-COLLAR CRIME PENALTY ENHANCEMENTS
• Financial statements filed with the SEC by any public company must be certified by CEOs and CFOs; all financials must fairly present the true condition of the issuer and comply with SEC regulations
– Violations will result in fines less than or equal to $5 million and/or a maximum of 20 years imprisonment
• Mail fraud/wire fraud convictions carry 20 year sentences (previously 5 year sentences)
• Anyone convicted of securities fraud may be banned by SEC from holding officer/director positions in public companies
Penalties – Corporate Officers
• Give back to firms any bonuses, incentive compensation or equity based compensation earned within 12 months
• Give back profit on sales during blackout period
• False certification - $1m and up to 10 yrs.
• Willful false cert. - $5 m and up to 20 yrs.
• Company can hold up any payments to officers
Penalties
Audit firms
– Temporary suspension from industry
– Temporary or permanent revocation of license
– Can’t go to another firm if suspended or license revoked
– Fines of up to $100,000 personal for each violation, firm up to $2 m
– If intentional up to $750,000 personal, firm up to $15 m
– Destroy working papers within 5 years – fine and up to 10 years.
TITLE X – CORPORATE TAX RETURNS
Federal income tax returns must be signed by the CEO of an issuer
TITLE XI – CORPORATE FRAUD ACCOUNTABILITY
Destroying or altering a document or record with the intent to impair the object’s integrity for the intended use in a securities violation proceeding, or otherwise obstructing that proceeding, will be subject to a fine and/or up to 20 years imprisonment
The SEC has the authority to freeze payments to any individual involved in an investigation of a possible security violation
Any retaliatory act against whistleblowers or other informants is subject to fine and/or 10 year imprisonment