Sarbanes Oxley Act (Sox) Corporate and Auditing Accountability, Responsibility and Transparency Act of 2002 - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Sarbanes Oxley Act (Sox): Corporate and Auditing
Accountability, Responsibility and Transparency
Act of 2002
  • Rick Stephan Hayes, Ph.D., CPA
  • California State University at Los Angeles

2
Reasons for New Legislation
3
Objectives
  • In response to the Arthur Andersen, Enron and
    WorldCom debacles, the Sarbanes-Oxley Act seeks
    to:
  • Restore the public confidence in both public
    accounting and publicly traded securities
  • Assure ethical business practices through
    heightened levels of executive awareness and
    accountability

4
Congressional Votes
  • Authorizing Force against Iraq: Yes 373, No 156, Not voting 12
  • Securities Litigation Reform Act: Yes 387, No 130, Not voting 15
  • Sarbanes-Oxley Act: Yes 522, No 3, Not voting 9

5
Criminal Penalties
  • Escaping from prison: 1 to 2 years
  • Kidnapping involving ransom: 3 to 5 years
  • Second degree murder: 11 to 14 years
  • Air piracy: 20 to 25 years
  • Sarbanes-Oxley Certification: 10 to 20 years

6
The Sarbanes-Oxley Act: An Overview
7
SOX: Who is affected and how?
  • Executives
  • Responsibility for financial reporting and
    keeping the markets informed
  • Certifications: 302 Disclosure controls and
    procedures; 404 Internal controls for
    financial reporting; 906 CEO/CFO's written
    statement on fairness
  • Implement Code of Ethics and whistleblower
    procedure
  • Supervisory Board
  • Enhanced oversight
  • Appointment of a financial expert
  • Auditors
  • Independence
  • Attestation on internal controls
  • Definition of internal control over financial
    reporting
  • Encompasses subset of internal controls
    addressed in the COSO Report that pertains to
    financial reporting objectives
  • Including controls over safeguarding assets

8
Titles of the Act
  1. Public Company Accounting Oversight Board
  2. Auditor Independence
  3. Corporate Responsibility
  4. Enhanced Financial Disclosures
  5. Analyst Conflicts of Interest
  6. Commission Resources and Authority
  7. Studies and Reports
  8. Corporate and Criminal Fraud Accountability
  9. White Collar Crime Penalty
  10. Corporate Tax Returns
  11. Corporate Fraud and Accountability

Establishes audit governing board
9
TITLE I: PUBLIC COMPANY ACCOUNTING OVERSIGHT
BOARD
  • Creation of the Public Company Oversight Board
    (the Board)
  • Created as a non-profit organization, the 5
    member Board oversees audits of public companies;
    it is under the authority of the SEC but above
    other professional accounting organizations such
    as the AICPA

10
General Provisions of SOx
  • PCAOB: To make rules governing audits of public
    companies
  • PCAOB: To oversee audits and audit firms
  • PCAOB: Independent of Federal Government
  • PCAOB: Self-funded through fees assessed on CPA
    firms and publicly traded companies
  • Regulations not applicable to Not For Profit or
    some foreign listed companies

11
PCAOB Governing Members
  • Five Members, three of whom must NOT be CPAs
  • If the chair is a CPA, that person must be out of
    the business of auditing for the prior 5 years

12
PCAOB's Duties
  • Write audit standards; temporarily they have
    adopted the AICPA's
  • Register public CPA firms to do audits
  • Set Quality Control standards for audits
  • Do peer reviews of CPA firms at least every
    three years
  • Investigate and discipline
  • Set Continuing Professional Education
    requirements for auditors
  • Review company disclosures and financial
    statements at least every three years

13
PCAOB's Audit Standards
  • PCAOB has passed 15 audit standards as of
    December 2010.
  • They also enforce as temporary standards the
    existing audit standards by the Audit Standards
    Board called Statements of Audit Standards (SAS)

14
PCAOB's Audit Standards (Not in Text)
  • AS No. 1 References in Auditors' Reports to the
    Standards of the Public Company Accounting
    Oversight Board
  • AS No. 3 Audit Documentation
  • AS No. 4 Reporting on Whether a Previously
    Reported Material Weakness Continues to Exist
  • AS No. 5 An Audit of Internal Control Over
    Financial Reporting That Is Integrated with An
    Audit of Financial Statements
  • AS No. 6 Evaluating Consistency of Financial
    Statements
  • AS No. 7 Engagement Quality Review

15
PCAOB's Audit Standards (Not in Text)
  • AS No. 8 Audit Risk
  • AS No. 9 Audit Planning
  • AS No. 10 Supervision of the Audit Engagement
  • AS No. 11 Consideration of Materiality in
    Planning and Performing an Audit
  • AS No. 12 Identifying and Assessing Risks of
    Material Misstatement
  • AS No. 13 The Auditor's Responses to the Risks
    of Material Misstatement
  • AS No. 14 Evaluating Audit Results
  • AS No. 15 Audit Evidence

16
TITLE II: AUDITOR INDEPENDENCE
  • Can't do other types of work for clients,
    including:
  • Bookkeeping
  • Systems design
  • Valuation services
  • Actuarial services
  • Internal audit
  • Management functions
  • Other work needs pre-approval by audit committee
  • Can't do audit if CEO, CFO from their firm, 1
    year wait period

17
TITLE II (cont.)
  • A conflict of interest arises and a Registered
    Public Accounting Firm (RPAF) may not perform
    audit services for any issuer employing in the
    capacity of CEO, controller, CFO or any other
    equivalent title a former audit engagement team
    member; there is a cooling-off period of one
    year
  • i.e., an employee of an RPAF who works on an
    audit of an issuer may not turn around and
    directly go to work for that issuer; they must
    wait one year

18
Provisions for Audit firms
  • Maintain audit papers for 7 years
  • Managing Partner rotation every 5 yrs.
  • Second partner rotation every 5 yrs.
  • Audit manager rotation every 7 years
  • Reports to audit committee
  • All material deficiency findings
  • Disclose fees for all types of services in proxy
    statement
  • Review disclosures of firm
  • Attest to Internal Control of firm

19
CPAs Report to Audit Committee
  • All critical accounting policies
  • Alternate treatments
  • Internal Control findings
  • Engagement letter
  • Independence letter
  • Management representation letter
  • Material weaknesses

20
SOx requires every public accounting firm to use
quality control policies relating to:
  • (i) monitoring of professional ethics and
    independence from entities on which the firm
    issues audit reports
  • (ii) consultation within the firm on accounting
    and auditing questions
  • (iii) supervision of audit work
  • (iv) hiring, professional development, and
    advancement of personnel
  • (v) the acceptance and continuation of audit
    engagements
  • (vi) internal inspection

21
TITLE III: CORPORATE RESPONSIBILITY
  • Audit Committee (committees est. by the board of
    a company for the purpose of overseeing financial
    reporting) Independence
  • Establishes minimum independence standards for
    audit committees
  • Independence of the audit committee crucial in
    that it must (1) oversee and compensate RPAF to
    perform audit, and (2) establish procedures for
    addressing complaints by the issuer regarding
    accounting, internal control, etc. (this lays the
    foundation for anonymous whistleblowing)
  • CEOs and CFOs must certify in any periodic report
    the truthfulness and accurateness of that report
    (creates liability)
  • Under certain conditions of re-statement of
    financials due to material non-compliance, CEOs
    and CFOs will be required to forfeit certain
    bonuses and profits paid to them as a result of
    material mis-information

22
SUMMARY OF SARBANES OXLEY PROVISIONS AFFECTING
DIRECTORS, CEOs AND CFOs
  • Listed company audit committee independence
    requirements and responsibilities (Section 301)
  • CEO and CFO financial statement-related
    certifications (Sections 302 and 906)
  • Unlawful for any officer or director or person
    acting under the direction thereof to
    fraudulently influence, coerce, manipulate or
    mislead any independent accountant engaged to
    audit the financial statements of an issuer for
    purposes of rendering the financial statements
    materially misleading (Section 303)
  • If there is a material restatement of an issuer's
    reported financial results due to the material
    noncompliance of the company, as a result of
    misconduct, the CEO and CFO shall reimburse the
    issuer for any bonus or incentive or equity-based
    compensation received within the 12 months
    following the filing with the financial
    statements subsequently required to be restated
    (Section 304)

23
SOx Company Audit Committee
  • Under SOx Sec 301 public company audit committees
    are directly responsible for the appointment,
    compensation, and oversight of the work of any
    registered public accounting firm employed by
    their company (including resolution of
    disagreements between management and the auditor
    regarding financial reporting).
  • Audit firm reports directly to the audit
    committee. Auditors may also have to discuss
    accounting complaints with the Audit Committee.

24
Audit Committee
  • Independent Directors
  • Audit committee members should not receive
    fees other than for board service and should not
    be an affiliated person of the company.
  • Financial Expert
  • At least one member of its audit committee
    must be a "financial expert" (expertise in US
    GAAP).
  • Auditor Oversight
  • Responsible for oversight of external reporting,
    internal controls and auditing, and the
    appointment and compensation of the auditor.
  • Whistle-Blower Communications
  • Confidential and anonymous submissions by
    employees.

25
Corporate Provisions
  • Corporate Officers
  • Can't influence audit
  • No stock transactions during blackout periods
    when employees cannot trade
  • In pro-formas, no material untrue statements,
    reconciliation and equality with GAAP
  • No officer loans
  • File any trading information within two business
    days
  • Code of ethics
  • Disclose off-balance sheet financing
  • Disclose any non-GAAP financial measures

26
SOX Section 302 certification
  • Section 302 requires
  • Quarterly certification by the CEO / CFO
    regarding the completeness and accuracy of
    quarterly reports as well as the nature and
    effectiveness of disclosure controls and
    procedures (DCP) supporting the quality of
    information included in such reports
  • Actions
  • Enhance DCP assessment and turn into consistent
    and continuous process
  • Ensure coverage of entire organization (incl. all
    material subsidiaries)
  • Embed into regular review and monitoring processes

27
Corporate Provisions
  • Corporate Officers
  • Certify that they have
  • Reviewed the reports
  • Reviewed internal control
  • Certify that there are no material weaknesses
  • Certify that there is no fraud
  • Report fairly presents the financial condition
    of the company

28
Management Responsibility for Audit Report - SOx
  • SOx requires that the principal executive officer
    or officers and the principal financial officer
    or officers certify in each report filed with
    the SEC the following:
  • the signing officer has reviewed the report
  • the report does not contain any untrue statement
    of a material fact or omit to state a material
    fact
  • the financial statements, and other financial
    information, fairly present in all material
    respects the financial condition of the company 
  • the signing officers
  • are responsible for establishing and maintaining
    internal controls
  • have evaluated the effectiveness of the company's
    internal controls and
  • have presented in the report their conclusions
    about the effectiveness of their internal
    controls based on their evaluation

29
Corporate Responsibility for Audit Report under
SOx (cont.)
  • Requires that the principal executive officer or
    officers and the principal financial officer or
    officers, certify in each report filed with the
    SEC the following
  • the signing officers have disclosed to the
    company's auditors and the audit committee of the
    board of directors
  • all significant deficiencies in the design or
    operation of internal controls which could
    adversely affect the company's ability to record,
    process, summarize, and report financial data and
    have identified for the company's auditors any
    material weaknesses in internal controls and
  • any fraud, whether or not material, that involves
    management or other employees who have a
    significant role in the company's internal
    controls

30
SOX Section 404 Assessment
  • Management's assessment must be based on
    procedures sufficient both to evaluate design and
    test operating effectiveness
  • Management must maintain evidential matter,
    including documentation, to provide reasonable
    support for the assessment (both design and
    testing) of effectiveness
  • Any material weakness in internal control over
    financial reporting precludes management from
    reporting that internal control is effective
  • Reiteration of guidance regarding independence
  • Auditors may assist management in documenting
    internal controls.
  • Management must be actively involved in the
    process; cannot delegate assessment
    responsibility to the auditor

31
SOX: Meeting SEC Expectations
  • Compliance with COSO control standards (or other
    accepted standards; IT Governance Institute
    recently recommended CobiT for general IT
    controls assessment)
  • Clear documentation of internal controls as well
    as the testing processes
  • Evidence that management have evaluated the
    adequacy of the design and the effectiveness of
    operation of the procedures and controls
  • Evidence that the auditor has adequately
    evaluated the design and operation of financial
    controls
  • Evidence that the audit committee and/or
    disclosure committee have taken a keen
    interest in the effectiveness of controls

32
TITLE V: ANALYST CONFLICTS OF INTEREST
  • National Securities Exchanges and registered
    securities associations must adopt rules designed
    to address conflicts of interest that can arise
    when securities analysts recommend securities in
    research reports
  • To improve objectivity of research and provide
    investors with useful and reliable information

33
TITLE VIII: CORPORATE AND CRIMINAL FRAUD
ACCOUNTABILITY
  • To knowingly destroy, create, manipulate
    documents and/or impede or obstruct federal
    investigations is considered a felony, and
    violators will be subject to fines or up to 20
    years imprisonment, or both
  • All audit reports or related workpapers must be
    kept by the auditor for at least 5 years; PCAOB
    AS 3 says 7 years.
  • Whistleblower protection: employees of either
    public companies or public accounting firms are
    protected from employers taking actions against
    them, and are granted certain fees and awards
    (such as attorney fees)

34
Penalties
  • General penalties
  • If alter, destroy, cover up or falsify documents
    with objective to hinder investigation: fines
    and up to 20 years

35
TITLE IX: WHITE-COLLAR CRIME PENALTY ENHANCEMENTS
  • Financial statements filed with the SEC by any
    public company must be certified by CEOs and
    CFOs; all financials must fairly present the true
    condition of the issuer and comply with SEC
    regulations
  • Violations will result in fines less than or
    equal to 5 million and/or a maximum of 20 years
    imprisonment
  • Mail fraud/wire fraud convictions carry 20 year
    sentences (previously 5 year sentences)
  • Anyone convicted of securities fraud may be
    banned by SEC from holding officer/director
    positions in public companies

36
Penalties: Corporate Officers
  • Give back to firms any bonuses, incentive
    compensation or equity based compensation earned
    within 12 months
  • Give back profit on sales during blackout period
  • False certification - 1m and up to 10 yrs.
  • Willful false cert. - 5 m and up to 20 yrs.
  • Company can hold up any payments to officers

37
Penalties
  • Audit firms
  • Temporary suspension from industry
  • Temporary or permanent revocation of license
  • Can't go to another firm if suspended or license
    revoked
  • Fines of up to 100,000 personal for each
    violation, firm up to 2 m
  • If intentional up to 750,000 personal, firm up
    to 15 m
  • Destroy working papers within 5 years: fine and
    up to 10 years.

38
TITLE X: CORPORATE TAX RETURNS
  • Federal income tax returns must be signed by the
    CEO of an issuer

39
TITLE XI: CORPORATE FRAUD ACCOUNTABILITY
  • Destroying or altering a document or record with
    the intent to impair the object's integrity for
    the intended use in a securities violation
    proceeding, or otherwise obstructing that
    proceeding, will be subject to a fine and/or up
    to 20 years imprisonment
  • The SEC has the authority to freeze payments to
    any individual involved in an investigation of a
    possible security violation
  • Any retaliatory act against whistleblowers or
    other informants is subject to fine and/or 10
    year imprisonment