Title: Sarbanes Oxley Act (Sox) Corporate and Auditing Accountability, Responsibility and Transparency Act of 2002
1. Sarbanes Oxley Act (Sox): Corporate and Auditing Accountability, Responsibility and Transparency Act of 2002
- Rick Stephan Hayes, Ph.D., CPA
- California State University at Los Angeles
2. Reasons for New Legislation
3. Objectives
- In response to the Arthur Andersen, Enron and WorldCom debacle, the Sarbanes-Oxley Act seeks to:
  - Restore the public confidence in both public accounting and publicly traded securities
  - Assure ethical business practices through heightened levels of executive awareness and accountability
4. Congressional Votes
- Authorizing Force against Iraq: Yes 373, No 156, Not voting 12
- Securities Litigation Reform Act: Yes 387, No 130, Not voting 15
- Sarbanes-Oxley Act: Yes 522, No 3, Not voting 9
5. Criminal Penalties
- Escaping from prison: 1 to 2 years
- Kidnapping involving ransom: 3 to 5 years
- Second degree murder: 11 to 14 years
- Air piracy: 20 to 25 years
- Sarbanes-Oxley Certification: 10 to 20 years
6. The Sarbanes-Oxley Act: An Overview
7. SOX: Who is affected and how?
- Executives
  - Responsibility for financial reporting and keeping the markets informed
  - Certifications
    - 302: Disclosure controls and procedures
    - 404: Internal controls for financial reporting
    - 906: CEO/CFO's written statement on fairness
  - Implement Code of Ethics and whistleblower procedure
- Supervisory Board
  - Enhanced oversight
  - Appointment of a financial expert
- Auditors
  - Independence
  - Attestation on internal controls
- Definition of internal control over financial reporting
  - Encompasses subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives
  - Including controls over safeguarding assets
8. Titles of the Act
- Public Company Accounting Oversight Board
- Auditor Independence
- Corporate Responsibility
- Enhanced Financial Disclosures
- Analyst Conflicts of Interest
- Commission Resources and Authority
- Studies and Reports
- Corporate and Criminal Fraud Accountability
- White Collar Crime Penalty
- Corporate Tax Returns
- Corporate Fraud and Accountability
Establishes audit governing board
9. TITLE I: PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD
- Creation of the Public Company Oversight Board (the Board)
- Created as a non-profit organization, the 5 member Board oversees audits of public companies; it is under the authority of the SEC but above other professional accounting organizations such as the AICPA
10. General Provisions of SOx
- PCAOB: To make rules governing audits of public companies
- PCAOB: To oversee audits and audit firms
- PCAOB: independent of Federal Government
- PCAOB: Self-funded through fees assessed on CPA firms and publicly traded companies
- Regulations not applicable to Not For Profit or some foreign listed companies
11. PCAOB Governing Members
- Five Members, three of whom must NOT be CPAs
- If the chair is a CPA, that person must be out of
the business of auditing for the prior 5 years
12. PCAOB's Duties
- Write audit standards; temporarily they have adopted the AICPA's
- Register public CPA firms to do audits
- Set Quality Control standards for audits
- Do peer reviews of CPA firms at least every three years
- Investigate and discipline
- Set Continuing Professional Education requirements for auditors
- Review company disclosures and financial statements at least every three years
13. PCAOB's Audit Standards
- PCAOB has passed 15 audit standards as of December 2010.
- They also enforce as temporary standards the existing audit standards by the Audit Standards Board called Statements of Audit Standards (SAS)
14. PCAOB's Audit Standards (Not in Text)
- AS No. 1: References in Auditors' Reports to the Standards of the Public Company Accounting Oversight Board
- AS No. 3: Audit Documentation
- AS No. 4: Reporting on Whether a Previously Reported Material Weakness Continues to Exist
- AS No. 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements
- AS No. 6: Evaluating Consistency of Financial Statements
- AS No. 7: Engagement Quality Review
15. PCAOB's Audit Standards (Not in Text)
- AS No. 8: Audit Risk
- AS No. 9: Audit Planning
- AS No. 10: Supervision of the Audit Engagement
- AS No. 11: Consideration of Materiality in Planning and Performing an Audit
- AS No. 12: Identifying and Assessing Risks of Material Misstatement
- AS No. 13: The Auditor's Responses to the Risks of Material Misstatement
- AS No. 14: Evaluating Audit Results
- AS No. 15: Audit Evidence
16. TITLE II: AUDITOR INDEPENDENCE
- Can't do other types of work for clients, including:
  - Bookkeeping
  - Systems design
  - Valuation services
  - Actuarial services
  - Internal audit
  - Management functions
- Other work needs pre-approval by audit committee
- Can't do audit if CEO, CFO from their firm; 1 year wait period
17. TITLE II (cont.)
- A conflict of interest arises, and a Registered Public Accounting Firm (RPAF) may not perform audit services for any issuer employing in the capacity of CEO, controller, CFO or any other equivalent title a former audit engagement team member; there is a cooling-off period of one year
- i.e., an employee of an RPAF who works on an audit of an issuer may not turn around and directly go to work for that issuer; they must wait one year
18. Provisions for Audit firms
- Maintain audit papers for 7 years
- Managing Partner rotation every 5 yrs.
- Second partner rotation every 5 yrs.
- Audit manager rotation every 7 years
- Reports to audit committee
- All material deficiency findings
- Disclose fees for all types of services in proxy statement
- Review disclosures of firm
- Attest to Internal Control of firm
19. CPAs Report to Audit Committee
- All critical accounting policies
- Alternate treatments
- Internal Control findings
- Engagement letter
- Independence letter
- Management representation letter
- Material weaknesses
20. SOx requires every public accounting firm to use quality control policies relating to:
- (i) monitoring of professional ethics and independence from entities on which the firm issues audit reports
- (ii) consultation within the firm on accounting and auditing questions
- (iii) supervision of audit work
- (iv) hiring, professional development, and advancement of personnel
- (v) the acceptance and continuation of audit engagements
- (vi) internal inspection
21. TITLE III: CORPORATE RESPONSIBILITY
- Audit Committee (committees est. by the board of a company for the purpose of overseeing financial reporting) Independence
- Establishes minimum independence standards for audit committees
- Independence of the audit committee crucial in that it must (1) oversee and compensate RPAF to perform audit, and (2) establish procedures for addressing complaints by the issuer regarding accounting, internal control, etc. (this lays the foundation for anonymous whistleblowing)
- CEOs and CFOs must certify in any periodic report the truthfulness and accurateness of that report; creates liability
- Under certain conditions of re-statement of financials due to material non-compliance, CEOs and CFOs will be required to forfeit certain bonuses and profits paid to them as a result of material mis-information
22. SUMMARY OF SARBANES OXLEY PROVISIONS AFFECTING DIRECTORS, CEOs AND CFOs
- Listed company audit committee independence requirements and responsibilities (Section 301)
- CEO and CFO financial statement-related certifications (Sections 302 and 906)
- Unlawful for any officer or director or person acting under the direction thereof to fraudulently influence, coerce, manipulate or mislead any independent accountant engaged to audit the financial statements of an issuer for purposes of rendering the financial statements materially misleading (Section 303)
- If there is a material restatement of an issuer's reported financial results due to the material noncompliance of the company, as a result of misconduct, the CEO and CFO shall reimburse the issuer for any bonus or incentive or equity-based compensation received within the 12 months following the filing with the financial statements subsequently required to be restated (Section 304)
23. SOx Company Audit Committee
- Under SOx Sec 301 public company audit committees are directly responsible for the appointment, compensation, and oversight of the work of any registered public accounting firm employed by their company (including resolution of disagreements between management and the auditor regarding financial reporting).
- Audit firm reports directly to the audit committee. Auditors may also have to discuss accounting complaints with the Audit Committee.
24. Audit Committee
- Independent Directors
  - Audit committee members should not receive fees other than for board service and should not be an affiliated person of the company.
- Financial Expert
  - At least one member of its audit committee must be a "financial expert" (expertise in US GAAP).
- Auditor Oversight
  - Responsible for oversight of external reporting, internal controls and auditing, and the appointment and compensation of the auditor.
- Whistle-Blower Communications
  - Confidential and anonymous submissions by employees.
25. Corporate Provisions
- Corporate Officers
- Can't influence audit
- No stock transactions during blackout periods when employees cannot trade
- In pro-formas, no material untrue statements, reconciliation and equality with GAAP
- No officer loans
- File any trading information within two business days
- Code of ethics
- Disclose off-balance sheet financing
- Disclose any non-GAAP financial measures
26. SOX Section 302 certification
- Section 302 requires
  - Quarterly certification by the CEO / CFO regarding the completeness and accuracy of quarterly reports as well as the nature and effectiveness of disclosure controls and procedures (DCP) supporting the quality of information included in such reports
- Actions
  - Enhance DCP assessment and turn into consistent and continuous process
  - Ensure coverage of entire organization (incl. all material subsidiaries)
  - Embed into regular review and monitoring processes
27. Corporate Provisions
- Corporate Officers
- Certify that they have
- Reviewed the reports
- Reviewed internal control
- Certify that there are no material weaknesses
- Certify that there is no fraud
- Report fairly presents the financial condition
of the company
28. Management Responsibility for Audit Report - SOx
- SOx requires that the principal executive officer or officers and the principal financial officer or officers certify in each report filed with the SEC the following:
- the signing officer has reviewed the report
- the report does not contain any untrue statement of a material fact or omit to state a material fact
- the financial statements, and other financial information, fairly present in all material respects the financial condition of the company
- the signing officers
  - are responsible for establishing and maintaining internal controls
  - have evaluated the effectiveness of the company's internal controls and
  - have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation
29. Corporate Responsibility for Audit Report under SOx (cont.)
- Requires that the principal executive officer or officers and the principal financial officer or officers certify in each report filed with the SEC the following:
- the signing officers have disclosed to the company's auditors and the audit committee of the board of directors
  - all significant deficiencies in the design or operation of internal controls which could adversely affect the company's ability to record, process, summarize, and report financial data and have identified for the company's auditors any material weaknesses in internal controls and
  - any fraud, whether or not material, that involves management or other employees who have a significant role in the company's internal controls
30. SOX: Section 404 Assessment
- Management's assessment must be based on procedures sufficient both to evaluate design and test operating effectiveness
- Management must maintain evidential matter, including documentation, to provide reasonable support for the assessment (both design and testing) of effectiveness
- Any material weakness in internal control over financial reporting precludes management from reporting that internal control is effective
- Reiteration of guidance regarding independence
- Auditors may assist management in documenting internal controls.
- Management must be actively involved in the process; cannot delegate assessment responsibility to the auditor
31. SOX: Meeting SEC Expectations
- Compliance with COSO control standards (or other accepted standards; IT Governance Institute recently recommended CobiT for general IT controls assessment)
- Clear documentation of internal controls as well as the testing processes
- Evidence that management have evaluated the adequacy of the design and the effectiveness of operation of the procedures and controls
- Evidence that the auditor has adequately evaluated the design and operation of financial controls
- Evidence that the audit committee and/or disclosure committee have taken a keen interest in the effectiveness of controls
32. TITLE V: ANALYST CONFLICTS OF INTEREST
- National Securities Exchanges and registered securities associations must adopt rules designed to address conflicts of interest that can arise when securities analysts recommend securities in research reports
- To improve objectivity of research and provide investors with useful and reliable information
33. TITLE VIII: CORPORATE AND CRIMINAL FRAUD ACCOUNTABILITY
- To knowingly destroy, create, manipulate documents and/or impede or obstruct federal investigations is considered a felony, and violators will be subject to fines or up to 20 years imprisonment, or both
- All audit reports or related workpapers must be kept by the auditor for at least 5 years; PCAOB AS 3 says 7 years.
- Whistleblower protection: employees of either public companies or public accounting firms are protected from employers taking actions against them, and are granted certain fees and awards (such as Attorney fees)
34. Penalties
- General penalties
- If alter, destroy, cover-up or falsify documents with objective to hinder investigation: fines and up to 20 years
35. TITLE IX: WHITE-COLLAR CRIME PENALTY ENHANCEMENTS
- Financial statements filed with the SEC by any public company must be certified by CEOs and CFOs; all financials must fairly present the true condition of the issuer and comply with SEC regulations
- Violations will result in fines less than or equal to $5 million and/or a maximum of 20 years imprisonment
- Mail fraud/wire fraud convictions carry 20 year sentences (previously 5 year sentences)
- Anyone convicted of securities fraud may be banned by SEC from holding officer/director positions in public companies
36. Penalties: Corporate Officers
- Give back to firms any bonuses, incentive compensation or equity based compensation earned within 12 months
- Give back profit on sales during blackout period
- False certification - $1m and up to 10 yrs.
- Willful false cert. - $5m and up to 20 yrs.
- Company can hold up any payments to officers
37. Penalties
- Audit firms
- Temporary suspension from industry
- Temporary or permanent revocation of license
- Can't go to another firm if suspended or license revoked
- Fines of up to $100,000 personal for each violation, firm up to $2m
- If intentional up to $750,000 personal, firm up to $15m
- Destroy working papers within 5 years: fine and up to 10 years.
38. TITLE X: CORPORATE TAX RETURNS
- Federal income tax returns must be signed by the
CEO of an issuer
39. TITLE XI: CORPORATE FRAUD ACCOUNTABILITY
- Destroying or altering a document or record with the intent to impair the object's integrity for the intended use in a securities violation proceeding, or otherwise obstructing that proceeding, will be subject to a fine and/or up to 20 years imprisonment
- The SEC has the authority to freeze payments to any individual involved in an investigation of a possible security violation
- Any retaliatory act against whistleblowers or other informants is subject to fine and/or 10 year imprisonment