Sarbanes Oxley Act (Sox): Corporate and Auditing Accountability, Responsibility and Transparency Act of 2002

Rick Stephan Hayes, Ph.D., CPA, California State University at Los Angeles

Post on 30-Dec-2015

Page 1: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

Sarbanes Oxley Act (Sox): Corporate and Auditing Accountability, Responsibility and Transparency Act of 2002

Rick Stephan Hayes, Ph.D., CPA

California State University at Los Angeles

Page 2: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

Reasons for New Legislation

Page 3: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

Objectives

• In response to the Arthur Andersen, Enron and WorldCom debacle, the Sarbanes-Oxley Act seeks to:

– Restore the public confidence in both public accounting and publicly traded securities

– Assure ethical business practices through heightened levels of executive awareness and accountability

Page 4: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

Congressional Votes

Sarbanes-Oxley Act

Yes 522

No 3

Not voting 9

Authorizing Force against Iraq

Yes 373

No 156

Not voting 12

Legalizing Marijuana**

Yes 93

No 310

Not voting 31

**House of Representatives only

Securities Litigation Reform Act

Yes 387

No 130

Not voting 15

Page 5: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

Criminal Penalties

• Escaping from prison 1 to 2 years

• Kidnapping involving ransom 3 to 5 years

• Second degree murder 11 to 14 years

• Air piracy 20 to 25 years

• Sarbanes-Oxley Certification 10 to 20 years

Page 6: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

The Sarbanes-Oxley Act: An Overview

Page 7: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

SOX: Who is affected and how?

• Executives:

– Responsibility for financial reporting and keeping the markets informed

– Certifications:

- 302 “Disclosure controls & procedures”

- 404 “Internal controls for financial reporting”

- 906 “CEO/CFO’s written statement on fairness”

– Implement Code of Ethics and whistleblower procedure

• Supervisory Board:

– Enhanced oversight

– Appointment of a “financial expert”

• Auditors:

– Independence

– Attestation on internal controls

Definition of “internal control over financial reporting”:

- Encompasses subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives

- Including controls over safeguarding assets

Page 8: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

Titles of the Act

I. Public Company Accounting Oversight Board

II. Auditor Independence

III. Corporate Responsibility

IV. Enhanced Financial Disclosures

V. Analyst Conflicts of Interest

VI. Commission Resources and Authority

VII. Studies and Reports

VIII. Corporate and Criminal Fraud Accountability

IX. White Collar Crime Penalty

X. Corporate Tax Returns

XI. Corporate Fraud and Accountability

Establishes audit governing board………

Page 9: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

TITLE I – PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD

• Creation of the Public Company Oversight Board (the Board)

Created as a non-profit organization, the 5 member Board oversees audits of public companies; it is under the authority of the SEC but above other professional accounting organizations such as the AICPA

Page 10: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

General Provisions of SOx

o PCAOB to make rules governing audits of public companies

o PCAOB to oversee audits and audit firms

o PCAOB independent of Federal Government

o PCAOB self-funded through fees assessed on CPA firms and publicly traded companies

o Regulations not applicable to Not For Profit or some foreign listed companies

Page 11: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

PCAOB Governing Members

o Five Members, three of whom must NOT be CPAs

o If the chair is a CPA, that person must be out of the business of auditing for the prior 5 years

Page 12: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

PCAOB’s Duties

o Write audit standards; temporarily they have adopted the AICPA’s

o Register public CPA firms to do audits

o Set Quality Control standards for audits

o Do peer reviews of CPA firms – at least every three years

o Investigate and discipline

o Set Continuing Professional Education requirements for auditors

o Review company disclosures and financial statements at least every three years

Page 13: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

PCAOB’s Audit Standards

• PCAOB has passed 15 audit standards as of December 2010.

• They also enforce as “temporary standards” the existing audit standards by the Audit Standards Board called Statements of Audit Standards (SAS)

Page 14: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

PCAOB’s Audit Standards (Not in Text)

• AS No. 1: References in Auditors’ Reports to the Standards of the Public Company Accounting Oversight Board

• AS No. 3: Audit Documentation

• AS No. 4: Reporting on Whether a Previously Reported Material Weakness Continues to Exist

• AS No. 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements

• AS No. 6: Evaluating Consistency of Financial Statements

• AS No. 7: Engagement Quality Review

Page 15: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

PCAOB’s Audit Standards (Not in Text)

• AS No. 8: Audit Risk

• AS No. 9: Audit Planning

• AS No. 10: Supervision of the Audit Engagement

• AS No. 11: Consideration of Materiality in Planning and Performing an Audit

• AS No. 12: Identifying and Assessing Risks of Material Misstatement

• AS No. 13: The Auditor's Responses to the Risks of Material Misstatement

• AS No. 14: Evaluating Audit Results

• AS No. 15: Audit Evidence

Page 16: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

TITLE II – AUDITOR INDEPENDENCE

Can’t do other types of work for clients, including:

– Bookkeeping

– Systems design

– Valuation services

– Actuarial services

– Internal audit

– Management functions

Other work needs pre-approval by audit committee

Can’t do audit if CEO, CFO from their firm, 1 year wait period

Page 17: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

TITLE II (cont.)

A conflict of interest arises and a Registered Public Accounting Firm (RPAF) may not perform audit services for any issuer employing – in the capacity of CEO, controller, CFO or any other equivalent title – a former audit engagement team member – there is a “cooling-off period” for one year, i.e., an employee of an RPAF who works on an audit of an issuer may not turn around and directly go to work for that issuer – they must wait one year

Page 18: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

Provisions for Audit firms

• Maintain audit papers for 7 years

• Managing Partner rotation every 5 yrs.

• Second partner rotation every 5 yrs.

• Audit manager rotation every 7 years

• Reports to audit committee

– All material deficiency findings

• Disclose fees for all types of services in proxy statement

• Review disclosures of firm

• Attest to Internal Control of firm

Page 19: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

CPAs Report to Audit Committee

• All critical accounting policies

• Alternate treatments

• Internal Control findings

• Engagement letter

• Independence letter

• Management representation letter

• Material weaknesses

Page 20: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

SOx requires every public accounting firm to use quality control policies relating to

(i) monitoring of professional ethics and independence from entities on which the firm issues audit reports;

(ii) consultation within the firm on accounting and auditing questions;

(iii) supervision of audit work;

(iv) hiring, professional development, and advancement of personnel;

(v) the acceptance and continuation of audit engagements;

(vi) internal inspection

Page 21: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

TITLE III – CORPORATE RESPONSIBILITY

Audit Committee (committees est. by the board of a company for the purpose of overseeing financial reporting) Independence

Establishes minimum independence standards for audit committees

Independence of the audit committee crucial in that it must (1) oversee and compensate RPAF to perform audit, and (2) establish procedures for addressing complaints by the issuer regarding accounting, internal control, etc. (this lays the foundation for anonymous whistleblowing)

CEOs and CFOs must certify in any periodic report the truthfulness and accurateness of that report – creates liability

Under certain conditions of re-statement of financials due to material non-compliance, CEOs and CFOs will be required to forfeit certain bonuses and profits paid to them as a result of material mis-information

Page 22: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

SUMMARY OF SARBANES OXLEY PROVISIONS AFFECTING DIRECTORS, CEOs AND CFOs

• Listed company audit committee independence requirements and responsibilities (Section 301)

• CEO and CFO financial statement-related certifications (Sections 302 and 906)

• Unlawful for any officer or director or person acting under the direction thereof to fraudulently influence, coerce, manipulate or mislead any independent accountant engaged to audit the financial statements of an issuer for purposes of rendering the financial statements materially misleading (Section 303)

• If there is a material restatement of an issuer’s reported financial results due to the material noncompliance of the company, as a result of misconduct, the CEO and CFO shall reimburse the issuer for any bonus or incentive or equity-based compensation received within the 12 months following the filing with the financial statements subsequently required to be restated (Section 304)

Page 23: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

SOx Company Audit Committee

• Under SOx Sec 301 public company audit committees are directly responsible for the appointment, compensation, and oversight of the work of any registered public accounting firm employed by their company (including resolution of disagreements between management and the auditor regarding financial reporting).

• Audit firm reports directly to the audit committee. Auditors may also have to discuss accounting complaints with the Audit Committee.

Page 24: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

Audit Committee

Independent Directors

Audit committee members should not receive fees other than for board service and should not be an “affiliated person” of the company.

Financial Expert

At least one member of its audit committee must be a "financial expert" (expertise in US GAAP).

Auditor Oversight

Responsible for oversight of external reporting, internal controls and auditing, and the appointment and compensation of the auditor.

Whistle-Blower Communications

Confidential and anonymous submissions by employees.

Page 25: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

Corporate Provisions

• Corporate Officers

– Can’t influence audit

– No stock transactions during blackout periods when employees cannot trade

– In pro-formas, no material untrue statements, reconciliation and equality with GAAP

– No officer loans

– File any trading information within two business days

– Code of ethics

– Disclose off-balance sheet financing

– Disclose any non-GAAP financial measures

Page 26: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

SOX: Section 302 certification

Section 302 requires:

Quarterly certification by the CEO / CFO regarding the completeness and accuracy of quarterly reports as well as the nature and effectiveness of disclosure controls and procedures (DC&P) supporting the quality of information included in such reports

Actions:

Enhance DC&P assessment and turn into consistent and continuous process

Ensure coverage of entire organization (incl. all material subsidiaries)

Embed into regular review and monitoring processes

Page 27: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

Corporate Provisions

• Corporate Officers

– Certify that they have

• Reviewed the reports

• Reviewed internal control

• Certify that there are no material weaknesses

• Certify that there is no fraud

• Report fairly presents the financial condition of the company

Page 28: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

Management Responsibility for Audit Report - SOx

SOx requires that the principal executive officer or officers and the principal financial officer or officers, certify in each report filed with the SEC the following:

the signing officer has reviewed the report;

the report does not contain any untrue statement of a material fact or omit to state a material fact;

the financial statements, and other financial information, fairly present in all material respects the financial condition of the company;

the signing officers

• are responsible for establishing and maintaining internal controls;

• have evaluated the effectiveness of the company’s internal controls; and

• have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation;

Page 29: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

Corporate Responsibility for Audit Report under SOx (cont.)

Requires that the principal executive officer or officers and the principal financial officer or officers, certify in each report filed with the SEC the following:

the signing officers have disclosed to the company’s auditors and the audit committee of the board of directors —

• all significant deficiencies in the design or operation of internal controls which could adversely affect the company’s ability to record, process, summarize, and report financial data and have identified for the company’s auditors any material weaknesses in internal controls; and

• any fraud, whether or not material, that involves management or other employees who have a significant role in the company’s internal controls;

Page 30: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

SOX: Section 404 Assessment

– Management’s assessment must be based on procedures sufficient both to evaluate design and test operating effectiveness

– Management must maintain evidential matter, including documentation, to provide reasonable support for the assessment (both design and testing) of effectiveness

– Any material weakness in internal control over financial reporting precludes management from reporting that internal control is effective

• Reiteration of guidance regarding independence:

• Auditors may assist management in documenting internal controls.

• Management must be actively involved in the process; cannot delegate assessment responsibility to the auditor

Page 31: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

SOX: Meeting SEC Expectations

– Compliance with COSO control standards (or other accepted standards; IT Governance Institute recently recommended CobiT for general IT controls assessment)

– Clear documentation of internal controls as well as the testing processes

– Evidence that management have evaluated the adequacy of the design and the effectiveness of operation of the procedures and controls

– Evidence that the auditor has adequately evaluated the design and operation of financial controls

– Evidence that the audit committee and/or disclosure committee have taken a keen interest in the effectiveness of controls

Page 32: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

TITLE V – ANALYST CONFLICTS OF INTEREST

• National Securities Exchanges and registered securities associations must adopt rules designed to address conflicts of interest that can arise when securities analysts recommend securities in research reports

– To improve objectivity of research and provide investors with useful and reliable information

Page 33: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

TITLE VIII – CORPORATE AND CRIMINAL FRAUD ACCOUNTABILITY

• To knowingly destroy, create, manipulate documents and/or impede or obstruct federal investigations is considered a felony, and violators will be subject to fines or up to 20 years imprisonment, or both

• All audit reports or related workpapers must be kept by the auditor for at least 5 years – PCAOB AS 3 says 7 years.

• Whistleblower protection – employees of either public companies or public accounting firms are protected from employers taking actions against them, and are granted certain fees and awards (such as attorney fees)

Page 34: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

Penalties

General penalties

– If alter, destroy, cover-up or falsify documents with objective to hinder investigation – fines and up to 20 years

Page 35: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

TITLE IX – WHITE-COLLAR CRIME PENALTY ENHANCEMENTS

• Financial statements filed with the SEC by any public company must be certified by CEOs and CFOs; all financials must fairly present the true condition of the issuer and comply with SEC regulations

– Violations will result in fines less than or equal to $5 million and/or a maximum of 20 years imprisonment

• Mail fraud/wire fraud convictions carry 20 year sentences (previously 5 year sentences)

• Anyone convicted of securities fraud may be banned by SEC from holding officer/director positions in public companies

Page 36: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

Penalties – Corporate Officers

• Give back to firms any bonuses, incentive compensation or equity based compensation earned within 12 months

• Give back profit on sales during blackout period

• False certification - $1m and up to 10 yrs.

• Willful false cert. - $5 m and up to 20 yrs.

• Company can hold up any payments to officers

Page 37: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

Penalties

Audit firms

– Temporary suspension from industry

– Temporary or permanent revocation of license

– Can’t go to another firm if suspended or license revoked

– Fines of up to $100,000 personal for each violation, firm up to $2 m

– If intentional up to $750,000 personal, firm up to $15 m

– Destroy working papers within 5 years – fine and up to 10 years.

Page 38: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

TITLE X – CORPORATE TAX RETURNS

Federal income tax returns must be signed by the CEO of an issuer

Page 39: Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles

TITLE XI – CORPORATE FRAUD ACCOUNTABILITY

Destroying or altering a document or record with the intent to impair the object’s integrity for the intended use in a securities violation proceeding, or otherwise obstructing that proceeding, will be subject to a fine and/or up to 20 years imprisonment

The SEC has the authority to freeze payments to any individual involved in an investigation of a possible security violation

Any retaliatory act against whistleblowers or other informants is subject to a fine and/or 10 years imprisonment