Sarbanes-Oxley Act
The Sarbanes-Oxley Act (officially titled the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX and Sarbox), signed into law on 30 July 2002 by President Bush, is considered the most significant change to federal securities laws in the United States since the New Deal. It came in the wake of a series of corporate financial scandals, including those affecting Enron, Arthur Andersen, and WorldCom. The law is named after sponsors Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH). It was approved by the House by a vote of 423-3 and by the Senate 99-0.
The act was designed to review dated legislative audit requirements. The goal of the act was to protect investors by improving the accuracy and reliability of corporate disclosures. The act covers issues such as establishing a public company accounting oversight board, auditor independence, corporate responsibility and enhanced financial disclosure.
Provisions
The Sarbanes-Oxley Act's major provisions include:
- Certification of financial reports by CEOs and CFOs
- Ban on personal loans to any Executive Officer and Director
- Accelerated reporting of trades by insiders
- Prohibition on insider trades during pension fund blackout periods
- Public reporting of CEO and CFO compensation and profits
- Additional disclosure
- Auditor independence, including outright bans on certain types of work and pre-certification by the company's Audit Committee of all other non-audit work
- Criminal and civil penalties for securities violations
- US companies are now obliged to have an internal audit function, which will need to be certified by external auditors.
- Significantly longer jail sentences and larger fines for corporate executives who knowingly and willfully misstate financial statements.
- Prohibition on audit firms providing extra "value-added" services to their clients including actuarial services, legal and extra services (such as consulting) unrelated to their audit work.
- A requirement that publicly traded companies furnish independent annual audit reports on the existence and condition (i.e., reliability) of internal controls as they relate to financial reporting.
Overview of the PCAOB’s Requirements (Source: KPMG Report)
- The design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements
- Information about how significant transactions are initiated, authorized, supported, processed, and reported
- Enough information about the flow of transactions to identify where material misstatements due to error or fraud could occur
- Controls designed to prevent or detect fraud, including who performs the controls and the regulated segregation of duties
- Controls over the period-end financial reporting process
- Controls over safeguarding of assets
- The results of management’s testing and evaluation.
Internal Controls
One key element of the Act is to require a report of the internal controls a company has in place to ensure compliance with the Act itself. Section 404 mandates that CEOs and CFOs must file Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports. The SEC published the final form of its rules and guidelines on the content of these reports in June of 2003.
Section 404 requires management to document and assess the effectiveness of their internal controls over financial reporting. “SOX 404 Compliance” has had serious effects on those found to have material weaknesses in internal control. In this act, companies must, for the first time, provide attestation of internal control assessment. This presents new challenges to businesses, specifically, documentation of control procedures related to information technology.
Additionally, the Public Company Accounting Oversight Board (PCAOB) ([1] (http://www.pcaobus.org/)) has issued guidelines on how management should render their opinion. The main point of these guidelines is that management should use an internal control framework such as COSO (which describes how to assess the control environment, determine control objectives, perform risk assessments, and identify controls and monitor compliance). Companies have almost uniformly elected COSO as the standard when choosing an internal control framework.
Information Technology and SOX 404:
The PCAOB suggests considering the COSO framework in management/auditor assessment of controls. Auditors have also looked to the IT Governance Institute’s "COBIT": Control Objectives of Information and Related Technology for more appropriate standards of measure. This framework focuses on IT processes while keeping in mind the big picture of COSO’s “control activities” and “information and communication”. However, certain aspects of COBIT are outside the boundaries of Sarbanes-Oxley regulation.
IT Controls, IT Audit and SOX
In today’s business environment, the financial reporting processes of most organizations are driven by Information Technology (IT) systems. Few companies manage their data manually and most companies have moved to electronic management of data, documents, and key operational processes. Therefore, it is apparent that IT plays a vital role in internal control. As PCAOB Auditing Standard 2 states:
- "The nature and characteristics of a company’s use of information technology in its information system affect the company’s internal control over financial reporting."
Chief information officers are responsible for the security, accuracy and reliability of the systems that manage and report the financial data. Systems such as ERP (Enterprise Resource Planning) are deeply integrated in the initiating, authorizing, processing, and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act. So, although the Act signals a fundamental change in business operations and financial reporting, and places responsibility for corporate financial reporting on the chief executive officer (CEO) and chief financial officer (CFO), the chief information officer (CIO) plays a significant role in the signoff of financial statements.
For a detailed discussion on the impact of SOX on IT Audit and Controls, see:
Cost of Implementation
There is some debate over the specific requirements of the Sarbanes-Oxley act, as written. The business community has generally acknowledged that, as John A. Thain, CEO of the New York Stock Exchange states, "There is no question that, broadly speaking, Sarbanes-Oxley was necessary" [2] (http://www.nytimes.com/2005/04/17/business/yourmoney/17sox.html?). However, the cost of implementing the new requirements has led some to question how effective or necessary the specific provisions of the law truly are.
One key area of cost is the updating of information systems to comply with the control and reporting requirements. Systems which provide document management, access to financial data, or long-term storage of information must now provide auditing capabilities. In most cases this requires significant changes, or even complete replacement, of existing systems which were designed without the needed level of auditing details.
Costs associated with SOX 404 compliance have proven to be higher than first anticipated. According to Financial Executives International (FEI), in a survey of 217 companies with average revenue above $5 billion, the cost of compliance was an average of $4.36 million. The survey also indicated actual costs to be approximately 39% higher than companies expected to spend. The high cost of compliance throughout the first year can be attributed to the sharp increase in hours charged per audit engagement. The PCAOB has concluded that auditors may have been overly harsh in applying auditing guidelines. However, non-compliance comes with an even higher cost in terms of stiffer penalties and jail sentences.
| Company Revenue | < $5 B | $5 B - $10 B | $10 B - $50 B | > $50 B |
| --- | --- | --- | --- | --- |
| Average Additional Audit Hours | 6,285 | 20,756 | 11,540 | 19,000 |
| Average Total Compliance Cost per Billion Dollars in Revenues (millions) | $1.9 | $1.1 | $0.6 | $0.3 |
Case Studies of Companies with Sarbanes Oxley Certification Delays, Material Weaknesses, Etc. Caused By Information Technology Issues
- Captaris Inc. - material weakness and filing delay due to inadequate internal controls and related IT controls per SOX requirements
- Cray Inc. - numerous material weaknesses in internal control over financial reporting, specifically, inadequate review of third-party contracts and lack of software application controls and documentation
The Future of SOX 404 Compliance
In a recent article by Deloitte, Under Control, the need for “sustainable compliance” is encouraged. The article suggests leveraging lessons learned to immediately transition into a long-term strategy. The following areas are described as impediments to the process:
- "Project Mindset: … many companies understandably treated section 404 compliance as a discrete project with a clearly defined ending point.”
- "Overextension of Internal Audit: If management continues to utilize internal audit for intensive 404 and 302 compliance-related work, then a significant infusion of resources (i.e., budget and headcount) to accommodate the additional workload will be needed.”
- "Poorly Defined Roles: Internal control-related roles and responsibilities, often poorly defined and segregated from the day-to-day routine of employees during the first year, will require greater clarity and integration going forward”
- "Improvisational Approach: Another symptom of deadline pressure showed up in the jerry-built practices that carried many companies through the first year.”
- "Underestimation of Technology impacts and Implications: …IT is recognized as critical for achieving the goals of the Act, and the impact and implications of technology are widely regarded as significant and pervasive. In many year-one projects, organizations focused heavily on business processes and did not consider the broader role that IT plays in managing financial information and enabling controls… IT will make a huge impact on compliance going forward. At a minimum, technology investments will be necessary to support sustainable compliance in several areas, including repository, work flow, and audit trail functionality. Technology will also be used to enable the integration of financial and internal control monitoring and reporting – a critical requirement at most large and complex enterprises.”
- "Ignored Risks: Effective internal control is predicated on risk… the controls themselves – exist expressly for the purpose of minimizing the risk of financial reporting errors… In year one, risk assessment was treated as an afterthought – if addressed at all.”
The future of SOX 404 will depend on businesses' ability to respond to the areas noted above by making compliance a part of everyday business. Deloitte has developed the “Sustained Compliance Solution Framework.” Key areas of the framework are also taken from the article, Under Control:
- Effective and efficient processes for evaluating testing, remediating, monitoring, and reporting on controls
- Integrated financial and internal control processes
- Technology to enable compliance
- Clearly articulated roles and responsibilities and assigned accountability
- Education and training to reinforce the “control environment”
- Adaptability and flexibility to respond to organizational and regulatory change.
Legislative Information
- House: 107 H.R. 3763, H. Rept. 107-414, H. Rept. 107-610
- Senate: 107 S. 2673, S. Rept. 107-205
- Law: Pub. L. 107-204, 116 Stat. 745
See Also
- Information Technology Audit
- Information Technology Controls
- Cray Inc.
- Captaris Inc.
- Richard M. Scrushy, CEO of HealthSouth, the first executive charged under Sarbanes-Oxley
External links
- Summary of Sarbanes-Oxley Act of 2002 (http://www.aicpa.org/info/sarbanes_oxley_summary.htm) AICPA
- A Laymen's Summary of All 11 Titles (http://www.csbs.org/government/legislative/misc/2002_sarbanes-oxley_summary.htm)
- The text of the law (PDF) (http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.tst.pdf) U.S. Government Printing Office
- The full text of the act in HTML format (http://www.legalarchiver.org/soa.htm)
- Signing Statement of George W. Bush (http://www.whitehouse.gov/news/releases/2002/07/20020730.html)
- Study Pursuant to Section 108(d) of the Sarbanes-Oxley Act of 2002 on the Adoption by the United States Financial Reporting System of a Principles-Based Accounting System (http://www.sec.gov/news/studies/principlesbasedstand.htm)
Forums
- An interactive forum dedicated to the Sarbanes-Oxley Act (http://www.sarbanes-oxley-forum.com)
Articles
- Sarbanes-Oxley Act Will Help Record Artists (http://www.mp3newswire.net/stories/5002/sarbanes.html) - April 22, 2004 MP3 Newswire story