[Photo caption: ... meets with Senator Paul Sarbanes, Secretary of Labor Elaine Chao and other dignitaries in the Blue Room at the White House on July 30, 2002.]

The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745), also known as the '''Public Company Accounting Reform and Investor Protection Act of 2002''' and commonly called '''SOX''' or '''Sarbox''', is a United States federal law ('', July 31, 2002, page A1). The legislation is wide-ranging and establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. The Act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on the requirements for complying with the new law. Supporters of these reforms believe the legislation was necessary and useful, while critics believe it does more economic damage than it prevents.

The Act establishes a new quasi-public agency, the Public Company Accounting Oversight Board (PCAOB), which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The Act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.

OVERVIEW

Sarbanes-Oxley contains 11 titles that describe specific mandates and requirements for financial reporting. Each title consists of several sections, summarized below:

• TITLE I – “Public Company Accounting Oversight Board (PCAOB)”
Title I establishes the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of public accounting firms providing audit services ("auditors"). It also creates a central oversight board tasked with registering auditors, defining the specific processes and procedures for compliance audits, inspecting and policing conduct and quality control, and enforcing compliance with the specific mandates of SOX.
Title I consists of nine sections.

• TITLE II – “Auditor Independence”
Title II, which consists of nine sections, establishes standards for external auditor independence in order to limit conflicts of interest. It also addresses new auditor approval requirements, audit partner rotation policy, conflict of interest issues and auditor reporting requirements. Section 201 of this title restricts auditing companies from doing other kinds of business, apart from auditing, with the same clients.

• TITLE III – “Corporate Responsibility”
Title III mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports. It defines the interaction of external auditors and corporate audit committees, and specifies the responsibility of corporate officers for the accuracy and validity of corporate financial reports. It enumerates specific limits on the behavior of corporate officers and describes specific forfeitures of benefits and civil penalties for non-compliance. For example, Section 302 requires the senior executives (Chief Executive Officer and Chief Financial Officer) to certify and approve the integrity of their company's financial reports quarterly, which helps establish accountability. Title III consists of eight sections.

• TITLE IV – “Enhanced Financial Disclosures”
Title IV consists of nine sections. It describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers. It requires internal controls for assuring the accuracy of financial reports and disclosures, and mandates both audits and reports on those controls. It also requires timely reporting of material changes in financial condition and specific enhanced reviews by the SEC or its agents of corporate reports.
• TITLE V – “Analyst Conflicts of Interest”
Title V consists of only one section, which includes measures designed to help restore investor confidence in the reporting of securities analysts. It defines codes of conduct for securities analysts and requires disclosure of knowable conflicts of interest.

• TITLE VI – “Commission Resources and Authority”
Title VI consists of four sections and defines practices to restore investor confidence in securities analysts. It also defines the SEC’s authority to censure or bar securities professionals from practice, and the conditions under which a person can be barred from practicing as a broker, adviser or dealer.

• TITLE VII – “Studies and Reports”
Title VII consists of five sections. Sections 701 to 705 are concerned with conducting research for enforcement actions against violations by SEC registrants (companies) and auditors. Studies and reports include the effects of consolidation of public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations and enforcement actions, and whether investment banks assisted Enron, Global Crossing and others in manipulating earnings and obfuscating true financial conditions.

• TITLE VIII – “Corporate and Criminal Fraud Accountability”
Title VIII consists of seven sections and is also referred to as the “Corporate and Criminal Fraud Act of 2002.” It describes specific criminal penalties for fraud by manipulation, destruction or alteration of financial records or other interference with investigations, while providing certain protections for whistle-blowers.

• TITLE IX – “White Collar Crime Penalty Enhancement”
Title IX consists of two sections. This title is also called the “White Collar Crime Penalty Enhancement Act of 2002.” It increases the criminal penalties associated with white-collar crimes and conspiracies.
It recommends stronger sentencing guidelines and specifically adds failure to certify corporate financial reports as a criminal offense.

• TITLE X – “Corporate Tax Returns”
Title X consists of one section. Section 1001 states that the Chief Executive Officer should sign the company tax return.

• TITLE XI – “Corporate Fraud Accountability”
Title XI consists of seven sections. Section 1101 gives this title the name “Corporate Fraud Accountability Act of 2002”. It identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific penalties. It also revises sentencing guidelines and strengthens their penalties, and enables the SEC to temporarily freeze large or unusual payments.

HISTORY & CONTEXT: EVENTS CONTRIBUTING TO THE ADOPTION OF SOX

A variety of complex factors created the conditions and culture in which a series of large corporate frauds occurred between 2000 and 2002. The spectacular, highly publicized frauds at Enron (see Enron Scandal), WorldCom, and Tyco exposed significant problems with conflicts of interest and incentive compensation practices. These frauds and others resulted in over U.S. $500 billion in market value declines. The analysis of their complex and contentious root causes contributed to the passage of SOX in 2002. Specific contributing factors and events included: (Farrell, Greg. ''America Robbed Blind.'' Wizard Academy Press, 2005)
Timeline and passage of SOX

The House passed Rep. Oxley's bill (H.R. 3763) on April 25, 2002, by a vote of 334 to 90. The House then referred the “Corporate and Auditing Accountability, Responsibility, and Transparency Act” (“CAARTA”) to the Senate Banking Committee with the support of President George W. Bush and the SEC. At the time, however, the Chairman of that Committee, Senator Paul Sarbanes (D-MD), was preparing his own proposal, Senate Bill 2673. Senator Sarbanes’s bill passed the Senate Banking Committee on June 18, 2002, by a vote of 17 to 4.

On June 25, 2002, WorldCom revealed it had overstated its earnings by more than $7.2 billion during the previous five quarters (15 months), primarily by improperly accounting for its operating costs. Sen. Sarbanes introduced Senate Bill 2673 to the full Senate that same day, and it passed 97-0 less than three weeks later, on July 15, 2002.

The House and the Senate formed a Conference Committee to reconcile the differences between Sen. Sarbanes's bill (S. 2673) and Rep. Oxley's bill (H.R. 3763). The conference committee relied heavily on S. 2673, and “most changes made by the conference committee strengthened the prescriptions of S. 2673 or added new prescriptions.” (John T. Bostelman, The Sarbanes-Oxley Deskbook § 2-31.) The Committee approved the final conference bill on ('', July 31, 2002, page A1).

ANALYZING THE COST-BENEFIT OF SARBANES-OXLEY

A significant body of academic research and opinion exists regarding the costs and benefits of SOX, with significant differences in conclusions. This is due in part to the difficulty of isolating the impact of SOX from other variables affecting the stock market and corporate earnings (see the Economist article “Five Years Under the Thumb”). Conclusions from several of these studies and related criticism are summarized below:
The effect of SOX on non-US companies

Some have asserted that Sarbanes-Oxley legislation has helped displace business from New York to London, where it is claimed that the city's spectacular growth in listings almost entirely coincided with the Sarbanes-Oxley legislation. In December 2006 Michael Bloomberg, New York's mayor, and Charles Schumer, a U.S. senator, expressed their concern (see the Bloomberg-Schumer report). The Sarbanes-Oxley Act's effect on non-US companies cross-listed in the US differs for firms from . However, the administrative cost of SOX is considered a drag on the productivity of capital regardless of the rate at which it is borrowed, and it is ironically the financial catastrophes caused by the 2000 bubble market and subsequent scandals that forced the Federal Reserve to flood money into the market via lower interest rates. Contrary to logical thinking, it was massive economic irresponsibility that led to improved credit ratings and lower rates.

IMPLEMENTATION OF KEY PROVISIONS

SOX Section 302: Internal control certifications

Under Sarbanes-Oxley, two separate certification sections came into effect, one civil and the other criminal: Section 302 (civil provision) and Section 906 (criminal provision). Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such internal controls to ensure that material information relating to the Company and its Consolidated Subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.”
The officers must “have evaluated the effectiveness of the Company’s internal controls as of a date within 90 days prior to the report” and “have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.” ''Id.''

Moreover, under Section 404 of the Act, management is required to produce an “internal control report” as part of each annual Exchange Act report. The report must affirm “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.” The report must also “contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” ''Id.'' To do this, managers are generally adopting an internal control framework such as that described in COSO.

Under both Section 302 and Section 404, Congress directed the SEC to promulgate regulations enforcing these provisions. (See Final Rule: Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Release No. 33-8238 (June 5, 2003), available at http://www.sec.gov/rules/final/33-8238.htm.) External auditors are required to issue an opinion on whether effective internal control over financial reporting was maintained in all material respects by management. This is in addition to the financial statement opinion regarding the accuracy of the financial statements. The requirement to issue a third opinion regarding management's assessment was removed in 2007.

SOX Section 404: Assessment of internal control

The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR).
This is the most costly aspect of the legislation for companies to implement, as documenting and testing important manual and automated financial controls requires enormous effort. Both management and the external auditor are responsible for performing their assessment in the context of a top-down risk assessment, which requires management to base both the scope of its assessment and the evidence gathered on risk. Both the PCAOB and the SEC recently issued guidance on this topic to help alleviate the significant costs of compliance and better focus the assessment on the most critical risk areas. The recently released PCAOB standard, which superseded Auditing Standard No. 2, has the following key requirements for the external auditor:
The recently released SEC Interpretive Guidance is generally consistent with the PCAOB's guidance above, but is intended for management.

SOX 404 and smaller public companies

The cost of complying with SOX 404 impacts smaller companies disproportionately, as there is a significant fixed cost involved in completing the assessment. For example, during 2004 U.S. companies with revenues exceeding $5 billion spent 0.06% of revenue on SOX compliance, while companies with less than $100 million in revenue spent 2.55% (SEC Advisory Committee Report; see charts on pages 33-34). This disparity is a focal point of 2007 SEC and U.S. Senate action (see the Dodd-Shelby Amendment). The PCAOB intends to issue further guidance during 2007 to help companies scale their assessment based on company size and complexity. The SEC issued its guidance to management in June 2007 (http://www.sec.gov/rules/interp/2007/33-8810.pdf).

SOX 404 and information technology

The financial reporting processes of most organizations are driven by IT systems. Few companies manage their data manually; most rely on electronic management of data, documents, and key operational processes. Therefore, IT plays a vital role in internal control. Chief Information Officers are typically responsible for the security, accuracy and reliability of the systems that manage and report the financial data. Systems such as ERP (Enterprise Resource Planning) are deeply integrated in the initiating, authorizing, processing, and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act.
So, although the Act signals a fundamental change in business operations and financial reporting, and places responsibility for corporate financial reporting on the Chief Executive Officer (CEO) and Chief Financial Officer (CFO), the Chief Information Officer (CIO) plays a significant role in management's assessment of internal control under Section 404 and in supporting the financial statement certification process. The PCAOB suggests considering the COBIT framework for more appropriate standards of measure. This framework focuses on Information Technology (IT) processes while remaining consistent with two key COSO components: control activities, and information and communication. However, there are certain aspects of COBIT that are outside the boundaries of Sarbanes-Oxley regulation.

IT application controls (i.e., transaction processing controls) that address material misstatement risks are a critical part of the SOX 404 assessment. However, the extent of SOX testing to perform related to IT General Controls (ITGC) has been a topic of contention (see the SEC Comment Letter Summary). By nature, ITGC have an indirect effect on financial statements. The 2007 SEC guidance states: "...management only needs to evaluate those ITGC that are necessary for the proper and consistent operation of other controls designed to adequately address financial reporting risks." ITGC efforts will likely be carefully scrutinized in light of the new guidance, which encourages focus on the most critical financial risks.

MISCELLANEOUS SOX TOPICS

Impact of SOX on the corporate IT department

The SEC identifies the COSO framework by name as a methodology for achieving compliance. The COSO framework defines five components of internal control, which can help support the requirements set forth in the Sarbanes-Oxley legislation. These five areas and their impacts for the IT department are as follows:

• Risk Assessment.
Before the necessary controls are implemented, IT management must assess and understand the areas of risk affecting the completeness and validity of the financial reports. They must examine how the company's systems are being used and the current level and accuracy of existing documentation. The areas of risk drive the definition of the other four components of the COSO framework.

• Control Environment.
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.

• Control Activities.
Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to the achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. In an IT environment, control activities typically include IT general controls (such as controls over program changes, access to programs, and computer operations) and application controls.

• Monitoring.
Auditing processes and schedules should be developed to address the high-risk areas within the IT organization. IT personnel should perform frequent internal audits. In addition, personnel from outside the IT organization should perform audits on a schedule that is appropriate to the level of risk.
Management should clearly understand and be held responsible for the outcome of these audits.

• Information and Communication.
Without timely, accurate information, it will be difficult for IT management to proactively identify and address areas of risk, and they will be unable to react to issues as they occur. IT management must demonstrate to company management an understanding of what needs to be done to comply with Sarbanes-Oxley and how to get there.