An Introduction to Sarbanes-Oxley Act of 2002
By Gopal Chandra Ghosh, FCA, ACMA, CSOX
Page 1 of 51

CONTENTS

INTRODUCTION ..... 4
MISSION ..... 4
BACKGROUND ..... 4
  Enron and WorldCom tales ..... 5
  Enron and WorldCom aftermath ..... 5
  Enactment history ..... 6
THE ACT AT A GLANCE ..... 7
CONTENTS OF THE ACT ..... 8
SUMMARY OF THE ACT ..... 8
  Title I: Public Company Accounting Oversight Board (Sections 101-109) ..... 8
  Title II: Auditor independence (Sections 201-209) ..... 11
  Title III: Corporate responsibility (Sections 301-308) ..... 12
  Title IV: Enhanced financial disclosures (Sections 401-409) ..... 13
  Title V: Analyst conflicts of interest (Section 501) ..... 14
  Title VI: Commission resources & authority (Sections 601-604) ..... 14
  Title VII: Studies and reports (Sections 701-705) ..... 14
  Title VIII: Corporate and criminal fraud accountability (Sections 801-807) ..... 14
  Title IX: White-collar crime penalty enhancements (Sections 901-906) ..... 15
  Title X: Corporate tax returns (Section 1001) ..... 15
  Title XI: Corporate fraud and accountability (Sections 1101-1107) ..... 15
IMPLEMENTATION DEADLINES ..... 16
IMPACT OF THE ACT ..... 17
ACTIONS AND PENALTIES ..... 23
CERTIFICATIONS AND ENHANCED DISCLOSURES ..... 24
  Certifications ..... 24
  Real time disclosures ..... 24
  Materiality of events and weaknesses ..... 25
IMPROVEMENT OF BUSINESS PROCESSES ..... 26
  Definition of a Business Process ..... 26
  Impact of the Act on Business Process ..... 27
WHISTLEBLOWER RESPONSIBILITY AND PROTECTION ..... 28
  Who is a whistleblower ..... 28
  Whistleblower under Sarbanes-Oxley Act ..... 28
  Legal protection for whistleblowers ..... 28
  Whistleblower program ..... 30
  Risks and challenges of whistleblowers ..... 30
  Key factors for successful whistleblower program ..... 31
  Monitoring role of Audit Committee ..... 31
  Examples of non-retaliation provisions ..... 31
PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD (PCAOB) ..... 33
  Standards-Setting responsibility of PCAOB ..... 33
  Standards and Related Rules ..... 34
  Pre-existing standards adopted by the Board ..... 34
  Policy regarding use of PCAOB Materials ..... 35
STANDING ADVISORY GROUP (SAG) ..... 37
  SAG selection process ..... 37
  SAG selection criteria ..... 37
  Biographies of current SAG members ..... 37
  Meetings of SAG ..... 38
  Observers at SAG meetings ..... 39
  Working methodology of SAG ..... 39
SMALLER PUBLIC COMPANIES ..... 40
  Advisory Committee on Smaller Public Companies ..... 40
  Guidance on Auditing Internal Control in Smaller Public Companies ..... 42
RELATIONSHIP BETWEEN PCAOB AND AICPA ..... 43
UNDERSTANDING SECTION 404 REQUIREMENTS ..... 44
  “Internal Control” under Sarbanes-Oxley ..... 44
  “Internal Control” under COSO ..... 45
  About COSO ..... 45
INTERNAL CONTROL - INTEGRATED FRAMEWORK ..... 46
  Components of internal control ..... 46
  Factors & activities of internal control ..... 50

INTRODUCTION

The Sarbanes-Oxley Act of 2002, named after its sponsors U.S. Senator Paul Sarbanes and U.S. Representative Michael Oxley and commonly called SOX or SarBox, was a legislative reaction to the corporate accounting scandals that were revealed in 2001. These scandals resulted in a great loss of public trust in corporate accounting and reporting practices.
Sarbanes-Oxley was enacted as a major effort to prevent accounting scandals and other problems from recurring and to rebuild public trust in corporate business practices and reporting.

MISSION

This Act, broadly titled “The Public Company Accounting Reforms and Investors Protection Act of 2002”, was enacted with the mission “To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes”.[1] The main goal of the Sarbanes-Oxley Act is to protect investors and increase their confidence in public companies by strengthening internal control and corporate governance. The intent of the Sarbanes-Oxley Act of 2002 was to guarantee that the information we rely on to make investment decisions is trustworthy and complete.[2]

[1] 107th Congress, US, Public Law 107-204, July 30, 2002; page 1, http://www.sec.gov/about/laws/soa2002.pdf
[2] Tizor White Papers, “Background on SOX: Sarbanes Oxley Overview” by “TIZOR Enterprise Data Auditing and Protection”, http://www.tizor.com/Resource-Center/Compliance-Resources/Background-on-SOX-Sarbanes-Oxley-Overview; accessed on 29 Sep 2007 at 1839 GMT.

BACKGROUND

The U.S. has a long history of modernizing financial discipline to meet the challenges of the time. The stock market crash of 1929 damaged investors’ confidence and resulted in a financial depression. To rebuild market confidence, the Government passed the Securities Act of 1933 to establish the Securities and Exchange Commission (SEC), and thereafter the Securities and Exchange Act of 1934. The SEC was given statutory authority to set accounting standards and oversee the activities of auditors. The role of establishing auditing standards was left to the accounting profession. Between 1938 and 1959, the accounting profession, led by the American Institute of Certified Public Accountants (AICPA), formed different committees and issued 51 authoritative pronouncements that formed the basis of what is known as Generally Accepted Accounting Principles (GAAP). At present the Financial Accounting Standards Board (FASB) promulgates the principles for measuring, recognizing and reporting financial information in financial statements. The SEC officially recognizes the FASB’s accounting standards or issues directives consistent with those guidelines.

Besides the wide range of activities of the FASB and the governance or supervisory role of the SEC, the U.S. accounting profession established a self-regulatory framework over the last many decades. It formed the Public Oversight Board (POB), the Quality Control Inquiry Committee (QCIC) and the Professional Ethics Division, introduced Continuing Professional Education (CPE) and practiced peer review to improve quality and reliability. These efforts of the Government, the SEC and the accounting profession together made the U.S. financial market one of the most respected in the world.

Enron and WorldCom tales

Enron filed an application for bankruptcy protection on 2 December 2001. This happened after it admitted to accounting errors and irregularities that had inflated earnings by almost US$ 600 million since 1994. With US$ 62.8 billion in assets, it became the largest bankruptcy in U.S. history. On the day of the application the stock closed at 72 cents, and later at 30 cents; it had traded at its high of US$ 90 in August 2000. Many employees lost their life savings and children’s college funds, and thousands of investors lost billions of dollars. The fraud was carried out through (i) showing artificial profitability by arcane financial transactions between Enron and related companies formed to take unprofitable entities off the company’s books; (ii) huge insider trading; and (iii) transfers of millions of dollars to personal accounts.

Shortly after Enron, WorldCom disclosed that it had hidden US$ 3.9 billion in expenses.
Struggling with US$ 41 billion of debt, WorldCom applied for bankruptcy protection on 21 July 2002 with US$ 107 billion in assets and took over the title of the largest bankruptcy from Enron. By the end of 2003, it was estimated that the company’s total assets had been inflated by US$ 11 billion. This was mainly done by overstating profits through (i) capitalizing expenses rather than charging them off; and (ii) inflating revenues through bogus accounting entries in ‘corporate unallocated revenue accounts’.

Enron and WorldCom aftermath

Accounting rules prior to the scandals of 2001 allowed Enron a great deal of latitude. These rules left loopholes that were exploited and created a mindset where form was more important than substance.[3] High-profile business failures culminating in a media fixation on Enron called into question the effectiveness of the profession's self-regulatory process as well as the effectiveness of the audit in upholding public trust in the capital markets.[4] The control deficiencies at the largest failed companies were extensive and included problems with the “tone at the top” as well as deficiencies in basic processing.

[3] History and Analysis of the Sarbanes-Oxley Act, http://www.cpa-cfa.com/Acc/SOX_History.html; accessed on 1 Oct 2007 at 0636 GMT.
[4] AICPA, “Landmark Accounting Reform Legislation Signed into Law” (official circulation September 2002), page 1, http://www.aicpa.org/pubs/cpaltr/Sept2002/landmark.htm; accessed on 29 Sep 2007 at 1848 GMT.

For example, within WorldCom there were material control deficiencies noted in the board of directors’ report, including issues with: a) the closing process; b) unsupported journal entries; c) booking accounting estimates; and d) recording expenses and fixed assets. These control deficiencies were exacerbated by a lack of integrity at the top of the organization, including both top management and the board of directors.

Similar deficiencies were found at other organizations as well. Early public reports of control deficiencies reinforce the perception that the quality of internal control merits the attention of boards, investors, regulators, management and internal auditors. Legislation to address shortcomings in financial reporting was already progressing in Congress, and the sudden revelation and collapse of WorldCom guaranteed swift congressional action.

Enactment history

House Representative Michael Oxley started drafting a bill called the “Corporate Auditing Accountability, Responsibility and Transparency Act”. It dealt with reporting the financial status of any company, and with the accountability and responsibility for making that financial status clear and transparent. He had been serving as chairman of the Committee on Financial Services and was the House sponsor of the Sarbanes-Oxley Act of 2002.[5]

At the same time, Senator Paul Sarbanes had another proposal along similar lines. He presented the bill to the Senate Banking Committee, which passed it with a majority. The accounting provisions of this bill were almost the same as those of Michael Oxley’s bill. As mentioned earlier, Sarbanes was the Senate sponsor of the Sarbanes-Oxley Act of 2002.[6]

Michael Oxley and Senator Paul Sarbanes thus presented two different bills, but both aimed at addressing the accounting disparities of various companies by means of a common set of rules and regulations. Both bills were presented to the Senate Banking Committee, which passed them with a huge majority in April 2002. Thereafter the two proposals were reconciled into one act, and the Sarbanes-Oxley Act came into existence. The Act is overseen by the U.S. Securities and Exchange Commission.

The law was approved by the House by a vote of 423-3 and by the Senate 99-0. It was signed into law by President George William Bush on 30 July 2002, who stated that enforcement of this law would have a far-reaching effect on the working pattern of business organizations.[7] It became the most significant legislation affecting the accounting profession since 1933.

[5] Wikipedia, the free encyclopedia; http://en.wikipedia.org/wiki/Michael_G._Oxley; accessed on 15 October 2007.
[6] Wikipedia, the free encyclopedia; http://en.wikipedia.org/wiki/Paul_Sarbanes; accessed on 15 October 2007.

THE ACT AT A GLANCE

The Sarbanes-Oxley Act of 2002 has dramatically redesigned the rules of corporate governance and related business practices. The Act created a five-member Public Company Accounting Oversight Board (PCAOB) with authority to set and enforce auditing, certification, attestation, quality control and ethics standards for public companies. It requires companies to set up stronger internal controls and puts new demands on the CEOs and CFOs of public companies, including making personal pledges that the quarterly and annual financial reporting of their company is truthful. The certifications required under the Act create a need for executives not only to document the internal control environment within the company, but also to certify that the controls are working effectively to ensure that business risks are being properly mitigated. In addition, the law expands the independence of board audit committees. Stock exchanges contributed to the labyrinth of regulations by instituting corporate governance requirements for listed companies.
In summary, the highlights of the Act are:

- Establishes a Public Company Accounting Oversight Board (PCAOB) under the Securities and Exchange Commission to oversee public accounting firms and issue accounting standards;
- Establishes new standards for corporate boards and audit committees;
- Requires companies to set up stronger, documented internal control;
- Requires that the CEOs and CFOs of public companies certify that the quarterly and annual financial reporting of their company is truthful;
- The certifications required under the Act require the executives to make personal pledges that the controls are working effectively;
- Requires public companies to evaluate their internal controls annually and to report those findings with their SEC filings;
- Establishes new accountability standards and criminal penalties for corporate management; and
- Establishes new independence standards for external auditors.

Many of the requirements of the law are considered controversial, such as Section 404, which requires public companies to explain the effectiveness of their internal controls and an outside auditor to attest to that effectiveness. Under Section 404 of the Sarbanes-Oxley Act, management is required to issue an annual report on internal control over financial reporting and the auditor must attest to that report. Some people call the regulation “an overreaction” to the financial scandals and say that compliance with Section 404 is too costly. Supporters of the law say it has already helped reduce corporate fraud and will bring back sustainable public confidence.

[7] Francisco, “History of Sarbanes Oxley Act”, 23 September 2007. Francisco owns and operates http://www.sarbanesoxleyweb.com; accessed on 1 Oct 2007 at 1229 GMT.

CONTENTS OF THE ACT

The Act contains 11 titles covering auditor independence, enhanced financial disclosures, conflicts of interest and corporate accountability, among other things. The chapters are:

Title I    : Public Company Accounting Oversight Board        (Sections 101-109)
Title II   : Auditor Independence                             (Sections 201-209)
Title III  : Corporate Responsibility                         (Sections 301-308)
Title IV   : Enhanced Financial Disclosures                   (Sections 401-409)
Title V    : Analyst Conflicts of Interest                    (Section 501)
Title VI   : Commission Resources & Authority                 (Sections 601-604)
Title VII  : Studies and Reports                              (Sections 701-705)
Title VIII : Corporate and Criminal Fraud Accountability      (Sections 801-807)
Title IX   : White-Collar Crime Penalty Enhancements          (Sections 901-906)
Title X    : Corporate Tax Returns                            (Section 1001)
Title XI   : Corporate Fraud and Accountability               (Sections 1101-1107)

SUMMARY OF THE ACT

The Sarbanes-Oxley law contains components ranging from additional corporate board responsibilities to criminal penalties for wrongdoing. The summary delineated hereunder contains only the significant provisions of the Act. Related materials are available at the AICPA[8] and SEC (U.S.) websites. Summaries of the important titles are below.

[8] AICPA, “Summary of the Provisions of the Sarbanes-Oxley Act of 2002”; http://thecaq.aicpa.org/Resources/Sarbanes Oxley; path CAQ Home > Resources > Sarbanes-Oxley > Summary of the Provisions of the Sarbanes-Oxley Act of 2002; accessed on 29 Sep at 1914 GMT.

Title I: Public Company Accounting Oversight Board (Sections 101-109)

Section 101: Establishment; Administrative Provisions

a. The PCAOB was established as an independent, non-government body to oversee the audits of public companies.
b. The Board consists of five full-time members (two CPAs and three non-CPAs) appointed for five-year terms. All need to be literate in finance.
c. The Chair may be held by one of the CPA members, provided that he or she has not been engaged as a practicing CPA within the last five years.
d. No member may, concurrent with service on the Board, "share in any of the profits of, or receive payments from, a public accounting firm," other than "fixed continuing payments," such as retirement payments.
e. Members of the Board are appointed by the Commission, "after consultation with" the Chairman of the Federal Reserve Board and the Secretary of the Treasury.

Section 102: Registration with the Board

Requires public accounting firms to register with the Board and take certain other actions in order to perform audits of public companies. They need to apply on prescribed forms and follow prescribed guidelines.

Section 103: Auditing, quality control, and independence standards and rules

Defines the responsibilities of the Board as:
a. Register public accounting firms.
b. Establish, or adopt, by rule, "auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports for issuers;"
c. Conduct inspections of accounting firms and, where applicable, conduct investigations and disciplinary proceedings and impose appropriate sanctions.
d. Enforce compliance with the Act, the rules of the Board, professional standards, and the securities laws relating to the preparation and issuance of audit reports and the obligations and liabilities of accountants with respect thereto.
e. Set the budget and manage the operations of the Board and the staff of the Board.
f. Perform such other duties or functions as necessary or appropriate.

The Board must adopt an audit standard to implement the internal control review required by Section 404.

Section 104: Inspections of registered public accounting firms

Annual quality reviews (inspections) must be conducted for firms that audit more than 100 issuers; all others must be inspected every 3 years. The SEC and/or the Board may order a special inspection of any firm at any time.

Section 105: Investigations and disciplinary proceedings

All documents and information prepared or received by the Board shall be confidential. However, all such documents and information can be made available to the SEC, the U.S. Attorney General, and other federal and appropriate state agencies.
Disciplinary hearings will be closed unless the Board orders that they be public, for good cause and with the consent of the parties. Sanctions can be imposed by the Board on a firm if it fails to reasonably supervise any associated person with regard to auditing or quality control standards or otherwise. No sanctions report will be made available to the public unless and until stays pending appeal have been lifted.

Section 106: Foreign public accounting firms

Foreign accounting firms that audit a U.S. company are required to register with the Board. This includes foreign firms that perform some audit work, such as in a foreign subsidiary of a U.S. company, that is relied on by the primary auditor.

Section 107: Commission oversight of the Board

The SEC has "oversight and enforcement authority over the Board" and can, by rule or order, give the Board additional responsibilities. The SEC may require the Board to keep certain records, and it has the power to inspect the Board itself, in the same manner as it can with regard to SROs. The Board, in its rulemaking process, is to be treated "as if the Board were a 'registered securities association'", that is, a self-regulatory organization. The Board is required to file proposed rules and proposals for rule changes with the SEC. The SEC may approve, reject or amend such rules. The Board must notify the SEC of pending investigations involving potential violations of the securities laws, and coordinate its investigation with the SEC Division of Enforcement as necessary to protect an ongoing SEC investigation. The SEC may, by order, "censure or impose limitations upon the activities, functions, and operations of the Board" if it finds that the Board has violated the Act or the securities laws, or if the Board has failed to ensure the compliance of accounting firms with applicable rules without reasonable justification.

The Board must notify the SEC when it imposes "any final sanction" on any accounting firm or associated person. The Board's findings and sanctions are subject to review by the SEC. The SEC may enhance, modify, cancel, reduce, or require remission of such a sanction.

Section 108: Accounting standards

The SEC recognizes GAAP and all principles therein.[9] The SEC is authorized to recognize as 'generally accepted' any accounting principles that are established by a standard-setting body that meets the bill's criteria, which include requirements that the body:[10]
a. be a private entity;
b. be governed by a board of trustees (or equivalent body), the majority of whom are not or have not been associated persons with a public accounting firm for the past 2 years;
c. be funded in a manner similar to the Board;
d. have adopted procedures to ensure prompt consideration of changes to accounting principles by a majority vote; and
e. consider, when adopting standards, the need to keep them current.

[9] Anand, Sanjay. “Sarbanes-Oxley Guide for Finance and Information Technology Professionals”, 2006, page 6. Publisher: John Wiley & Sons, Inc.
[10] AICPA, “Summary of the Provisions of the Sarbanes-Oxley Act of 2002”; http://thecaq.aicpa.org/Resources/Sarbanes Oxley; path CAQ Home > Resources > Sarbanes-Oxley > Summary of the Provisions of the Sarbanes-Oxley Act of 2002; accessed on 29 Sep at 1814 GMT.
Title II: Auditor independence (Sections 201-209)

Section 201: Services outside the scope of practice of auditors

It shall be "unlawful" for a registered public accounting firm to provide any non-audit service to an issuer contemporaneously with the audit, including:
(1) bookkeeping or other services related to the accounting records or financial statements of the audit client;
(2) financial information systems design and implementation;
(3) appraisal or valuation services, fairness opinions, or contribution-in-kind reports;
(4) actuarial services;
(5) internal audit outsourcing services;
(6) management functions or human resources;
(7) broker or dealer, investment adviser, or investment banking services;
(8) legal services and expert services unrelated to the audit;
(9) any other service that the Board determines, by regulation, is impermissible.
The Board may grant exemptions from these prohibitions, subject to review by the Commission.

Section 202: Pre-approval requirements

The Act allows an accounting firm to "engage in any non-audit service, including tax services," that is not listed above only if the activity is pre-approved by the audit committee of the issuer. The audit committee will disclose to investors in periodic reports its decision to pre-approve non-audit services. The pre-approval requirement is waived with respect to the provision of non-audit services for an issuer if the aggregate amount of all such non-audit services provided to the issuer constitutes less than 5% of the total amount of revenues paid to its auditor.

Sections 203 to 209

The lead audit or coordinating partner and the reviewing partner must rotate off the audit every 5 years.

The accounting firm must report to the audit committee all "critical accounting policies and practices to be used; all alternative treatments of financial information within that have been discussed with management, ramifications of the use of such alternative disclosures and treatments, and the treatment preferred" by the firm.

The CEO, Controller, CFO, Chief Accounting Officer or a person in an equivalent position cannot have been employed by the company's audit firm during the 1-year period preceding the audit.

Title III: Corporate responsibility (Sections 301-308)

Section 301: Public company audit committees

Each member of the audit committee shall be a member of the board of directors of the issuer, and shall otherwise be independent. The audit committee shall be directly responsible for the appointment, compensation, and oversight of the work of any registered public accounting firm employed by that issuer. Each audit committee shall have the authority to engage independent counsel or other advisors, as it determines necessary to carry out its duties.

Section 302: Corporate responsibility for financial reports

The CEO and CFO must certify that the information fairly represents the financial position of the company and its operational results in all material respects. For false certification, the certifying officers face penalties of US$ 1 million and/or up to 10 years of imprisonment for a “knowing” violation and US$ 5 million and/or up to 20 years of imprisonment for a “willful” violation.

Sections 303 to 308

It shall be unlawful for any officer or director of an issuer to fraudulently influence, coerce, manipulate or mislead any auditor engaged in the performance of an audit for the purpose of rendering the financial statements materially misleading.
If an issuer is required to prepare a restatement due to "material noncompliance" with financial reporting requirements, the chief executive officer and the chief financial officer shall "reimburse the issuer for any bonus or other incentive-based or equity-based compensation received" during the twelve months following the issuance or filing of the non-compliant document and "any profits realized from the sale of securities of the issuer" during that period.

Prohibits the purchase or sale of stock by officers, directors and other insiders during blackout periods. Any profits resulting from sales in violation of this section "shall inure to and be recoverable by the issuer." If the issuer fails to bring suit or prosecute diligently, a suit to recover such profit may be instituted by "the owner of any security of the issuer."

Attorneys appearing and practicing before the Commission in any way in the representation of issuers are required to report evidence of a material violation of securities laws to the chief legal counsel or the CEO of the company, and if they do not appropriately respond to the evidence, attorneys are required to report the evidence to the audit committee of the board of directors.

Civil penalties are added to the disgorgement funds for the relief of victims of such violations.

Title IV: Enhanced financial disclosures (Sections 401-409)

Section 401: Disclosures in periodic reports

"Each annual and quarterly financial report shall disclose all material off-balance sheet transactions" and "other relationships" with "unconsolidated entities" that may have a material current or future effect on the financial condition of the issuer. The SEC shall study off-balance sheet disclosures to determine (a) the extent of off-balance sheet transactions; and (b) whether generally accepted accounting rules result in financial statements of issuers reflecting the economics of such off-balance sheet transactions to investors in a transparent fashion.

Requires companies to provide enhanced disclosures, including a report on the effectiveness of internal control and procedures for financial reporting (along with external auditor attestation of that report) and disclosures covering off-balance sheet transactions and pro forma financial information. Requires disclosures regarding the code of ethics for senior financial officers and reporting of certain waivers.

Sections 402 to 403: Conflict of interest and disclosure of transactions

Generally, it will be unlawful for an issuer to extend credit to any director or executive officer. Directors, officers, and 10% owners must report designated transactions by the end of the second business day following the day on which the transaction was executed.

Section 404: Management assessment of internal controls

Requires each annual report of an issuer to contain an "internal control report", which shall:
a. state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
b. contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Each issuer's auditor shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this section shall be in accordance with standards for attestation engagements issued or adopted by the Board. An attestation engagement shall not be the subject of a separate engagement.

Section 405: Exemption

Nothing in Section 401, 402 or 404, the amendments made by those sections or the rules of the Commission under those sections applies to any registered investment company.

Sections 406 to 409

Require each issuer to disclose whether or not, and if not, the reasons therefor, such issuer has adopted a code of ethics for senior financial officers.
Require issuers to disclose whether at least 1 member of its audit committee is a "financial expert." The SEC shall review disclosures made by issuers on a regular and systematic basis but not less frequently than once every three years. Title V: Analyst conflicts of interest (Section 501) National Securities Exchanges and registered securities associations must adopt conflict of interest rules for research analysts who recommend equities in research reports. Title VI: Commission resources & authority (Sections 601-604) Provides additional funding to the SEC. Gives SEC and federal courts more authority to censure and impose certain prohibitions on persons and entities. Title VII: Studies and reports (Sections 701-705) Directs federal regulatory bodies to conduct studies regarding consolidation of accounting firms; credit rating agencies; violators and enforcement actions involving securities laws. Title VIII: Corporate and criminal fraud accountability (Sections 801-807) Provides tougher criminal penalties for altering documents, defrauding shareholders, and certain forms of obstruction of justice and securities fraud. Makes debts non-dischargeable if incurred in violation of securities fraud laws. Protects employees of companies who provide evidence of fraud. Employees of issuers and accounting firms are extended "whistleblower protection" that would prohibit the employer from taking certain actions against employees who lawfully disclose private employer information to, among others, parties in a judicial proceeding involving a fraud claim. Whistle blowers are also granted a remedy of special damages and attorney's fees. Auditors are required to maintain "all audit or review work papers" for five years. Page 14 of 51 The statute of limitations on securities fraud claims is extended to the earlier of five years from the fraud, or two years after the fraud was discovered, from three years and one year, respectively. 
A new crime for securities fraud that has penalties of fines and up to 10 years imprisonment. Title IX: White-collar crime penalty enhancements (Sections 901-906) Provides that any person who attempts to commit white collar crimes shall be treated under the law as if person had committed crime. CEO and CFO who knowingly or willfully certifies financial reports that are misleading faces a fine up to US$ 5 million and/or imprisonment of up to 20 years. Requires CEOs and CFO to certify in their periodic reports to the SEC that their financial statement fully comply with the requirements of the Securities Exchange Act of 1934 and impose penalties for certifying a misleading or fraudulent report. Maximum penalties for willful and knowing violations of this section are a fine of not more than $500,000 and/or imprisonment of up to 5 years. Title X: Corporate tax returns (Section 1001) CEO should sign the Company’s tax return. Title XI: Corporate fraud and accountability (Sections 1101-1107) Tempering with a record or otherwise obstructing a proceeding is a crime and is liable for up to 20 years in prison and a fine. The SEC is authorized to freeze the payment of an extraordinary payment to any director, officer, partner, controlling person, agent, or employee of a company during an investigation of possible violations of securities laws. The SEC may prohibit a person from serving as an officer or director of a public company if the person has committed securities fraud. Page 15 of 51 IMPLEMENTATION DEADLINES Compliance with Sarbanes-Oxley Act requirements is not-an-easy task. It involves almost all departments and people. As such the Act allows the companies to gradually comply phase by phase. The Act also defined the phases and deadlines to provide sufficient times to implement the business systems for ensuring compliance. The deadlines are subject to changes and for update, please visit www.sarbanesoxleyguide.com for current documentation. 
A summary of important provisions and the deadlines for implementation is delineated below (deadlines updated as of August 2005):[11]

Section 101 - PCAOB Recognition: Effective for annual filings for the first fiscal year ending after December 15, 2003.
Section 201 - Non-audit Services: Adopted January 28, 2003; services that were contracted before May 6, 2003, are allowed so long as they are completed by May 6, 2004.
Section 301 - Audit Committee Independent Director and Responsibilities: Compliance is required by the earlier of the first annual meeting after January 15, 2004, or October 31, 2004.
Section 302 - CEO/CFO Certification: For all reports due on or after August 14, 2003.
Section 906 - CEO/CFO Certification: For all reports due on or after August 14, 2003.
Section 304 - Forfeiture of Bonuses and Profits: Effective July 30, 2002.
Section 306 - Blackout Periods: Effective January 26, 2003.
Section 401 - Off-Balance Sheet Disclosures: Off-balance sheet disclosures required on statements for fiscal years ending on or after July 15, 2003; contractual obligation disclosure is required on statements for fiscal years ending on or after December 15, 2003.
Section 402 - Prohibition of Loans to Executives: Effective July 30, 2002.
Section 403 - Disclosure of Insider Trades: Effective January 26, 2003.
Section 404 - Internal Control Report: Accelerated filers are required to include the report in the annual report for the first fiscal period ending on or after November 15, 2004; all others are required to include it in the annual report for the first fiscal period ending on or after July 15, 2007.
Section 406 - Code of Ethics: Required disclosure (or waiver of requirement) in annual reports for fiscal years ending on or after July 15, 2003.
Section 407 - Financial Expert on Audit Committee: Required compliance for annual reports with fiscal periods ending on or after July 15, 2003 (December 15, 2003 for small business).
Section 409 - Real Time Disclosure: The SEC is not required to adopt specific rules.
Section 806 - Whistleblower Program: New civil and felony provisions in place as of July 30, 2002.

[11] Anand, Sanjay. "Sarbanes-Oxley Guide for Finance and Information Technology Professionals", 2006, page 63. Publisher: John Wiley & Sons, Inc.

IMPACT OF THE ACT

Sarbanes-Oxley requires that company executives, boards of directors, and independent auditors take specific actions to achieve a similar goal in corporate reporting and governance as well. A central theme of Sarbanes-Oxley is how these key players must work together, with critical cross-checks, to achieve that goal. To carry out this theme, Sarbanes-Oxley reinforces and expands on the responsibility of these players in the corporate reporting supply chain. In fact, the Act aims at strengthening corporate governance by impacting the different responsibility centres both inside and surrounding the issuer entities. These responsibility centres can be categorized into the following 11 categories:
a. Securities and Exchange Commission (SEC)
b. Public Company Accounting Oversight Board (PCAOB)
c. American Institute of Certified Public Accountants (AICPA)
d. Chief Executive Officer (CEO) & Chief Finance Officer (CFO)
e. Board of Directors (BoD)
f. Audit Committee (AC)
g. External Auditor (ExAud)
h. Finance Department (FinDept)
i. Internal Audit Department (IntAud)
j. IT Functions (IT)
k. Company Executives in general (ExGen)

Securities and Exchange Commission (SEC)

- The Act provides additional funding to the SEC for added activities. (Section 601)
- The SEC has "oversight and enforcement authority over the Board." (Section 107)
- The SEC shall make necessary rules for the PCAOB and review and approve its standards. (Section 108)
- The SEC shall review disclosures made by issuers (including Form 10-K) on a regular and systematic basis not less frequently than once every three years.
  (Section 408)
- The SEC shall issue rules that require each issuer to disclose whether or not, and if not, the reasons therefor, such issuer has adopted a code of ethics for senior financial officers. (Section 406)
- Gives the SEC and federal courts more authority to censure and impose certain prohibitions on persons and entities. (Sections 107 & 1105)

Public Company Accounting Oversight Board (PCAOB)

- Register public accounting firms. (Section 102)
- Establish, or adopt, by rule, "auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports for issuers." (Section 103)
- Conduct inspections of accounting firms. (Section 104)
- Conduct investigations and disciplinary proceedings, and impose appropriate sanctions. (Section 105)
- The Board must notify the SEC when it imposes "any final sanction" on any accounting firm or associated person. The Board's findings and sanctions are subject to review by the SEC. (Section 107)
- The Board shall collect "a registration fee" and "an annual fee" from each registered public accounting firm, in amounts that are "sufficient" to recover the costs of processing and reviewing applications and annual reports. (Section 109)
- The Board must adopt an audit standard to implement the internal control review required by Section 404(b).
- Perform such other duties or functions as necessary or appropriate. (Section 101, Clause 1(c)(5))
- Enforce compliance with the Act, the rules of the Board, professional standards, and the securities laws relating to the preparation and issuance of audit reports and the obligations and liabilities of accountants with respect thereto. (Section 101, Clause 1(c)(6))
- Set the budget and manage the operations of the Board and the staff of the Board. (Section 101, Clause 1(c)(7))

American Institute of Certified Public Accountants (AICPA)

The AICPA strongly supports the goals of the Sarbanes-Oxley Act. The AICPA's mission is to provide members with the resources, information, and leadership that enable them to provide valuable services in the highest professional manner to benefit the public as well as employers and clients. Consistent with that mission, it has developed the following guidance and tools to assist members, and the companies for which they work, to ensure the high standards of corporate governance and financial reporting that are contemplated by the Act.[12]
- Sarbanes-Oxley: The Basics
- SEC Rules and Interpretive Guidance
- PCAOB Standards and Interpretive Guidance
- Committee of Sponsoring Organizations (COSO) Internal Control Framework and guidance
- AICPA Audit Committee Toolkit
- Antifraud & Corporate Responsibility Resource Center
- Other Guidance and Resources

[12] AICPA, Financial Management Centre, "Sarbanes-Oxley Act", http://fmcenter.aicpa.org/Resources/Sarbanes-Oxley Act/; accessed on 15 Oct 07 at 0056.

CEO & CFO

Sarbanes-Oxley provisions that directly affect the CEO and CFO are as follows:

Accelerated reporting requirements:
- Reporting deadlines for filing periodic reports arrive earlier (determined by the SEC).
- Faster reporting of significant internal or external "events" affecting the business's condition is required (Section 409).
- Insider trading is to be reported faster (determined by the SEC).

- The CEO and CFO must provide financial statements and other financial information that is transparent in the way it fairly presents the company's financial condition, results of operations etc. (Section 302)
- They must certify that all facts in the annual report are true and that no significant information or facts have been left out. (Section 302)
- The CEO should sign the company's tax return. (Section 1001)
- Prohibited from extending credit to any director or executive officer. (Section 402)
- They are responsible for identifying, establishing and maintaining internal controls and for ensuring that they are evaluated regularly. (Section 404)
- CEOs and CFOs must inform their boards if significant internal control deficiencies exist. (Section 404)
- They must certify that internal control is effective and strong and that it is appraised in a regular manner. (Section 404)
- Requires CEOs and CFOs to certify in their periodic reports to the SEC that their financial statements fully comply with the requirements of the Securities Exchange Act of 1934, and imposes penalties for certifying a misleading or fraudulent report.

Audit Committee

Require issuers to disclose whether at least one member of its audit committee is a "financial expert." (Section 407)

Board of Directors

As the representatives of a company's shareholders, the board of directors, through its audit committee, is responsible for overseeing the company's accounting and financial reporting process and audits of its financial statements.

Directors, officers, and 10% owners must report designated transactions involving management and principal stockholders by the end of the second business day following the day on which the transaction was executed. (Section 403)

Section 404 poses significant challenges for corporate boards and management, including:
- the need to devote significant time and resources to ensure compliance;
- the need for management to evaluate and report annually on the effectiveness of internal control over financial reporting;
- the requirement for external auditors to opine on management's assessment of the effectiveness of its internal control over financial reporting; and
- the need for board of director and audit committee oversight of management's process, findings and remediation efforts as management scopes and executes its Section 404 plan.

External Auditor (registered public accounting firm)

- Prohibits a registered public accounting firm from providing any non-audit service to an issuer contemporaneously with the audit; such services are conditionally allowed subject to the approval of the Audit Committee. (Sections 201 & 202)
- The lead audit or coordinating partner and the reviewing partner must rotate off the audit every 5 years. (Section 203)
- The CEO, Controller, CFO, Chief Accounting Officer or person in an equivalent position cannot have been employed by the company's audit firm during the 1-year period preceding the audit. (Section 206)
- Each issuer's auditor shall attest to, and report on, the assessment made by the management of the issuer as to the effectiveness of internal control. (Section 404)
- Auditors are required to maintain "all audit or review work papers" for five years. (Section 802)
- The accounting firm must report to the audit committee all critical accounting policies and practices to be used; all alternative treatments that have been discussed with management, the ramifications of the use of such alternative disclosures and treatments, and the treatment preferred by the firm. (Section 404)
- The auditor must perform procedures to obtain sufficient evidence about the design and operation of internal controls, thereby reducing attestation risk to appropriately low levels. The auditor may consider the results of management's tests of the operating effectiveness of controls, but should never rely on them as principal evidence. The same is true for testing by third parties or internal auditors.[13]

[13] Donald K. McConnell Jr. and George Y. Banks, "How Sarbanes-Oxley Will Change the Audit Process", Journal of Accountancy, page 6; http://www.aicpa.org/pubs/jofa/sep2003/mcconn.htm; visited on 15 Oct 2007 at 0112.

Finance Department

The stake of the CFO's position has been raised through additional reporting and certification responsibilities under Sections 302 & 404. His or her neck is on the line with liability equal to that of the CEO, and this added responsibility is a recognition of the CFO's claim to be the second-in-command in a corporate entity. The scope of the finance department (treasury, accounting, reporting, internal control etc.) as the backbone of the process of financial reporting and related internal control has gained new importance.

To ensure the integrity of reporting and effective control, the organization needs to work as a cross-functional team. This may need some organizational changes both in structure and in the roles of individuals. The CFO has an integral and important role in the change process. He or she needs paramount leadership abilities such as dedication, vision, inspiration and motivation. All those qualities will be necessary for the CFO and the compliance team, where finance people have the enhanced coordination roles, to accomplish the task. This has created the demand for the finance and IT departments to be equipped with adequate skills in finance, internal control and information systems.

Internal Audit Department

The responsibility of internal audit has been extended as an important vehicle to make an assessment of the effectiveness of internal control. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Assessment by internal audit consists of a continuous review of the organization, systems and business processes and recommendations in order to ensure:
- Effectiveness and efficiency of operations.
- Reliability and integrity of financial and operational information.
- Compliance with laws, regulations, and contracts.

Internal audit activities and working papers help the external auditors, in their audit and attestation process, as an important source of information and evidence. "Under the U.S. Sarbanes-Oxley Act of 2002 section 404, the external auditor must assess the work of the internal audit activity in order to rely on their work.
The IIA strongly encourages that the results of an external QA be considered in order to come to a conclusion as to the reliability of the internal audit activity's work."[14]

Ultimately, the CEO, CFO and the Audit Committee of the Board can rely on internal audit for the establishment and evaluation of internal control as well as to assess the fairness of financial reports. It needs to be equipped with a skilled workforce and business processes sufficient to provide reliable assurance.

[14] The IIA official Web, http://www.theiia.org/guidance/quality/quality-faq/ search 'Internal Auditor in Sarbanes-Oxley'; accessed on 16 Oct 07 at 0006.

IT Functions (IT)

"The impact of the Sarbanes-Oxley Act on IT can be arrived at logically through the process of ripple-effect reasoning: Sarbanes-Oxley affects the CEO and CFO directly, as they must certify the authenticity and accuracy of certain documents, both financial and other. This certification responsibility, in turn, affects the corporate finance, governance and knowledge management systems that support the CEO and the CFO in generating those documents. This, in turn, affects the technology infrastructure that, to a large extent, encapsulates and automates the finance, governance, and knowledge management systems. The design and operation of a technology infrastructure are the responsibility of the IT department, which is headed up by a CIO and/or CTO."[15]

Internal control needs to be embedded in every stage of the design, development and application of the IT infrastructure and should be appraised on a continuous basis to enable the CEO and CFO to certify. One of the principal ways in which corporations and corporate executives can reduce their corporate, and now personal, liabilities is to implement changes to the IT systems that support the compliance and disclosure demands of Sarbanes-Oxley.

[15] Anand, Sanjay. "Sarbanes-Oxley Guide for Finance and Information Technology Professionals", 2006, page 95. Publisher: John Wiley & Sons, Inc.

Company Executives in general

- Prohibited from extending credit to any director or executive officer. (Section 402)
- Directors, officers, and 10% owners must report designated transactions involving management and principal stockholders by the end of the second business day following the day on which the transaction was executed. (Section 403)
- Prohibits the purchase or sale of stock by officers and directors and other insiders during blackout periods. (Section 306)
- Require each issuer to disclose whether or not, and if not, the reasons therefor, such issuer has adopted a code of ethics for senior financial officers. (Section 406)
- Employees of issuers and accounting firms are extended "whistleblower protection" that would prohibit the employer from taking certain actions against employees who lawfully disclose private employer information to, among others, parties in a judicial proceeding involving a fraud claim. (Section 806)

ACTIONS AND PENALTIES

The actions constituting violations of the provisions of the Sarbanes-Oxley Act are summarized below, as updated up to 2006. The actions and the related penalties may vary from time to time. For updates of this information, it is suggested to visit the official websites of the SEC (http://www.sec.gov) and the PCAOB (http://www.pcaob.org).

Action: Altering, destroying or concealing any records with the intent of obstructing a federal investigation.
Penalty: Fine and/or up to 10 years' imprisonment.

Action: Failure to maintain audit or review "working papers" for at least 5 years.
Penalty: Fine and/or up to 5 years' imprisonment.

Action: Anyone who "knowingly executes, or attempts to execute, a scheme" to defraud a purchaser of securities.
Penalty: Fine and/or up to 10 years' imprisonment.

Action: CEO or CFO who "recklessly" violates his or her certification of the company's financial statements.
Penalty: Fine and/or up to $1 million and/or up to 10 years' imprisonment.

Action: If the violation is "willful," the penalty increases.
Penalty: Fine and/or up to $5 million and/or up to 20 years' imprisonment.

Action: Conspiracy by two or more persons to commit any offense against, or to defraud, the United States or its agencies.
Penalty: Fine and/or up to 10 years' imprisonment.

Action: Any person who "corruptly" alters, destroys, conceals, etc., any records or documents with the intent of impairing the integrity of the record or document for use in an official proceeding.
Penalty: Fine and/or up to 20 years' imprisonment.

Action: Mail and wire fraud.
Penalty: Penalty increases from 5 to 20 years' imprisonment.

Action: Violating applicable Employee Retirement Income Security Act (ERISA) provisions.
Penalty: Various lengths depending on violation.

CERTIFICATIONS AND ENHANCED DISCLOSURES

Certifications

As per Section 302, the CEO and CFO must certify that the information fairly represents the financial position of the company and its operational results in all material respects. Section 404 requires them to certify the status of the company's internal control. In the certification, management must state its responsibility for establishing and maintaining the internal control structure and assess the effectiveness of such processes. Each issuer's auditor shall attest to, and report on, the assessment made by the management of the issuer.

Real time disclosures

Sections 401 to 409 deal with the enhanced financial disclosure requirements. As per Section 409, issuers must disclose information on material changes in the financial condition or operations of the issuer on a rapid and current basis. The Act significantly reduces the time allowed for filing of reports:
- Quarterly reports must be filed within 35 days of quarter-end (down from 45 days) by year 2005. See Form 10-Q at www.sec.gov/about/forms/form10-q.pdf
- Annual reports must be filed within 60 days of year-end (down from 75 days) by year 2005.
  See Form 10-K at www.sec.gov/about/forms/form10-k.pdf
- Annual reports on employee stock purchase plans are to be filed within 9 days after the end of the fiscal year. See Form 11-K at www.sec.gov/about/forms/form11-k.pdf
- Material events must be filed within two days under Section 409.

The fundamental requirement is that the CEO and CFO establish a monitoring system to ensure that material changes are detected and reported within two days. The confusion regarding the specific meaning of "materiality" is still to be resolved. However, the SEC (U.S.) listed the following events as material:[16]
- #1: Change in control.
- #6: Publication of financial statements and exhibits.
- #8: Any disclosure under Regulation FD.
- #11: Results of operations and financial condition.
- #12: "Other materially important events".
- #5 (new): Termination or reduction of a business relationship with a customer that constitutes a specified amount of the company's revenue.
- #11: Events triggering a direct or contingent financial obligation that is material to the company, including any default on or acceleration of an obligation.

[16] Anand, Sanjay. "Sarbanes-Oxley Guide for Finance and Information Technology Professionals", 2006, page 127. Publisher: John Wiley & Sons, Inc.

Materiality of events and weaknesses

Material events must be filed within two days under Section 409. The PCAOB's intent with AS5 is a less prescriptive standard that is risk-based and focuses auditors' attention on only those areas that could potentially lead to a material misstatement. Auditing Standard No. 5, "An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements", did not provide an exclusive definition of what material events are. As Sarah Johnson states, "The new AS5 carefully avoids a bright-line definition of materiality, but both the PCAOB and the SEC are clearly feeling increasing pressure to put some hard numbers behind the definition of what is 'material.'"[17] The PCAOB has suggested that auditors who do not elect to comply with Auditing Standard No. 5 before its effective date should use the definition of "material weakness" contained in Auditing Standard No. 5 after SEC approval of the standard.[18]

Indeed, the SEC has long resisted any numerical definition of materiality. In 1999, SEC staff released guidance, which still applies today, that said relying solely on quantitative benchmarks to assess materiality for preparing and auditing financial statements is not acceptable. The document, SAB 99 (SEC Staff Accounting Bulletin: No. 99 – Materiality), gives examples of how companies and auditors should incorporate both quantitative and qualitative tests, saying a numerical threshold could be a starting point for figuring out an error's materiality, but they have to "consider all the relevant circumstances."[19]

SAB 99 illustrates a quantitative measure as follows: when combined, the misstatements result in a 4% overstatement of net income and a $.02 (4%) overstatement of earnings per share. Because no item in the registrant's consolidated financial statements is misstated by more than 5%, management and the independent auditor conclude that the deviation from generally accepted accounting principles ("GAAP") is immaterial and that the accounting is permissible.[20] This staff accounting bulletin expresses the views of the staff that exclusive reliance on certain quantitative benchmarks to assess materiality in preparing financial statements and performing audits of those financial statements is inappropriate; misstatements are not immaterial simply because they fall beneath a numerical threshold. In certain circumstances, intentional immaterial misstatements are unlawful.

[17] Johnson, Sarah. "SEC, PCAOB Pushed to Define Materiality", page 1, www.CFO.com; 21 June 2007; visited on 22 June 2007 at 0507 GMT.
[18] PCAOB, "Standards and Related Rules", Auditing Standard No. 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, http://www.pcaobus.org/Standards/Standards_and_Related_Rules/Auditing_Standard_No.5.aspx; visited on 20 Nov 2007 at 1253 GMT.
[19] Johnson, Sarah. "SEC, PCAOB Pushed to Define Materiality", at CFO.com on June 21, 2007.
[20] SEC, "SEC Staff Accounting Bulletin: No. 99 – Materiality", 12 Aug 1999, at http://www.sec.gov/rules/acctrps/sab99.htm; visited on 23 Feb 2008 at 1630 GMT.

IMPROVEMENT OF BUSINESS PROCESSES

Definition of a Business Process

A business process is defined as a set of established methods for conducting a function of an organization. A formal documented business process is a description of the tasks and outcomes associated with a business activity. The business process is often drawn describing tasks, roles, resources and actions to be taken according to the business needs. The purpose of the process description is to detail all transactions as they flow within the process, the related key players and the documents/systems involved. The real control lies in those areas where the business unit establishes formal procedures and the different steps of a function are defined and monitored on a regular basis. Establishing internal control and any assurance over financial reporting can only be done when each and every step or task is guided by a standard procedure, done by a responsible player and documented properly.

Below is an example of a business process flow-chart for a procurement process (the original flow-chart, rendered here as its sequential tasks and decisions):
1. Need stock item? If No, the process ends; if Yes, continue.
2. Contract exists? If Yes, a purchase order is created (not yet approved); if No, proceed to quotation / negotiation.
3. Quotation / negotiation. New supplier? If Yes, the new supplier is set up; a purchase order is then created (not yet approved).
4. Approval of the purchase order (Yes / No).
5. PO printed and sent to supplier.

Other examples of business processes are payroll processing, sales processing, payment processing, the fixed assets management process, the recruitment process, the inventory management process, accounts receivable, credit management, etc. Description of tasks, segregation of duties, assignment of roles, documentation methods, the reporting process and clear job descriptions of employees are the preconditions of an effective business process. A process needs the support of sound policies and continuous reviews.

Impact of the Act on Business Process

The Sarbanes-Oxley Act has come up with different types of compliance requirements. Accordingly, business processes need to be reviewed to ensure that they accommodate the compliance requirements, which include, among others, assurance of the effectiveness of internal control. These ultimately bring some additional benefits, such as improved documentation and better reliance on the systems. An effective compliance solution will:
a. Reduce the risk of non-compliance with regulations;
b. Reduce the risk of financial restatements and fraud;
c. Create a sustainable monitoring process for continued compliance; and
d. Lay the foundation for broadening the focus of operating processes to identify improvements in process effectiveness and efficiency in order to reduce costs, compress closing time and better manage the business.
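The procurement flow-chart above, together with the preconditions listed for an effective business process (segregation of duties, assignment of roles, documentation), is the kind of control that Section 404 asks management to document and test. The following Python program is an added illustration and is not code from the original document or from any product: it encodes the flow-chart's steps as states, allows each step only to a role permitted to perform it, refuses out-of-order steps and self-approval (the buyer who created the purchase order cannot also approve it), and records every transition in an append-only audit log that an internal or external auditor could review. The role model, user names, the contracted-supplier list and the purchase data are all constructed for the example.

```python
"""Procurement workflow with segregation of duties and an audit trail.

Added illustration, not code from the original document. The states follow the
procurement flow-chart on the page (need -> contract? -> quotation -> PO created
(not approved) -> approval -> PO sent). Every transition is checked against the
actor's role, refused when the process is not in the expected state, blocked
when the same person would both create and approve an order, and appended to
an audit log. Roles, users, suppliers and purchase data are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical role model: which roles may perform which task (constructed).
PERMISSIONS = {
    "requester": {"request"},
    "buyer": {"negotiate", "setup_supplier", "create_po", "send_po"},
    "approver": {"approve"},
}

# Constructed reference data: suppliers that already have a contract.
CONTRACTED_SUPPLIERS = {"ACME Supplies"}


class ControlViolation(Exception):
    """Raised when a step breaks a control (wrong role, wrong state, or SoD)."""


@dataclass
class PurchaseOrder:
    item: str
    supplier: str
    state: str = "requested"
    created_by: Optional[str] = None
    approved_by: Optional[str] = None
    # Append-only trail of (user, action, state before, state after).
    audit_log: list = field(default_factory=list)

    def _check(self, user: str, role: str, action: str, expected_state: str) -> None:
        """Role must be permitted to do the action, and the PO must be in the right state."""
        if action not in PERMISSIONS.get(role, set()):
            raise ControlViolation(f"{user} ({role}) may not {action}")
        if self.state != expected_state:
            raise ControlViolation(f"{action} not allowed in state {self.state}")

    def _record(self, user: str, action: str, new_state: str) -> None:
        self.audit_log.append((user, action, self.state, new_state))
        self.state = new_state

    def route(self, user: str, role: str) -> str:
        """'Contract exists?' decision: contracted suppliers skip negotiation."""
        self._check(user, role, "request", "requested")
        if self.supplier in CONTRACTED_SUPPLIERS:
            self._record(user, "route:contract", "ready_for_po")
        else:
            self._record(user, "route:no-contract", "negotiation")
        return self.state

    def negotiate(self, user: str, role: str, new_supplier: bool) -> str:
        """Quotation / negotiation; a new supplier must be set up before a PO exists."""
        self._check(user, role, "negotiate", "negotiation")
        if new_supplier:
            self._check(user, role, "setup_supplier", "negotiation")
            self._record(user, "setup_supplier", "supplier_setup")
            self._record(user, "supplier_setup_done", "ready_for_po")
        else:
            self._record(user, "negotiate", "ready_for_po")
        return self.state

    def create_po(self, user: str, role: str) -> str:
        """'Purchase order created (non approved)'; remembers who created it."""
        self._check(user, role, "create_po", "ready_for_po")
        self.created_by = user
        self._record(user, "create_po", "po_created_unapproved")
        return self.state

    def approve(self, user: str, role: str) -> str:
        """Approval step with segregation of duties: the creator cannot approve."""
        self._check(user, role, "approve", "po_created_unapproved")
        if user == self.created_by:
            raise ControlViolation("segregation of duties: creator cannot approve own PO")
        self.approved_by = user
        self._record(user, "approve", "approved")
        return self.state

    def send(self, user: str, role: str) -> str:
        """'PO printed and sent to supplier' is only reachable from 'approved'."""
        self._check(user, role, "send_po", "approved")
        self._record(user, "send_po", "sent")
        return self.state


def run_happy_path() -> PurchaseOrder:
    """Constructed walk-through: new supplier, separate buyer and approver."""
    po = PurchaseOrder(item="laptop", supplier="NewCo Ltd")
    po.route("alice", "requester")          # no contract -> negotiation
    po.negotiate("bob", "buyer", new_supplier=True)
    po.create_po("bob", "buyer")
    po.approve("carol", "approver")
    po.send("bob", "buyer")
    return po


def self_approval_is_blocked() -> bool:
    """The buyer who created the PO tries to approve it; the control must refuse."""
    po = PurchaseOrder(item="toner", supplier="ACME Supplies")
    po.route("alice", "requester")          # contract exists -> straight to PO
    po.create_po("bob", "buyer")
    try:
        po.approve("bob", "approver")
    except ControlViolation:
        return True
    return False
```

The audit log is what makes the process evidence for an assessment: each entry names the actor, the step and the state change, so a reviewer can confirm that no order was sent without a distinct approver and that no step was skipped.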
Introduction of Sarbanes-Oxley Act has affected some Business Processes and Technologies like the following: Sections Business Process Technology Impacted 302 Financial Reporting 404 Internal Control 409 Reporting “Material Events” ERP, SCM, CRM, MIS, Reporting, Enterprise Integration, ETL, Data Warehousing, Business Intelligence ERP, SCM, CRM, Enterprise Security, Secure Enterprise Integration, Workflow ERP, CRM, SCM, EAI, Business Activity, Monitoring, Executive Dashboards, Business Performance Monitoring, Operational Intelligence 103 Document & Records Management Document Imaging and Records, Management System, Knowledge Management 301 Whistleblower Provision Secure Communication System, Workflow and Document Management Page 27 of 51 WHISTLEBLOWER RESPONSIBILITY AND PROTECTION Who is whistleblower A whistleblower is an employee, former employee, or member of an organization, especially a business or government agency, who reports misconduct to people or entities that have the power and presumed willingness to take corrective action. Generally the misconduct is a violation of law, rule, regulation and/or a direct threat to public interest, such as fraud, health/safety violations and corruption. The term whistleblower derives from the practice of English Bobbies who would blow their whistle when they noticed the commission of a crime. The blowing of the whistle would alert both law enforcement officers and the general public of danger. 21 An employee who reports alleged wrongdoing or improper conduct is defined as a “Whistleblower”. Whistleblowing is relevant to all organizations and all people. This is because every business and every public body faces the risk of things going wrong internally. Where such a risk arises, usually the first people to realize or suspect the wrongdoing will be those who work in or with the organization. 
Whistleblower under the Sarbanes-Oxley Act

The Sarbanes-Oxley Act has brought added responsibility at all levels of management, starting from the CEO’s assurance and certification and extending down to entry-level executives’ “whistleblower” responsibility. As per section 301 of the Sarbanes-Oxley Act, the Audit Committee has to establish procedures for the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal controls or auditing matters, and for the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters. Section 806 of the Sarbanes-Oxley Act provides protection for employees who provide evidence of fraud. Employees of issuers and accounting firms are extended "whistleblower protection" that prohibits the employer from taking certain actions against employees who lawfully disclose private employer information to, among others, parties in a judicial proceeding involving a fraud claim. Whistleblowers are also granted a remedy of special damages and attorney's fees. Section 1107 delineates the penal provisions for retaliation against informants.

Legal protection for whistleblowers

Legal protection for whistleblowing varies from country to country. In the United Kingdom, the Public Interest Disclosure Act 1998 provides a framework of legal protection for individuals who disclose information so as to expose malpractice and matters of similar concern. In the United States, legal protections vary according to the subject matter of the whistleblowing and sometimes the state in which the case arises.

21 Winters v. Houston Chronicle Pub. Co., 795 S.W.2d 723, 727 (Tex. 1990) (Doggett, J., concurring).
In passing the 2002 Sarbanes-Oxley Act, the Senate Judiciary Committee found that whistleblower protections were dependent on the "patchwork and vagaries" of varying state statutes.22 The patchwork of laws means that victims of retaliation need to be alert to the laws at issue to determine the deadlines and means for making proper complaints. Some deadlines are as short as 10 days; others are as long as 180 days. An example of the “means for making proper complaints” is that, under certain acts, a person filing a complaint of discrimination or retaliation will be required to show that he or she engaged in protected activity, that the employer knew about that activity, that the employer subjected him or her to an adverse employment action, and that the protected activity contributed to the adverse action. An adverse employment action is generally defined as a material change in the terms or conditions of employment. Depending upon the circumstances of the case, "discrimination" can include:23

Firing or laying off
Blacklisting
Demoting
Denying overtime or promotion
Disciplining
Denial of benefits
Failure to hire or rehire
Intimidation
Reassignment affecting prospects for promotion
Reducing pay or hours

The first U.S. law adopted specifically to protect whistleblowers was the Lloyd-La Follette Act of 1912. It guaranteed the right of federal employees to furnish information to the United States Congress. Most recently, the U.S. Supreme Court dealt a major blow to government whistleblowers when, in the case of Garcetti v. Ceballos, 04-473, it ruled that government employees did not have protection from retaliation by their employers under the First Amendment of the Constitution. In response to the Supreme Court decision, the House of Representatives passed H.R. 985, the Whistleblower Protection Act of 2007, which was approved by the Senate Committee on Homeland Security and Governmental Affairs on 13 June 2007. However, as of 31 October 2007, it had yet to reach a vote in the Senate.
22 “Legal protection for whistleblowers”, http://en.wikipedia.org/w/index.php?title=Whistleblower&action=edit&section=5; visited on 11 Nov 2007 at 2040 GMT.
23 “The Whistleblower Protection Program”, U.S. Department of Labor, Occupational Safety & Health Administration; http://www.osha.gov/dep/oia/whistleblower/index.html; visited on 31 Oct 2007 at 0527 GMT.

Whistleblower program

A “Whistleblower Program” is the procedure a company employs in addressing reports of suspected fraudulent, wrong or improper conduct by company personnel, as well as suspected wrongdoing or complaints related to the company’s accounting, internal controls, auditing or financial reporting matters. An effective whistleblower program is still found more in literature than in practice, because of the realities of the factors that lie behind it. A company has to have an appropriate culture to do a good job of preventing and detecting economic crimes. An effective whistleblower program, in combination with appropriate internal controls, can help organizations build up this culture. Auditors cannot audit every process and transaction all the time. An analysis of business crises between 1990 and 2000 found that management is frequently aware of problems and ignores them until a crisis develops or an employee blows the whistle on the activity. According to a study from the auditing firm PriceWaterhouseCoopers [PWC.UL] released on Tuesday, 16 October 2007, “Whistle-blowers still uncover the most incidents of corporate fraud even as companies invest in financial controls”. The study polled 5,400 executives in 40 countries, with respondents reporting total losses of about $4.2 billion from fraud. PriceWaterhouseCoopers found that 29 percent of frauds were detected through whistleblower hotlines and internal tip-offs, with an additional 14 percent discovered through external tip-offs.
The internal audit department was the second-biggest fraud detector, detecting about 19 percent of all frauds, the survey showed.24 Cynthia Cooper of WorldCom and Sherron Watkins of Enron exposed corporate financial scandals, and Coleen Rowley of the FBI later outlined the agency's slow action prior to the 11 September 2001 attacks. The three were selected as Time's People of the Year in 2002.25

Risks and challenges of whistleblowers

A whistleblower program is one of the biggest challenges for organizations to establish, especially in small companies where everybody is in close touch in terms of relationships and each other's careers. Whistleblowers are generally found reluctant to play an active role for the following reasons:

Most whistleblowers suffer harassment, retaliation, alienation, intimidation, discrimination, job loss / blacklisting, stress / emotional hardship, family hardship / divorce;
Management could, knowingly or not, send a message to break rules, or employees may misinterpret the message;
Fewer legal protections;
Negative publicity;
Corporate culture and sub-cultures; and
Employees do not know / forget who to contact.

24 Emily Chasan, “Whistle-blowers still best at finding fraud-survey”, Tuesday 16 October 2007; http://www.reuters.com/article/bankingfinancial-SP-A; page number 2; visited on 18 Oct 2007 at 0958 GMT.
25 From Wikipedia, the free encyclopedia; “Famous whistleblowers” at http://en.wikipedia.org/wiki/Whistleblower#_note-0; on 04 Nov 07.
Key factors for a successful whistleblower program

The program must be accessible easily and cheaply to all employees through multiple channels;
Encourage internal disclosure to avoid public crisis: provide support, act quickly, offer feedback and reward;
Establish a strong and consistent “Tone at the Top”: management must send clear and consistent messages of what is expected of all employees;
The Ombudsperson should be active and visible;
Establish a strong support network: whistleblowers need support at work, at home and from peers; and
Build widespread awareness:
- of the program’s existence and avenues for disclosure;
- of support from Management and the Board of Directors;
- of support from the Audit Committee; and
- of the connection to the organization’s Code of Ethics.

Monitoring role of the Audit Committee

Possible roles of the Audit Committee may be:

Establishing a strong Whistleblower Program;
Monitoring the effectiveness of and compliance with the Whistleblower Program; and
Reviewing the program at least annually and making changes as necessary.

Examples of non-retaliation provisions

1. No adverse personnel action will be taken against an employee of the Company, nor will retaliation against such person be tolerated, for the disclosure of information the employee made in good faith believing that their complaint involved:
A violation of any law;
Gross mismanagement;
An abuse of authority;
Fraudulent or dishonest conduct;
A breach of internal controls; or
Improper or fraudulent accounting, auditing or financial reporting.
2. No supervisor, manager, or any other employee with authority to make or materially influence significant personnel decisions shall take an adverse personnel action against an employee in knowingly retaliating for disclosing alleged wrongful conduct or improprieties. Any employee found to have so violated this procedure shall be disciplined, up to and including termination of employment.
3. Complaints of alleged retaliation are to be directed to the person to whom the Whistleblower Complaint was first reported, to Human Resources, or to the President/CEO.

PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD (PCAOB)

The PCAOB is a private-sector, nonprofit corporation, created by the Sarbanes-Oxley Act of 2002, to oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, fair and independent audit reports.

Standards-setting responsibility of the PCAOB

Section 103(a)(1) of the Sarbanes-Oxley Act of 2002 (the Act) directs the Board to establish auditing and related attestation standards, quality control standards, and ethics standards to be used by registered public accounting firms in the preparation and issuance of audit reports, as required by the Act or the rules of the Commission, or as may be necessary or appropriate in the public interest or for the protection of investors. Similarly, Section 103(b) authorizes the Board to establish such rules as may be necessary or appropriate to implement the auditor independence requirements in, or as authorized under, Title II of the Act, Auditor Independence. Section 103(a)(4) directs the Board to convene such expert advisory groups as may be appropriate to aid in standards-setting and affords the Board considerable discretion in determining the procedures by which it will develop and adopt auditing and related professional practice standards. The Board has convened a Standing Advisory Group (SAG) to advise the Board on the establishment of auditing and related professional practice standards. While the Board will, by rule, establish standards, it recognizes that the development of such standards should be an open, public process in which investors, the accounting profession, the preparers of financial statements and others have the opportunity to participate.
The Board's staff is actively involved in drafting proposed standards and in advising the Board in its standards-setting. The Board also encourages proposals and recommendations on its standards-setting agenda and standards development projects from the public. The Board also may establish one or more ad hoc task forces to assist the staff with the drafting of technical language, among other things. After completing the development process, which ordinarily includes consultation with the SAG and may include discussion in other public forums such as roundtable discussions, the Board’s staff recommends a proposed standard to the Board in an open meeting. Proposed standards approved by the Board in an open meeting ordinarily will be published for public consideration and comment. After the Board and its staff evaluate the comments received, the Board’s staff recommends a final standard to the Board in an open meeting, revised as necessary and appropriate based on the evaluation of the comments received. Final standards adopted by the Board are submitted to the Securities and Exchange Commission for approval and do not become effective unless approved by the Commission.

Standards and Related Rules

The following standards and related rules have been adopted by the PCAOB and approved by the SEC. This information is updated as of 31 December 2007. For updated information please visit the PCAOB website. 26

Auditing Standard No. 1: References in Auditors’ Reports to the Standards of the Public Company Accounting Oversight Board
Auditing Standard No. 2: An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements
Auditing Standard No. 3: Audit Documentation
Auditing Standard No. 4: Reporting on Whether a Previously Reported Material Weakness Continues to Exist
Auditing Standard No. 5: An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements
Auditing Standard No. 6: Evaluating Consistency of Financial Statements
Interim Standards: Pre-existing standards adopted by the Board as its interim standards to be used on an initial, transitional basis
Rule 3100: Compliance with Auditing and Related Professional Practice Standards
Rule 3101: Certain Terms Used in Auditing and Related Professional Practice Standards
Rules 3501, 3502, and 3520 to 3524: Ethics and Independence Rules and Related Information Concerning Independence, Tax Services, and Contingent Fees
Rule 3525: Audit Committee Pre-Approval of Non-Audit Services Related to Internal Control Over Financial Reporting

Pre-existing standards adopted by the Board

On 16 April 2003, the Board adopted certain pre-existing standards as its interim standards to be used on an initial, transitional basis. 27 The Board adopted the following AICPA Auditing Standards Board Statements on standards and related interpretations, as in existence on 16 April 2003, to the extent not superseded or amended by the Board (standard adopted, PCAOB rule, AICPA standards adopted):

Interim Auditing Standards, Rule 3200T: AICPA Auditing Standards Board’s Statement of Auditing Standards No. 95, and related interpretations
Interim Attestation Standards, Rule 3300T: Attestation Engagements, and related interpretations
Interim Quality Control Standards, Rule 3400T: Quality Control Standards
Interim Ethics Standards, Rule 3500T: Code of Professional Conduct Rule 102, and interpretations and rulings
Interim Independence Standards, Rule 3600T: Code of Professional Conduct Rule 101, and interpretations and rulings, and Standards Nos. 1, 2, and 3, and Interpretations 99-1, 00-1, and 00-2, of the Independence Standards Board

26 PCAOB; at http://www.pcaobus.org/Standards/Standards_and_Related_Rules/index.aspx; visited on 29 Sep 07 at 1830 GMT.
27 PCAOB; at http://www.pcaobus.org/Standards/Interim_Standards/index.aspx; visited on 29 Sep 2007 at 1832 GMT.

Policy regarding use of PCAOB Materials

The Board makes its materials available to professionals as well as the general public for knowledge and facilitates easy access to them. The Public Company Accounting Oversight Board intends that public accounting firms, issuers, investors, and the general public have easy access to the rules and standards of the Board, as well as forms, releases, orders, notices, frequently asked questions, and reports that the PCAOB has disseminated to the general public, whether by posting to the Board’s website or otherwise providing such material to the general public (collectively, “PCAOB Public Materials”). Accordingly, it is the policy of the Board that the PCAOB will not assert copyright infringement claims based solely on the publication, distribution, or sale (collectively, “Publication”) of all or any portion of such PCAOB Public Materials, whether in the English language or in a faithful translation in any other language. This policy applies world-wide. This policy does not apply to materials in which the PCAOB does not hold a copyright, such as third-party materials displayed on the PCAOB website (e.g., the standards of the American Institute of Certified Public Accountants displayed in the “Interim Standards” section of the Web site). Further, this policy not to assert claims as set forth above does not waive any other rights the PCAOB may have in connection with the Publication or other use of PCAOB Public Materials or otherwise, whether with respect to the accuracy of the published materials (including the faithfulness of any translations) or of the source of the published materials, or otherwise. This policy should not be construed to indicate that the PCAOB does or does not maintain any form of copyright interest in any particular materials. This policy may be amended from time to time.
Any new restriction imposed by such an amendment will not apply to paper copies of PCAOB Public Materials that were printed prior to the effective date of the amendment. 28

28 PCAOB; at http://www.pcaobus.org/Copyright.aspx; visited 29 Sep 2007 at 1828 GMT.

STANDING ADVISORY GROUP (SAG)

The Public Company Accounting Oversight Board on 15 April 2004 announced the formation of a Standing Advisory Group to assist the Board in carrying out its standards-setting responsibilities. As per section 103(a)(4), the Board has convened a Standing Advisory Group (SAG) to advise the Board on the establishment of auditing and related professional practice standards.

SAG selection process

The Board began soliciting nominations for the group in November 2003 and received more than 170 nominations, including self-nominations, from any person or organization. The nominations included many prominent and highly experienced people. From this list, the Board selected 30 individuals with expertise in a variety of fields, including accounting, auditing, corporate finance, corporate governance, and investing in public companies. The group is chaired ex officio by the Board’s Chief Auditor and Director of Professional Standards.

[Figure: SAG selection process. The PCAOB solicited nominations for the group from individuals, professional associations and monitoring/regulatory agencies; 170 nominations of prominent and highly experienced people were received; 30 individuals were selected (15 for the 2006-07 term and 30 for the 2007-08 term).]

SAG selection criteria

The members of the group are selected based on their qualifications and not the organizations they represent. The members are selected mostly from CPAs with proven records in public practice and/or in private jobs at top positions such as senior consultant, CFO and CEO. The team comprises both male and female members.
A few are from a CFA background and some others are academics in the fields of accounting and financial management. Almost all of them have around 20 years of extensive working experience in multifarious disciplines.

Biographies of current SAG members

Analysis of the qualifications, experience and skills of the 30 members of the SAG reveals that the Board emphasized the following qualities:

Served as a member of the governing council of the AICPA.
Served as a member of the AICPA Assurance Services Executive Committee, AICPA’s Professional Ethics Executive Committee, etc.
Served on professional committees, including standards-setting groups.
Served as a member of the International Federation of Accountants' (IFAC) Transnational Auditors' Committee.
Served as a member of the State Board of Accountancy or the Board of Directors of the National Association of State Boards of Accountancy.
Member of the FASB User Advisory Council and speaker on global equity structure, hedge funds and executive compensation.
Service on the Accountancy Advisory Board of universities.
Experience in investigations, corporate governance and SEC regulatory matters, and compliance with accounting and auditing standards.
Experience in extensive research on corporate governance and on fraudulent financial reporting.
Experience in developing the practicing firm’s audit policies and methodology.
Co-authored the COSO-sponsored study on fraudulent financial.
Experience in setting audit policy, designing education courses, office inspections, independence and other duties in practicing firms.
Certified Fraud Examiner and Certified Information Systems Auditor.
Experience in leadership and oversight of finance-related projects and initiatives.
Skill in finance and accounting, internal and external reporting, response to the governance and process requirements of Sarbanes-Oxley, and restructuring.
The highlights presented above show that the Board emphasized practical job experience as well as experience in professional practice while selecting the SAG members. The Board was very happy to receive very good responses from well-qualified people. Doug Carmichael, the Board’s Chief Auditor and the advisory group’s first Chair, said: “I am pleased with the broad range of experience and expertise that the Board has chosen for this important group.”29

Meetings of the SAG

Membership is personal to the member, and the duties and responsibilities of the member cannot be delegated to others. The Standing Advisory Group will meet in both open and executive sessions. Decisions on recommendations to the Board will be made at open meetings. The SAG meets in person approximately three times per year. The common agenda comprises the Board's current standards-setting priorities, the Board’s current standards-setting activities and the standards-related accomplishments during the past year. The agenda and other documents for a meeting can generally be found on the Board's website at www.pcaobus.org under Standards and Standing Advisory Group. The meetings are open to the public and will be web-cast on the Board's web site.30

Observers at SAG meetings

Chaired by the Board’s Chief Auditor and Director of Professional Standards, the SAG is composed of 31 highly qualified persons representing the auditing profession, public companies, investors, and others. The Board also has granted the following six organizations observer status with speaking rights at all SAG meetings:

i. Auditing Standards Board of the American Institute of Certified Public Accountants (ASB);
ii. Department of Labor (DL);
iii. Financial Accounting Standards Board (FASB);
iv. Government Accountability Office (GAO);
v. International Auditing and Assurance Standards Board (IAASB); and
vi. Securities and Exchange Commission (SEC).

Working methodology of the SAG

The group helps the Board review existing auditing standards to identify where changes or updates are needed to improve audit quality. The Standing Advisory Group brings a multi-disciplined perspective to the Board’s process of setting auditing standards. While the Board’s staff drafts the standards, this group of experts gives its advice to the Board on standard-setting priorities and the policy implications of existing and proposed standards. Where necessary, the group engages in a panel discussion on the attributes of auditing issues.

[Figure: SAG working methodology. PCAOB staff organize meetings and prepare working papers; the Standing Advisory Group reviews existing standards, identifies needs for updates and engages in panel discussions; observers at SAG meetings (ASB (AICPA), DL, FASB, GAO, IAASB and SEC) have the right to speak; recommendations go to the Board; PCAOB staff draft the standards as per the advice of the SAG.]

29 Carmichael, Doug, the PCAOB’s Chief Auditor and the advisory group’s first Chair. At http://www.pcaobus.com/news_and_events/news/2004/04-15.aspx; visited on 20 October 2007 at 2131 GMT.
30 PCAOB at http://www.pcaobus.com/news_and_events/news/

SMALLER PUBLIC COMPANIES

Companies with market capitalizations of less than $75 million were originally supposed to start reporting under the Sarbanes-Oxley Act from July 2007; the deadline was subsequently extended to 15 December 2007. Since it was signed into law five years ago in the wake of the scandals at Enron and WorldCom, the Sarbanes-Oxley Act has had mixed results fighting corporate corruption. Despite criticism from many U.S. executives who call the requirements too costly and cumbersome, especially for small public companies, the U.S. Senate on Tuesday, 19 April 2007 defeated a Republican attempt to weaken 2002's post-Enron Sarbanes-Oxley laws by making it optional for many corporations to comply with a controversial section on internal controls. Republicans attempted to make compliance optional for companies with a market value of less than $700 million.
Instead, the Senate adopted a statement expressing support for efforts already under way by federal regulators to fine-tune Section 404. The SEC has been working on easing the hardship of smaller public companies in the following ways:

Established the Commission Advisory Committee on Smaller Public Companies to consider the impact of Commission rules, including the internal control reporting rules, on smaller companies.
Encouraged the Committee of Sponsoring Organizations (COSO) of the Treadway Commission to develop additional guidance in applying its internal control framework to smaller companies.
The PCAOB committed to work on developing guidance on auditing internal control over financial reporting in smaller public companies and additional guidance on applying the standard to audits of smaller public companies.

Advisory Committee on Smaller Public Companies

The Commission established the SEC Advisory Committee on Smaller Public Companies to assess the current regulatory system for smaller companies under the securities laws, including the impact of the Sarbanes-Oxley Act of 2002. The Advisory Committee delivered its Final Report on 23 April 2006.31 The SEC Advisory Committee provided some recommendations for smaller public companies, to apply unless and until a framework for assessing internal control over financial reporting for such companies is prescribed.

1. Recommendation II.P.1: Establish a new system of scaled or proportional securities regulation for smaller public companies using the following six determinants to define a “smaller public company”:
the total market capitalization of the company;
a measurement metric that facilitates scaling of regulation;
a measurement metric that is self-calibrating;
a standardized measurement and methodology for computing market capitalization;
a date for determining total market capitalization; and
clear and firm transition rules, i.e. small to large and large to small.
The Committee proposed to develop specific scaled or proportional regulation for companies under the system if they qualify as “microcap companies” or “smallcap companies”.
2. Recommendation III.P.1: Provide exemptive relief from Section 404 requirements to microcap companies with less than $125 million in annual revenue, and to smallcap companies with less than $10 million in annual product revenue. Provide exemptive relief from external auditor involvement in the Section 404 process to the following companies, subject to their compliance with the same corporate governance standards as detailed in the recommendation above:
Smallcap companies with less than $250 million in annual revenues but more than $10 million in annual product revenue; and
Microcap companies with annual revenue between $125 and $250 million.
3. Recommendation III.S.1: Request that COSO and the PCAOB provide additional guidance to help facilitate the assessment and design of internal controls and make processes related to internal controls more cost-effective; also, assess if and when it would be advisable to reevaluate and consider amending AS2.

31 SEC Official Bulletin, http://www.sec.gov/info/smallbus/acspc.shtml; visited on 21 Oct 2007 at 0322 GMT.
The Commission should ask COSO to provide additional guidance to help management of smaller companies assess internal controls, because of the lack of practical guidance and the absence of a standard to enable management of smaller companies to address internal control.

Guidance on Auditing Internal Control in Smaller Public Companies

The Public Company Accounting Oversight Board published for public comment staff guidance on auditing internal control over financial reporting in smaller public companies. The guidance explains how auditors can apply the Board's internal control auditing standard, Auditing Standard No. 5, An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements, to audits of smaller, less complex public companies. Auditing Standard No. 5 provides direction to auditors on scaling the audit based on the company’s size and complexity. “This staff guidance is a key component of the PCAOB’s overall effort to support the successful implementation of AS No. 5. The guidance will assist auditors of smaller, less complex public companies in implementing AS No. 5. Importantly, it works in tandem with other efforts underway at the PCAOB to engage auditors as they move to implement the new standard”.32 This guidance demonstrates how auditors can apply the principles described in the standard and provides examples of approaches to particular auditing issues that might arise in audits of smaller and less complex companies. Topics discussed in the staff guidance include: entity-level controls, risk of management override, segregation of duties and alternative controls, information technology controls, financial reporting competencies, and testing controls with less formal documentation.

32 Mark W. Olson, PCAOB Chairman, Washington, DC, 17 October 2007; at http://www.pcaobus.org/News_and_Events/News/2007/1017.aspx; visited on 18 October 2007 at 0941 GMT.

RELATIONSHIP BETWEEN PCAOB AND AICPA

The AICPA strongly supports the goals of the Sarbanes-Oxley Act. The AICPA's mission is to provide members with the resources, information and leadership that enable them to provide valuable services in the highest professional manner to benefit the public as well as employers and clients. Consistent with that mission, it has developed the necessary guidance and tools to assist members and the companies for which they work. Some provisions of the Act and the working methodology of the SEC and PCAOB made the AICPA an integral part of the overall process. Some provisions and related implications are below:

As per section 101, the Board shall consist of five full-time members, of whom 2 are CPAs and 3 non-CPAs. All need to be experts in financial management.
As per section 103(a)(4), the Board has convened a Standing Advisory Group (SAG) to advise the Board on the establishment of auditing and related professional practice standards.
As per section 108, the SEC recognizes GAAP and all principles therein. 33 The PCAOB/SEC is authorized to recognize any accounting principles as 'generally accepted' that are established by a standard-setting body that meets the bill's criteria, which include requirements that the body: 34
a. be a private entity;
b. be governed by a board of trustees (or equivalent body), the majority of whom are not or have not been associated persons with a public accounting firm for the past 2 years;
c. be funded in a manner similar to the Board;
d. have adopted procedures to ensure prompt consideration of changes to accounting principles by a majority vote; and
e.
consider, when adopting standards, the need to keep them current and

These criteria not only recognize the standards set by the AICPA but also prescribe the acceptability of standards set by the IASB and similar organizations.

33 Anand, Sanjay. “Sarbanes-Oxley Guide for Finance and Information Technology Professionals”, 2006, page 6. Publisher: John Wiley & Sons, Inc.
34 AICPA, “Summary of the Provisions of the Sarbanes-Oxley Act of 2002”; http://thecaq.aicpa.org/Resources/Sarbanes Oxley; path CAQ Home > Resources > Sarbanes-Oxley > Summary of the Provisions of the Sarbanes-Oxley Act of 2002; accessed on 30 Sep at 0114.

UNDERSTANDING SECTION 404 REQUIREMENTS

Section 404 of the Act, Management Assessment of Internal Controls, which may be the most challenging aspect of the Act, requires most publicly registered companies and their external auditors to report on the effectiveness of the company’s internal control over financial reporting. The report is required to:

a. state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
b. contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Section 404 is just one part of a comprehensive set of requirements that includes the development of disclosure committees, certification of financial statements by the CEO and CFO, attestation by the external auditor and the implementation of fraud risk management processes that would alert the appropriate levels of governance to potential frauds or illegal acts within the company.

“Internal Control” under Sarbanes-Oxley

In August 2003, the SEC introduced the term “internal control over financial reporting”.
The SEC rule defines the internal control over financial reporting process as:

A process designed by, or under the supervision of, the issuer's principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles, and includes those policies and procedures that:

- Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
- Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and
- Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.

"Internal Control" under COSO

For the purpose of establishing and maintaining an adequate internal control structure, and of performing an assessment of its effectiveness, management is required to base its assessment on a suitable and well-defined control framework. In the U.S., the most broadly accepted framework for internal control is provided by the Committee of Sponsoring Organizations (COSO).
COSO's definition of internal control is:

A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

- Effectiveness and efficiency of operations;
- Reliability of financial reporting; and
- Compliance with applicable laws and regulations.

The SEC's definition of internal control is a version of the COSO definition specific to Sarbanes-Oxley requirements. The SEC and PCAOB believe that the use of a framework other than the COSO framework will be rare, given the widespread acceptance of the COSO framework, but have not mandated its use. In its various rule releases, the SEC discussed the definition of internal control offered by COSO. As such, following COSO's guidance in defining the framework of internal control is indicative rather than directive.

About COSO

The Committee of Sponsoring Organizations of the Treadway Commission of the U.S.A., commonly known as COSO, is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance. COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions. The National Commission was jointly sponsored by five major professional associations in the United States: the American Accounting Association, the American Institute of Public Accountants, Financial Executives International, The Institute of Internal Auditors, and the National Association of Accountants (now the Institute of Management Accountants).
The Commission was wholly independent of each of the sponsoring organizations and contained representatives from industry, public accounting, investment firms and the New York Stock Exchange. The Chairman of the National Commission was James C. Treadway, Jr., Executive Vice President and General Counsel of Paine Webber Incorporated and a former Commissioner of the U.S. Securities and Exchange Commission; hence the popular name "Treadway Commission".

INTERNAL CONTROL - INTEGRATED FRAMEWORK

In 1992, COSO published Internal Control – Integrated Framework, a multi-volume report that establishes a common definition of internal control and provides a standard by which organizations can assess and improve their control systems. Since then, Internal Control – Integrated Framework has been widely heralded as the most comprehensive study ever undertaken on control. COSO's concept of internal control assigns roles and responsibilities to everyone in the organization, including directors as key drivers of the control process.

The COSO framework defines internal control as a process, effected by an organization's board of directors, management and other personnel, that provides reasonable assurance regarding achievement of objectives in the following categories:

a. Effective and efficient operations - Addresses a company's basic business objectives, including performance and profitability goals and the safeguarding of resources.
b. Reliable financial reporting - Covers the preparation of reliable financial statements and other financial information. This objective is the most relevant to management's assessment of internal control over financial reporting under section 404.
c. Compliance with applicable laws and regulations - Covers laws and regulations to which a company is subject, to avoid damage to a company's reputation or other negative consequences. Compliance with laws and regulations is not part of section 404 unless directly related to financial statement preparation.

Components of internal control

COSO identifies five components of internal control that need to be in place and integrated to achieve these objectives:

a. Control Environment;
b. Risk Assessment;
c. Control Activities;
d. Information and Communication; and
e. Monitoring.

[Figure: the COSO cube, showing the five components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring) against the three objectives (Operations, Financial Reporting, Compliance) across Process 1 to Process 4.]

a. Control Environment

The control environment establishes the overall tone for the organization and is the foundation for all other components of internal control. COSO identifies seven sub-components of the control environment:

- Integrity and ethical values
- Commitment to competence and development of people
- Management philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resources policies and procedures
- Participation by those charged with governance (Board of Directors, audit committee)

Examples of factors that management should consider when evaluating its control environment:

- Management's specification of the level of competence needed for particular jobs and the ultimate fulfillment of those specifications
- Management's
  i. commitment that integrity and ethical values cannot be compromised, and
  ii. assurance that employees will receive and understand that message
- Management's continuous demonstration, through words and actions, of a commitment to high ethical standards
- A philosophy and operating style of management that have a pervasive, positive effect on the entity
- An organizational structure that is neither so simple that management cannot adequately monitor the entity's activities nor so complex that the structure inhibits the necessary flow of information
- Executives that fully understand their control responsibilities and possess experience and levels of knowledge commensurate with their positions
- The assignment of responsibility, delegation of authority, and establishment of policies that
  iii. provide a basis for accountability and control; and
  iv. set forth employees' respective roles and responsibilities in the organization
- Human resource policies that are central to recruiting and retaining competent people who will enable the entity to carry out its plans and achieve its goals

The Standard specifies that management must also address anti-fraud programs and the effectiveness of the audit committee when evaluating the control environment.

Anti-Fraud considerations

The standard indicates that all controls should be evaluated that are intended to address the risks of fraud and have at least a reasonably possible likelihood of having a material effect on the Company's financial statements. An anti-fraud program includes the following key elements:

a. Code of conduct / ethics
b. Investigation and remediation of identified fraud
c. Oversight by the audit committee and board
d. Risk assessment

Audit Committee Effectiveness

The company's Board of Directors is responsible for evaluating the performance and effectiveness of the audit committee and demonstrating its assessment to the external auditor.
When evaluating the effectiveness of the audit committee, we believe the board should consider the following:

- Independence of the audit committee from the members of management
- Clarity with which the audit committee's role and responsibilities are articulated, and how well the audit committee and management understand those responsibilities
- Level of involvement and interaction with the external auditors
- Level of involvement and interaction with the internal auditors
- Interaction with key members of financial management
- The audit committee's compliance with exchange listing standards
- The level of financial expertise among the audit committee members

b. Risk Assessment

Another component of internal control is risk assessment. As part of its risk assessment process, management should determine and consider the implications of relevant risks that could hinder the achievement of its objectives. For purposes of management's section 404 assessment, the standard indicates that management should identify the risks of material misstatement in the significant accounts and disclosures and related assertions of the financial statements. Management should implement controls to prevent or detect errors or frauds that could result in material misstatements.

c. Control Activities

Control activities are the policies and procedures that help to ensure that management's directives are implemented. Control activities occur throughout the organization, at all levels, and in all functions. The activities involve approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties. COSO discusses many different types of control activities, including preventive controls, detective controls, manual controls, computer controls and management controls.

d. Information and Communication

The information and communication component includes the systems that support the identification, capture, and exchange of information in a form and time frame that enable personnel to carry out their responsibilities and financial reports to be generated accurately. When evaluating this component, management must consider internally generated and externally generated data that enable management to make informed business decisions about financial reports and disclosures. Examples of relevant external information include industry, economic and regulatory information. Communicating relevant data throughout all levels of the company and to the appropriate external parties is an important part of internal control. Management should focus on understanding the systems and processes that are important in the accumulation of financial data, including the systems of controls that safeguard information, the process for authorizing transactions and the system for maintaining records.

e. Monitoring

Monitoring is the continuous process that management uses to assess the quality of internal control performance over time. There are three sub-components of monitoring:

- Ongoing Monitoring - Ongoing monitoring occurs in the ordinary course of operations. It includes regular management and supervisory activities.
- Periodic Monitoring - Periodic monitoring involves less frequent (i.e. monthly or quarterly) activities by senior management.
- Reporting deficiencies - The monitoring component should also include a process for reporting deficiencies to the appropriate level of management and the board of directors and for undertaking remediation efforts.

Examples of monitoring controls:

- Internal audit
- Management reviews
- Audit committee activities

Factors & activities of internal control

Control Environment

Control environment factors include:
- Integrity, ethical values, and competence of the employees;
- Management philosophy and operating style;
- Assignment of authority and responsibility;
- Organizational structure;
- Training and development opportunities; and
- Degree of board involvement.

Risk Assessment

Risk assessment involves:
- identifying and analyzing risks that are relevant to the objectives; and
- forming a basis for determining how the identified risks should be managed.

Control Activities

Control activities occur throughout the organization and include such things as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Information and Communication

Effective communication must occur in a broader sense, i.e.:
- flowing down, across and up the organisation;
- a clear message from top management that control responsibilities must be taken seriously; and
- personnel must understand their own role in the internal control system.

Monitoring

Monitoring is a process that assesses the quality of the system's performance, which is accomplished through:
- ongoing monitoring activities - these include regular management and supervisory activities that occur during the course of operations;
- separate evaluations - the scope and frequency of separate evaluations depend on the assessment of risks and the effectiveness of ongoing monitoring; and
- a combination of the two.

__END__