Report to the Governor, Lt. Governor and Speaker of the House of Representatives VOLUME I Submitted by THE TEXAS STATE BOARD OF PUBLIC ACCOUNTANCY November 11, 2004 1 [THIS PAGE DELIBERATELY LEFT BLANK] 2 TABLE OF CONTENTS 1.0. EXECUTIVE SUMMARY .................................................................................................................................5 1.1. 1.2. 1.3. 1.4. 1.5. DEFINITION OF PUBLIC INTEREST ENTITIES ............................................................................................5 GENERAL CONCLUSIONS ..........................................................................................................................6 DEVELOPMENT OF RESPONSIBILITY TABLE ............................................................................................6 RECOMMENDATIONS .................................................................................................................................7 TSBPA ADOPTION OF REPORT .................................................................................................................7 STATUTORY AND REGULATORY RESPONSIBILITY TABLE FOR PUBLIC INTEREST ENTITIES....8 2.0. BACKGROUND................................................................................................................................................11 2.1. 2.2. THE TSBPA’S TASK FORCE ....................................................................................................................11 THE ACCOUNTING PROFESSION IN TEXAS .............................................................................................12 3.0. SARBANES-OXLEY ACT ISSUES ................................................................................................................13 4.0. TASK FORCE PROCESS ................................................................................................................................14 5.0. SOX REQUIREMENTS, RESTRICTIONS ...................................................................................................15 ON PUBLIC INTEREST ENTITIES AND OTHER ACTIONS NEEDED.........................................................15 5.1. 5.2. 5.3. 5.4. 5.5. 5.6. 5.7. THE NATIONAL ASSOCIATION OF STATE BOARDS OF ACCOUNTANCY. ................................................16 ACTIONS WITHIN OTHER STATES ..........................................................................................................17 THE AMERICAN ASSEMBLY REPORT ......................................................................................................18 VOLUNTARY ADOPTION ..........................................................................................................................19 REQUESTS FOR INPUT FROM PUBLIC INTEREST ENTITIES .....................................................................20 THE PUBLIC FORUM ................................................................................................................................22 THE TEXAS SOCIETY OF CPAS ...............................................................................................................23 6.0. GENERAL ACCOUNTING OFFICE STUDY AND REPORT ...................................................................24 7.0. TSBPA RULES AND ANALYSIS OF SOX PROVISIONS..........................................................................25 7.1. THE PUBLIC ACCOUNTANCY ACT AND TSBPA RULES..........................................................................25 7.2. ANALYSIS OF SOX PROVISIONS ..............................................................................................................26 7.2(a). SOX Sec. 101-109...........................................................................................................................26 7.2(a)(1). Independence................................................................................................................................27 7.2(a)(2). Ethics Education...........................................................................................................................27 7.2(a)(3). Continuing Education...................................................................................................................27 7.2(a)(4). Registration and Peer Review ......................................................................................................27 7.2(a)(5). Enforcement .................................................................................................................................28 7.2(b). SOX Sec. 201. Non-audit service restrictions...............................................................................28 7.2(c). SOX Sec. 202. Audit committee pre-approval of non-prohibited outside auditor services .........29 7.2(d). SOX Sec. 203. Rotation of lead and reviewing audit partner ......................................................29 7.2(e). SOX Sec. 204. Requirement of audit firm to report on specific items to audit committee (or its equivalent). ........................................................................................................................................................29 7.2(f).. SOX Sec. 206. Restrictions on hiring of key member of outside audit team (1-year coolingoff period) ...........................................................................................................................................................................29 7.2(g). SOX Sec. 207. GAO study on audit firm rotation ........................................................................30 7.2(h). SOX Sec. 209. State Board consideration ....................................................................................30 7.2(i). SOX Sec. 404. Reporting on internal controls. ............................................................................30 7.2(j). SOX Sec. 802. Criminal penalties for altering documents and 5 year retention of audit workpapers. .......................................................................................................................................................30 7.2(k). SOX Sec. 806. Whistleblower protection. .....................................................................................31 7.2(l). SOX Sec. 1102. Criminal penalties for altering documents. .......................................................31 7.2(m). SOX Sec. 1107. Whistleblower protection. ...................................................................................31 3 7.3. ACTION ITEM FOR THE TEXAS LEGISLATURE. ......................................................................................31 7.3(a). SOX Sec. 303. Unlawful for officer or director to fraudulently influence, coerce, manipulate or mislead outside auditor. ....................................................................................................................................31 8.0. COST OF COMPLIANCE ...............................................................................................................................32 9.0. CONCLUSION ..................................................................................................................................................34 9.1. RECOMMENDATIONS. ..............................................................................................................................34 ATTACHMENTS (Located in Volume II) ATTACHMENT 1 ATTACHMENT 2 ATTACHMENT 3 ATTACHMENT 4 ATTACHMENT 5 ATTACHMENT 6 ATTACHMENT 7 ATTACHMENT 8 ATTACHMENT 9 ATTACHMENT 10 ATTACHMENT 11 ATTACHMENT 12 ATTACHMENT ATTACHMENT ATTACHMENT ATTACHMENT 13 14 15 16 ATTACHMENT 17 Sarbanes-Oxley Act of 2002 “Sarbanes-Oxley’s Compliance Conundrum”, United Press International May 7, 2004 Texas State Board Report, October 2003, Vol. 80 “NASBA Regional Director’s Report”, November 2003 NASBA Discussion Memorandum “Answering the SOX Challenge – Guidelines for State Boards of Accountancy”, September 30, 2003 “The Future of the Accounting Profession” American Assembly Report, 103rd American Assembly, Columbia University, November 11-13, 2003 “The Sarbanes-Oxley Act of 2002: Recommendations for Higher Education”, Advisory Report 2003-3, National Association of College and University Business Officers, November 20, 2003 Matrix of SOX provisions sent to PIEs PIE responses Parties that submitted either written or oral testimony Written comments and matrices received from public forum attendees “A Report to Senate Committee on Banking, Housing and Urban Affairs and the House Committee on Financial Services,” General Accounting Office, November 2003 Board Rule 519.6 (Subpoenas) Board Rule 519.43 (Emergency Suspension) Board Rule 519.8 (Administrative Penalties) Board Rule 519.7 (Misdemeanors that Subject a Certificate or License Holder to Discipline by the Board) “Section 404 Could Cost Big Companies $4.6 Million or More” Accounting WEB, February 13, 2004 4 Report to the Governor, Lt. Governor and Speaker of the House of Representatives Implementation of the Sarbanes-Oxley Act in Texas The Texas State Board of Public Accountancy shall report to the governor, the lieutenant governor, and the speaker of the house of representatives, not later than December 31, 2004, regarding: (1) the requirements of the federal Sarbanes-Oxley Act (Pub. L. No. 107-204), including any restrictions on public interest entities, and any legislation or other action needed to conform state law to the requirements of that Act; (2) the federal General Accounting Office study on audit firm rotation and any legislation or other action needed to conform state law to the findings of that study; and (3) the rules adopted by the board that are intended to comply with the federal standards described by Subdivisions (1) and (2) of this section and the board's actions in implementing and enforcing those rules. Public Accountancy Act, Sec. 29 1.0. EXECUTIVE SUMMARY In response to Sec. 29 of the Public Accountancy Act, the Texas State Board of Public Accountancy (TSBPA) formed a task force to develop recommendations for the TSBPA to consider in making its report in accordance with Sec. 29’s requirements. The task force studied the Sarbanes-Oxley Act of 2002 (SOX, or the Act) and considered relevant activities of other states and regulatory bodies, existing studies and other relevant information. The task force received input from selected associations and regulators of public interest entities (PIEs) and held a public forum during which it received input from interested parties. The task force’s objective was to develop recommendations for the TSBPA that strike an appropriate balance between safeguarding the public’s interest while promoting a sound Texas business climate, which also is in the public interest. 1.1. Definition of Public Interest Entities. For purposes of this report, the task force defined PIEs as: Those entities whose audited financial statements are relied upon by significant numbers of stakeholders to make investment, credit, or similar decisions (e.g., in the case of a publicly held company) or by regulators in their oversight role (e.g., in the case of pension plans, banks, insurance companies, and school districts), and therefore, the potential extent of harm to the public from an audit failure involving one of these entities would generally be significant. 5 1.2. General Conclusions. The TSBPA cautions against state-by-state application of SOX-type legislation to public interest entities or to other non-publicly held entities as this is likely to be confusing for businesses operating in multiple states, complicate uniformity of enforcement, and increase costs to the Texas consumer as compared to consumers in other states. The task force found that many PIEs and their auditors are already subject to national standards or regulations that apply to Texas PIEs. Additionally, the TSBPA cautions that adoption of any particular SOX-type provision should not be presumed preferable to declining adoption. Rather, each provision should be evaluated considering the resultant protection provided to the public versus the cost and other negative impacts of the provision’s adoption, as well as the size of the entity affected. The TSBPA does not believe there should be an additional layer of regulation for public interest entities outside their respective regulatory agencies or bodies. However, the TSBPA does recommend that existing regulatory bodies of PIEs should review and adopt appropriate SOX provisions, where applicable, related to the governance and management functions of the PIEs for which these regulatory bodies are responsible. A tool to assist the PIEs in their review has been developed. Entitled “Statutory and Regulatory Responsibility Table for Public Interest Entities,” the table is discussed in this report. Each state agency that regulates PIEs should be required to formally address and report on its review of the SOX provisions indicated in the table. Regulations related to the CPA should remain the responsibility of the TSBPA. Under the Texas Public Accountancy Act (PAA), the TSBPA has the authority to implement all SOX-type provisions applicable to CPAs through its rulemaking process. In fact, all SOX provisions have been thoroughly considered and are discussed in this report. Rule review is an ongoing process, and the TSBPA will continue to monitor the situation and implement rule changes as they are needed. Consistent with the General Accounting Office (GAO)1 study and report, the TSBPA does not recommend mandatory audit firm rotation. The TSBPA does recommend potential legislation consistent with SOX Sec. 303 making it illegal for an officer, director or persons directed by them to fraudulently influence, coerce, manipulate, or mislead an independent public accounting firm performing an audit for PIEs in Texas. Existing statutes that are aimed at preventing fraudulent behavior should be reviewed to determine whether they are sufficient to cover such conduct caused by non-CPAs who are not within the TSBPA’s jurisdiction. We also believe it to be appropriate to provide penalties for such actions which are consistent with those in Chapter 26 of the PAA. This will result in felony penalties consistent with those of CPAs in Texas. Additionally, the Legislature should consider providing the TSBPA with the statutory authority to refer to the appropriate prosecutorial authority information on activities that appear to constitute criminal conduct or violation of a statute in Chapter 31, Theft, or Chapter 32, Fraud, Texas Penal Code, by individuals other than CPAs.. 1.3. Development of Responsibility Table. Using the input received from the regulatory bodies, public interest entities, and other interested parties, the task force developed a table to identify the appropriate oversight body to consider each of the SOX provisions. The SOX Statutory and Regulatory Responsibility Table details each of the relevant SOX provisions and recommends the regulatory body that should consider adoption, oversight and enforcement of those provisions. 1 Effective July 7, 2004, the General Accounting Office’s legal name became the Government Accountability Office. 6 In making its recommendation, the task force considered whether the particular SOX provision related to regulation of the CPA or regulation of the entity. Those provisions that relate to the CPA were assigned to the TSBPA. Those provisions relating to entity governance and management were assigned to other regulating bodies, as deemed appropriate. If a recommended provision requires legislative action, the task force assigned that responsibility to the Texas Legislature. Evaluators should consider the intent of each provision, rather than the specific wording. For example, Sec. 202 refers to audit committee pre-approval of certain services. Many entities do not have audit committees, and that function rests elsewhere, probably with its board or finance committee. Therefore, a regulatory body that concludes pre-approval of the auditor’s services should be required might require pre-approval of such services by the entity’s board or its designee other than management. This approach accomplishes the intent of the provision without mandating the existence of an audit committee. It should not be presumed that each provision is automatically applicable. Any adoption should consider the preference for uniformity with national standards and the appropriateness of the provision while considering such elements as size of the entity, the provision’s cost, and other negative impacts of such a requirement versus the resultant protection provided to the public. The SOX Statutory and Regulatory Responsibility Table begins on page 8. 1.4. Recommendations. In summary, the TSBPA: 1. cautions against state-by-state implementation of SOX-type legislation on public interest entities or on other non-publicly held entities; 2. recommends that existing regulatory bodies in Texas review relevant SOX provisions as identified in the Statutory and Regulatory Responsibility Table [pages 8-10 of this report] to determine which, if any, provisions or their objectives are appropriate for the regulatory bodies’ respective jurisdiction; and 3. recommends potential legislation consistent with SOX Sec. 303 making it illegal for an officer, director, or persons directed by them to fraudulently influence, coerce, manipulate, or mislead an independent public accounting firm performing an audit for PIEs in Texas to be accomplished by: a. reviewing existing statutes to determine whether they are sufficient to cover such conduct caused by non-CPAs who are not within the TSBPA’s jurisdiction; b. adopting penalties for such actions which are consistent with those in Chapter 26 of the PAA; and c. providing the TSBPA with the statutory authority to refer to the appropriate prosecutorial authority information on activities that appear to constitute criminal conduct or violation of a statute in Chapter 31, Theft, or Chapter 32, Fraud, Texas Penal Code, by individuals other than CPAs. 1.5. TSBPA Adoption of Report. The TSBPA reviewed the work of the task force and adopted this report at its November 11, 2004 meeting. Attachments to the report are contained in Volume II. The Texas State Board of Public Accountancy submits this report in accordance with Sec. 29 of the Public Accountancy Act and encourages the implementation of the recommendations contained within this report. 7 Sarbanes-Oxley Act Provisions Statutory and Regulatory Responsibility Table for Public Interest Entities The following table identifies relevant provisions of the Act and assigns responsibility for determining if similar regulations should be adopted. (Omitted Act sections are not considered pertinent to PIEs.) Evaluations should consider the intent of each provision, the size of the entity affected, the provision’s cost, and other negative impacts of adoption versus the resultant protection of the public. Evaluators should not presume that adoption of a particular provision is more preferable than declining adoption. SARBANES OXLEY ACT PROVISIONS Sec. No. Applicable Description RESPONSIBILITY OF Texas State Board of Public Accountancy Existing Regulatory Agency or Body General Provisions: (1) auditing, quality control, independence and ethics 101109 (2) registration and inspection of public X accounting firms (3) investigations and disciplinary proceedings 201 202 203 X Non-audit service restrictions Audit committee (or its equivalent) pre-approval of non-prohibited outside auditor services Rotation of lead and reviewing audit partner X X 204 Requirement of audit firm to report on specific items to audit committee (or its equivalent) X 206 Restrictions on hiring of key member of outside audit team (1 year cooling off period) X 207 209 X X X GAO study on audit firm rotation State Board consideration Audit committee (or its equivalent) responsibilities): 301 (1) Hire and compensate outside auditors (2) Comprised of independent directors X (3) Establish procedures for complaints, audit, accounting, and internal control matters (4) Hire independent advisors and counsel 8 Texas Legislature Sarbanes-Oxley Act Provisions Statutory and Regulatory Responsibility Table for Public Interest Entities (Continued) SARBANES OXLEY ACT PROVISIONS Sec. No. Applicable Description RESPONSIBILITY OF Texas State Board of Public Accountancy Existing Regulatory Agency or Body Texas Legislature CEO & CFO must certify their primary responsibility for:: (1) review of the financial statements 302 (2) no known misrepresentations within financial statements X (3) materially correct financial statements (4) establishment and maintenance of internal controls (5) required financial statement disclosures 303 Unlawful for officer or director to fraudulently influence, coerce, manipulate, or mislead outside auditor X 401 Forfeiture of bonus and profits: If a material misstatement occurs as a result of their misconduct, CEO and CFO must reimburse bonuses and incentive pay from prior 12 months Enhanced financial disclosures X 402 Prohibition against personal loans to director, CEO, and CFO (or equivalent) X 304 X Internal Controls (I/C): X (1) annual report contains I/C report detailing responsibility of management for establishing and maintaining adequate I/C and procedures for financial reports 404 (2) Independent auditor attests to and reports on I/C assessment by management X (a) requirements for outside auditors (b) requirements for audited entity X 406 Requirement of disclosure of company code of ethics for senior management X 407 Requirement of at least one "financial expert" on audit committee X 9 Sarbanes-Oxley Act Provisions Statutory and Regulatory Responsibility Table for Public Interest Entities (Continued) SARBANES OXLEY ACT PROVISIONS Sec. No. Applicable Description RESPONSIBILITY OF Texas State Board of Public Accountancy Existing Regulatory Agency or Body X X X X 806 901905 Criminal penalties for altering documents and 5-year retention of audit workpapers Whistleblower protection Strengthens criminal penalties for acts regarding financial statement certification 906 Corporate responsibility for financial reports X 1001 CEO, in addition to preparer of income tax returns, signs the corporate income tax or information returns X 802 X X 1105 Criminal penalties for altering documents Prohibition from serving as officers and directors 1107 Whistleblower protection X 1102 X X 10 X Texas Legislature 2.0. BACKGROUND The 78th Texas Legislature, Regular Session, in 2003 directed the TSBPA to report to the Governor, Lt. Governor, and Speaker of the House of Representatives on the mandates of Sec. 29 of the new Public Accountancy Act. This section requires the TSBPA to study and recommend appropriate SOX-like provisions in its report on “the requirements of the federal Sarbanes-Oxley Act (Pub. L. No. 107-204), including any restrictions on public interest entities, and any legislation or other action needed to conform state law to the requirements of that Act.” [See SarbanesOxley Act of 2002 [ATTACHMENT 1.]] Additionally, the TSBPA is to report on the GAO study on audit firm rotation and any legislation or other action necessary to conform state law to that study, as well as TSBPA rules adopted which are intended to comply with SOX legislation. 2.1. The TSBPA’s Task Force. Billy M. Atkinson, CPA, the TSBPA’s presiding officer, formed a task force to assist the agency in carrying out the Sec. 29 mandate. The task force was charged not only with developing recommendations that safeguard the public’s interest while protecting a sound Texas business climate, but also with determining what entities should be defined as “public interest entities” (PIEs) and determining which SOX provisions pertain to them. The task force is comprised of four regulators (TSBPA members); eight CPA non-TSBPA members with diverse backgrounds who are professionals in various industries and academia, representatives of the National Association of State Boards of Accountancy (NASBA), the American Institute of Certified Public Accountants (AICPA), and the Texas Society of CPAs (TSCPA). These individuals contributed significant time and resource to this effort to safeguard the public interest. Members of the task force are: TSBPA Task Force Members Other Task Force Members Melanie G. Thompson, CPA, chair Billy M. Atkinson, CPA, ex officio David D. Duree, CPA Paula M. Mendoza Sam Cotterell, CPA Kenneth Dakdduk, CPA Ygnacio D. Garza CPA Phillip D. Green, CPA Jennifer E. Hilton, CPA Gary D. McIntosh, CPA Robert R. Owen, CPA Jerry R. Strawser, CPA 11 TSBPA Staff William Treacy James Hamilton, CPA 2.2. The Accounting Profession in Texas. Both CPAs and CPA firms must be licensed by the state of Texas. As of August 31, 2004, individual active CPA licensees numbered 59,464. The TSBPA database reflects the following information regarding employment of individual licensees: INDUSTRY NUMBER PERCENT Public Accounting 13,955 23.47% Industry 22,007 37.01% Federal Government 1,119 1.88% State Government 1,023 1.72% Local Government 827 1.39% Education 1,329 2.23% Other 4,410 7.42% Not Employed 4,001 6.73% Retired/Disabled 2,507 4.22% Undeclared 8,286 13.93% Not only are most Texas CPAs not employed in public accounting, most of the CPAs in public accounting work as single practitioners or in small firms. In fact, the vast majority of public accounting firms in Texas are small, with many operating in rural areas. As of August 31, 2004, there were 10,108 active public accounting firms registered in the state of Texas. Of these firms, 9,546 had fewer than three employees. Of the 562 firms with more than three employees, only 201 have more than three owners. 12 3.0. SARBANES-OXLEY ACT ISSUES “Since the Sarbanes-Oxley Act was passed in July of 2002 hundreds, if not thousands, of articles White Papers and books have been written on this legislation.” Tim Leech in Distilling SOX 302,404 & 906 The Sarbanes-Oxley Act’s intent is to effect behavioral changes in public entities’ boards of directors, management, and their independent auditors. Much public attention has been focused on the roles and responsibilities of the independent auditors. However, the provisions of SOX also establish separate and new responsibilities for boards and management to assure the proper environment for continuous financial statement reporting and disclosure by public entities. “Sarbanes-Oxley is very wide-ranging in its scope. In addition to creating stiff new penalties, it establishes a new Public [Company] Accounting Oversight Board (PCAOB), restricts the various services an audit firm can offer to its clients, and limits the time audit firm partners can serve a single client,” reported the United Press International on May 7, 2004 in its article entitled “Sarbanes-Oxley’s Compliance Conundrum.” “For corporations, the greater effect is on complying with stringent new compliance and disclosure rules.” (ATTACHMENT 2) 2 The sections of SOX most relevant to this report are those dealing with auditor independence (Title II of SOX), new corporate responsibilities (Title III of SOX) and enhanced financial disclosures (Title IV of SOX). Because of the complexity of SOX and the requirement for implementing rules from both the PCAOB and SEC, TSBPA published in its Texas State Board Report in October 2003 a chart listing the various public concerns associated with SOX and how federal agencies and private standards-setting bodies were responding to these issues as of December 2002. (Vol. 80). (ATTACHMENT 3) The effective dates for compliance with portions of SOX are as late as November 15, 2004 for large companies and begin in 2005 for smaller and foreign companies. Both the SEC and PCAOB are continuously developing rules to implement SOX provisions. It will be some time before the full impact of both the benefits and costs of SOX on publicly traded entities is known. During this initial implementation period, it is a challenge for both state regulators and legislators to determine the right time for and extent of specific implementation of new rules and regulations. 13 4.0. TASK FORCE PROCESS The task force developed a strategy to properly address the Legislature’s charge by analyzing the individual provisions of SOX and by providing a mechanism whereby each provision’s intent could be reviewed for appropriateness to public interest entities. Sec. 29(1) of the Public Accountancy Act states: The Texas State Board of Public Accountancy shall report to the governor, the lieutenant governor, and the speaker of the house of representatives, not later than December 31, 2004, regarding: (1) the requirements of the federal Sarbanes-Oxley Act (Pub. L. No. 107-204), including any restrictions on public interest entities, and any legislation or other action needed to conform state law to the requirements of that Act ... The objective was to develop recommendations that safeguard the public’s interest while promoting a sound Texas business climate. For purposes of this report, the task force developed a definition of “public interest entities.” The task force considered the regulations being proposed nationally and in other states, entities affected by potential recommendations, the extent of current regulation on entities that fit within the TSBPA’s definition of public interest entity, and the costs versus the benefits of additional regulation. The task force also considered who should be responsible for the evaluation, adoption, implementation, and enforcement of any proposed rules. Additionally, the task force sought input from public interest entity trade groups, regulators, and the public. . . . (2).the federal General Accounting Office study on audit firm rotation and any legislation or other action needed to conform state law to the findings of that study . . . The task force reviewed the findings of the GAO study and their applicability to the State of Texas pursuant to Sec. 29(2) of the PAA. . . . (3) the rules adopted by the board that are intended to comply with the federal standards described by Subdivisions (1) and (2) of this section and the board's actions in implementing and enforcing those rules. Both the PAA and TSBPA rules were reviewed for compliance with subdivisions (1) and (2) of Sec. 29 of the PAA. Additionally, SOX provisions assigned to the TSBPA within the Statutory and Regulatory Responsibility Table were analyzed to determine which, if any, of the provisions should be adopted in Texas for the auditors of PIEs. 14 5.0. SOX REQUIREMENTS, RESTRICTIONS ON PUBLIC INTEREST ENTITIES AND OTHER ACTIONS NEEDED The Texas State Board of Public Accountancy shall report to the governor, the lieutenant governor, and the speaker of the house of representatives, not later than December 31, 2004, regarding . . . (1) the requirements of the federal Sarbanes-Oxley Act (Pub. L. No. 107-204), including any restrictions on public interest entities, and any legislation or other action needed to conform state law to the requirements of that Act . . . Public Accountancy Act, Sec. 29 The task force studied what other state legislatures and state accountancy boards were doing regarding the implementation of SOX provisions to “public interest entities” or non-publicly traded entities. The task force reviewed reports of national organizations such as the National Association of State Boards of Accountancy (NASBA), the General Accounting Office (GAO), and the PCAOB, the SEC, the American Institute of CPAs, and others. Some states, such as California, Illinois, and Texas are proactively addressing SOX at this time. The November 2003 “NASBA Regional Director’s Report” (ATTACHMENT 4) provides a summary of the status of other states’ activities in relation to implementation of SOX provisions. It is the consensus of the TSBPA task force that most states are in a wait-and-see position of requiring public interest entities to implement SOX-type provisions for two major reasons. First, inconsistent state-to-state regulation could possibly be confusing, costly, and create an uneven business climate hindering businesses within a SOX-specific state. Second, the cost of implementation of the SOX provisions could outweigh the benefits received. Thus, the benefit of implementation of a provision should be justified before enacting regulation. The task force reached the following general conclusions: 1. In addition to auditor restrictions, SOX establishes board governance and management behavioral standards which should be addressed by Texas Public Interest Entity regulators. 2. Texas should not enact laws that unfairly impact the state economic climate compared to other states. 3. Adoption of consistent national standards is preferable to a myriad of state-specific standards. 4. In any guidelines, cost of compliance versus benefits of public protection should be considered. 5 Small entities should not be unduly burdened with provisions pertinent to large entities unless the provision’s benefits clearly outweigh its costs. 6. SOX concepts are continuing to be addressed by multiple standard-setting and regulatory bodies at the national level and the requirements are continuing to evolve. Wherever possible, Texas should adopt the standards established by national standard-setting bodies and avoid implementing rules and regulations inconsistent with other states. 15 5.1. The National Association of State Boards of Accountancy. In supervising nonregistered public accounting firms and their associated persons, appropriate State regulatory authorities should make an independent determination of the proper standards applicable, particularly taking into consideration the size and nature of the business of the accounting firms they supervise and the size and nature of the business of the clients of those firms. The standards applied by the Board under this Act should not be presumed to be applicable for purposes of this section for small and medium sized nonregistered public accounting firms.” SOX, Sec. 209 The task force also reviewed the NASBA Discussion Memorandum “Answering the SOX Challenge – Guidelines for State Boards of Accountancy.” (ATTACHMENT 5) In its discussion memorandum on SOX, NASBA commented on the following areas: 1. Scope of services. By referencing nationally recognized professional standards in the states’ statutes and boards’ rules, charging a licensee with violating applicable standards becomes more straightforward. It is important that states agree on which, if any, SOX standards should be applied to non-public companies. If not, we will have uniform standards for public companies regulated by the PCAOB and a patchwork of different regulations for non-public companies depending on the states in which they do business. 2. Partner rotation. NASBA does not support partner rotation. Its document states, “Do not require rotation of the audit partner on non-public company audits because it would likely require small firms, with fewer qualified audit partners, to resign from audit engagements. As a result, fewer small firms would continue to perform audit services and less competition would offer less choice for services and possibly higher costs to consumers.” 3. Partner compensation. Compensation schemes that reward independence, as well as the development and conduct of business, should be emphasized during firm quality assessment. While this type of oversight does not easily fit into either the Accountancy Act or the boards’ rules, it should be considered in the overall firm quality assessment process. 4. Board composition. Public members bring important fresh views and perspectives to a board of accountancy. Given the technical expertise required to make informed judgments on the disciplinary actions boards must take, licensed accounting professionals should comprise at least a majority plus one of the state accountancy board. Case law affirms a board of accountancy with a majority of licensees does not have to retain an outside expert in the event of a disciplinary hearing. If the profession moves from rulesbased to principles-based accounting standards, as some expect, the professional judgment of licensees will become even more critical and those judgment calls are best evaluated by other professional accountants. There is a need for professional judgment that can weigh how standards were applied in specific situations. 16 5. Ethics. Before initial licensure, both a course and examination on professional ethics, including ethical reasoning, and the board’s rules, should be required. Following licensure, ethics training should be mandated at least every three years, as part of each state’s continuing professional education requirements. 6. Firm inspection. The AICPA [American Institute of Certified Public Accountants] is working to integrate/coordinate its peer review program with the PCAOB’s firm inspection of the auditors’ public company practice. State boards of accountancy should determine whether the PCAOB’s firm inspections will be sufficient to fulfill their quality review requirements. Should a major part of a firm’s audit and attest practice involve nonpublicly held companies (non-SEC registrants), results of firm inspections performed by the PCAOB on the publicly-held companies’ segment of the firm’s practice may not necessarily be reflective of the firm’s overall quality control and audit processes. 7. Relationship with other organizations. State boards should be involved in the regulation of accountants who are practicing within their jurisdiction. As the PCAOB develops its rules, NASBA has been offering comments to help ensure transparency between the new oversight board and the state boards of accountancy. Similarly, PCAOB representatives have indicated they are anticipating the state boards will cooperate with them in their information gathering. 8. Corporate governance. Auditors’ involvement in corporate governance issues must be limited in order to maintain independence. For example, auditors cannot be involved in the selection of financial experts for clients’ audit committees. The report does not address corporate governance issues other than from the perspective of the auditor’s involvement. 5.2. Actions Within Other States. As of November 2004, no significant action by other states seems imminent. Several state boards, including California, Maryland, New York, Texas, and Washington have done significant work toward understanding SOX and have implemented certain provisions of SOX regarding restrictions on the auditor. California has passed legislation adopting limited SOX-type provisions for charities. Further, it established a task force to study whether SOX-type provisions should be applied to non-public entities. That task force recommended that SOX not be “cascaded” to non-public entities. Massachusetts and New York have considered legislation that would require some SOX provisions to be adopted; however this legislation has not advanced. There appears to be no consideration in the various states for including a requirement for organizations to have a SOX Sec. 404-type of internal control documentation, testing, and reporting by management or by the auditor. Pennsylvania has considered legislation that would make it a misdemeanor for companies to make false statements intended to mislead shareholders about their financial condition. No significant developments on this proposal have occurred since May 2004. In July 2004, Illinois passed legislation that, among other things, requires auditors of privately-held entities exceeding a threshold size of more than $50 million in annual revenue or more than 500 employees, to provide notification of planned non-audit services. Criminal penalties were enacted for specified key officers of a company who intentionally mislead their auditor so as to make financial statements materially misleading. 17 In summary, from state legislative activities over the past three years, the trend has been to reject efforts to “cascade” SOX provisions into the states beyond the federal law, other than auditor working papers retention requirements. Texas requires working papers’ retention through its TSBPA rules. 5.3. The American Assembly Report. “On November 13, 2003, fifty-seven men and women, including leaders from the worlds of accounting, finance, law, academia, investment banking, journalism, non-governmental organizations, as well as the current and former regulatory officials from The Federal Reserve Board, the Securities and Exchange Commission (SEC), the General Accounting Office (GAO), the Public Company Accounting Oversight Board (PCAOB), The Financial Accounting Standards Board (FASB), and the International Accounting Standards Board (IASB) gathered at the Lansdowne Resort, Leesburg, Virginia, for the 103rd American Assembly entitled “The Future of the Accounting Profession.” Over the course of the Assembly, the distinguished professionals considered three broad areas of the accounting profession: its present state, its desired future state, and how it might reach that future state.” “The Future of the Accounting Profession” American Assembly Report 103rd American Assembly Columbia University Because regulation and oversight of the accounting profession is in a state of change, corporate heads have spent the last two years attempting to understand and comply with the provisions of SOX. In November 2003, Columbia University held the 103rd American Assembly which attempted to grasp the issues surround SOX implementation. A recurring theme of the Assembly was the need for more insight into the data upon which management depends. (ATTACHMENT 6) In describing the precipitators of the current accounting crisis, the Assembly’s report states: As the bubble economy encouraged corporate management to adopt increasingly creative accounting practices to deliver the kind of predictable and robust earnings and revenue growth demanded by investors, governance fell by the wayside. All too often, those whose mandate was to act as a gatekeeper were tempted by misguided compensation policies to forfeit their autonomy and independence. The Assembly attendees agreed that it is difficult to envision a corporate governance and financial reporting structure that does not entail the audit of a company’s financial statements by an independent auditor. However, the public and corporate audit committees may be expecting a level of assurance and accuracy in those audits that is unrealistic, at the same time that the auditor’s top expert judgment must have a larger function in the audit. In discussing what future financial reporting should look like, the Assembly suggested that improvement could begin by the implementation of new attestation standards to replace the current standard, which is deemed appropriate for some, but not all, transactions. The consensus is that auditors must offer more limited attestations when the facts require them, and further, that investors should be prepared to accept them. The Assembly’s report states: 18 . . . the PCAOB should adopt a supervisory approach to regulation. We define that “supervisory” role as a preventative one, as contrasted with the enforcement role, where regulators arrive on the scene only after malfeasance has been alleged or detected. A supervisory format should permit accounting regulators to operate protected by the same degree of confidentiality that currently governs the proceedings of bank examiners. The report criticized corporate governance as follows: . . . a corporate culture that treated financial reporting as little more than a numbers game. Managers made increasingly aggressive assumptions and estimates about their business and selected those alternative accounting practices that allowed them to report results that would match the unrealistic analyst expectations those managers had earlier promoted. The Assembly identified two important groups in addressing corporate governance issues: the audit committee and the directors. Members of the audit committee must be both financially qualified and able to challenge management on their particular judgments. Similarly, directors should be fully capable of discussing the company’s business and financial operations. Management, directors, and audit committees should adhere to the spirit of the law and not merely legal specifics. SOX sets numerous general requirements for both audit committees and corporate governance. However, while it stops short of requiring issuers to change auditing firms every few years; it does allow audit committees to use discretion in deciding what non-audit services a company may hire its auditors to provide (other than prohibited services). The Assembly supported these policies “. . . for leaving in the hands of audit committees the power to make these decisions, and believe that is where those decisions belong as audit committee members are the best qualified to make them. For instance, if rotation of auditors (audit firms) was made mandatory, much of the authority of audit committees over auditors would be forfeited.” In addition, the Assembly encouraged the right of audit committees to exercise their discretion in determining the scope of beneficial non-audit services an external auditor might provide. It concluded that audit committees “. . . must take charge of the audit, control the selection of both the audit firm and the partner engaged to lead it, and make the final decision when it comes time to set the audit fee. Above all else, they must protect the auditor’s independence.” In concluding its report, the Assembly stated: Most importantly, the accounting profession itself must recognize and expand its role, its responsibility, and its dedication to fulfill its mission to provide accurate and complete information to the investing public. 5.4. Voluntary Adoption. Through its study of SOX and its impact on the business and governmental community, the task force determined that some entities (e.g., the University of Texas and the United Way of Metropolitan Dallas, among others) were in the process of proposing implementation of many of the SOX provisions. The National Association of College and University Business Officers have adopted similar standards as guidelines for all colleges and universities to seriously consider implementing. (ATTACHMENT 7) 19 The United Way of Metropolitan Dallas, for instance, is voluntarily altering its financial operations in light of SOX legislation. It has reassessed its internal controls, asking the following questions: y y y y y y What does the internal control structure look like and how does it operate? Who is accountable? How does it deal with change? What are the critical control activities? Are they monitored? Is all of this documented? They have also developed a conflict of interest policy and a code of business conduct and ethics; procedures are in place for reporting ethical issues or questions. In addition, a code of ethics has been adopted for and acknowledged by all directors, volunteers, and staff with financial responsibilities. In all financial reports, the organization now includes a statement that management is responsible for completeness and accuracy of the financial report and for internal control. A separate audit committee was established and reviews completed of its roles and responsibilities. The audit committee members have all been reviewed for independence, and a financial expert has been identified. Both the finance and audit committees now have charters. Among the audit committee responsibilities are to ensure that management letter comments from the independent auditor are implemented and to more closely review proposed adjustments. We believe these to be sound business practices for public interest entities in today’s environment. They are not onerous, yet properly establish responsibilities. 5.5. Requests for Input from Public Interest Entities. In order to determine the potential impact that SOX provisions have on public interest entities, the task force solicited input from both industry and government. Twelve (12) various state regulatory agencies and private professional organizations were asked to participate. The following table identifies the entities and their responses: 20 TYPE OF ENTITY RESPONSE Association Matrix/Letter Office of Consumer Credit Commission State Agency Letter Office of the Texas State Auditor State Agency Letter/Matrix Property Casualty Insurers Association of America Association Letter Texas Association of County Auditors Association No information received Texas Bankers Association Association Matrix Texas Department of Banking State Agency Matrix Texas Department of Insurance 2 State Agency Letter/Matrix Texas Education Agency State Agency Matrix NAME OF ENTITY Independent Bankers Association of Texas Texas Independent Insurance Adjusters Association Association Texas Municipal League Association Texas Savings and Loan Department State Agency No information received No information received Letter 2 Subsequent to their evaluation of their response to our request, the State Board of Insurance examined the possibility of some rule changes related to the SOX provisions. In addition to the entities listed in the table above, the National Association of College andUniversity Business Offices was extremely helpful in providing the task force with the format for the matrix sent to those entities. The task force summarized relevant SOX provisions within a matrix format. (ATTACHMENT 8) Each entity was requested to review the matrix and determine the applicability of each provision to their regulated entities. While some declined to participate, as noted in the chart above, most recipients actively participated in the process. In one instance, the regulatory body (the Texas Department of Insurance) examined the possibility of some rule changes subsequent to its review of the matrix. In some situations the regulatory body may not have the authority to enact such changes, and legislative action would be required. Others believe adequate regulation is already in place and no changes are needed. For example, an excerpt from the Texas Department of Banking’s response addresses this issue: Institutions that are not public companies, but hold assets greater than $500 million (which are subject to Section 36 of the Federal Deposit Insurance Act), must comply with the SEC’s rules that implement provisions of sections 201, 202, 203, 206 and 404 of Sarbanes-Oxley . . . . . . Though the Department of Banking believes strongly that nonpublic banking organizations (with less than $500 million in total assets) can benefit from this 21 and other provisions of Sarbanes-Oxley, the agency is reluctant to require compliance for smaller organizations. In small towns and cities where many community banks are located, it may be impractical to contract with an out-of-area public accounting firm to perform these nonaudit services due to the costs involved. However, bank boards are encouraged to review and understand the risks associated with these tying arrangements. The specific responses are included in ATTACHMENT 9. 5.6. The Public Forum. Upon receiving the responses from the participating public interest entities, the task force reviewed the responses, and in an effort to gather more substantiation for the results, held a public forum on July 12, 2004 to receive both oral and written testimony from interested parties. ATTACHMENT 10 lists the parties that submitted either written or oral testimony. Participants in the public forum were asked to address the following questions: 1. Which provisions of SOX should be made applicable to public interest entities within the state? 2. What additional rules and regulations should be considered to accomplish this task? 3. What are the benefits of those rules and regulations? 4. What are the costs of those rules and regulations? 5. What other impacts should be considered? Texas Association of Life and Health Insurers executive director Mike Pollard and attorney Will Davis both testified on behalf of that sector of the insurance industry. Both referenced the extensive existing regulation of the industry and suggested that expansion of the SOX provisions were redundant for the protection of the public. The National Teachers Association Life Insurance Company, USAA, and the American Council of Life Insurers. presented similar opinions in written testimony. Brenda Nation, senior counsel for the American Council of Life Insurers, stated in her letter to the Board (July 9, 2004), “SOX was written to supplement existing securities laws for public companies, not to impose additional requirements on a highly regulated insurance industry.” Likewise, William H. McCartney, senior vice-president of USAA, stated in his letter of the same date, “These entities are heavily regulated to protect the public interest and the regulators and governing associations of these industries are already contemplating extending numerous provisions of the Act to them. Any additional requirements in this area would be duplicative and counterproductive.” In contrast, Luke Metzger, Advocate, TPIRG, stated in his June 7, 2004 letter, “The Sarbanes-Oxley Act should certainly be made applicable to non-publicly traded public interest entities in Texas”. His letter continued with, “Texas consumers deserve protections to ensure the integrity of financial statements of banks, insurance companies, school boards and pension plans.” Several representatives speaking at the forum agreed to complete the TSBPA matrix which had previously been completed by industry regulators. Their written comments and matrices received are attached to this report. (ATTACHMENT 11) 22 5.7. The Texas Society of CPAs. The state-by-state development of accounting, auditing and independence standards will ultimately confuse the public and unnecessarily increase the cost of accounting and auditing services for the public . . . The cost to public companies of implementing Sarbanes-Oxley has been substantial. Edward M. Polansky, CPA Chairman, Texas Society of CPAs In his July 9, 2004 letter to the task force, Texas Society of CPAs chairman Edward M. Polansky, CPA, stated: With these national organizations actively addressing the issue, we believe that any one state should be very cautious about establishing requirements related to corporate governance, auditing standards or accounting principles that might be different from national standards. There is much potential for public confusion if different standards apply in different states. We believe this concern is paramount and should guide all TSBPA deliberations on this subject. He went on to say: The Board’s current rules related to auditing standards effectively adopt national standards as Texas standards and require CPAs to conform to national standards as a matter of Texas law and regulation. It is very important that the Board review the standards, requirements and guidelines issued by the various national organizations. This review will hopefully lead to the Board adopting these standards as the standards for Texas. In testimony at the July 12, 2004 public forum, the TSCPA also said: The various regulators of public interest entities should make the determination as to which provisions of Sarbanes-Oxley might have benefits worth the cost and issue guidance or regulations as they see fit, especially in the areas of corporate governance and officers’ certifications of financial and internal control information. Here too we recommend that national standards and procedures be used wherever possible . . . it is appropriate to rely on current national standards for auditor independence rather than introduce new partner rotation rules for Texas entities. 23 6.0. GENERAL ACCOUNTING OFFICE STUDY AND REPORT The Texas State Board of Public Accountancy shall report to the governor, the lieutenant governor, and the speaker of the house of representatives, not later than December 31, 2004, regarding . . . the (2) federal General Accounting Office study on audit firm rotation and any legislation or other action needed to conform state law to the findings of that study . . . Public Accountancy Act, Sec. 29 In November 2003 the General Accounting Office issued “A Report to Senate Committee on Banking, Housing and Urban Affairs and the House Committee on Financial Services.” (ATTACHMENT 12) The report was entitled “Public Accounting Firms -- Required Study on the Potential Effects of Mandatory Audit Firm Rotation” and stated, “We believe that mandatory audit firm rotation may not be the most efficient way to enhance auditor independence and audit quality considering the additional financial costs and the loss of institutional knowledge of a public company’s previous auditor of record. The potential benefits of mandatory audit firm rotation are harder to predict and quantify, though we are fairly certain that there will be additional costs. In addition, the current reforms being implemented may also provide some of the intended benefits of mandatory audit firm rotation.” The report concluded by stating: “This report makes no recommendations.” It should be noted that five board members of the TSBPA were interviewed by the GAO as a part of their study of this issue. The TSBPA concurs with the GAO’s report and can find no compelling reason for Texas to adopt a mandatory audit firm rotation rule. 24 7.0. TSBPA RULES AND ANALYSIS OF SOX PROVISIONS The Texas State Board of Public Accountancy shall report to the governor, the lieutenant governor, and the speaker of the house of representatives, not later than December 31, 2004, regarding . . . (3) the rules adopted by the board that are intended to comply with the federal standards described by Subdivisions (1) and (2) of this section and the board's actions in implementing and enforcing those rules. . . . Public Accountancy Act, Sec. 29 The Texas Public Accountancy Act (PAA) affords the authority the TSBPA needs to adopt rules necessary to implement SOX. 7.1. The Public Accountancy Act and TSBPA Rules. The PAA specifically addresses the requirement to adopt rules and rules have been adopted by the TSBPA. Sec. 901.156 states: Sec. 901.156. Rules of Professional Conduct (PAA). The Board shall adopt rules of professional conduct to: (1) establish and maintain high standards of competence and integrity in the practice of public accountancy; and (2) ensure that the conduct and competitive practices of license holders serve the purposes of this chapter and the best interest of the public. Sec. 901.165 can be directly applied to the SOX provisions of Sec. 29 of the PAA by referencing national accounting standards. This provision in the PAA gives the TSBPA the authority it needs to issue SOX-type rules: Sec. 901.165. Rules for Attest Services (PAA). (a) The board by rule shall specify those services that constitute attest services. (b) Attest services are required to be performed in accordance with professional standards. The board may adopt by reference the standards developed for general application by the American Institute of Certified Public Accountants or another nationally recognized accountancy organization. [Emphasis added.] In addition, the PAA in Sec. 901.158 discusses independence by stating: Sec. 901.158. Rules Restricting Competitive Practices (PAA). The Board in its rules of professional conduct may regulate the competitive practices of a license holder as necessary to ensure that the license holder does not engage in a competitive practice that . . . impairs the independence or quality of a service provided by a license holder. 25 Therefore, in its Rules of Professional Conduct, the TSBPA adopted the following independence rule, which effectively adopts national standards: Sec. 501.70. Independence (Rules). A certificate or registration holder in the performance of professional services, including those who are not members of the AICPA, shall conform in fact and in appearance to the independence standards established by the AICPA and the board, and, where applicable, the U.S. Securities and Exchange Commission, the General Accounting Office and other regulatory or professional standard setting bodies. As a result of this rule, TSBPA actively comments on and initiates proposed changes at the national level (AICPA, SEC, GAO, etc.) Rule review is an ongoing process at TSBPA. The TSBPA is required by statute to review its entire body of rules every four years to assess whether each rule is necessary, and if not, to either amend, repeal, or replace it. When appropriate, new rules are adopted. The TSBPA has recently completed its second cycle of rule review, and has determined that its rules are in compliance with federal standards as described in Sec. 29 of the PAA. Because the PAA, and subsequently the TSBPA’s rules, contain specific language defining what constitutes financial statements, reports, independence, accounting and auditing standards, other professional standards, and ethical conduct by CPAs, the TSBPA believes that further legislation and rulemaking in this regard is not necessary. 7.2. Analysis of SOX Provisions. The Statutory and Regulatory Responsibility Table provided earlier in this report identifies the TSBPA as the responsible agency to determine if SOX similar regulation should be adopted in Texas for the auditors of PIEs. As expressed earlier in this report, TSBPA supports the application of consistent national standards in all states, including Texas. Unless an existing national standard is obviously inadequate and Texas cannot influence a change to be made, we believe Texas should not adopt a Texas-only rule. As stated in SOX Sec. 209, “The standards applied by the Board under this Act should not be presumed to be applicable for purposes of this section for small and medium sized nonregistered public accounting firms.” Recognizing the objective of this provision in SOX, the following outlines each SOX provision and the specific TSBPA response to the issues which pertain to auditors: 7.2(a). SOX Sec. 101-109. 1. auditing, quality control, independence and ethics; 2. registration and inspection of public accounting firms; and 3. investigations and disciplinary proceedings. 26 7.2(a)(1). Independence. SOX establishes some specific independence requirements for registered entities (public companies) and authorizes the SEC and PCAOB to further define those standards by rule. For non-registered entities, national independence standards are prescribed by the Governmental Accountability Office (for all entities that accept federal assistance above a specified level), federal banking regulators (for financial institutions), the National Association of Insurance Commissioners (for insurance companies), and the Auditing Standards Board and Professional Ethics Executive Committee of the American Institute of CPAs, among others. TSBPA rule Sec. 501.70 (quoted above) requires all Texas CPAs and auditors to conform to the highest standard of independence appropriate for each particular attest engagement. The applicability of these appropriate standards to PIEs is adequate to assure auditor independence. 7.2(a)(2). Ethics Education. In early 2003, TSBPA initiated efforts to establish more comprehensive ethics education both at the entry level of the CPA profession and on a recurring basis for Texas CPA’s. Beginning in 2005, CPA examination candidates in Texas will be required to have completed three semester hours in TSBPA-approved ethics education as part of their college curriculum. For all licensed CPAs, recurring ethics education course requirements will be increased in 2005 from a two-hour Board-approved rules course every three years to a four-hour approved ethics course every two years. Among other pertinent professional situations, the curriculum for the CPE ethics courses require case studies of ethical dilemmas where the CPA must use reasoning regarding the preparation and presentation of audited financial statement reports that both adhere to regulatory and ethical guidelines. 7.2(a)(3). Continuing Education. The TSBPA adopted rules to improve the quality of continuing professional education. While the current annual requirement for continuing professional education hours is considered sufficient to maintain a CPA’s competence, the quality of some programs has been deemed inadequate. Under the new sponsor review program, continuing professional education sponsors must register with the TSBPA for their programs to qualify for Texas CPAs. Beginning in 2005, sponsor programs will be reviewed at least once every three years to determine compliance with TSBPA quality standards. This program will be funded with sponsor registration fees so that it will be self-supporting. 7.2(a)(4). Registration and Peer Review. All individual CPAs and practice units, by law, must register annually with the TSBPA. Texas law has also required quality review, or peer review, of CPA firms for many years. In light of the newly established PCAOB inspection program, TSBPA has proposed rules (Sec. 527.1) clarifying that all auditing firms must undergo a TSBPA-approved peer review program in addition to the PCAOB inspection program. Further, the peer review program in Texas “. . . may include education, remediation, disciplinary sanctions or other corrective action where reporting does not comply with professional or regulatory standards.” The TSBPA now reviews peer review results on a bi-monthly basis. 27 7.2(a)(5). Enforcement. SOX requires a code of conduct for senior financial management, which may include CPAs who serve as financial officers. The TSBPA has stepped up its enforcement efforts by increasing its enforcement activities and penalties for CPAs who violate its Rules of Professional Conduct and the PAA. Such actions include results of SEC investigations, legal activities and response to complaints to the TSBPA by governmental units and individuals. The TSBPA has adopted formal rules, where applicable, to implement the new enforcement powers authorized by the 2003 revisions to the PAA, as follows: PUBLIC ACCOUNTANCY ACT TSBPA RULE Increase in the maximum administrative fine to $100,000 (Sec. 901.552) Subpoenas (Sec. 519.6) (ATTACHMENT 13) Emergency Suspension (Sec. 519.43) (ATTACHMENT 14) [Provision is included in Enforcement procedures and the application of judgment on a case-by-case basis when assessing penalties or license sanctions ] Administrative Penalties (Sec. 519.8) (ATTACHMENT 15) Authorized fines up to $25,000 for practicing without a license (Sec. 901.601) Administrative Penalties (Sec. 519.8) (ATTACHMENT 15) Restitution of fees (Sec. 901.6015) [See Sec. 901.511 above.] Felony criminal penalties for intentional fraud (Sec. 901.602) Sec. 901.602 is complete and in force. Also, Misdemeanors that Subject a Certificate or Registration Holder to Discipline by the Board (Sec. 519.7) (ATTACHMENT 16) Subpoena power (Sec. 901.066) Emergency license suspension (Sec. 901.5045) Enforcement for out of state offenses (Sec. 901.511) These additional enforcement tools, along with those already existing, are sufficient for the TSBPA to effectively enforce the PAA. 7.2(b). SOX Sec. 201. Non-audit service restrictions. SOX identifies seven specific services that auditors of registered companies are prohibited from providing to their audit clients. National standards of the GAO and the AICPA, which apply to non-registered PIEs, also prohibit auditors from performing services which would compromise independence. Although the specific terminology is different from SOX, the standards are based on the same essential concepts, and adherence to national standards has been adopted by TSBPA rule. Currently the national standards are in a process of evolution; therefore, the TSBPA will monitor the process and adopt additional rules if needed. No current action is needed. 28 7.2(c). SOX Sec. 202. Audit committee pre-approval of non-prohibited outside auditor services. While each regulatory agency should address this issue to determine if there are industryspecific reasons to adopt this procedure, the TSBPA sees no need to require PIEs across the board to follow this requirement. The TSBPA does, however, believe it to be good practice for boards, rather than management, to approve the auditor engagement, fees, and related services. 7.2(d). SOX Sec. 203. Rotation of lead and reviewing audit partner. The requirement for audit partner rotation is not new with SOX. It is a long-established practice for auditors of registered (publicly traded) entities, but has never been seriously considered for non-registered entities. The primary issue for non-registered entities is one of practicality or cost/benefit versus risk of audit failure. The TSBPA recognizes the purpose of mandatory audit engagement partner rotation to be the maintenance of a fresh and objective viewpoint of the auditor. Most accounting firms that audit registered entities are of sufficient size to have many partners and the necessary resources to relocate partners as necessary to meet the SOX five-year partner rotation requirement. Auditors of privately held and public interest entities include small firms of a few partners or even individual practitioners. As of August 31, 2004, there were 10,108 licensed practice units in Texas in the practice of public accounting, and 9,907 of those were comprised of three or fewer partners. Many of these practice units are located in rural communities with no other available alternative CPA firms. In such cases, there is no practical way to accomplish audit engagement partner rotation without it becoming an effective requirement for firm rotation or deploying out-of-town firms. The GAO study concluded (quoted previously in this report) that there was not sufficient evidence, even for registered entities, to suggest that firm rotation would improve audit quality. As quoted previously in this report, NASBA also recommends against mandatory audit partner rotation since it would lessen competition and raise costs to consumers. Thus, in a state as large and rural as Texas, imposition of mandatory audit partner rotation for PIEs could cause hardships and very possibly additional costs for PIEs, CPAs, and the communities they serve. Given these considerations, the TSBPA believes that because existing national auditing standards adequately address independence and objectivity issues, there is no need for Texas PIEs to have mandatory audit partner rotation. The TSBPA will continue to monitor its enforcement cases in this regard. If changes become necessary, it will make them. 7.2(e). SOX Sec. 204. Requirement of audit firm to report on specific items to audit committee (or its equivalent). SOX requires auditors to report to the entity’s audit committee/board “critical accounting policies and practices . . . alternative treatments of financial information within generally accepted accounting principles . . . and other written communications [with] management.” National auditing standards (SAS 61) requires similar communication for all audits and no additional auditor rule by TSBPA is necessary. 7.2(f). SOX Sec. 206. Restrictions on hiring of key member of outside audit team (1year cooling off period). 29 While existing national auditing standards do not specifically require a one-year cooling off period before an auditor or auditor’s employee can be employed by an audit client, there are specific GAO and AICPA standards that enumerate the circumstances under which an auditor’s independence is impaired. The intent of these standards is to avoid a continuing relationship or influence between the former employee and the auditor, that the auditor takes steps to alter audit procedures to guard against the risk of audit procedure compromise, and that the existing engagement team possess the requisite knowledge and experience to perform the engagement. The TSBPA believes these standards are adequate and applicable to PIEs. 7.2(g). SOX Sec. 207. GAO study on audit firm rotation This section relates to the GAO study which was previously discussed in this report. The report made no recommendation for mandatory audit firm rotation, and the TSBPA concurs with that conclusion. 7.2(h). SOX Sec. 209. State Board consideration This section recommends state regulatory authorities make an independent determination of standards considering the size and nature of the business of accounting firms and the size and nature of the businesses they serve. Standard-setting is an ongoing process, and the TSBPA will continue to monitor that process and adopt necessary rules. 7.2(i). SOX Sec. 404. Reporting on internal controls. Generally Accepted Auditing Standards (GAAS), as promulgated by the AICPA, are applicable to all non-public entity audits and contain specific auditor requirements for documentation and testing of internal controls by the auditor. However, SOX Sec. 404 expands this requirement for auditors and management of publicly traded companies. SOX mandates that management report on the company’s internal controls and that the auditors express an opinion on both management’s assertions and internal controls. The SEC and PCAOB have developed very specific standards for internal control documentation, testing, and reporting. These SOX Sec. 404 provisions are proving to be one of the most difficult and costly SOX requirements. The TSBPA believes there are fundamental differences between publicly traded companies and all other entities which make expansion of Sec. 404 unreasonable. Even if one believes that it should be applied to some class of public interest entities, it seems prudent to wait until the public company sector and their auditors have underwritten the substantial initial implementation costs and scaled the steep learning curve. Thus, it is perhaps too early in the process for a reasonable determination as to the cost versus benefits of such a requirement for PIEs. In any event, the regulating bodies should determine whether such a requirement should exist for a particular type of PIE. 7.2(j). SOX Sec. 802. Criminal penalties for altering documents and 5 year retention of audit workpapers. This section establishes criminal penalties for altering or destroying documents and establishes a five-year retention period for an auditor’s workpapers. TSBPA rules also require a five-year retention period for audit workpapers. Other actions prohibited under this section are considered by TSBPA as violations of professional standards. A number of rules relate to this area, including Sec. 501.60 (regarding Auditing Standards), 501.61 (regarding Accounting Principles), 501.62 (regarding Other Professional Standards), 501.90(2) (regarding dis30 honesty, fraud or gross negligence in the practice of public accountancy), 501.90(8) (regarding knowingly participating in the preparation of a false or misleading tax return or financial statement), and 501.90(12) (regarding misrepresenting facts or making a misleading or deceitful statement to a client). Therefore, no additional regulation for Texas CPAs is required at this time. [Also see Sec. 303, Items 1 through 2.] 7.2(k). SOX Sec. 806. Whistleblower protection. The PAA (Sec. 901.606) provides immunity from civil and criminal liability for reporting a violation. However, the PIE regulating bodies should determine whether employee protection of PIEs is important. 7.2(l). SOX Sec. 1102. Criminal penalties for altering documents. This section parallels Sec. 802 relating to the establishment of criminal penalties for altering or destroying documents. See comments above. [Also see Sec. 303, Items 1 through 2.] 7.2(m). SOX Sec. 1107. Whistleblower protection. This section parallels Sec. 806 relating to informant protection. See comments above. 7.3. Action Item for The Texas Legislature. As a result of analyzing the SOX provisions, the task force recommends that the Texas Legislature assume responsibility related to SOX Sec. 303. 7.3(a). SOX Sec. 303. Unlawful for officer or director to fraudulently influence, coerce, manipulate or mislead outside auditor. This section establishes as unlawful actions by officers, directors and any other persons acting under their direction to fraudulently influence, coerce, manipulate, or mislead independent CPAs engaged in the performance of an audit for the purpose of making the financial statements materially misleading. The TSBPA believes it to be imperative that the public should expect public interest entity boards and management to behave and be held to the same standards as independent auditors. It thus believes similar legislation in Texas would be beneficial in strengthening the reliability of financial statements and the environment in which they are prepared. The TSBPA further believes the criminal penalties for violations of such a law should be consistent with those levied on CPAs in Sec. 26 of the PAA. Additionally, the Legislature should consider providing the TSBPA with the statutory authority to refer to the appropriate prosecutorial authority information on activities that appear to constitute criminal conduct or violation of a statute in Chapter 31, Theft, or Chapter 32, Fraud, Texas Penal Code, by individuals other than CPAs. 31 8.0. COST OF COMPLIANCE States need to carefully deliberate whether or not to apply to non-public companies specific SOX requirements. . . . Many public companies have already reported significant cost increases arising from substantially higher audit fees, legal fees, consultant’s fees, director’s and officer’s insurance costs, director’s compensation, management compliance time and information technology requirements. NASBA Discussion Memorandum The cost of implementing SOX provisions, particularly as they relate to documentation and reporting on a company’s internal control systems will be substantial. Any recommendations to apply SOX-like provisions to PIEs or other non-publicly held entities must consider the costs of compliance compared to the benefits to be derived. Many publicly-traded companies have experienced significant increases in internal costs and fees from their auditors. The Accounting WEB article, “Section 404 Could Cost Big Companies $ 4.6 Million or More” (ATTACHMENT 17) states that the cost of compliance for big companies will be in the millions of dollars: Total costs of first-year compliance with Section 404 of the Sarbanes-Oxley Act could exceed $4.6 million for each of the largest U.S. companies, according to a survey of 321 companies by Financial Executives International (FEI). The added costs are driven by a projected investment of 35,000 hours of internal manpower, $1.3 million in spending on external consulting and software, and additional audit fees of $1.5 million (a jump of 35%). FEI is the leading professional organization serving chief financial officers (CFOs) and other senior financial executives. “Companies that are currently subject to the SOX requirements will be incurring substantial costs,” Brenda Nation of the American Council of Life Insurers told the task force in her letter of July 9, 2004. The May 21, 2004 National Accounting News stated, “The rising and unpredictable costs of complying with the Sarbanes-Oxley Act is causing some companies to consider going private to avoid being forced to adhere to the law’s provisions.” On May 7, 2004, a United Press International article entitled “Compliance Conundrum” noted that participants at the American Enterprise Institute generally thought that “. . . some secondary consequences [of SOX legislation] includes extra regulatory costs, not necessarily better management, and diverting staff away from running the business.” The article states: The costs are daunting for private companies with plans to go public, and are causing some public companies to de-list, and some private companies to try and sell the company so as to not have to pay the extra costs to become SOX compliant, according to accounting firm Grant Thornton. The firm reported that since the enactment of SOX, the number of companies seeking to go private has increased by 30 percent and the number of proposed management buyouts has increased 80 percent. 32 In addition to direct monetary costs of compliance, other negative impacts can result from state adoption of SOX-type regulation. To the extent Texas is less friendly to businesses than other states, some businesses may choose to move elsewhere or economic growth within our state might slow. A vibrant Texas business climate is also in the public’s interest... The Federal Reserve Bank of Dallas recently published an article on the state of the Texas economy which indicates that some of the state’s relative advantage to the nation’s economy has been diminishing. A number of factors are given for this recent phenomenon, including the state’s high tech concentration as well as labor competition from overseas. Regarding the short-term outlook, the Federal Reserve’s article states that positive attributes remain, but: . . . the state may have lost some of its comparative advantage as a low-cost base for economic expansion . . . Retaining a favorable business climate with smart and efficient government is essential to ensuring that the foundation for starting and building businesses and spurring strong growth remains. Increases in taxation or regulation that are not perceived to improve the quality of living and doing business in Texas will be harmful to future economic expansion. 33 9.0. CONCLUSION State boards should participate in the review process and develop board rules that reference the revised standards for non-public companies, rather than drafting rules that apply only to their jurisdiction. NASBA Discussion Memorandum The TSBPA firmly believes the public is better protected when boards of directors and management of entities have clear responsibilities and behavior consistent with good fiduciary stewardship It is the consensus of the TSBPA’s task force that: 1. there should not be an additional layer of regulation on PIE’s in Texas; 2. notwithstanding Item 1. above, existing regulatory bodies should review relevant SOX provisions to determine applicability, if any, to the corporate governance and management of the entities for which they are responsible; 3. SOX-type provisions should not be presumed to apply across the board; 4. the cost versus the benefit of SOX-type legislation must be justified; 5. in accordance with the GAO report, no requirement for mandatory audit firm rotation should be enacted. 6. the State of Texas should not impose SOX-like regulations on the private business community; and 7. the State of Texas should be involved in the development of national standards for accounting and the regulation of financial statements for public interest entities. 9.1. Recommendations. The TSBPA: 1. cautions against state-by-state implementation of SOX-type legislation on public interest entities or on other non-publicly held entities; 2. recommends that existing regulatory bodies in Texas review relevant SOX provisions as identified in the Statutory and Regulatory Responsibility Table [pages 8-10 of this report] to determine which, if any, provisions or their objectives are appropriate for the regulatory bodies’ respective jurisdiction; and 3. recommends potential legislation consistent with SOX Sec. 303 making it illegal for an officer, director, or persons directed by them to fraudulently influence, coerce, manipulate, or mislead an independent public accounting firm performing an audit for PIEs in Texas to be accomplished by: a. reviewing existing statutes to determine whether they are sufficient to cover such conduct caused by non-CPAs who are not within the TSBPA’s jurisdiction;. b. adopting penalties for such actions which are consistent with those in Chapter 26 of the PAA; and c. providing the TSBPA with the statutory authority to refer to the appropriate prosecutorial authority information on activities that appear to constitute criminal conduct or 34 violation of a statute in Chapter 31, Theft, or Chapter 32, Fraud, Texas Penal Code, by individuals other than CPAs. The TSBPA anticipates that during the upcoming Texas Legislative session, it will continue to work with the Legislature to further examine recommendations for improving the public’s confidence in audits and the resulting financial information on which the public relies. The TSBPA does not recommend legislation imposing added layers of regulation on Texas entities. Existing state regulators should be the source of the issuance of rules for those entities that they regulate, unless needed changes, if any, require legislation. Therefore: • The existing TSBPA rules have been reviewed and updated pursuant to the PAA and the latest national accounting standards. • Through the PAA, the TSBPA has the necessary authority to regulate the CPA profession in Texas and procure additional rules as they may become necessary. • The TSBPA recommends voluntary compliance with SOX-type provisions whenever practical for public interest entities and where determined by their respective regulatory agencies. The TSBPA does not recommend legislation which would result in unfunded mandates for political subdivisions or not-for-profit organizations. 35