15-1, 15-2: Chapter 15 — Fraud and SOX Compliance
McGraw-Hill/Irwin. Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.

15-3: SOX Regulatory Framework

15-4: SEC Oversight

15-5: The Sarbanes-Oxley Act
The full official title of the act is "Public Company Accounting Reform and Investor Protection Act of 2002."
Title I—Public Company Accounting Oversight Board. The PCAOB consists of five members, only two of whom are permitted to be, or to have previously been, certified public accountants (CPAs). Furthermore, its chairperson cannot have been a practicing CPA at any time in the five years before serving on the board.

15-6: SOX and the PCAOB

15-7: SOX Titles II and III
Title II—Auditor Independence
- Prohibits certain non-audit services
- Requires rotation of audit partners
Title III—Corporate Responsibility
- Mandates audit committees
- CEO/CFO must certify reports
- SEC power to bar executives from directorships
- SEC power to seek equitable relief
- Reporting requirements for corporate attorneys

15-8: SOX Title IV
Title IV—Enhanced Financial Disclosures
- Requires the disclosure of all material off-balance-sheet transactions and reconciliation of pro forma financial statements to GAAP.
- Forbids personal loans to directors and executives.
- Requires that senior management and directors disclose changes in securities ownership within 2 days.
- Requires the CEO and CFO to "certify" internal controls, and requires the auditor to attest to and report on management's assessment of the internal control structure and procedures.
- Requires that companies disclose whether they have adopted an ethics code for senior management and whether the audit committee includes at least one financial expert.

15-9: SOX Titles V–VIII
Title V—Requires independence of financial analysts.
Titles VI and VII—Commission Resources and Authority; Studies and Reports.
Title VIII—Corporate and Criminal Fraud Accountability
- Provides for up to 20 years in prison for certain types of interference with any kind of federal-related investigation.
- Requires auditors to retain their working papers for 5 years.
- Makes non-dischargeable the fines, penalties, and certain civil debts arising from violations of state and federal securities fraud laws.
- Whistle-blower protection.
- Up to 25 years in jail for securities-related fraud.

15-10: SOX Titles IX and X
Title IX—White-Collar Crime Penalty Enhancements
- Increases the maximum penalty for wire and mail fraud from 5 to 20 years.
- Makes it a criminal offense for officers to willfully and knowingly certify financial reports that do not comply with the act, punishable by up to 20 years in jail.
Title X—Corporate Tax Returns
- Recommends that the CEO sign the corporate tax return.

15-11: SOX Title XI
Title XI—Corporate Fraud and Accountability
- Establishes a potential 20-year prison term for anyone who alters, destroys, mutilates, or conceals a record, document, or other object, or otherwise impedes an official proceeding.
- Empowers the SEC to petition federal courts for temporary injunctions to freeze pending "extraordinary payments" to certain individuals under investigation for possible violations of federal securities law.
- Empowers the SEC to bar from serving as corporate officers any individuals who violate certain rules governing manipulative or deceptive devices.
- Increases penalties for filing a false or misleading SEC report to up to $25 million and up to 20 years in prison.

15-12: SOX Compliance
- SOX Rules, Regulations, and Standards (SOX involves an ongoing rulemaking and regulatory process).
- The Federal Criminal Sentencing Guidelines (a point system with mitigation for ethics and control processes).
- The COSO Reports: focus on basic control processes and risk management.
- COBIT Standard: contains high-level and detailed control objectives, audit guidelines, and management guidelines.
- ISO 27002: contains 11 major topics, with over 5,000 controls in total.
- Comparison of the Various Models for Control Practices.

15-13: SOX and Small Public Companies
SOX 404 Compliance with Small Public Companies
- Leadership involvement and effective boards of directors
- Compensating for limited segregation of duties by management reviews
- Compensating for limited IT by using ASPs
How Small Public Companies Can Achieve Efficiency in Internal Control Processes
- Apply a risk-based approach
- Focus on changes
- Manage reporting objectives
- Right-size documentation