Sarbanes Oxley Act of 2002 - California State University, Los Angeles

Sarbanes Oxley Act (Sox)
Corporate and Auditing Accountability,
Responsibility and Transparency Act of
2002
Rick Stephan Hayes, Ph.D., CPA
California State University at Los
Angeles
Reasons for New
Legislation
Objectives
• In response to the Arthur Andersen, Enron and WorldCom
debacle, the Sarbanes-Oxley Act seeks to:
– Restore the public confidence in both public
accounting and publicly traded securities
– Assure ethical business practices through heightened
levels of executive awareness and accountability
Congressional Votes
• Legalizing Marijuana**: Yes 93, No 310, Not voting 31
• Securities Litigation Reform Act: Yes 387, No 130, Not voting 15
• Sarbanes-Oxley Act: Yes 522, No 3, Not voting 9
• Authorizing Force against Iraq: Yes 373, No 156, Not voting 12
**House of Representatives only
Criminal Penalties
• Escaping from prison: 1 to 2 years
• Kidnapping involving ransom: 3 to 5 years
• Second degree murder: 11 to 14 years
• Air piracy: 20 to 25 years
• Sarbanes-Oxley Certification: 10 to 20 years
The Sarbanes-Oxley Act
An Overview
SOX: Who is affected and how?
• Executives:
– Responsibility for financial reporting and keeping the markets
informed
– Certifications: - 302 “Disclosure controls & procedures”
- 404 “Internal controls for financial reporting”
- 906 “CEO/CFO’s written statement on fairness”
– Implement Code of Ethics and whistleblower procedure
• Supervisory Board:
– Enhanced oversight
– Appointment of a “financial expert”
• Auditors:
– Independence
– Attestation on internal controls
Definition of “internal control over financial reporting”:
- Encompasses subset of internal controls addressed in the COSO Report that pertains to
financial reporting objectives
- Including controls over safeguarding assets
Titles of the Act
I. Public Company Accounting Oversight Board (establishes audit governing board)
II. Auditor Independence
III. Corporate Responsibility
IV. Enhanced Financial Disclosures
V. Analyst Conflicts of Interest
VI. Commission Resources and Authority
VII. Studies and Reports
VIII. Corporate and Criminal Fraud Accountability
IX. White Collar Crime Penalty
X. Corporate Tax Returns
XI. Corporate Fraud and Accountability
TITLE I – PUBLIC COMPANY
ACCOUNTING OVERSIGHT BOARD
• Creation of the Public Company Oversight Board (the Board)
– Created as a non-profit organization, the 5-member Board oversees audits of public companies; it is under the authority of the SEC but above other professional accounting organizations such as the AICPA
General Provisions of SOx
o PCAOB To make rules governing audits of
public companies
o PCAOB To oversee audits and audit firms
o PCAOB independent of Federal Government
o PCAOB Self-funded through fees assessed
on CPA firms and publicly traded companies
o Regulations not applicable to Not For Profit
or some foreign listed companies
PCAOB Governing Members
o Five Members, three
of whom must NOT
be CPAs
o If the chair is a CPA,
that person must be
out of the business
of auditing for the
prior 5 years
PCAOB’s Duties
o Write audit standards; temporarily they have
adopted the AICPA’s
o Register public CPA firms to do audits
o Set Quality Control standards for audits
o Do peer reviews of CPA firms – at least every
three years
o Investigate and discipline
o Set Continuing Professional Education
requirements for auditors
o Review company disclosures and financial
statements at least every three years
PCAOB’s Audit Standards
• PCAOB has passed 15 audit
standards as of December
2010.
• They also enforce as
“temporary standards” the
existing audit standards by
the Audit Standards Board
called Statements of Audit
Standards (SAS)
PCAOB’s Audit Standards (Not in Text)
• AS No. 1: References in Auditors’ Reports to the
Standards of the Public Company Accounting Oversight
Board
• AS No. 3: Audit Documentation
• AS No. 4: Reporting on Whether a Previously Reported
Material Weakness Continues to Exist
• AS No. 5: An Audit of Internal Control Over Financial
Reporting That Is Integrated with An Audit of Financial
Statements
• AS No. 6: Evaluating Consistency of Financial
Statements
• AS No. 7: Engagement Quality Review
PCAOB’s Audit Standards (Not in Text)
• AS No. 8: Audit Risk
• AS No. 9: Audit Planning
• AS No. 10: Supervision of the Audit Engagement
• AS No. 11: Consideration of Materiality in Planning and Performing an Audit
• AS No. 12: Identifying and Assessing Risks of Material Misstatement
• AS No. 13: The Auditor's Responses to the Risks of Material Misstatement
• AS No. 14: Evaluating Audit Results
• AS No. 15: Audit Evidence
TITLE II – AUDITOR
INDEPENDENCE
• Can’t do other types of work for clients, including:
– Bookkeeping
– Systems design
– Valuation services
– Actuarial services
– Internal audit
– Management functions
• Other work needs pre-approval by audit committee
• Can’t do audit if CEO, CFO from their firm, 1 year wait period
TITLE II (cont.)
A conflict of interest arises and a Registered Public Accounting Firm (RPAF) may not perform audit services for any issuer employing – in the capacity of CEO, controller, CFO or any other equivalent title – a former audit engagement team member – there is a “cooling-off period” for one year
– i.e., an employee of an RPAF who works on an audit of an issuer may not turn around and directly go to work for that issuer – they must wait one year
Provisions for Audit firms
• Maintain audit papers for 7 years
• Managing Partner rotation every 5 yrs.
• Second partner rotation every 5 yrs.
• Audit manager rotation every 7 years
• Reports to audit committee
– All material deficiency findings
• Disclose fees for all types of services in
proxy statement
• Review disclosures of firm
• Attest to Internal Control of firm
CPAs Report to Audit Committee
• All critical accounting
policies
• Alternate treatments
• Internal Control findings
• Engagement letter
• Independence letter
• Management representation
letter
• Material weaknesses
SOx requires every public
accounting firm to use quality
control policies relating to
(i) monitoring of professional ethics and
independence from entities on which the firm
issues audit reports;
(ii) consultation within the firm on accounting
and auditing questions;
(iii) supervision of audit work;
(iv) hiring, professional development, and
advancement of personnel;
(v) the acceptance and continuation of audit
engagements;
(vi) internal inspection
TITLE III – CORPORATE
RESPONSIBILITY
• Audit Committee (committees est. by the board of a company for the purpose of overseeing financial reporting) Independence
– Establishes minimum independence standards for audit committees
– Independence of the audit committee is crucial in that it must (1) oversee and compensate RPAF to perform audit, and (2) establish procedures for addressing complaints by the issuer regarding accounting, internal control, etc. (this lays the foundation for anonymous whistleblowing)
• CEOs and CFOs must certify in any periodic report the truthfulness and accurateness of that report – creates liability
• Under certain conditions of re-statement of financials due to material non-compliance, CEOs and CFOs will be required to forfeit certain bonuses and profits paid to them as a result of material mis-information
SUMMARY OF SARBANES OXLEY PROVISIONS
AFFECTING DIRECTORS, CEOs AND CFOs
• Listed company audit committee independence requirements
and responsibilities (Section 301)
• CEO and CFO financial statement-related certifications
(Sections 302 and 906)
• Unlawful for any officer or director or person acting under the
direction thereof to fraudulently influence, coerce, manipulate
or mislead any independent accountant engaged to audit the
financial statements of an issuer for purposes of rendering the
financial statements materially misleading (Section 303)
• If there is a material restatement of an issuer’s reported
financial results due to the material noncompliance of the
company, as a result of misconduct, the CEO and CFO shall
reimburse the issuer for any bonus or incentive or equity-based
compensation received within the 12 months following
the filing with the financial statements subsequently required
to be restated (Section 304)
SOx Company Audit Committee
• Under SOx Sec 301 public company audit
committees are directly responsible for the
appointment, compensation, and oversight of
the work of any registered public accounting firm
employed by their company (including resolution
of disagreements between management and the
auditor regarding financial reporting).
• Audit firm reports directly to the audit committee.
Auditors may also have to discuss accounting
complaints with the Audit Committee.
Audit Committee
Independent Directors
Audit committee members should not receive fees
other than for board service and should not be an
“affiliated person” of the company.
Financial Expert
At least one member of its audit committee must
be a "financial expert" (expertise in US GAAP).
Auditor Oversight
Responsible for oversight of external reporting,
internal controls and auditing, and the
appointment and compensation of the auditor.
Whistle-Blower Communications
Confidential and anonymous submissions by
employees.
Corporate Provisions
• Corporate Officers
– Can’t influence audit
– No stock transactions during blackout periods
when employees cannot trade
– In pro-formas, no material untrue statements,
reconciliation and equality with GAAP
– No officer loans
– File any trading information within two business
days
– Code of ethics
– Disclose off-balance sheet financing
– Disclose any non-GAAP financial measures
SOX: Section 302 certification
Section 302 requires:
Quarterly certification by the CEO / CFO
regarding the completeness and accuracy
of quarterly reports as well as the nature
and effectiveness of disclosure controls
and procedures (DC&P) supporting the
quality of information included in such
reports
Actions:
Enhance DC&P assessment and turn into
consistent and continuous process
Ensure coverage of entire organization
(incl. all material subsidiaries)
Embed into regular review and monitoring
processes
Corporate Provisions
• Corporate Officers
– Certify that they have
• Reviewed the reports
• Reviewed internal control
• Certify that there are no
material weaknesses
• Certify that there is no fraud
• Report fairly presents the
financial condition of the
company
Management Responsibility for Audit Report - SOx
SOx requires that the principal executive officer or officers and the
principal financial officer or officers, certify in each report filed
with the SEC the following:
the signing officer has reviewed the report;
the report does not contain any untrue statement
of a material fact or omit to state a material fact;
the financial statements, and other financial
information, fairly present in all material respects
the financial condition of the company;
the signing officers
• are responsible for establishing and maintaining internal
controls;
• have evaluated the effectiveness of the company’s
internal controls; and
• have presented in the report their conclusions about the
effectiveness of their internal controls based on their
evaluation;
Corporate Responsibility for Audit
Report under SOx (cont.)
Requires that the principal executive officer or officers and the
principal financial officer or officers, certify in each report filed
with the SEC the following:
the signing officers have disclosed to the
company’s auditors and the audit committee of
the board of directors —
• all significant deficiencies in the design or operation of
internal controls which could adversely affect the
company’s ability to record, process, summarize, and
report financial data and have identified for the
company’s auditors any material weaknesses in internal
controls; and
• any fraud, whether or not material, that involves
management or other employees who have a significant
role in the company’s internal controls;
SOX: Section 404 Assessment
– Management’s assessment must be based on
procedures sufficient both to evaluate design and test
operating effectiveness
– Management must maintain evidential matter,
including documentation, to provide reasonable support
for the assessment (both design and testing) of
effectiveness
– Any material weakness in internal control over financial
reporting precludes management from reporting that
internal control is effective
Reiteration of guidance regarding independence:
• Auditors may assist management in documenting
internal controls.
• Management must be actively involved in the
process; cannot delegate assessment responsibility
to the auditor
SOX: Meeting SEC Expectations
– Compliance with COSO control standards (or other
accepted standards; IT Governance Institute recently
recommended CobiT for general IT controls
assessment)
– Clear documentation of internal controls as well as
the testing processes
– Evidence that management have evaluated the
adequacy of the design and the effectiveness of
operation of the procedures and controls
– Evidence that the auditor has adequately
evaluated the design and operation of financial
controls
– Evidence that the audit committee and/or
disclosure committee have taken a keen interest in
the effectiveness of controls
TITLE V – ANALYST CONFLICTS
OF INTEREST
• National Securities Exchanges and registered
securities associations must adopt rules
designed to address conflicts of interest that
can arise when securities analysts recommend
securities in research reports
– To improve objectivity of research and provide
investors with useful and reliable information
TITLE VIII – CORPORATE AND
CRIMINAL FRAUD
ACCOUNTABILITY
• To knowingly destroy, create, manipulate documents
and/or impede or obstruct federal investigations is
considered felony, and violators will be subject to
fines or up to 20 years imprisonment, or both
• All audit reports or related workpapers must be kept
by the auditor for at least 5 years – PCAOB AS 3
says 7 years.
• Whistleblower protection – employees of either
public companies or public accounting firms are
protected from employers taking actions against
them, and are granted certain fees and awards (such
as Attorney fees)
Penalties
General penalties
– If alter, destroy,
cover-up or falsify
documents with
objective to hinder
investigation – fines
and up to 20 years
TITLE IX – WHITE-COLLAR
CRIME PENALTY
ENHANCEMENTS
• Financial statements filed with the SEC by any public
company must be certified by CEOs and CFOs; all
financials must fairly present the true condition of the
issuer and comply with SEC regulations
– Violations will result in fines less than or equal to $5
million and/or a maximum of 20 years imprisonment
• Mail fraud/wire fraud convictions carry 20 year
sentences (previously 5 year sentences)
• Anyone convicted of securities fraud may be banned
by SEC from holding officer/director positions in
public companies
Penalties – Corporate Officers
• Give back to firms any bonuses, incentive
compensation or equity based
compensation earned within 12 months
• Give back profit on sales during blackout
period
• False certification - $1m and up to 10 yrs.
• Willful false cert. - $5 m and up to 20 yrs.
• Company can hold up any payments to
officers
Penalties
Audit firms
– Temporary suspension from industry
– Temporary or permanent revocation of license
– Can’t go to another firm if suspended or license
revoked
– Fines of up to $100,000 personal for each
violation, firm up to $2 m
– If intentional up to $750,000 personal, firm up to
$15 m
– Destroy working papers within 5 years – fine and
up to 10 years.
TITLE X – CORPORATE TAX
RETURNS
Federal income tax returns must be signed by the
CEO of an issuer
TITLE XI – CORPORATE FRAUD
ACCOUNTABILITY
• Destroying or altering a document or record with the
intent to impair the object’s integrity for the intended
use in a securities violation proceeding, or otherwise
obstructing that proceeding, will be subject to a fine
and/or up to 20 years imprisonment
• The SEC has the authority to freeze payments to any
individual involved in an investigation of a possible
security violation
• Any retaliatory act against whistleblowers or other
informants is subject to fine and/or 10 year
imprisonment