Corrections Technology Association
Sixth Annual Conference
Sarbanes-Oxley Act and
Impact of Noncompliance
Presented by:
Mr. Robert E. Kaelin, Partner
May 3, 2005
Agenda

Background

Sarbanes-Oxley (SOX) Overview

Impact on Vendors

Impact on Agencies

Future Impact

Conclusion
777/40/82924(ppt)
1
Background
Why Do I Care About Sarbanes-Oxley?
Background
The Problem

SOX was a reaction to corporate scandals and lack of investor
confidence:
» Enron.
» Arthur Andersen.
» MCI.

Intense competition and pressure, conflicts of interest, and poor
practices led to poor reporting and mismanagement.

Criminal activities also contributed to the problem.

Many other smaller examples of “dot com” booms that turned
out to be investor busts all combined to prompt congressional
action.
– Source: Bauer College of Business
Background
The Problem Continues Today

A May 2, 2005 headline stated: “Audit flaws wipe $2.7bn from
AIG.”

Discoveries of improper accounting at American International
Group (AIG) are to knock $2.7 billion off the value of the world's
biggest insurer.

AIG said it would restate its accounts for each of the last 5 years
from 2000 onwards, lowering the company’s value by 3.3%.

It said it had found “material weaknesses” in its control systems
and postponed filing its 2004 accounts.
– Source: http://news.bbc.co.uk/1/hi/business/4504865.stm
Background
Learning About SOX

Business Relationship:
» Advise clients on business process and implementation issues.
– Project issues.
– Client accountability.
» Manage and run our company.

My role on the IJIS Institute Board of Directors:
» Serve as chair of the Governance Committee.
» Responsible for the overall impact of SOX on the institute.
– Controls.
– Reporting.
Background
Learning About SOX (continued)

To understand SOX:
» Conducted Web research and evaluated SOX presentations.
» Conferred with compliance auditor.

Disclaimer:
» I am a management consultant – not an auditor.
– I understand SOX but do not want to know it!
– SOX focuses on doing what is right.
» Contact your legal adviser and auditor for specific analysis.
» Rules are still being defined and refined.
Sarbanes-Oxley Overview
What Is SOX?
Sarbanes-Oxley Overview
The Act

The act was signed into law on July 30, 2002.

It includes regulations regarding:
» Public Company Accounting Oversight Board (PCAOB).
» Auditor independence.
» Corporate responsibility.
» Enhanced financial disclosures.
» Corporate and criminal fraud accountability.

It applies primarily to publicly traded companies.

SOX is actually a combination of:
» Sarbanes-Oxley Act of 2002 (H.R. 3763).
» Rules of the PCAOB.
» Rules of the SEC.
Sarbanes-Oxley Overview
The Scope of the Act

The scope of the act focuses on:
» Internal controls.
– Process.
– Policies.
– Activities.
» Compliance and reporting.
– Transparency.
– Accuracy.
» Governance.
– Accountability.
– Responsibility.
– Avoidance of conflict of interest.
Sarbanes-Oxley Overview
The Details of the Act

Title I: Public Company Accounting Oversight Board
Title II: Auditor Independence
Title III: Corporate Responsibility
Title IV: Enhanced Financial Disclosures
Title V: Analyst Conflicts of Interest
Title VI: Commission Resources and Authority
Title VII: Studies and Reports
Title VIII: Corporate and Criminal Fraud Accountability
Title IX: White-Collar Crime Penalty Enhancements
Title X: Corporate Tax Returns
Title XI: Corporate Fraud and Accountability
Sarbanes-Oxley Overview
Public Company Accounting Oversight Board

Established by SOX.

Nonprofit agency.

Responsibilities:
» Register and inspect public accounting firms.
» Establish standards for public accounting firms.
» Enforce compliance with the act and rules of the board.
» Investigate firms and impose sanctions.
– Source for all title details: Bauer College of Business.
Sarbanes-Oxley Overview
Corporate Responsibility

Assigns the responsibility to the audit committee to appoint,
compensate, and oversee the public accounting firm that
performs the audit.

Requires CEO and CFO to:
» Certify fairness of financial statements.
» Take responsibility for disclosure controls.

Makes it unlawful to fraudulently influence, coerce, or mislead
an auditor.

Provides for the forfeiture of certain compensation following the
issuance of a “non-compliant” financial document.

Provides the SEC with greater flexibility to remove management
or board members.

Requires attorneys to report evidence of material violations.
Sarbanes-Oxley Overview
Corporate Responsibility (continued)

Section 301: Public Company Audit Committees
» Companies that are not compliant with SEC audit committee
requirements are subject to delisting.
» Audit committees are responsible for oversight of auditors including
the resolution of disagreements between management and
auditors.
» Audit committees must set up procedures to receive and address
“whistle-blower” complaints.
» Employees and others may take concerns directly to the audit
committee.
» Audit committee members are required to be independent, and a
disclosure is required in proxy statements.
Sarbanes-Oxley Overview
Enhanced Financial Disclosures

Requires disclosure of material off-balance-sheet arrangements.

Prohibits companies from making loans to directors or
executives.

Requires management to establish and maintain adequate
internal controls and procedures for financial reporting.

Requires disclosure of a code of ethics for senior financial
officers.

Requires companies to disclose whether at least one of the audit
committee members is a financial expert.

Requires rapid disclosure of changes in financial condition.
Sarbanes-Oxley Overview
Enhanced Financial Disclosures (continued)

Section 404: Management Assessment of Internal Controls
» Requires management to establish and maintain adequate internal
controls and procedures for financial reporting.
» Requires that each annual report includes a statement:
– Describing management’s:
• Responsibility for internal controls and procedures for financial
reporting.
• Assessment of the effectiveness of the controls and financial
reporting procedures.
– Incorporating the independent auditor’s review of management’s
assessment of internal controls and financial reporting
procedures.
Sarbanes-Oxley Overview
Enhanced Financial Disclosures (continued)
» Related SEC releases define internal controls and procedures for
financial reporting as controls that provide reasonable assurances
that:
– Transactions are properly authorized.
– Assets are safeguarded against unauthorized or improper use.
– Transactions are properly recorded to permit the preparation of
financial statements that are presented in a manner consistent
with GAAP.
» To meet the assessment requirement, management must select a
suitable, recognized framework for assessing the effectiveness of
internal controls.
Impact on Vendors
What Do Vendors Have to Do About SOX?
Impact on Vendors
SOX Is About Business Practices

SOX has implications for most business practices and processes
of publicly traded companies.
» Any errors or misstatements that could cause a company to have to
restate its financials are areas that require focus.
» Systems and processes must be in place to administer the pricing,
services, and discounts.
» Visibility and control must ensure that pricing and costs are captured
accurately and on a timely basis.
» Pricing, services, and discount processes often have the most people
involved and represent the largest risk area.

Combined implications create a very large potential for misstated
financial results and SOX scrutiny, sanctions, and bad press.
Impact on Vendors
SOX Impact

Skyrocketing SOX implementation costs:
» Have put high-tech companies in the position of having to delay
major projects.
» Force companies to struggle to compete with low-cost competition
from Asia.

The SOX impact is more than technical, more than analytical,
more than financial:
» SOX places a burden of responsibility on all employees, not just the
accountants.
» SOX impacts IT priorities and the “to do” list.
» SOX will impact the role of IT in its users’ business and data.
» SOX will challenge any IT organization whose culture is one of
containment.
Impact on Vendors
SOX Requirements

Companies must ensure that:
» Bad news is reported upwards.
» IT project definitions include potential financial impact.

Ignoring problems is not allowed under SOX.

Different sections of the act are driving or will drive changes in the
financial organization.
» Sections 302 and 404.
– Process mapping.
– Systematic remedies.
– Process changes.
– Collaboration and teaming.
» Section 409.
– Systematic remedies.
– Major process changes.
Impact on Vendors
Compliance Process

Control Environment
» Sets the tone of the organization, influencing the control consciousness
of its people.
» Factors include integrity, ethical values, competence, authority,
responsibility.
» Foundation for all other components of control.

Risk Assessment
» Risk assessment is the identification and analysis of relevant risks to
achieving the entity’s objectives, forming the basis for determining
control activities.

Control Activities
» Policies/procedures that ensure management directives are carried out.
» Range of activities including approvals, authorizations, verifications,
recommendations, performance reviews, asset security and segregation
of duties.

Information and Communication
» Pertinent information identified, captured and communicated in a timely
manner.
» Access to internal and externally generated information.
» Flow of information that allows for successful control actions, from
instructions on responsibilities to summary of findings for management
action.

Monitoring
» Assessment of a control system’s performance over time.
» Combination of ongoing and separate evaluation.
» Management and supervisory activities.
» Internal audit activities.

All five components must be in place for a control to be effective.
– Source: PricewaterhouseCoopers
Impact on Agencies
How Does This Apply to a Corrections Agency?
Impact on Agencies
The World Has Changed

Agencies may experience direct impact.
» Correctional industries that are public organizations are directly
impacted.
– These organizations must comply.
» Titles I, III, and IV establish practices and standards that most auditing
organizations, including government auditors, follow.

Agencies will experience indirect impact:
» Contractors working with agencies will be required to comply.
– Internal reporting will increase.
– Time to complete and project status are significant elements in
contractor risk management efforts.
– Payment and contract issues will center on SOX compliance and
may limit previous flexibility.
» Costs will go up as companies cope with SOX costs.
Impact on Agencies
Audit Guidance

The implication of Title I is that now there are three audit
standards-setting bodies in the United States.
» PCAOB, which sets audit standards for publicly traded companies.
» Auditing Standards Board of the American Institute of Certified
Public Accountants, which sets standards for privately held
companies and not-for-profit organizations.
» U.S. General Accounting Office, which sets standards for federal,
state, and local governments through the Yellow Book.
Impact on Agencies
Government Auditors

Although SOX affects corporate auditing and internal controls,
the impact on government auditors is as follows:
» Government auditors should encourage good governance practices
with the entities they audit.
» Government auditors have a unique responsibility to ensure
accountability for public resources and government services.
» The fundamental role of government auditors should remain clear
and unchanged – provide assurance.
Impact on Agencies
Noncompliance

While most corrections agencies and their activities do not fall
directly under SOX, reasonable effort should be made to modify
processes to comply.

Where compliance is required, noncompliance can result in
criminal investigation to determine whether:
» Information was transmitted by mail.
» Information was withheld from investigators.
In these cases, felony charges can be brought.

In other cases, agencies may be ordered to comply with auditor
statements and requirements that:
» Add expensive processes with no additional funding source.
» Add reporting requirements not otherwise necessary.
Future Impact
Will This Go Away?
Future Impact
SOX Is Likely to Grow

The results of SOX, both positive and negative, have led to several
discussions on expanding the scope of SOX.
» Congress is reviewing options to expand to nonprofits to reduce
scandals like that of the United Way several years ago.
» Congress is also examining the reporting of privately held companies.
» The Government Accounting Office is reviewing procedures for
government agencies.
» Additional rules in support of SOX and auditing process are under
review or in draft form.

State and local governments are revising policies and in a few
cases, legislation, to require SOX-like activity reporting.
Future Impact
New York State Strengthens SOX

Attorney General Eliot Spitzer has proposed a series of reforms to
strengthen New York's corporate accountability laws. He stated:
» “Unfortunately, many of New York's laws are outdated and contain major
loopholes.”
» “For these reasons, we must act to strengthen state laws to protect
investors and donors.”

Mr. Spitzer's proposals cover the following areas:
» Protecting honest employees who report illegal activities.
» Protecting against fraud relating to nonprofit corporations.
» Preventing securities fraud.
» Preventing cover-ups of corporate crimes.
» Addressing misconduct by corporate officers.
» Improving oversight of the accounting industry.

Consumer advocates have applauded Mr. Spitzer's efforts.
Future Impact
Getting a Handle on SOX

Many auditors and accounting professionals offer programs to
assess SOX compliance that provide:
» Reports on areas of concerns.
» Recommended changes.
» Programs that align an organization’s practices to comply with
SOX.

All CFOs and agency budget officers should conduct reviews of
internal governance and compliance.
» Focus on understanding the financial and audit processes.
» Focus on whistle-blower protections.

Key leaders should monitor SOX as well as state and local
policy changes.
Conclusion
What Are the Key Points?
Conclusion
Key Points

Understand that SOX is the model for legislative initiatives aimed at
both public and private companies in a number of states.

Maintain a strong and independent audit committee (where used).

Keep any arrangements for the auditor to provide non-audit services
independent of audit services.

Ensure executives understand the financial, compliance, and other
external information reporting.

Establish, maintain, and document significant financial and compliance
controls.

Maintain and archive all appropriate entity records.

Remember SOX is the benchmark against which every company’s
financial and corporate governance practices will be measured.
Conclusion
SOX Improvement Areas

Remediation efforts should focus on:
» Financial processes.
» Computer controls.
» Internal audit effectiveness.
» Security controls.
» Audit committee oversight.
» Fraud programs.

Process improvements for future compliance should focus on:
» Financial reporting.
» Risk identification and assessment.
» Risk mitigation.
» IT security strategy and implementation.
» Internal audits.
» Compliance management.
» IT oversight and operations.
Conclusion
Resources

www.aicpa.org

www.findlaw.com

www.pcaobus.org

www.sec.gov
» www.sec.gov/rules/final.shtml

www.isaca.org
Contact information: rkaelin@mtgmc.com or 206-442-5010
www.mtgmc.com