Update on Sarbanes-Oxley Act: What Accountants Need to Know Now

Presented to:
Georgia Society of CPAs
Buckhead Chapter
Atlanta, Georgia
December 16, 2003

Presented by:
Robert F. Dow, Esq.
Arnall Golden Gregory LLP
2800 One Atlantic Center
1201 W. Peachtree Street
Atlanta, Georgia 30309
404-873-8706
Robert.Dow@agg.com

Summary of Recent Issues
• CFO Certifications
• Assessment of Internal Controls
• Code of Ethics
• Audit Committee Financial Expert
• Improper Influence on Auditors
• Auditor Independence
• Public Company Accounting Oversight Board
• Non-GAAP Financial Measures
• Revenue Recognition

CFO Certifications
(or “I’m Supposed to Sign WHAT?!...”)

CEO/CFO Certification
• Two separate CEO/CFO certifications for periodic reports – Section 302 and Section 906
• Both sections require the CEO and CFO to include a certification for each annual or quarterly report of the issuer
• Section 906 imposes criminal sanctions
• Section 302 is a civil provision implemented by SEC regulations issued in August 2002

CEO/CFO Certification (cont’d)
The SEC regulations under Section 302 require the CEO and CFO to certify in each periodic report regarding:
• Financial and other information included in the report
• The establishment, maintenance and evaluation of disclosure controls and procedures
• Internal control disclosures must be made to auditors and AC
• Evaluation of internal controls and any changes thereto must be disclosed to auditors and AC

CEO/CFO Certification (cont’d)
Does the company require management below CEO/CFO to sign sub-certifications?
Percent of respondents to survey who said yes:
• Controller/CAO – 68%
• Financial reporting personnel – 68%
• Treasury personnel – 54%
• Risk management – 32%
Source: Deloitte & Touche Survey of Consumer Business Companies, November 2002

Information That Financial Professionals Are Asked to Certify
• Specific disclosures in MD&A or footnotes – 63%
• Specific account balances – 60%
• Compliance with company policies and procedures – 60%
• Adequacy of internal controls in department/area – 59%
• Compliance with company code of conduct – 46%
• Financial results of department – 21%
• Financial results of a subsidiary – 21%
Source: The Association of Financial Professionals (AFP), June 2003

Disclosure Controls
The new rules 13a-15 and 15d-14 define disclosure controls and procedures:
• Controls and other procedures
• Designed to ensure required information is: recorded, processed, summarized and reported within time specified in SEC rules
• Includes procedures to make sure that information is communicated to CFO and CEO
• To allow timely decisions re: disclosure

Disclosure Controls (cont’d)
Rules include four general requirements about disclosure controls:
• Design and maintain
• Evaluate each quarter
• Disclose results of evaluation
• Certification

Observations From SEC Comments on Section 302 Disclosure
• Management must:
  - disclose whether controls are effective at “reasonable assurance” level
  - disclose plans to correct deficiencies, including timetable
• SEC will ask for copies of auditor-AC communications
• SEC asserts that errors may necessitate a restatement
• SEC requires a risk factor regarding control weaknesses

Disclosure Requirements About Controls
Item 307 requires disclosure about controls:
• The CFO’s and CEO’s conclusions:
  - about the effectiveness of the design and operation of disclosure controls
  - based on an evaluation as of the end of the quarter

Disclosure Requirements About Controls (cont’d)
Item 307 requires disclosure about controls:
• Whether or not there were significant changes in the internal controls or other factors that could significantly affect these controls during the period covered by the report, including any corrective actions for significant deficiencies

Assessment of Internal Control Over Financial Reporting
(Who’s on First?)

Assessment of Internal Control
Sarbanes Section 404 requires:
• An issuer’s annual report must contain a report from management on internal control structure and procedures for financial reporting
• The issuer’s auditor must attest to management’s assertion concerning its assessment
• Auditor’s attestation may not be a separate engagement

Highlights of SEC Rules on Internal Control
• Management must evaluate effectiveness of internal control over financial reporting for each annual report
• Each annual report must include a statement of management’s responsibility for adequate internal control and conclusions about its effectiveness
• Each annual report must include the auditor’s attestation and report on management’s evaluation

Effective Dates for Internal Control Rules
• Accelerated filers (generally issuers with a market capitalization in excess of $75 million) will be required to comply with the new requirements for fiscal year ending on or after June 15, 2004
• All other issuers (including small business issuers and foreign private issuers) will be required to comply for fiscal year ending on or after April 15, 2005

Evaluation Process
SEC says the company needs to:
• Document controls
• Perform actual tests of design and operation of controls (inquiry alone not sufficient)
• Document testing and results

Role of Auditors in Evaluation
• Auditors can help document (but not design) controls under management supervision (be careful here!)
• Auditors cannot do evaluation for management
• Auditors can give limited assistance during evaluation:
  - point out areas to improve controls
  - suggestions for improving testing of controls
  - provide software templates to document controls or testing
  - answer questions

What Happens If There Is a “Material Weakness”?
• Precludes a “clean” report by management
• Must be reported to Audit Committee (AC)
• Must report to auditor
• Disclose under Item 307 (disclosure controls)
• May be a violation of Foreign Corrupt Practices Act

Code of Ethics
(Doing the Right Thing)

Code of Ethics
• On January 15, 2003, the SEC adopted a rule entitled “Disclosure Required by Sections 406 and 407 of the Sarbanes-Oxley Act of 2002” under Release No. 33-8177. The Release is available at www.sec.gov under the Final Rules page of the web site. The rule:
  - Expands the statutory requirements
  - Phases in by requiring issuers to include the code of ethics disclosure in their annual report for fiscal years ending on or after July 15, 2003, and requires disclosure of waivers to or amendments of the code of conduct following the annual report in which the code of ethics disclosure is first contained

Summary of SEC’s Rule On Code of Ethics
• Under new Item 406 of Regulation S-K, code of ethics is defined to mean standards that are reasonably designed to deter wrongdoing and to promote:
  - Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships

Summary of SEC’s Rule On Code of Ethics (cont’d)
  - Full, fair, accurate, timely, and understandable disclosure in reports and documents that a registrant files with, or submits to, the Commission and in other public communications made by the registrant
  - Compliance with applicable governmental laws, rules and regulations
  - The prompt internal reporting of violations of the code to an appropriate person or persons identified in the code, and
  - Accountability for adherence to the code

Summary of SEC’s Rule On Code of Ethics (cont’d)
• The code of ethics must apply to the issuer’s principal executive officer, principal financial officer, principal accounting officer or controller, or persons performing similar functions:
  - Note that a registrant may have separate codes of ethics for other purposes and other persons
  - The code of ethics required by Item 406 may be a portion of a broader document that addresses additional topics or that applies to more persons than the SEC regulates by its rule

Summary of SEC’s Rule On Code of Ethics (cont’d)
The company must make the required code of ethics publicly available in one of three alternative ways:
  - File a copy as an exhibit to the 10-K
  - Post the text on its Internet web site (and contain appropriate references in its 10-K to the web site posting)
  - Provide an undertaking in its 10-K to provide a copy of the code of ethics to any person without charge upon request

Disclosures of Waivers and Amendments
• The rule amends Form 8-K to require the disclosure of:
  - Any amendment of the code of ethics
  - Any waiver, including any implicit waiver, from a provision of the code of ethics
• Two methods of required disclosure:
  - File 8-K report within five business days after amendment or waiver

Disclosures of Waivers and Amendments (cont’d)
  - Use Internet web site as a method of disseminating disclosure if:
      - The issuer has disclosed in its Form 10-K its intention to disclose these events on its Internet web site
      - The issuer must disclose within five business days
      - The issuer must continue to post information for 12 months

Sample Codes of Ethics
• http://ethics.bellsouth.com/commitmentbook%20doc.pdf
• www.ge.com/en/commitment/social/integrity/integrity.htm
• www.lockheedmartin.com/data/assets/360.doc
• www.raytheon.com/ethics/booklets/standards.pdf

Audit Committee Financial Expert
(Debits on the left, credits on the right . . . )

Audit Committee Financial Expert
SEC regulations under Section 407 define “financial expert” as a person with all of these attributes:
• An understanding of financial statements and generally accepted accounting principles
• An ability to assess the general application of such principles in connection with the accounting for estimates, accruals, and reserves

Audit Committee Financial Expert (cont’d)
• Experience:
  - Preparing, auditing, analyzing, or evaluating financial statements with a level of complexity of accounting issues that are generally comparable to the company’s financial statements, or
  - Actively supervising one or more persons engaged in such activities
• An understanding of internal controls and procedures for financial reporting; and
• An understanding of AC functions

Audit Committee Financial Expert (cont’d)
A person can acquire the attributes through:
(1) Education and experience as a CFO, ACAO, controller, public accountant or auditor, or similar functions
(2) Experience:
  - actively supervising one of these positions, or
  - overseeing or assessing the performance of companies or public accountants with respect to the preparation, auditing, or evaluation of financial statements, or
(3) Other relevant experience

Audit Committee Financial Expert (cont’d)
SEC’s regulations go beyond Sarbanes to require:
  - Disclosure of name of at least one financial expert
  - Disclosure of whether the financial expert is independent
NYSE/Nasdaq
• Require all AC members to be “financially literate”
• Expert must have accounting or financial management expertise (NASDAQ)

Improper Influence On Auditors

Improper Influence on Auditors
New SEC rules say that officers may not fraudulently influence, coerce, manipulate or mislead an independent auditor:
• To issue a report that is not warranted in the circumstances
• Not to perform procedures required by GAAS
• Not to withdraw a report
• Not to communicate with AC

What is Improper Influence?
SEC says the following may be improper influence:
• Offering or paying bribes or other financial incentives, including offering future employment
• Providing an auditor with inaccurate or misleading legal analysis
• Threatening to cancel existing non-audit or audit engagements if the auditor objects to the issuer’s accounting
• Seeking to have a partner removed from the audit engagement because the partner objects to the issuer’s accounting
• Blackmailing, and
• Making physical threats

Auditor Independence
(No More Hands in the Cookie Jar)

Auditor Independence
The auditor may not perform for audit clients any of these non-audit services:
  - bookkeeping
  - financial information systems design and implementation
  - appraisal or valuation services or fairness opinions
  - actuarial services
  - internal audit outsourcing services
  - management or human resource functions
  - investment banking services
  - legal services
  - expert services

Auditor Independence (cont’d)
• Other non-audit services also may impair independence
• In evaluating non-audit work, the audit firm should not:
  - audit its own work
  - function as part of management or an employee of client
  - act as an advocate for the client
  - promote client’s stock or other financial interests

Non-Audit Services
Sarbanes includes a definition of “non-audit services,” as follows:
“The term “non-audit services” means any professional services provided to an issuer by a registered public accounting firm, other than those provided to an issuer in connection with an audit or a review of the financial statements of an issuer.” (emphasis added)

Non-Audit Services (cont’d)
• All non-audit services must be preapproved by the AC
• Preapproval requirement is waived if:
  - total of all such non-audit services is 5% or less of the total amounts paid to the auditor, and
  - company “did not recognize the services to be non-audit services” at the time they were provided, and
  - the services are promptly brought to and approved by the AC prior to the completion of the audit

Partner Rotation
• Sarbanes requires the lead auditing and review partners to rotate every 5 years;
• New regulations add 7 years rotation for all “audit partners”
• “Audit partner” includes:
  - decision-making on significant matters affecting financial statement
  - maintain regular contact with management and AC
  - lead partner on significant sub. (20% of assets or revenues)
• Small firm exemption (<10 partners and 5 SEC clients)

Cooling Off
• A firm may not serve as auditor if:
  - member of management with “financial oversight” was a member of the audit team last year
  - a member of the audit team receives compensation based on sale of non-audit services to the company

Additional Communications with Auditors
New SEC rules add requirements to report to the AC on:
• All critical accounting policies and practices
• All alternative treatments under GAAP discussed with management, including the treatment preferred by the auditors, and
• Other material written communications with management, including management letter and schedule of unadjusted differences

Communications with Auditors about Fraud
SAS No. 99 requires the auditor to:
• Consider the effectiveness of the AC when the auditor is identifying fraud risks
• In understanding significant transactions, consider whether the transaction has been discussed with and approved by the AC

Communications with Auditors about Fraud (cont’d)
SAS No. 99 requires the auditor to communicate with the AC regarding:
• Misstatements that may be the result of fraud, if the financial statement impact might be material
• Any fraud involving senior management
• Any “reportable condition” (significant internal control deficiency that could adversely affect the company’s ability to accurately record and report financial data)

Disclosures About Auditors
Under new SEC rules, the company must disclose in its proxy statement:
• Fees paid to accounting firm classified by four categories:
  - audit fees
  - audit-related fees
  - tax fees
  - all other fees
• Policies and procedures for approval of non-audit services
• What percentage of non-audit fees were pre-approved

Public Company Accounting Oversight Board (PCAOB)
(Big Brother is Watching You)

Public Company Accounting Oversight Board
• Public Company Accounting Oversight Board (PCAOB) established as a non-profit organization to:
  - oversee the audit of public companies
  - establish audit report standards and rules
  - investigate, inspect and enforce compliance relating to registered public accounting firms

Appointment of New PCAOB Members
The SEC has appointed the Chair and members of the newly created Public Company Accounting Oversight Board. The members are:
• Chair – William J. McDonough, President of Federal Reserve Bank of New York
• Kayla J. Gillan, former general counsel of the California Public Employees’ Retirement System
• Daniel L. Goelzer, CPA and attorney, former SEC general counsel
• Charles D. Niemeier, CPA and attorney, chief accountant of the SEC’s enforcement division
• Willis D. Gradison, Jr., former Ohio Congressman (R)

The Members of the Board
William J. McDonough
Kayla J. Gillan
Charles D. Niemeier
Daniel L. Goelzer
Willis D. Gradison, Jr.

PCAOB Audit Firm Registration System
• A CPA firm must register if it issues reports on public companies or “plays a substantial role”
• This includes foreign firms
• Electronic filing of lengthy application
• Confidential treatment of certain information - everything else is publicly available
• PCAOB has 45 days to review from time it receives complete application
• Firms are required to be registered by 10/22/03

PCAOB - “Substantial Role”
CPA firm “plays a substantial role in the preparation or furnishing of an audit report” if it performs:
• “material services” that a public accounting firm uses in issuing all or part of its report, or
• audit procedures for a subsidiary or component which constitutes 20% of consolidated assets or revenues
• “material services” = 20% of engagement hours or fees

PCAOB - Support Fees for Issuers
• Issuers will pay a fee based on market capitalization
• PCAOB will spread its operating budget over the population of SEC companies
• Issuers <$25M in market cap are exempt
• Estimate: $260,000 for largest issuer down to $100
• PCAOB also may act as collection agent for FASB
• Audit firm must confirm issuer has paid prior to issuing unqualified opinion

Statutory Mandate
SOX Section 104(a): The Board shall conduct a continuing program of inspections to assess the degree of compliance of each registered public accounting firm and associated persons of that firm with this Act, the rules of the Board, the rules of the Commission, or professional standards, in connection with its performance of audits, issuance of audit reports, and related matters involving issuers.

Frequency
Regulation Inspections:
• Every year for firms with >100 audits
• Every 3 years for other firms
Also Special Inspections as appropriate to address issues that come to the Board’s attention.

Inspectors
• 35 full time plus 6 consultants (as of September)
• Plan to have 100 full time by 12/31/03

Inspection Reports
• Draft report to CPA firm – 30 days to respond
• Final report goes to CPA firm, SEC, and state boards
• Firm has 12 months to remedy any criticisms or defects in quality control system
• If fail to remedy, the criticisms and defects shall be made public

“Big Four” Inspections
• To be complete by 12/31/03
• Focus on quality control systems
• Looking at partner compensation levels

Adoption of Interim Standards
PCAOB adopted interim standards as of 4/16/03:
• GAAS as described in SAS No. 95
• ASB Statements on Standards for Attestation Engagements (and related SOPs)
• ASB Statements on Quality Control Standards
• SECPS Requirements for Membership
• AICPA Code of Professional Conduct Rule 101
• ISB Standards No. 1, 2, and 3 and Interpretations 99-1, 00-1, and 00-2

Proposed Standard on Audit Documentation
Audit documentation must:
• Contain sufficient information to enable experienced auditor with no connection with audit to understand work performed, who performed it, when completed, and conclusions
• Exist to establish that work was performed
• Be assembled for retention within 45 days after audit request
• Be retained for 7 years

PCAOB Pending Rulemaking
• Audit documentation
• Internal control attestation

Non-GAAP Financial Measures
(EBBS – Everything but the Bad Stuff)

Non-GAAP Financial Information
New SEC requirements for companies that want to use alternative, “non-GAAP” measures, which measure financial performance, position or cash flow and:
• exclude amounts (or is subject to adjustments that have the effect of excluding amounts) that would otherwise be included if calculated according to GAAP; or
• include amounts (or is subject to adjustments that have the effect of including amounts) that are excluded from the comparable GAAP measure

Non-GAAP Financial Information (cont’d)
Companies will have to:
• Provide a reconciliation of the differences between the non-GAAP and the most comparable GAAP measure
• Provide explanation as to why management believes it provides useful information
• In SEC filings, always give at least equal prominence to GAAP measure
• Post earnings press releases on Form 8-K

Non-GAAP Financial Information (cont’d)
Some prohibitions:
• Can’t exclude cash liabilities or charges from liquidity measures
• Can’t exclude non-recurring or unusual items from performance measures if they are likely to recur
• Don’t use confusingly similar GAAP titles
• Can’t present non-GAAP measures on face of historical or pro forma financial statements

SEC Enforcement and Revenue Recognition
(or “Accountants Behaving Badly…”)

SEC Revenue Recognition Issues
• Round tripping
• Side letters
• Multiple element arrangements
• Bill and hold
• Customer pass throughs
• Adequate disclosure of policies

SAB 101
Revenue generally is realized or realizable and earned when all of the following criteria are met:
• Persuasive evidence of an arrangement exists
• Delivery has occurred or services have been rendered
• The seller’s price to the buyer is fixed or determinable, and
• Collectibility is reasonably assured

EITF 00-21
“Accounting for Revenue Arrangements with Multiple Deliverables”
• The delivered items have stand-alone value to the customer
• The fair value of any undelivered items can be reliably determined
• If the arrangement includes a general right of return, delivery of the undelivered item(s) is probable and substantially controlled by the seller

Sarbanes: New Enforcement Tools for the SEC
• Increased penalties and prison terms for fraud
• Increased authority over professionals practicing before the SEC (Section 602)
• Block “extraordinary payments” to executives (Section 1103)
• “Fair Funds” provision (Section 308(a))
• Additional funding for SEC staff – 842 new positions
• Securities fraud penalties no longer dischargeable in bankruptcy (Section 803)

Are You “Practicing Before the Commission”?
• CFO, controller, other financial professionals
• Internal and external auditors
• Consultants who provide data for SEC reports or assist auditors

Recent Enforcement Actions – Legato Systems
• Legato recorded income when customer (Logicon) not committed to pay
• Side letter: Logicon has right to cancel
  - Cancellation provision omitted from purchase order “because of impact on revenue recognition”
• SEC charges its CFO and two sales executives
• SEC also charges Logicon’s VP of sales with aiding and abetting

Recent Enforcement Actions – Ernst & Young/NextCard
• NextCard under examination by banking regulators
• Ernst & Young partner orders altering of workpapers to show more support for accounting
• Also destroyed emails and documents from hard drive
• Two Ernst & Young managers barred from practicing before SEC
• Partner faces criminal charges with up to 20 years and $250,000 in fines

Recent Enforcement Actions – Gemstar-TV Guide International
• Gemstar manipulated revenue in three ways:
  - Record revenue of expired, disputed, or non-existent agreements
  - Revenues from round-tripping or non-monetary transactions
  - Shifted revenues from other divisions to its IPG sector
• SEC charged CEO and CFO with fraud and internal control violations
• SEC used SOX 1103 to escrow $37 million in payments

Recent Enforcement Actions – Qwest Communications International
• Qwest inflated revenues by $144 million
• “Bill and hold” contract
  - Fabricated a fictitious delivery schedule
  - Accelerated delivery of equipment
  - Shipped non-conforming equipment
• Sales and service contract
  - Split service into separate contract
  - Recorded all revenue despite continuing service obligation
  - Risk of loss did not pass
• SEC charged the Company and eight executives

Recent Enforcement Actions – Xerox
• Xerox’s improper accounting techniques resulted in $6.1 billion restatement
• Abused sales-type lease accounting under FASB 13:
  - Misallocated costs between cost of equipment and cost of service and financing
  - Retroactively changed prior year estimates to take more revenue into income
  - In one case, mischaracterized an operating lease as a sales lease
• SEC charged Xerox in 2002 - $10 million fine
• In 2003 – SEC charged four KPMG auditors with fraud

Recent Enforcement Actions – Homestore, Inc.
• Homestore inflated revenues with round tripping transactions
• Misled auditors to cover up
• Criminal and/or civil charges against nine Homestore managers and two officers of outside vendor
• Criminal defendants face fines and penalties up to $1 million and up to ten years in prison
• Several executives and one CPA are barred from practicing before SEC or serving as officers or directors

Recent Enforcement Actions – Cutter & Buck
• $5.7 million in revenue from shipments to distributors
• No obligation to pay
• CFO concealed transactions from auditors
• CFO overrode system to divide returns among divisions
• SEC charges C&B, CFO and VP of sales

Recent Enforcement Actions – Gateway, Inc.
• Management seeks to “close the gap” on analyst expectations
• Improper revenue recognition:
  - Bill and hold
  - Consignment sales
  - Payments for bundled services from AOL
• SEC charges CEO, CFO, and controller

FASB Project on Revenue Recognition
• The objective – develop comprehensive statement on revenue recognition that is conceptually based and framed in terms of principles
• This Statement will:
  - Eliminate inconsistencies in existing authoritative literature and accepted practices
  - Fill voids that have emerged in revenue recognition guidance in recent years
  - Provide guidance for addressing issues in the future
• Focus on changes in assets and liabilities
• Plan for exposure draft in 4Q04

THE END