Implementation Issues of Sarbanes-Oxley
CASE Presentation
September 23, 2004
By Denise Farnan

Agenda
• Overview of Sarbanes-Oxley legislation (SOX)
• Key sections of legislation and key players
• SOX implementation issues for public insurance companies
• Positives from implementation of SOX

Overview of Sarbanes-Oxley Act
• Became law on July 30, 2002
• The Act established a board (PCAOB) to create auditing standards and regulation for all SEC registrants
• Created specific corporate responsibility for financial reporting, internal controls and audit committee standards
• Enacted rules relevant to attorneys, securities analysts, auditors and brokers
• Established criminal penalties for non-compliance

Intent of Sarbanes-Oxley Act
• Provide confidence and trust to investors and public in the post-Enron era.
• Requires management accountability - focus on rapid identification & correction of control weaknesses along with additional financial disclosure requirements
• Hold external auditors to a higher attestation standard

Key Sections of SOX
• Section 302 requires the CEO and CFO on a quarterly basis to sign off on financial statement fairness and internal control effectiveness. They also must report any significant changes in internal controls since their last evaluation.
• Section 404 requires a separate management report on internal control effectiveness and audit by the organization’s external financial statement auditor. It becomes effective for most large companies for their entire reporting year ending December 31, 2004 and has a 12/31/2005 effective date for other companies.
• Section 906 is related to Sections 302 and 404, and requires that CEOs and CFOs ensure all financial reporting (including annual and periodic reports) fairly presents, in all material respects, the financial condition and results of operations of the issuer. It also provides for significant criminal penalties for non-compliance.

Key Sections of SOX (cont’d)
• Section 201 prohibits a registered public accounting firm from performing both audit and non-audit services.
• Section 301 requires an audit committee to establish “whistleblower” procedures to allow the confidential and anonymous submission of concerns regarding questionable accounting or auditing matters.
• Section 409 requires disclosure to the public, on a rapid and current basis, of additional information concerning material changes in the financial condition or operations of the issuer (Form 8-K).

Who are the key external players?
Public Company Accounting Oversight Board (PCAOB)
• Is a private-sector, non-profit corporation, created by the Sarbanes-Oxley Act, to oversee the auditors of public companies.
• Responsible for establishing auditing and related attestation standards, quality control standards, and ethics standards to be used by registered public accounting firms in the preparation and issuance of audit reports.
• Proposed rules and standards must be submitted to the Securities and Exchange Commission for approval prior to becoming law.

Who are the key external players?
Securities and Exchange Commission (SEC)
• Is the primary overseer and regulator of the U.S. securities markets.
• Reviews documents that publicly-held companies are required to file with the Commission. The documents include:
  1. Registration statements for newly-offered securities;
  2. Annual and quarterly filings (Forms 10-K and 10-Q);
  3. Proxy materials sent to shareholders before an annual meeting;
  4. Annual reports to shareholders;
  5. Disclosure of current reportable events (Form 8-K).

Who are the key external players?
COSO - Committee of Sponsoring Organizations
• COSO is the Internal Control Framework recommended by regulatory/industry bodies for use in Sarbanes-Oxley compliance purposes.
• Designed to provide reasonable assurance towards achieving business objectives in the following three categories:
  1. Reliability of financial reporting (primary emphasis of SOX)
  2. Effectiveness and efficiency of operations
  3. Compliance with applicable laws and regulations
• Establishes that management has primary responsibility for establishing and maintaining internal controls.

Internal Control Items
COSO’s Five Internal Control Components
  1. Control Environment (Assignment of authority & responsibility, Management’s philosophy and operating style)
  2. Risk Assessment (Establishment of objectives, Ability to manage internal & external change)
  3. Control Activities (Segregation of duties, Documentation of policies & procedures, Reconciliations, Transaction approvals)
  4. Information & Communication (Is the right information provided to the right people at the right time?)
  5. Monitoring (Responding to control deficiencies, Frequency of monitoring procedures, Evidence that monitoring took place)

Implementation Issues for SOX
• Sarbanes-Oxley Act requires education of employees and management across departments
• Increased documentation, testing, walkthrough requirements for management and auditors
• Efforts to correct any potential deficiencies identified during walkthrough
• Development of testing and monitoring strategy for risk assessment and control activity

Implementation Issues for SOX
• $$$$ --- Higher audit fees
• Purchase of compliance software – which one?
• Work with 3rd party vendors on investor communications and establishment of a whistleblower program
• Changes in IT Department on system controls utilizing the recommended Internal Control Framework established by COSO

Positive Results from Implementation of SOX
• Improve process efficiencies through identification of weaknesses
• Reduce internal fraud with implementation of improved controls
• Create environment for corporate excellence!