Sarbanes-Oxley Act Summary

The Sarbanes-Oxley Act of 2002
• §201 Prohibited Non-Audit Services
• §202 Audit Committee Pre-Approval
• §203 Audit Partner Rotation
• §204 Auditor Reports to Audit Committee
• §206 Auditor Conflicts of Interest
• §301 Independent Audit Committee
• §302 Certification of Periodic Reports
• §303 Improper Influence on Conduct of Audits
• §306 Pension Fund Black-Out Restrictions
• §307 Conduct of Attorneys
• §401 Disclosure of Off-Balance Sheet Transactions
• §401 Disclosure of Pro-Forma Financial Information
• §401 Disclosure of Material Correcting Adjustments
• §402 Prohibition on Loans to Directors and Executives
• §403 Insider Transactions: 2-Day Reporting
• §404 Management Report on Internal Controls
• §406 Code of Ethics Disclosure for Financial Officers
• §407 Financial Expert Disclosure Requirements
• §409 Real-Time Disclosure
• §806, §1107 Employee Whistleblower Protection
• §906 Criminal Certification of Periodic Reports
• Titles VIII, IX, XI: Fraud Accountability, White-Collar Penalties
Sarbanes-Oxley Background

Sarbanes-Oxley
• US Congress approval Jan 23 '02.
• Enacted July 30 '02.
• Underlying objective: protecting investors and improving the accuracy and reliability of corporate disclosures.

Regulation / Law
• New standards for corporate accountability and penalties for wrongdoing.
• Applies primarily to companies filing annual reports with the SEC.

Major Provisions
• Creates a new Public Company Accounting Oversight Board (PCAOB) for external auditors (Sections 103-105, 201-203).
• Expands reporting requirements and accountabilities: requires CEO and CFO attestations and the filing of an internal control report with the annual report (Section 302).
• Requires external auditors to attest to and report on management's assessment in the internal controls report (Section 404).
• Mandates independent audit committees and disclosure of a "financial expert" on the audit committee (Sections 301 & 407).
• Requires disclosures regarding a code of ethics (Section 406).
• Increases civil and criminal penalties (Sections 903-904).

Accounting Scandals (Scams)
• Enron: Off Balance Sheet Entity
• Tyco: Improper Capitalization
• Worldcom: Improper Capitalization
• Xerox, Qwest: Improper Revenue booking

Bodies Governing the Act: PCAOB & SEC
Sec 404 of the Sarbanes Oxley Act

• Sec 404 of this act establishes the following:
  • Responsibility of management for establishing and maintaining an adequate internal control structure and procedures over financial reporting
  • Responsibility of management to disclose to shareholders the effectiveness of the internal control structure and procedures
• Documentation and testing must include the following steps:
  • Evaluate whether the control is preventive or detective
  • Document that tests were planned and performed
  • Disclose material weaknesses
  • Identify the internal control framework used
  • State that the external accounting firm has issued an attestation report
• External Auditor Opinion
  • Opinion 1: Management's assessment of internal control over financial reporting
  • Opinion 2: Effectiveness of internal control over financial reporting
• Company Annual Report (on Form 10-K) is filed
Key Impacts

Financial Disclosures
• Real-time disclosures of Financial Statements as per US GAAP.
• Internal control report duly attested by External Auditors included in 10-K filings.
• Disclosure of all off-balance-sheet transactions and contractual obligations.
• Adoption of a code of ethics for senior finance officers.
• Prohibition of credit or personal loans to directors/CEO.

Board of Directors & Senior Officers; Corporate & Criminal Fraud Accountability
• Certification of Financial Statements to be included in 10-K and 10-Q filings.
• Potential forfeiture of bonuses and profits due to Financial Statement restatement.
• Unlawful to exert improper influence upon an audit.
• Disclosure of changes in securities ownership of directors.

Related to Audit Committees
• Appoint a Financial Expert on the committee and disclose in 10-K filings.
• Members must be independent of the Company.
• Directly responsible for Auditor appointment.
• One-year lag for hiring an audit team member onto the board.
• Disclose pre-approvals for audit and non-audit services.
• Establish complaint procedures for accounting and auditing matters.
• Disclosure of fees paid to auditors in the two fiscal years.
Sarbanes-Oxley Section 404 Approach
SOX Process flow (flowchart; node labels only): Process; Risk; Compensating Control; No Control; Key control; Design GAP; Operation GAP; Preventive; Detective; Effective; Highly Effective; Ineffective; Potential Significant deficiency; Material weakness; Reported to Audit Committee; Reported to Shareholders; Action plan to mitigate risk.
Preventive & Detective Controls

Preventive Controls
• Detect problems before they arise; prevent an error or omission from occurring.
• Examples: Control access to physical facilities. Use encryption software to prevent unauthorized disclosure of data.

Detective Controls
• Detect and report the occurrence of an error or omission.
• Examples: Internal audit functions. Review of activity logs to detect unauthorized access attempts.
Benefits of Internal Control
• Complies with rules and regulations.
• Promotes reliability and integrity of Financial Reporting.
• Monitors results.
• Safeguards assets.
• Utilizes resources effectively and efficiently.
Approach to SOX
• Identify processes that are SOX significant
• Conduct Process Risk Self Assessment

Step 1
• PRSA Team works with Management to document and assess risks in their business

Step 2
• Controls for each significant risk are documented

Step 3
• Key controls are identified and test plans are developed and executed
• Control Operator makes an assertion as to the effectiveness of each key control

Step 4
• Action plans are developed for missing, poorly designed, or ineffective controls

Step 5
• Process owner certifies the effectiveness of the collective controls
• Process owner certifies the adequacy of internal controls of the process
What is Process Risk Self Assessment (PRSA)?
• A robust approach that supports ongoing self assessment by process owners.
• A methodology for focusing on significant risks and key controls.
• PRSA will improve risk management and reduce loss, provide an automated single solution for meeting multiple regulatory requirements (Sarbanes-Oxley, Basel), strengthen customer relationships and improve shareholder value.
• Most importantly, PRSA provides senior leaders the evidence to support their internal control assessment/report.
Implications of Control Effectiveness: Based on the results of testing, the Control operator will assert the effectiveness of the control as follows:
SOX Roles & Responsibilities
• SOX Champion: Serves as the liaison between the Process Owners and the SOX 404 Project Office.
• Process Owner: Responsible for concluding whether or not their process has effective internal controls over financial reporting.
• Tester: Executes the test plan and communicates the test results to the Control operator/process owner.
• SOX Project Office: Supports the SOX effort through guidance documents, help, etc.
• Internal Auditor: Provides an objective assessment of the PRSA process.
• External Auditor: Gives an opinion on the effectiveness of management's assessment of internal control over financial reporting.