SOX - Review of Key Provisions
Sarbanes-Oxley Act of 2002: Overview of Sections Relevant to Management and Auditors
WHY SOX?
Enron
Global Crossing
WorldCom
Adelphia
HealthSouth
Tyco
Xerox
Computer Associates
And many others...
WHY SOX?
Consider this:
Earnings restatements by public companies prior to 2001:
  1990-97: 49
  1998: 91
  1999: 150
  2000: 156
10% of all public U.S. companies restated their financials at least once between 1997 & 2000
HealthSouth overstated earnings by $4.6 billion
Adelphia hid >$11 billion in debt
Global Crossing hid $12.4 billion in debt
WHY SOX?
Consider this:
Tyco’s accounting fraud cost investors $100 billion
Xerox overstated revenue by $6.4 billion
Enron stock price dropped from around $90 at the beginning of 2001 to less than $1 at the end
NASDAQ companies wiped out $148 billion in profits between 1995 and 2000
Stock wealth collapsed by 6 trillion dollars with the collapse of the dot.com bubble
WHY SOX?
The underlying issues of concern common to all these that triggered the need for drastic reform were:
  Earnings management
  Audit deficiencies
  Lack of auditor independence
  Ineffective audit committees
  Securities fraud
  Insider trading
  Corrupt tone at the top
  Internal control deficiencies
Sarbanes-Oxley Act of 2002 - Overview
The Sarbanes-Oxley Act of 2002 is intended to expand corporate governance, increase public confidence in financial reporting information and strengthen our capital markets systems.
It’s the most significant securities law change since the original Securities Acts of 1933 & 1934.
The Act is resulting in sweeping changes in:
√ Corporate responsibilities of management and audit committees
√ Financial disclosures
√ Independence of auditors and audit committees
√ Oversight of public companies and auditors
Enacted July 30, 2002
SOX – Key Provisions
A. Creation of PCAOB
B. Requirements for senior financial officers to certify SEC filings and report on internal controls
C. New Standards for audit committee and auditor independence
D. Enhance financial disclosure requirements
E. Protection for corporate whistleblowers
F. Enhanced penalties for white-collar crime
A. Creation of PCAOB
Private, non-profit corporation, funded by:
  Accounting Support Fees charged to issuers
  Registration & Annual Fees paid by public accounting firms
SEC appoints Board members and exercises oversight and enforcement authority over it
Responsibilities:
  Register public accounting firms that audit publicly traded companies (mandatory; includes foreign accounting firms who audit companies listed on an American stock exchange).
  Establish or adopt auditing, quality control, ethics, independence, and other standards relating to audits of publicly traded companies.
  Inspect registered public accounting firms (annual for firms with more than 100 public company audits; every three years for others).
  Investigate registered public accounting firms and their employees, conduct disciplinary hearings, and impose sanctions where justified.
  Other as necessary and to enforce compliance with Sarbanes-Oxley Act.
Question - Can the PCAOB issue accounting standards?
EXERCISE
Go to the PCAOB website (http://www.pcaob.com/), locate a recent inspection report and consider the following:
What parts of the report are public vs. non-public?
When do the non-public parts become public?
Peruse the report:
  What are some of the key functional areas (and their respective objectives) reviewed by the PCAOB?
  Identify 3 findings/deficiencies that surprised you most
  Does it contain a letter of response from the firm? How would you characterize the tone of that letter?
B. Requirements for senior financial officers to certify SEC filings and report on Internal Controls
CEO and CFO must personally certify annual and quarterly SEC filings, and may not delegate this responsibility to subordinates and then claim ignorance when fraud is uncovered.
2 separate certifications:
  Section 302
  Section 906
Annual report on internal controls over financial reporting – section 404 (discussed later on in detail)
Exercise
Select a company, go to Edgar (http://www.sec.gov/edgar.shtml), and find the certification(s):
  With 10K and/or 10Q?
  Are 302 and 906 separate?
  What are they certifying?
B. Requirements for senior financial officers to certify SEC filings and report on Internal Controls
Section 302—CEO and CFO must personally certify the following:
  They have personally reviewed the report.
  Based on their knowledge, the report does not contain any material misstatements or omit any material facts.
  Based on their knowledge, the financial information fairly represents in all material respects the financial condition, results of operations, and cash flows for the company.
  They are responsible for designing, maintaining, and evaluating the company’s disclosure controls & internal controls over financial reporting, they have evaluated the controls as of period end, and they have presented their conclusions about the effectiveness of those controls in the report.
  They have disclosed to the (external) auditors and the audit committee:
    all significant deficiencies and identified any material weaknesses in the internal control over financial reporting and
    any fraud, whether material or not, that involves management or other employees who have a significant role in the company’s internal control over financial reporting.
  They have indicated in their report whether there have been significant changes in the company’s internal controls since the filing of their last report.
Required for all periodic reports, even if they don’t contain financial statements
B. Requirements for senior financial officers to certify SEC filings and report on Internal Controls
Section 906—“Criminal certifications.”
To accompany reports that contain financial statements
Certification indicates that report fully complies with SEC’s requirements in that it fairly represents, in all material respects, the financial condition and result of operations for the company.
Penalties: Corporate officers who
  Knowingly violate the certification requirements are subject to up to a $1,000,000 fine and up to 10 years’ imprisonment, or both.
  Willfully violate the certification requirements are subject to up to a $5,000,000 fine and up to 20 years’ imprisonment, or both.
Both the 302 & 906 certifications must be in prescribed format (except for certifications accompanying amended filings – would cover only information in the amendment)
B. Requirements for senior financial officers to certify SEC filings and report on Internal Controls
Section 404 requires that:
A. Management report on their internal controls over financial reporting in their annual report
B. External auditors issue their opinion on the company’s internal controls
Exemptions to Part B (JOBS Act of 2012):
  All companies with market capitalization <$700 million
  Start-up companies – for the first 5 years (or until their market capitalization reaches $700 million)
C. Section 301--Audit Committee
Section 301—Audit committee responsible for appointing, compensating and overseeing work of external auditors.
Act also mandates auditors to report to audit committee—not management—and makes it responsibility of audit committee to resolve disputes between management and auditors.
Establish whistle blowing structure—Must establish procedures (e.g., a hotline) for receiving and dealing with complaints and anonymous employee tips regarding irregularities in the company’s accounting methods, internal control, or auditing matters.
C. Section 301--Audit Committee (ctd)
Composition of audit committee:
  Each member must be “independent”
    Cannot be paid for any other consulting or advisory work.
  Must include at least one Financial Expert
    Typically refers to individuals with several years of experience as auditors, CFOs, controllers and/or CEOs.
A review of one company’s audit committee charter: http://www.microsoft.com/about/companyinformation/corporategovernance/committees/audit.mspx
Section 303
Section 303—Unlawful for any officer or director of a public company to fraudulently influence, coerce, manipulate, or mislead CPA in performance of audit for the purpose of rendering such financial statements materially misleading
Note--This is important, as subsequently the SEC operationalized it quite broadly.
SEC Implementation of 303
This applies not only to officers and directors, but also “any other person acting under the direction of” those individuals
As indicated, the SEC interprets this “direction of” very broadly--it may include, for example:
  Other lower level employees not necessarily under supervision of that particular employee
  Customers or vendors who enter into side agreements and do not report them to auditor or who misstate confirmations
  Other CPA firm personnel (e.g., consultants), attorneys, securities professionals, etc.
SEC Implementation of 303
SEC examples of improper influence on auditor:
  Bribes, other financial incentives, offering future employment
  Providing auditor inaccurate or misleading legal analysis
  Threatening to cancel non-audit or audit engagements if the auditor objects to the issuer’s accounting
  Seeking to have a partner removed because the partner objects to the issuer’s accounting
  Blackmailing
  Physical threats
How independent were the auditors, anyway?
Audit Fees
  Range: $121,000 to $48,000,000
  Mean: $2,175,724
  Median: $1,059,000
  As a percent of revenues:
    Company sales                % of Sales
    <$2 Billion                  .0473
    $10 Billion to 15 Billion    .0305
    >$30,000,000                 .0155
NonAudit Services Fees
  Mean: 2.7 times the audit fee
  73% nonaudit fees
  27% audit fees
  Range: 0 to 32.33 times audit fee
IT NonAudit Services
  126 of the 563 purchased
  Highest = $46,800,000
2001 SEC Study of Audit Fees and NonAudit Fees—563 of Fortune 1000
C. New standards for auditor independence
Section 201 prohibits the following:
  Bookkeeping or other services related to the accounting controls or financial statements of the audit client.
  Financial information systems design and implementation.
  Appraisal or valuation services (e.g., pension, post-employment benefit liabilities)
  Actuarial services.
  Internal audit outsourcing.
  Management functions or human resources.
  Providing various investment services.
  Legal services.
  Any other service the PCAOB prescribes.
C. New standards for auditor independence
Section 202—Other nonaudit services must generally be pre-approved by the audit committee.
Section 203—requires CPA firms to rotate lead audit partner and partner responsible for reviewing audit:
  lead audit partner every 5 years (5 on, 5 off);
  quality review partner to rotate 7-2-7;
  Note: Firm rotation not required
Section 204—Audit firm reports to audit committee:
  All critical accounting policies and practices to be used.
  Alternative treatments that have been discussed with management, ramifications of their use, and the treatment preferred by the CPA firm
  Other material written communications between the CPA firm and management, such as any management letter or schedule of unadjusted earnings.
C. New standards for auditor independence
Section 205—pass--definitional issues
Section 206—unlawful for CPA firm to audit company if, within prior year, the client’s CEO, CFO, controller or chief accounting officer worked with CPA firm and participated in company’s audit.
Section 207—Comptroller General of US (Head of GAO) to conduct a study of mandatory rotation of firms
D. Enhance financial disclosure requirements
Off-Balance Sheet transactions—must be disclosed
Pro Forma Financial Information—SEC issued Reg. G requiring reconciliation of pro forma financial statements to GAAP-based statements.
Prohibitions on personal loans to executives (Note: Tyco & Adelphia Communications CEOs looted their respective companies via undisclosed loans from the company that were never intended to be repaid)
Restrictions on insider trading - most transactions by insiders must be filed electronically with the SEC within 2 business days; also, companies must post this on their website by the end of the business day & disclose violators in their annual statements:
  Review a company’s filing on the SEC’s Edgar website (http://www.sec.gov/edgar/searchedgar/companysearch.html); was the filing timely?
D. Enhance financial disclosure requirements (continued)
Section 406—Code of ethics for senior financial officers
  Must disclose whether they have one, and if not, why
  Must disclose publicly when changes to it or waivers from it are made. 10K, item 10
Section 408—SEC enhanced review of periodic filings – at least every 3 years
Section 409—Must disclose material changes in financial conditions or operations in “plain English”
SEC is studying feasibility of real-time disclosure; towards that end:
  10K & 10Q deadlines shortened for “Accelerated Filers”:
    Large Accelerated Filers (with public float >= $700 million):
      10K - 60 days for reports filed in 2006 and thereafter
      10Q - 40 days for reports filed in 2006 and thereafter
    Accelerated Filers (with public float >$75 million but <$700 million):
      10K - 75 days for reports filed in 2006 and thereafter
      10Q - 40 days for reports filed in 2006 and thereafter
  8Ks to be filed within 4 days of occurrence of significant event - 8K triggering events increased from 12 to 22 (see blank form at http://www.sec.gov/about/forms/sec873.pdf)
The Case for Employee hotlines
E. Protection for corporate whistleblowers
Section 806—Civil liability for companies that retaliate against whistleblowers
  It is unlawful to fire, demote, suspend, threaten, harass, or in any other manner discriminate against an employee for providing information or aiding in an investigation of securities fraud.
News item - Judge Orders Reinstatement for First Sarbanes-Oxley Whistleblower
E. Protection for corporate whistleblowers
Section 1107—Criminal liability for companies that knowingly, with intention to retaliate, take any harmful action against a person for providing truthful information relating to the commission or possible commission of any federal offense.
  Covers all individuals regardless of where they work (i.e., not just publicly traded companies)
  Punishments include fines up to $250,000 and up to 10 years in prison.
F. Enhanced penalties for white-collar crime
Attempt and conspiracy—“attempt” and “conspiracy to commit” have same penalties as offense itself.
Mail fraud and wire fraud—Maximum jail term changes from 5 to 20 years.
Securities fraud—Section 807 makes securities fraud a crime with fines up to $250,000 and up to 25 years in prison (note: Bernie Ebbers, age 63, of WorldCom was sentenced to 25 years in July 2005)
Document destruction—Section 802 makes destroying evidence to obstruct an investigation illegal and punishable by a fine up to $250,000 and 20 years in prison.
F. Enhanced penalties for white-collar crime
In general working papers must be kept 7 years.
Section 1102 makes it a criminal offense to corruptly alter, destroy, mutilate or conceal a record or document with intent to impair its integrity or use in an official proceeding.
Freezing of assets—SEC can petition a federal court to issue a 45 day freeze on “extraordinary payments” to officers, directors, partners, agents, controlling persons or employees (e.g., Gemstar’s severance payments to former CEO & CFO were recently frozen while the company is under investigation).
There are also penalties addressing the freezing of assets of those accused, modifications of bankruptcy code rules, and disgorgements of bonuses under various circumstances.
Sarbanes-Oxley Act of 2002: Implications
Accounting Reform – SOX Implications
End of the self-regulation era for accountants
Audit firms spun off their consulting branches and returned to their roots – audit & tax
Several companies purchasing audit and tax from separate firms (though not required, done to enhance the appearance of independence)
Partner rotation requirement reduces partner dependency on specific clients for their livelihood
Board of directors will be kept more in the loop with direct communications from auditors (e.g., AA would have had to inform audit committee about Enron’s Special Purpose Entities set up to move debt off balance sheet)
One-year cooling off period for future employment may practically translate to 2 years
Audit Firms disciplined:
  EY given 6-month ban in 2004 in connection with Computer Associates independence issues
  In September 2005, KPMG put on a 9-month probationary period in connection with the abusive tax shelters they aggressively marketed; former SEC chief Richard Breeden to oversee probation
Corporate Responsibility & Governance – SOX Implications
Federal influence over corporate governance (traditionally been in the State’s domain)
Audit committees are now entirely independent and very powerful
A large number of CEOs have either resigned or been forced out by audit committees
Directors are spending 50% more time now than before
Greater responsibilities generally translate to greater liabilities for audit committee members
Greater personal legal liability on CEOs & CFOs; since SOX, some executives have resigned rather than sign off on financial statements or internal controls
Corporate Responsibility & Governance – SOX Implications
Corporate officials less aggressive in their confrontations with auditors
CEOs & CFOs (only) to reimburse any bonus, incentive-based compensation & trading profits received during the 12 months after misleading financial statements were issued
Mere “unfitness” sufficient for SEC to bar individuals from ever serving as directors or officers of public companies
Directors and executive officers prohibited from trading in company securities during pension plan blackout period; disgorgement of all profit realized in violation of this rule
Other SOX Implications
Section 404 has greatly enhanced the cost of being a public company, though most of the increase could be attributed to first-year implementation
Many companies have reported significant cost savings because new controls revealed inefficiencies or frauds that were previously undetectable
Retired CFOs and auditors have become hot tickets for board of director positions
8K filings expected to increase from an annual average of 80,000 to 140,000
SOX 404 IMPACT
Percentage of adverse Section 404 auditor attestations declined every year from 2004 through 2009:
  2004 – 16.9%
  2005 – 10.3%
  2006 – 9.1%
  2007 – 7.7%
  2008 – 5%
  2009 – 2.8%
For companies who are exempt from auditor attestations (only management assessment required), the percentage of adverse assessments regarding internal controls was 28%
“Segregation of Duties” problems were found in 23.9% of the adverse filings in 2004, but only 11% of adverse filings in 2009.
Source: Audit Analytics, a Sutton, MA, consulting and research firm