sox report

Upload: suyash-sinha

Post on 04-Apr-2018


  • 7/30/2019 SOX report

    1/6

    www.interalliancegroup.com

    InterAlliance Group Services

    www.interalliancegroup.com

    Sarbanes Oxley (SOX) Act

    An effective step towards Corporate Governance

    A report on Sarbanes Oxley Act and its impact on Indian Outsourcing Industry

    Research by: Palak Sharma & Rohit Adlakha - Law Students, Panjab University, Chandigarh, INDIA, under the guidance of Nitin Kumar, Sr. Consultant, InterAlliance Group Services

    Apr 2011

    Issue 43


    SOX Act came into force in 2002 with an aim to protect investors and to introduce improvements in Corporate Governance.

    SARBANES OXLEY ACT

    The legislation came into force in 2002 as a step to curb fraudulent events and introduced stringent new rules with the stated objective: "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws".

    Sarbanes Oxley introduced major changes to the regulation of financial practice and corporate governance in the US. Named after Senator Paul Sarbanes and Representative Michael Oxley, who were its main architects, it also sets a number of deadlines for compliance. The Sarbanes-Oxley Act is arranged into eleven titles. As far as compliance is concerned, the most important sections within these are often considered to be 302, 401, 404, 409, 802 and 906.

    The Sarbanes Oxley Act introduced a number of deadlines, the prime ones being:

      • Most public companies must meet the financial reporting and certification mandates for any end of year financial statements filed after November 15th 2004 (amended from June 15th).

      • Smaller companies and foreign companies must meet these mandates for any statements filed after 15th July 2005 (amended from April 15th).

    The Sarbanes-Oxley Act was enacted with the intention of gaining the confidence of the public with respect to corporate financial statements. Prior to the enactment of this Act, investors suffered losses due to corporate failures brought about by the wrongful conduct of the public officials. This Act has been specifically introduced to address the issues of accounting fraud, with the objective of accuracy and reliability of corporate disclosures. The Act was a direct consequence of public revulsion at a series of financial scandals that led to the abrupt failure of large firms in the US. Some companies which had not been in the limelight were engaged in massive accounting frauds, to such an extent that they counteracted the antifraud and mandatory disclosure provisions of federal securities laws. Blame for these incidents was directed at the accounting profession, auditors etc.

    The record revealed that the revenues that auditors generated from consulting services from the firms they were auditing exceeded those generated from conducting the audit. This immediately raised the question regarding the loss of independence on the part of the auditors. In this chaotic environment, SOX was engendered. It was conceived in controversy and has remained combative.

    Proponents of SOX believe that it was necessary to restore public faith in published financial statements by assuring that accounting records were accurate and could be relied upon. There was a growing perception among the investing public that most of the scandals could have been prevented had there been a governmental agency responsible for monitoring and preventing such accounting irregularities.


    Opponents argued that SOX would be prejudicial to the economy; that the burden would fall too heavily on smaller public firms; that the costs of implementing SOX with all its requirements would far exceed the benefits gained. The fact that there was a spike in the number of public companies that were privately sold, that relocated outside the US and relisted themselves on foreign exchanges lends some credence to the opposing view.

    The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, it also affects the IT departments whose job it is to store a corporation's electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for "not less than five years." The consequences for non-compliance are fines, imprisonment, or both.

    Basic Objective of US Securities Act 1933

    Often referred to as the "truth in securities" law, the Securities Act of 1933 has two basic objectives:

      • require that investors receive financial and other significant information concerning securities being offered for public sale; and

      • prohibit deceit, misrepresentations, and other fraud in the sale of securities.

    A primary means of accomplishing these goals is the disclosure of important financial information through the registration of securities. This information enables investors, not the government, to make informed judgments about whether to purchase a company's securities. While the SEC requires that the information provided be accurate, it does not guarantee it. Investors who purchase securities and suffer losses have important recovery rights if they can prove that there was incomplete or inaccurate disclosure of important information.

    US Securities Act 1933


    SARBANES OXLEY ACT & INDIA

    The legislation came into force in 2002 as a step to curb fraudulent events. SOX, which is applicable to all publicly registered companies under the jurisdiction of the Securities and Exchange Commission, is a far-reaching legislation, effecting significant changes to laws concerning directors and reporting obligations of public companies and mandating new regulations to prevent securities fraud and other abuses. The US SOX Act came into force on account of the collapse of corporate giants like Enron, WorldCom, Tyco, Qwest, Global Crossing and the Xerox fiasco. The reasons for the collapse were the failure on the part of the auditors and willful neglect of duties by the board of directors. The thrust of corporate India has also been to prevent malpractices and restore the confidence of the investors. This Act looks at the implications that usually arise in India in case of Companies, Audit Profession and the BPO Industry.

    Some of the key sections of SOX related to Audit and Financial Reporting are the following:

    Sections 101-109 of the Act have established a new body, the Public Company Accounting Oversight Board (PCAOB), to oversee the auditing of public companies. All accounting firms that audit the financial statements of the Securities Exchange Act of 1934 (1934 Act) Reporting Issuers (Issuers of Securities who are mandated to report under the 1934 Act) must register with and provide periodic reports to the Board. Registered accounting firms are subject to Board-adopted audit, quality control and ethics standards, periodic inspections and possible disciplinary proceedings. Section 106 of the Act specifically provides that it will apply to any foreign public accounting firm (Indian Audit Firm) that prepares or furnishes an audit report with respect to any 1934 Act Reporting Issuer. The Board is also given the authority to determine, by rule, that a foreign accounting firm that does not issue an audit report for a 1934 Act Reporting Issuer may nonetheless play such a substantial role in an audit that it is appropriate that such firm should be subject to the Board's authority.

    Section 302 (Corporate Responsibility for Financial Reports) directs the Securities and Exchange Commission to adopt rules requiring the principal executive officer and the principal financial officer (or equivalent) of 1934 Act Reporting Issuers to provide certifications in each annual and quarterly report filed or submitted under the 1934 Act. The certification relates to the content of the report, internal controls of the issuer and disclosure to the audit committee.

    Section 404 - As directed by Section 404 of the Sarbanes Oxley Act of 2002, the Securities and Exchange Commission (SEC) adopted rules regarding internal controls at public companies in May 2003. Section 404 also requires that a company's independent auditors attest to and report on management's controls assessments, following standards established by the PCAOB.


    US SEC rules

    Under the SEC rules, management's annual internal-control report must contain:

      • A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company.

      • A statement identifying management's framework for evaluating the effectiveness of internal controls.

      • Management's assessment of the effectiveness of internal controls as of the end of the company's most recent fiscal year.

      • A statement that the company's auditor has issued an attestation report on management's assessment.

    Internal controls, according to the new rule, include assurances of accurate records maintenance, as well as financial reporting that complies with generally accepted accounting principles. The rule also stipulates that managers and directors sign off on receipts and payouts, and that publicly traded companies maintain adequate systems to prevent or detect unauthorized material transactions. Management must disclose any material weakness in a company's internal-controls structure. If material weaknesses exist, senior executives will be unable to conclude that the company's internal control over financial reporting is effective, according to the Securities and Exchange Commission.

    SOX and Indian BPO Industry

    India has seen huge growth as Finance, Accounting, Payroll, Accounts Payable and other financial processes move to India from US business houses. It is imperative that Indian BPO companies have a strong framework of Internal Controls and are transparent to their clients. Well-defined processes, proper documentation etc. will be of paramount importance in view of the Sarbanes Oxley Act, 2002. Service organisations receive significant value from having a Statement on Auditing Standards (SAS) No. 70 engagement performed.

    A Service Auditor's Report with an unqualified opinion that is issued by an Independent Accounting Firm differentiates the service organisation from its peers by demonstrating the establishment of effectively designed control objectives and control activities. Without a current Service Auditor's Report, a service organisation may have to entertain multiple audit requests from its customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organisation's resources. A Service Auditor's Report ensures that all user organisations and their auditors have access to the same information, and in many cases this will satisfy the user auditor's requirements. SAS 70 engagements are generally performed by control-oriented professionals who have experience in accounting, auditing, and information security.

    A Statement on Auditing Standards (SAS) 70 engagement allows a service organisation to have its control policies and procedures evaluated and tested (in the case of a Type II engagement) by an independent party. Very often this process results in the identification of opportunities for improvements in many operational areas.


    Factors to be considered by management when a service organisation outsources certain functions to another service organisation:

    In what is becoming a popular business model for BPOs in India, an interesting situation could come up when a US corporate uses a service organisation (Indian Company) that in turn uses another service organisation (a sub service organisation) to perform the work. In such a scenario the Management of the User organisation needs to consider controls at the sub service organisation.

    In addition to that, the following also need to be considered:

      • The nature and materiality of the transactions processed by the sub service organisation

      • The contribution of the sub service organisation's processes in the achievement of the user organisation's information processing objectives

      • The availability of a sub service organisation's SAS 70 report

    Because a user organisation typically does not have any contractual relationship with the sub service organisation, a user organisation should obtain available reports and information about the sub service organisation from the service organisation.

    SAS OVERVIEW

    Statement on Auditing Standards (SAS) No. 70, for Service Organisations, is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS 70 audit or service auditor's examination is widely recognised, because it represents that a service organisation has been through an in-depth audit of their control activities, which generally include controls over information technology and related processes. In today's global economy, service organisations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on effective internal controls at service organisations.

    SAS No. 70 is the authoritative guidance that allows service organisations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. A SAS 70 examination signifies that a service organisation has had its control objectives and control activities examined by an independent accounting and auditing firm. A formal report including the auditor's opinion (Service Auditor's Report) is issued to the service organisation at the conclusion of a SAS 70 examination. SAS 70 provides guidance to enable an independent auditor (service auditor) to issue an opinion on a service organisation's description of controls through a Service Auditor's Report. SAS 70 is not a pre-determined set of control objectives or control activities that service organisations must achieve. Service auditors are required to follow the AICPA's standards for fieldwork, quality control, and reporting. A SAS 70 examination is not a checklist audit.

    SAS No. 70 is generally applicable when an auditor (user auditor) is auditing the financial statements of an entity (user organisation) that obtains services from another organisation (service organisation). Service organisations that provide such services could be application service providers, bank trust departments, claims processing centers, Internet data centers, or other data processing service bureaus.

    SOX and Indian Audit Firms

    Assignments to conduct a SAS 70 certification can prove to be a new area of work. Management of US companies could rely on SAS 70 certification by non-US audit firms as long as the reports are issued under other standards that follow the criteria of SAS 70. Management would also need to evaluate the competency and qualifications of the auditor performing the examination. The Indian Audit profession is widely appreciated around the world for its high standards. Managements of US companies should not have any issues with accepting SAS 70 certifications by Indian Audit firms.