Sarbanes-Oxley Overview
Sarbanes-Oxley Act Summary

The Sarbanes-Oxley Act of 2002:
- §201 Prohibited Non-Audit Services
- §202 Audit Committee Pre-Approval
- §203 Audit Partner Rotation
- §204 Auditor Reports to Audit Committee
- §206 Auditor Conflicts of Interest
- §301 Independent Audit Committee
- §302 Certification of Periodic Reports
- §303 Improper Influence on Conduct of Audits
- §306 Pension Fund Black-Out Restrictions
- §307 Conduct of Attorneys
- §401 Disclosure of Off-Balance Sheet Transactions
- §401 Disclosure of Pro-Forma Financial Information
- §401 Disclosure of Material Correcting Adjustments
- §402 Prohibition on Loans to Directors and Executives
- §403 Insider Transactions – 2 Day Reporting
- §404 Management Report on Internal Controls
- §406 Code of Ethics Disclosure for Financial Officers
- §407 Financial Expert Disclosure Requirements
- §409 Real-Time Disclosure
- §806, §1107 Employee Whistleblower Protection
- §906 Criminal Certification of Periodic Reports
- Titles VIII, IX, XI Fraud Accountability, White-Collar Penalty
Sarbanes-Oxley Background

- US Congress approval Jan 23 '02. Enacted July 30 '02.
- Underlying objective: protect investors and improve the accuracy and reliability of corporate disclosures.
- New standards for corporate accountability and penalties for wrongdoing.
- Applies primarily to companies filing annual reports with the SEC.

Major Provisions
- Creates a new Public Company Accounting Oversight Board (PCAOB) for external auditors. (Section , )
- Expands reporting requirements and accountabilities: requires CEO and CFO attestations and the filing of an internal control report with the annual report. (Section 302)
- Requires external auditors to attest to and report on management's assessment in the internal controls report. (Section 404)
- Mandates independent audit committees and the disclosure of a "financial expert" on the audit committee. (Sections 301 & 407)
- Requires disclosures regarding a code of ethics. (Section 406)
- Increases civil and criminal penalties. (Section )

Bodies Governing the Act: PCAOB & SEC

Accounting scandals behind the law and regulation (diagram): Xerox, Qwest, Tyco, WorldCom and Enron, involving improper revenue booking, off-balance-sheet entities and improper capitalization.
Sec 404 of the Sarbanes-Oxley Act

Sec 404 of this act establishes the following:
- Responsibility of management for establishing and maintaining an adequate internal control structure and procedures over financial reporting.
- Responsibility of management to disclose to shareholders the effectiveness of the internal control structure and procedures.

Documentation and testing must include the following steps:
- Evaluate whether the control is preventive or detective.
- Document that tests were planned and performed.
- Disclose material weaknesses.
- Identify the internal control framework used.
- State that the external accounting firm has issued an attestation report.

External Auditor Opinion
- Opinion 1: Management's assessment of internal control over financial reporting.
- Opinion 2: Effectiveness of internal control over financial reporting.

The Company Annual Report (on Form 10-K) is then filed.
Key Impacts

Company Board of Directors & Senior Officers; Corporate & Criminal Fraud Accountability; Account Owner (Financial Disclosures):
- Real-time disclosures of financial statements as per US GAAP.
- Internal control report, duly attested by external auditors, included in 10-K filings.
- Disclosure of all off-balance-sheet transactions and contractual obligations.
- Adoption of a code of ethics for senior finance officers.
- Prohibition of credit or personal loans to directors/CEO.
- Certification of financial statements to be included in 10-K and 10-Q filings.
- Potential forfeiture of bonuses and profits due to financial statement restatement.
- Unlawful to exert improper influence upon an audit.
- Disclosure of changes in securities ownership of directors.

Related to Audit Committees:
- Appoint a financial expert on the committee and disclose in 10-K filings.
- Members must be independent of the company.
- Directly responsible for auditor appointment.
- One-year lag for hiring an audit team member onto the board.
- Disclose pre-approvals for audit and non-audit services.
- Establish complaint procedures for accounting and auditing matters.
- Disclosure of fees paid to auditors in the two fiscal years.
Sarbanes-Oxley Section 404 Approach
SOX Process Flow

(Flow diagram; only its node labels survive extraction.) Process; Risk; Control (Preventive / Detective; Key / Compensating); control assessment outcomes: Highly Effective, Effective, Ineffective; gap types: No Control, Operation Gap, Design Gap; findings: Potential Significant Deficiency, Material Weakness; Action plan to mitigate risk; Reported to Audit Committee; Reported to Shareholders.
Preventive & Detective Controls

Preventive Controls
- Detect problems before they arise.
- Prevent an error or omission from occurring.
- Examples:
  1. Control access to physical facilities.
  2. Use encryption software to prevent unauthorized disclosure of data.

Detective Controls
- Detect and report the occurrence of an error or omission.
- Examples:
  1. Internal audit functions.
  2. Review of activity logs to detect unauthorized access attempts.
Benefits of Internal Control
- Complies with rules and regulations.
- Promotes reliability and integrity of financial reporting.
- Monitors results.
- Safeguards assets.
- Utilizes resources effectively and efficiently.
Approach to SOX

Identify processes that are SOX significant, then conduct a Process Risk Self Assessment (PRSA):
- Step 1: The PRSA team works with management to document and assess the risks in their business.
- Step 2: Controls for each significant risk are documented.
- Step 3: Key controls are identified, and test plans are developed and executed. The control operator makes an assertion as to the effectiveness of each key control.
- Step 4: Action plans are developed for missing, poorly designed, or ineffective controls.
- Step 5: The process owner certifies the effectiveness of the collective controls and the adequacy of the internal controls of the process.
What is Process Risk Self Assessment (PRSA)?
- A robust approach that supports ongoing self-assessment by process owners.
- A methodology for focusing on significant risks and key controls.
- PRSA will improve risk management and reduce loss, provide an automated single solution to meeting multiple regulatory requirements (Sarbanes-Oxley, Basle), strengthen customer relationships and improve shareholder value.
- Most importantly, PRSA provides senior leaders the evidence to support their internal control assessment/report.
Implications of Control Effectiveness

Based on the results of testing, the control operator will assert the effectiveness of the control as follows:

Highly Effective
- Applies only to fully automated controls.
- Efficient use of internal resources.
- No exception in testing.

Effective
- Applies to controls other than fully automated controls.
- No exception in testing.

Not Effective
- Insufficient documentation to support management's certification.
- Exception detected in testing.
SOX Roles & Responsibilities
- SOX Champion: serves as the liaison between the process owners and the SOX 404 Project Office.
- Process Owner: responsible for concluding whether or not their process has effective internal controls over financial reporting.
- Tester: executes the test plan and communicates the test results to the control operator/process owner.
- SOX Project Office: supports the SOX effort through guidance documents, help, etc.
- Internal Auditor: provides an objective assessment of the PRSA process.
- External Auditor: gives an opinion on the effectiveness of management's assessment of internal control over financial reporting.