1
Sarbanes Oxley Act (Sox) Corporate and Auditing Accountability, Responsibility and Transparency Act of 2002 Rick Stephan Hayes, Ph.D., CPA California State University at Los Angeles
2
Reasons for New Legislation
3
Objectives In response to the Arthur Andersen, Enron and WorldCom debacle, the Sarbanes-Oxley Act seeks to: Restore the public confidence in both public accounting and publicly traded securities Assure ethical business practices through heightened levels of executive awareness and accountability
4
Congressional Votes Sarbanes-Oxley Act Yes 522 No 3 Not voting 9
Legalizing Marijuana** Yes No Not voting **House of Representatives only Securities Litigation Reform Act Yes No Not voting Authorizing Force against Iraq Yes No Not voting Sarbanes-Oxley Act Yes 522 No Not voting 9 Just to show you how convinced the American Congress was about the Act – have a look at these voting results.
5
Criminal Penalties Escaping from prison 1 to 2 years Kidnapping involving ransom 3 to 5 years Second degree murder 11 to 14 years Air piracy to 25 years And the severity of these criminal penalties. Sarbanes-Oxley Certification to 20 years
6
The Sarbanes-Oxley Act An Overview
So let’s now have a look at some of the background of the Act
7
SOX: Who is affected and how?
Executives: Responsibility for financial reporting and keeping the markets informed Certifications: “Disclosure controls & procedures” “Internal controls for financial reporting” “CEO/CFO’s written statement on fairness” Implement Code of Ethics and whistleblower procedure Supervisory Board: Enhanced oversight Appointment of a “financial expert” Auditors: Independence Attestation on internal controls Definition of “internal control over financial reporting”: Encompasses subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives Including controls over safeguarding assets
8
Establishes audit governing board………
Titles of the Act Public Company Accounting Oversight Board Auditor Independence Corporate Responsibility Enhanced Financial Disclosures Analyst Conflicts of Interest Commission Resources and Authority Studies and Reports Corporate and Criminal Fraud Accountability White Collar Crime Penalty Corporate Tax Returns Corporate Fraud and Accountability Establishes audit governing board……… I PCAOB: must establish rules or adopt standards requiring auditing and related attestation standards
9
TITLE I – PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD
Creation of the Public Company Oversight Board (the Board) Created as a non-profit organization, the 5 member Board oversees audits of public companies; it is under the authority of the SEC but above other professional accounting organizations such as the AICPA
10
General Provisions of SOx
PCAOB To make rules governing audits of public companies PCAOB To oversee audits and audit firms PCAOB independent of Federal Government PCAOB Self-funded through fees assessed on CPA firms and publicly traded companies Regulations not applicable to Not For Profit or some foreign listed companies
11
PCAOB Governing Members
Five Members, three of whom must NOT be CPAs If the chair is a CPA, that person must be out of the business of auditing for the prior 5 years
12
PCAOB’s Duties Write audit standards, temporarily they have adopted the AICPA’s Register public CPA firms to do audits Set Quality Control standards for audits Do peer reviews of CPA firms – at least every three years Investigate and discipline Set Continuing Professional Education requirements for auditors Review company disclosures and financial statements at least every three years
13
PCAOB’s Audit Standards
PCAOB has passed 15 audit standards as of December 2010. They also enforce as “temporary standards” the existing audit standards by the Audit Standards Board called Statements of Audit Standards (SAS) Not in Book AUDIT STANDARD NO 1 Auditing Standard No. 1, References in Auditors' Reports to the Standards of the Public Company Accounting Oversight Board. This standard requires registered public accounting firms to include in their reports on engagements performed pursuant to the Board's auditing and related professional practice standards, including audits and reviews of financial statements, a reference to the standards of the Public Company Accounting Oversight Board (United States). AUDIT STANDARD NO 2 AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING PERFORMED IN CONJUNCTION WITH AN AUDIT OF FINANCIAL STATEMENTS The Sarbanes-Oxley Act, in Section 404, requires company management to assess and report on the company's internal control. It also requires a company's independent, outside auditors to issue an "attestation" to management's assessment – in other words, to provide shareholders and the public at large with an independent reason to rely on management's description of the company's internal control over financial reporting. Throughout Auditing Standard No. 2, the auditor's attestation of management's assessment of the effectiveness of internal control is referred to as the audit of internal control over financial reporting. The Board decided that these audits should be integrated because the objectives of, and work involved in performing, an audit of internal control over financial reporting and an audit of the financial statements are closely related. Furthermore, Section 404(b) of the Sarbanes-Oxley Act provides that the auditor's attestation of management's assessment of internal control shall not be the subject of a separate engagement. 
AUDIT STANDARD NO 3 AUDIT DOCUMENTATION AND AMENDMENT TO INTERIM AUDITING STANDARDS Section 103(a)(2)(A)(i) of the Act expressly directs the Board to establish auditing standards that require registered public accounting firms to prepare and maintain, for at least seven years, audit documentation "in sufficient detail to support the conclusions reached" in the auditor's report. Audit documentation is one of only a few topics that the Act expressly requires the Board to adopt standards. Proposed Auditing Standard No. 4, Reporting on Whether a Previously Reported Material Weakness Continues to Exist Auditing Standard No. 4 establishes requirements that apply when an auditor is engaged to report on whether a previously reported material weakness in internal control over financial reporting continues to exist AS 5 AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS supersede its Auditing Standard No. 2. The PCAOB is also proposing a related auditing standard, Considering and Using the Work of Others in an Audit, an independence rule relating to the auditor's provision of internal control-related non-audit services, and certain amendments to its interim standards.
14
PCAOB’s Audit Standards (Not in Text)
AS No. 1: References in Auditors’ Reports to the Standards of the Public Company Accounting Oversight Board AS No. 3: Audit Documentation AS No. 4: Reporting on Whether a Previously Reported Material Weakness Continues to Exist AS No. 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements AS No. 6: Evaluating Consistency of Financial Statements AS No. 7: Engagement Quality Review
15
PCAOB’s Audit Standards (Not in Text)
AS No. 8: Audit Risk AS No. 9: Audit Planning AS No. 10: Supervision of the Audit Engagement AS No. 11: Consideration of Materiality in Planning and Performing an Audit AS No. 12: Identifying and Assessing Risks of Material Misstatement AS No. 13: The Auditor's Responses to the Risks of Material Misstatement AS No. 14: Evaluating Audit Results AS No. 15: Audit Evidence
16
TITLE II – AUDITOR INDEPENDENCE
Can’t do other types of work for clients, including: Bookkeeping Systems design Valuation services Actuarial services Internal audit Management functions Other work needs pre-approval by audit committee Can’t do audit if CEO, CFO from their firm, 1 year wait period
17
TITLE II (cont.) A conflict of interest arises and a Registered Public Accounting Firm (RPAF) may not perform audit services for any issuer employing – in the capacity of CEO, controller, CFO or any other equivalent title – a former audit engagement team member – there is a “cooling-off period” for one year i.e., an employee of an RPAF who works on an audit of an issuer may not turn around and directly go to work for that issuer – they must wait one year
18
Provisions for Audit firms
Maintain audit papers for 7 years Managing Partner rotation every 5 yrs. Second partner rotation every 5 yrs. Audit manager rotation every 7 years Reports to audit committee All material deficiency findings Disclose fees for all types of services in proxy statement Review disclosures of firm Attest to Internal Control of firm
19
CPAs Report to Audit Committee
All critical accounting policies Alternate treatments Internal Control findings Engagement letter Independence letter Management representation letter Material weaknesses
20
SOx requires every public accounting firm to use quality control policies relating to
(i) monitoring of professional ethics and independence from entities on which the firm issues audit reports; (ii) consultation within the firm on accounting and auditing questions; (iii) supervision of audit work; (iv) hiring, professional development, and advancement of personnel; (v) the acceptance and continuation of audit engagements; (vi) internal inspection Page 428 The Sarbanes-Oxley Act [i] (SOx) requires that every registered public accounting firm auditing publicly traded companies include in their quality control policies standards relating to (i) monitoring of professional ethics and independence from issuers on behalf of which the firm issues audit reports; (ii) consultation within such firm on accounting and auditing questions; (iii) supervision of audit work; (iv) hiring, professional development, and advancement of personnel; (v) the acceptance and continuation of audit engagements; (vi) internal inspection; and (vii) such other requirements as the Public Company Accounting Oversight Board (PCAOB) may prescribe. [i] 107th U.S. Congress Sarbanes-Oxley Act of Public Law 107–204, SEC 103-a-2-B, Senate and House of Representatives of the United States of America in Congress assembled. Washington, D.C. July 30.
21
TITLE III – CORPORATE RESPONSIBILITY
Audit Committee (committees est. by the board of a company for the purpose of overseeing financial reporting) Independence Establishes minimum independence standards for audit committees Independence of the audit committee crucial in that it must (1) oversee and compensate RPAF to perform audit, and (2) establish procedures for addressing complaints by the issuer regarding accounting, internal control, etc. (this lays the foundation for anonymous whistleblowing) CEOs and CFOs must certify in any periodic report the truthfulness and accurateness of that report – creates liability Under certain conditions of re-statement of financials due to material non-compliance, CEOs and CFOs will be required to forfeit certain bonuses and profits paid to them as a result of material mis-information
22
SUMMARY OF SARBANES OXLEY PROVISIONS AFFECTING DIRECTORS, CEOs AND CFOs
Listed company audit committee independence requirements and responsibilities (Section 301) CEO and CFO financial statement-related certifications (Sections 302 and 906) Unlawful for any officer or director or person acting under the direction thereof to fraudulently influence, coerce, manipulate or mislead any independent accountant engaged to audit the financial statements of an issuer for purposes of rendering the financial statements materially misleading (Section 303) If there is a material restatement of an issuer’s reported financial results due to the material noncompliance of the company, as a result of misconduct, the CEO and CFO shall reimburse the issuer for any bonus or incentive or equity-based compensation received within the 12 months following the filing with the financial statements subsequently required to be restated (Section 304)
23
SOx Company Audit Committee
Under SOx Sec 301 public company audit committees are directly responsible for the appointment, compensation, and oversight of the work of any registered public accounting firm employed by their company (including resolution of disagreements between management and the auditor regarding financial reporting). Audit firm reports directly to the audit committee. Auditors may also have to discuss accounting complaints with the Audit Committee. Page 429
24
Audit Committee Independent Directors Financial Expert
Audit committee members should not receive fees other than for board service and should not be an “affiliated person” of the company. Financial Expert At least one member of its audit committee must be a "financial expert" (expertise in US GAAP). Auditor Oversight Responsible for oversight of external reporting, internal controls and auditing, and the appointment and compensation of the auditor. Whistle-Blower Communications Confidential and anonymous submissions by employees. Pages Independent Directors Sarbanes Oxley explicitly establishes an independence definition for audit committee members. Audit committee members should not receive fees other than for board service and should not be an “affiliated person” of the issuer (publicly listed company) or any subsidiary. Financial Expert Section 407 of the Sarbanes-Oxley Act states[i] that: The SEC shall issue rules to require issuers to disclose whether at least one member of its audit committee is a "financial expert." The final SEC rules state[ii] that the audit committee financial expert's expertise should be related to the body of generally accepted accounting principles used in the issuer's primary financial statements filed with the SEC. The company must disclose the name of the audit committee financial expert and whether that person is independent. Auditor Oversight As they are responsible for oversight of external reporting, internal controls and auditing, the audit committee should play a role in guarding independence of the auditor. In this respect, Sarbanes Oxley and “best practice” teach that the audit committee is directly responsible for the appointment, compensation and oversight of auditor. 
Auditor Reports to Audit Committee To support the supervisory role of the audit committee, the Sarbanes Oxley Act requires the auditor to report directly to the audit committee: [iii] · all critical accounting policies and practices in use by the publicly listed company · GAAP alternatives discussed with management and any alternative preferred by the audit firm · other material written communications such as management letters and unadjusted audit differences Whistle-Blower Communications To be able to perform its tasks, Sarbanes Oxley requires the audit committee to establish a protocol to address “whistle blower” communications [iv]. This duty comprises: · Receipt, retention and treatment of complaints received by the Company regarding accounting, internal controls, or auditing matters · Confidential and anonymous submissions by employees. [i] 107th U.S. Congress Sarbanes-Oxley Act of Public Law 107–204, Sec 407 “Disclosure of Audit Committee Financial Expert”. Senate and House of Representatives of the United States of America in Congress assembled. Washington, D.C. July 30. [ii] SEC, Release No File No. S “Standards Relating To Listed Company Audit Committees” U.S. Securities And Exchange Commission. 10 April [iii] 107th U.S. Congress SEC “Auditor Reports To Audit Committees”. Sarbanes-Oxley Act of Public Law 107–204. Senate and House of Representatives of the United States of America in Congress assembled. Washington, D.C. July 30. [iv] 107th U.S. Congress SEC “Protection For Employees Of Publicly Traded Companies Who Provide Evidence Of Fraud”. Sarbanes-Oxley Act of Public Law 107–204. Senate and House of Representatives of the United States of America in Congress assembled. Washington, D.C. July 30.
25
Corporate Provisions Corporate Officers Can’t influence audit
No stock transactions during blackout periods when employees cannot trade In pro-formas, no material untrue statements, reconciliation and equality with GAAP No officer loans File any trading information within two business days Code of ethics Disclose off-balance sheet financing Disclose any non-GAAP financial measures Issuers must disclose “off-balance sheet transactions” in periodic reports and pro-forma financial statements must be true and equally presented with GAAP financials No issuer shall make, extend, modify or renew any personal loan to CEOs, CFOs (limited exceptions include company credit cards) Executives cannot trade their stock if employees are prohibited from trading theirs (black-out period) In periodic reports filed, the issuer must disclose its code of ethics for senior financial officers, and if the issuer has not adopted such a policy, must disclose why not SEC must review disclosures (in financials) made by any issuer at least once every three years (similar to Board review of registered public accounting firms) Issuers must disclose in real time any additional information concerning material changes in the financial condition or operations of the issuer
26
SOX: Section 302 certification
Section 302 requires: Quarterly certification by the CEO / CFO regarding the completeness and accuracy of quarterly reports as well as the nature and effectiveness of disclosure controls and procedures (DC&P) supporting the quality of information included in such reports Actions: Enhance DC&P assessment and turn into consistent and continuous process Ensure coverage of entire organization (incl. all material subsidiaries) Embed into regular review and monitoring processes
27
Corporate Provisions Corporate Officers Certify that they have
Reviewed the reports Reviewed internal control Certify that there are no material weaknesses Certify that there is no fraud Report fairly presents the financial condition of the company
28
Management Responsibility for Audit Report - SOx
Sox Requires that the principal executive officer or officers and the principal financial officer or officers, certify in each report filed with the SEC the following: the signing officer has reviewed the report; the report does not contain any untrue statement of a material fact or omit to state a material fact; the financial statements, and other financial information, fairly present in all material respects the financial condition of the company; the signing officers are responsible for establishing and maintaining internal controls; have evaluated the effectiveness of the company’s internal controls; and have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation; Page 491 Illustration 12.1 Certification of Schlumberger Financial Statements by Corporate Officers the Sarbanes-Oxley Act of 2002 (SOx) which now requires[i] that the principal executive officer or officers and the principal financial officer or officers, certify in each annual or quarterly report filed or submitted to the U.S. 
Securities and Exchange Commission (SEC) the following: (1) the signing officer has reviewed the report; (2) the report does not contain any untrue statement of a material fact or omit to state a material fact; (3) the financial statements, and other financial information, fairly present in all material respects the financial condition of the company; (4) the signing officers (A) are responsible for establishing and maintaining internal controls; (B) have evaluated the effectiveness of the company’s internal controls; and (C) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation; (5) the signing officers have disclosed to the company’s auditors and the audit committee of the board of directors — (A) all significant deficiencies in the design or operation of internal controls which could adversely affect the company’s ability to record, process, summarize, and report financial data and have identified for the company’s auditors any material weaknesses in internal controls; and (B) any fraud, whether or not material, that involves management or other employees who have a significant role in the company’s internal controls; and [i] 107th U.S. Congress Sarbanes-Oxley Act of Public Law 107–204. SEC “Corporate Responsibility For Financial Reports”. Senate and House of Representatives of the United States of America in Congress assembled. Washington, D.C. July 30.
29
Corporate Responsibility for Audit Report under SOx (cont.)
Requires that the principal executive officer or officers and the principal financial officer or officers, certify in each report filed with the SEC the following: the signing officers have disclosed to the company’s auditors and the audit committee of the board of directors — all significant deficiencies in the design or operation of internal controls which could adversely affect the company’s ability to record, process, summarize, and report financial data and have identified for the company’s auditors any material weaknesses in internal controls; and any fraud, whether or not material, that involves management or other employees who have a significant role in the company’s internal controls; Page 491
30
SOX: Section 404 Assessment
Management’s assessment must be based on procedures sufficient both to evaluate design and test operating effectiveness Management must maintain evidential matter, including documentation, to provide reasonable support for the assessment (both design and testing) of effectiveness Any material weakness in internal control over financial reporting precludes management from reporting that internal control is effective Reiteration of guidance regarding independence: Auditors may assist management in documenting internal controls. Management must be actively involved in the process; cannot delegate assessment responsibility to the auditor KEY POINT: Management’s documentation is key and is required to be maintained as evidential matter to support its assessment. Prior to the final issuance of this Rule, many companies were wavering on the necessity of their documentation of their internal controls; however, the final rule makes it clear that both their internal controls and their assessment of the design and operating effectiveness must be maintained. Management must also report any material weaknesses they identify and such weaknesses will preclude them from reporting that internal control is effective.
31
SOX: Meeting SEC Expectations
Compliance with COSO control standards (or other accepted standards; IT Governance Institute recently recommended CobiT for general IT controls assessment) Clear documentation of internal controls as well as the testing processes Evidence that management have evaluated the adequacy of the design and the effectiveness of operation of the procedures and controls Evidence that the auditor has adequately evaluated the design and operation of financial controls Evidence that the audit committee and/or disclosure committee have taken a keen interest in the effectiveness of controls
32
TITLE V – ANALYST CONFLICTS OF INTEREST
National Securities Exchanges and registered securities associations must adopt rules designed to address conflicts of interest that can arise when securities analysts recommend securities in research reports To improve objectivity of research and provide investors with useful and reliable information
33
TITLE VIII – CORPORATE AND CRIMINAL FRAUD ACCOUNTABILITY
To knowingly destroy, create, manipulate documents and/or impede or obstruct federal investigations is considered felony, and violators will be subject to fines or up to 20 years imprisonment, or both All audit report or related workpapers must be kept by the auditor for at least 5 years – PCAOB AS 3 says 7 years. Whistleblower protection – employees of either public companies or public accounting firms are protected from employers taking actions against them, and are granted certain fees and awards (such as Attorney fees)
34
Penalties General penalties
If alter, destroy, cover-up or falsify documents with objective to hinder investigation – fines and up to 20 years
35
TITLE IX – WHITE-COLLAR CRIME PENALTY ENHANCEMENTS
Financial statements filed with the SEC by any public company must be certified by CEOs and CFOs; all financials must fairly present the true condition of the issuer and comply with SEC regulations Violations will result in fines less than or equal to $5 million and/or a maximum of 20 years imprisonment Mail fraud/wire fraud convictions carry 20 year sentences (previously 5 year sentences) Anyone convicted of securities fraud may be banned by SEC from holding officer/director positions in public companies
36
Penalties – Corporate Officers
Give back to firms any bonuses, incentive compensation or equity based compensation earned within 12 months Give back profit on sales during blackout period False certification - $1m and up to 10 yrs. Willful false cert. - $5 m and up to 20 yrs. Company can hold up any payments to officers
37
Penalties Audit firms Temporary suspension from industry
Temporary or permanent revocation of license Can’t go to another firm if suspended or license revoked Fines of up to $100,000 personal for each violation, firm up to $2 m If intentional up to $750,000 personal, firm up to $15 m Destroy working papers within 5 years – fine and up to 10 years.
38
TITLE X – CORPORATE TAX RETURNS
Federal income tax returns must be signed by the CEO of an issuer
39
TITLE XI – CORPORATE FRAUD ACCOUNTABILITY
Destroying or altering a document or record with the intent to impair the object’s integrity for the intended use in a securities violation proceeding, or otherwise obstructing that proceeding, will be subject to a fine and/or up to 20 years imprisonment The SEC has the authority to freeze payments to any individual involved in an investigation of a possible security violation Any retaliatory act against whistleblowers or other informants is subject to fine and/or 10 year imprisonment