Sarbanes-Oxley Overview
Sarbanes-Oxley Act Summary

The Sarbanes-Oxley Act of 2002
§ 201 Prohibited Non-Audit Services
§ 202 Audit Committee Pre-Approval
§ 203 Audit Partner Rotation
§ 204 Auditor Reports to Audit Committee
§ 206 Auditor Conflicts of Interest
§ 301 Independent Audit Committee
§ 302 Certification of Periodic Reports
§ 303 Improper Influence on Conduct of Audits
§ 306 Pension Fund Black-Out Restrictions
§ 307 Conduct of Attorneys
§ 401 Disclosure of Off-Balance Sheet Transactions
§ 401 Disclosure of Pro-Forma Financial Information
§ 401 Disclosure of Material Correcting Adjustments
§ 402 Prohibition on Loans to Directors and Executives
§ 403 Insider Transactions – 2 Day Reporting
§ 404 Management Report on Internal Controls
§ 406 Code of Ethics Disclosure for Financial Officers
§ 407 Financial Expert Disclosure Requirements
§ 409 Real-Time Disclosure
§ 806, 1107 Employee Whistleblower Protection
§ 906 Criminal Certification of Periodic Reports
Titles VIII, IX, XI Fraud Accountability, White-Collar Penalty
Sarbanes-Oxley Background

Accounting Scandals (scams and the companies involved)
• Off Balance Sheet Entity: Enron
• Improper Capitalization: Tyco, Worldcom
• Improper Revenue Booking: Xerox, Qwest

LAW – Sarbanes-Oxley
§ US Congress approval Jan 23, 2002
§ Enacted July 30, 2002
§ Underlying objective: protect investors and improve the accuracy and reliability of corporate disclosures; sets new standards for corporate accountability and penalties for wrongdoing
§ Applies primarily to companies filing annual reports with the SEC

REGULATION – Major Provisions
§ Creates the new Public Company Accounting Oversight Board (PCAOB) to oversee external auditors (Sections 103-105, 201-203).
§ Expands reporting requirements and accountabilities: requires CEO and CFO attestations and the filing of an internal control report with the annual report (Section 302).
§ Requires external auditors to attest to and report on management's assessment in the internal controls report (Section 404).
§ Mandates independent audit committees and disclosure of a "financial expert" on the audit committee (Sections 301 & 407).
§ Requires disclosures regarding a code of ethics (Section 406).
§ Increases civil and criminal penalties (Sections 903-904).

Bodies Governing the Act: PCAOB & SEC
Sec 404 of the Sarbanes-Oxley Act

Sec 404 of this act establishes the following:
• Responsibility of management for establishing and maintaining an adequate internal control structure and procedures over financial reporting
• Responsibility of management to disclose to shareholders the effectiveness of the internal control structure and procedures

Documentation and testing must include the following steps:
• Evaluate whether the control is preventive or detective
• Document that tests were planned and performed
• Disclose material weaknesses
• Identify the internal control framework used
• State that the external accounting firm has issued an attestation report

External Auditor
• Opinion 1: Management's assessment of internal control over financial reporting
• Opinion 2: Effectiveness of internal control over financial reporting

Company Annual Report (on Form 10-K) is filed
Co. Key Impacts

Account Owner (Financial Disclosures)
Ø Real-time disclosure of Financial Statements as per US GAAP.
Ø Internal control report, duly attested by External Auditors, included in 10-K filings.
Ø Disclosure of all off-B/S transactions and contractual obligations.
Ø Adoption of a code of ethics for senior finance officers.
Ø Prohibition of credit or personal loans to directors/CEO.

Board of Directors & Senior Officers
Ø Certification of Financial Statements to be included in 10-K and 10-Q filings.
Ø Potential forfeiture of bonuses and profits due to Financial Statement restatement.
Ø Unlawful to exert improper influence upon an audit.
Ø Disclosure of changes in securities ownership of directors.

Related to Audit Committees
Ø Appoint a Financial Expert to the committee and disclose in 10-K filings.
Ø Members must be independent of the Company.
Ø Directly responsible for Auditor appointment.
Ø One-year lag for hiring an audit team member onto the board.
Ø Disclose pre-approvals for audit and non-audit services.
Ø Establish complaint procedures for accounting and auditing matters.
Ø Disclose fees paid to auditors in the two fiscal years.

Default: Corporate & Criminal Fraud Accountability
Sarbanes-Oxley Section 404 Approach
SOX Process Flow

(Flow diagram; the nodes that survive extraction are listed here.)
• Process → Risk → Control
• Control types: No Control, Compensating Control, Key Control (Preventive or Detective)
• Design GAP, Operation GAP
• Effectiveness rating: Highly Effective, Effective, Ineffective
• Potential Significant Deficiency → Reported to Audit Committee
• Material Weakness → Reported to Shareholders
• Action plan to mitigate risk
Preventive & Detective Controls

Preventive Controls
• Detect problems before they arise.
• Prevent an error or omission from occurring.
Examples:
1. Control access to physical facilities.
2. Use encryption software to prevent unauthorized disclosure of data.

Detective Controls
• Detect and report the occurrence of an error or omission.
Examples:
1. Internal audit functions.
2. Review of activity logs to detect unauthorized access attempts.
Benefits of Internal Control
• Complies with rules and regulations.
• Promotes reliability and integrity of Financial Reporting.
• Monitors results.
• Safeguards assets.
• Utilizes resources effectively and efficiently.
Approach to SOX
§ Identify processes that are SOX significant
§ Conduct Process Risk Self Assessment

Step 1
• PRSA Team works with Management to document and assess risks in their business
Step 2
• Controls for each significant risk are documented
Step 3
• Key controls are identified and test plans are developed and executed
• Control Operator makes an assertion as to the effectiveness of each key control
Step 4
• Action plans are developed for missing, poorly designed, or ineffective controls
Step 5
• Process owner certifies the effectiveness of the collective controls
• Process owner certifies the adequacy of internal controls of the process
What is Process Risk Self Assessment (PRSA)?
• A robust approach that supports on-going self assessment by process owners.
• A methodology for focusing on significant risks and key controls.
• PRSA will improve risk management and reduce loss, provide an automated single solution to meeting multiple regulatory requirements (Sarbanes-Oxley, Basle), strengthen customer relationships and improve shareholder value.
• Most importantly, PRSA provides senior leaders the evidence to support their internal control assessment/report.
Implications of Control Effectiveness

Based on the results of testing, the Control Operator will assert the effectiveness of the control as follows:

Highly Effective
• Applies only to fully automated controls.
• Efficient use of internal resources.
• No exception in testing.

Effective
• Applies to other than fully automated controls.
• No exception in testing.

Not Effective
• Insufficient documentation to support management's certification.
• Exception detected in testing.
SOX Roles & Responsibilities
• SOX Champion: serves as the liaison between the Process Owners and the SOX 404 Project Office
• Process Owner: responsible for concluding whether or not their Process has effective internal controls over financial reporting
• Tester: executes the test plan, communicates the test results to the Control Operator/Process Owner
• SOX Project Office: supports the SOX effort through guidance documents, help, etc.
• Internal Auditor: provides an objective assessment of the PRSA process
• External Auditor: gives an opinion on the effectiveness of management's assessment of internal control over financial reporting
- Slides: 13