Beyond Sarbanes-Oxley Compliance - Anne M. Marchetti - E-Book

Beyond Sarbanes-Oxley Compliance E-Book

Anne M. Marchetti

Description

Designed to lead financial managers from initial compliance with the Sarbanes-Oxley Act, through ongoing maintenance and monitoring, Beyond Sarbanes-Oxley Compliance helps readers seize this opportunity to revitalize their business practice, drive greater performance, and transform their finance organization into a key contributor to the business. Focusing on the present and future financial road ahead, Beyond Sarbanes-Oxley Compliance explores how to implement enterprise risk management processes that comply with Sarbanes-Oxley 302/404/409 requirements, ways to build on initial compliance activities that will improve financial management processes and profitability, compliance and quarterly close checklists, timelines, and table summaries to help readers achieve their goals, and much more.


Page count: 346

Publication year: 2016




Table of Contents

Cover

Title

Copyright

Dedication

ACKNOWLEDGMENTS

PREFACE

PART ONE: INITIAL COMPLIANCE

1 SARBANES-OXLEY ACT OVERVIEW

OVERVIEW OF THE ACT

INTERNAL CONTROLS ENVIRONMENT

EFFECTS ON FINANCIAL REPORTING PROCESS PARTICIPANT HIERARCHY

A RESOURCE FOR FINANCIAL MANAGERS

NOTES

2 OVERVIEW OF SARBANES-OXLEY SECTIONS 302, 404, AND 409

SECTION 302

SECTION 404

SECTION 409

NOTES

3 DETERMINING ORGANIZATIONAL READINESS

THE REAL COST OF COMPLIANCE

DEFINING THE SCOPE OF YOUR COMPLIANCE PROGRAM

CONSIDERATIONS PRIOR TO COMPLIANCE IMPLEMENTATION

COMPLIANCE IMPLEMENTATION CHALLENGES

NOTES

4 THE “PATH” TO COMPLIANCE

PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD AUDITING STANDARD NO. 2

THE PATH TO COMPLIANCE STEP 1: PLAN

STEP 2: REVIEW

STEP 3: IMPROVE CONTROL ENVIRONMENT

STEP 4: TEST

STEP 5: CERTIFY

STEP 6: MONITOR

NOTES

PART TWO: ONGOING MAINTENANCE AND MONITORING

5 CHANGE MANAGEMENT

READINESS FOR CHANGE

WHY CHANGE INITIATIVES FAIL

KEY CRITERIA FOR CHANGE MANAGEMENT SUCCESS

INTEGRATED CHANGE MANAGEMENT

6 ONGOING COMPLIANCE ACTIVITIES

IMPROVEMENT OPPORTUNITIES AND REMEDIATION EFFORTS

THE ROLE OF FINANCE

OPERATIONAL STRUCTURES

THE PATH TO ONGOING ACT COMPLIANCE

STEP 1: PLAN

STEP 2: ONGOING DOCUMENTATION

STEP 3: TEST

STEP 4: REMEDIATION

STEP 5: REPORT

NOTES

7 AUDIT FUNCTION CONSIDERATIONS

THE ROLE OF THE INTERNAL AUDIT DEPARTMENT

THE ROLE OF THE EXTERNAL AUDITOR

SAS 70 REPORTS

NOTES

8 OTHER ONGOING COMPLIANCE ISSUES

SOFTWARE APPLICATIONS TO ASSIST WITH COMPLIANCE EFFORTS

INFORMATION TECHNOLOGY SYSTEM IMPLEMENTATIONS

MERGERS AND ACQUISITIONS

BUSINESS SIZE

NOTES

PART THREE: BEYOND COMPLIANCE

9 PROCESS IMPROVEMENT CONSIDERATIONS

IMPLEMENTATION PHILOSOPHIES

PROCESS IMPROVEMENT

NOTES

10 INTERNATIONAL FINANCIAL REPORTING STANDARDS

COMMUNICATING THE IMPACT

THE ACCOUNTING ISSUE

THE SYSTEMS AND PROCESSES ISSUES

THE BUSINESS ISSUE

THE PEOPLE ISSUE

PREPARING FOR INTERNATIONAL FINANCIAL REPORTING STANDARDS

KEY ELEMENTS OF AN EFFECTIVE IFRS IMPLEMENTATION

11 NON-U.S.-BASED COMPANIES AND SARBANES-OXLEY COMPLIANCE

WHO IS AFFECTED BY SARBANES-OXLEY?

WHO SHOULD HAVE THIS ON THEIR AGENDA?

WHAT PREPARATION IS REQUIRED TO ENSURE COMPLIANCE?

NOTES

12 FINANCIAL SERVICES COMPLIANCE INITIATIVES

SARBANES-OXLEY AND EQUIVALENT LEGISLATION

EFFECTIVE COMPLIANCE TO DELIVER BUSINESS VALUE

NOTE

APPENDIX A: SARBANES-OXLEY SECTION

SEC. 302. CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS

APPENDIX B: SARBANES-OXLEY SECTION

SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS

APPENDIX C: SARBANES-OXLEY SECTION

SEC. 409. REAL TIME ISSUER DISCLOSURES

APPENDIX D: EVALUATION QUESTIONS TO UNDERSTAND THE CURRENT STATE OF CONTROL PROCESSES

APPENDIX E: INTERNAL CONTROL OVER FINANCIAL REPORTING

APPENDIX F: EVALUATING CONTROL DEFICIENCIES

APPENDIX G: SAMPLE DOCUMENTATION

SEGREGATION OF DUTIES IN SIGNIFICANT ACCOUNTING APPLICATIONS

FLOWCHART SUPPLEMENTAL NARRATIVES ACCOUNTS PAYABLE/CASH DISBURSEMENTS

TESTING PLAN

INTERNAL CONTROL DOCUMENTATION PROCESS WALK-THROUGH

INTERNAL CONTROL DOCUMENTATION CORRECTIVE ACTION LOG

PARSON CONSULTING INTERNAL CONTROL STRUCTURE AND RISK ASSESSMENT

APPENDIX H: AS2 CONTROL TESTING PROVISIONS

TESTING AND EVALUATING DESIGN EFFECTIVENESS

TESTING AND EVALUATING OPERATING EFFECTIVENESS

USING THE WORK OF OTHERS

EXAMPLE D-1. SIGNIFICANT DEFICIENCIES AND MATERIAL WEAKNESSES

EXAMPLE D-1. RECONCILIATIONS OF INTERCOMPANY ACCOUNTS ARE NOT PERFORMED ON A TIMELY BASIS

EXAMPLE D-2. EVALUATE IMPACT ON TIMING AND AMOUNT OF REVENUE RECOGNITION

EXAMPLE D-3. IDENTIFICATION OF SEVERAL DEFICIENCIES

APPENDIX I: RESPONSIBILITIES OF INTERNAL AUDITING

OBJECTIVE AND SCOPE

RESPONSIBILITIES AND AUTHORITY

INDEPENDENCE

APPENDIX J: ACTUAL INTERNAL CONTROL DISCLOSURES

INDEX

END USER LICENSE AGREEMENT

List of Illustrations

1 SARBANES-OXLEY ACT OVERVIEW

Exhibit 1.1 How Sarbanes-Oxley Affects Your Organization

Exhibit 1.2 COSO Internal Controls Approach

2 OVERVIEW OF SARBANES-OXLEY SECTIONS 302, 404, AND 409

Exhibit 2.1 Who Is Impacted?

Exhibit 2.2 Independence Standards: Who Does What?

Exhibit 2.3 Form 8-K and Section 409 Disclosure Triggering Events

3 DETERMINING ORGANIZATIONAL READINESS

Exhibit 3.1 Public Company Accounting Oversight Board Auditing Standards

Exhibit 3.2 Sarbanes-Oxley Compliance Concepts: The Spirit of the Act

4 THE “PATH” TO COMPLIANCE

Exhibit 4.1 The Path to Demonstrate Compliance

Exhibit 4.2 Internal Control Failure Hierarchy

5 CHANGE MANAGEMENT

Exhibit 5.1 Change Management Methodologies and Techniques

Exhibit 5.2 Are You Ready to Change?

Exhibit 5.3 Fragmented Approaches to Change Initiatives

Exhibit 5.4 Key Criteria for Change Management Success

Exhibit 5.5 Integrated Change Management

Exhibit 5.6 Change Management Implementation Framework

Exhibit 5.7 The Effects of Missing Change Elements

Exhibit 5.8 Results of Effective Change Management

6 ONGOING COMPLIANCE ACTIVITIES

Exhibit 6.1 Improvement Opportunity Prioritization Matrix

Exhibit 6.2 Compliance Effort Comparison: Initial Compliance versus Ongoing Compliance

Exhibit 6.3 The Path to Ongoing Compliance

Exhibit 6.4 Who Will Be in Charge of Ongoing Compliance?

7 AUDIT FUNCTION CONSIDERATIONS

Exhibit 7.1 SAS 70 Audit Report Types

9 PROCESS IMPROVEMENT CONSIDERATIONS

Exhibit 9.1 Predominant Views of Senior Management and Board Regarding Compliance with Sarbanes-Oxley

10 INTERNATIONAL FINANCIAL REPORTING STANDARDS

Exhibit 10.1 Comprehensive IFRS Transition Approach

12 FINANCIAL SERVICES COMPLIANCE INITIATIVES

Exhibit 12.1 Examine the Areas of Overlap

Exhibit 12.2 An Effective Compliance Model

BEYOND SARBANES-OXLEY COMPLIANCE

Effective Enterprise Risk Management

ANNE M. MARCHETTI

Copyright © 2005 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

For more information about Wiley products, visit our Web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

ISBN-13 978-0-471-72626-5

ISBN-10 0-471-72626-5

To my parents

ACKNOWLEDGMENTS

I would like to express sincere appreciation to Kathleen Hajduk and Robert Grenhart for their valuable contributions.

PREFACE

Through my work with public and private entities of all sizes in developing Sarbanes-Oxley compliance programs, the question I receive most often is “Once you establish compliance with Section 404, what’s next?” This book guides corporate accounting and financial executives through the requirements and value-added activities in the post-initial compliance environment. It demonstrates how to monitor and maintain strong internal control systems within finance and accounting operations. In addition, it outlines how to leverage the knowledge harvested through regulatory compliance to improve financial management and make the organization more efficient. In this book, I also suggest new ideas on how to identify and mitigate threats to the financial control environment. My objective for this book is to show readers how to meet compliance requirements, as well as build on initial compliance activities to improve the financial management processes.

PART ONE: INITIAL COMPLIANCE

1 SARBANES-OXLEY ACT OVERVIEW

Enron, Arthur Andersen, WorldCom, Tyco, Adelphia. These companies have become household names mostly because of their past display of corporate greed, fraud, and accounting improprieties. The offenses of these few organizations are not representative of the majority of more than 15,000 public companies in the United States, yet the results of their abuses are far reaching. When the details of corruption emerged, and stock prices and retirement savings plummeted, the American public became outraged and demanded reform. On July 30, the U.S. Congress answered this public outcry for change and enacted the Sarbanes-Oxley Act of 2002 (the “Act”).

The Act was signed into law to improve the accuracy and transparency of financial reports and corporate disclosures, as well as to reinforce the importance of corporate ethical standards. As a result, the Securities and Exchange Commission (SEC) issued rules outlining the provisions of the Act. In addition, the New York Stock Exchange (NYSE), the American Stock Exchange (Amex) and the over-the-counter Nasdaq Stock Market (Nasdaq), have all significantly modified the standards for listing stocks on their exchanges. Many view the Act’s provisions for internal controls over financial reporting (Section 404) and executive certifications (Section 302) as painful and costly to implement with little derived benefit. Others see the mandated changes as an opportunity to implement best business practices, drive greater performance, and boost investor confidence.

OVERVIEW OF THE ACT

The Act is the most significant legislation impacting the accounting profession since the Securities Acts of 1933 and 1934, which it amends. It addresses a wide range of matters relevant to publicly held issuers and their auditors, including auditor oversight and independence, corporate responsibility for financial reports, and enhanced financial disclosures. The Act is composed of 11 Titles as outlined below.

Title Summaries

Title 1. Public Company Accounting Oversight Board (PCAOB or “Board”)

The Act establishes the board as a private, nonprofit company funded by annual accounting support fees assessed to issuers1 (as defined in Section 3 of the Securities Exchange Act of 1934 (15 U.S.C. 78c)). The board’s duties include the mandatory registering of public accounting firms that prepare audit reports; establishing auditing, quality control, ethics, and independence standards relating to the preparation of audit reports; conducting inspections of registered public accounting firms; and enforcing compliance with the Act.

Title 2. Auditor Independence

Title 2 prohibits registered public accountants conducting an issuer’s financial statement audit from performing nonauditing services such as bookkeeping, the design and implementation of financial information systems, appraisals, valuations, fairness opinions, internal audit outsourcing, and management functions. All audit and nonaudit services require preapproval by the audit committee of the issuer. Additionally, there are provisions for audit partner rotation, specific reporting requirements by registered public accounting firms to the issuers’ audit committee, and an absolute prohibition of an audit firm providing audit services to clients for one year if the client has hired certain employees of the registered public accounting firm in key financial positions.

Title 3. Corporate Responsibility

This provision of the Act mandates the SEC to direct the national securities exchanges and national securities associations to prohibit the listing of any security of an issuer that is not in compliance with the following Act requirements:

Existence of audit committee oversight of registered public accounting firm

Board of directors/audit committee independence

Procedures for receiving complaints concerning accounting or auditing matters and anonymous employee concerns relating to questionable accounting or auditing matters established by the audit committee

Audit committee authority to engage independent counsel and other advisors

Provision of appropriate funding, as determined by the audit committee, for payment to the registered public accounting firm and to advisors hired by the audit committee

Title 3 also requires chief executive officer (CEO) and chief financial officer (CFO) certifications of financial statements, outlines penalties for corporate officers and directors for material noncompliance, and prohibits insider trading during pension fund blackout periods.

Title 4. Enhanced Financial Disclosures

Title 4 outlines requirements to help assure the accuracy of financial statements and supporting financial disclosures. It requires reporting of material unconsolidated and off-balance sheet transactions and mandates that pro forma financial information is factual and complete and reconciles with the financial condition and results of operations of the issuer. It prohibits personal loans to executives, requires issuers to disclose whether or not they have a code of ethics for senior financial officers, and mandates that the audit committee include at least one financial expert as defined by the Act. This provision also outlines requirements regarding management’s assessment of internal controls and the real-time disclosure of material changes to financial conditions or operations.

Title 5. Analyst Conflicts of Interest

This section of the Act requires the SEC, or national securities exchanges and national securities associations, to implement rules to improve “public confidence in securities research, and to protect the objectivity and independence of securities analysts ….”2

Title 6. Commission Resources and Authority

Pursuant to Title 6, $98 million in funding is authorized to the SEC to hire an additional 200 professionals to provide enhanced oversight of auditors and audit services required by Federal securities laws.

Title 7. Studies and Reports

Title 7 authorizes the General Accounting Office (GAO) and the SEC to perform studies and issue reports investigating the consolidation of public accounting firms; the role of credit rating agencies in the securities market; the number of professionals found to have aided and abetted a violation of securities laws from the period January 1, 1998, to December 31, 2001; the enforcement actions taken by the Commission involving violations of reporting requirements; and whether investment banks and financial advisers assisted public companies in obfuscating their true financial condition.

Title 8. Corporate and Criminal Fraud Accountability

This provision of the Act, which is also referred to as the Corporate and Criminal Accountability Act of 2002, details the penalties for the destruction of corporate audit records and the willful destruction, alteration, or falsification of records in Federal investigations and bankruptcy proceedings. This section also establishes a five-year record retention period for audit or review workpapers and provides protection for whistleblowers.

Title 9. White-Collar Crime Penalty Enhancements

The Act in Title 9, which is also referred to as the White-Collar Crime Penalty Enhancement Act of 2002, modifies the Federal Sentencing Guidelines to increase the penalties for white-collar crimes. More importantly for issuers, it establishes a requirement for the CEO/CFO certification of periodic financial statements and specifies the penalties for the failure to certify and the willful certification of knowingly false financial reports. Penalties range from $1 million to $5 million and may include imprisonment for up to 20 years depending on the violation.

Title 10. Corporate Tax Returns

Title 10 simply states that “[I]t is the sense of the Senate that the Federal income tax return of a corporation should be signed by the CEO of such corporation.”3

Title 11. Corporate Fraud Accountability

The Corporate Fraud Accountability Act of 2002, or Title 11, provides for additional fines and penalties for individuals who fraudulently alter or destroy documents or impede an official proceeding.

Act Requirements

The requirements of the Act are intricate and complex and affect the entire organization regardless of the operational infrastructure. Exhibit 1.1 displays how the significant provisions of the Act influence specific aspects and individuals of a public company, including the relationship of the registered public auditor.

The provisions of the Act that address independence, officer codes of conduct, auditor oversight and hiring, audit approval, and prohibited services apply directly to the audit committee. Other provisions that deal with the forfeiture of incentive pay, the prohibition of personal loans, and whistleblower protection policies may be the responsibility of the human resources department, while provisions regarding interpretations as a matter of law, codes of ethics, and record retention policies are normally the responsibility of the general counsel. Although public company compliance with all aspects of the Act is required, this book focuses only on those aspects of compliance that directly impact financial managers: Sections 302, 404, and 409. Discussion of these sections is divided into three main parts: initial compliance, ongoing maintenance and monitoring, and beyond compliance.

Initial compliance provides an overview of the Act provisions for Sections 302, 404, and 409 and details suggested action steps necessary to comply with the requirements. This part also defines and contrasts the terms reportable conditions, material weaknesses, and significant deficiencies and provides practical examples of each.

Ongoing maintenance and monitoring details the responsibilities of the financial manager after initial compliance with the Act. Major subjects such as quarterly compliance processes, interfacing with both internal audit and registered public auditors, control testing, software considerations, and SAS 70 Letters are discussed in order to provide the financial manager with practical applications.

Beyond compliance addresses the opportunity to move Sarbanes-Oxley compliance from a routine checklist and one-time internal controls improvement process to a defining cultural change initiative. This Part addresses how the financial services industry may be affected by the ever-expanding local and global regulatory, compliance, and reporting requirements. The section concludes with a discussion on the implications for future European Union-listed companies with International Financial Reporting Standards (IFRS) and the differences that exist between IFRS and U.S. generally accepted accounting principles (GAAP).

Exhibit 1.1 How Sarbanes-Oxley Affects Your Organization

INTERNAL CONTROLS ENVIRONMENT

Most companies would profess to have a strong emphasis on internal controls to ensure the reliability of financial reporting, yet in the absence of specific guidelines, determining the necessary level of control has primarily been a subjective decision. Early on, the impetus for effective internal controls was driven by the Securities Exchange Act of 1934, a law designed to restore investor confidence after the stock market crash of 1929, by providing more structure and government oversight. Issuers were later required to maintain adequate systems of internal controls after the Securities Exchange Act was amended in 1977. However, the term adequate was not clearly defined. In response to this requirement, most companies developed their own approach to compliance through the cooperative efforts of management, internal audit, and external auditors.

In the early 1990s, companies began adopting the Internal Controls–Integrated Framework of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission’s study of internal controls.4 The COSO internal controls approach (Exhibit 1.2) is a framework designed to establish an internal control system for an entire company not limited to financial or financial reporting controls. This framework balances control objectives with the required control components necessary to maintain effective internal control within a company, process, or function. The three COSO control objectives are as follows: accurate and reliable financial reporting, effective and efficient operations, and compliance with laws and regulations. The COSO framework breaks effective internal control into five interrelated components:

1. Control environment

2. Risk assessment

3. Control activities

4. Information and communication

5. Monitoring

Exhibit 1.2 COSO Internal Controls Approach

The Act has placed significant responsibility on issuers for designing, implementing, and maintaining effective systems of internal controls to assure adequate financial reporting to the SEC and investors. Paragraph 13 of PCAOB Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, sets forth the standards for registered public auditor attestation of issuers’ internal controls as required in Section 404(b) of the Act. Standard No. 2 requires issuers to “base its assessment of the effectiveness of the company’s internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due-process procedures, including the broad distribution of the framework for public comment.”5 Paragraph 13 concludes by mandating that an internal control assessment framework is suitable only when it:

Is free from bias

Permits reasonably consistent qualitative and quantitative measurements of a company’s internal control over financial reporting

Is sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company’s internal control over financial reporting are not omitted

Is relevant to an evaluation of internal control over financial reporting6

Additionally, Paragraph 13 states that the COSO integrated framework to internal controls “provides a suitable and available framework for purposes of management assessment” and “[f]or that reason, the performance and reporting directions in this standard are based on the COSO framework”7 even though other suitable standards may exist or may be developed in the future. The internal control delivery framework presented in Chapter 3 is based on the COSO Internal Control-Integrated Framework.

In addition to SEC- and COSO-driven internal control initiatives, many companies in specific industries such as pharmaceuticals and defense have historically placed a greater emphasis on internal controls because of specific regulatory requirements or other industry-specific environmental factors. These issuers may be in a better position than most issuers to more rapidly implement the requirements of the Act. They have already lived through a crisis similar to the one that prompted the Sarbanes-Oxley Act of 2002.

In the early and mid-1980s, the defense industry reeked of fraud, overcharges, and the perception of impropriety. In response to adverse headlines publicizing corruption, multiple congressional hearings, and the release of the Congressional report, A Quest for Excellence, the CEOs of 32 defense contractors met and established the Defense Industry Initiative on Business Ethics and Conduct (DII).8 The DII established six principles for doing business.

These principles, which establish a code of conduct or ethics, encourage internal reporting of violations of the code with the promise of no retaliation for such reporting. The principles also require the establishment of internal controls, a process for monitoring such controls, and a procedure for reporting violations. Defense contractors aggressively implement internal controls in part to protect themselves from the significant fines and penalties established for violating government contracting rules as well as fraud statutes and the Anti-Kickback Act of 1986. Most defense contractors incorporated the COSO framework into their internal control structures and as a result may have a good basis from which to implement the additional provisions of the Act.

Like the crisis in the defense industry, the scandals leading to the passing of the Act resulted in a loss of confidence and faith in corporate leadership and the integrity of financial reporting. The perception is that boards of directors had simply become “rubber stamp” approvers of management decisions. In the minds of many investors, boards had forgotten their most important role: corporate oversight and governance.

The Act and the resultant changes—including SEC requirements and regulations, the formation of the PCAOB, and changes to listing requirements of the NYSE, Nasdaq, and Amex—have all forced businesses to reevaluate their organizational structure and systems of internal control. These changes have created new roles as well as modified existing roles for the individuals involved in the financial reporting process.

EFFECTS ON FINANCIAL REPORTING PROCESS PARTICIPANT HIERARCHY

Simply reading the Act provides enough information to know that corporate America must change the way it conducts business. The Act affects all of the participants in the financial reporting process from the users of the financial reports and information released by issuers to the individual employee who enters data to record a transaction. The following briefly outlines the effect the Act will likely have on each participant.

Investors and Other Users of Financial Data

Why did anyone care about the financial scandals and fraudulent activities involving companies such as Enron, WorldCom, and Adelphia? Simply stated, it is because the market values of those companies declined significantly when the magnitude of the fraud was realized. This resulted in investments and retirement savings losses of billions of dollars.

For investors and other users of financial data, the Act and other resultant regulatory changes strengthen the controls over financial reporting by requiring issuers to ensure timely, accurate, and complete financial reporting and real-time disclosure of financial information. To encourage issuers to comply with the new requirements, the Act specifically imposes significant criminal penalties and fines for corporate executives. Will these rules prevent all future corporate scandals? Probably not, but they will likely be enough incentive to improve the quality, accuracy, and timeliness of financial data to allow investors to make informed decisions regarding their investments.

Regulatory Bodies

The Act resulted in several important changes to regulatory bodies. First, the Act mandated the creation of the PCAOB to oversee the public accounting industry and to set standards for conducting the review of issuers’ internal control over financial reporting. Second, the Act effected several changes to SEC reporting requirements, including provisions for mandatory real-time disclosures of certain changes to issuers’ financial conditions and new accelerated due dates for quarterly and year-end reports. Finally, the Act required the national securities exchanges to change their listing requirements for issuers subject to the Act.

The Board of Directors

The two primary responsibilities given to boards of directors are (1) strategic direction and leadership of the business, and (2) corporate oversight. The Act and changes made by the national listing exchanges reinforce those responsibilities and ensure they are taken seriously. These changes require boards to be composed of a majority of independent members, hold meetings with only independent directors, and implement corporate governance and codes of ethics.

Audit Committee

The role of the audit committee has also changed. First, the audit committee must consist of only independent directors, and the board must disclose if the audit committee does not contain at least one “financial expert” as defined by the SEC. Second, the audit committee is solely responsible for the engagement and compensation of the external auditor and oversight of the auditor’s work relating to the audit of financial statements. Finally, the external auditor now reports directly to the audit committee, and no additional services can be provided without the committee’s preapproval.

External Auditors

In addition to now reporting directly to the audit committee, external auditors must register with the PCAOB, refrain from performing certain nonauditing services, and must comply with audit partner rotation requirements. The external auditor is also responsible for an attestation review of the issuer’s internal control over financial reporting and report on management’s assessment of the same.

Executive Management

Executive management is now explicitly responsible for establishing and maintaining a system of internal control over financial reporting and creating an annual assessment of the same. The CEO and CFO are responsible for the financial reports filed with the SEC and must certify the accuracy of such reports under the risk of criminal penalties and fines. Other members of the executive management team are responsible for the new requirements relating to codes of ethics, record retention, insider trading, attorney conduct rules, whistleblower policies, as well as other legal and human resource issues.

Management and Staff

While the Act does not specifically mention any requirements of managers and supporting staff, these individuals will likely be directly responsible for the majority of the additional work that will be required to comply. Since executive management is held accountable for compliance, it is in their best interest to ensure their financial managers are knowledgeable about the Act and its impact on their company.

Based on the work effort outlined, it is clear that companies will experience significant increases in costs and time necessary to comply with the provisions of the Act and the related regulatory changes. These increased costs will be related to:

More frequent board and audit committee meetings

Increased oversight activities

Continual communication with external auditors

Increased legal and human resource work resulting from new policies and procedures

By far, the most significant cost increases will result from the external auditor attestation of internal control over financial reporting and the internal cost of complying with the provisions of Section 302, Section 404, and Section 409 of the Act.

The cost of compliance will vary based on the size of the company, the number of operations, and the complexity of the business. Nonetheless, the total is still significant for most organizations. A January 2004 Financial Executives International (FEI) survey suggests that Section 404 compliance will cost companies, on average, 12,265 internal people hours, 3,059 external resource hours to supplement internal hours, $732,100 for external consulting, and $590,100 for the external auditors’ attestation review.9 To determine a reasonable estimate of the cost of compliance, companies will first need to understand the requirements of the Act and what efforts will be needed to comply. The next three chapters discuss the specific requirements of Section 302, Section 404, and Section 409, respectively.

A RESOURCE FOR FINANCIAL MANAGERS

This book is intended to help financial managers go beyond mere compliance and seize the opportunity to improve business practices and/or processes, drive greater performance, and transform the perception of the finance organization into that of a value-added key contributor to the company. For discussion purposes, financial manager refers to anyone who is a CFO, controller, vice president of finance, divisional CFO, or a manager who directly works for someone in such a position.

This book focuses on the aspects of Sarbanes-Oxley that impact those employees working directly or indirectly for the CFO. It is designed to lead the reader from initial compliance with the Act, through ongoing maintenance and monitoring, and ultimately to beyond compliance; however, each section can be read and applied individually.

The PCAOB’s web site (www.pcaob.com) is a perfect complement to the information contained in this book. The web site lists the board’s current and pending regulatory actions regarding rules and the adoption of auditing standards. The site also maintains briefing papers and other documents that can serve as valuable information for financial managers who are responsible for implementing various sections of the Act, as well as Q&A documents clarifying opinions on issues related to the implementation of the standards of the PCAOB.10

NOTES

1. The term issuer means an issuer (as defined in Section 3 of the Securities Exchange Act of 1934), the securities of which are registered under Section 12 of that Act, or that is required to file reports under Section 15(d) of that Act, or that files or has filed a registration statement with the Securities and Exchange Commission that has not yet become effective under the Securities Act of 1933, and that it has not withdrawn.

2. The Act, Title 5, Section 501.

3. The Act, Title 10, Section 1001.

4. Internal Controls–Integrated Framework. The Committee of Sponsoring Organizations of the Treadway Commission, “Struggling to incorporate the COSO recommendations into your audit process?” www.coso.org.

5. PCAOB Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, approved by the SEC June 18, 2004, Paragraph 13.

6. Id.

7. PCAOB Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, approved by the SEC June 18, 2004, Paragraph 14.

8. Defense Industry Initiative, www.dii.org.

9. FEI Survey on Sarbanes-Oxley Section 404 Implementation, January 2004, available on the FEI web site at www.fei.org.

10. PCAOB Staff Questions and Answers, Auditing Internal Controls over Financial Statements, June 23, 2004, page 1.

2 OVERVIEW OF SARBANES-OXLEY SECTIONS 302, 404, AND 409

SECTION 302

The Sarbanes-Oxley Act of 2002 has literally rewritten the rules for corporate governance, disclosure, and reporting. It has fundamentally changed the business and regulatory environment, leaving public companies with the demanding task of modifying their operations in order to comply.

Exhibit 2.1 outlines the key requirements of the Act, notes which departments within the corporation are affected, and displays the key compliance focus for the financial manager: Section 302 financial statement certification, Section 404 certification of internal controls, and Section 409 real-time disclosures of changes to reported information.

Section 302 requires chief executive officers (CEOs) and chief financial officers (CFOs) of companies filing reports pursuant to the provisions of the Securities Exchange Act of 1934 (15 USC 78m, 78o(d)) to submit a certification with the submission of the required reports (see Appendix A). The Act is silent as to whether the certification is a joint certification or whether each applicable company officer is required to certify individually. However, completing separate certifications, while not limiting the company’s liability for false certifications, would shield separate officers from improper certifications of other officers.

The Section 302 certification consists of six specific certification points:

1. “[T]he signing officer has reviewed the report.”1

Reviewing the report is not the same as reading the report. Simply reading the report does not meet the intention of the Act—holding corporations and their officers responsible for the content and accuracy of financial reports. Corporate officers must apply appropriate levels of scrutiny in order that they understand the material, sources, key assumptions, and estimates included in financial reports.

Exhibit 2.1 Who Is Impacted?

2. “[B]ased on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading.”2

In other words, based on the officer’s knowledge, the report must be accurate and complete. Accurate in that it is factual, not containing any “untrue statement of material fact.”3 Complete in that it contains all relevant data so as to accurately present information and not mislead the reader.

An important aspect of this provision is the phrase “based on the officer’s knowledge.” Board interpretation of this phrase has yet to be determined, but applying a legal “reasonableness” test is appropriate. While the CFO of a large corporation may not be expected to know the details of the accounts payable balance at each operating division, it would not be reasonable for the CFO to certify a financial report knowing that one division’s accounts payable balance was disproportionately high for its size and nature. The CFO in this case should reasonably know that the accounts payable data may be inaccurate and delay certifying until the data are verified as accurate.

3. “[B]ased on such officer’s knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report.”4

In addition to the financial statements and information being accurate and complete, they must correctly represent the results of operations for the specific period presented in the report. As discussed in point 2, the officer’s knowledge and understanding of financial operations must be sufficient to apply a reasonableness test to the report. Ultimately, the signing officers must be comfortable with the content, accuracy, and completeness of financial reports, as well as such reports’ conformity with generally accepted accounting principles (GAAP).

4. “[T]he signing officers

are responsible for establishing and maintaining internal controls;

have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;

have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and

have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.”5

Certifying officers are ultimately responsible for the design, implementation, effectiveness, continuing operation, and evaluation of all internal controls that ensure accurate and complete disclosure of financial reports. A critical component of the internal control environment is ensuring that the appropriate level of information effectively flows through the organization to the certifying officers. This process should seek to prevent information from becoming distorted, clouded, or blocked altogether.

5. “[T]he signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors (or persons fulfilling that equivalent function):

all significant deficiencies in the design or operation of internal controls that could adversely affect the issuer’s ability to record, process, summarize, and report financial data and have identified for the issuer’s auditors any material weaknesses in internal controls; and

any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal control.”6

In addition to detailing the effectiveness of internal controls over financial reporting, the certifying officers must also disclose all “significant deficiencies” and incidences of management fraud discovered to the issuer’s audit committee (or equivalent function as defined in the Act) and the issuer’s registered public auditor. Fraud reporting is limited to situations involving management employees who, by nature of their position, play a substantive role in the issuer’s internal controls. Fraud reporting is required regardless of the materiality of the fraudulent action. Fraudulent activities, in and of themselves, require timely disclosure.

6. “[T]he signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.”7

The signing officers must further certify that their financial reports include disclosure, both affirmative and negative, of whether there were any changes to internal controls after the completion of the evaluation that could have a significant impact on internal controls. Such disclosures should also include all “other factors” that could affect internal controls. While the Act does not define “other factors,” the phrase is likely intentionally broad so that it encompasses any internal change or external factor that could impact internal controls.

Examples of internal changes may include adjustments in accounting practices, implementation of new software systems, and restructuring activities. Examples of external factors include regulatory changes such as the Act, natural disasters, or acquisitions. While most of these examples represent operational changes, they all could potentially result in an immediate and permanent change to the internal control environment and thus, affect financial reporting.