User talk:Siddharth 2777

Sarbanes-Oxley Act

[Image caption: Before the signing ceremony of the Sarbanes-Oxley Act, President George W. Bush meets with Senator Paul Sarbanes, Secretary of Labor Elaine Chao and other dignitaries in the Blue Room at the White House, July 30, 2002.]

The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or SarBox; July 30, 2002) is a United States federal law passed in response to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, and WorldCom (now MCI). These scandals resulted in a decline of public trust in accounting and reporting practices. Named after sponsors Senator Paul Sarbanes (D–Md.) and Representative Michael G. Oxley (R–Oh.), the Act was approved by the House by a vote of 423-3 and by the Senate 99-0. The legislation is wide ranging and establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. The Act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law. Some believe the legislation was necessary and useful, others believe it does more economic damage than it prevents, and yet others observe how essentially modest the Act is compared to the heavy rhetoric accompanying it.

The first and most important part of the Act establishes a new quasi-public agency, the Public Company Accounting Oversight Board, which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The Act also covers issues such as auditor independence, corporate governance and enhanced financial disclosure. It is considered by some as one of the most significant changes to United States securities laws since the New Deal in the 1930s.


History

The House passed Rep. Oxley's bill (H.R. 3763) on April 25, 2002, by a vote of 334 to 90. The House then referred the "Corporate and Auditing Accountability, Responsibility, and Transparency Act" or "CAARTA" to the Senate Banking Committee with the support of President Bush and the SEC. At the time, however, the Chairman of that Committee, Senator Paul Sarbanes (D-MD), was preparing his own proposal, Senate Bill 2673.

Senator Sarbanes’s bill passed the Senate Banking Committee on June 18, 2002, by a vote of seventeen to four. On June 25, 2002, WorldCom revealed that it had overstated its earnings by more than $3.8 billion during the past five quarters, primarily by improperly accounting for its operating costs. Senator Sarbanes introduced Senate Bill 2673 to the full Senate that very same day and it passed 97 to 0 less than three weeks later on July 15, 2002.

The House and the Senate formed a Conference Committee to reconcile the differences between Senator Sarbanes's bill (S. 2673) and Representative Oxley's bill (H.R. 3763). The conference committee relied heavily on Senate Bill 2673 and “most changes made by the conference committee strengthened the prescriptions of S. 2673 or added new prescriptions.” (John T. Bostelman, The Sarbanes-Oxley Deskbook § 2-31.)

The Committee approved the final conference bill on July 24, 2002 and gave it the name "the Sarbanes-Oxley Act of 2002." The next day, both houses of Congress voted on it without change, producing an overwhelming margin of victory: 423 to 3 in the House and 99 to 0 in the Senate. On July 30, 2002, President George W. Bush signed it into law, stating that it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt." (Elisabeth Bumiller: "Bush Signs Bill Aimed at Fraud in Corporations", The New York Times, July 31, 2002, page A1).

Provisions

The Sarbanes-Oxley Act's major provisions include:

- Creation of the Public Company Accounting Oversight Board (PCAOB)
- A requirement that public companies evaluate and disclose the effectiveness of their internal controls as they relate to financial reporting, and that independent auditors for such companies "attest" (i.e., agree, or qualify) to such disclosure
- Certification of financial reports by chief executive officers and chief financial officers
- Auditor independence, including outright bans on certain types of work for audit clients and pre-certification by the company's Audit Committee of all other non-audit work
- A requirement that companies listed on stock exchanges have fully independent audit committees that oversee the relationship between the company and its auditor
- Ban on most personal loans to any executive officer or director
- Accelerated reporting of trades by insiders
- Prohibition on insider trades during pension fund blackout periods
- Additional disclosure
- Enhanced criminal and civil penalties for violations of securities law
- Significantly longer maximum jail sentences and larger fines for corporate executives who knowingly and willfully misstate financial statements, although maximum sentences are largely irrelevant because judges generally follow the Federal Sentencing Guidelines in setting actual sentences
- Employee protections allowing those corporate fraud whistleblowers who file complaints with OSHA within 90 days to win reinstatement, back pay and benefits, compensatory damages, abatement orders, and reasonable attorney fees and costs.

Overview of PCAOB's requirements for auditor attestation of control disclosures

(Source: KPMG report) Auditing Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) has the following key requirements:

- The design of controls relevant to assertions related to all significant accounts and disclosures in the financial statements
- Information about how significant transactions are initiated, authorized, supported, processed, and reported
- Enough information about the flow of transactions to identify where material misstatements due to error or fraud could occur
- Controls designed to prevent or detect fraud, including who performs the controls and the regulated segregation of duties
- Controls over the period-end financial reporting process
- Controls over safeguarding of assets
- The results of management's testing and evaluation

Internal controls

Under Sarbanes-Oxley, two separate certification sections came into effect – one civil and the other criminal. See 15 U.S.C. § 7241 (Section 302) (civil provision); 18 U.S.C. § 1350 (Section 906) (criminal provision).

Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.” 15 U.S.C. § 7241(a)(4). The officers must “have evaluated the effectiveness of the company’s internal controls as of a date within 90 days prior to the report” and “have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.” Id.

Moreover, under Section 404 of the Act, management is required to produce an “internal control report” as part of each annual Exchange Act report. See 15 U.S.C. § 7262. The report must affirm “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.” 15 U.S.C. § 7262(a). The report must also “contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” Id. To do this, managers are generally adopting an internal control framework such as that described in COSO.

Under both Section 302 and Section 404, Congress directed the SEC to promulgate regulations enforcing these provisions. (See Final Rule: Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Release No. 33-8238 (June 5, 2003), available at http://www.sec.gov/rules/final/33-8238.htm.)

In addition, outside auditors for companies must, for the first time, attest to managers' internal control assessment, pursuant to SEC rules, which currently require that only large public companies comply with this part of SOX. This presents new challenges to businesses, specifically the documentation of control procedures related to information technology ("IT"). The Public Company Accounting Oversight Board (PCAOB) has issued guidelines on how auditors should provide their attestations.

Information technology and SOX 404

The PCAOB suggests considering the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework in management/auditor assessment of controls. Auditors have also looked to the IT Governance Institute's "COBIT: Control Objectives of Information and Related Technology" for more appropriate standards of measure. This framework focuses on information technology (IT) processes while keeping in mind the big picture of COSO's "control activities" and "information and communication". However, certain aspects of COBIT are outside the boundaries of Sarbanes-Oxley regulation.

IT controls, IT audit, and SOX

The financial reporting processes of most organizations are driven by IT systems. Few companies manage their data manually; most companies rely on electronic management of data, documents, and key operational processes. Therefore, it is apparent that IT plays a vital role in internal control. As PCAOB's "Auditing Standard 2" states:

"The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."

Chief information officers are responsible for the security, accuracy and reliability of the systems that manage and report the financial data. Systems such as ERP (Enterprise Resource Planning) are deeply integrated in the initiating, authorizing, processing, and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act. So, although the Act signals a fundamental change in business operations and financial reporting, and places responsibility for corporate financial reporting on the chief executive officer (CEO) and chief financial officer (CFO), the chief information officer (CIO) plays a significant role in the signoff of financial statements.

For a detailed discussion on the impact of SOX on IT audit and controls, see Information technology controls.

IT Impacts

For another description of the COSO framework, see: COSO

The SEC identifies the COSO framework by name as a methodology for achieving compliance. The COSO framework defines five areas which, when implemented, can help support the requirements set forth in the Sarbanes-Oxley legislation. These five areas and their impacts for the IT department are as follows:

Risk Assessment. Before the necessary controls are implemented, IT management must assess and understand the areas of risk affecting the completeness and validity of the financial reports. They must examine how the company's systems are being used and the current level and accuracy of existing documentation. The areas of risk drive the definition of the other four components of the COSO framework.

Control Environment. An environment in which the employees take ownership for the success of their projects will encourage them to escalate issues and concerns, and feel that their time and efforts contribute to the success of the organization. This is the foundation on which the IT organization will thrive. Employees should cross train with design, implementation, quality assurance and deployment teams to better understand the entire technology lifecycle.

Control Activities. Design, implementation and quality assurance testing teams should be independent. ERP and CRM systems that collect data, but feed into manual spreadsheets are prone to human error. The organization will need to document usage rules and create an audit trail for each system that contributes financial information. Further, written policies should define the security protocols, technical specifications, business requirements and other documentation expected for each project.

Monitoring. Auditing processes and schedules should be developed to address the high risk areas within the IT organization. IT personnel should perform frequent internal audits. In addition, personnel from outside the IT organization should perform audits on a schedule that is appropriate to the level of risk. Management should clearly understand and be held responsible for the outcome of these audits.

Information and Communication. Without timely, accurate information, it will be difficult for IT management to proactively identify and address areas of risk. They will be unable to react to issues as they occur. IT management must demonstrate to company management an understanding of what needs to be done to comply with Sarbanes-Oxley and how to get there.

Cost of implementation

Some people in the business community have acknowledged that, as John Thain, CEO of the New York Stock Exchange, states, "There is no question that, broadly speaking, Sarbanes-Oxley was necessary" [1]. However, the cost of implementing the new requirements has led to widespread questioning of how effective or necessary the specific provisions of the law truly are.

For companies, a key concern is cost of updating information systems to comply with the control and reporting requirements. Systems which provide document management, access to financial data, or long-term storage of information must now provide auditing capabilities. In most cases this requires significant changes, or even complete replacement, of existing systems which were designed without the needed level of auditing details.

Costs associated with SOX 404 compliance have proven to be significant. According to the Financial Executives International (FEI), in a survey of 217 companies with average revenue above $5 billion, the cost of compliance was an average of $4.36 million. The high cost of compliance throughout the first year can be attributed to the sharp increase in hours charged per audit engagement. This has been a boon for the auditing profession, more than offsetting the reduced revenues arising from the Act's restriction against those firms conducting various non-audit services for audit clients.

Year One Resources Spent on Section 404 Compliance (Roundtable Survey, December 2004, by Revenue)

Company Revenue                          | < $5 B | $5 B - $10 B | $10 B – $50 B | > $50 B
-----------------------------------------|--------|--------------|---------------|---------
Average Additional Audit Hours           | 6,285  | 20,756       | 11,540        | 19,000
Average Total Compliance Cost (millions) | $1.9   | $6.1         | $20.6         | $1230.3

As more companies and auditors gain experience with SOX 404, audit costs have been falling. Audit firm revenues are still higher than they were prior to the Act, although audit fees were rising prior to the Act, partly as a result of the accounting scandals that prompted the Act.

Case studies

Case studies of companies with Sarbanes-Oxley certification delays, material weaknesses, etc. caused by information technology issues:

Cray Inc. - numerous material weaknesses in internal control over financial reporting, specifically, inadequate review of third-party contracts and lack of software application controls and documentation

The future of SOX 404 compliance

In a recent article by the accounting and consulting firm Deloitte Touche Tohmatsu entitled "Under Control", the need for "sustainable compliance" is emphasized. The article suggests leveraging lessons learned to shift to a long-term strategy. The following areas are described as impediments to the process:

- "Project mindset: … many companies understandably treated section 404 compliance as a discrete project with a clearly defined ending point."
- "Overextension of internal audit: If management continues to utilize internal audit for intensive 404 and 302 compliance-related work, then a significant infusion of resources (i.e., budget and headcount) to accommodate the additional workload will be needed."
- "Poorly defined roles: Internal control-related roles and responsibilities, often poorly defined and segregated from the day-to-day routine of employees during the first year, will require greater clarity and integration going forward."
- "Improvisational approach: Another symptom of deadline pressure showed up in the jerrybuilt practices that carried many companies through the first year."
- "Underestimation of technology impacts and implications: …IT is recognized as critical for achieving the goals of the Act, and the impact and implications of technology are widely regarded as significant and pervasive. In many year-one projects, organizations focused heavily on business processes and did not consider the broader role that IT plays in managing financial information and enabling controls… IT will make a huge impact on compliance going forward. At a minimum, technology investments will be necessary to support sustainable compliance in several areas, including repository, work flow, and audit trail functionality. Technology will also be used to enable the integration of financial and internal control monitoring and reporting — a critical requirement at most large and complex enterprises."
- "Ignored risks: Effective internal control is predicated on risk… the controls themselves — exist expressly for the purpose of minimizing the risk of financial reporting errors… In year one, risk assessment was treated as an afterthought — if addressed at all."

The future of SOX 404 will depend on the ability of businesses to respond to the areas noted above by making it a part of everyday business. Deloitte has developed the "Sustained Compliance Solution Framework". Key areas of the framework are also taken from "Under Control":

- Effective and efficient processes for evaluating, testing, remediating, monitoring, and reporting on controls
- Integrated financial and internal control processes
- Technology to enable compliance
- Clearly articulated roles and responsibilities and assigned accountability
- Education and training to reinforce the "control environment"
- Adaptability and flexibility to respond to organizational and regulatory change

Deloitte and the other auditing industry firms will generate significant revenue from these elaborate exercises.

Legislative information

House: 107 H.R. 3763, H. Rept. 107-414, H. Rept. 107-610
Senate: 107 S. 2673, S. Rept. 107-205
Law: Pub. L. 107-204, 116 Stat. 745.

Trivia

Both authors of the bill, Paul Sarbanes and Michael Oxley, retired at the same time, before the 2006 mid-term elections. A number of companies that used to be publicly traded have since been privatized due to the overwhelming requirements of SOX compliance and the associated costs. Some companies have initiated very time-consuming and costly internal standards that go beyond what is actually required for SOX compliance.

Law Review commentaries

- Carl Oxholm III, "Sarbanes-Oxley in Higher Education: Bringing Corporate America’s “Best Practices” to Academia", 31 J.C. & U.L. 351 (2005)
- Luke Alverson, "Sarbanes-Oxley §§ 302 & 906: Corporate reform or legislative redundancy? A critical look at the 'new' corporate responsibility for financial reports", 33 Sec. Reg. L.J. 15 (2005)
- Peri Nielsen & Claudia Main, "Company Liability After the Act Sarbanes-Oxley", 18 No. 10 Insights 2 (Oct. 2004)
- John Paul Lucci, "Enron--The bankruptcy heard around the world and the international ricochet of Sarbanes-Oxley", 67 Alb. L. Rev. 211 (2003)
- Jonathan R. Macey, "A Pox on Both Your Houses: Enron, Sarbanes-Oxley and the Debate Concerning the Relative Efficacy of Mandatory Versus Enabling Rules", 81 Wash. U. L.Q. 329, 333 (2003)
- Christian J. Mixter, "United States v. Simon and the new certification provisions", 76 St. John's L. Rev. 699 (2002)
- Roberta Romano, "The Sarbanes-Oxley Act and the Making of Quack Corporate Governance", 114 Yale L.J. 1521 (2005)
- Lawrence A. Cunningham, "The Sarbanes-Oxley Yawn: Heavy Rhetoric, Light Reform (And It Might Just Work)", 45 Conn. L. Rev. 915 (2003)

See also

- Information technology audit
- Information technology controls
- Cray Inc.
- Richard M. Scrushy, CEO of HealthSouth, the first executive charged under Sarbanes-Oxley
- Basel accord
- Reg FD

External links

- Summary of Sarbanes-Oxley Act of 2002 (AICPA)
- The text of the law (PDF), U.S. Government Printing Office
- The full text of the act in HTML format
- Signing Statement of George W. Bush
- Study Pursuant to Section 108(d) of the Sarbanes-Oxley Act of 2002 on the Adoption by the United States Financial Reporting System of a Principles-Based Accounting System

Forum

- An interactive forum dedicated to the Sarbanes-Oxley Act

Articles

- Sarbanes-Oxley Act Will Help Record Artists - April 22, 2004, MP3 Newswire story
- Five Steps to Success for Spreadsheet Compliance. Compliance Week, July 2006.

Surveys

- Sarbanes-Oxley Section 404 Work - Looking at the Benefits - January 2005, by Larry Rittenberg & Patricia Miller

Similar legislation in other jurisdictions

Australia

- Corporate Law Economic Reform Program Act 2004, otherwise known as "CLERP 9" (corporate reporting and disclosure law): CLERP 9 page at the Australian Securities and Investments Commission

Retrieved from "http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act"

This page was last modified 05:58, 29 October 2006. All text is available under the terms of the GNU Free Documentation License.