The Sarbanes-Oxley Act of 2002

Overview and Impact of Sarbanes

Overview of the Sarbanes-Oxley Act of 2002
• The Sarbanes-Oxley Act and the related SEC rule-making provide clarity and certainty on a number of highly debated issues by:
  – Establishing an independent, full-time oversight board (the Public Company Accounting Oversight Board) for capital-market participants; the SEC has oversight of the board
  – Establishing new responsibilities for audit committees and corporate officers
  – Defining “nonaudit” services that public accounting firms can provide to audit clients
    • Specifically prohibiting eight services to audit clients (most already eliminated in past years), including internal audit outsourcing and financial information systems design and implementation; the eight services are discussed in more detail later in this presentation
    • Permitting all other services, subject to audit committee pre-approval (the Public Company Accounting Oversight Board may establish other prohibited nonaudit services)
  – Strengthening penalties for corporate fraud
  – Requiring rules to address analyst conflict of interest
  – Significantly increasing the responsibilities and budget of the SEC

Potential Benefits of the Proposed Standard
• Strengthens confidence in the reliability of the financial statements and the quality of reporting, because it should reduce the risk of material misstatement
• Provides an opportunity to review the company’s processes and enhance efficiency throughout all significant financial and operating processes
• Enables the company to put the most effective controls in place
• Provides a method of setting the “tone at the top”— emphasizing the importance of a strong internal control structure
• Provides management with a platform to hold individuals accountable for noncompliance
• Provides accountability to management for resolving significant deficiencies and material weaknesses

Key Requirements
Sections of the Act, with Key Requirement and Implication:
• 302: CEO and CFO Certification of Periodic SEC Filings
  – Implication: Accuracy issues resulting in criminal prosecution of company officers must be identified and removed
• 404: CEO & CFO Certification of Internal Controls With Auditor Attestation
  – Implication: Requires ongoing documentation, evaluation, testing, and remediation of financial reporting controls
• 409: Rapid and Current Basis Disclosure of Financial and Operating Events
  – Implication: Monitoring, prevention, and real-time disclosure of material changes must be systematic and ongoing
• 802: Retention and Protection of Audit Documents and Related Records
  – Implication: Digital vaulting and ready access to historical records, including correspondence and emails, must be implemented

Other Mandatory Requirements
• 103: Audit Record Retention and Security
• 201: Monitoring and Pre-Approval of Non-Audit Services
• 301: Audit Committee Monitoring and Complaint/Issue Process
• 306: Monitoring and Prevention of Insider Trading
• 401: Financial Reporting Disclosure
• 402: Monitoring and Prevention of Personal Loans to Executives
• 403: >10% Ownership Disclosures Within Two Business Days
• 406: Code of Ethics Creation and Disclosure
• 407: Disclosure of Financial Expertise on the Audit Committee
• 408: Facilitation of SEC Reviews
• 501: Security Analyst Monitoring and Disclosure
• 806: Whistle Blower Communications and Response
• 906: Financial Reporting Certification
• 1102: Record Retention and Security

Section 404 Requirements
• The most time intensive section of the Sarbanes-Oxley legislation is expected to be Section 404. This Section requires management to assert to the design and operating effectiveness of the Company’s internal control as of its fiscal year end and to provide for an attestation by the independent auditor to such effectiveness.
• This section will require management to document the design of internal controls, as well as their process for evaluating the effectiveness of the internal controls over financial reporting.

Current PCAOB Guidance (as updated March 9, 2004)
• Implementation deadline extended
  – Years ending after November 15, 2004 for accelerated filers
  – Years ending after July 15, 2005 for others
    • Foreign filers and/or Companies with Market Cap ≤ $75 million held by non-affiliates
• Remaining points to be clarified:
  – Reliance on Service Auditors (SAS 70)
  – Final Approval and Issuance by the SEC

Management’s Responsibility for 404 Compliance
• The Company should be prepared to perform the following in preparation for the 404 attestation:
  – Management must accept responsibility for the effectiveness of the internal control environment
  – The organization must evaluate the effectiveness of internal controls utilizing suitable criteria (such as COSO)
  – Sufficient evidence must be gathered that supports management’s assertion
  – Management must document internal controls and their assessment of effectiveness, and the monitoring and testing performed to ensure that controls are operating effectively
  – Management must provide a written assertion on the effectiveness of internal control over financial reporting
• The external auditor will be responsible for performing the financial statement audit and the internal control audit:
  – The external auditor will examine and express an opinion of management’s written assertions of the Company’s internal control structure, including:
    • The design of internal controls
    • The operation of internal controls
    • The process management used for evaluating internal controls
  – The external auditor will examine and express an opinion of the financial statements

Management’s Report (Assertion)
A Company’s Annual Report must include:
• A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
• A statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company's internal control over financial reporting;
• Management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including a statement as to whether or not the company's internal control over financial reporting is effective. The assessment must include disclosure of any "material weaknesses" in the company's internal control over financial reporting identified by management; and
• A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the registrant's internal control over financial reporting.

Select a Suitable Internal Control Framework
The process to determine whether internal control is adequately designed, executed, effective and adaptive
The process which ensures that relevant information is identified and communicated in a timely manner
• Management Analysis
• Messages from Senior Management
• Disclosure Committee
• Policies and Procedures
• Internal Audits
• Training
• Code of Ethics
The policies and procedures that help ensure that actions are identified to manage risk are executed and timely
• Delegation of Authority
• Approvals
• Common Processes and Systems
• Segregation of Duties
• Account Reconciliations
• Information Technology Controls
The evaluation of internal and external factors that impact an organization’s performance
• Business Risk Management
• Process Risk Management
• Internal Audit Risk Assessment
The control conscience of an organization. The “tone at the top”
• Code of Ethics
• Documented Policies and Procedures
• Cultural Assessment
© 1992 by the American Institute of Certified Public Accountants, Inc. Reprinted with permission.

Deficiencies – Specific Guidance
“At least” Significant Deficiencies
• Selection and application of accounting policies
• Antifraud programs and controls
• Non-routine and nonsystematic
• Period end financial reporting process, including journal entries
“Strong Indicator” of Material Weakness
• Restatement of previously issued financials
• Material audit adjustments
• Ineffective audit committee
• Ineffective control environment
• Ineffective internal audit or risk assessment function
• Ineffective regulatory compliance function
• Fraud of any magnitude by senior management
• Failure to timely correct significant deficiencies
Absence of misstatements detected does not provide evidence that controls are effective

Project Plan

Establishing a Compliance Program and Infrastructure
Example Project Organization
[Organization chart: Board/Audit Committee; Disclosure Committee; CEO; Steering Committee; CFO; External Auditor; Project Manager; Internal Control Implementation Team]

Sample Project Timeline
[Timeline chart: Estimated Timeline, April 2004 through January 2005. Activities shown: Scope & Plan; Client Documentation, Testing and Remediation; External Audit Retesting; Year-End Controls]

Current Developments

Lessons Learned from Early Implementers
• Companies should understand outsourced business relationships as soon as possible. You have to understand the controls over these activities as well as activities conducted wholly within the organization. Our experience suggests that many service providers are not ready to provide the information and assistance you need.
• Companies are encouraged to build a sustainable process that becomes embedded in ‘the way you do business’. Remember, compliance is not a one-off event.
• Everything takes longer to complete than anticipated. Keep the “pedal to the metal” in the project!
• COSO contains five areas that need to be addressed for compliance. Do not focus on one to the detriment of the others. They all require time to address.
• Reporting the results of the assessments performed at diverse locations requires preplanning and consideration early

Lessons Learned from Early Implementers, continued
• Companies should consider how they can use this project as an opportunity to challenge current business practices and processes. The result can be reduced complexity, standardization, stronger and more effective controls, and – ultimately – a stronger and more manageable enterprise.
• Ensure that anti-fraud programs and controls are addressed sufficiently. In essence, this is why Sarbanes-Oxley was enacted in the first place.
• Understanding the nature of controls and how to test them appropriately can be a confusing and daunting task for individuals that have never had to face this before. Even those you think know how to identify, document and test controls – such as internal audit – often need much assistance. Companies should train their team early, often and well!