THE SARBANES–OXLEY ACT OF 2002 (STUDY OBJECTIVE 5)

The Sarbanes–Oxley Act was signed into law on July 30, 2002, for the purpose of improving financial reporting and reinforcing the importance of corporate ethics. The legislation was enacted in an effort to curb the corruption and accounting blunders that had been recently discovered in connection with the bankruptcies of such corporate giants as Enron and WorldCom. In these cases, many Americans suffered tremendously as the values of stock prices and employee retirement plans plunged. It became apparent that change was needed to improve investor faith in America's financial reporting systems.

The Sarbanes–Oxley Act (“the Act”) applies to public companies and the auditors of public companies. In order to carry out the provisions of the Act, the Public Company Accounting Oversight Board (PCAOB) was established. The PCAOB comprises five members who are appointed by the SEC. The PCAOB governs the work of auditors of public companies by providing standards related to quality controls. The PCAOB has investigative and disciplinary authority over the performance of public accounting firms.

The Act includes 11 “titles,” or categories of provisions. Each title includes several sections. Exhibit 5-2 summarizes the titles and certain key sections within each title. The sections identified in the exhibit are discussed in detail in this chapter because of their relevance to corporate governance and other topics within this text.

Exhibit 5-2 Summary of the Key Provisions of the Sarbanes–Oxley Act of 2002

Certain sections of the Act pertain to audit services. Audit services, including IT auditing, are addressed in Chapter 7. Titles II and III address the following auditing topics, among others:

Section 201–Services outside the scope of practice of auditors. Auditors of public companies are now prohibited from providing nonaudit services to their audit clients. Nonaudit services include the following:

  • Bookkeeping or preparation of accounting records and financial statements
  • Designing or implementation of accounting information systems
  • Appraisal or other valuation services
  • Actuarial services
  • Internal audit outsourcing services
  • Management advisory services or human resource management
  • Investment advisory, investment banking, or brokerage services
  • Legal advisory services

In the past, it was customary for auditors to perform many of these nonaudit services. In fact, a company could realize efficiencies by having its auditors involved in these areas, since the auditors were already familiar with these areas of the business. However, each of these services is now prohibited because of its potential to impair the auditor's objectivity. These types of services are deemed to put the auditor in the role of management or an employee or advisor of the client company. The Act recognizes that auditors who perform these types of services for their audit clients are likely to be placed in a situation of auditing their own work. An auditor who performs nonaudit services would therefore be faced with a conflict of interest; the auditor cannot be completely impartial while auditing financial information that he or she prepared. Likewise, if the auditor advises a client on financial matters, the auditor could not be neutral with respect to those matters with which he or she is already familiar.

It is particularly noteworthy that an auditor's involvement with the design and implementation of a client's accounting information systems can cause problems. Since auditors must be thoroughly familiar with a client's financial systems, they are often in a perfect position to advise clients regarding system improvements. However, if the auditor's involvement expands into areas of systems development, then the auditor is considered to have impaired independence. It is presumed that it would be difficult for that auditor to remain objective when auditing information that was processed by the system that he or she developed.

For other nonaudit services not included in this list, an auditor must obtain advance approval from the client's audit committee. For instance, auditors may perform income tax services for their audit clients as long as such services are preapproved by the board of directors.

Other sections of the Act address additional requirements for auditors to improve their impartiality with respect to their audit clients. One of the most significant changes affecting auditors includes a provision within Section 203 for the lead partner on a public company audit to rotate off the engagement after five years. This allows for a new partner to take over periodically and provide a fresh perspective on the overall audit. Section 206 introduces another requirement applicable to auditors who are hired away from the audit firm in order to take a job with the client. Such an auditor must take a “cooling off” period of one year if the new job is in a key accounting role. This is to allow for the separation of roles of accountant and auditor.

Section 301–Public company audit committees. Public companies must have an audit committee as a subcommittee of the board of directors. Although many companies had audit committees even before the Act was enacted, the audit committee now has more responsibility. The audit committee is responsible for hiring, firing, and overseeing the external auditors and serving as the liaison between both internal and external auditors and management on any points of disagreement. Hence, the auditors report directly to the audit committee on all matters related to the audit.

The members of the audit committee must be independent, meaning that they cannot be affiliated with the company, its employees, or its subsidiaries (other than through their service on the audit committee). In order to remain independent, members of the audit committee may not accept fees from the company beyond their compensation for being a director or committee member.

Certain sections of the Act that relate to enhanced financial disclosures are particularly important in the study of accounting information systems. Since accountants are responsible for the collection and presentation of financial information included in the reports, it is imperative that the underlying systems receive adequate attention. Financial statements can be only as good as the underlying systems that are used in their preparation. The following sections are not necessarily presented in the order that they appear in Exhibit 5-2; however, they appear along with other relevant sections of the Act.

Section 302–Corporate responsibility for financial reports. The CEO, CFO, and other responsible officers of the company must submit a certified statement accompanying each annual and quarterly report. The purpose of the certification is for the officers to acknowledge responsibility for the contents of the financial reports and for the underlying system of internal controls. This section requires that the top managers actually sign this statement. Their signatures indicate their acceptance of the responsibilities outlined in the following six points of acknowledgment that must be included in the certification:

  1. The signing officers have reviewed the report in detail.
  2. Based on the officer's knowledge, the report does not misstate any facts.
  3. Based on the officer's knowledge, the financial statements and related disclosures are fairly presented.
  4. The signing officers are responsible for the establishment, maintenance, and effectiveness of internal controls.
  5. The signing officers have disclosed to the auditors and audit committee any instances of fraud or internal control deficiencies.
  6. The signing officers indicate whether or not any significant changes in internal controls have occurred since the date of their most recent evaluation.

Notice that the fourth item on this list makes top management responsible for the internal control system. The types of internal controls discussed in Chapters 3 and 4 must be established and maintained. The Act requires that the certifications be prepared to accompany financial statements every time they are filed with the SEC. Accordingly, the certifications must be updated on a quarterly basis. It is expected that the certifications may be modified from period to period to reflect changes in internal controls as new systems are implemented and prior weaknesses and deficiencies are corrected.

Section 906–Failure of corporate officers to certify financial reports. If an officer of a public company does not comply with the requirements of Section 302 or if the officer certifies financial statements that are known to be misleading, stiff penalties may apply. Fines and/or prison terms may be imposed up to $5,000,000 and 20 years, respectively.

Section 401–Disclosures in periodic reports. The Act introduced requirements for information to be disclosed regarding off-balance-sheet transactions, including obligations or arrangements that may impact the financial position of the company. This requirement is intended to prevent repeated incidents like the problems encountered at Enron, where special-purpose entities were used to conceal debt.

Section 404–Management assessment of internal controls. An internal control report is required to accompany each financial statement filing. The internal control report must establish management's responsibility for the company's internal controls and related financial reporting systems. It must also include an assessment of the effectiveness of the company's internal controls and related financial reporting systems. If there are any weaknesses in internal controls, they must be disclosed in this report.

The SEC defines internal controls over financial reporting as a process that is the responsibility of the company CEO and CFO, to provide reasonable assurance that the financial reporting systems are reliable. A reliable system of internal controls must include policies and procedures to provide reasonable assurance that

  • detailed records accurately reflect the underlying transactions
  • transactions are recorded in accordance with generally accepted accounting principles
  • transactions are being carried out only in accordance with management's authorization
  • unauthorized transactions are being prevented or detected

Management's internal control evaluation must be based on a recognized framework. The framework that is used by most U.S. companies is COSO's Internal Control–Integrated Framework. Again, notice that these provisions of the Sarbanes–Oxley Act require establishment of the internal controls described in Chapters 3 and 4.

In addition to management's increased responsibility regarding internal controls, there are also legal requirements for the auditors of public companies regarding the internal control structure of their clients. As part of their audit procedures, auditors must attest to the internal control effectiveness. This means that an auditor's report on the overall fairness of financial statements must include a statement regarding the effectiveness of the company's controls over financial reporting.

Section 406–Code of ethics for senior financial officers. The Act requires all public companies to have in place a code of ethics covering its CFO and other key accounting officers. The code must include principles that advocate honesty and moral conduct, fairness in financial reporting, and compliance with applicable governmental rules and regulations.

Section 409–Real-time disclosures. The Act requires that certain issues must be reported immediately if they involve information necessary to protect investors. This requirement allows for better and more timely information to be provided to the public regarding important corporate events such as bankruptcy, new contracts, acquisitions and disposals, and changes in control. Such events must be reported within four business days of their occurrence.

Titles VIII and XI of the Act address the issues of corporate fraud and accountability, discussed next.

Section 802–Criminal penalties for altering documents. It is a felony to knowingly alter, destroy, falsify, or conceal any records or documents with the intent to influence an investigation. The provisions of this section apply to both the company and its auditors, so it affects company records as well as the auditor's working papers.

Since the provisions of Section 802 prohibit document destruction, it follows that documents must be maintained for a relevant length of time. Specifically, auditors are required to retain working papers for five years. Similarly, many companies are making sure that they maintain supporting financial records for a given period. Document retention and storage are also discussed in Chapters 2 and 13.

Section 1102–Tampering with a record or otherwise impeding an official proceeding. If a person or firm is found to be in violation of Section 802, stiff penalties may apply. Violations are punishable by both monetary fines and lengthy (10- to 20-year) prison sentences.

Section 806–Protection for employees of publicly traded companies who provide evidence of fraud. This section is often referred to as the “whistleblower protection” provision of the Act. A whistleblower is someone who reports instances of wrongdoing or assists in a fraud investigation. To protect a whistleblower from retaliation by the fraudulent company or its employees, the Act prohibits any form of ridicule or harassment, demotion, discrimination, or termination of employment against a person who has provided such information in a lawful manner.

As can be inferred from the descriptions of the various sections, the Sarbanes–Oxley Act has had a tremendous impact on the regulatory environment of public companies. It has reformed corporate governance and financial reporting. Many corporate customs that were previously thought of as “best practices” or supplemental controls are now required by law. The next section provides additional information about the corporate changes that have come about as a result of the Act.
