Beyond Sarbanes-Oxley Compliance: Effective Enterprise Risk Managementby Anne M. Marchetti
Now that most accelerated filers have undergone the greatest initial challenge of the Sarbanes-Oxley ActSection 404 compliancewhat's next? What do you need to know to ensure ongoing monitoring and maintenance of strong systems of internal controls? How can you leverage the knowledge gained through regulatory compliance activities to positively impact… See more details below
Now that most accelerated filers have undergone the greatest initial challenge of the Sarbanes-Oxley ActSection 404 compliancewhat's next? What do you need to know to ensure ongoing monitoring and maintenance of strong systems of internal controls? How can you leverage the knowledge gained through regulatory compliance activities to positively impact the bottom line? What steps do you need to take to assume a proactive, forward-looking role of identifying and mitigating threats beyond basic regulatory compliance?
Written by Anne Marchetti, a practice leader for Sarbanes-Oxley, Beyond Sarbanes-Oxley Compliance guides accounting and finance managers through both the necessary requirements and value-added activities in enterprise risk management in the post-Sarbanes environment. This practical book includes a host of invaluable tools, including ongoing compliance checklists, key internal and external timelines, quarterly close checklists that incorporate SOX 302/404/409 compliance and financial reporting activities, and tables that summarize technology options and alternative approaches. Broken down into three accessible sectionsInitial Compliance, Ongoing Maintenance and Monitoring, and Beyond Compliancecoverage includes:
- An overview of the Act provisions for Sections 302, 404, and 409 and suggested action steps necessary to comply with the requirements
- A section that defines and contrasts the terms reportable conditions, material weaknesses, and significant deficiencies and provides practical examples of each
- The responsibilities of the financial manager, after initial compliance with the Act, including quarterly compliance processes, interfacing with both internal audit and registered public auditors, control testing, software considerations, and SAS 70 letters that provide the financial manager with practical applications
- The opportunity to move Sarbanes-Oxley compliance from a routine checklist, and one-time internal controls improvement process, to a defining cultural-change initiative
- How the financial services industry may be affected by the ever-expanding, local and global regulatory, compliance, and reporting requirements
- The implications for future European Unionlisted companies with International Financial Reporting Standards (IFRS) in 2005 and the differences that exist between IFRS and U.S. GAAP
Essential reading for controllers, finance managers, CFOs, compliance officers, and project managers in charge of Sarbanes-Oxley compliance, Beyond Sarbanes-Oxley Compliance is written for any financial manager who has a firm grasp on the present and a keen eye on the future.
Read an Excerpt
Beyond Sarbanes-Oxley Compliance
By Anne M. Marchetti
John Wiley & SonsISBN: 0-471-72626-5
SARBANES-OXLEY ACT OVERVIEW
Enron, Arthur Andersen, WorldCom, Tyco, Adelphia. These companies have become household names mostly because of their past display of corporate greed, fraud, and accounting improprieties. The offenses of these few organizations are not representative of the majority of more than 15,000 public companies in the United States, yet the results of their abuses are far reaching. When the details of corruption emerged, and stock prices and retirement savings plummeted, the American public became outraged and demanded reform. On July 30, the U.S. Congress answered this public outcry for change and enacted the Sarbanes-Oxley Act of 2002 (the "Act").
The Act was signed into law to improve the accuracy and transparency of financial reports and corporate disclosures, as well as to reinforce the importance of corporate ethical standards. As a result, the Securities and Exchange Commission (SEC) issued rules outlining the provisions of the Act. In addition, the New York Stock Exchange (NYSE), the American Stock Exchange (Amex) and the over-the-counter Nasdaq Stock Market (Nasdaq), have all significantly modified the standards for listing stocks on their exchanges. Many view the Act's provisions for internal controls over financial reporting (Section 404) and executive certifications (Section 302) as painful and costly to implement with little derived benefit. Others see the mandated changes as an opportunity to implement best business practices, drive greater performance, and boost investor confidence.
OVERVIEW OF THE ACT
The Act is the most significant legislation impacting the accounting profession since the Securities Acts of 1933 and 1934, which it amends. It addresses a wide range of matters relevant to publicly held issuers and their auditors, including auditor oversight and independence, corporate responsibility for financial reports, and enhanced financial disclosures. The Act is composed of 11 Titles as outlined below.
Title 1. Public Company Accounting Oversight Board (PCAOB or "Board")
The Act establishes the board as a private, nonprofit company funded by annual accounting support fees assessed to issuers (as defined in Section 3 of the Securities Exchange Act of 1934 (15 U.S.C.78c)). The board's duties include the mandatory registering of public accounting firms that prepare audit reports; establishing auditing, quality control, ethics, and independence standards relating to the preparation of audit reports; conducting inspections of registered public accounting firms; and enforcing compliance with the Act.
Title 2. Auditor Independence
Title 2 prohibits registered public accountants conducting an issuers financial statement audit from performing nonauditing services such as bookkeeping, the design and implementation of financial information systems, appraisals, valuations, fairness opinions, internal audit outsourcing, and management functions. All audit and nonaudit services require preapproval by the audit committee of the issuer. Additionally, there are provisions for audit partner rotation, specific reporting requirements by registered public accounting firms to the issuers' audit committee, and an absolute prohibition of an audit firm providing audit services to clients for one year if the client has hired certain employees of the registered public accounting firm in key financial positions.
Title 3. Corporate Responsibility
This provision of the Act mandates the SEC to direct the national securities exchanges and national securities associations to prohibit the listing of any security of an issuer that is not in compliance with the following Act requirements:
Existence of audit committee oversight of registered public accounting firm Board of directors/audit committee independence Procedures for receiving complaints concerning accounting or auditing matters and anonymous employee concerns relating to questionable accounting or auditing matters established by the audit committee Audit committee authority to engage independent counsel and other advisors Provision of appropriate funding, as determined by the audit committee, for payment to the registered public accounting firm and to advisors hired by the audit committee
Title 3 also requires chief executive officer (CEO) and chief financial officer (CFO) certifications of financial statements, outlines penalties for corporate officers and directors for material noncompliance, and prohibits insider trading during pension fund blackout periods.
Title 4. Enhanced Financial Disclosures
Title 4 outlines requirements to help assure the accuracy of financial statements and supporting financial disclosures. It requires reporting of material unconsolidated and off-balance sheet transactions as well as mandates that pro forma financial information is factual and complete, and reconciles with the financial condition and results of operations of the issuer. Personal loans to executives are prohibited; issuers are required to disclose whether or not they have a code of ethics for senior financial officers, and mandates that the audit committee include at least one financial expert as defined by the Act. This provision also outlines requirements regarding management's assessment of internal controls and the real-time disclosure of material changes to financial conditions or operations.
Title 5. Analyst Conflicts of Interest
This section of the Act requires the SEC, or national securities exchanges and national securities associations, to implement rules to improve "public confidence in securities research, and to protect the objectivity and independence of securities analysts...."
Title 6. Commission Resources and Authority
Pursuant to Title 6, $98 million in funding is authorized to the SEC to hire an additional 200 professionals to provide enhanced oversight of auditors and audit services required by Federal securities laws.
Title 7. Studies and Reports
Title 7 authorizes the General Accounting Office (GAO) and the SEC to perform studies and issue reports investigating the consolidation of public accounting firms; the role of credit rating agencies in the securities market; the number of professionals found to have aided and abetted a violation of securities laws from the period January 1, 1998, to December 31, 2001; the enforcement actions taken by the Commission involving violations of reporting requirements; and whether investment banks and financial advisers assisted public companies in obfuscating their true financial condition.
Title 8. Corporate and Criminal Fraud Accountability
This provision of the Act, which is also referred to as the Corporate and Criminal Accountability Act of 2002, details the penalties for the destruction of corporate audit records and the willful destruction, alteration, or falsification of records in Federal investigations and bankruptcy proceedings. This section also establishes a five-year record retention period for audit or review workpapers and provides protection for whistleblowers.
Title 9. White-Collar Crime Penalty Enhancements
The Act in Title 9, which is also referred to as the White-Collar Crime Penalty Enhancement Act of 2002, modifies the Federal Sentencing Guidelines to increase the penalties for white-collar crimes. More importantly for issuers, it establishes a requirement for the CEO/CFO certification of periodic financial statements and specifies the penalties for the failure to certify and the willful certification of knowingly false financial reports. Penalties range from $1 million to $5 million and may include imprisonment for up to 20 years depending on the violation.
Title 10. Corporate Tax Returns
Title 10 simply states that "[I]t is the sense of the Senate that the Federal income tax return of a corporation should be signed by the CEO of such corporation."
Title 11. Corporate Fraud Accountability
The Corporate Fraud Accountability Act of 2002, or Title 11, provides for additional fines and penalties for individuals who fraudulently alter or destroy documents or impede an official proceeding.
The requirements of the Act are intricate and complex and affect the entire organization regardless of the operational infrastructure. Exhibit 1.1 displays how the significant provisions of the Act influence specific aspects and individuals of a public company, including the relationship of the registered public auditor.
The provisions of the Act that address independence, officer codes of conduct, auditor oversight and hiring, audit approval, and prohibited services apply directly to the audit committee. Other provisions that deal with the forfeiture of incentive pay, the prohibition of personal loans, and whistleblower protection policies may be the responsibility of the human resources department, while provisions regarding interpretations as a matter of law, codes of ethics, and record retention policies are normally the responsibility of the general counsel. Although public company compliance with all aspects of the Act is required, this book focuses only on those aspects of compliance that directly impact financial managers: Sections 302, 404, and 409. Discussion of these sections is divided into three main parts: initial compliance, ongoing maintenance and monitoring, and beyond compliance.
Initial compliance provides an overview of the Act provisions for Sections 302, 404, and 409 and details suggested action steps necessary to comply with the requirements. This part also defines and contrasts the terms reportable conditions, material weaknesses, and significant deficiencies and provides practical examples of each.
Ongoing maintenance and monitoring details the responsibilities of the financial manager after initial compliance with the Act. Major subjects such as quarterly compliance processes, interfacing with both internal audit and registered public auditors, control testing, software considerations, and SAS 70 Letters are discussed in order to provide the financial manager with practical applications.
Beyond compliance addresses the opportunity to move Sarbanes-Oxley compliance from a routine checklist and one-time internal controls improvement process to a defining cultural change initiative. This Part addresses how the financial services industry may be affected by the ever-expanding local and global regulatory, compliance, and reporting requirements. The section concludes with a discussion on the implications for future European Union-listed companies with International Financial Reporting Standards (IFRS) and the differences that exist between IFRS and U.S. generally accepted accounting principles (GAAP).
INTERNAL CONTROLS ENVIRONMENT
Most companies would profess to have a strong emphasis on internal controls to ensure the reliability of financial reporting, yet in the absence of specific guidelines, determining the necessary level of control has primarily been a subjective decision. Early on, the impetus for effective internal controls was driven by the Securities Exchange Act of 1934, a law designed to restore investor confidence after the stock market crash of 1929, by providing more structure and government oversight. Issuers were later required to maintain adequate systems of internal controls after the Securities Exchange Act was amended in 1977. However, the term adequate was not clearly defined. In response to this requirement, most companies developed their own approach to compliance through the cooperative efforts of management, internal audit, and external auditors.
In the early 1990s, companies began adopting the Internal Controls-Integrated Framework of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission's study of internal controls. The COSO internal controls approach (Exhibit 1.2) is a framework designed to establish an internal control system for an entire company not limited to financial or financial reporting controls. This framework balances control objectives with the required control components necessary to maintain effective internal control within a company, process, or function. The three COSO control objectives are as follows: accurate and reliable financial reporting, effective and efficient operations, and compliance with laws and regulations. The COSO framework breaks effective internal control into five interrelated components:
1. Control environment 2. Risk assessment 3. Control activities 4. Information and communication 5. Monitoring
The Act has placed significant responsibility on issuers for designing, implementing, and maintaining effective systems of internal controls to assure adequate financial reporting to the SEC and investors. Paragraph 13 of PCAOB Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, sets forth the standards for registered public auditor attestation of issuers' internal controls as required in Section 404(b) of the Act. Standard No. 2 requires issuers to "base its assessment of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due-process procedures, including the broad distribution of the framework for public comment." Paragraph 13 concludes by mandating that an internal control assessment framework is suitable only when it:
Is free from bias Permits reasonably consistent qualitative and quantitative measurements of a company's internal control over financial reporting Is sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company's internal control over financial reporting are not omitted Is relevant to an evaluation of internal control over financial reporting
Additionally, Paragraph 13 states that the COSO integrated framework to internal controls "provides a suitable and available framework for purposes of management assessment" and "[f]or that reason, the performance and reporting directions in this standard are based on the COSO framework" even though other suitable standards may exist or may be developed in the future. The internal control delivery framework presented in Chapter 3 is based on the COSO Internal Control-Integrated Framework.
In addition to SEC- and COSO-driven internal control initiatives, many companies in specific industries such as pharmaceuticals and defense have historically placed a greater emphasis on internal controls because of specific regulatory requirements or other industry-specific environmental factors. These issuers may be in a better position than most issuers to more rapidly implement the requirements of the Act. They have already lived through a crisis similar to the one that prompted the Sarbanes-Oxley Act of 2002.
In the early and mid-1980s, the defense industry reeked of fraud, overcharges, and the perception of impropriety. In response to adverse headlines publicizing corruption, multiple congressional hearings, and the release of the Congressional report, A Quest for Excellence, the CEOs of 32 defense contractors met and established the Defense Industry Initiative on Business Ethics and Conduct (DII). The DII established six principles for doing business.
These principles, which establish a code of conduct or ethics, encourage internal reporting of violations of the code with the promise of no retaliation for such reporting. The principles also require the establishment of internal controls, a process for monitoring such controls, and a procedure for reporting violations. Defense contractors aggressively implement internal controls in part to protect themselves from the significant fines and penalties established for violating government contracting rules as well as fraud statutes and the Anti-Kickback Act of 1986. Most defense contractors incorporated the COSO framework into their internal control structures and as a result may have a good basis from which to implement the additional provisions of the Act.
Excerpted from Beyond Sarbanes-Oxley Compliance by Anne M. Marchetti Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
and post it to your social network
Most Helpful Customer Reviews
See all customer reviews >