
© 2008 Morrison & Foerster LLP All Rights Reserved

Sarbanes-Oxley 101: More than Just Checking the Boxes!

August 5, 2008

Presented by:

Andrew Thorpe, Morrison & Foerster LLP

David Lynn, The Corporate Counsel

Ricky White, Grant Thornton LLP


Agenda

Introduction

Background on Sarbanes-Oxley

Disclosures and Internal Controls

• Enhanced Disclosures

• CEO and CFO Certification Requirements

• Disclosure Controls and Procedures

• Internal Control Over Financial Reporting

Corporate Governance

• Audit Committees

• Forfeiture of Bonus and Profits

• Public Company Accounting Oversight Board

• Auditor Independence

• Enforcement


Background on Sarbanes-Oxley


Background of Sarbanes-Oxley Act of 2002

• Enacted on July 30, 2002

• Most significant and comprehensive reform of U.S. securities laws in over 60 years

• Drafted and adopted very quickly in July 2002 in response to widespread public concern in the U.S. following the Enron, WorldCom, Adelphia and other corporate scandals

• Provides for broad corporate and accounting reform for U.S.-listed companies, including foreign private issuers, and auditors


Background of Sarbanes-Oxley Act of 2002

• Primary purpose is to re-establish investor confidence in the integrity of corporate disclosures and financial reporting.

• Mandated 15 separate rulemaking projects by the SEC.

• Called for several studies on aspects of the financial markets and financial reporting.

• Changes to federal code to provide enforcement tools.


Themes of the Sarbanes-Oxley Act

• To strengthen and restore confidence in the accounting profession.

• To strengthen enforcement of the federal securities laws.

• To improve the “tone at the top” and executive responsibility.

• To improve disclosure and financial reporting.

• To improve the performance of “gatekeepers.”


Deep Thoughts…

“Good corporate governance is not primarily about complying with rules. It is about inculcating in a company, and all of its directors, officers and employees, a mindset to do the right thing. As I have said before, the focus on doing the right thing should become part of the DNA of a company and everyone in the company from top to bottom. For companies that take this approach, most of the major concerns about compliance disappear.”

-- William H. Donaldson, Chairman of the SEC, September 9, 2003


Sarbanes-Oxley Act of 2002 Big Ticket Items

• Enhanced Disclosures

• CEO/CFO Certification

• Disclosure Controls and Procedures

• Internal Controls

• Enhanced Role of Board Audit Committee

• Regulation of the Accounting Industry

• Mandated Auditor Independence

• Attorney Conduct Rules


Disclosures and Internal Controls


Sarbanes-Oxley Act - Enhanced Disclosures

• Officer certifications in SEC filings

• Accelerated timing for Section 16 reports

• Internal control report in annual reports (attested by auditors)

• Disclosure of “audit committee financial expert”

• Code of ethics for senior financial officers (and disclosure of any waivers or changes)

• SEC review for each issuer at least every three years

• Accelerated filings of ’34 Act reports


Sarbanes-Oxley Act - Enhanced Disclosures (Cont’d)

• Disclosure in SEC reports of all material correcting adjustments identified by outside auditors

• Disclosure of material off-balance sheet transactions

• Restrictions on use of non-GAAP financial measures

  • Reg G; S-K Item 10(h)

• Requirement to “furnish” earnings press releases and other public announcements containing material non-public information for a completed fiscal period in a Form 8-K


CEO and CFO Certification Requirements

CEO and CFO “302” certifications

• Certifying officer has reviewed the report

• Based on his knowledge:

  • report contains no material misstatements or omissions

  • the financial statements and other financial information in the report “fairly present in all material respects” the company’s financial condition, results of operations and cash flows as of, and for, the period covered by the report

• Certifying officers are responsible for establishing and maintaining disclosure controls and procedures and internal control over financial reporting


CEO and CFO Certification Requirements

• Certifying officers have designed the disclosure controls and procedures to ensure that material information of the company (including consolidated subsidiaries) is made known to them, particularly during the period in which the periodic report is being prepared

• Certifying officers have designed the internal control over financial reporting to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP

• Certifying officers evaluated the effectiveness of the controls and procedures and presented in the report their conclusions about the effectiveness of the controls and procedures as of the end of the period covered by the report


CEO and CFO Certification Requirements (Cont'd)

• Certifying officers have disclosed, based on their most recent evaluation of internal control over financial reporting, to the company’s auditors and audit committee:

  • All significant deficiencies and material weaknesses in the company’s internal control over financial reporting that are reasonably likely to adversely affect the company’s ability to record and report financial information

  • Any fraud (whether or not material) that involves management or employees with a significant role in internal controls

• Certifying officers have disclosed any change in the internal control over financial reporting that has occurred during the most recent fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company’s internal control over financial reporting


CEO and CFO Certification Requirements (Cont'd)

• Report “fully complies” with the periodic reporting requirements of the Exchange Act

• Information contained in the report “fairly presents, in all material respects,” the financial condition and results of operations of the company at the dates and for the periods indicated

• Criminal liability for officers who knowingly or willfully make false certifications

• CEO and CFO should each certify separately


Disclosure Controls and Procedures

• What are disclosure controls and procedures?

  • SEC does not require any specific controls or procedures -- each company’s program must be tailored to the company’s specific circumstances

  • Company’s controls and other procedures that are designed to ensure that information required to be disclosed in the company’s Exchange Act reports is recorded, processed, summarized and reported within applicable disclosure deadlines

  • Broadly cover company’s compliance with disclosure requirements -- distinguish from “internal controls,” which specifically relate to financial statements and accounting matters

  • Procedures should identify information that is relevant for assessing the need to disclose material developments and risks relating to the company’s business, and information whose omission would make the public report misleading


Disclosure Controls and Procedures (Cont'd)

• Why are effective disclosure controls and procedures important under Sarbanes-Oxley?

  • Help provide foundation for 302 and 906 certifications by CEO and CFO

  • 302 certifications must include specific statements about disclosure controls and procedures

    • CEO and CFO have designed effective controls and procedures

    • CEO and CFO have evaluated controls and procedures as of the end of the period covered by the report

    • Report contains CEO/CFO’s conclusions about the effectiveness of the controls and procedures


Section 404: Internal Control Over Financial Reporting

• In addition to disclosure controls and procedures, an issuer is required to establish and maintain internal control over financial reporting

• What is “internal control over financial reporting”?

  • A process designed by, or under the supervision of, the issuer’s principal executive and financial officers to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP, and includes those policies and procedures that:

    • Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the issuer’s assets

    • Provide reasonable assurance that transactions are recorded correctly for financial statement reporting purposes

    • Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisitions or dispositions of the issuer’s assets that could materially affect its financial statements


Section 404: Internal Control Over Financial Reporting

• How do internal controls differ from disclosure controls?

  • Some elements of internal controls are a subset of disclosure controls. Disclosure controls and procedures include those components of internal control over financial reporting that provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP. But note: effectiveness of an issuer’s compliance with laws, signature authority, asset safeguarding, etc. would not necessarily be considered a subset of disclosure controls


Section 404: Issuer’s Internal Control Report

• Section 404 of S-OX mandated the SEC to adopt rules requiring that annual reports filed with the SEC contain an internal control report by management

• The issuer’s internal control report must include:

  • A statement of management’s responsibility for establishing and maintaining adequate control over financial reporting

  • A statement identifying the framework used to evaluate the effectiveness of internal controls

  • An assessment of the effectiveness of the issuer’s internal controls, including a statement as to whether or not internal control over financial reporting is effective, and the disclosure of any “material weaknesses” identified by management

  • A statement that the issuer’s independent registered public accounting firm has issued an attestation report on the issuer’s assessment and that such report is included in the filing


Section 404: Issuer’s Internal Control Report (Cont'd)

• The framework on which management's evaluation of the issuer's internal controls is based must be a widely-recognized controls framework that is suitable under the circumstances (such as the Integrated Control Framework of COSO, the Committee of Sponsoring Organizations of the Treadway Commission)

• The purpose of management’s 404 evaluation is to assess whether there is a reasonable possibility of a material misstatement in the financial statements not being prevented or detected on a timely basis by the internal controls – the assessment focuses on whether any material weakness exists as of the end of the fiscal year

• The independent registered public accounting firm performing the financial statement audit then must attest to and report on management's assessment of its internal controls. If it is determined that a "material weakness" exists, then neither management nor the auditors can conclude that the company's internal control over financial reporting is effective, and management must disclose this determination in the annual report


Section 404: Issuer’s Internal Control Report (Cont'd)

• What is a “material weakness”?

  • A “material weakness” is a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis

  • Actual misstatement not necessary. “Reasonable possibility” = reasonably possible or probable

• Indicators of a material weakness:

  • Identification of fraud

  • Restatement of prior financials

  • Identification of material misstatement in current financials in circumstances that indicate that issuer’s internal controls would not have detected it

  • Ineffective oversight by the issuer’s audit committee of external and internal financial reporting

• Other potential indicators:

  • Internal audit function is ineffective

  • “significant deficiencies” that have been identified remain unaddressed after some reasonable period of time


Section 404: Completing Management's Assertion

Phase I

Scoping is one of the most critical phases in the Section 404 project.

• Scoping involves:

  • identifying the significant accounts

  • performing risk assessments

  • obtaining a listing of locations

  • determining scope coverage

• Management's overall assessment should be based on a top-down, risk-based approach, focusing on areas of high fraud risk and material misstatements


Section 404: Completing Management's Assertion

Phase I (continued)

• Identify relevant financial statement assertions for each significant account

• Perform a risk assessment of the business processes / cycles

  • Risk factors should be ranked as low/medium/high for each activity

  • Completed at the consolidated level and the plant level

  • Results are used to determine the nature, timing and extent of testing


Section 404: Completing Management's Assertion

Phase II: Corporate Governance and Non-IT Activities

• Components of Corporate Governance

  • Control Environment

  • Risk Assessment

  • Monitoring Controls

  • Information and Communication

  • Control Activities

• Corporate Governance can be viewed as the "tone at the top". A Company's risk assessment process should be focused on risks that can have a direct bearing on financial reporting processes.


Section 404: Completing Management's Assertion

Phase II: Corporate Governance IT Activities

• Complementary frameworks:

  • COSO and COBIT/Information Technology Governance Institute (ITGI)

  • COSO is a framework for an internal control environment

  • COBIT is a framework for managing risk and control of Information Technology

  • for Sarbanes-Oxley Section 404 work, a company can use a subset of COBIT for IT-related controls (Information Technology Governance Institute)

• Focus on risks that can have a direct bearing on financial reporting processes


Section 404: Completing Management's Assertion

Phase III: Testing

• A company has to develop a testing program with sample sizes sufficient to identify internal control deficiencies

• A company's documentation and testing framework should be more rigorous than its auditors'

• If exceptions are identified during testing, sample sizes should be expanded as appropriate in order to conclude that a control is working effectively

• If it is determined that a control is not operating effectively, the Company must implement a remediation plan and retest

• If, after remediation, it is determined the control is not operating effectively, the Company must assess the exception


Section 404: Completing Management's Assertion

Phase III: Testing Controls: Reporting

PCAOB Auditing Standard #5 defines three types of control deficiencies:

• Internal Control Deficiency

• Significant Deficiency

• Material Weakness


Section 404: Other Matters

Use of third parties to assist management

• Many small to medium companies utilize a third party provider to assist management with the design, testing, and assessment of their internal control environment.

• Management needs to understand that it is the company making the assertion on internal controls and not the third party provider.

• Management should appoint an individual or group of individuals to supervise the third party provider and to understand the process being undertaken and the conclusions reached. This individual should also be responsible for coordinating the timing of work performed by the external auditor.


Section 404: Other Matters

Costs

• Initial year of implementation of SOX 404 is most expensive.

  • If third party provider is used, costs are incurred in developing, testing, and remediating, if necessary, controls.

  • The audit of internal controls by the external auditor can cost as much, if not more, than the audit of the financial statements. This is based on how centralized the accounting function is, as well as the number of key controls. The less centralized the company, the more expensive the effort will be.

• Years subsequent to implementation

  • Depending on changes to the internal control environment, it tends to be less costly.

  • External auditor only has to update internal control documentation, as opposed to fully documenting.


Corporate Governance


Sarbanes-Oxley Act - Corporate Governance

• Audit committee financial experts

• Audit committee powers and independence

• Loan prohibitions for officers & directors

• Disgorgement of CEO/CFO bonuses & profits for accounting restatements attributable to misconduct


Sarbanes-Oxley Act - Corporate Governance

• Trading prohibition for officers & directors during pension fund blackout periods

• Attorneys must report material misconduct to inside counsel or board

  • “Reporting up” requirement

• Prohibition against coercing, manipulating, misleading or fraudulently influencing auditor knowing that conduct, if successful, could make financial statements materially misleading


Audit Committee Financial Experts

• Must disclose if board of directors has designated an audit committee financial expert

  • If yes, state name and whether independent from management

  • If no, why not?

  • If the person got expertise from “other relevant experience,” provide a brief listing


Audit Committee Listing Standards

• Only applicable to companies listed on a national securities exchange or a national securities association

• Directs the exchanges to prohibit the listing of companies not in compliance with the requirements of the rule

• Operate in tandem with complementary NYSE and Nasdaq listing standards, which require significant additional governance reforms, such as:

  • majority of board of directors must be independent

  • Board executive sessions held outside the presence of management

  • Independent nominating and compensation committees

  • Mandated responsibilities for audit, compensation and nominating committees


Audit Committee Listing Standards

• Independence requirements:

  • Cannot accept any “consulting, advisory or compensatory fee” from the company or any subsidiary (other than in capacity as board member)

  • Cannot be an “affiliated person” of the company or any subsidiary

• Directly responsible for appointment, compensation, retention and oversight of company’s outside auditors (including the resolution of disagreements between the management and auditors regarding financial reporting); auditors must report directly to audit committee


Audit Committee Listing Standards

• Must establish procedures for receipt, retention and treatment of complaints regarding accounting and auditing matters, including procedures for confidential, anonymous submissions of concerns by employees

• Company must establish funding for the audit committee, including means to retain and compensate independent counsel and other advisors, as necessary, as determined by the audit committee


Forfeiture of Bonuses and Profits

• If issuer is required to restate financials due to material noncompliance of the issuer, as a result of misconduct, with any reporting requirement, then:

  • CEO and CFO of the issuer must reimburse issuer for bonus or other cash or stock incentive pay received during 12 months following first public issuance of the financial information

• SEC may exempt any person from application of the provision


Public Company Accounting Oversight Board

• All accounting firms auditing the financial statements of a company with securities registered under Section 12 of the Exchange Act or required to file reports under Section 15(d) of the Exchange Act, or that has filed a registration statement under the Securities Act, are required to register with the PCAOB. These firms are known as “independent registered public accounting firms”

• The PCAOB has oversight and disciplinary authority over independent registered public accounting firms, including subpoena power; the authority to bar individuals from association with a registered firm; the authority to suspend or revoke the registration of an independent registered public accounting firm; and the authority to establish rules governing audits, conduct inspections and investigations and impose sanctions. The PCAOB also has the authority to adopt auditing standards


Public Company Accounting Oversight Board

• PCAOB and SEC have adopted numerous auditing standards, including attestation standard for S-OX Section 404 report on internal control over financial reporting


Sarbanes-Oxley Act - Auditor Independence Regulation

• One-year “cooling off” period for hiring of former employees of auditor in financial oversight role

• Prohibited non-audit services

• Pre-approval of permitted services

• Partner rotation

• Increased communication with audit committees

• Expanded disclosure of audit and non-audit services


Auditor Records Retention

• Auditors required to retain certain records relevant to audits and reviews of issuers’ financial statements for up to seven years

• Includes work papers and other documents containing conclusions, opinions, analyses or financial data related to auditor review

• Enhanced criminal penalties for destruction, alteration or falsification of records in federal investigations and bankruptcy - see also § 1102


Enforcement

Various provisions of the Act give SEC authority to:

• Distribute civil money penalties to harmed investors under the “Fair Funds provision”

• Seek temporary freeze to escrow extraordinary payments

• Access audit papers of foreign audit firms

• Seek officer and director bars in cease and desist proceedings under a more appropriate standard established by the Act for injunctive actions


Enforcement

• Authority to censure or restrict brokers, dealers, investment advisers, and associated persons subject to state, federal banking agency or National Credit Union Administration orders

• Authority to seek penny stock bars in injunctive actions

• Increased criminal penalties under the Exchange Act, securities fraud, mail and wire fraud statutes, ERISA and enhanced whistleblower protections

• Debts not dischargeable in bankruptcy if incurred in violation of securities fraud laws

• Extended the statute of limitations for securities fraud


Thank You!