Sarbhe Sarbanes-Oxley Act of 2002 (the“Act”) is the driving force for the mostsignificant changes affecting the businessworld in decades. Most of the attentionto date has been on the Act’s impact on

publicly held companies. However, there is asignificant tangential effect to all companiesand to individuals.

The Act was Congress’ response to themajor accounting scandals, most notablyEnron, Global Crossing and WorldCom,and the resulting public outcry for change.At the root of these scandals were the abuseof accounting standards and the failure ofthe auditors to discern what was really goingon. The Act changed corporate governance,including the responsibilities of directorsand officers, the regulation of accountingfirms that audit public companies, corporatereporting and enforcement.

This article will focus on some of theAct’s key provisions, namely those related todisclosure controls and procedures, internalcontrol over financial reporting and codes ofconduct and ethics. It will also address issuesrelated to the newly formed Public Compa-ny Accounting Oversight Board and it willfocus on how all of this affects the typicalprivately held producer.

Also, this article will discuss the impactof Rule 101-3 of the American Institute ofCertified Public Accountants (“AICPA”)Ethics Committee, Performance of nonattestservices.

What the Act DoesCorporate responsibility – Publicly

held companies have long had audit com-mittees and the Act significantly increasestheir responsibility. The audit committeenow has greater auditor oversight, includingprior approval for non-audit services per-formed by the auditor and the disclosure ofall non-audit services of the auditorapproved by the committee. The CEO andCFO also must certify that both annual andquarterly financial reports are accurate and

68 ı SPRING 2005

feature

What EveryBusiness Needsto Know AboutSarbanes-Oxley By Joel Unger, CPA

T

anes-Oxleynature of the internal audit department andthe procedures performed by them, it waspossible for the external auditor to reducethe level of tests they performed on thecompanies’ controls. In some cases, especial-ly with smaller publicly held companieswith very small accounting staffs, the audi-tor might have chosen not to perform anysuch tests and, instead, perform a greateramount of tests on the actual accountingrecords.

As stated, the Act goes beyond this.Under Section 404 of the Act, all publiclyheld companies must perform an appropri-ate amount of tests to determine the effec-tiveness of their systems. In turn, the auditorhas to separately perform tests to confirmthat they agree with management’s assess-ment.

Developing procedures – To comply

with the Act, procedures have to be designedcarefully and senior management should beinvolved in the process. Procedures shouldbe written and provide guidance to employ-ees. Furthermore, they should be tailored tothe individual company – its structure,processes and industry. The resulting proce-dures need to be reviewed on a quarterlybasis.

The documentation requirements areextensive and should include the following:• The reports covered by the procedures.• The people responsible for each section

of the reports.• The business units or departments

involved.• How these units or departments collect

the information to be disclosed• How the information collected is com-

municated to those responsible forpreparing the report.

• Materiality thresholds.• How the process relates to the financial

reporting system.• How draft reports are reviewed and

revised, including review by outside advi-sors, such as auditors, other experts andoutside counsel, and by the board ofdirectors or audit committee.To meet their responsibilities, the CEO

and CFO must personally be involved inthis process. They are required to review allreports requiring their certification and needto question the actual report preparers ifthey themselves believe the disclosure is fair,accurate and complete or if they think anypart of the disclosure is questionable.

Internal Control Over Financial Reporting

Similar to the rules over disclosure con-trols, companies are required to include intheir annual reports a report of managementon the company’s internal control overfinancial reporting. The auditor must thenattest to, and report on, management’sassessment of the effectiveness of the compa-ny’s internal control over financial reporting.The auditor will also require the company todevelop and maintain evidence to supportmanagement’s assessment.

Internal control over financial reportingmeans a process designed by, or under thesupervision of, the company’s principal exec-utive and principal financial officers to pro-

not misleading. In addition, both must indi-cate they have met their personal responsi-bility for evaluating internal controls.

Auditor independence and regulationof auditors – Auditors have always beenrequired to be independent of the companiesthey audit. The Act has made these require-ments more stringent and calls for increasedregulation of auditors. Auditors are also nowprohibited from performing many non-auditservices other than tax services. This is adirect response to the perception that thelucrative consulting services performed bymany auditors for their audit clients wereaffecting the quality of the audit.

Disclosure Controls and Procedures

Overview – Among the most publicizedparts of the Act are the sections relating tointernal control. Specifically, the Act requirescompanies to maintain procedures to evalu-ate and make certain disclosures concerningtheir “disclosure controls and procedures”and “internal control over financial report-ing.” Furthermore, companies subject to theAct must also include an attestation fromtheir auditors confirming management’sconclusions in its evaluation of the internalcontrol over financial reporting.

This is a significant change from pre-Actrequirements. Companies have long hadcontrols and procedures in place related totheir accounting systems to make sure that,for example:• Cash receipts are properly deposited and

credited against receivables.• Cash disbursements are properly autho-

rized and supported by vendor invoices.• Inventories and property and equipment

are properly secured.• Accounts are promptly reconciled.

Many but not all companies had internalauditors to test the effectiveness of these sys-tems. The existence of internal audit depart-ments was more likely as the size ofcompanies increased. Depending on the

CONCRETE in focus ı 69

The Act changed corporate governance, including

the responsibilities of directors and officers, the

regulation of accounting firms that audit public

companies, corporate reporting and enforcement.

officer, principal accounting officer or con-troller, or persons performing similar func-tions. A company that already has such acode of ethics does not need to adopt a newone, but it must meet the requirements ofthe rule. However, a company that does nothave a code of ethics must explain why itdoes not have such a code.

Contents of the Code of Ethics –Under Section 40, a code of ethics meansstandards that are reasonably designed todeter wrongdoing and to promote the fol-lowing:• Honest and ethical conduct, including

ethical handling of actual or apparentconflicts of interest between personal andprofessional relationships

• Full, fair, accurate, timely and under-standable disclosure in reports and docu-ments that a company files with orsubmits to the SEC and in other publiccommunications;

• Compliance with applicable laws, rulesand regulations;

• Prompt internal reporting to an appro-priate person identified in the code ofviolations of the code; and

• Accountability for adherence to the code.Codes of ethics are expected to vary from

company to company. The Securities andExchange Commission has strongly encour-aged companies to adopt codes that arebroader and more comprehensive than nec-essary to meet the disclosure requirements.

Making Codes Publicly Available –The rules provide for the following threemethods of making a company’s code ofethics available:• Filing it as an exhibit to the company’s

annual report;• Posting it (or relevant portions) on its

website, provided that the company hasdisclosed its Internet address in itsapplicable annual report;

• Offering in its annual report to provide acopy to any person without charge onrequest.

The Public Company Accounting Oversight Board

Title I of the Act covers the establish-ment and organization of the Public Com-pany Accounting Oversight Board(“PCAOB”). Section 101 of the Act estab-lishes an independent, non-governmentalboard to oversee the audits of public compa-nies to protect the interest of investors andto further public confidence in independentaudit reports. The specific powers of thePCAOB are as follows:• To register and discipline accounting

firms that audit public companies;• To establish audit and accounting stan-

dards; and• To investigate financial irregularities.

Section 103 contains some of the mostsignificant aspects of the PCAOB. ThePCAOB now has the authority to establish,through the adoption of standards proposedby one or more professional groups ofaccountants, auditing standards and relatedattestation standards for register publicaccounting firms to use in preparing andissuing audit report. The Act effectively givesthe PCAOB the right to establish auditingand accounting standards.

To date, the PCAOB has decided toallow the Financial Accounting StandardsBoard (“FASB”) to establish accountingstandards. However, various parties, includ-ing accounting firms, had funded FASB.Taxes and fees now fund FASB, in an effortto increase its independence of users ofaccounting standards.

The Auditing Standards Board of theAICPA had long set auditing standards. Asmuch of the anger and blame toward theaccounting scandals had been directed at

vide reasonable assurance for the reliabilityof financial reporting and the preparation offinancial statements for external purposes inaccordance with generally accepted account-ing principles. This includes those policiesand procedures that:• Cover maintaining records, in reasonable

detail, that accurately and fairly reflectthe transactions and dispositions of thecompany’s assets;

• Provide reasonable assurance that trans-actions are recorded as necessary to pre-pare financial statements in accordancewith generally accepted accounting prin-ciples and that receipts and expendituresof the company are made only under theauthorizations of management; and

• Provide reasonable assurance for the pre-vention or timely detection of unautho-rized acquisition, use or disposition ofthe company’s assets that could material-ly affect the financial statements.While the Foreign Corrupt Practice Act

established requirements for companies tokeep books and records, in reasonable detail,that accurately reflect transactions, the Actexpends this requirement to maintaining a“system of internal accounting controls.” Thequarterly evaluations of internal control overfinancial reporting need not be as extensiveas the annual assessment. However, manage-ment, with the participation of the CEO andCFO, must evaluate any change in the com-pany’s internal control over financial report-ing that occurred during a fiscal quarter thathas materially affected, or is reasonably likelyto materially affect, the company’s internalcontrol over financial reporting.

Codes of Conduct and EthicsSection 406 of the Act requires compa-

nies to disclose whether they have adopted awritten code of ethics for the company’sprincipal executive officer, principal financial

70 ı SPRING 2005

feature

All public companies must be audited in accordance with PCAOB standards. Privately

held companies have two options – PCAOB standards or AICPA standards. Privately

held companies considering going public in the future may wish to consider having

their audits performed under PCAOB standards.

doesn’t have the bodies to take on morework right now.

Small producers that have been using BigFour or other large accounting firms mayfind that these firms are no longer able toprovide the same level of service as in thepast. Furthermore, growing producers whoare considering switching to a largeraccounting firm may find it difficult toobtain those services.

Future convergence – So far, publiclyheld companies have felt the vast majority ofthe direct impact of the Act. Many observersthink that it is only a matter of time until allor most of these standards will apply to allcompanies.

Rule 101-3 – Performance of Nonattest Services

The AICPA issued Rule 101-3 to furtherclarify when a CPA is considered indepen-dent of its client. Independence is requiredfor a CPA to perform an attest service, name-ly the audit, review or compilation of anentity’s financial statements. (A CPA that isnot independent of its client can still issue acompilation report if the lack of indepen-dence is disclosed in the compilation report.)

Traditionally, in its simplest form, inde-pendence meant that the CPA maintained acertain distance from their client. The CPAwas not allowed to invest in the client, havea family relationship with the owners andother criteria. These rules were instituted toprovide additional assurance to the users ofan audited or reviewed financial statementthat the CPA was able to provide an objec-tive report.

Rule 101-3 says:Before a member…performs nonattest

services (for example, tax or consulting ser-vices) for an attest client, the membershould determine that the requirementsdescribed in this interpretation have beenmet. In cases where the requirements havenot been met…, the member’s indepen-dence would be impaired.

Before Rule 101-3, tax services were notconsidered a nonattest service. Other nonat-test services include:• Bookkeeping• Payroll and other disbursement• Benefit plan administration• Investment advisory or management

• Corporate finance consulting• Executive or employee search• Business risk consulting• Information systems design, installation

or integrationThe Rule provides further clarification.

Assuming the CPA complies with Rule 101-3’s requirements, a CPA’s independencewould not be impaired if the CPA does thefollowing specific bookkeeping services:• Record transactions for which manage-

ment has determined or approved theappropriate account classification or postcoded transactions to a client’s generalledger.

• Prepare financial statements based oninformation in the trial balance.

• Post client-approved entries to a client’strial balance.

• Propose standard, adjusting or correctingjournal entries or other changes affectingthe financial statements to the client pro-vided the client reviews the entries andthe (CPA) is satisfied that managementunderstands the nature of the proposedentries and the impact the entries haveon the financial statements.On the other hand, the following nonat-

test services would always impair the CPA’sindependence:• Determine or change journal entries,

account codings or classification fortransactions, or other accounting recordswithout obtaining client approval.

• Authorize or approve transactions• Prepare source documents• Make changes to source documents with-

out client approval.Recall that a CPA must be independent

to issue a review or audit report. However,many companies use their CPA firm to notonly prepare their monthly financial state-ments but to actually maintain theiraccounting records. In this situation, theCPA would not be independent of the clientand could not issue a year-end audit orreview report.

A more likely instance to affect a produc-er is when the CPA maintains the deprecia-tion schedules for the producer. Manyproducers do not have large accountingstaffs or personnel with the needed knowl-edge to properly maintain these schedules.At year-end, the CPA calculates book depre-

auditors, the PCAOB has decided to setauditing standards. To date, they have con-tinued to use AICPA auditing standards sup-plemented by new standards. One result ofthis is that there are now effectively two setsof auditing standards in the United States –PCAOB and AICPA. All public companiesmust be audited in accordance with PCAOBstandards. Privately held companies havetwo options – PCAOB standards or AICPAstandards. Privately held companies consid-ering going public in the future may wish toconsider having their audits performedunder PCAOB standards.

Issues for ProducersThe privately held producer might look

at all of this and think, “I’m not publiclyheld, so this doesn’t affect me.” While theremay not be any direct impact right now,there are indirect impacts right now. Fur-thermore, many observers think it is only amatter of time until the standards resultingfrom the Act apply to all companies, bothprivate and public.

Impact on CPA Firms – The compli-ance burden from the Act, especially Section404, is draining the resources of not only theBig Four accounting firms (Deloitte &Touche, KPMG, PriceWaterhouseCoopers,and Ernst & Young), and the so-called “sec-ond tier” firms (such as Grant Thornton andBDO Seidman) but many local accountingfirms as well. As noted previously, manypublicly held companies do not have theresources to complete the testing required bySection 404. Prior to the Act, many of thesecompanies would have turned to their audi-tors for assistance in this testing. However,the Act prohibits a company’s auditors fromperforming the Section 404 testing. As aresult, these companies are turning to notjust the Big Four and second tier firms, butto local CPA firms. This additional work-load is draining the resources of many CPAfirms. The article “Is there an accountant inthe house?” in the November 15, 2004 issueof Crain’s Detroit Business noted:

For the past few months, Ernst & YoungL.L.P. has turned down all the new businessthat’s been knocking on the door, DetroitPractice Managing Partner Jeffrey Bergeronsaid. Overloaded with work generated by theSarbanes-Oxley Act of 2002, the firm just

72 ı SPRING 2005

feature

this results in an increase in fees incurred bythe client. One CPA in Washington Stateindicated that after making this change, hisclients saw an average in increase in profes-sional fees of 17 percent.

ConclusionThe Sarbanes Oxley Act and Rule 101-3

are already having far-reaching effects on

producers throughout the country in theform of increased procedures and increasedfees. Producers should consult with theirprofessional advisors to determine how thesechanges will continue to impact them. n

Joel Ungar is the founder of ConcreteAccounting and can be reached at 248/539-9160or via email at jungar@concreteaccounting.com.

ciation and proposes the correcting journalentry. Prior to Rule 101-3, this did not causeindependence problems for the CPA.

However, Rule 101-3 says this will notimpair the CPA’s independence if the CPAcompiles with the following requirements:1. The CPA must not perform manage-

ment functions or make managementdecisions for the client. (The CPA mayprovide advice, research and make rec-ommendations to assist client manage-ment).

2. The client must agree to perform the fol-lowing functions in connection with theengagement to perform nonattest ser-vices:a. Make all management decisions and

perform all management functions;b. Designate a competent employee,

preferably within senior management,to oversee the services;

c. Evaluate the adequacy and results ofthe services performed;

d. Accept responsibility for the results ofthe services; an

e. Establish and maintain internal con-trols, including monitoring ongoingactivities.

The CPA further must be satisfied thatthe clients will be able to meet all of thesecriteria.

Before performing nonattest services, themember should establish and document inwriting his or her understanding of theabove with the client.

These requirements are a significantchange from the past. In essence, it says thatin order for the CPA to perform certain ser-vices they routinely provided in the past, theclient must oversee these services and estab-lish its own controls to oversee the service. Ifthis does not occur, then the CPA would notbe independent for attest services it wouldprovide to the client. This is likely the firsttime that professional standards have beenspecific requirements on the client.

The end result is that many CPA firmsare forced to determine if they can continueto provide nonattest services to attest clients.For example, many CPA firms have decidedthey will only provide the nonattest servicesto a client and have the client retain a sepa-rate CPA firm to perform the audit orreview. The unfortunate side effect is that

CONCRETE in focus ı 73