The Sarbanes Oxley Act
Responding to corporate failures and fraud that resulted in substantial financial losses to institutional and individual investors, Congress passed the Sarbanes Oxley Act in 2002.
The Act contains provisions affecting corporate governance, risk management, auditing, and financial reporting of public companies, including provisions intended to deter and punish corporate accounting fraud and corruption.
Title I of the Sarbanes Oxley Act establishes the PCAOB as a nonprofit organization that oversees the audits of public companies that are subject to the securities laws.
The Sarbanes Oxley Act gives the PCAOB four primary responsibilities:
- registration of accounting firms that audit public companies in the U.S. securities markets;
- inspections of registered accounting firms;
- establishment of auditing, quality control, and ethics standards for registered accounting firms; and
- investigation and discipline of registered accounting firms for violations of law or professional standards.
Title II of the Sarbanes Oxley Act addresses auditor independence.
It prohibits the registered external auditor of a public company from providing certain nonaudit services to that public company audit client.
Title II also specifies communication that is required between the auditors and the public company's audit committee (or board of directors), and requires periodic rotation of the audit partners managing a public company's audits.
Titles III and IV of the Sarbanes Oxley Act focus on corporate responsibility and enhanced financial disclosures.
Title III asks for certifications by corporate officers in annual and quarterly reports.
Title IV addresses disclosures in financial reporting and transactions involving management and principal stockholders, and other provisions such as internal control over financial reporting.
More specifically, section 404 of the Sarbanes Oxley Act establishes requirements for companies to publicly report on management’s responsibility for establishing and maintaining an adequate internal control structure, including controls over financial reporting, and the results of management's assessment of the effectiveness of internal control over financial reporting.
External auditors must report if they agree with management’s assessment of the company’s internal control over financial reporting.
The SEC and the PCAOB have issued regulations, standards, and guidance to implement the Sarbanes-Oxley Act.
For instance, both the SEC's regulations and the PCAOB’s Auditing Standards state that management is required to base its assessment of the effectiveness of the company’s internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due process procedures, including the broad distribution of the framework for public comment.
Both the SEC's guidance and PCAOB's auditing standard cite the COSO principles as providing a suitable framework for purposes of section 404 compliance.
In 1992, COSO issued its “Internal Control—Integrated Framework” (the COSO Framework) to help businesses and other entities assess and enhance their internal control.
Since that time, the COSO framework (including the updated framework) has been recognized by regulatory standards setters and others as a comprehensive framework for evaluating internal control, including internal control over financial reporting.
The COSO framework includes a common definition of internal control and criteria against which companies could evaluate the effectiveness of their internal control systems.
The framework consists of five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring.
While the SEC and the PCAOB do not mandate the use of any particular framework, the PCAOB states that the framework used by a company should have elements that encompass the five COSO components on internal control.
Internal control generally serves as a first line of defense in safeguarding assets and preventing and detecting errors and fraud.
Internal control is defined as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the following objectives:
(1) effectiveness and efficiency of operations;
(2) reliability of financial reporting; and
(3) compliance with laws and regulations.
Internal control over financial reporting is further defined in the SEC regulations implementing section 404.
These regulations define internal control over financial reporting as providing reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements, including those policies and procedures that:
- pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
- provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
- provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.
Steven B. Harris, PCAOB Member, in a presentation titled "Remarks on The Sarbanes-Oxley Act of 2002: Ten Years Later", said:
"1. It restored investor confidence.
The Sarbanes-Oxley Act was not just a response to Enron despite the failures its collapse exposed. As the Los Angeles Times reported January 26, 2002, less than two months after Enron filed for bankruptcy: "There was a total failure by everyone, a complete breakdown in the system, in all the checks and balances. It was a failure by Wall Street analysts who just went along for the ride, and by the auditors who were collecting so much money they couldn't walk away from it, and by government agencies who are supposed to monitor those companies."
The Senate and House were already working on legislative responses to those failures when other corporate giants began to falter and collapse, including Tyco, Adelphia and, what was then the largest restatement in corporate history, WorldCom.
Former House Financial Services Committee Chairman, Michael Oxley recently described the effects of those business failures saying, "It was a severe shock to our system, to the core of the capital system that depends on honesty and integrity and on having investors believing in the companies they invest in." He added, "That was really the shock to me, as a pro-business Republican, who was looking at what I thought was the disintegration of the capital market."
Chairman Oxley was not exaggerating. In July 2002 alone, the Dow dropped over 15 percent. And between the time the House passed its bill in April and the Senate acted in July, the Dow declined almost 23 percent, or over 2,000 points. If nothing else, the Sarbanes-Oxley Act stopped cold the stock market hemorrhage at the time.
The need for the Act was clear in the final votes: 99-0 in the Senate and 423-3 in the House. Chairman Oxley called it a "blow out."
2. It established the PCAOB, ending more than 100 years of self-regulation by the accounting profession.
Ten years later, 44 non-U.S. countries have established independent regulatory regimes for auditors patterned after the PCAOB.
3. It dealt with the conflicts of interest in the accounting profession by prohibiting accounting firms from performing certain auditing and consulting services for the same company the firm was auditing.
For example, it prohibited a company from setting up a valuation system for valuing financial assets and then auditing that system.
4. It mandated independent audit committees and required issuers to disclose whether a "financial expert" is on the audit committee.
Audit firms now must report to an independent audit committee.
5. It increased corporate accountability and dealt with tone at the top by requiring CEOs and CFOs to personally certify their companies' financial statements.
It is my belief that this is one of the most important provisions in the Act that has had the greatest impact — and it came directly from then Securities and Exchange Commission Chairman Harvey Pitt.
6. It instituted "clawback" provisions, requiring CEOs and CFOs to give up bonuses or other financial incentives based on financial results that later had to be restated.
7. It essentially ended the backdating of stock options.
8. It established whistleblower protections for employees of public companies.
9. It required public companies to disclose off-balance sheet arrangements in quarterly and annual financial reports to the SEC and investors.
10. It restricted loans that public companies can make to officers and directors.
And, of course, it required publicly traded companies to have a system of internal controls over financial reporting. This precedent had already been established in the Foreign Corrupt Practices Act (1977) and the Federal Deposit Insurance Corporation Act (1991).
Under the Sarbanes-Oxley Act, management has to establish, assess and report on the issuer's system of internal controls over financial reporting, and auditors must report on the effectiveness of that system of internal controls. Studies show that better internal controls result in better financial reporting and more investor confidence in financial reports.
For the most part, I find that when people talk about repealing the Sarbanes-Oxley Act, they are talking about those provisions dealing with internal controls. When I ask what other provisions they believe should be altered, there is no clear response.
I would note that since the passage of the Act, financial restatements have steadily decreased since 2005. Fewer securities class action lawsuits are being filed — down by as much as 60 percent by some reports — and audit quality is generally recognized as having improved, although clearly more work needs to be done.
The stated purpose of the Act is "to protect investors by improving the accuracy and reliability of corporate disclosures."
I certainly think it has done that, and I would echo Senator Sarbanes in his recent comment on the future of the Sarbanes-Oxley Act:
"My hope is that the Act becomes so much a part of the way business is done in this country; so much a part of establishing the standards, that it is not seen as something separate and apart. It really becomes part of the very structure of the business world. And what comes out of that, of course, are higher standards, more ethical behavior and to the benefit of everyone."
Study of the Sarbanes-Oxley Act, Section 404, Securities and Exchange Commission, September 2009.
Note: This is important for Sarbanes-Oxley professionals
The Public Company Accounting Reform and Investor Protection Act, otherwise known as the Sarbanes-Oxley Act (the “Act”), was enacted in July 2002 after a series of high-profile corporate scandals involving companies such as Enron and WorldCom.
Section 404(a) of the Act requires management to assess and report on the effectiveness of internal control over financial reporting (“ICFR”). Section 404(b) requires that an independent auditor attest to management’s assessment of the effectiveness of those internal controls. Because the cost of complying with the requirements of Section 404 of the Act (“Section 404”) has been generally viewed as being unexpectedly high, efforts to reduce the costs while retaining the effectiveness of compliance resulted in a series of reforms in 2007.
Compliance costs vary with company size (increasing with size), compliance history (decreasing with increased compliance experience), and compliance regime (lower after the 2007 reforms). Larger companies tend to incur higher compliance costs in dollar terms (“absolute cost”), while smaller companies report higher costs as a fraction of asset value (“scaled cost”).
The evidence suggests that companies bear some fixed start-up costs of compliance that are not scalable. Some of these costs are recurring fixed costs, while others are one-time start-up costs borne in the first years of compliance that tend to dissipate over time. For companies complying with both parts of Section 404, the cost of complying with Section 404(b) is reportedly similar to the incremental cost of complying with Section 404(a) alone. The resource requirements of Section 404(a) and Section 404(b) compliance are quite different, however. The Section 404(a) cost is borne through increased internal labor and outside vendor expenses, while the Section 404(b) cost is experienced primarily through increased independent-auditor fees.
Section 404 of the Sarbanes-Oxley Act directs the SEC to adopt rules requiring annual reports of companies with publicly traded securities, other than registered investment companies, to disclose management’s assessment of the effectiveness of the company’s ICFR and an auditor’s independent attestation to the effectiveness of those internal controls.
When the Commission first adopted rules under Section 404, the expressed objectives included enhancing the quality of reporting and increasing investor confidence in the financial statements. The Commission release cited as a benefit the improvement of “public company disclosure to investors about the extent of management’s responsibility for the company’s financial statements and internal control over financial reporting.” This is an important aspect of the financial reporting process because weaknesses in internal controls create more opportunities for intentional earnings management as well as unintentional accounting estimation and reporting errors. According to the 2003 adopting release, with these rules, “investors will be able to better evaluate management’s performance of its stewardship responsibility and the reliability of a company’s financial statements and other unaudited financial information,” and that “improved disclosure may help companies detect fraudulent financial reporting earlier and perhaps thereby deter financial fraud or minimize its adverse effects.”
Concerns about the costs of complying with the requirements of Section 404 emerged and persisted over the first few years of implementation. By 2007, a number of organizations had published information regarding Section 404 compliance costs, with annual cost estimates ranging from $860,000 to $5.4 million per company depending on the source. To address concerns about the costs of compliance, the Commission, during June and July 2007, issued Management Guidance and approved the PCAOB’s new audit standard, AS5, for use by public company auditors. The 2007 reforms were intended to increase the efficiency and effectiveness of Section 404 implementation.
The Management Guidance described a top-down, risk-based approach to satisfying the requirements of Section 404. It was intended to reduce the costs of Section 404(a) compliance first by “allowing management to focus on the controls that are needed to adequately address the risk of a material misstatement of its financial statements” and second by allowing management “to align the nature and extent of its evaluation procedures [such as evidence gathering, documentation effort, and testing the controls] to those areas of financial reporting that pose the highest risks to reliable financial reporting.”
By stressing that “management should bring its own experience and informed judgment to bear” in the process of ICFR evaluation, the release encouraged more flexibility and discretion on management’s part in complying with Section 404. A companion release by the Commission also noted that the Management Guidance should help management to avoid the costs of excessive testing and documentation and allow smaller public companies to scale and tailor their evaluation methods and procedures to fit their facts and circumstances. The 2007 final release indicated that reliance on the Commission’s Management Guidance is voluntary.
In addition, on July 25, 2007—effective for audits of internal control for fiscal years ending on or after November 15 of the same year—the Commission approved PCAOB’s AS5, which established a new standard for the independent audit of ICFR required under Section 404(b). The expected benefits of AS5 included:
(i) allowing auditors to exercise their judgment,
(ii) scaling the level of internal control testing to match the size of the company,
(iii) eliminating unnecessary procedures for audit and allowing auditors to focus on matters they consider to be most important for internal control, and
(iv) allowing auditors to use a principles-based approach to decide the extent to which they can rely on work already done by others, including the effort exerted by management in complying with Section 404(a).
Important definitions, from the Improper Influence on Conduct of Audits, Securities and Exchange Commission, final rule.
This is important for Sarbanes-Oxley professionals
As directed by section 303 of the Sarbanes-Oxley Act of 2002, we are adopting rules to prohibit officers and directors of an issuer, and persons acting under the direction of an officer or director, from taking any action to coerce, manipulate, mislead, or fraudulently influence the auditor of the issuer's financial statements if that person knew or should have known that such action, if successful, could result in rendering the financial statements materially misleading.
On July 30, 2002, the Sarbanes-Oxley Act of 2002 (the "Act") was enacted. Section 303(a) of the Act states:
It shall be unlawful, in contravention of such rules or regulations as the Commission shall prescribe as necessary or appropriate in the public interest and for the protection of investors, for any officer or director of an issuer, or any other person acting under the direction thereof, to take any action to fraudulently influence, coerce, manipulate, or mislead any independent public or certified accountant engaged in the performance of an audit of the financial statements of that issuer for the purpose of rendering such financial statements materially misleading.
As mandated by the Act, the Commission is adopting rules to implement section 303(a). The rules, in combination with the existing rules under Regulation 13B-2, are designed to ensure that management makes open and full disclosures to, and has honest discussions with, the auditor of the issuer's financial statements. These rules prohibit officers or directors of an issuer, or persons acting under their direction, from subverting the auditor's responsibilities to investors to conduct a diligent audit of the financial statements and to provide a true report of the auditor's findings.
Definition of "issuer." In the proposing release, we noted that the definition of the term "issuer" in section 3 of the Securities Exchange Act of 1934 ("Exchange Act") would apply to the term as used in the rule. This definition includes, with certain exceptions, any person who issues or proposes to issue securities. One commenter noted that this definition would include all private issuers of securities and suggested that we use the definition of "issuer" in the Sarbanes-Oxley Act. The definition in that Act generally would limit application of the rule to issuers whose securities are registered with the Commission under section 12 of the Exchange Act, that are required to file reports with the Commission under section 15(d) of the Exchange Act, or that have filed registration statements with the Commission that have not yet become effective and have not been withdrawn.
We continue to believe that the definition of the term "issuer" in section 3 of the Exchange Act applies to the use of the term in the new rules. The term "issuer," as defined in the Exchange Act, has been used in Rule 13b2-2 since it was adopted in 1979, and we believe that the amendments do not require a change in the meaning of the term. In addition, because the new rule specifically applies to improperly influencing auditors of issuers' financial statements "that are required to be filed with the Commission," the commenter's concern that this definition would extend the scope of the rule to all private issuers of securities has been addressed. Accordingly, the term "issuer" in the new rule should be defined as stated in section 3 of the Exchange Act.
Definition of "officer." New rule 13b2-2(b)(1) addresses activities by an officer or director of an issuer, or any other person acting under the direction of an officer or director. The Commission has defined the term "officer" to include the company's "president, vice president, secretary, treasurer or principal financial officer, comptroller or principal accounting officer, and any person routinely performing corresponding functions with respect to any organization whether incorporated or unincorporated." The term "executive officer" includes an issuer's chief executive officer and other officers who perform policy-making functions for the issuer.
Some commenters suggested that the term "officer" should include all those responsible for corporate governance matters or who influence the preparation of an issuer's financial statements. Commenters also suggested that the definition include an issuer's general counsel or chief legal officer. We do not believe at this time that it is necessary to amend the existing definition of "officer" or "executive officer," or to write a new definition specifically for Regulation 13B-2. The existing definitions cover, among others, those who set corporate governance policies and legal policies for an issuer. Should we note that members of management not encompassed by the existing definitions of "officer" and "executive officer" are engaging in the conduct addressed in the rule, we may revisit this issue.
Definition of "under the direction." As noted above, new rule 13b2-2(b)(1) covers the activities of not only officers and directors of the issuer who engage in an attempt to misstate financial statements but also "any other person acting under the direction thereof." Activities by such "other persons" currently may constitute violations of the anti-fraud or other provisions of the securities laws or aiding or abetting or causing an issuer's violations of the securities laws. Section 303(a) and the new rule provide the Commission with an additional means of addressing efforts by persons acting under the direction of an officer or director to improperly influence the audit process and the accuracy of the issuer's financial statements.
As noted in the proposing release, we interpret Congress' use of the term "direction" to encompass a broader category of behavior than "supervision." In other words, someone may be "acting under the direction" of an officer or director even if they are not under the supervision or control of that officer or director. Such persons might include not only the issuer's employees but also, for example, customers, vendors or creditors who, under the direction of an officer or director, provide false or misleading confirmations or other false or misleading information to auditors, or who enter into "side agreements" that enable the issuer to mislead the auditor.
In appropriate circumstances, persons acting under the direction of officers and directors also may include not only lower level employees of the issuer but also other partners or employees of the accounting firm (such as consultants or forensic accounting specialists retained by counsel for the issuer) and attorneys, securities professionals, or other advisers who, for example, pressure an auditor to limit the scope of the audit, to issue an unqualified report on the financial statements when such a report would be unwarranted, to not object to an inappropriate accounting treatment, or not to withdraw an issued audit report on the issuer's financial statements. In the case of a registered investment company, persons acting under the direction of officers and directors of the investment company may include, among others, officers, directors, and employees of the investment company's investment adviser, sponsor, depositor, administrator, principal underwriter, custodian, transfer agent, or other service providers.
Commenters on this discussion in the proposing release were divided. Some believe that some form of specific instruction or direction from an officer or director should be required before the rule should apply to "other persons." Others expressed the opposite view that no specific direction should be required, that the conduct should be considered illegal whether or not the person was acting under the direction of an officer or director, and that the rule should apply to anyone who lies to or misleads the auditor and to all those who have responsibilities or activities relevant to the financial statements. Still others suggested that we neither define the term "under the direction" nor provide examples. As noted above, we continue to believe that "direction" encompasses a broader category of behavior than supervision, and may include the activities of third parties who participate in an effort to improperly influence the auditor when those third parties knew or should have known that the effect of their conduct would be to render an issuer's financial statements materially misleading.
Some commenters were concerned that including customers, vendors and creditors in the discussion of those persons who, in appropriate circumstances, might be considered to be acting under the direction of an officer or director would have a chilling effect on communications between those persons and the auditors. Other commenters noted that this chilling effect would be enhanced by the Commission's position in the proposing release that negligently misleading the auditor was sufficient conduct to trigger application of the rule. In particular, some commenters noted that a misleading legal analysis should violate the rule only if accompanied by fraudulent or "bad" intent on the part of the attorney providing the analysis. These comments would appear to be based on the premise that in the past the Commission has not addressed the negligent communication of misleading information to auditors and that the new rule, therefore, would chill communications during the audit process and thereby lower the quality of the audit process. To the contrary, for many years we have initiated enforcement actions against those who, by negligently providing misleading confirmations to auditors, cause an issuer to violate the financial reporting or books and records provisions of the Securities Exchange Act of 1934.
The new rule, by providing an additional means of addressing such conduct, should provide more credibility and integrity to the audit process. We believe that third parties providing information or analyses to an auditor should exercise reasonable attention and care in those communications. A primary purpose for enactment of the Sarbanes-Oxley Act is the restoration of investor confidence in the integrity of financial reports, which will require the cooperation of all parties involved in the audit process. We do not intend to hold any party accountable for honest and reasonable mistakes or to sanction those who actively debate accounting or auditing issues. We do believe, however, that those third parties who, under the direction of an issuer's officers or directors, mislead or otherwise improperly influence auditors when they know or should know that their conduct could result in investors being provided with misleading financial statements or a misleading audit report, should be subject to sanction by the Commission.
"Fraudulently influence." New rules 13b2-2(b)(1) and (c)(2) address certain actions "to coerce, manipulate, mislead, or fraudulently influence" the auditor of the issuer's financial statements. Much of the conduct addressed by the rules, particularly efforts to "manipulate or mislead" the auditor, generally would be subject to other provisions of the securities laws and the Commission's regulations, including the existing rules in Regulation 13B-2. The new rules, however, would provide an additional means to address conduct to coerce, manipulate, mislead, or fraudulently influence an auditor during his or her examination or review of the issuer's financial statements, including conduct that did not succeed in affecting the audit or review.
In the proposing release, we noted that in the rule the word "fraudulently" modifies influence but not coerce, manipulate or mislead. Several commenters suggested that the Commission should amend this interpretation and state that "fraudulently" modifies all four types of conduct. Some commenters indicated that intent to materially mislead the auditor should be required and others stated any attempt to purposely skew the issuer's disclosure should violate the rule. One commenter noted that fraudulent intent should not be required for officers, directors or employees, but should be required for third parties such as vendors and customers.
We have decided not to amend our view that the word "fraudulently" modifies only "influence." To emphasize this point, we have reordered the words to place "fraudulently influence" at the end of the list instead of at the beginning. The new rule, therefore, reads that no officer or director or person acting under his or her direction "shall directly or indirectly take any action to coerce, manipulate, mislead, or fraudulently influence" any accountant engaged in the performance of an audit or review of an issuer's financial statements.
In the context of the new rule, the words "coerce" and "manipulate" imply compelling the auditor to act in a certain way through pressure, threats, trickery, intimidation or some other form of purposeful action, and further modifiers are not necessary. Regarding the term "mislead," pre-existing rule 13b2-2 for many years has prohibited officers and directors from directly or indirectly making or causing to be made materially misleading statements to auditors. Causing misleading statements to be made to auditors has included, and will continue to include, an officer or director entering into an arrangement with a third party to send a misleading confirmation or to provide other misleading information or data to the auditor of the issuer's financial statements.
The new rule does not alter this approach. As noted above, a primary purpose for enactment of the Sarbanes-Oxley Act is the restoration of investor confidence in the integrity of financial reports. Such a purpose would not be served by imposing what would amount to a new scienter requirement on the pre-existing provision prohibiting officers and directors from causing misleading statements or omissions to be made to auditors.
Types of Conduct. As stated in the proposing release, types of conduct that the Commission believes could constitute improper influence (if the person engaged in that conduct knows or should know that the conduct, if successful, could result in rendering the issuer's financial statements materially misleading) include, but are not limited to, directly or indirectly:
- Offering or paying bribes or other financial incentives, including offering future employment or contracts for non-audit services,
- Providing an auditor with an inaccurate or misleading legal analysis,
- Threatening to cancel or canceling existing non-audit or audit engagements if the auditor objects to the issuer's accounting,
- Seeking to have a partner removed from the audit engagement because the partner objects to the issuer's accounting,
- Blackmailing, and
- Making physical threats.
The facts and circumstances of each case would be relevant to determining whether the conduct would violate the new rule.
Commenters had varied reactions to the illustrative list of the types of conduct that could be covered by the rule. Some commenters suggested that providing inaccurate or misleading information to internal auditors, as well as to independent auditors, should be deemed a violation of the rule. While we believe that an officer or director, or person acting under the direction of an officer or director, providing misleading information to an internal auditor would be relevant to the status of the issuer's internal accounting controls or disclosure controls, it would not appear to be related to the purpose of section 303 of the Act and the new rule, which is to protect and enhance the independent audit function.
Other commenters suggested that, due to other safeguards in the Act, we should delete from the illustrative list the actions of offering future employment with the issuer and threatening to cancel audit or non-audit contracts for services. These commenters indicated that section 206 of the Act, which requires a one-year "cooling off" period from the time certain officers of the issuer last participated as a partner or employee of the accounting firm in an audit of the issuer's financial statements to the commencement of the audit, provides sufficient protection against offering employment as a means of improperly influencing the auditor.
Similarly, commenters indicated that the provisions in sections 201 and 202 requiring audit committee pre-approval of audit and non-audit services should be an adequate safeguard against the use of such services to improperly influence auditors.
Sections 201, 202 and 206, as well as the remainder of Title II of the Act, are designed to enhance the independence of auditors. We believe, however, services and employment opportunities that would not impair an auditor's independence nonetheless could provide financial incentives used to improperly influence or otherwise deter auditors from performing an appropriate audit. Accordingly, such actions continue to be possible mechanisms, assuming the other criteria in the rule are met, for violating the new rule.
Some commenters suggested qualifying other examples in the list. For example, commenters indicated that canceling or threatening to cancel an audit or non-audit engagement should be within the purview of the rule only if the action was taken because the auditor objects to the issuer's accounting. One commenter expressed this notion in terms of a clear quid pro quo linking the offering of a contract for non-audit services with the intent to fraudulently influence the audit. We acknowledge that there may be many legitimate reasons to replace individuals on an audit or review engagement, or to award or cancel audit or non-audit services. Such actions alone do not violate the new rule. When such actions, however, become the consideration used by an officer or director, or person acting under the direction of an officer or director, to improperly influence the auditor, and that person knew or should have known that the result of his or her conduct could be materially misleading financial statements, then the actions fall within the scope of the rule.
Still other commenters suggested adding to the list activities such as: knowingly providing to the auditor inadequate or misleading information that is key to the audit, transferring managers or principals from the audit engagement, and when predicated by an intent to defraud, verbal abuse, creating undue time pressure on the auditors, not providing information to auditors on a timely basis, and not being available to discuss matters with auditors on a timely basis. In the appropriate circumstances and upon satisfaction of the criteria in the rule, each of these actions could result in improper influence on the auditor.
Finally, most commenters addressing the issue stated that the Commission should not place in the rule any examples of the types of conduct that might violate the rule, and we have not done so.
Definition of "independent public or certified public accountant." The new rule addresses the improper influence of "any independent public or certified public accountant" engaged in the performance of an audit or review of an issuer's financial statements. Prior to the adoption of the Act, similar phrases commonly were used in the securities laws and the Commission's regulations to refer to the accountant providing audit and review services to a Commission registrant. Although the Act, in anticipation of accounting firms registering with the Public Company Accounting Oversight Board (the "Board"), changed several of these references, such terms continue to appear in certain sections of the securities laws and related schedules.
We believe that section 303 of the Act includes all accountants engaged in auditing or reviewing an issuer's financial statements or issuing attestation reports to be filed with the Commission. Once firms are registered with the Board, the term "independent public or certified public accountant," as used in the new rule, would include registered public accounting firms and persons associated with such a public accounting firm, as defined in the Act. While some commenters expressed concern with the use of different definitions to describe the independent auditor, they generally did not object to the use of the term in the new rule.
"Engaged in the performance of an audit." New rules 13b2-2(b)(1) and (c)(2) track the language in section 303(a) of the Act regarding the improper influence of an accountant "engaged in the performance of an audit" of the issuer's financial statements. Both the Commission and the accounting profession have recognized that the need for an auditor to maintain an independent and unbiased attitude begins when the accountant is selected to perform audit or review services and continues until there is a formal or informal public notification that the professional relationship has ended.
To effectuate the intent of Congress, we believe the phrase "engaged in the performance of an audit" should be given a broad reading. We believe Congress intended that the phrase encompass the professional engagement period and any other time the auditor is called upon to make decisions or judgments regarding the issuer's financial statements, including during negotiations for retention of the auditor and subsequent to the professional engagement period when the auditor is considering whether to issue a consent on the use of prior years' audit reports.
The new rules, therefore, would apply throughout the professional engagement and after the professional engagement has ended when the auditor is considering whether to consent to the use of, reissue, or withdraw prior audit reports. In limited circumstances, the new rules also may apply before the professional engagement period begins. For example, the new rules would apply if an officer, director, or person acting under the direction of an officer or director, offers to engage an accounting firm subject to a condition that could result in rendering the financial statements materially misleading, such as a condition that the firm issue an unqualified audit report on financial statements that do not conform with generally accepted accounting principles, or a condition that the firm limit the scope or performance of audit or review procedures in violation of generally accepted auditing standards.
Commenters generally agreed with this approach. Some suggested that we define in the rule the phrase "engaged in the performance of the audit." We believe, however, that the longer discussion in this release provides a better context to understand the meaning of the phrase.
"Rendering financial statements materially misleading." One of the criteria that must be met in order for the improper influence on the auditor by officers, directors, or persons acting under their direction to be actionable under the new rule is that the improper influence, if successful, could result in "rendering [the issuer's] financial statements materially misleading."
Because the financial statements are prepared by management and the auditor conducts an audit or review of those financial statements, the auditor would not directly "render [the] financial statements materially misleading." Rather, the auditor might be improperly influenced to, among other things, issue an unwarranted report on the financial statements, including suggesting or acquiescing in the use of inappropriate accounting treatments or not proposing adjustments required for the financial statements to conform with generally accepted accounting principles.
An auditor also might be coerced, manipulated, misled, or fraudulently influenced not to perform audit or review procedures that, if performed, might divulge material misstatements in the financial statements. Other examples of activities that would fall within the rule would be for an officer, director, or person acting under an officer or director's direction, to improperly influence an auditor either not to withdraw a previously issued audit report when required by generally accepted auditing standards, or not to communicate appropriate matters to the audit committee.
New rule 13b2-2(b)(2) makes it clear that subparagraph (b)(1) would apply in such circumstances. As noted, the rule is not limited to the audit of the annual financial statements, but would include, among other things, improperly influencing an auditor during a review of interim financial statements or in connection with the issuance of a consent to the use of an auditor's report. Conducting reviews of interim financial statements and issuing consents to use past audit reports are sufficiently connected to the audit process, and improper influences during those processes are sufficiently connected to the harms that the Act seeks to prevent, that they should be within the scope of the rule. The list of examples in the rule is only illustrative; other actions also could result in rendering the financial statements materially misleading.
Many commenters indicated that the examples in paragraph (b)(2) were appropriate and should be retained. Some commenters suggested that the list of examples be expanded to include improperly influencing the auditor to permit the inconsistent use of generally accepted accounting principles ("GAAP") or the use of "non-preferable" GAAP in the issuer's financial statements. Others suggested including improperly influencing an auditor in connection with the auditor's report on an issuer's assertions about its internal controls.
Another commenter suggested that the examples be replaced with a statement that actions that could result in "rendering the financial statements materially misleading" include improperly influencing an auditor during the performance of any procedures by the auditor.
We believe that the list of examples in paragraph (b)(2) is sufficiently broad to include the majority of instances, including under appropriate circumstances those addressed by commenters, where improperly influencing an auditor could result in the issuer publishing misleading financial statements. As noted above, the list of examples is not all-inclusive. Other actions, in appropriate circumstances, could result in rendering the issuer's financial statements materially misleading.
"Knew or should have known." Section 303(a) states that conduct by an officer, director, or person acting under the direction of the officer or director designed to improperly influence an issuer's auditor is actionable if undertaken "for the purpose of rendering [the issuer's] financial statements materially misleading." We proposed, however, the rule state that an officer, director, or person acting under the direction of the officer, who engaged in conduct to improperly influence an auditor would be culpable if he or she "knew or was unreasonable in not knowing" that the improper influence, if successful, could result in rendering financial statements materially misleading. In the proposing release we noted that we would consider changing this wording to another phrase to convey that proving a particular purpose or intent is not required. We are adopting in the final rule the phrase "knew or should have known," which historically has indicated the existence of a negligence standard. As noted elsewhere in this release, this standard is consistent with the Commission's enforcement actions in this area.
Several commenters suggested that the rule should contain the statutory language, which they believe requires a fraudulent intent, instead of the proposed language, which they believe reflected a negligence standard. Other commenters, however, indicated that the proposed language should be adopted or that, at a minimum, a reasonableness standard is appropriate when evaluating the actions of officers and directors.
We believe that the adopted language, particularly in the absence of any private right of action under the rule, best achieves the purpose of restoring investor confidence in the audit process. For example, if an officer of an issuer coerces an auditor not to conduct certain audit procedures required by generally accepted auditing standards ("GAAS") because the officer wants to conceal his embezzlement of funds from the issuer, then it is possible that his actions might not be found to be for the "purpose of rendering the financial statements misleading." If that officer, however, knew or should have known that not performing the procedures could result in the auditor not detecting and seeking correction of material errors in the financial statements, then we believe the officer's conduct should be subject to the rule. Excusing this conduct from the scope of the rule would be inconsistent with the restoration of investor confidence in financial statements and in the integrity of the audit process.
Response to Other Significant Comments. In the proposing release, we asked if we should replace the statement in paragraphs (b)(1) and (c) of the rule that no person acting "under the direction" of an officer or director shall improperly influence the auditors of the issuer's financial statements, with a statement that no person acting "at the behest of" or "on behalf of" an officer or director shall improperly influence the auditors. Although some commenters supported use of the phrase "on behalf of," in general commenters opposed changing this aspect of the proposed rule.
We agree that there may be circumstances where a person acting on behalf of an officer or director would be considered to be acting under the direction of that officer or director as contemplated by the rule. We believe, however, that the rule, as proposed and adopted, is sufficiently clear. Replacing "under the direction of" with "on behalf of" might be construed as narrowing the scope of the rule, and having both phrases in the rule might create confusion in the interpretation of the rule. Accordingly, we have adopted the rule as proposed.
We also asked in the proposing release if we should replace the word "fraudulently" in paragraphs (b)(1) and (c)(2) of the rule with the word "improperly" or some other word to convey a mental state short of scienter. Although some commenters noted that there is a need for the Commission to adopt rules intended to enhance investor confidence in issuers' financial statements, commenters generally opposed this change as exceeding the purpose and scope of section 303 of the Act. The new rule retains the statutory language of "fraudulently influence" because we are concerned about a lack of specificity associated with the word "improperly" in the context of the rule. As discussed above, "fraudulently" modifies only influence and not "coerce, manipulate or mislead."
Finally, commenters questioned whether an auditor would have an obligation to report violations of the new rule as "illegal acts" under section 10A(b) of the Exchange Act. Section 10A defines an "illegal act" to be an act or omission that violates any law or any rule or regulation having the force of law. Accordingly, violations of the new rule are illegal acts within section 10A and should be dealt with as required by that section.