The Sarbanes Oxley Act
Responding to corporate failures and fraud that resulted in substantial financial losses to institutional and individual investors, Congress passed the Sarbanes Oxley Act in 2002.
The Act contains provisions affecting corporate governance, risk management, auditing, and financial reporting of public companies, including provisions intended to deter and punish corporate accounting fraud and corruption.
Title I of the Sarbanes Oxley Act establishes the PCAOB as a nonprofit organization that oversees the audits of public companies that are subject to the securities laws.
The Sarbanes Oxley Act gives the PCAOB four primary responsibilities:
- registration of accounting firms that audit public companies in the U.S. securities markets;
- inspections of registered accounting firms;
- establishment of auditing, quality control, and ethics standards for registered accounting firms; and
- investigation and discipline of registered accounting firms for violations of law or professional standards.
Title II of the Sarbanes Oxley Act addresses auditor independence.
It prohibits the registered external auditor of a public company from providing certain nonaudit services to that public company audit client.
Title II also specifies communication that is required between the auditors and the public company's audit committee (or board of directors), and requires periodic rotation of the audit partners managing a public company's audits.
Titles III and IV of the Sarbanes Oxley Act focus on corporate responsibility and enhanced financial disclosures.
Title III requires certifications by corporate officers in annual and quarterly reports.
Title IV addresses disclosures in financial reporting and transactions involving management and principal stockholders, and other provisions such as internal control over financial reporting.
More specifically, section 404 of the Sarbanes Oxley Act establishes requirements for companies to publicly report on management’s responsibility for establishing and maintaining an adequate internal control structure, including controls over financial reporting, and the results of management's assessment of the effectiveness of internal control over financial reporting.
External auditors must report whether they agree with management’s assessment of the company’s internal control over financial reporting.
The SEC and the PCAOB have issued regulations, standards, and guidance to implement the Sarbanes-Oxley Act.
For instance, both the SEC's regulations and the PCAOB’s Auditing Standards state that management is required to base its assessment of the effectiveness of the company’s internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due process procedures, including the broad distribution of the framework for public comment.
Both the SEC's guidance and PCAOB's auditing standard cite the COSO principles as providing a suitable framework for purposes of section 404 compliance.
In 1992, COSO issued its “Internal Control—Integrated Framework” (the COSO Framework), to help businesses and other entities assess and enhance their internal control.
Since that time, the COSO framework (including the updated framework) has been recognized by regulatory standards setters and others as a comprehensive framework for evaluating internal control, including internal control over financial reporting.
The COSO framework includes a common definition of internal control and criteria against which companies could evaluate the effectiveness of their internal control systems.
The framework consists of five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring.
While the SEC and the PCAOB do not mandate the use of any particular framework, the PCAOB states that the framework used by a company should have elements that encompass the five COSO components of internal control.
Internal control generally serves as a first line of defense in safeguarding assets and preventing and detecting errors and fraud.
Internal control is defined as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the following objectives:
(1) effectiveness and efficiency of operations;
(2) reliability of financial reporting; and
(3) compliance with laws and regulations.
Internal control over financial reporting is further defined in the SEC regulations implementing section 404.
These regulations define internal control over financial reporting as providing reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements, including those policies and procedures that:
- pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
- provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
- provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.
Steven B. Harris, PCAOB Member, said in a 2012 presentation titled "Remarks on The Sarbanes-Oxley Act of 2002: Ten Years Later":
"1. It restored investor confidence.
The Sarbanes-Oxley Act was not just a response to Enron despite the failures its collapse exposed. As the Los Angeles Times reported January 26, 2002, less than two months after Enron filed for bankruptcy: "There was a total failure by everyone, a complete breakdown in the system, in all the checks and balances. It was a failure by Wall Street analysts who just went along for the ride, and by the auditors who were collecting so much money they couldn't walk away from it, and by government agencies who are supposed to monitor those companies."
The Senate and House were already working on legislative responses to those failures when other corporate giants began to falter and collapse, including Tyco, Adelphia and, what was then the largest restatement in corporate history, WorldCom.
Former House Financial Services Committee Chairman, Michael Oxley recently described the effects of those business failures saying, "It was a severe shock to our system, to the core of the capital system that depends on honesty and integrity and on having investors believing in the companies they invest in." He added, "That was really the shock to me, as a pro-business Republican, who was looking at what I thought was the disintegration of the capital market."
Chairman Oxley was not exaggerating. In July 2002 alone, the Dow dropped over 15 percent. And between the time the House passed its bill in April and the Senate acted in July, the Dow declined almost 23 percent, or over 2,000 points. If nothing else, the Sarbanes-Oxley Act stopped cold the stock market hemorrhage at the time.
The need for the Act was clear in the final votes: 99-0 in the Senate and 423-3 in the House. Chairman Oxley called it a "blow out."
2. It established the PCAOB, ending more than 100 years of self-regulation by the accounting profession.
Ten years later, 44 non-U.S. countries have established independent regulatory regimes for auditors patterned after the PCAOB.
3. It dealt with the conflicts of interest in the accounting profession by prohibiting accounting firms from performing certain auditing and consulting services for the same company the firm was auditing.
For example, it prohibited a company from setting up a valuation system for valuing financial assets and then auditing that system.
4. It mandated independent audit committees and required issuers to disclose whether a "financial expert" is on the audit committee.
Audit firms now must report to an independent audit committee.
5. It increased corporate accountability and dealt with tone at the top by requiring CEOs and CFOs to personally certify their companies' financial statements.
It is my belief that this is one of the most important provisions in the Act that has had the greatest impact — and it came directly from then Securities and Exchange Commission Chairman Harvey Pitt.
6. It instituted "clawback" provisions, requiring CEOs and CFOs to give up bonuses or other financial incentives based on financial results that later had to be restated.
7. It essentially ended the backdating of stock options.
8. It established whistleblower protections for employees of public companies.
9. It required public companies to disclose off-balance sheet arrangements in quarterly and annual financial reports to the SEC and investors.
10. It restricted loans that public companies can make to officers and directors.
And, of course, it required publicly traded companies to have a system of internal controls over financial reporting. This precedent had already been established in the Foreign Corrupt Practices Act (1977) and the Federal Deposit Insurance Corporation Act (1991).
Under the Sarbanes-Oxley Act, management has to establish, assess and report on the issuer's system of internal controls over financial reporting, and auditors must report on the effectiveness of that system of internal controls. Studies show that better internal controls result in better financial reporting and more investor confidence in financial reports.
For the most part, I find that when people talk about repealing the Sarbanes-Oxley Act, they are talking about those provisions dealing with internal controls. When I ask what other provisions they believe should be altered, there is no clear response.
I would note that since the passage of the Act, financial restatements have steadily decreased since 2005. Fewer securities class action lawsuits are being filed — down by as much as 60 percent by some reports — and audit quality is generally recognized as having improved, although clearly more work needs to be done.
The stated purpose of the Act is "to protect investors by improving the accuracy and reliability of corporate disclosures."
I certainly think it has done that, and I would echo Senator Sarbanes in his recent comment on the future of the Sarbanes-Oxley Act:
"My hope is that the Act becomes so much a part of the way business is done in this country; so much a part of establishing the standards, that it is not seen as something separate and apart. It really becomes part of the very structure of the business world. And what comes out of that, of course, are higher standards, more ethical behavior and to the benefit of everyone.""