
Sarbanes-Oxley

Overview
Sarbanes-Oxley Act Summary

The Sarbanes-Oxley Act of 2002
• §201 Prohibited Non-Audit Services
• §202 Audit Committee Pre-Approval
• §203 Audit Partner Rotation
• §204 Auditor Reports to Audit Committee
• §206 Auditor Conflicts of Interest
• §301 Independent Audit Committee
• §302 Certification of Periodic Reports
• §303 Improper Influence on Conduct of Audits
• §306 Pension Fund Black-Out Restrictions
• §307 Conduct of Attorneys
• §401 Disclosure of Off-Balance Sheet Transactions
• §401 Disclosure of Pro-Forma Financial Information
• §401 Disclosure of Material Correcting Adjustments
• §402 Prohibition on Loans to Directors and Executives
• §403 Insider Transactions – 2 Day Reporting
• §404 Management Report on Internal Controls
• §406 Code of Ethics Disclosure for Financial Officers
• §407 Financial Expert Disclosure Requirements
• §409 Real-Time Disclosure
• §806, §1107 Employee Whistleblower Protection
Sarbanes-Oxley Background

Accounting Scandals / Scams
• Enron – Off Balance Sheet Entity
• Tyco – Improper Capitalization
• Worldcom – Improper Capitalization
• Xerox – Improper Revenue Booking
• Qwest

Law / Regulation
• US Congress approval Jan 23 '02
• Enacted July 30 '02
• Underlying objective: protecting investors and improving the accuracy and reliability of corporate disclosures
• New standards for corporate accountability and penalties for wrongdoing
• Applies primarily to companies filing annual reports with the SEC

Sarbanes-Oxley Major Provisions
• Creates a new Public Company Accounting Oversight Board (PCAOB) for external auditors (Sections 103-105, 201-203).
• Expands reporting requirements and accountabilities: requires CEO and CFO attestations and filing of an internal control report with the annual report (Section 302).
• Requires external auditors to attest to and report on management's assessment in the internal controls report (Section 404).
• Makes audit committees independent and requires disclosure of a "financial expert" on the audit committee (Sections 301 & 407).
• Requires disclosures regarding a code of ethics (Section 406).
• Increases civil and criminal penalties (Sections 903-904).

Bodies Governing the Act: PCAOB & SEC
Sec 404 of the Sarbanes-Oxley Act

Sec 404 of the Act establishes the following:
• Responsibility of management for establishing and maintaining an adequate internal control structure and procedures over financial reporting
• Responsibility of management to disclose to shareholders the effectiveness of the internal control structure and procedures

Documentation and testing must include the following steps:
• Evaluate whether each control is preventive or detective
• Document that tests were planned and performed
• Disclose any material weakness
• Identify the internal control framework used
• State that the external accounting firm has issued an attestation report

External Auditor Opinion
Opinion 1: Management's assessment of internal control over financial reporting
Opinion 2: Effectiveness of internal control over financial reporting

Company Annual Report (on Form 10-K) is filed
Key Impacts

Account owner (Financial Disclosures)
• Real-time disclosures of financial statements as per US GAAP.
• Internal control report duly attested by external auditors included in 10-K filings.
• Disclosure of all off-balance-sheet transactions and contractual obligations.
• Adoption of a code of ethics for senior finance officers.
• Prohibition of credit or personal loans to directors/CEO.
• Certification of financial statements to be included in 10-K and 10-Q filings.

Corporate & Board of Directors & Senior Officers (Criminal Fraud Accountability)
• Potential forfeiture of bonuses and profits due to financial statement restatement.
• Unlawful to exert improper influence upon an audit.
• Disclosure of changes in securities ownership of directors.

Related to Audit Committees
• Appoint a financial expert on the committee and disclose in 10-K filings.
• Members must be independent of the company.
• Directly responsible for auditor appointment.
• One-year lag before hiring an audit team member onto the board.
• Disclose pre-approvals for audit and non-audit services.
• Establish complaint procedures for accounting and auditing matters.
• Disclosure of fees paid to auditors in the two fiscal years.
Sarbanes-Oxley Section 404 Approach
SOX Process flow

Figure: SOX process flow diagram (nodes recovered from the slide). The flow runs from Process to Risk to Control. Each control is classified as Key, Compensating, or No Control, and by design as Preventive or Detective. Testing covers Design (a Design GAP) and Operation (an Operation GAP), and the result is rated Highly Effective, Effective, or Ineffective. A gap is classified as a Potential Significant Deficiency or a Material Weakness; significant deficiencies are Reported to the Audit Committee, material weaknesses are Reported to Shareholders, and an Action plan to mitigate risk is developed.
Preventive & Detective Controls

Preventive Controls
• Detect problems before they arise.
• Prevent an error or omission from occurring.
Examples:
• Control access to physical facilities.
• Use encryption software to prevent unauthorized disclosure of data.

Detective Controls
• Detect and report the occurrence of an error or omission.
Examples:
• Internal audit functions.
• Review of activity logs to detect unauthorized access attempts.
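The two control types above can be contrasted in code. The following Python script is an added example and is not part of the original slide deck: `authorize_posting` is a preventive control (it refuses a journal posting by an unapproved account before the action happens), and `review_access_log` is a detective control that reviews an activity log after the fact and reports repeated denied attempts and successful postings by accounts outside the approved list. The log format, the account names, the approved-poster list and the failure threshold are all assumptions constructed for this illustration.

```python
"""Preventive vs. detective control on a constructed access log.

Added example, not part of the original slide deck. The log format, the
account names, the approved-poster list and the threshold are assumptions.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime

# Assumed: accounts approved to post journal entries in the GL application.
APPROVED_POSTERS = {"alice", "bob"}

# Assumed: how many denied attempts by one account count as a reportable burst.
FAILURE_THRESHOLD = 3

# Constructed sample log: ISO timestamp, user, action, resource, outcome.
SAMPLE_LOG = """\
2024-03-01T09:00:12Z alice POST gl/journal OK
2024-03-01T09:01:40Z mallory POST gl/journal DENIED
2024-03-01T09:01:45Z mallory POST gl/journal DENIED
2024-03-01T09:01:51Z mallory POST gl/journal DENIED
2024-03-01T09:02:03Z mallory POST gl/journal OK
2024-03-01T09:10:00Z bob READ gl/journal OK
2024-03-01T09:12:30Z carol POST gl/journal OK
"""


def authorize_posting(user: str) -> bool:
    """Preventive control: decide before the posting is allowed to happen."""
    return user in APPROVED_POSTERS


def parse_log(text: str) -> list[dict]:
    """Parse the assumed five-field log format into event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, outcome = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user,
            "action": action,
            "resource": resource,
            "outcome": outcome,
        })
    return events


def review_access_log(text: str) -> list[str]:
    """Detective control: report, after the fact, what should not have happened.

    Two findings are produced:
      1. an account with FAILURE_THRESHOLD or more denied attempts
         (unauthorized access attempts, as on the slide);
      2. a successful POST by an account the preventive control would have
         refused, which indicates the preventive control was bypassed or
         misconfigured (a design or operation gap).
    """
    events = parse_log(text)
    findings: list[str] = []

    denied = Counter(e["user"] for e in events if e["outcome"] == "DENIED")
    for user, n in sorted(denied.items()):
        if n >= FAILURE_THRESHOLD:
            findings.append(f"{user}: {n} denied attempts (possible credential guessing)")

    for e in events:
        if e["action"] == "POST" and e["outcome"] == "OK" and not authorize_posting(e["user"]):
            findings.append(
                f"{e['user']}: successful POST to {e['resource']} at "
                f"{e['ts'].isoformat()} without approval (design or operation gap)"
            )
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(finding)
```

The point of the pairing is that the detective control checks the same authorization list the preventive control enforces: a successful posting by an unapproved account is evidence that the preventive control did not operate, which is exactly the kind of exception a SOX tester records against the control and escalates as a potential deficiency.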
Benefits of Internal Control
• Complies with rules and regulations.
• Promotes reliability and integrity of financial reporting.
• Monitors results.
• Safeguards assets.
• Uses resources effectively and efficiently.
Approach to SOX

Step 1
• Identify processes that are SOX significant
• Conduct Process Risk Self Assessment (PRSA)

Step 2
• PRSA team works with management to document and assess risks in their business

Step 3
• Controls for each significant risk are documented

Step 4
• Key controls are identified and test plans are developed and executed
• Control operator makes an assertion as to the effectiveness of each key control

Step 5
• Action plans are developed for missing, poorly designed, or ineffective controls

Outcome: the process owner certifies the effectiveness of the collective controls

What is Process Risk Self Assessment

What is PRSA?
• A robust approach that supports on-going self assessment by process owners.
• A methodology for focusing on significant risks and key controls.
• PRSA will improve risk management and reduce loss, provide an automated single solution to meeting multiple regulatory requirements (Sarbanes-Oxley, Basel), strengthen customer relationships and improve shareholder value.
• Most importantly, PRSA provides senior leaders with the evidence to support their internal control assessment/report.
Implications of Control Effectiveness

Based on the results of testing, the Control Operator will assert the effectiveness of the control as follows:

Highly Effective
• Applies only to fully automated controls.
• Efficient use of internal resources.
• No exception in testing.

Effective
• Applies to other than fully automated controls.
• No exception in testing.

Not Effective
• Insufficient documentation to support management's certification.
• Exception detected in testing.
SOX Roles & Responsibilities

SOX Champion
Serves as the liaison between the Process Owners and the SOX 404 Project Office

Process Owner
Responsible for concluding whether or not their process has effective internal controls over financial reporting

Tester
Executes the test plan and communicates the test results to the control operator/process owner

SOX Project Office
Supports the SOX effort through guidance documents, help, etc.

Internal Auditor
Provides an objective assessment of the PRSA process

External Auditor
Gives an opinion on management's assessment of, and on the effectiveness of, internal control over financial reporting
