The Sarbanes-Oxley Act of 2002

 The Need for Regulation

The late 1990’s and early 2000’s was a period of dramatic financial statement frauds. A number of companies had engaged in significant overstatements of their published financial statements.   Investors, creditors, and regulators relied on the independent auditors’ opinions, which turned out to be not so reliable.  In other cases, the executives effectively looted the companies for hundreds of millions of dollars.  Some of the frauds that occurred included:

• Rite-Aid
• Sunbeam
• Waste Management
• Tyco
• Adelphia Communications
• WorldCom
• Enron

In most cases, the top executives of the companies denied any wrong-doing or knowledge of the frauds.  After Enron collapsed in late 2001, investors lost confidence in audited financial reports.  Without the ability to rely on public and audited information, investors felt that they could no longer comfortably invest in the stock market.  The capital markets declined as investors sold their stock investments.   These capital markets are essential for the smooth functioning of a modern economy.

Significant Provisions of the Act

To calm the capital markets, Senator Paul Sarbanes (Maryland Democrat) and Congressional Representative Michael Oxley (Ohio Republican) each introduced bills in the Senate and House of representatives, respectively.   Senator Sarbanes introduced the Public Company Accounting Reform and Investor Protection Act to the United States Senate.  Representative Oxley introduced his own bill, the Corporate and Auditing Accountability and Responsibility Act, to the United States House of Representatives.  These two bills were later combined to become the Sarbanes-Oxley Act, which was enacted July 30, 2002.  The Act, sometimes referred to as SarBox or SOX, contained a number of provisions intended to discourage and reduce unethical conduct, enhance accountability and punishment for such behaviors, strengthen enforcement, and thus restore investor confidence.

Title 1: Public Company Accounting Oversight Board (PCAOB)

Title 1 created the PCAOB to establish auditing standards for audits of public companies and to provide government oversight of the auditors of public companies.  The PCAOB only has oversight of public companies and does not regulate audits of privately-held companies, governments, and non-profit organizations.  The Auditing Standards Board (ASB), which is a creation of the American Institute of Certified Public Accountants (AICPA), was responsible for auditing standards of public companies prior to the creation of the PCAOB.  The ASB continues to contribute auditing standards for privately-held companies, governments, and non-profit organizations.    Auditing standards for governments are also provided by the U.S. Government Accountability Office (GAO).

Title 1 provides the following:

• Auditors of public companies must register with the PCAOB
• The PCAOB establishes standards for auditing, quality control, independence, and other standards for auditors
• The PCAOB is authorized to conduct inspections of auditor’s work
• PCAOB is the regulatory body for investigating and imposing punishment on auditors

Because Arthur Andersen shredded Enron documents, section 103 requires that auditors retain all work papers for at least seven years.

Title 2 – Auditor Independence

Title 2 establishes provisions to increase auditor independence and reduce conflicts of interest between an auditor and the client who is being audited.  While these provisions may not completely eliminate conflicts of interest and other impairments of independence, they represent significant reform.   A brief summary of the important sections follows below.

Section 201

This section prohibits auditors of public companies from providing additional services to the client that might impair independence.  Prohibited work includes:

• Bookkeeping or other financial record keeping related to the financial statements
• Designing and implementing financial information systems
• Appraisal or valuation services
• Serving as internal auditor of the client
• Human Resource management
• Serving as investment advisor, broker/dealer, or providing investment banking services
• Providing legal or expert services (consulting) not related to the audit

Some other selected services, not listed above, may be provided if pre-approved by the client’s Board of Directors or the PCAOB.

Section 203

This section requires that the audit firm rotate partners at least every five years.  The partner-in-charge and the reviewing partner cannot serve a client for more than five years.

Section 206

This section prohibits an auditor from accepting any employment as an executive or senior financial officer with the client for one year.

Section 207

This section requires a study of the effects of mandatory rotation of audit firms.  The premise was that mandatory rotation of audit firms might enhance independence.  The study was conducted by the U.S. Government Accountability Office and released in November, 2003.  In their report, the GAO concluded that

“…mandatory audit firm rotation may not be the most efficient way to strengthen auditor independence and improve audit quality considering the additional financial costs and the loss of institutional knowledge of the public company’s previous auditor of record, as well as the current reforms being implemented. The potential benefits of mandatory audit firm rotation are harder to predict and quantify, though GAO is fairly certain that there will be additional costs.”^[1]

Title 3 – Corporate Responsibility

Title 3 establishes new responsibilities for board members and executives and provides punishment for violations of the law.

Section 301

This section established two important provisions: board independence and whistleblower programs.

The first requirement is that the Board of Directors of a publicly-traded company must include “independent” board members.   In this case, independent means not serving in any other capacity of the company such as an executive, employee, consultant, or other paid circumstances.  The audit committee (a subcommittee of the board) must be comprised entirely of independent board members.  The audit committee is solely responsible for hiring and receiving reports from the audit firm.

The second requirement is that the audit committee must establish a whistleblower program to provide an anonymous method for employees of the company to submit complaints or tips about accounting, internal control, or audit issues.  As we learned earlier, tips are the leading method that organizations uncover fraud.

Section 302

This section entitled “Corporate Responsibility for Financial Reports,” is a short but powerful section.   In prior frauds, the CEOs typically denied any knowledge of the fraud and blamed the fraud on subordinates, who supposedly hid the frauds from the CEO.  Section 302 was included in Sarbanes-Oxley to force the CEO to take responsibility for the reports filed with the SEC, including quarterly and annual audited financial statements.  Section 302 requires that the Chief Executive Officer and Chief Financial Officer sign a certification stating the following:

• The executives have reviewed the report filed with the SEC.
• To the best of the executives’ knowledge, all statements in the filing are accurate and there are no material omissions from the report.
• To the best of the executives’ knowledge, the financial statements and all other financial information are fairly presented (this is similar to the stated opinion the auditors will give).
• The signing officers state that (1) they are responsible for establishing and maintaining internal controls, (2) that those controls are adequate to bring all maters to the executives’ attention, (3) the executives have evaluated the effectiveness of the controls within the last 90 days, (4) and the executives have included their conclusions about the effectiveness of the controls in the filed report.
• The executives have stated in the filed report if there have been any changes in internal control since the above evaluation.
• The signing officers have disclosed all significant deficiencies in internal control to both the audit committee of the Board of Directors and the financial statement auditors. The executives have also informed the auditors of any material weakness in internal control.
• The signing officers have disclosed all frauds involving internal control, even minor frauds, to both the audit committee of the Board of Directors and auditors.

The certification required by Section 302 was intended to make top executives accountable for material errors in the financial statements, major weaknesses in internal control, and management fraud.  In many companies, the executives have responded by requiring subordinates to sign similar certifications.

Section 303

This section prohibits executives from misleading, influencing, manipulating, or coercing the auditors.  In several prior frauds, executives took actions such as promising lucrative consulting contracts for the right audit opinion, contacting executives of the audit firm to influence the audit process, and other techniques designed to gather an unqualified (clean) opinion from the auditors.

Section 304

This section provides for disgorgement.  If the filing company is required to file an restatement (reissuance) of a prior financial report, and that restatement is due to non-compliance with the law or as a result of misconduct, then that executives must disgorge (give back) any profits they made from bonuses or stock sales.

Section 306

This section prohibits and executive or director from buying or selling stock of the company during a period when employees were not allowed to buy or sell company stock.  This provision is likely based on the Enron fraud, where employees were prohibited from selling stock in their Enron 401(k) plan, but the executives were selling their own stock.  This blackout period caused many employees to lose most or all of their 401(k) savings.

Section 308

This section allows the SEC to seek civil damages from any executive that violates the law.  These damages are to be used to compensate the victims of the fraud.

Title 4 – Enhanced Financial Disclosures

Section 402

This section prohibits personal loans to executives.  In some of the frauds that preceded Sarbanes-Oxley, executives received substantial loans from the company.

Section 404

This section is a short but powerful section.  It is also the most controversial section of Sarbanes-Oxley.  This section requires management to include a certification with the financial report that:

1. Affirms that management is responsible for establishing and maintaining internal control over financial reporting, and
2. Contains management’s assessment of those internal controls.

The independent auditors are required to examine and attest to the accuracy of management’s assessment of internal control.  Essentially, management must evaluate internal controls and the auditors must audit the management assessment.  In many cases, companies hire a second CPA firm to perform management’s assessment of internal control and this is then audited by the CPA firm that opines on the financial statements.  This section is controversial in that it seems to duplicate efforts and increase costs.  These costs were particularly burdensome for small companies.  To alleviate the cost burden on smaller companies, PCAOB statement 5 allowed auditors to scale their examinations of management’s assessment.

Section 406

This section requires any public company to include a comment in their financial reports about their code of ethics for senior management.  If the company does not have a code of ethics, they must state why not.

Section 407

This section requires a public company to disclose if they have one or more financial experts on the board of directors.  Financial experts are board members who have:

• an understanding of GAAP,
• experience preparing financial statements, including estimates, accruals, and reserves,
• experience with internal controls
• an understanding of audit committee functions

If there are no financial experts on the board, the company must disclose why there is no financial expert.

Title 7 – Studies and Reports

Title 7 of the Sarbanes-Oxley Act of 2002 required several studies and reports, including

• Consolidation of public accounting firms (section 701)
• The role and function of credit rating agencies in the operation of the securities market (section 702)
• Securities violators and violations from 1998 to 2001 (section 703)
• Study of enforcement actions from 1997 to 2002 (section 704)

All of these reports have been completed.  Of most interest to accountants is the first report, required by section 701.  The report was conducted by the U.S. Government Accountability Office (GAO).   The GAO concluded that the four remaining audit firms (after the demise of Arthur Andersen) was inconclusive, but indicated that further consolidation to three or fewer firms may resulted in anti-competitive risks and required more study.Study of whether investment banks and financial advisors assisted in the frauds including Enron and Global Crossing (section 705)

Title 8 – Corporate and Criminal Fraud Accountability

Section 802

This section provides that any action to obstruct justice in an SEC investigation is subject to a fine and up to 20 years in prison.  This section was likely created in response to Arthur Andersen shredding documents on the eve of a subpoena from the U.S. Department of Justice.  Andersen was convicted of obstruction of justice, a felony which resulted in the demise of Arthur Andersen.  Section 802 strengthened existing penalties for obstruction of justice.

Section 803

This section states that any debts that are incurred for violation of federal or state securities fraud laws cannot be discharged in bankruptcy.

Section 806

This section provides job protections for whistleblowers.  If a company discriminates against a whistleblower in any way, the employee may sue for damages, potentially including (1) reinstatement, with seniority, (2) back pay, with interest, and (3) special damages including legal costs.

Section 807

This section enhances the criminal penalties for defrauding shareholders to as much as 25 years in prison, plus a fine.

Title 9 – White-Collar Crime Penalty Enhancements

Title 9 generally increase penalties for all of the following

• Conspiracy
• Mail fraud
• Wire fraud
• Violations of the Employee Retirement Income Security Act (ERISA)

Section 906

This section adds new penalties for filing a false certification (as required by Title 4).  If an executive knowingly signs a certification that does not comply with the provisions of the law, the penalty is up to $5,000,000 and 20 years in prison.

Yes, there is more

This chapter includes all of the Sarbanes-Oxley sections that are of most interest to accountants and auditors.  There are additional sections that we have not covered.   The sections that we did cover are summarized to help you understand the significant points of each section.  The full Sarbanes-Oxley Act of 2002 is 66 pages in length.

Does Sarbanes-Oxley cover everything?

The Sarbanes-Oxley Act of 2002 seems to create many new regulations that address every possible behavior that might contribute to fraudulent behavior.  In fact, many sections seem to be specifically targeted at the types of frauds that occurred at Sunbeam, Waste Management, WorldCom, and Enron.  The Act modifies existing securities laws by adding new provisions.   This leaves three important questions:

1. Will the provisions of Sarbanes-Oxley prevent all potential future corporate fraud?
2. What additional provisions will be needed as additions to Sarbanes-Oxley in the future?
3. Will regulators have the skill and resources to fully enforce the law?

The Sarbanes-Oxley Act of 2002, as with all laws, is a living document.  Congress can make modifications to the law at any time.   Regulatory bodies such as the SEC and PCAOB can create more detailed regulations, standards, and rules to further the intent of the law.