Sarbanes-Oxley: Auditing the Auditors?
By
Donald K. McConnell Jr. CPA, CFE, Ph D
Published in Oil, Gas, and Energy Quarterly
December 2003
With the passage of the Sarbanes-Oxley Act of 2002 (the Act) on July 30, 2002, the accounting profession's era of self-regulation effectively ended. Some legal experts have characterized the Act as the most significant securities legislation since the 1933 and 1934 Securities Acts. Congress enacted Sarbanes-Oxley in light of recent highly publicized corporate business failures and malfeasance to help restore investor trust and confidence in proper functioning of the capital markets. While some provisions of the Act were already in the process of voluntarily being assimilated by many public accounting firms, this watershed legislation provides legally backed momentum to that metamorphosis. Sarbanes-Oxley provides sweeping and, as of yet, not clearly defined powers regulating accountants, corporate management, boards of directors, and attorneys. This article outlines the general provisions of the Sarbanes-Oxley Act and how it impacts accountants and corporate governance.
General Provisions
The Sarbanes-Oxley Act mandates that the Securities and Exchange Commission (SEC) appoint a full-time five member Public Company Accounting Oversight Board (the Board) within 270 days of enactment of the Act. Board members are to be appointed by the SEC after consultation with the Chairman of the Federal Reserve Board and the Secretary of the Treasury. Members will serve five-year terms, and must be financially literate. Only two members can be, or have been, CPAs. The board chair can be a CPA; however, the chair cannot have practiced public accounting for five years. Members may not concurrently receive any form of remuneration from a public accounting firm other than for fixed continuing retirement payments.
While many implementational issues have to be resolved by the SEC, the Board will have broad powers to regulate, investigate, and punish offenders. CEO and CFO certification requirements and related potential penalties became immediately effective upon passage of the Act; however, the effective date for many other provisions in the Act are linked to either the Board’s establishment date, CPA firm registration dates, or SEC ruling dates. Among the duties of the Board are the following. The Board will be empowered to conduct inspections of public accounting firms, conduct investigations and disciplinary proceedings, and impose appropriate sanctions. Further, the Board will be able to establish, or adopt by rule, auditing, quality control, ethical, independence and other standards relating to public company (issuer) audit reports. In so doing, the Board will be required to actively involve itself in the deliberations of professional accounting and auditing standard-setting bodies. In what is likely to be a continuation of current practice, the Board can adopt, as deemed appropriate, standards proposed by private sector standard-setting bodies, but will have the authority to amend or reject standards recommended by those groups. To implement the Act’s provisions, Congress has appropriated to the SEC an additional $98 million in 2003 for purposes of hiring 200 additional employees to conduct oversight of registered public accounting firms.
Provisions Relating to Accountants
A public accounting firm auditing even one public company will be required to register with the Board, and must pay a registration fee and an annual fee in amounts sufficient, but not yet defined, to cover the costs of processing and reviewing annual reports. Firm registration will be required within 180 days of establishment of the Board. Once registered, a CPA firm auditing more than 100 issuers will be required to submit to an annual quality review or inspection. Otherwise, a registered CPA firm will be reviewed every three years. Furthermore, foreign accounting firms auditing U.S. companies must register with the Board, including foreign firms performing audit work to be relied upon by primary auditors. Either the SEC or the Board may order special inspections at any time. Auditors will be required to retain all audit documentation for a period of seven years. Further, it will be felonious to knowingly destroy or create documents to impede, obstruct, or influence any existing or contemplated federal investigation. Conviction of such activities can result in up to 20 years imprisonment and fines.
Many large CPA firms have in recent years sold their information technology (IT) consulting practices either privately or through initial public offerings. That process has accelerated in the past six months as firms sought to distance themselves from consulting services for audit clients in controversial areas such as IT. Although congressional committees had considered adopting complete prohibitions of non-audit services, the Act only bans registered public accounting firms from providing non-audit services to audit clients in several specific areas. In addition to information systems design and implementation consulting, other services which no longer can be provided to issuer audit clients include: (1) internal audit outsourcing, which the SEC had previously allowed, subject to a forty percent cap, and (2) other expert services unrelated to the audit, though this term has yet to be defined by the SEC. Also, the following services, which had already been proscribed by SEC rules, are banned by the Act: (3) bookkeeping or other accounting related services, (4) appraisal or valuation services, fairness opinions, or contribution-in-kind reports, (5) management or human resources functions, (6) broker/dealer, investment advising or investment banking services, (7) appraisal services, or (8) any other services that the Board determines to be impermissible. However, the Board may exempt these prohibitions on a case-by-case basis. It is noteworthy that some CPA firms had already ceased accepting new internal audit out-sourcing engagements.
CPA firms will be required to obtain audit committee pre-approval of audit engagements. Requirements also exist in providing allowable non-audit services provided to audit clients. Each activity, including tax services, must be pre-approved by the client's audit committee, all of whose members must be independent, as defined in section 301 of the Act. However audit committee pre-approval is waived if the aggregate fees for such allowable non-audit services is less than five percent of the total revenues paid to the auditor during the fiscal year in which the non-audit services are performed, the services were not recognized by the issuer at the time of the engagement to be non-audit services, and such services are promptly brought to the attention of the audit committee of the issuer and approved by the audit committee prior to the completion of the audit.
Sarbanes-Oxley requires engagement partners to rotate off issuer audits at least every five years; a practice already followed by some major CPA firms. Independent reviewing partners must similarly rotate off issuer audits at least every five years. AICPA SEC Practice Section requirements currently require seven-year engagement partner rotations. Further, the United States General Accounting Office (GAO) has been mandated to undertake a study of the potential effects of requiring mandatory CPA firm rotation. Hopefully, GAO will take into consideration the findings in the Cohen Commission Report which demonstrated the risks inherent in audits of new clients. CPA firms will be required to communicate to audit committees the nature and ramifications of accounting treatments alternative to those selected by issuer management. Additionally, auditors must communicate the nature of key issuer accounting practices and material written communications from the auditor to management, such as management letter comments and adjustments passed in the audit. The Act also mandates that an issuer cannot hire a CEO, controller, CFO, chief accounting officer, or equivalent who had been employed by the issuer’s CPA firm in the one-year period prior to the audit.
Provisions Relating to Audit Committees
Sarbanes-Oxley clearly strengthens the independence of audit committees while expanding and enhancing the strategic role and responsibilities of audit committee members. Many believe the Act will potentially affect audit committees more than corporate management; however, companies whose managements are already subjected to high levels of board oversight may be only slightly impacted. The Wall Street Journal recently cites the Chairman and CEO of Baxter International as saying, "this [Act] will have zero impact on how I think and behave, mostly because we already have a phenomenally high level of corporate governance." Some public companies are already reporting difficulties in obtaining audit committee members due to the increased perceived liability exposure, workload, and willingness to shoulder the additional responsibilities imposed by Sarbanes-Oxley.
The Sarbanes-Oxley Act requires that each member of the audit committee shall be an independent member of the Board of Directors; however, the SEC may grant independence exemptions for certain individuals on a case-by-case basis. The Act mandates that the audit committee will be responsible for appointment, compensation, and oversight of the CPA firm's work, and must preapprove all audit or non-audit services. While preapproval of non-audit services can be delegated to a single member, such preapprovals must be reported to the entire audit committee at the following meeting thereof. Audit committee ratification of non-audit services will have to be periodically disclosed to the SEC; however, the nature of this process is yet to be determined.
Additionally, audit committees must establish procedures for receipt, retention, and treatment of complaints regarding accounting, internal controls, or auditing matters. The law further requires that each audit committee have authority to engage independent counsel, or other experts, as deemed necessary, and that each company shall appropriately fund its audit committee. The SEC will also be requiring disclosure of whether at least one audit committee member is a "financial expert," or the reasons why no member is a "financial expert."
Provisions Relating to Management
In the summer of 2002, the SEC put into place provisions requiring that CEOs and CFOs "certify" to the accuracy and completeness of their most recent Forms 10-K and 10-Q. This requirement was for public companies whose revenues exceeded $1.2 billion. Sarbanes-Oxley has put those provisions into law, and will further require all public company CEOs and CFO's to prepare statements accompanying their audit reports certifying as to the appropriateness and materially fair presentation of their financial statements and disclosures. The same requirement exists for more than 1300 foreign companies traded on U.S. exchanges. The importance of this seemingly simple process cannot be overstated. Willfully misrepresenting and intentionally signing off on such statements can now subject CEOs and CFO's to criminal federal securities fraud and other civil charges to a maximum of $5,000,000 and/or imprisonment of up to twenty years. Also, the signing officers will be required to communicate to the issuer’s auditors and audit committee the nature of significant deficiencies in the design or operation of internal controls, or any fraud, whether or not material, that involves management or other employees who have significant internal control roles.
Another important provision in Sarbanes-Oxley is that it will be unlawful for a public company officer or director to fraudulently influence, coerce, manipulate, or mislead auditors for the purpose of creating materially misstated financial statements. Heretofore, no significant penalties arose from such practices. This provision is of vital importance to auditors, because management coercion and intimidation has been found to be a common denominator in numerous fraud cases where corporate managements have engaged in fraudulent financial reporting. Further, CEO’s (or chief legal counsel) will be required to take appropriate action in response to attorney reports of evidence of material securities law violations, breach of fiduciary duty, or "similar" violations. Failing to do so will require attorneys to report these matters to the audit committee.
Other provisions in the Act relate to officer/director restitution of ill-gotten bonuses and profits, as well as securities trading "blackout" practices and loans to officers or directors. Where financial statement restatements have arisen due to material noncompliance with financial reporting requirements, CEOs and CFOs shall be subject to reimbursing their companies for any bonus or other incentive-based or equity-based compensation received in the twelve months subsequent to the issuance or filing of a non-compliant document, as well as any profits realized from sale of the company's securities. Additionally, officers, directors, and other insiders will be prohibited from purchasing or selling company stock during pension blackout periods. Furthermore, should any such profits arise and the company fails to diligently prosecute for recovery of those profits, any security owner of the company can initiate suit for recovery of such profits. The latter requirements were enacted because of the egregious practices at Enron when officers allegedly profited from sales of Enron stock during trading "blackout" periods at a time when other employees were precluded from selling Enron stock. Reflecting congressional concerns with practices at Adelphia and WorldCom, issuers will be prohibited from extending credit to officers or directors. However consumer credit companies will be allowed to extend credit to officers or directors for home improvements, consumer credit loans, and credit cards, if done in the ordinary course of business on terms similar to those granted to the general public.
In light of other problems that existed at Enron, Sarbanes-Oxley also imposes additional financial statement disclosure requirements. Enron shielded its financial statements from significant debt, impaired assets, and related losses through the use of special-purpose entities (SPE’s) that apparently should have been consolidated. This was done by circumventing the three percent outside equity test for non-consolidation through substantive guarantees to various financial institutions against investment losses in those SPE's. Consequently, the Act requires that quarterly and annual financial statements must clearly disclose all material off-balance sheet transactions and other relationships with unconsolidated entities. Additionally, the SEC has been mandated to study the extent of existing off-balance sheet disclosures, and whether existing accounting principles generally accepted in the United States (GAAP) provide adequate transparency and disclosure of economic substance. The Act mandates that issuers must make timely disclosure “in plain English” of material changes in financial position or operations.
Other provisions of the Act require that issuer financial statements must reflect all material audit adjustments proposed by registered accounting firms, and that pro forma financial information must not contain any untrue statement, or material omission of fact. Issuers will be required to reconcile pro forma disclosures with GAAP. These pro forma requirements reflect the SEC's increasing concern that some pro forma disclosures have recently pushed the envelope of fair presentation. For example, in one case, the SEC criticized a registrant for presenting quarterly pro forma information reflecting the results of an unusual gain, while deleting the effects of an unusual charge to earnings. Additionally, management will we required to disclose if it has adopted a code of ethics for senior financial officers, the content of that code, and to promptly disclose on Form 8-K the nature of any change in, or waiver of an issuer's code of ethics. This provision also had its genesis in the revelation of SPE dealings between Enron’s CFO and Enron, whose board allegedly waived relevant corporate conflict of interest policies. Furthermore, the Act provides issuer employees and public accounting firm personnel with "whistleblower protections," as described more fully in Title VIII of the Act.
Sarbanes-Oxley also addresses significant issues relating to issuer internal controls, as well as mandating additional auditor attestation requirements. Each issuer Form 10-K will require management to present an internal control report acknowledging management responsibility for establishing and maintaining adequate internal controls over financial reporting. Perhaps more significantly, issuer auditors will be required to issue attestation reports on the effectiveness of issuer internal controls over financial reporting. This provision is ironic insofar as a similar proposal was defeated late in the process of enacting the Foreign Corrupt Practices Act, on the grounds that it would unnecessarily increase the cost of auditing the financial reporting process in light of perceived benefit. Nevertheless, it is disconcerting that committee language accompanying the bill states that "... the committee does not intend that the auditor's evaluation [of internal controls] be the subject of a separate engagement or the basis for increased charges or fees." Consequently, the intent is presumably that this significant increase in professional services should be done pro bono! Nevertheless, audit fees were already in the process of increasing by from fifteen to twenty-five percent in light of rising professional liability insurance premiums, and the costs of auditing more expansive disclosure packages.