Sarbanes-Oxley Simplified
Revised 2nd Edition
by
Mike Morley, CPA
Smashwords Edition
Published by Nixon-Carre Ltd. on Smashwords
Copyright © 2011 by Mike Morley
Published by Nixon-Carre Ltd. Toronto, ON
www.learnancientwisdom.com
www.mikemorley.com
Chapter 1 - The Birth of Sarbanes-Oxley
Chapter 3 - Corporate Responsibilities
Chapter 4 - The Events that Preceded Enron
Chapter 5 - Enhancing Investor Confidence
Chapter 6 - Conflict of Interest
Chapter 7 - The Compliance Process
Chapter 8 - Information Technology
Chapter 10 - Accounts Receivable
Chapter 13 - Bill 198 in Canada
Chapter 14 - Internal Reporting
Chapter 15 - Living with Sarbanes-Oxley
The Sarbanes-Oxley Act of 2002, which makes company executives personally and criminally responsible for the financial disclosures of their US publicly traded companies, has been with us for a number of years. This second edition of this book is intended to update you on changes and to give you some pointers about how the SEC is enforcing the Act.
The SEC has given itself a lot of leeway when it comes to enforcing Sarbanes-Oxley. This unfortunately makes it more difficult for executives and auditors to know where the line they must not cross actually is. Although the SEC is working hard to improve its due diligence, its limited resources make it difficult to watch every company. It has been helped to a certain extent by the current economic downturn, which has exposed many fraudulent schemes that counted on increasing sales and apparent revenue growth to succeed.
Sarbanes-Oxley’s limited success in reducing the number and extent of fraud cases since its enactment is proof that the resourcefulness and ingenuity of human nature will always win out.
Mike Morley
www.mikemorley.com
Sarbanes-Oxley is a U.S. law that came into effect July 30, 2002 to strengthen corporate governance and restore investor confidence. Sponsored by Maryland Senator Paul Sarbanes and Ohio Congressman Michael Oxley, the Act is intended to provide a strong deterrent to those individuals who might be tempted to manipulate corporate financial data for their own gain. The penalties imposed by the Act include substantial fines and significant prison terms.
Ignorance is no longer an excuse. The Act makes CEOs and CFOs personally responsible not only for financial statements that accurately reflect the financial condition of the company, but also for setting up and maintaining systems that ensure that they actually know the truth about what is going on in the company. This requirement is a brilliantly simple solution to the ever-present problem of fraud.
In the past, investors and lenders trusted executives of large, reputable public companies, investment banks, credit rating agencies, and, most of all, large auditing firms, to provide them with accurate financial information on which to make sound investing and lending decisions. Unfortunately, as we now know, many of these players traded their principles for money. Many had been profiting from unethical, if not downright illegal, practices for some time before Enron came crashing down. The collapse of Enron made it impossible for the US government to continue to ignore what was going on. Legislators were forced to take action in order to earn back the trust of investors.
The largest corporate bankruptcy in U.S. history (Enron) shook the very foundation upon which the securities exchange system was founded. The report card that investors and lenders used to make their decisions, the audited financial statement, could no longer be trusted. Investors and lenders lost confidence that public company senior management would tell them the truth.
Investors had trusted the accounting firm of Arthur Andersen, LLP, Enron’s auditor, to be their “watchdog.” However, Arthur Andersen, LLP, was receiving significant consulting contract revenue from Enron, in addition to being their auditing firm. SEC investigators ultimately concluded that this conflict of interest contributed in large part to Arthur Andersen, LLP’s, decision not to disclose Enron’s contingent liability arising out of certain loan guarantees. The companies whose loans they were guaranteeing were “Special Purpose Entities” (SPE) that happened to be owned by Enron’s CFO.
An SPE is a legal entity created by another entity (a sponsor) to carry out a specified purpose or activity. An SPE is often a financing vehicle that allows a sponsor entity to transfer assets to the SPE in exchange for cash, including “prepay transactions”, which are transactions that involve a contract for a service or product to be delivered at a later date. In other words, the SPE would borrow money to “sell” a service or product and recognize the revenue although the service had not yet been delivered.
Section 401 of the Act stipulates that off-balance-sheet transactions must be disclosed. In Enron’s case, because these loans were recorded on the SPE’s balance sheet instead of Enron’s, Enron appeared to be less debt-ridden than it actually was, although it was still liable if the SPE defaulted on the loan. Enron used the lack of disclosure to hide the real indebtedness of the company.
In order for the scheme to work, the investment banks that provided the loans to the SPEs had to keep quiet, and they did. The investment banks were related to the credit rating agencies that gave Enron a good rating right up to four days before its bankruptcy. As a result of this complicity on the part of all the players involved, investors no longer trusted the companies, the auditors, the investment banks, and the credit rating agencies.
Enron was by no means the only company whose questionable accounting practices illustrated the need for stronger regulations. Before Enron, especially in the high-tech bubble of the 1990s, there was an ever-growing pressure for companies to continually “beat expectations.” Expectations were met and exceeded, even if it meant manipulating financial data. In addition, because stock options were a large part of executive compensation packages, manipulating financial information to produce increasing stock prices proved too tempting for some executives who became millionaires almost overnight.
In order to continue “beating expectations” and keep the stock price going up (which allowed executives to collect big bonuses), public companies used several techniques, one of which was to manipulate the “timing” of revenue. Revenue recognition is supposed to be based on GAAP (Generally Accepted Accounting Principles).
Conservatism is one of the GAAP principles. It says that, when in doubt, do not recognize the revenue until you are sure. Unfortunately, some public companies anticipated recognition of revenue by including it in their current period instead of waiting for the evidence that revenue had actually been earned. As well, some companies received asset-financing money but classified it as revenue, although there was no evidence to support this accounting treatment.
Investors felt betrayed by the accountants and auditors they had depended upon to be the gatekeepers. Auditors were supposed to be disinterested third parties who could be relied upon to ring the alarm if something was not right. Investors and lenders were also let down by the investment banks and the credit rating agencies whose expertise was never in question. The lack of confidence in the established financial reporting system threatened the ability of public companies to obtain equity financing from public securities exchanges.
This lack of confidence in public company financial statements was a crisis that could not be allowed to continue. Investors were withdrawing in large numbers from the rapidly declining markets until they could see what would happen next.
Lenders were scrambling to reassess their positions. While trying to protect their investments, they were reluctant to lend money to public companies based on audited financial statements. The outlook for public companies that needed financing became bleak.
Politically, the U.S. government had to stabilize the situation and restore investor confidence. The Sarbanes-Oxley Act of 2002 was drawn up to entice investors and lenders back into the markets. These dollars are needed to run large public companies. The Act has far-reaching effects, well beyond the boardrooms of worldwide corporate head offices, public audit firms, investment banks, and credit rating agencies.
The Act is intended to provide a strong deterrent to those players who might be tempted to manipulate financial data for their own gain, including company executives, employees, auditors, investment banks and credit rating agencies.
The penalties imposed by the Act include substantial fines and significant prison terms. The fines were originally set at a maximum of $5 million, but now there is no limit, leaving the amount to be set by the presiding judge in each case. In addition to substantial fines the judge can order the disgorgement of any profits made from selling shares, and up to 25 years in prison.
Bernard Ebbers, the former CEO of WorldCom, at 63 years of age was found guilty on nine counts in an $11 billion accounting fraud and sentenced to 25 years in prison in 2005. Ebbers, a former milkman, basketball coach and Best Western hotel owner, said he was unaware of the fraud (“I’m just a milkman from Edmonton”). The Supreme Court turned down his appeal in March 2007 and upheld his 25-year jail term which he is still serving.
Jeff Skilling was convicted in 2006 of multiple federal charges including conspiracy, insider trading, making false statements, and securities fraud, relating to Enron’s financial collapse, and is serving a 24-year, 4-month prison sentence at the Federal Correctional Institution in Englewood, Colorado. He has launched several appeals which are still pending.
Kenneth Lay, former CEO of Enron, was facing 175 years in prison and severe fines if found guilty when he passed away of heart disease on July 5, 2006 at the age of 64. Conveniently for his beneficiaries, all the lawsuits to recover Enron’s missing $300 million died with him.
The Sarbanes-Oxley Act of 2002 is a brilliant and simple solution to the “I didn’t know” defense. It makes CEOs and CFOs personally responsible not only for financial statements that accurately reflect the financial condition of the company, but also for setting up and maintaining systems that ensure that they know. In other words, the Act says that CEOs and CFOs must ensure that they know everything that they ought to know. For CEOs and CFOs, ignorance of what is going on in their company is no longer an excuse.
It takes 66 pages to do so, but in effect, the Sarbanes-Oxley Act of 2002 asks three simple questions that CEOs and CFOs must answer:
1) Is it accurate?
Are the financial statements free of any material misstatements so that they reflect the true financial condition of the company and can be relied upon by investors?
2) Are you sure?
CEOs and CFOs must certify that the internal financial controls of their companies work to the extent that they are informed about everything that they should know. In addition, they must determine if any of the procedures in place pose a significant risk of producing inaccurate or incomplete financial information and show how they have taken steps to eliminate that risk.
3) Can you prove it?
CEOs and CFOs need to have documentation that satisfies the auditors and the SEC that their companies are doing what they say they are doing.
While the financial controls imposed by the Sarbanes-Oxley Act of 2002 are a legal obligation for publicly traded companies, they also serve as an excellent guide for growing private companies. Although the intention of the Act was to restore investor confidence in the audited financial statements of public companies, the practice of establishing and continually evaluating financial controls is equally beneficial to private companies. In particular, the creditors of private companies will benefit from financial statements that reflect more closely the financial condition of the company. They will feel more confident in assessing the company’s ongoing ability to meet its covenants as required by the loan agreement.
When companies expand to the point beyond which a single person can run everything, they need control systems in place to manage operations. As they grow larger, these control systems need to become more sophisticated to adapt to the changing circumstances in the growing company.
The Sarbanes-Oxley Act of 2002 is divided into 11 chapters, or Titles, preceded by a table of contents and a list of definitions, with each section starting with the title number. For example, Section 802 is the second item in Title 8.
The Sarbanes-Oxley Act of 2002 is a U.S. law that came into effect July 30, 2002 to strengthen corporate governance and restore investor confidence.
The Act was enacted mainly as a response to the largest bankruptcy in United States history (Enron).
Undisclosed off-balance-sheet items made Enron appear to be less debt-ridden than it actually was. Enron used this lack of disclosure to hide the real indebtedness of the company.
Enron was not the only company manipulating its financial data to influence the stock price. Revenue recognition issues including the “timing” of revenue and classifying asset-financing money as revenue were some of the problems that needed to be addressed.
Conflicts of interest and collusion between auditors, analysts, senior management, and credit rating agencies resulted in investors being misled about many companies’ true financial situations.
Ignorance is no longer an excuse. The Act makes CEOs and CFOs personally responsible not only for financial statements that accurately reflect the financial condition of the company, but also for setting up and maintaining systems that ensure that they know what they ought to know.
The Act is intended to provide a strong deterrent to those players who might be tempted to manipulate financial data for their own gain.
The Sarbanes-Oxley Act of 2002 created the Public Company Accounting Oversight Board (nicknamed Peek-A-Boo), a private, non-profit corporation, to oversee the auditors of public companies. Up until then, audit firms had been pretty well left alone to regulate themselves. The PCAOB’s stated purpose is to “protect the interests of investors and further the public interest in the preparation of informative, fair, and independent audit reports”. In other words, they are the SEC’s watchdog.
This chapter is an overview of Titles I and VI, specifically the portions of the Act that discuss the role of the Public Company Accounting Oversight Board.
The Public Company Accounting Oversight Board, made up of five members appointed by the Securities and Exchange Commission, reports directly to the Securities and Exchange Commission (which in turn reports to the federal government).
The Public Company Accounting Oversight Board’s mandate is to protect the interests of investors and the public by making sure that audits of public companies follow the securities laws and that audit reports are informative, accurate, and independent.
The Public Company Accounting Oversight Board’s duties include:
Registering public accounting firms
Establishing standards of ethics and independence
Inspecting registered public accounting firms
Imposing sanctions
The Public Company Accounting Oversight Board has five members. It is interesting to note that only two members can be Certified Public Accountants. If one of those two members is the chairperson, he or she is not allowed to have practiced as a Certified Public Accountant for at least five years prior to his or her appointment to the Public Company Accounting Oversight Board. The thought is that this will make the chairperson more objective and less likely to be influenced by any public company they may have done work for in the past.
While serving on the Board, members cannot be employed by anyone else, or share in any of the profits of, or receive payments from, a public accounting firm. Members serve for five years and are limited to two terms, regardless of whether the terms are consecutive or not.
The Sarbanes-Oxley Act of 2002 prohibits any firm or person other than a registered public accounting firm from participating in the preparation of any public company audit report.
Other than proprietary information, the Board makes available for public inspection information supplied by registered firms such as:
The names of audit clients for the current and past year
Annual fees from each client for audit services, other accounting services, and non-audit services
Financial information for the recently completed fiscal year
Quality control policies of the audit firm
A list of all accountants (and their individual license or certification number) associated with the audit firm who contribute to audit reports
The State license numbers of the firm itself
Any pending criminal, civil, or administrative actions or disciplinary proceedings
Any accounting disagreements between the company and the audit firm filed with the Securities and Exchange Commission (The public disclosure of these disagreements is intended to draw the attention of investors to any potential conflict of interest. It can also serve to alert the SEC of misconduct by auditing firms.)
Auditing, quality control, and independence standards and rules
Section 103 of the Act requires registered public accounting firms to keep audit work papers, and other information related to any audit report, for seven years. The scope as well as the results of the auditor’s testing of the internal control structure and procedures, including material weaknesses in internal controls and any material noncompliance, must be recorded and kept for the same period. A second partner in the firm who was not in charge of the audit must also review every audit.
In addition, the auditor has to attest as to the adequacy of the public company’s internal control procedures and make sure that detailed records are kept. They must “…accurately and fairly reflect the transactions and dispositions of the assets.” (Sarbanes-Oxley Act of 2002, p.12)
In other words, the auditor must provide reasonable assurance that generally accepted accounting principles were followed and that receipts and expenditures were approved by management.
This rule was put in place largely as a result of the Andersen auditors’ shredding of critical Enron accounting records.
In order to ensure the auditor’s independence, the Sarbanes-Oxley Act of 2002 requires registered public accounting firms to uphold professional ethics and maintain independence from their audit clients. Yet, in order to provide quality audit services, the public accounting firm must be intimately familiar with its client’s business. For example, the auditor needs to be aware of audit issues, such as timing of revenue recognition or amounts of reserves, as they come up. Unfortunately, the need to “stay in the loop” needs to be balanced with the need for the audit firm to remain independent.
This is a tough balancing act that the firm needs to maintain. If the client insists on not following the audit firm’s recommendations, the audit firm needs to examine the question and decide if they can continue being the company’s auditor.
When auditing firms are offered consulting opportunities, they must decide between auditing and consulting. If they decide to accept and continue the auditing engagement, they must forgo the consulting revenue.
In addition to supervising audits and carrying out internal inspections, audit firms must specifically instruct their employees who deal with clients that they must behave in an ethical manner and maintain their independence at all times. Although the Act does not specifically forbid it, auditors should never take gifts from their clients or allow their clients to pay them inflated fees.
The Sarbanes-Oxley Act of 2002 calls for registered public accounting firms that issue more than 100 public company audits per year to be inspected by the Public Company Accounting Oversight Board every year. Those that prepare fewer than 100 are to be inspected at least every three years.
Regular inspections try to uncover any act or omission by a registered public accounting firm that may be in violation of the Sarbanes-Oxley Act of 2002, the rules of the Public Company Accounting Oversight Board and of the Securities and Exchange Commission. In addition, inspectors will look for violations of professional standards and of the auditing firm’s own quality control policies.
Although inspection reports are to be made available to the public, defects in the quality control systems of the auditing firm under inspection, if corrected within 12 months, will not appear in the inspection report when it is made public. For example, if the auditing firm issues an unqualified opinion for an audit client only to discover later that the audit did not catch a material misstatement, it must not only take immediate corrective action to resolve the problem but also implement changes in its quality control systems to prevent this situation from happening again. If it satisfies the Public Company Accounting Oversight Board within 12 months that it has resolved the issue and corrected its internal quality control systems to prevent future occurrences, then the “defect” will not be made public.
The Board has sweeping powers to investigate any suspected violation of any provision of:
The Sarbanes-Oxley Act of 2002
The rules of the Public Company Accounting Oversight Board