What Boards Should Know about the Sarbanes-Oxley Act

John P. Beavers
October 2002

First, Enron captured the headlines. Then, the U.S. House of Representatives passed a bill directing the SEC to determine how to increase accountability. And before the U.S. Senate could consider the House’s version of the bill, Adelphia, Dynegy, ImClone, Qwest, Tyco, and WorldCom captured the headlines. The Senate and eventually all of Congress responded, beginning with enactment of the Sarbanes-Oxley Act of 2002.

This legislation adopts broad reforms requiring government regulation of public accounting firms; independent-director oversight of the audit process; executive accountability for the financial reporting process; and new corporate responsibility for governance. Executives and directors, especially independent directors, of public corporations must educate themselves about this legislation and its impact upon the corporations they serve. Investors and regulators will undoubtedly scrutinize the commitment of corporations to good governance and compliance with the new requirements.

The message of Congress is clear: American businesses need to do a better job of governing themselves. The major thrusts of the Act are:

  • Provide federal government regulation of public accounting firms and the auditing process;
  • Restore authority in independent directors of boards for oversight of the auditing process of public reporting companies;
  • Increase accountability of executives for the financial reporting process; and
  • Increase corporate responsibility for independence, especially independence of the outside auditor, independence of directors, and independence of the oversight of the audit process.

The following is a summary of the major provisions of the Act.

Government Regulation of Public Accounting Firms

One of the four major thrusts of the Act is providing federal government regulation of public accounting firms and the auditing process.

Regulation of Public Accounting Firms. The Act creates a new Public Company Accounting Oversight Board,1 and only public accounting firms registered with the Oversight Board may be engaged by companies to prepare or issue, or to participate in the preparation or issuance of, any audit report with respect to any of those companies.2 In addition to responsibility for registering,3 periodically inspecting,4 and investigating and disciplining5 public accounting firms, the Oversight Board has broad authority to establish or adopt auditing, attestation, quality control, ethics, and independence standards.6

Control of Accounting Principles. The SEC is authorized to determine “generally accepted accounting principles” for public reporting companies relying either on a private standard-setting entity or the Oversight Board.7

Independent-Director Oversight of the Audit Process

Perhaps the farthest-reaching of the major thrusts of the Act is restoring authority in independent directors of boards for oversight of the auditing process. Although the Congressional intent was not to create additional liabilities under federal law for independent directors, the oversight provisions require numerous reports and information to flow to audit committees and independent directors that will have the intended result of increasing their knowledge, but likely have an unintended result of increasing the liability under state corporate laws. The increased knowledge will likely increase the degree of care that directors must take in order to comply with their fiduciary duties under state law. In other words, although the independent-director oversight provisions are not intended to increase directors’ exposure to liability under federal law, the resulting flow of information to directors under these provisions will likely increase directors’ exposure to liability under state law.

Audit Committee Oversight. The Act statutorily expands the authority of audit committees. The SEC is directed to adopt rules within 270 days that:

  • Make audit committees directly responsible for the appointment, compensation, and oversight of the work of the outside auditor engaged by that company (including resolution of disagreements between management and the auditor regarding financial reporting);8
  • Require each member of the audit committee to be independent, meaning that he or she does not receive any consulting, advisory, or other compensatory fee other than directors’ fees and is not an “affiliated person” of the company;9
  • Require each audit committee to establish procedures for handling complaints, including anonymous submissions by employees, regarding accounting, internal accounting controls, or auditing matters;10
  • Authorize each audit committee to engage independent counsel and other advisers, as it determines necessary to carry out its duties;11 and
  • Provide for appropriate funding, as determined by the audit committee and its functions, including those of the auditors as well as of the committee’s independent counsel and other advisers.12

Audit Committee’s Financial Expert. The Act13 directs and the SEC has proposed rules14 for companies to disclose whether or not, and if not, the reasons therefor, the audit committee of the company includes at least one member who is a “financial expert” with an understanding of GAAP and audit committee functions and experience in preparing or auditing financial statements and with internal accounting controls.

Increased Knowledge Required of Audit Committees. Although Congress did not intend to increase liability of independent directors, the Act makes the audit committee or independent directors the recipients of numerous reports from others. The result will likely be increased fiduciary duties of care and loyalty under state corporate laws. The Act requires the following reports or flow of information to audit committees or independent directors:

  • Information detected by or otherwise coming to the attention of the outside auditor regarding an illegal act by the company or its agents having an impact on financial statements (whether or not perceived to have a material effect),15 as well as information about related party transactions not fully disclosed in financial statements and any doubts about the ability of the company to continue as a going concern;16
  • Information regarding all services performed and agreements to perform services for the company by the outside auditor, because all such services and agreements are required to be approved by the audit committee;17
  • Report by the outside auditor on (i) all critical accounting policies and practices to be used; (ii) all alternative treatments of financial information discussed with management, ramifications of the use of such alternative disclosures and treatments, and the treatment preferred by the registered public accounting firm; and (iii) other material written communications between the outside auditor and management, such as any management letter or schedule of unadjusted differences;18
  • Complaints received by the company regarding accounting, internal accounting controls, or auditing matters, including expressly any anonymous submission by employees of concerns regarding questionable accounting or auditing matters are to be received by the audit committee or otherwise are to be received, retained, and investigated pursuant to procedures established by the audit committee;19
  • Reports from the outside auditor on (i) critical accounting policies and practices to be used; (ii) all alternative treatments of financial information within generally accepted accounting principles that have been discussed with management, the ramifications of such alternatives, and the treatment preferred by the auditor; and (iii) other material written communications between the auditor and management;20
  • Disclosures from the company’s CEO and CFO, including (i) significant deficiencies in the design or operation of internal controls, and (ii) any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls;21
  • Reports of the company’s CEO and CFO as part of the certification requirements, including each of their evaluations of the effectiveness of the company’s internal controls and significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluations;22
  • Reports of any action taken by any officer, director, or other person acting under the direction thereof to fraudulently influence, coerce, manipulate, or mislead the outside auditor in the performance of an audit;23
  • Reports from attorneys representing the issuer of any evidence received by them of material violations of securities law or material breaches of fiduciary duty not appropriately responded to by the company’s chief legal officer or chief executive officer;24
  • Information from the outside auditor regarding material correcting adjustments that have been identified by the auditor in accordance with generally accepted accounting principles and the rules and regulations of the SEC in order to assure compliance by the company with its obligations for accurate financial statements;25 and
  • Information regarding off-balance sheet transactions, arrangements, obligations (including contingent obligations), and other relationships of the company with unconsolidated entities or other persons, that may have a material current or future effect on the financial condition, changes in the financial condition, results of operations, liquidity, capital expenditures, capital resources, or significant components of revenues or expenses.26

Definition of Audit Committee. Directors of a public reporting company cannot escape responsibility or potential liability by not having an audit committee. The Act defines audit committee in such a way that, if there is no audit committee of independent directors, all of the independent directors of the board become the audit committee.27

Executive Accountability for the Financial Reporting Process

The CEO/CFO certificate provisions of the Act create the greatest potential liability under the Act. These provisions are designed to prevent another Kenneth Lay from successfully pleading “no knowledge” as a defense to wrongdoing like Enron’s in the future. They are also designed to eliminate the possibility that another memorandum like Sherron Watkins’s memorandum to Kenneth Lay will be ignored in the future.

CEO/CFO Certifications. On August 28, 2002, the SEC adopted rules28 as directed by the Act29 requiring CEOs and CFOs of each public reporting company to certify in each Form 10-Q and Form 10-K that:

(1) The signing officer has reviewed the report.

(2) Based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading.

(3) Based on such officer’s knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the company as of, and for, the periods presented in the report.

(4) The signing officers:

(a) Are responsible for establishing and maintaining internal controls;

(b) Have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;

(c) Have evaluated the effectiveness of the company’s internal controls as of a date within 90 days prior to the report; and

(d) Have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.

(5) The signing officers have disclosed to the company’s auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function):

(a) All significant deficiencies in the design or operation of internal controls which could adversely affect the company’s ability to record, process, summarize, and report financial data and have identified for the company’s auditors any material weaknesses in internal controls; and

(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the company’s internal controls.

(6) The signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.

18 USC 1350 Criminal Penalties. Although one section of the Act discussed above directs the SEC to adopt rules regarding CEO and CFO certifications, CEOs and CFOs are required by the Act30, beginning with any financial statement filed after July 30, 2002, under the Securities Exchange Act of 1934 (the “1934 Act”), to certify, subject to criminal penalties under the criminal code, that the report containing the financial statements fully complies with the requirements of section 13(a) or 15(d) of the 1934 Act and fairly presents, in all material respects, the financial condition and results of operations of the issuer. A false certification or other failure to comport with the certification requirements can result in fines up to $5,000,000 and imprisonment of up to 20 years, in addition to the SEC administrative and injunctive proceedings, rights of private action for damages, and criminal penalties under the 1934 Act.

Forfeiture of Certain Compensation. The Act31 requires CEOs and CFOs to forfeit all incentive and equity-based compensation for a 12-month period following publication of any financial statement that is later restated as a result of misconduct.

Attorneys’ Duties to Boards. The Act32 directs the SEC to adopt rules within 180 days requiring attorneys to report evidence of a material violation of securities law or breach of fiduciary duty or similar violation by the company or any agent thereof to the chief legal counsel or the CEO of the company and, if such counsel or officer does not appropriately respond, then to the audit committee or another independent board committee or to the board of directors as a whole.

Codes of Ethics. The Act33 directs and the SEC has proposed rules34 requiring companies to disclose whether or not, and if not, the reason therefor, such companies have adopted a code of ethics applicable to their principal financial officers and comptrollers or principal accounting officers or persons performing similar functions. The proposed SEC rules expand the code of ethics disclosure requirements to include chief executive officers and persons performing similar functions in addition to principal financial officers and comptrollers or principal accounting officers.

Criminal Penalties. The Act creates criminal penalties for the following:

  • Destruction, alteration, or falsification of records in federal investigations and bankruptcy;35
  • Destruction of audit records including work papers within five years of the end of the fiscal year for which the audit was concluded;36
  • Certain securities fraud;37
  • CEO’s and CFO’s failure to provide certifications discussed above;38 and
  • Retaliation against any whistleblower or informant.39

Increased Corporate Responsibility for Independence

The Act contains numerous provisions requiring increased corporate responsibility for independence of the outside auditor, independence of directors, and independence of oversight over the audit process and internal controls.

Prohibition against Non-Audit Services. The Act40 absolutely prohibits an outside auditor of a public reporting company from performing any of the following non-auditing services while serving as independent auditor:

  • Bookkeeping or other services related to the accounting records or financial statements of the audit client;
  • Financial information systems design and implementation;
  • Appraisal or valuation services, fairness opinions, or contribution-in-kind reports;
  • Actuarial services;
  • Internal audit outsourcing services;
  • Management functions or human resources;
  • Broker or dealer, investment adviser, or investment banking services;
  • Legal services or expert services unrelated to the audit; and
  • Any other service that the Oversight Board determines, by regulation, is impermissible.

Although non-audit services other than the prohibited services described above may be performed, such services may be performed only if pre-approved by the audit committee and disclosed publicly to investors.41

Audit Partner Rotation. The Act42 requires the lead and reviewing audit partners of the outside auditor auditing any public reporting company to rotate at least every five fiscal years.

Prohibition of Auditor’s Employees from Serving as Officers. The Act43 prohibits any person employed by a public reporting company’s outside auditor from serving as the company’s chief executive officer, controller, chief financial officer, chief accounting officer, or similar position for a period of one year.

Prohibitions against Interfering with Audits. The Act44 directs the SEC to adopt rules preventing officers and directors from conduct tantamount to fraudulently influencing, coercing, manipulating, or misleading any independent public or certified accountant engaged in the performance of an audit of a public reporting company.

Bars from Serving as Officer or Director. The Act45 authorizes the SEC to prohibit a person found “unfit” because of a violation of federal securities laws from serving as officer or director of a public reporting company.

Insider Trading Prohibited During Blackouts. The Act46 makes it unlawful for any director or executive officer to engage directly or indirectly in any purchase or sale of an equity security of the company during any pension blackout period of more than three consecutive business days applicable to any defined contribution or individual account plan. The Act also sets forth detailed rules for setting blackout periods applicable to employee plans, including notification requirements.

Financial Reporting Requirements. The Act47 mandates and the SEC has proposed rules48 regarding a number of financial reporting requirements including:

  • Reflection in all financial statements, included in any report filed, of all material correcting adjustments that have been identified by a registered public accounting firm in accordance with generally accepted accounting principles and the rules and regulations of the SEC;
  • Disclosure in Forms 10-K and 10-Q of all material off-balance sheet transactions, arrangements, obligations (including contingent obligations), and other relationships of the company with unconsolidated entities or other persons; and
  • Reconciliation of pro forma financial information with the financial condition and results of operations of the company under generally accepted accounting principles.

Reporting of Changes in Ownership of Securities. The Act49 requires executive officers and directors to report on Form 4 any changes in their ownership of the company’s equity securities before the end of the second business day following the day on which the subject transaction has been executed (or within such other period as the SEC may establish by rule) and, within one year, the SEC shall require such reports to be filed electronically.

Prohibition of Loans to Directors and Executives. The Act50 makes it unlawful for companies directly or indirectly to arrange for the extension of credit, or to renew an extension of credit, in the form of a personal loan to or for any executive officer or director. The exceptions to the prohibition only permit home improvement loans, consumer credit, charge cards, and limited broker/dealer loans other than for the purchase of company stock. The prohibition does not apply to any loan made or maintained by an FDIC-insured depository institution if the loan is subject to the insider lending restrictions of section 22(h) of the Federal Reserve Act. There is a grandfather provision that loans and other extensions of credit in place as of July 30, 2002, will not be subject to this prohibition as long as there is no material modification to any term of any such loan or extension of credit or any renewal thereof after July 30, 2002.

Internal Control Evaluations. The Act51 directs and the SEC has proposed rules52 to require that each Form 10-K shall contain an internal accounting control report that:

(1) States the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

(2) Contains an assessment, as of the end of the most recent fiscal year of the company, of the effectiveness of the internal control structure and procedures of the company for financial reporting.

Real Time Disclosures. The Act53 requires each reporting company to make immediate disclosure, likely through its web page and electronic filing of Forms 8-K, of information concerning material changes in the financial condition or operations.

Endnotes

 1.  §101 of the Act.

 2.  §102 of the Act.

 3.  §102 of the Act.

 4.  §104 of the Act.

 5.  §105 of the Act.

 6.  §103 of the Act.

 7.  §108 of the Act.

 8.  §202 of the Act adding new §10A(i) to the 1934 Act.

 9.  §301 of the Act adding new §10A(m) to the 1934 Act.

10.  §301 of the Act adding new §10A(m) to the 1934 Act.

11.  §301 of the Act adding new §10A(m) to the 1934 Act.

12.  §301 of the Act adding new §10A(m) to the 1934 Act.

13.  §407 of the Act.

14.  SEC Release 33-8138 (October 22, 2002).

15.  §10A(b) of the Securities Exchange Act of 1934.

16.  §10A(a) of the Securities Exchange Act of 1934.

17.  §§10A(h), (i) and (m)(2) added by the Act to the 1934 Act.

18.  §10(A)(k) added by the Act to the 1934 Act.

19.  §10A(m)(4) added by the Act to the 1934 Act.

20.  §204 of the Act.

21.  §302(a)(5) of the Act.

22.  §302(a)(5) of the Act.

23.  §303 of the Act.

24.  §307 of the Act.

25.  §401 adding new section 13(i) to the 1934 Act.

26.  §401 adding new section 13(j) to the 1934 Act.

27.  See §§2(a)(e) and 205 of the Act as read with §301 of the Act adding new §10A(m) to the 1934 Act.

28.  SEC Release 8124 (August 29, 2002).

29.  §302 of the Act.

30.  §906 of the Act adding new §1350 to 18 USC.

31.  §304 of the Act.

32.  §307 of the Act.

33.  §406 of the Act.

34.  SEC Release 33-8138 (October 22, 2002).

35.  §802 of the Act adding new §1519 to 18 USC.

36.  §802 of the Act adding new §1520 to 18 USC.

37.  §807 of the Act adding new §1348 to 18 USC.

38.  §906 of the Act adding new §1350 to 18 USC.

39.  §806 adding new §1514A to 18 USC.

40.  §201 of the Act adding §10A(g) to the 1934 Act.

41.  §201 of the Act adding §10A(h) to the 1934 Act.

42.  §203 of the Act.

43.  §206 of the Act adding new section 10A(l) to the 1934 Act.

44.  §303 of the Act.

45.  §305 of the Act and §1105 of the Act amending §21C(f) to the 1934 Act.

46.  §306 of the Act.

47.  §401 of the Act.

48.  SEC News Release 2002-155.

49.  §403 of the Act.

50.  §402 of the Act adding new §10A(k) of the 1934 Act.

51.  §404 of the Act.

52.  SEC Release 33-8138 (October 22, 2002).

53.  §409 of the Act.

 
