
RevSOX Overview

The Sarbanes-Oxley Act of 2002 was enacted in response to several major corporate and accounting scandals. It established new or enhanced standards for all U.S. public company boards, management and public accounting firms. Key aspects included the establishment of the Public Company Accounting Oversight Board, auditor independence, corporate responsibility, and enhanced financial disclosures.

Sarbanes-Oxley

Primer

Lynn A Fountain www.lynnafountain.com


SOX Legislation

• A variety of complex factors created
the conditions and culture that led to a
series of corporate frauds between
2000–2002.
• The spectacular, highly publicized
frauds at Enron, WorldCom, and Tyco
exposed significant problems with
conflicts of interest and incentive
compensation practices.

Copyright@LynnFountain2015
Sarbanes-Oxley

• The analysis of their complex and
contentious root causes
contributed to the passage of SOX
in 2002.
• The Sarbanes–Oxley Act of 2002,
enacted July 30, 2002, also known
as the "Public Company Accounting
Reform and Investor Protection
Act" (in the Senate) and
"Corporate and Auditing
Accountability and Responsibility
Act" (in the House).

SOX Legislation
• The bill contains eleven sections.
• Sarbanes–Oxley was named after
sponsors U.S. Senator Paul Sarbanes (D-MD)
and U.S. Representative Michael
Oxley (R-OH).
• Significant opinion exists on the costs/
benefits with significant differences in
conclusions.
• Section 404 of the act is often singled
out for analysis.

Sarbanes-Oxley Act of 2002
• Title I: Establishment of Public Company
Accounting Oversight Board (PCAOB)
– Auditing, quality control, independence
standards; registered public
accounting firm inspections,
investigations/disciplinary proceedings.
• Title II: Auditor Independence
– Includes: services outside scope of
practice, pre-approval requirements,
audit partner rotation, reports to
audit committees, conflicts of interest.

Sarbanes-Oxley Act 2002
• Title III: Corporate Responsibility
– Section 302: Corporate responsibility
for financial reports. (ICFR)
– Other: Public company AC, insider trades,
forfeiture of certain bonuses and profits.
• Title IV: Enhanced Financial Disclosures
– Section 404: Management assessment of
internal controls.
– Other: code of ethics for senior financial
officers, enhanced review of periodic
disclosures, enhanced conflict of interest
provisions; audit committee financial expert.

Sarbanes-Oxley Act 2002
• Title V – Analyst conflicts of interest
• Title VI – Commission resources and authority (Federal Trade
Commission)
• Title VII – Studies and Reports
• Report on violators and violations, enforcement actions.

Sarbanes-Oxley Act 2002
• Title VIII – Corporate and criminal fraud
accountability
– Section 805: Review for obstruction of
justice and criminal fraud
– Section 806: Protection for employees of
publicly traded companies who provide
evidence of fraud (whistleblower
hotline)
– Section 807: Criminal penalties for
defrauding shareholders of publicly
traded companies.

Sarbanes-Oxley Act 2002
• Title IX: White Collar crime penalty
enhancements.
– Section 902: Conspiracies to commit
criminal fraud offenses.
• Title X: Corporate Tax Returns
– Signing of corporate tax returns by
CEO.
• Title XI: Corporate Fraud
and Accountability
– Increased criminal penalties under SEC
Act of ‘34; record tampering.

Initial Challenges
• Legislation Interpretation.
• Terms and definitions.
• Understanding COSO.
• Developing an approach.
– Testing
– Resources
– Coordinating with external audit
• Training/knowledge/understanding.
• Buy-in.
SOX Jeopardy…..What is?

Legislation
• May 05’ PCAOB directives:
– Top-down/risk based
approach.
– Focus on entity-level
controls.
– Scope & extent of testing:
discouraged “minutia of
detail”.
– Reliance on work of others.
– Adequacy of internal audit.

Legislation
• Spring 06’ PCAOB directives:
– Reduce the cost of compliance
– Make AS2 more flexible and
scalable
– Focus on disclosures around
ICFR:
• Compensation disclosures
• Stock Options backdating
– Turn up volume on what is
really important.

Legislation
May 07 – SEC Guidance
• Clarified Material Weakness definition:
“having a reasonable possibility of
leading to a material misstatement that
will not be prevented or detected on a
timely basis.”
• Eliminated requirement for auditors to
attest to management’s process of
evaluating internal controls.

Legislation
May 07 – PCAOB AS5
• Clarified need for top down
approach and focus on entity-level
controls.
• Emphasis placed on identification
of fraud risk assessment and
potential for management fraud.
• Eliminated the requirement for the
auditor to assess and give an
opinion on management’s
evaluation process.

Accounting Sequence of Events
Sequence of Steps
• Risk Assessment: Define priority accounts to be reviewed. Identify significant accts./disclosures and relevant assertions.
• Document Processes: Document transaction flows that materially impact financial statement elements.
• Source Risks (What are the risks?): Use financial reporting assertions to source “what can go wrong” within the processes.
• Document Controls (What are the controls? Who owns the controls?): Document controls at source of risk (preventive) or downstream in process (detective).
• Assess Design (How is the design of the controls rated?): Assess effectiveness of controls design.
• Validate Operation (How are the controls performing?): Test effectiveness of controls operation.
• Report

Where’s Waldo

Identify the difference in the cubes


COSO 1992

COSO 2013

SOX 404 and COSO
The annual report must identify:
• Responsibility/attestation of
internal controls
• Control framework
Management’s assessment must be
supported with sufficient evidence and
documentation.
COSO CONTROL FRAMEWORK
• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring
COSO Components
Control Environment
• Establishes “tone at the top”
• Refers to the overall operating
environment including ethics, values,
management operating style, commitment
to competence.
Risk Assessment
• Identifies management ability to
set strategic and business objectives
• Evaluates components that contribute to
risk within the organization.

COSO Components
Control Activities
• Basic process in an organization (e.g.
payroll, A/P, HR, Accounting).
• Evaluates manner in which each
process functions to ensure proper
controls in place.

COSO Components
Information/Communication
• Management’s ability to obtain the
appropriate information regarding
activities.
• Much of this attribute ties to IT
information, but it also relates to
management’s ability to communicate
information.
Monitoring
• Processes in place to monitor and control
deficiencies.

SOX Primer Overview

• Undeniably one of the most significant
pieces of legislation for ICFR.
• Companies still continue to adjust to meet
requirements.
• COSO 2013 will continue to provide
evolution to the legislation.
• PCAOB ongoing inspections will assist in
guidance.
• SOX will not go away. Companies must
understand the sections and the
requirements for compliance.
