Corrections Technology Association Sixth Annual Conference. Sarbanes-Oxley Act and Impact of Noncompliance. Presented by: Mr. Robert E. Kaelin, Partner. May 3, 2005. Agenda: Background; Sarbanes-Oxley (SOX) Overview; Impact on Vendors; Impact on Agencies; Future Impact; Conclusion.

Corrections Technology Association
Sixth Annual Conference
Sarbanes-Oxley Act and Impact of Noncompliance
Presented by: Mr. Robert E. Kaelin, Partner
May 3, 2005

Agenda
• Background
• Sarbanes-Oxley (SOX) Overview
• Impact on Vendors
• Impact on Agencies
• Future Impact
• Conclusion
777/40/82924(ppt)

Background
Why Do I Care About Sarbanes-Oxley?

Background: The Problem
• SOX was a reaction to corporate scandals and lack of investor confidence:
  • Enron.
  • Arthur Andersen.
  • MCI.
• Intense competition and pressure, conflicts of interest, and poor practices led to poor reporting and mismanagement.
• Criminal activities also contributed to the problem.
• Many other smaller examples of “dot com” booms that turned out to be investor busts all combined to prompt congressional action.
Source: Bauer College of Business

Background: The Problem Continues Today
• A May 2, 2005 headline stated: “Audit flaws wipe $2.7bn from AIG.”
• Discoveries of improper accounting at American International Group (AIG) are to knock $2.7 billion off the value of the world's biggest insurer.
• AIG said it would restate its accounts for each of the last 5 years from 2000 onwards, lowering the company’s value by 3.3%.
• It said it had found “material weaknesses” in its control systems and postponed filing its 2004 accounts.
Source: http://news.bbc.co.uk/1/hi/business/4504865.stm

Background: Learning About SOX
• Business Relationship:
  • Advise clients on business process and implementation issues.
  • Project issues.
  • Client accountability.
  • Manage and run our company.
• My role on the IJIS Institute Board of Directors:
  • Serve as chair of the Governance Committee.
  • Responsible for the overall impact of SOX on the institute.
  • Controls.
  • Reporting.

Background: Learning About SOX (continued)
• To understand SOX:
  • Conducted Web research and evaluated SOX presentations.
  • Conferred with compliance auditor.
• Disclaimer:
  • I am a management consultant – not an auditor.
  • I understand SOX but do not want to know it!
  • SOX focuses on doing what is right.
  • Contact your legal adviser and auditor for specific analysis.
  • Rules are still being defined and refined.

Sarbanes-Oxley Overview
What Is SOX?

Sarbanes-Oxley Overview: The Act
• The act was signed into law on July 30, 2002.
• It includes regulations regarding:
  • Public Company Accounting Oversight Board (PCAOB).
  • Auditor independence.
  • Corporate responsibility.
  • Enhanced financial disclosures.
  • Corporate and criminal fraud accountability.
• It applies primarily to publicly traded companies.
• SOX is actually a combination of:
  • Sarbanes-Oxley Act of 2002 (H.R. 3763).
  • Rules of the PCAOB.
  • Rules of the SEC.

Sarbanes-Oxley Overview: The Scope of the Act
• The scope of the act focuses on:
  • Internal controls.
  • Process.
  • Policies.
  • Activities.
  • Compliance and reporting.
  • Transparency.
  • Accuracy.
  • Governance.
  • Accountability.
  • Responsibility.
  • Avoidance of conflict of interest.

Sarbanes-Oxley Overview: The Details of the Act
Title I: Public Company Accounting Oversight Board
Title II: Auditor Independence
Title III: Corporate Responsibility
Title IV: Enhanced Financial Disclosures
Title V: Analyst Conflicts of Interest
Title VI: Commission Resources and Authority
Title VII: Studies and Reports
Title VIII: Corporate and Criminal Fraud Accountability
Title IX: White-Collar Crime Penalty Enhancements
Title X: Corporate Tax Returns
Title XI: Corporate Fraud and Accountability

Sarbanes-Oxley Overview: Public Company Accounting Oversight Board (Title I)
• Established by SOX.
• Nonprofit agency.
• Responsibilities:
  • Register and inspect public accounting firms.
  • Establish standards for public accounting firms.
  • Enforce compliance with the act and rules of the board.
  • Investigate firms and impose sanctions.
Source for all title details: Bauer College of Business.

Sarbanes-Oxley Overview: Corporate Responsibility (Title III)
• Assigns the responsibility to the audit committee to appoint, compensate, and oversee the public accounting firm that performs the audit.
• Requires CEO and CFO to:
  • Certify fairness of financial statements.
  • Take responsibility for disclosure controls.
• Makes it unlawful to fraudulently influence, coerce, or mislead an auditor.
• Provides for the forfeiture of certain compensation following the issuance of a “non-compliant” financial document.
• Provides the SEC with greater flexibility to remove management or board members.
• Requires attorneys to report evidence of material violations.

Sarbanes-Oxley Overview: Corporate Responsibility (continued) (Title III)
• Section 301: Public Company Audit Committees
  • Companies that are not compliant with SEC audit committee requirements are subject to delisting.
  • Audit committees are responsible for oversight of auditors including the resolution of disagreements between management and auditors.
  • Audit committees must set up procedures to receive and address “whistle-blower” complaints.
  • Employees and others may take concerns directly to the audit committee.
  • Audit committee members are required to be independent, and a disclosure is required in proxy statements.

Sarbanes-Oxley Overview: Enhanced Financial Disclosures (Title IV)
• Requires disclosure of material off balance sheet arrangements.
• Prohibits companies from making loans to directors or executives.
• Requires management to establish and maintain adequate internal controls and procedures for financial reporting.
• Requires disclosure of a code of ethics for senior financial officers.
• Requires companies to disclose whether at least one of the audit committee members is a financial expert.
• Requires rapid disclosure of changes in financial condition.

Sarbanes-Oxley Overview: Enhanced Financial Disclosures (continued) (Title IV)
• Section 404: Management Assessment of Internal Controls
  • Requires management to establish and maintain adequate internal controls and procedures for financial reporting.
  • Requires that each annual report includes a statement:
    • Describing management’s:
      • Responsibility for internal controls and procedures for financial reporting.
      • Assessment of the effectiveness of the controls and financial reporting procedures.
    • Incorporating the independent auditor’s review of management’s assessment of internal controls and financial reporting procedures.

Sarbanes-Oxley Overview: Enhanced Financial Disclosures (continued) (Title IV)
• Related SEC releases define internal controls and procedures for financial reporting as controls that provide reasonable assurances that:
  • Transactions are properly authorized.
  • Assets are safeguarded against unauthorized or improper use.
  • Transactions are properly recorded to permit the preparation of financial statements that are presented in a manner consistent with GAAP.
• To meet the assessment requirement, management must select a suitable, recognized framework for assessing the effectiveness of internal controls.

Impact on Vendors
What Do Vendors Have to Do About SOX?

Impact on Vendors: SOX Is About Business Practices
• SOX has implications for most business practices and processes of publicly traded companies.
• Any errors or misstatements that could cause a company to have to restate its financials are areas that require focus.
• Systems and processes must be in place to administer the pricing, services, and discounts.
• Visibility and control must ensure that pricing and costs are captured accurately and on a timely basis.
• Pricing services and discount processes often have the most people involved and represent the largest risk area.
• Combined implications create a very large potential for misstated financial results and SOX scrutiny, sanctions, and bad press.

Impact on Vendors: SOX Impact
• Skyrocketing SOX implementation costs:
  • Have put high-tech companies in the position of having to delay major projects.
  • Force companies to struggle to compete with low-cost competition from Asia.
• The SOX impact is more than technical, more than analytical, more than financial:
  • SOX places a burden of responsibility on all employees, not just the accountants.
  • SOX impacts IT priorities and “To do” list.
  • SOX will impact the role of IT in its users’ business and data.
  • SOX will challenge any IT organization whose culture is one of containment.

Impact on Vendors: SOX Requirements
• Companies must ensure that:
  • Bad news is reported upwards.
  • IT project definitions include potential financial impact.
  • Ignoring problems is not allowed under SOX.
• Different sections of the act are driving or will drive changes in the financial organization.
  • Sections 302 and 404.
    • Process mapping.
    • Systematic remedies.
    • Process changes.
    • Collaboration and teaming.
  • Section 409.
    • Systematic remedies.
    • Major process changes.

Impact on Vendors: Compliance Process

Monitoring
• Assessment of a control system’s performance over time.
• Combination of ongoing and separate evaluation.
• Management and supervisory activities.
• Internal audit activities.

Control Activities
• Policies/procedures that ensure management directives are carried out.
• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Information and Communication
• Pertinent information identified, captured and communicated in a timely manner.
• Access to internal and externally generated information.
• Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action.

Control Environment
• Sets tone of organization, influencing control consciousness of its people.
• Factors include integrity, ethical values, competence, authority, responsibility.
• Foundation for all other components of control.

Risk Assessment
• Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.

All five components must be in place for a control to be effective.
Source: PricewaterhouseCoopers

Impact on Agencies
How Does This Apply to a Corrections Agency?

Impact on Agencies: The World Has Changed
• Agencies may experience direct impact.
  • Correctional industries that are public organizations are directly impacted.
  • These organizations must comply.
  • Titles I, III, and IV establish practices and standards that most auditing organizations, including government auditors, follow.
• Agencies will experience indirect impact:
  • Contractors working with agencies will be required to comply.
  • Internal reporting will increase.
  • Time to complete and project status are significant elements in contractor risk management efforts.
  • Payment and contract issues will center on SOX compliance and may limit previous flexibility.
  • Costs will go up as companies cope with SOX costs.

Impact on Agencies: Audit Guidance
• The implication of Title I is that now there are three audit standards-setting bodies in the United States.
  • PCAOB, which sets audit standards for publicly traded companies.
  • Auditing Standards Board of the American Institute of Certified Public Accountants, which sets standards for privately held companies and not-for-profit organizations.
  • U.S. General Accounting Office, which sets standards for federal, state, and local governments through the Yellow Book.

Impact on Agencies: Government Auditors
• Although SOX affects corporate auditing and internal controls, the impact on government auditors is as follows:
  • Government auditors should encourage good governance practices with the entities they audit.
  • Government auditors have a unique responsibility to ensure accountability for public resources and government services.
  • The fundamental role of government auditors should remain clear and unchanged – provide assurance.

Impact on Agencies: Noncompliance
• While most corrections agencies and their activities do not fall directly under SOX, reasonable effort should be made to modify processes to comply.
• Where compliance is required, noncompliance can result in criminal investigation to determine whether:
  • Information was transmitted by mail.
  • Information was withheld from investigators.
  In these cases, felony charges can be brought.
• In other cases, agencies may be ordered to comply with auditor statements and requirements that:
  • Add expensive processes with no additional funding source.
  • Add reporting requirements not otherwise necessary.

Future Impact
Will This Go Away?

Future Impact: SOX Is Likely to Grow
• The results of SOX, both positive and negative, have led to several discussions on expanding the scope of SOX.
• Congress is reviewing options to expand to nonprofits to reduce scandals like that of the United Way several years ago.
• Congress is also examining the reporting of privately held companies.
• The Government Accounting Office is reviewing procedures for government agencies.
• Additional rules in support of SOX and auditing process are under review or in draft form.
• State and local governments are revising policies and in a few cases, legislation, to require SOX-like activity reporting.

Future Impact: New York State Strengthens SOX
• Attorney General Eliot Spitzer has proposed a series of reforms to strengthen New York's corporate accountability laws. He stated:
  • “Unfortunately, many of New York's laws are outdated and contain major loopholes.”
  • “For these reasons, we must act to strengthen state laws to protect investors and donors.”
• Mr. Spitzer's proposals cover the following areas:
  • Protecting honest employees who report illegal activities.
  • Protecting against fraud relating to nonprofit corporations.
  • Preventing securities fraud.
  • Preventing cover-ups of corporate crimes.
  • Addressing misconduct by corporate officers.
  • Improving oversight of the accounting industry.
• Consumer advocates have applauded Mr. Spitzer's efforts.

Future Impact: Getting a Handle on SOX
• Many auditors and accounting professionals offer programs to assess SOX compliance that provide:
  • Reports on areas of concern.
  • Recommended changes.
  • Programs that align an organization’s practices to comply with SOX.
• All CFOs and agency budget officers should conduct reviews of internal governance and compliance.
  • Focus on financial and audit process understanding.
  • Whistle-blower protections.
• Key leaders should monitor SOX as well as state and local policy changes.

Conclusion
What Are the Key Points?

Conclusion: Key Points
• Understand that SOX is the model for legislative initiatives aimed at both public and private companies in a number of states.
• Maintain a strong and independent audit committee (where used).
• Keep any arrangements for the auditor to provide non-audit services independent of audit services.
• Ensure executives understand the financial, compliance, and other external information reporting.
• Establish, maintain, and document significant financial and compliance controls.
• Maintain and archive all appropriate entity records.
• Remember SOX is the benchmark against which every company’s financial and corporate governance practices will be measured.

Conclusion: SOX Improvement Areas
• Remediation efforts should focus on:
  • Financial processes.
  • Computer controls.
  • Internal audit effectiveness.
  • Security controls.
  • Audit committee oversight.
  • Fraud programs.
• Process improvements for future compliance should focus on:
  • Financial reporting.
  • Risk identification and assessment.
  • Risk mitigation.
  • IT security strategy and implementation.
  • Internal audits.
  • Compliance management.
  • IT oversight and operations.

Conclusion: Resources
• www.aicpa.org
• www.findlaw.com
• www.pcaobus.org
• www.sec.gov
• www.sec.gov/rules/final.shtml
• www.isaca.org
Contact information: rkaelin@mtgmc.com or 206-442-5010
www.mtgmc.com