Raising the emphasis on controls Additional accountability of CEOs Controls and the Impact on Operations
Cost range from .05% for $5 billion company to 2.5% of revenues for $100 million company. 45% was around IT controls. Davern Roundtable remarks. Did we spend $15 billion on a problem that did not exist?
Transcript of "Key Provisions"
The Sarbanes-Oxley Act and You Richard Pennington Colorado Department of Personnel & Administration September 1, 2005
The Public Company Accounting Reform and Investor Protection Act of 2002 (Sarbanes-Oxley Act) <ul><li>Section 302 – management to prepare a certification statement that accompanies the financial statements </li></ul><ul><li>Section 404 - every annual report of public companies to include an internal control report from management </li></ul><ul><li>Created Public Company Accounting Oversight Board (PCAOB) who set auditing standards </li></ul>
Sarbanes-Oxley (Cont’d) “Section 404 may have the greatest potential to improve the accuracy and reliability of financial reporting. Strong controls are an important part of this goal, because our capital markets run on the basic premise that companies will present reliable and complete financial data for investment and policy decision-making.” SEC Chairman William Donaldson, April 13, 2005, Roundtable Discussion on Internal Control Reporting Provisions
Sarbanes-Oxley (Cont’d) <ul><li>“Like the internal-controls provision, parts of Sarbanes-Oxley . . . spread far beyond finance and accounting, spilling over into operations reporting as well. . . The real-time rule would put "pressure on the operational side of the business," says Rick Fumo, a senior vice president with Parson Consulting, a financial management advisory firm. One for-instance: If a company truck delivering toxic chemicals springs a leak, operations employees might have to speed that news up the chain of command to the comptroller so that an 8-K form could be filed . . .” </li></ul><ul><li>David M. Katz, CFO.com, April 22, 2003 </li></ul>
SEC Rulemaking <ul><li>2004: clarified applicability </li></ul><ul><li>But . . . </li></ul><ul><ul><li>Some compliance issues, e.g. contract requirements, may implicate liability </li></ul></ul><ul><ul><li>Some operations issues may implicate liability in a material way </li></ul></ul>“We recognize that our definition of the term "internal control over financial reporting" reflected in the final rules encompasses the subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives. Our definition does not encompass the elements of the COSO Report definition that relate to effectiveness and efficiency of a company's operations and a company's compliance with applicable laws and regulations . . .” SEC comments on Final Rule, effective August 14, 2003.
Where the Rubber Meets the Road: Financial Disclosures We have various agreements by which we may be obligated to indemnify the other party with respect to certain matters. Generally, these indemnification provisions are included in contracts arising in the normal course of business under which we customarily agree to hold the indemnified party harmless against losses arising from a breach of representations related to such matters as title to assets sold and licensed or certain intellectual property rights. Payments by us under such indemnification clauses are generally conditioned on the other party making a claim. Such claims are generally subject to challenge by us and dispute resolution procedures specified in the particular contract. (10-Q Disclosure) If we are not able to implement the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 or attain an unqualified report from our independent auditors as to our internal controls as required as of the end of the current fiscal year, our reputation, our financial results and the market price of our stock could suffer. (10-Q Disclosure)
Internal Controls <ul><li>Treadway Commission Committee of Sponsoring Organizations (COSO) </li></ul><ul><li>Breadth of “Internal Controls” </li></ul><ul><ul><li>Financial Reporting </li></ul></ul><ul><ul><li>Operations </li></ul></ul><ul><ul><li>Statutory Compliance </li></ul></ul><ul><li>Preventive versus detective controls </li></ul><ul><li>Internal controls audits as part of financial statements are new </li></ul>
Internal Controls Objectives <ul><li>Prevent Misstatements (from human error) </li></ul><ul><li>Prevent, Deter, and Detect Fraud </li></ul><ul><li>Examples </li></ul><ul><ul><li>Segregation between purchasing and payment approval </li></ul></ul><ul><ul><li>Restrictions on access to state assets, e.g. security controls </li></ul></ul>
Internal Controls Reporting Concepts <ul><li>“Reasonable assurance” regarding the reliability of financial reporting: a “high level of assurance” </li></ul><ul><li>Control deficiencies </li></ul><ul><li>Significant deficiency (.5% of income) </li></ul><ul><ul><li>More than a remote likelihood of a </li></ul></ul><ul><ul><li>Misstatement that is more than inconsequential </li></ul></ul><ul><li>Material weaknesses (material to financial statements) existing at end of reporting period are disclosed publicly (4% of income) </li></ul>
Internal Controls Audit Process <ul><li>“Scope” the Audit </li></ul><ul><li>Look at documentation, e.g. information about how significant transactions are initiated, authorized, recorded, processed and reported </li></ul><ul><li>Evaluate Controls Design Effectiveness </li></ul><ul><li>Test Operation of Controls </li></ul><ul><ul><li>Walkthroughs performed for major classes of transactions, e.g. “contracts” </li></ul></ul><ul><ul><li>Interviews of personnel: “skills” assessment </li></ul></ul><ul><li>“Professional skepticism” standard </li></ul>
Corporate Findings Nancy Valley, National Industry Leader – Public Sector, KPMG (June 9, 2005) 8% of 2,500 issuers reporting by March 31st reported material deficiencies, with an average of 275 control deficiencies per company. Top 10 Nature of Material Weaknesses <ul><li>Income tax matters </li></ul><ul><li>Revenue recognition </li></ul><ul><li>Financial staffing/expertise </li></ul><ul><li>Leases accounting </li></ul><ul><li>Application of GAAP </li></ul><ul><li>Financial Close process </li></ul><ul><li>Monitoring Controls </li></ul><ul><li>Segregation of Duties </li></ul><ul><li>Derivatives </li></ul><ul><li>Subsidiaries/Remote locations </li></ul>
Differences in Usage of Terms For example, “risk assessment” the auditor should evaluate whether management has identified the risks of material misstatement in the significant accounts and disclosures and related assertions of the financial statements and has implemented controls to prevent or detect errors or fraud that could result in material misstatements. . . . the risk assessment process should address how management considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements. (Audit Standard No. 2, paragraph 49)
April 13, 2005 SEC Roundtable <ul><li>“Fear” of auditors from SEC inspection and litigation: reluctance to use risk-based methods </li></ul><ul><li>External auditor reliance on internal auditor work, and the annual certification requirement </li></ul><ul><li>Conservatism, annual audits, and disagreements on “materiality” and “significance” of deficiencies </li></ul><ul><li>Value of the amount of IT controls testing </li></ul><ul><li>“One size fits all” or checklist approach </li></ul><ul><li>Chilling of nature of relationship with auditors </li></ul>
SOA and State Governments <ul><li>GAO “Yellow Book” includes internal controls </li></ul><ul><li>State Finance Accountability Acts </li></ul><ul><ul><li>“Each department shall institute and maintain systems of internal accounting and administrative controls” </li></ul></ul><ul><li>Federal OMB Circulars, e.g. A-123 </li></ul><ul><ul><li>2005 revisions require a document and assessment process and a management statement regarding effectiveness. (June 2006) </li></ul></ul><ul><li>Internal controls audit standards are migrating </li></ul>
New OMB A-123 Assurance [Agency’s] management is responsible for establishing and maintaining effective internal control over financial reporting, which includes safeguarding of assets and compliance with applicable laws and regulations. The [Agency] conducted its assessment of the effectiveness of the [Agency’s] internal control over financial reporting in accordance with OMB Circular A-123, Management’s Responsibility for Internal Control. Based on the results of this evaluation, the [Agency] can provide reasonable assurance that the internal control over financial reporting as of June 30, 2XXX was operating effectively and no material weaknesses were found in the design or operation of the internal controls over financial reporting.
Possible Contracts Issues? <ul><li>Rebates </li></ul><ul><li>Performance Guarantees and Hardware/System SLAs </li></ul><ul><li>Warranties </li></ul><ul><li>Acceptance Testing </li></ul><ul><li>Risk of Loss </li></ul><ul><li>Outsourced Financial operations: retaining contractual rights to audit/evaluate internal controls </li></ul>
PCAOB Auditing Standard No. 2 Example D-2 — Modifications to Standard Sales Contract Terms Not Reviewed To Evaluate Impact on Timing and Amount of Revenue Recognition Scenario A – Significant Deficiency. The company uses a standard sales contract for most transactions. Individual sales transactions are not material to the entity. Sales personnel are allowed to modify sales contract terms. The company's accounting function reviews significant or unusual modifications to the sales contract terms, but does not review changes in the standard shipping terms. The changes in the standard shipping terms could require a delay in the timing of revenue recognition. Management reviews gross margins on a monthly basis and investigates any significant or unusual relationships. In addition, management reviews the reasonableness of inventory levels at the end of each accounting period. The entity has experienced limited situations in which revenue has been inappropriately recorded in advance of shipment, but amounts have not been material.
Potential Impacts <ul><li>Negotiation of contract provisions regarding auditing, especially in outsourcing contracts </li></ul><ul><li>Increased attention to and knowledge of controls by purchasing personnel (p-cards?) </li></ul><ul><li>Increased conservatism relative to controls </li></ul><ul><li>Expanding scope of performance audits </li></ul><ul><li>Heightened attention on IT security </li></ul><ul><li>More emphasis on training/qualifications </li></ul>