Sarbanes-Oxley Act of 2002 and Its Impact on Businesses

jonathan fink cpa partner n.w

Explore the Sarbanes-Oxley Act of 2002, its key sections, and how it affects businesses. Learn about SOX compliance, the establishment of the PCAOB, internal control assessments, and more. Discover the cultural happenings of 2002, including top songs, movies, and TV shows.

  • Sarbanes-Oxley
  • SOX compliance
  • PCAOB
  • internal controls
  • 2002 culture




Presentation Transcript


  1. Jonathan Fink, CPA, Partner

  2. Jonathan Fink, CPA
      • Audit partner, West Hartford, Connecticut office
      • BlumShapiro works with companies on the management side to assist them in SOX compliance efforts and other internal control objectives
      • BlumShapiro does not audit public companies
      • My SOX experience includes the following industries: Utilities, Manufacturing, Pharmaceuticals, Non-profits

  3. Background on SOX; SOX environment; Where we were; Where we are today; Where we might be going; Applying SOX to non-registrants

  4. Sarbanes-Oxley Act of 2002
      • Passed in response to large public company frauds in early 2000s
      • Intended to toughen the penalties on senior executives at public companies where frauds occur
      • 11 Sections of Act
      • Establishment of Public Company Accounting Oversight Board (PCAOB)
      • Some differences in compliance requirements for large and small public companies

  5. Sarbanes-Oxley Act of 2002 - Key Sections
      • Section 302
        • Quarterly certification by officers
        • Significant changes in internal control during the quarter
        • Certain interim fraud disclosures
      • Section 404
        • Assessment of effectiveness of internal controls over financial reporting
        • Related report from independent registered accounting firm

  6. Before we get into the business side, what was going on in popular culture in 2002?

  7. 2002 - popular culture
      • #1 song for the year - How You Remind Me by Nickelback

  8. 2002 - popular culture
      • #1 movie for the year - Spider-Man

  9. 2002 - popular culture
      • #1 TV show - CSI

  10. 2002 - popular culture
      • Trending celebrity stories in 2002: Jennifer Lopez and Ben Affleck, The Osbournes show, American Idol

  11. Before the Sarbanes-Oxley Act (SOX), there were few restrictions on the services an auditor could provide to their client: internal audit, systems consulting, accounting assistance. Stemming from the high-profile frauds at companies such as Enron, there was a public perception that auditors' independence was not always maintained and that an auditor might be hesitant to challenge a client on an accounting or reporting issue that could damage their non-audit service revenues. Public outcry over lost retirement savings in affected public stocks.

  12. Establishment of PCAOB
      • Key mission of investor protection
      • Oversight of auditors of public companies ("audit the auditors")
      • Profession was previously self-regulated
      • New set of audit rules created solely for auditors of public companies
      • Funded by fees charged to public companies
      • Overseen by the SEC

  13. Auditing Standard 2 - 2004
      • This is the standard that governed companies' and auditors' approaches to SOX compliance in the early years
      • Required 3 reports in connection with annual public company filing
        • Management attestation on internal controls over financial reporting
        • Auditor report on internal controls
        • Auditor report on management's assessment of internal controls
      • Auditor performed their traditional audit on the financial statements and then, in essence, performed a second audit over the company's internal controls

  14. Auditing Standard 2 - 2004
      • Formalized control deficiency reporting
        • Significant deficiency - required to be reported to the Audit Committee
        • Material weakness - required to be disclosed to public
      • Internal controls work
        • Detailed walkthroughs
        • Linkage of all processes to financial statement element and/or disclosure
        • Detailed testing - high standard for documentation required
        • Sign-offs
        • Evidence of meetings
        • Verbal support or confirmation by company personnel was generally deemed inadequate
      • Evolving interpretations by firms in the first year led to substantial work by both companies and auditors
      • Significant increase in audit fees

  15. AS 5 - 2007
      • Based on feedback from public companies and auditors, the PCAOB issued a revised auditing standard in 2007 that replaced AS 2
      • Increased emphasis on risk assessment
      • Top-down approach on controls assessment
      • A bit more relaxed documentation requirement to evidence a control is operating
      • Some related reduction in audit fees

  16. PCAOB
      • Now into its second decade of existence
      • Very closely monitoring audit performance at public companies' audit firms
        • Annual inspection reports
        • Public statements
      • Strong focus on management estimates and more complex aspects of financial reporting
      • Continues to express concerns with deficiencies noted in audit inspections
      • Audit firms have responded with increased internal rules, risk management processes, and oversight
        • More hours to complete audits
        • In many cases, higher audit fees for registrants

  17. Overall decreases in public company restatements. PCAOB pushing for additional changes in public company audits:
      • Audit firm rotation - Shelved for now
      • Naming the engagement partner in public records - Passed
      • Adding auditor narrative/qualitative perspective to standard audit report - Currently proposed

  18. Trickle-down effect of public company audit standards on non-public companies
      • Some companies voluntarily complying with aspects of SOX 404 standards
      • Many non-profits have adopted SOX-like practices due to the influence of Board members who work at public companies
      • Much stronger focus on auditor independence
      • Increased focus on formal governance policies and practices
        • More whistleblower programs
        • More conflict of interest policies

  19. Evolution of business risks
      • Information technology is more important than ever and related risks have evolved
        • Cybersecurity
        • Disaster recovery
        • Mobile devices
        • Decentralized or virtual offices
      • More automated processes
        • Electronic transaction approvals
        • Electronic data analytics

  20. Evolution of business risks (continued)
      • Economic challenges in the US
      • Increased globalization of companies
      • Rise of social media
      • Decline of certain traditional industries
      • Increased outsourcing of certain business functions (payroll, IT, accounting, etc.)
      • Higher speed of information and technology

  21. What have these changes meant for SOX?
      • More IT audit expertise needed (in-house or outsourced)
      • With shift to more automated controls, less basic sample-based controls testing and more sample of one testing
      • Staffing needs have changed
      • Certain controls can now be tested remotely vs. on-site
      • With increased speed of information movement, outside risks have grown in potential significance
        • Example: public relations impact of a company compliance issue
      • SOX compliance has evolved from a special initiative to part of the ongoing compliance and business processes of a company

  22. What has not changed?
      • Continued demand for accountants (perhaps more now than ever)
        • Can be hard to fill employee needs
      • Risk of human error
      • Fraud risks
        • Companies managing staff sizes and, in some cases, those staff sizes do not allow for proper segregation of duties
        • External employee pressures (gambling problems, divorces, etc.)
        • Internal employee fraud motivations: Assets, Financial reporting

  23. Further tightening of oversight and standards by PCAOB?
      • Concerns related to continued audit deficiencies noted during inspections
      • Pressure from external groups to improve audits
      Potential impact of a large company fraud or market crisis?
      • Additional regulations possible
      • Does SOX get replaced by a different law/standard?
      More real-time financial reporting beyond quarters and year-ends?
      • More timely financial information
      • Impact on how companies close their books, etc.

  24. Expansion of SOX to cover more non-financial reporting risks?
      • Cybersecurity
      • Identity theft
      • Ethics violations
      Increased market value placed on acquisition targets that are SOX-compliant?
      Simplification of public company disclosures?
      • Concern that too much information prevents readers from identifying key facts and risks

  25. There are many practices that have emerged from public companies' SOX efforts that have benefits for non-public companies
      • Risk assessment
        • Periodic review and discussion of enterprise and fraud risks
        • Many companies' employees do this on an individual or departmental basis but do not necessarily get together to discuss risks across company functions
        • Gather people from sales, finance, operations, human resources, information technology, and executive areas to compare thoughts on the risks that the company is facing
        • The risks discussed should include anything that could have a negative impact on the company

  26. Risk assessment (continued)
      • Periodic review and discussion of enterprise and fraud risks
      • Significance and likelihood are key factors
        • Some risks (e.g. hurricane) are significant but may be low likelihood
        • Other risks may have a high likelihood but the potential impact on the company is not significant
      • Determine which risks are being adequately addressed by current controls and processes and which ones may represent a gap
      • Prioritize the order and method in which gap risks will be addressed
      • Set a timetable for action items
      • This type of comprehensive assessment should be performed at least every 2-3 years

  27. Documentation of internal controls
      • Can be accomplished either through written memos or flowcharts
      • Should capture what employees are actually doing - not what a policy says they do
      • No set level of detail - choose the level of detail based on the perceived value to the company
      • Can be valuable for several reasons:
        • Allows for easier identification of gaps or weaknesses in controls and related processes
        • Identifies potential areas where employee training may be needed
        • Facilitates cross-training of existing employees or training of new employees

  28. Documentation of controls performance
      • The biggest challenge here is for employees to incorporate documentation into their everyday work habits
      • Examples of controls documentation
        • Approvals of transactions
        • Memos describing key decisions
        • Analysis of system reports
      • Benefits of controls evidence documentation
        • Internal reference for analysis or key decisions
        • Support in compliance or legal matter

  29. Internal monitoring or testing
      • This could range from a full internal audit department to a review of select controls on an occasional basis
      • Key is to not make the testing or review predictable
      • Primary benefits
        • Identification of potential issues on a more immediate basis
        • Many employees will be more diligent about their work if they know it could be tested
        • Deterrent for potential fraud

  30. IT controls
      • Establish and document formal policies and procedures related to information technology
        • Security
        • Data back-ups
        • System development
        • Data processing
      • Consider the following:
        • Friendly hackers/penetration studies
        • Consulting with 3rd party experts to evaluate a company's IT control structure

  31. Overall key considerations and takeaways
      • Incorporating SOX concepts in a non-public company is not a pass/fail approach
      • Some companies pursue a full public company type approach and others pick certain concepts for their use
      • Risk assessment is the key concept that should drive approach
      • Different companies have different needs; consider where SOX concepts make sense for your company
      • Many companies develop a plan and incorporate it over a multi-year period

  32. Overall key considerations and takeaways (continued)
      • Cost/benefit is an important consideration
      • Consider getting feedback from valued 3rd party advisors as part of any decision making process as well as during implementation:
        • Auditors/tax accountants
        • Bankers
        • Attorneys

  33. Questions?

  34. Jonathan H. Fink, CPA
      Blum, Shapiro & Company, P.C.
      29 South Main Street
      West Hartford, CT 06127
      (860) 561-6849
      jfink@blumshapiro.com
      Blumshapiro.com
