Before we throw any light on SOX and compliance thereof, lets understand some of the basic concepts around honesty, integrity, control framework with some statistics on corporate frauds.
Honesty & integrity is one of the important factors that companies conduct due verification of employees, while recruiting. William Shakespeare said, “No legacy is so rich as honesty”.
As per “2020 Report to the Nations” by The Association of Certified Fraud Examiners (ACFE)¹, some of the key findings are worth sharing. Organizations lose an estimated 5% of revenue to fraud each year, which is having a median loss of $125,000 per case.
As per the above said report, the corruption was the most common scheme globally dominated by the ‘Asset misappropriation schemes’ with 86% (median loss of $100,00) of cases and the ‘financial statement fraud schemes’ with 10% cases (median loss of $954,000). Around 14% of all occupational frauds were committed by Accounting department and 12% by executive / upper management. Owners / executives caused the largest losses of around $600,000 on average.
So, let us look around and try to understand how ethical our environment is. So, what about our corporate world, in fact things are well…!! and the corporate world I am in, my survival has no link with the compromise on my ethical standards, Are you serious? Ok, then move from this discussion and think about, what should be a good example of a control framework. Let us not reinvent the wheel when we have COSO framework².
The COSO framework for internal controls was issued in 1992, which defined internal control as a process, effected by an organization’s board, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
The five components of internal controls, which are given below, encompass end-to-end organizational internal controls structure, which is linked with three vertical levels of financial reporting, compliance, and operations:
- Control Environment
- Risk Assessment
- Control Activities
- Information & Communications
SAS 78³, consideration of Internal Control in a Financial Statement Audit was issued as an amendment to SAS 55. SAS 78 required the usage of COSO internal Control standards for audits in US Corporations. The key objective was reliability of the financial reporting.
The COSO definition of internal control, forms the basis for SOX. Now connect these five important components of internal controls with the cases of major financial scandals of early 2000’s i.e. Enron, WorldCom and Tyco.
A strong foundation provides a strong building. Control environment is the foundation of COSO model. The fundamental cause of all the above cases is failure of corporate governance and absence of accountability at the executive management level. The key reason behind corporate failure of Enron, WorldCom and Tyco is abuse by those who were responsible to set the tone at the top and that is where SOX is so valuable.
The Basic Purpose
The basic purpose behind the SOX was to enhance shareholders’ confidence, tighten regulations of independent auditors by establishing Public Committee Accounting Oversight Board (PCAOB), to establish corporate responsibility for financial reports, the audit committee role, enhanced financial disclosures and accountabilities and penalties. Subsequently amendments to this ACT were made by the Dodd-Frank Wall Street Reform & Consumer Protection Act in 2010 (a subject of another article).
What SOX addressed
The SOX is a valuable effortfor the corporate world towards transparency and fairness, particularly for shareholders, who rely on financial statements and disclosures therein to be true and verified. SOX brought several changes in the Securities Exchange Act of 1934 as well as some other regulations, and in this section, we will be summarizing some of the important provisions of the SOX:
The SOX amended the SEC Act of 1934, by adding the prohibited activities, and established that the following activities are prohibited by the external auditors:
- Financial information systems design and implementation
- Appraisal or valuation services etc.
- Actuarial services
- Internal audit – outsourcing
- Management function or human resources
- Broker or dealer, investment advisor etc.
- Legal services
- Any other impermissible activity
The SOX required audit partner rotation where limit is set for 5 years maximum and also mandated for reporting to Audit Committee by the external auditors for all critical accounting policies and practices, alternative treatments of financial information and other material written communication with the management.
The SOX also recognized the importance of audit committee role and its formation. The key role required from audit committee was to make them responsible for the appointment, compensation, and oversight of the work of auditor, resolution of disagreements between management and auditor.
Audit committee members are required to be independent members of the board. The Audit committee shall also establish procedures for complain management, hence this identifies the minimum requirement of whistleblowing policy and mechanism.
One of the most important clause of the SOX Act is 302,which is to read with section 13(a) and 15(d) of The Securities Exchange Act of 1934, and requires principal executive officer(s) and principal finance officer(s) to certify annual or quarterly reports that the report has been reviewed and does not contain any untrue statement of a material fact or omit to state a material fact necessary. The certification requires from key officers (CEO/CFO) to attest the fair presentation of the financial condition materially.
The signing officer are made responsible for establishing and maintaining effective internal controls, to evaluate the effectiveness on frequent basis and records are maintained for such evaluations. The signing officers are also required to disclose to the Audit Committee and the auditors, all significant deficiencies in the design and operation of internal controls and/or any fraud which could adversely affect the financial statements.
Enhanced Financial Disclosures
The SOX also made companies responsible to prepare each financial report that contains financial statements, in accordance with the generally accepted accounting principles (GAAPs) and reflect all material correcting adjustments.
The enhanced financial disclosure included enhanced conflict of interest provisions whereby a prohibition was imposed on personal loans to the executives and directors. Section 16 of the Securities Exchange Act of 1934 was amended to include filing requirement for more than 10% shareholding by any director or officer.
One important addition was “Internal Control Report” as part of annual report, by confirming management’s responsibility for establishing and maintaining effective internal controls, financial reporting procedures and assessment of such effectiveness.
Evaluation of internal control and reporting thereof is a lengthy process and needs a robust procedure and system support to establish. This is also called “Internal Controls over Financial Reporting” (ICOFR).
Public Company Accounting Oversight Board (PCAOB)
A major development was establishment of Public Company Accounting & Oversight Board (PCAOB), a body corporate, to oversee audit of public companies that are subject to securities laws. Post-Enron and other financial scandals, the confidence of investors was shaken drastically, and this remedial measure was imminent to earn back that trust. On top of this, the PCAOB was kept independent and free from any interference.
The core functions of PCAOB are:
- Register public accounting firms
- Establish or adapt standards relating to preparation of audit reports
- Conduct inspections
- Conduct investigations and disciplinary proceedings and impose sanctions
- Duties relevant to promoting professional standards and improving audit quality.
- Enforce compliance with the SOX Act
Accountability &Penal actions
The act incorporated amendments to US Code by adding corporate and criminal fraud accountability and by enhancing white collar crime penalties as follows:
- A fine or imprisonment for not more than 20 years or both for knowingly altering, destroying etc. any record/document to influence the investigation or administration of any matter
- Auditor is required to retain all audit or review workpapers for a period of 5 years
- A fine or imprisonment for not more than 10 years or both for knowingly and wilfully violating any rule / regulations of SEC as specified.
- A fine or imprisonment for not more than 25 years for securities fraud.
- A fine upto $ 1 million or imprisonment for not more than 10 years, or both for knowingly certifying financial statements which are not fairly presented
- A fine upto $ 5 million or imprisonment for not more than 20 years, or bothfor wilfully certifying financial statements which are not fairly presented
- The SOX also enhanced criminal penalties for mail and wire fraud and Employee Retirement Income Security Act of 1974
Tauseef A. Mushtaq
During his career of over 22 years, Tauseef, has gained extensive experience working in audit, assurance, GRC, internal controls, finance, tax, and various advisory roles. He is also an expert in SOX and Control frameworks.Alongside experience in Big4 (Deloitte), he brings a valuable experience of multiple sectors globally i.e. banking, Islamic finance, manufacturing, engineering & construction, leasing, asset & fund management with global experience of MENA region (UAE, Qatar, KSA, Jordan, Bahrain, Egypt & Syria), South Asia (Pakistan and India), Central Asia & Europe (Kazakhstan, Russia and Italy).
He is also an expert in board affairs and proficient in Corporate Governance. As part of his assurance & advisory roles, he reported and worked with Board of Directors / Audit Committee (AC) on the best practices, adequacy & effectiveness of internal controls, IFRS disclosures, technological advancements & innovations.
Tauseef is a Chartered Accountant from England & Wales (ICAEW) & Pakistan (ICAP), a Harvard certified, and a Certified Internal Auditor (CIA), a Certified Fraud Examiner (CFE), a Certified Information Systems Auditor (CISA), a Certified Risk Based Auditor (CRBA) and a Certified Sarbanes Oxley Expert (CSOE).
¹Report to the Nations – 2020 Global study on Occupational Fraud and abuse by Association of Certified Fraud Examiners (ACFE)
²Committee of Sponsoring Organizations of the Treadway Commission, published by AICPA, Jersey City, NJ, 1992
³SAS 78, Consideration of Internal Control in a Financial Statement Audit: An Amendment to SAS no. 55, New York: AICPA, 1995.
COSO Enterprise Risk Management, by Robert R. Moeller, 2007, published by John Wiley & Sons Inc. Hoboken, New Jersey and simultaneously published in Canada.
Sarbanes Oxley Act 2002 published as Public Law 107-204 on July 30, 2002
The contents of this article are for information only and not offered as advice. Readers are encouraged to consult a suitably qualified professional adviser to obtain advice tailored to their specific requirements.