Contents
Foreword
Preface
Acknowledgments
Chapter 1: Background
Introduction
Corporate Scandals
Investor, Employee, and Public Trust
Corporate Governance
History of the Sarbanes-Oxley Act
SEC and PCAOB
Conclusion
Summary
Notes
Chapter 2: Introduction to the Sarbanes-Oxley Act
Introduction
Key Principles of SOX
Principle-and Rule-Based Legislation
Sox Compliance
General Compliance Requirements
Benefits of Compliance
Consequences of Noncompliance
Voluntary versus Mandatory Compliance
Corporate Perceptions of SOX
Conclusion
Summary
Note
Chapter 3: Selected SOX Sections
Introduction
Section 103: Auditing, Quality Control, and Independence Standards and Rules
Section 201: Services Outside the Scope of Practice of Auditors
Section 302: Corporate Responsibility for Financial Reports
Section 404: Management Assessment of Internal Controls
Requirements of Section 404 Internal Control Report
Requirements of the Executive Officers
Section 406: Code of Ethics for Senior Financial Officers
Section 409: Real Time Issuer Disclosures
Section 806: Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud
Conclusion
Summary
Notes
Chapter 4: Implementing a Strategy
Introduction
Challenges of Compliance
Strategy Outline
Original PCAOB Audit Standard No. 2
Updated PCAOB Audit Standard No. 2
Conclusion
Summary
Note
Chapter 5: Industry Frameworks
Introduction
Committee of Sponsoring Organizations
Control Objectives for Informational and Related Technology
Conclusion
Summary
Notes
Chapter 6: Achieving Sustainable Compliance
Introduction
Cost of Compliance
Factors Relating to High Initial Cost
Projected Decline of Costs
PCAOB Recommendations for Minimizing the Costs Associated with Section 404
Technology and Sustainable Compliance
Sustainable Compliance Strategies
Conclusion
Summary
Notes
Chapter 7: Technology Solutions
Introduction
IT Components Relevant to SOX Compliance
Relevant SOX Sections for IT
Steps for Successful Implementation of IT Controls
Subcertification
ISO/IEC 17799 Framework
Security Best Practices
IT Infrastructure Library
National Institute of Standards and Technology
Software
Benefits of IT in SOX Compliance
Conclusion
Summary
Chapter 8: Beyond the American Corporation
Introduction
Outsourcing Challenge
Uniqueness of Small Businesses
Impact on Foreign Issuers
Impact on Nonprofit Organizations
Conclusion
Summary
Notes
Afterword
Appendix: Summary of the Sarbanes-Oxley Act
Glossary
Index
Advertisement
Essentials Series
The Essentials Series was created for busy business advisory and corporate professionals. The books in this series were designed so that these busy professionals can quickly acquire knowledge and skills in core business areas.
Each book provides need-to-have fundamentals for those professionals who must:
- Get up to speed quickly, because they have been promoted to a new position or have broadened their responsibility scope
- Manage a new functional area
- Brush up on new developments in their area of responsibility
- Add more value to their company or clients
Other books in this series include:
Essentials of Accounts Payable, Mary S. Schaeffer
Essentials of Balanced Scorecard, Mohan Nair
Essentials of Capacity Management, Reginald Tomas Yu-Lee
Essentials of Capital Budgeting, James Sagner
Essentials of Cash Flow, H.A. Schaeffer, Jr.
Essentials of Corporate Performance Measurement, George T Friedlob, Lydia L.F. Schleifer, and Franklin J. Plewa, Jr.
Essentials of Cost Management, Joe and Catherine Stenzel
Essentials of Credit, Collections, and Accounts Receivable, Mary S. Schaeffer
Essentials of CRM: A Guide to Customer Relationship Management, Bryan Bergeron
Essentials of Financial Analysis, George T Friedlob and Lydia L. F. Schleifer
Essentials of Financial Risk Management, Karen A. Horcher
Essentials of Intellectual Property, Paul J. Lerner and Alexander I. Poltorak
Essentials of Knowledge Management, Bryan Bergeron
Essentials of Patents, Andy Gibbs and Bob DeMatteis
Essentials of Payroll Management and Accounting, Steven M. Bragg
Essentials of Shared Services, Bryan Bergeron
Essentials of Supply Chain Management, Michael Hugos
Essentials of Trademarks and Unfair Competition, Dana Shilling
Essentials of Treasury, Karen A. Horcher
Essentials of Managing Corporate Cash, Michele Allman-Ward and James Sagner
Essentials of XBRL, Bryan Bergeron
For more information on any of the above titles, please visit www.wiley.com
Copyright © 2007 by Sarbanes-Oxley Institute. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Wiley Bicentennial Logo: Richard J. Pacifico.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993, or fax 317-572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
For more information about Wiley products, visit our Web site at http://www.wiley.com.
Library of Congress Cataloging-in-Publication Data
Anand, Sanjay.
Essentials of Sarbanes-Oxley / Sanjay Anand.
p. cm.
Includes index.
ISBN 978-0-470-05668-4 (pbk.)
1. United States. Sarbanes-Oxley Act of 2002. 2. Corporations–Accounting–Law and legislation–United States. 3. Disclosure of information–Law and legislation–United States. 4. Financial statements–Law and legislation–United States. 5. Directors of corporations–Legal status, laws, etc.–United States. 6. Corporate governance–Law and legislation–United States. I. Title.
KF1446.A315A83 2007
346.73’0666–dc22
Foreword
In the past decade I, like so many others, observed carefully as the ethical fabric of corporate America fell to shreds. I watched CEO after CEO paraded in front of the public for their crimes. But I saw more than what the news cameras showed; I saw the danger of history repeating itself.
Fraud hurts business. When it occurs on as grand a scale as we witnessed, it hurts the economy as awhole. I anticipated and hoped that some measures would be taken to reinstate public trust in our markets.
When the Sarbanes-Oxley Act (SOX) was first introduced, I heard the collective gasp rise up from Corporate America. We all knew that this Act was not going to make life easy for corporations, but there was hope that the efforts would be worthwhile.
As someone who has dedicated his professional career to fraud prevention and education, I felt motivated and inspired. I knew that with education and assistance, companies could achieve compliance. In SOX I saw a chance to reinstate American corporations as pinnacles of business, fit for emulation.
The first years were as rough as I predicted they would be; costs were high and knowledge was low, which can be a disheartening situation. I believed that with the right guidance, companies could work within the SOX framework and build a balance between their needs and those of their shareholders.
We have seen this to be true. The costs of compliance are becoming increasingly more manageable as information and education have improved. I anticipate seeing even greater improvements in the years to come, and this book is going to have a hand in creating those improvements.
I have been privileged to work with Sanjay through the SOX Institute. He subscribes to the same belief that I do: Educating people makes the difference. Companies will have greater compliance success when they have a strong team holding them up.
Sanjay believes, and teaches, that when a company has the knowledge, the ethics, and the leadership, it will achieve compliance.
I am thrilled that Sanjay has chosen to complement his growing library and write a book that reaches out to the expanding audience of those impacted by SOX. His sharing of his knowledge of governance, his experience with companies and corporations around the globe, and his expertise with the Act is truly valuable.
As a strategic advisor and certified consultant, Sanjay has worked with the roll call of Fortune 500 and Global 2000 companies. These companies have benefited not only from his intelligence and knowledge, but also from his innovation and dedication. I know that they join my commendation of this book.
I have heard Sanjay referred to as the “consultant’s consultant.” Every time he sees a gap in knowledge and understanding, he works tirelessly to fill it. He sees the changing environment of SOX as an endless source of opportunities to educate.
This book does just that. It fills the gaps and ensures that everyone impacted by SOX will have the information at his or her fingertips. Better yet, it explains the concepts in a straightforward manner that is so refreshing in our world of jargon.
This is the book that should be on the CEO’s nightstand, in the board member’s gym bag, and the MBA student’s hand. It fills the gaps between theory and execution, and teaches us all those important lessons of compliance.
No professional should be without a copy of this book.
Professor Tommy Seah
CFE, CMC, FAIA, ACIB, MIIA, FIFA, AICFA, CSOXP
Vice-Chairman, Board of Regents
Association for Certified Fraud Examiners (ACFE)
Preface
In 2002 the U.S. Senate added the Sarbanes-Oxley Act (SOX)to the network of securities regulations that it has been building to keep corporate America in check. This Act was fledged from a desire to protect investors, and the U.S. economy, from the threat of scandal and corruption in publicly traded companies. In an effort toward off future Kenneth Lays and Arthur Andersens, SOX establishes strict expectations and imposes even stricter penalties for compliance failure.
Some would argue that the penalty of such rash legislation may be too high of a price for innocent companies to shoulder as punishment for sharing the title of “publicly traded” with a few bad apples.
Irrespective of whether SOX and its regulations are necessary or even desirable, they are a fact of life for publicly traded businesses in the U.S. markets. SOX is a reality that needs to be understood, accommodated, and, when possible, mastered in order for companies to balance their compliance efforts with their business interests
Who This Book Is For
This book is for the senior-level professionals, the executives, and the board members whose companies are impacted by SOX. It is for those who are looking for the knowledge to initiate a SOX projector allocate a budget.
This book is also for any professional or consultant who would like to be able to discuss SOX in an intelligent and informed manner.
SOX affects all company members, from the CEO to middle management and beyond. Compliance is a collective effort, and by understanding the Act, you will be able to question, discuss, and contribute.
How to Use This Book
In these pages you will find information that will help you to understand SOX and the implications that it has for your company, plus specific explanations on how to help your company achieve compliance.
In addition, this book has been designed with appreciation and respect for your demanding lifestyle and professional obligations. With a clear overview, as well as chapter summaries at both the start and end of chapters, this book ensures that information is easy to find and always at your fingertips.
Although the book is arranged in the manner that seemed to flow most logically, there is no need to read the chapters in their presented order. Feel confident to skip around, knowing that each chapter can be read as a stand-alone article, designed to present you with complete information.
What You Will Find
A brief summary of each of the chapters in this book follows. These summaries will help you to better understand why each topic was chosen and also assist you to find specific information that you are looking for.
- Chapter 1 begins our tour of SOX with a history lesson. It explains the events that led to the inception of the Act, as well as the two men who were so instrumental in its development, Congressman Oxley and Senator Sarbanes.
It is important to understand the circumstances surrounding the development of SOX in order to truly understand why it was developed and what it seeks to achieve. Essentially this Act is meant to reinstate the trust that investors, employees, and the general public once had for publicly traded companies. This trust is a vital part of our economy, and maintaining it is a worthwhile goal.
This chapter provides readers with a background of the Act that will serve as a springboard for the rest of the knowledge that they gain throughout the book. Only by understanding where it came from can we truly understand where SOX is today and where it is headed in the future.
- In Chapter 2 the issues of SOX are examined and the Act’s core concepts are discussed. This chapter walks through the key principles of the Act as well as those issues that are related to its compliance. Before taking a more in-depth look at how compliance can be achieved and the tools that are required for such an endeavor, it is important that the foundations of the Act are understood.
By taking a bird’s eye view of the Act and discussing some of the big issues, this chapter provides readers with a structured framework on which to build their SOX knowledge. The key to understanding SOX, legislation that was designed with a very specific purpose in mind, is found in understanding the big issues with which it deals.
- Chapter 3 provides an overview of some of the most applicable SOX sections. This chapter not only explains what the Act actually says, it also explains the consequences of the requirements and illustrates some challenges that companies may face in their compliance efforts.
While reading this chapter, it is important to keep in mind that although some sections of SOX receive more attention than others, the Act itself is meant to be treated as a whole. Unlike other pieces of legislation in which some sections apply to certain segments, SOX, for the most part, is applicable in its entirety.
By highlighting some of the most important sections of the Act, this chapter gives an overview of compliance efforts and provides a picture of what SOX, as a whole, is working to achieve.
- Chapter 4 offers practical information that has been designed to facilitate an understanding of SOX through the compliance process. Reading this chapter will not only provide a general framework for the compliance strategy; it will also illustrate the challenges that many companies face in meeting the SOX regulations.
Although each company will have its own unique strategy for compliance that will reflect the circumstances in which it finds itself, there is a general process that all SOX efforts follow.
Reading through the common steps taken for compliance will solidify the ideas learned in earlier chapters and provide concrete implications for SOX’s general principles and specific sections.
- No book related to SOX is complete without a discussion of the Committee of Sponsoring Organizations (COSO) and the Control Objectives for Information and Related Technology (COBIT). These two frameworks will be covered in Chapter 5. This chapter provides readers with information about these specific frameworks and further explains compliance efforts and the many forms that they can take.
Although the Securities and Exchange Commission (SEC), Public Company Accounting Oversight Board (PCAOB), and SOX do not provide very much guidance as to how to achieve compliance, the SEC has specifically recommended that management use COSO or a framework that is very similar. Almost all companies follow that recommendation.
As the templates used to evaluate the efficacy of all other frameworks, COSO, COBIT, and the information provided in this chapter are all vital components of SOX compliance.
- Chapter 6 takes ones of the largest issues dealing with compliance and breaks it down to explain why the cost of SOX compliance is a major concern and how that concern is manageable with the right strategies. Many of the factors that have contributed to high compliance costs in previous years are being mitigated by the development of new technology and more efficient systems. This chapter provides insight into the ways that technology contributes to sustainable compliance.
SOX compliance would be easily achieved with a limitless budget, but this is not reality. Companies do require cost controls in order to ensure that their compliance strategies are sustainable and that they fit within the parameters of maintaining a healthy bottom line.
- Chapter 7 focuses on information technology (IT). Although IT is not specifically mentioned in the Act, its involvement is implicit, given the technological nature of our times. This chapter is designed to provide readers with an overview of the role that IT and IT divisions play in SOX compliance efforts. Internal controls over financial processes are integrally linked to the IT systems that the company has established. IT is also instrumental in the establishment of controls and their testing processes, which actually helps to keep such tasks manageable and efficient.
After reading this chapter, readers should have an overall impression of what IT’s role is in compliance and an idea of the steps that an IT division should take to facilitate its company’s SOX efforts.
- Although publicly traded companies are the ones most obviously targeted by SOX, several other organizations are impacted by the Act as well. Chapter 8 explores the ways in which entities outside of Corporate America are dealing with SOX and what specific challenges they face. The four major groups that are impacted by SOX compliance are those that provide outsourcing services, the publicly traded companies, foreign issuers, and not-for-profit organizations.
This chapter takes the information learned throughout the book and extrapolates it to involve some of the issues just outside the realm of general SOX conversation. These issues provide readers with a chance to understand and become aware of the wide-reaching scope of this legislation.
My Goal for You
My goal in writing this book was to remove SOX from the philosophical and theoretical realm and bring it into the real world, which is where it is having its effect. It is time that SOX compliance was discussed in terms of action rather than ideals because it is the actions that create the compliance.
I hope that this book provides you with the knowledge and information to feel confident with the concept of SOX and the impact that it is having on the face of business.
Regardless of where SOX takes us from here or where we were before its inception, what matters is that it is impacting the face of business today. This book is designed to help those affected by SOX to understand their compliance efforts and make the most of the process.
Acknowledgments
My sincerest thanks to . . . (in alphabetical order by last name to be fair)
Shannon Brayford for patiently editing and reediting and re-reediting and . . . (you get the idea)
Sheck Cho, Executive Editor, and others on his team at John Wiley & Sons, Inc., for their guidance
Debi Deimling at Congressman Oxley’s office for her encouragement (she calls me “Mr. SOX”)
Congressman Michael Oxley, Honorary Chairperson, SOX Institute, for his encouragement
Dennis O’Connor of Paradigm Communications for helping to promote this book
Robert Schwind for his valuable inputs and insights to make sure I was “on track”
Tommy Seah, Certified Fraud Examiner in Practice, for agreeing to write the foreword for this book
Ethiopis Tafara, Director, Office of International Affairs, SEC for his article in Chapter 8.