A practicing CFE and subscriber to this blog contacted us to say that he has been asked to make a presentation to the audit committee of a small public company client for whom he recently completed an examination of a financial fraud. In light of the control vulnerabilities uncovered by our CFE’s report, the audit committee wants a briefing on its responsibilities under SOX (the Sarbanes-Oxley Act) so that it, in turn, can ensure that management’s future performance deters any recurrence of the fraud.
Since its inception in 2002, SOX has had a material impact on the way boards of directors, management, and accountants of publicly held companies operate. It has also had a dramatic impact on the certified public accountants of publicly held companies and on the audits of those companies. Since the enactment of Sarbanes-Oxley, the Securities and Exchange Commission (SEC) has issued numerous releases that support and expand the SOX requirements. Many of the most important provisions of SOX and of the corresponding SEC releases relate to fraud detection and prevention.
SOX gave audit committees more power and responsibility over a company’s auditors. The intent of the rules is to make the audit committee (rather than company management) the auditor’s “client.” Companies can be delisted from the stock exchanges if they fail to comply with the rules. The principal audit committee provisions are:
- The auditor reports to, and is overseen by, the company’s audit committee, not management;
- Audit committees are responsible for hiring, compensating, and overseeing the registered public accounting firms they employ, and for hiring independent counsel and any other advisors they determine necessary;
- Each person on the audit committee must be a member of the board of directors and be otherwise independent of the company. SOX defines “independent” as not accepting any consulting, advisory, or other compensatory fee from the company (other than for board service) and not being an affiliated person of the company or any of its subsidiaries;
- One member of the audit committee must be a financial expert. A company without a financial expert must disclose that fact and explain its rationale. The SEC has defined a financial expert as someone with:
–An understanding of GAAP and financial statements;
–The ability to assess whether GAAP was used in estimates, accruals, and reserves;
–Experience with financial statements of a similar breadth and complexity of issues;
–An understanding of internal controls and financial reporting procedures;
–An understanding of audit committee functions;
- The New York Stock Exchange requires the chair of the audit committee to have accounting or financial management experience. It also requires a nominating committee and a compensation committee composed of independent directors;
- Companies must provide appropriate funding to their audit committee;
- Audit committees must pre-approve all audit and non-audit services provided by their auditor that are not specifically prohibited by SOX;
- Audit committees must set up procedures to receive and deal with any complaints the company receives about accounting, internal control, auditing, and similar issues.
For the management of public companies, the biggest requirement SOX mandates is greater responsibility for the financial reports filed with the SEC. SOX requires both the chief executive officer (CEO) and the chief financial officer (CFO) of a company to prepare a statement, accompanying each quarterly and annual report, that certifies the financial statements and disclosures it contains. There are six elements to the management certification:
- The financial statements have been reviewed by management;
- The statements do not contain an untrue statement of a material fact or omit a material fact that makes the statements misleading;
- The statements fairly present, in all material respects, the operations, financial condition, and cash flow of the issuer;
- Management is responsible for designing, installing, and evaluating disclosure controls and procedures, and reporting its conclusions with respect to its effectiveness;
- All significant internal control deficiencies and material weaknesses, and any fraud involving management or other employees with a significant role in internal controls, have been disclosed to the auditor and the audit committee;
- All significant changes to internal controls after management’s evaluation have been disclosed, including any corrective actions taken.
These rules were implemented to assure investors that the information in a company’s quarterly and annual reports is accurate and contains all of the company information that the executives believe is important to a reasonable investor. If management willfully and knowingly violates this certification process, it can be punished with imprisonment of up to 20 years and a fine of up to $5,000,000. In addition, if financial reports must be restated because of material noncompliance, as a result of misconduct, with financial reporting requirements under the securities laws, the CEO and CFO can be required to repay any bonuses and incentive or equity-based compensation they received during the twelve months following the issuance or filing of the noncompliant document. They can also be required to repay any profits they realized from the sale of company securities during the same period. Given these certification requirements, it is not surprising that many public company CEOs and CFOs have spent a great deal of time since 2002 conducting due diligence procedures on their financial statements before certifying them.
From a fraud prevention perspective specifically, SOX also sets out the following requirements of interest to our CFE reader’s audit committee and executive management:
- Company officers and directors cannot take any action to fraudulently influence, coerce, manipulate, or mislead auditors to make the financial statements materially misleading;
- Company executives and directors cannot receive loans that are unavailable to those outside the company. There is an exception for loans, such as a home mortgage or a credit card agreement, if they are on the same terms and conditions as those made to the general public and done in the ordinary course of business;
- Company executives and directors cannot trade company stock during blackout periods when other employees are unable to do so. Profits from doing so can be recovered;
- All insider stock trades involving executive officers, directors, and individuals who own 10 percent or more of the company must be reported electronically to the SEC within two business days and posted to the company’s website;
- All financial reports required by GAAP must contain all material correcting adjustments identified by the auditors;
- All annual and quarterly financial reports must disclose all material off-balance sheet transactions and relationships with unconsolidated entities likely to have a material effect on the company’s financial condition;
- Pro forma financial information must not contain any untrue statements or omit a material fact that would make it misleading, and it should be in conformance with company financial information prepared according to GAAP;
- Companies must disclose, in plain English, material changes to their financial condition on a rapid and current basis.
Also of interest to our reader’s audit committee would be the criminal penalties. Sarbanes-Oxley and the SEC rules implementing its requirements increased the maximum penalties for many white-collar crimes and created tougher penalties for people who destroy records, commit securities fraud, and fail to report fraud. CPA firms are required to preserve all audit or review work papers, including e-mail, for at least seven years after the audit is complete. Willfully failing to do so, or intentionally destroying these records, is a felony punishable by up to 10 years of imprisonment. Sarbanes-Oxley also created a new felony, punishable by up to 20 years of imprisonment and a substantial fine, for destroying, altering, or fabricating documents to impede, obstruct, or influence any existing or contemplated federal investigation. The maximum criminal penalty for securities fraud was increased to 25 years of imprisonment.
The statute of limitations on securities fraud claims was extended from one to two years from the date the fraud is discovered, and from three to five years after the fraud took place. Finally, Sarbanes-Oxley set the penalty for CEOs and CFOs who knowingly certify fraudulent financial statements, or who submit materially misleading statements to the SEC, at a maximum of 10 years of imprisonment and a $1 million fine. CEOs and CFOs who do so willfully face a maximum penalty of 20 years of imprisonment and a $5 million fine.