Additional Aspects of Sarbanes-Oxley Act Explained
Last month’s CPA Letter highlighted some of the more significant and better known provisions of the Sarbanes-Oxley Act of 2002. In response to member inquiries, this follow-up article briefly describes some additional provisions that have important ramifications, especially for public accounting firms auditing public companies.
After the new Public Company Accounting Oversight Board established by the Act is "certified" (that is, the Securities and Exchange Commission declares the PCAOB operational and able to carry out its responsibilities), which must occur no later than the end of Apr. 2003, public accounting firms will have 180 days to register with the board. Most of the provisions affecting practitioners will be effective upon the firm becoming registered.
The board has 45 days to act upon any application, and audit services cannot be performed for a public company after the 180-day period. Therefore, firms are cautioned to allow sufficient time to get registered — up to 135 days (180-45).
Who needs to register? Accounting firms that "prepare or issue" or "participate" in the preparation of an audit report for an "issuer" must sign up with the board. The term "issuer" is defined in the Act and is a key factor in determining whether registration is required. But the definition still leaves many unanswered questions that need to be addressed before the full breadth of the Act is known. Likewise, it is unclear what is meant by the word "participate" in the preparation of an audit report for an issuer. This, too, will have to await rulemaking to clarify what firms need to register.
Filing the registration is significant because it includes consent by the firm to cooperate with the board in requests for documents and testimony and an agreement to obtain similar consents from each person providing any audit services to issuers. It also requires similar consents and agreements for foreign firms. Finally, firms are required to update this information at least annually.
The only fees firms pay to the board are for the cost of processing and reviewing the applications and annual reports. The board will get its major funding from issuers in proportion to their equity market capitalization.
Most of the non-audit services that the Act says cannot be performed by audit firms for their public company clients were already prohibited by the SEC’s auditor independence rules. New to the list of banned non-audit services is "expert services." In addition, both internal audit outsourcing and information systems and design — which had exceptions under the SEC’s rules — are now strictly prohibited. All other services are considered to be permitted, including tax services, if pre-approved by the audit committee.
Document retention is governed by three provisions (which are not consistent): a seven-year period for all documents that support a firm’s report (not effective until a firm is registered); a five-year period in the criminal provisions of the Act that covers all audit and review workpapers (this appears to be effective immediately; the SEC will be releasing rules relating to documents covered by this section); and an undefined category of documents in connection with the board’s inspection program which awaits board rulemaking as to its nature and scope.
One of the board’s duties is to conduct inspections (formerly peer reviews) of the registered firms. For firms with more than 100 issuers as clients, the inspections will occur annually. For all others, an inspection will occur at least every three years. The board could adjust these schedules at its discretion. It does not appear that firms will pay the cost of these inspections.
But the board’s inspection concept is fundamentally different from the current peer review. It is no longer firm on firm and it is no longer remedial.
Inspections will be conducted by the board’s inspectors (although it remains to be seen whether the board will hire outside firms to assist in this process). Any violations of the Act, the rules of the board or the SEC, professional standards, or a firm’s own quality control policies, could be the basis for disciplinary action by the board and reported to the SEC and state accountancy boards. They also will inspect matters subject to litigation. (One further note, a question remains as to whether the board’s inspection program will satisfy the peer review requirements of some of the state accountancy boards.)
Disciplinary functions are another major activity of the PCAOB. Many are similar to what is already in place by the AICPA and the SEC. However, there is no deferral for matters subject to litigation. And while confidentiality provisions protect most documents prepared or received by the board in connection with investigations, they can be shared with regulators. Regarding sanctions, fines range from $100,000 for individual negligent conduct to $15 million to a firm for knowing or intentional conduct, including recklessness and repeated acts of negligence.
The Act applies to foreign firms which furnish reports with respect to any issuer and could apply, if the board so rules, to foreign firms that play a substantial role in the audit process. However, a U.S. registered firm that relies on the opinion of a foreign accounting firm is deemed to have consented to supplying the audit workpapers of the foreign firm in response to a request by the board or SEC and to have secured the agreement of the foreign firm to such production as a condition of its reliance on the opinion — but foreign law may not permit this. There is an exemption authority with the SEC and the board to deal with such matters.