On July 30, 2002, President Bush signed into law the Sarbanes-Oxley Act of 2002. The Act-which applies in general to publicly held companies and their audit firms-dramatically affects the accounting profession and impacts not just the largest accounting firms, but any CPA actively working as an auditor of, or for, a publicly traded company. The basic implications of the Act for accountants are summarized below.
Public Company Accounting Oversight Board.Moving to a different private sector regulatory structure, a new Public Company Accounting Oversight Board (the Board) will be appointed and overseen by the SEC. The Board, made up of five full-time members, will oversee and investigate the audits and auditors of public companies, and sanction both firms and individuals for violations of laws, regulations and rules.
- Board Composition.Two of the five Board members must be or must have been CPAs. The remaining three must not be and cannot have been CPAs. The Chair may be held by one of the CPA members, but he or she must not have practiced accounting during the five years preceding his/her appointment.
- Funding. The Board will be funded by public companies through mandatory fees. Accounting firms that audit public companies must register with the Board ("registered firm"), and pay registration and annual fees.
- Standard Setting. The Board will issue standards or adopt standards set by other groups or organizations, for audit firm quality controls for the audits of public companies. These standards include: auditing and related attestation, quality control, ethics, independence and "other standards necessary to protect the public interest." The Board has the authority to set and enforce audit and quality control standards for public company audits.
- Investigative and Disciplinary Authority. The Board is empowered to regularly inspect registered accounting firms' operations and will investigate potential violations of securities laws, standards, competency and conduct. Sanctions may be imposed for non-cooperation, violations, or failure to supervise a partner or employee in a registered accounting firm. These include revocation or suspension of an accounting firm's registration, prohibition from auditing public companies, and imposition of civil penalties. During investigations, the Board can require testimony or document production from the registered accounting firm, or request information from relevant persons outside the firm. Investigations can be referred to the SEC, or with the SEC's approval, to the Department of Justice, state attorneys general or state boards of accountancy under certain circumstances.
- International Authority. Foreign accounting firms that "prepare or furnish" an audit report involving U.S. registrants will be subject to the authority of the Board. Additionally, if a registered U.S. accounting firm relies on the opinion of a foreign accounting firm, the foreign firm's audit workpapers must be supplied upon request to the Board or the Commission.
New Roles for Audit Committees and Auditors. The relationship between accounting firms and their publicly held audit clients is different under the new law. The basic implications are outlined below.
- Auditors Report to Audit Committee. Now, auditors will report to and be overseen by a company's audit committee, not management.
- Audit Committees Must Approve All Services. Audit committees must preapprove all services (both audit and non-audit services not specifically prohibited) provided by its auditor.
- Auditor Must Report New Information to Audit Committee. This information includes: critical accounting policies and practices to be used, alternative treatments of financial information within GAAP that have been discussed with management, accounting disagreements between the auditor and management, and other relevant communications between the auditor and management.
- Offering Specified Non-Audit Services Prohibited. The new law statutorily prohibits auditors from offering certain non-audit services to audit clients. These services include: bookkeeping, information systems design and implementation, appraisals or valuation services, actuarial services, internal audits, management and human resources services, broker/dealer and investment banking services, legal or expert services unrelated to audit services and other services the board determines by rule to be impermissible. Other nonaudit services not banned are allowed if preapproved by the audit committee.
- Audit Partner Rotation. The lead audit partner and audit review partner must be rotated every five years on public company engagements.
- Employment Implications. An accounting firm will not be able to provide audit services to a public company if one of that company's top officials (CEO, Controller, CFO, Chief Accounting Officer, etc.) was employed by the firm and worked on the company's audit during the previous year.
Criminal Penalties and Protection for Whistleblowers. The law creates tough penalties for those who destroy records, commit securities fraud and fail to report fraud.
- Failure to Maintain Workpapers. It is now a felony with penalties of up to 10 years to willfully fail to maintain "all audit or review workpapers" for at least five years. The SEC will establish a rule covering the retention of audit records and the Board will issue standards that compel auditors to keep other documentation for seven years.
- Document Destruction. It is a felony with penalties of up to 20 years to destroy documents in a federal or bankruptcy investigation.
- Securities Fraud.Criminal penalties for securities fraud have been increased to 25 years.
- Fraud Discovery. The statute of limitations for the discovery of fraud is extended to two years from the date of discovery and five years after the act. It was previously one year from discovery and three from the act.
- Other Provisions. Other provisions protect corporate whistleblowers, ban personal loans to executives, and prohibit insider trading during blackout periods.
Financial Reporting and Auditing Process Additions. Issuers of public stock and their auditors must now follow new rules and procedures in connection with the financial reporting and auditing process.
- Second Partner Review and Approval of Audit Reports. The new regulatory board will issue or adopt standards requiring auditors to have a thorough second partner review and approval of every public company audit report.
- Management Assessment of Internal Controls. Management must now assess and make representations about the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
- Audit Reports Must Contain Description of Internal Controls Testing. The new regulatory board will also issue or adopt standards that will require every audit report to attest to the assessment made by management on the company's internal control structures, including a specific notation about any significant defects or material noncompliance found on the basis of such testing.
Areas for CPAs to Watch. The ramifications of some of the provisions in the Sarbanes-Oxley Act will become known only as the SEC and the new Public Company Accounting Oversight Board begin implementing the bill.
- Consulting Services. The Act lists eight types of services that are "unlawful" if provided to a publicly held company by its auditor: bookkeeping, information systems design and implementation, appraisals or valuation services, actuarial services, internal audits, management and human resources services, broker/dealer and investment banking services, and legal or expert services related to audit services. It also has one catch-all category authorizing the board to determine by regulation any service it wishes to prohibit. Other non-audit services-including tax services-require pre-approval by the audit committee. Pre-approved non-audit services must be disclosed to investors in periodic reports.
- Implications for CPAs with Tax Practices. "Expert" services are not defined in the Act and we do not know how broadly the board or the SEC will define this term. It is conceivable that some tax services we view as traditional may be construed as "expert" services, and not permitted by any firm providing audit services to publicly held audit clients. We will encourage the Board or the SEC to understand the importance of auditors providing tax services for publicly held audit clients. In addition, tax services performed by an auditor for a publicly held company would require pre-approval by the client's audit committee.
- Cascade Effect. Of particular concern is the cascade effect that the scope of services restrictions could have on small businesses and accounting firms. Our major concern is that the new legislation by Congress may become the template for parallel federal and state legislative or rule changes that directly affect both non-public companies that are subject to other regulations and the CPAs that provide services to them. The AICPA and the state CPA societies are monitoring this situation closely and will continue to keep you informed.
- Additional Burdens for CPAs in Business and Industry. CPAs working in the financial management areas of public companies are directly impacted by the Act. These CPAs need to be aware of the new responsibilities of CEOs and CFOs, who are now required to certify company financial statements. They also have a greater duty to communicate and coordinate with corporate audit committees that are now responsible for hiring, compensating and overseeing the independent auditors. There are new requirements regarding enhanced financial disclosures as well. The AICPA is working to develop additional resources specifically tailored for members in corporate practice as they implement these new requirements.