Abstract. Introduction. The Sarbanes Oxley Act of 2002


Abstract

The Sarbanes-Oxley Act (SOX) raises the stakes for Chief Information Officers (CIOs) and information technology departments, which must now perform beyond what was previously the norm of providing technical solutions and IT resources. The only way for executives to mitigate their risks is to make their business processes real-time, transparent and auditable. In most companies today, information security is the hub for information flow. The security of this information is critical to SOX and the well-being of the company. However, many companies are still not in compliance, and their IT processes must evolve if they are to be serious about information security.

Introduction

There is no denying that the Sarbanes-Oxley Act of 2002 has been the single most important piece of legislation affecting corporate governance, financial disclosure and the practice of public accounting since the US securities laws issued by the Securities and Exchange Commission (SEC) in the early 1930s. The Sarbanes-Oxley Act of 2002, Pub. L , 116 Stat. 745 (2002) was signed on July 30, 2002 and it has forever changed the way paper and electronic financial data will be treated. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long.

But what does record storing have to do with IT? Due to initiatives such as the Paperwork Reduction Act, more companies and government agencies are switching to electronic documents. Most financial data are stored in databases and financial applications. As a result, IT organizations have greater responsibility over the financial data that an organization possesses. The visibility of Sarbanes-Oxley has increased ten-fold over other IT responsibilities such as the CAN-SPAM Act for a very simple reason: Sarbanes-Oxley spells out very clearly the parties responsible for compliance.
The Act clearly states that the Chief Executive Officer (CEO), the Chief Financial Officer (CFO) and the Chief Information Officer (CIO) must sign off on financial reports and attest that they are confident in the accuracy of the financial statements. This takes away the defense that they were unaware of accounting errors and fraudulent practices in the enterprise. With this much at stake, IT departments affected by the Sarbanes-Oxley Act are no longer viewed as just infrastructure, but more like a business component of the corporate infrastructure.

The Sarbanes Oxley Act of 2002

Senator Paul Sarbanes and Representative Michael Oxley drafted the Sarbanes-Oxley Act of 2002 (shortened as SOX). This act was passed with a 97-0 vote and was recognized to be the most important corporate legislative act to be passed in years. The Sarbanes-Oxley Act created new standards for corporate accountability as well as new penalties for accounting errors and fraudulent practices in the enterprise. It changes the responsibilities of corporate boards and executives and the extent to which they will be held liable for non-compliance. The SOX act is divided into sections that clearly define the operating financial boundaries of a company and what it is responsible for delivering to its stakeholders (shareholders and creditors). For details on the Sarbanes-Oxley Act, please refer to Appendix A.

Why was Sarbanes Oxley created?

The Sarbanes-Oxley Act was the US government's response to the Enron and WorldCom corporate scandals, which left many shareholders holding stock that was valued at less than the paper it was written on. This eroded investor confidence and affected new investments in an already shaky financial market.

The broad strokes of Enron are familiar. First, when it collapsed on December 2, 2001 it destroyed over $60 billion in market value. Second, its accounting fraud was "massive." Reasonable men and women might quibble over some of the finer points in accounting, but in FY 2000, 96 percent of Enron's reported net income and 105 percent of its reported funds flow were attributed to accounting violations. Third, Enron's debt was underestimated by one half: $10 billion reported versus $22 billion actual debt. However, these factors, he continued, were "dwarfed" by bad strategy and management.
- [CIO News, Martha Lagace, 12th Jul 2004, retrieved 03/01/05]

The objective of the SOX act was to establish a clear, digital paper trail to prove to investors and auditors that the corporate financial reports are accurate and transparent. This is becoming more important in many litigation cases as more and more requests are being made for electronic communications such as e-mails and digital documents.

Ernst & Young LLP, the third-biggest U.S. accounting firm, was barred from accepting new audit clients for six months by a U.S. Securities and Exchange Commission judge. Ernst & Young's business venture with audit client PeopleSoft Inc. violated SEC rules that are designed to preserve the independence of audits, SEC Chief Judge Brenda Murray said in a ruling today. Murray also ordered Ernst & Young to pay $1.7 million and required the firm to be overseen by an independent monitor. Ernst & Young also has come under scrutiny for its audits of HealthSouth Corp., AOL Time Warner Inc. and Cendant Corp., which have announced the need to restate their finances. Under the Sarbanes-Oxley corporate-governance law enacted in July 2002, accounting firms are barred from performing nine types of non-audit services for clients, including information-technology consulting.
- [SRiMedia Corporate Governance News, Ernst & Young violates Sarbanes Oxley; banned from accepting new audit clients for six months, Apr 16, 2004, retrieved 02/28/05]

How does Congress think the Act would address the problem?

The SOX act has significantly increased the accountability of directors, corporate officers and auditing corporations. For example, a corporate officer who knowingly signs false financial reports can be fined up to one million dollars and face up to ten years in prison.
Sarbanes-Oxley is designed to enhance corporate governance and strengthen corporate accountability to its investors and shareholders by:
- Ensuring that financial transactions affecting the financial health of a company are done with full transparency
- Ensuring that department heads are responsible by signing off on statements to attest to this fact
- Ensuring that financial reporting is performed with full disclosure
- Adding new levels of controls and disclosure

Additionally, SOX requires that companies keep detailed records related to their financial systems. This broad-based requirement includes electronic as well as printed records. Just as a company is expected to produce printed financial documents, it is also expected under SOX to produce electronic financial documents when requested. SOX makes clear that ignorance is no defense with this regulation, and this also applies to any contractors used by the company. Failure of a contractor to be in compliance can have severe repercussions for the contracting company and its board of directors.

Why is Sarbanes Oxley important to Information Technology and Information Security?

Originally the Public Company Accounting Oversight Board (PCAOB) was created out of the Sarbanes-Oxley Act in 2002 to govern the auditors of public companies. The Securities and Exchange Commission appoints members of the board, and their role is to ensure that public company financial statements are audited to the highest standards of quality and ethics. SOX Sections 404 and 409, however, went beyond the role of financial professionals being the only persons accountable for the accuracy of financial disclosures.

SOX Section 404 makes executive managers and the Board of Directors of public organizations responsible for the processes and controls that affect the accuracy of financial information. They must also provide an assessment of the effectiveness of these controls and have an independent auditor attest to the effectiveness of the controls. Section 409 mandates that the same executives and board of directors must disclose in real time the information affecting the financial conditions or operations of the company, so that investors and the public interest can be protected.

Risk assessment and compliance experts quickly realized that in order to ensure the accuracy and integrity of financial statements they would need to ensure the accuracy and integrity of all the underlying processes, the majority of which resided in the company's IT infrastructure. Even though processes and tasks like sales, purchases, contract disclosure, development and inventory management were not performed by IT personnel, the data flows supporting them were executed on systems managed by the IT organization.

Remember that most of the great failures over the last few years had nothing to do with financial reporting. The companies were dead by the time the public read the annual report even though the financial statements followed generally accepted accounting standards. Companies such as Enron and WorldCom went bankrupt because the underlying physical processes of the organization were failing and the company did not have to report in publicly released financial statements for many periods.
- [Rob Smith, Sarbanes Oxley Committee for the Integration Consortium White Paper, Penguin Publishing]

As a company leverages more and more of its business processes in Information Technology, it becomes very apparent that Information Technology is an enabler for business processes to meet their goals. This becomes important in processes that touch financial data. For almost any publicly traded company these days, the data from sales, purchasing, overheads and marketing are fed through some sort of computer system before the final financial statement is produced. Thus IT finds its niche in the SOX act because the data that drives the financial reports are fed into, stored, calculated and outputted on IT equipment.

State of Information Technology and Information Security before Sarbanes Oxley

In July 2002 no IT organization could have boasted that it was in compliance with the SOX act enacted that very same month. Unlike the Y2K issue, where practically all vulnerable corporations were ready before the turn of the century, SOX caught most IT departments with their pants down. It would be unfair, however, to point fingers at these IT organizations for non-compliance, because up until the SOX act most companies thought of their IT departments as an expense and not as an enabler for them to perform their business processes faster and more efficiently.
Thus in the years leading up to mid-2002, the budgets of most IT departments were starved into maintenance mode with few upgrades. Departments were usually understaffed, and with the threat from more visible issues like worms, viruses and spam, IT departments themselves placed most of their energy into dealing with these issues.

Currently most IT departments are divided among services, responsibilities or a combination of both. Until the SOX act, most IT departments had a fuzzy line defining the responsibilities over systems affecting financial data. This was because some processes were still ad hoc. Movement of code from development to production followed a different standard in different companies, even in the financial sector. In some IT departments a password change could mean a call to a friend, a webpage on a vulnerable server, or a secure token-based change made by asking the user for time-sensitive information over a secure line (like an RSA token password). This demonstrates the variety of methods used in the enforcement of policy.

On a more defined level, IT departments at that time were deficient in the following areas:

1. Control Environment: As demonstrated in the example above, there were no controlled processes for implementing a change and, worse yet, these processes were not aligned with the business goals of the company.
2. Risk Assessment: An IT department's definition of a risk was losing data and being compromised. In most cases not much thought was given to risks beyond this.
3. Control Activities: These worked in tandem with the control environment and consisted of processes, policies and practices. Control activities have very little impact on the department meeting the business needs of providing services like e-mail. As a result, this did not make the company liable outside of its own four walls, and control activities were given a low priority.
4. Monitoring: To most IT departments in July 2002, monitoring meant having a network management system that verified server availability, health, service availability and performance. Very few systems had a robust intrusion detection system, and even fewer had a fraud and integrity management system for internally routed data and internal systems exposed to the intranet. In a survey by Network Computing in 2004, 81% of respondents indicated that most of their viruses entered the network from an internal terminal rather than a direct attack from outside the company's network. This reinforces the view that companies pay more attention to service availability and less to fraud and intrusion detection.

The SOX act has shown companies that their neglected IT departments have many avenues for improvement, from aligning with the business needs to tighter control and regulation. Many companies are also realizing that this Act is actually an opportunity that can achieve more than SOX compliance. It is a better business model and a better executed IT strategy plan. It is clear that information technology as a whole must evolve to meet these new challenges. Its evolution at minimum will be to plug the gaps that presently exist in most companies, which are realizing that their processes are not robust or transparent enough to make the SEC or the auditors smile.

The Cost of SOX Compliance

Estimates approach up to one trillion dollars for the cost of upgrading and replacing software to handle the new millennium worldwide
- Mark Ripma, The effect of Sarbanes-Oxley on the Software Market, 26th Sept 2003, commenting on the cost that Y2K compliance imposed on industries worldwide

Sarbanes-Oxley is the biggest single event since Y2K to shake up the software and IT industry. This act has made financial systems liable and accountable and has created numerous opportunities for the same type of software companies and consultants that provided services and solutions for the Y2K conversions.

Spending for Sarbanes-Oxley has, however, been more generous than that for Y2K. This can be attributed to a number of reasons. The one that rises to the top is the fact that in most companies affected by the Sarbanes-Oxley Act, the CEOs, CFOs and management have been shaken up by the liability the Act exposes them to. In most cases this is enough for them to open the coffers to ensure that their systems are compliant and that when they sign on the dotted line, they do so with full confidence.

Recent surveys have shown that spending has increased on the purchase of consulting services from companies like Andrade. Companies are indeed shopping around for experts who understand the requirements, finer details and the business aspect of the Sarbanes-Oxley Act.
Following the same trend that the Y2K conversions took, there is also increased spending on hardware and software, like Quest's Reporter product or Enterprise Directory Reporter, which are used to perform the auditing tasks necessary for IT departments to prove to independent auditors, investors and the government that the company is compliant. Compliance, however, is not a one-time certification but an ongoing process. Thus after the consultants have completed their work to make the company compliant, IT departments will have to set aside resources in terms of manpower, revenue and equipment to maintain compliance.

SOX compliance spending in 2005 will reach $6.1B, eclipsing 2004's spending by more than 10% as companies add to or improve their initial compliance and governance systems. No one argues that SOX compliance is a hot button for publicly traded companies. Spending will continue to increase in 2005 as companies move from a tactical attack to an ongoing process. As more companies-small cap firms and foreign registrants-enter the SOX fray in 2005, it's apparent that this issue will be with us for some time to come.
- John Hagerty, Fenella Scott, AMR Research, Dec 16th 2004

In preparation for SOX compliance, some companies have actually seen work that was usually contracted outside of the company being brought back under the company's direct control. One such instance was the loss of IT maintenance contracts by IBM from companies who felt that in order to provide the transparency, accountability and transaction trail, the process should be kept under the control of their IT department. Even though IBM can provide lower costs due to scalability and consolidation of the workforce across many contracts, many executives were still unconvinced that their policies and processes were being fully maintained by the contracting company.
Thus many IT organizations are seeing rising costs to meet the SOX requirements while still providing the same level of service as before the SOX act. To provide the minimum that SOX requires, IT will have to implement the following:

1. A Control Environment (e.g. CMDB as in HP Open View)
2. Control Activities (e.g. Change Control)
3. Risk Assessment
4. Monitoring
5. Standard data storage guidelines
6. Reporting service

IT expenditures can no longer be justified by their technical merit alone. IT expenses must be justified in clear business terms. Implementing these new processes and environments will create new direct costs for the IT organization, which must be aligned with the business needs. Compliance is, however, mandatory and thus these costs will become part of the baseline cost of any IT organization. These costs are as follows:

1. Training, for both employees and managers
2. Equipment and software for self-auditing
3. Equipment and software for document management (this is now very important under the new guidelines of the SOX act)
4. Consultant services
5. Control Environment and Change Controls

Evolution of Information Technology and Information Security

SOX does not regulate information technology but instead defines new expectations of the company's financial processes with regard to information security. These expectations trickle down to the services that drive the financial processes of the company. Most companies in the process of revamping their financial processes to meet SOX compliance have found shortfalls in their information technology support infrastructure. These shortfalls are the driving force behind the evolution of information technology and information security to meet the new demands placed on it.

Most companies, after having executed a risk assessment on their finance-related information technology systems, have seen a common trend in compliance failure. This trend points to most information technology organizations lacking an effective control structure and having very little control in ensuring that this information is secure. This opened the door for dishonest employees, hackers, and software and hardware failures to compromise the accuracy of the company's financial report. Additionally, a few companies have found themselves in court simply because they had no standards or processes in place for managing electronic records and correspondence.
To fill these gaps, information technology must now operate not only as a service provider but also as a policy maker and policy enforcer. Since no process or software can be 100% self-governing, information technology must now take on the new role of being a policy maker. This is due to the fact that information technology must comply with policies upstream from business processes. For example, the administrator of a database should not be modifying tuples in the database outside of the program designed to access that particular database. This is a violation of policy in most IT departments today, and if this database stored any financial information, then it was also a compliance failure under the SOX act.

As a policy enforcer, IT departments must provide solutions to ensure that users cannot perform actions that they are not allowed to perform. This is not new to IT departments, many of which use policy management systems like Microsoft Active Directory or Adobe LiveCycle Policy Server to control what resources users have access to and the privilege level at which they are allowed to operate. IT must ensure, however, that the policies they enforce are aligned with both the business and the best practices for their type of organization. At the same time they should ensure that information is available so that employee performance is not affected. Alignment with both the business and the industry's best practices is very important, as companies must follow the norm for the handling of electronic documents, especially e-mails.

NEW YORK (July 21, 2004) - A federal judge presiding over the government's lawsuit against Philip Morris USA has penalized the company for the possible inadvertent loss of some e-mails by company employees. The company said it is studying its legal options in light of the ruling.
- Tobacco News, July 21, 2004

This change does not mean the new IT environment will be buried in bureaucracy, but that it will have more formalized policies and processes in place to ensure that no one entity can modify an item unnoticed, thus preserving information security. This requires the establishment of the basic components of the evolved information technology department.

Components required to provide the security of sensitive data include:

1. Control Environment: This represents the foundation of all internal controls within the organization through corporate policies, integrity, and structure. It requires full cooperation from employees, managers, contractors and directors.
2. Risk Assessment: This is the identification and threat analysis by management of the risks associated with the current scenario. It also covers possible solutions and the liability to which such risks may expose the company.
3. Control Activities: These are procedures, policies and practices used to align the business and achieve management objectives. These activities occur at all levels in the organization's structure and act as a safety net to ensure that information security is not compromised.
4. Monitoring: This is a necessity and not an option in ensuring that internal controls are performing as designed. This can be an ongoing process, and performance improvements can be obtained from executing these activities in real time.

The implementation of initiatives due to SOX has far exceeded what many analysts expected in terms of making business processes more efficient. In a poll by Network Computing, which asked subscribers whether they intend to implement more than what was required of them for SOX, the response was:

62% - Yes
28% - No
10% - Undecided/In the discovery phase

From these polls, the most common additions were in the areas of Change Management and Configuration Management.

Configuration management: the discipline of establishing and maintaining the integrity of the configuration of a secured environment. No change occurs without a request, change owner, work order and audit trail. This enhances information security and adds value to an organization for SOX compliance, transparency and company security.

Change management: the proactive management of an organization's environment. This proactive approach provides the extra level of security missing in pre-SOX information technology initiatives.

The feedback from the business community is that SOX gave many companies the initiative not only to streamline their business processes, but to evolve and implement changes to both their information technology and security strategies. The hesitation was that for the most part these changes did not have a real deadline prior to the SOX act being enacted. This has indeed made enterprises more secure and more accountable to their stakeholders.

Conclusion

Prior to the Sarbanes-Oxley Act, information technology departments were primarily concerned with delivering services. Security was an issue of securing passwords on systems, and data reliability was concerned with the availability of information. SOX, however, changed the roles that information technology had to fill and expanded the information security aspects to include data accuracy, data reliability, change control, change management and strict transparent processes to guard important financial data.

The days of big corporate scandals have come and gone. In the future we will definitely see fewer scandals like Enron and WorldCom. Today the CFOs and CEOs are already thinking less about how they can create accounting irregularities and more about compliance.

Annotated Bibliography

New technologies that support Sarbanes Oxley. Network Computing, October 2004: p.17.
The authors at Network Computing conducted a survey of the tools that IT departments are implementing to bring their organizations into compliance with Sarbanes-Oxley. The survey covered the technologies, their purpose, cost, and value.

Section 404 compliance in the annual report: assessing control deficiencies now is a documented process required of management. Journal of Accountancy, v.198, no.4, (October 2004): p.43. Available at
Michael Ramos discusses the report types that are required by Sarbanes-Oxley Section 404. He goes further into the problem of evaluating the internal control efficiencies that plague most companies seeking compliance.

Change control and Change Management. IT August 2004: p.9.
The authors of IT discuss the solutions to problems arising out of inefficiencies in the internal controls of many companies, to ensure that the financial reports are driven by processes that are under strict management control. For IT this means that systems, applications, processes and data must also be placed under strict management. Most IT departments are now looking at Change Management as the method to ensure that no key financial systems are changed without an e-trail and without authorization. Introduced are products like HP's Open View Help Desk application, which connects System Change Management, Work Orders and Help Desk functions into a tightly controlled business process.

IT's new role for Sarbanes Oxley compliance. Redmond Jan 2005:
Redmond gives insight into the new role IT organizations and their managers must now take on as facilitators of technology-driven business processes, with the integrity, reliability, accuracy and conformance that were commonly thought of as only applicable to financial institutions.

Inside threats: transaction incident monitoring can easily identify systems-based fraud, misuse, and errors and help organizations comply with Sarbanes-Oxley internal control requirements. Internal Auditing, v.19, no.5, (September/October 2004): p.3.

A test of controls [section 404]. The CPA Journal, v.74, no.8, (August 2004): p.26. Available at
The CPA Journal covers the safety gate that each atomic change must pass before it can be implemented. It discusses the division of control of a single process among different entities, with each entity following a disclosed guideline for the implementation of the change.

Going beyond Sarbanes-Oxley compliance: five keys to creating value. The CPA Journal, v.74, no.6, (June 2004): p.11. Available at

Top 10 surprises from the Sarbanes-Oxley Act. CPA2Biz, Inc. (September 22, 2003). Available at
One key point is the role of financial software companies, who have said that this is the biggest turnaround in the industry since the year 2000 bug.

Appendix A: The Sarbanes Oxley Act

New Public Company Accounting Oversight Board (PCAOB)

The law establishes a five-member accounting oversight board that is subject to Securities and Exchange Commission (SEC) oversight. Though the board oversees accounting firms, only two members of the board may be CPAs. The SEC will appoint the board. Duties of the board include registering public accounting firms that prepare audit reports; and establishing or adopting auditing, quality control, ethics and independence standards. The board also inspects, investigates and disciplines public accounting firms and enforces compliance with the act.

Registration With the Board Is Mandatory. This applies to public accounting firms, foreign or domestic, that participate in the preparation or issuance of any audit report with respect to a public company. Registration and annual fees collected from each registered CPA firm will go towards the costs of processing and reviewing applications and annual reports.

Seven-Year Record Retention Requirement. PCAOB must adopt a rule to require registered CPA firms to prepare and maintain audit work papers and other information related to an audit for at least seven years in sufficient detail to support the conclusions reached in the audit report. (A separate criminal provision requires retention of all audit and review work papers for five years from the end of the fiscal year in which the audit or review was completed.)

Cooperation with CPA Groups. The board will cooperate with professional accountant groups and advisory groups to increase the effectiveness of the standards setting process. (The PCAOB may cooperate, but authority to set standards rests with the PCAOB, subject to SEC review.)

Annual Inspections. Inspection of registered public accounting firms shall occur annually for every registered public accounting firm that regularly provides audit reports for more than 100 issuers (at least once every three years for registered firms that audit fewer than 100 issuers).

Investigations. The board may investigate any act, omission or practice by a registered firm or an individual associated with a registered firm for any possible violation of the act, the board's rules, professional standards, or provisions of the securities laws relating to the preparation and issuance of audit reports.
(a) The board may require testimony or documents and information (including audit work papers) from a registered firm or individual associated with a registered firm or in the possession of any other person.

Sanctions for violations that the board finds may include:
(a) Suspension or revocation of a registration;
(b) Suspension or bar of a person from further associating with any registered public accounting firm;
(c) Limitations on the activities of a firm or person associated with the firm; and
(d) Penalties for the firm of up to $2 million per violation, up to a maximum of $15 million.
(e) Individuals employed by or associated with a registered firm who violate the act can face penalties that range from required additional continuing professional education (CPE) or training, to disbarment of the individual from further association with any registered public accounting firm, or even a fine up to $100,00 for each violation, up to a maximum of $750,000.
(1) A portion of the penalties collected will go to accounting scholarships.

Funding. The law also provides independent funding for the Financial Accounting Standards Board (FASB).
While the SEC and American Institute of CPAs (AICPA) both have recognized FASB as the standard setting body for accounting principles, federal authority to issue auditing, quality control, ethics and independence standards may seriously impact the AICPA's role in official pronouncements.
(a) Source. The budget for the board and FASB will be payable from annual accounting support fees set by the board and approved by the Commission. The fees will be collected from publicly traded companies and will be determined by dividing the average monthly equity market capitalization of the company for the preceding fiscal year by the average monthly equity market capitalization of all such companies for that year.

Other Requirements for CPA Firms

Most Consulting Banned for Audit Clients. Title II of the act prohibits most consulting services outside the scope of practice of auditors.
(a) These services are prohibited even if pre-approved by the issuer's audit committee.
(b) Prohibited services include:
- Bookkeeping and related services,
- Design and implementation of financial information systems,
- Appraisal or valuation services (including fairness opinions and contribution-in-kind reports),
- Actuarial services,
- Internal audit outsourcing,
- Services that provide any management or human resources,
- Investment or broker/dealer services, and
- Legal and expert services unrelated to the audit.
- Any other service that the board determines, by regulation, is impermissible.
(c) Services Not Prohibited. Firms, however, may provide tax services or others that are not listed, provided the firm receives pre-approval from the board. However, certain tax planning products, like tax avoidance services, may be considered prohibited nonaudit services.

Audit Reports Require Concurring Partner Review. Requires a concurring or second partner's review and approval of all audit reports and their issuance.

Revolving Door Employment of CPAs with Audit Clients Is Banned. A registered CPA firm is prohibited from auditing any SEC registered client whose chief executive, CFO, controller or equivalent was on the audit team of the firm within the past year.

Audit Partner Rotation Required. Audit partners who either have performed audit services or been responsible for reviewing the audit of a particular client must be rotated every five consecutive years. CPAs should read carefully the requirements for rotation of both the partner-in-charge and the concurring review partner for certain organizational constraints.
(a) No Firm Rotation Requirement. Firm rotation is not required. However, the U.S. Comptroller General will study and review the potential effects of mandatory rotation and will report its findings to the Senate Committee on Banking, Housing, and Urban Affairs and the House Committee on Financial Services.

CPA Firms Are Required to Report Directly to the Audit Committee.

CPA Firm Consolidations to Be Studied. The U.S. Comptroller General will conduct a study analyzing the impact of the merger of CPA firms to determine if consolidation leads to higher costs, lower quality of services, impairment of auditor independence, or lack of choice.

Corporate and Criminal Fraud Accountability. Changes to the securities laws can penalize anyone found to have destroyed, altered, hidden or falsified records or documents to impede, obstruct or influence an investigation conducted by any federal agency, or in bankruptcy, with fines or up to 20 years imprisonment, or both.

Current Requirements for Audit Firms. Accountants are required to maintain all audit or review workpapers for a period of five years from the end of the fiscal period in which the audit or review was concluded.

Additional Rules. The law requires the SEC to promulgate rules and regulations on the retention of any and all materials related to an audit, including communications, correspondence and other documents created, sent or received in connection with an audit or review.
(a) Penalties. Violating the requirement or the rules that will be developed will result in a fine, or up to 10 years imprisonment, or both.

Of Note to Industry Members

Requirements for Corporations, Their Officers and Board Members

No Lying to the Auditor. The act makes it unlawful for an officer or director or anyone acting for a principal to take any action to fraudulently influence, coerce, manipulate or mislead the auditing CPA firm.

Code of Ethics for Financial Officers. The SEC is mandated to issue rules adopting a code of ethics for senior financial officers.

Financial Expert Requirement. The SEC is required to issue rules requiring a publicly traded company's audit committee to be comprised of at least one member who is a financial expert.

Audit Committee Responsible for Public Accounting Firm. The act vests the audit committee of a publicly traded company with responsibility for the appointment, compensation and oversight of any registered public accounting firm employed to perform audit services.

Audit Committee Independence. Requires audit committee members to be members of the board of directors of the company, and to otherwise be independent.

CEOs & CFOs Required to Affirm Financials. Chief executive officers (CEOs) and CFOs must certify in every annual report that they have reviewed the report and that it does not contain untrue statements or omissions of material facts.
(a) Penalty for Violation. If material noncompliance causes the company to restate its financials, the CEO and CFO forfeit any bonuses and other incentives received during the 12-month period following the first filing of the erroneous financials.

CEOs & CFOs Must Enact Internal Controls. CEOs and CFOs will be responsible for establishing and maintaining internal controls to ensure they are notified of material information.

Penalties for Fraud. The act also has stiffened penalties for corporate and criminal fraud by company insiders. The law makes it a crime to destroy, alter or falsify records in a federal investigation or if a company declares bankruptcy. The penalty for those found guilty includes fines, or up to 20 years imprisonment, or both.

Companies Affected by the Act. Publicly traded companies affected by the act are those defined as an issuer under Section 3 of the Securities Exchange Act of 1934, whose securities are registered under Section 12 of the 1934 Act. An issuer also is considered a company that is required to file reports under Section 15(d) of the act, or that files or has filed a registration statement that has not yet become effective under the Securities Act of The SEC has yet to provide further guidance as to entities covered by the act.

Debts Not Dischargeable in Bankruptcy. Amends federal bankruptcy law to make non-dischargeable in bankruptcy certain debts that result from a violation relating to federal or state securities law, or of common law fraud pertaining to securities sales or purchases.

Expanded Statute of Limitations for Securities Fraud. For a civil action brought by a non-government entity or individual, an action involving a claim of securities fraud, deceit or manipulation may be brought not later than the earlier of two years after discovery or five years after the violation.

No Listing on National Exchanges for Violators. The SEC will direct national securities exchanges and associations to prohibit the listing of securities of a noncompliant company.

No Insider Trading. No insider trading is permitted during pension fund blackout periods. The insider must forfeit any profit during this period to the company.

SEC Rules on Enhanced Financial Disclosures.
(a) Off-Balance Sheet Transactions: All quarterly and annual financial reports filed with the SEC must disclose all material off-balance sheet transactions, arrangements, obligations (including contingent obligations), and other relationships of the issuer with unconsolidated entities.
(b) Pro Forma Figures: Pro forma financial information in any report filed with the SEC or in any public release cannot contain false or misleading statements or omit a material fact necessary to make the financial information not misleading.

No Personal Loans. No personal loans or extensions of credit to company executives either directly or through a subsidiary, except for certain extensions of credit under an open-ended credit plan or charge card, home improvement and manufactured home loans, or extensions of credit by a broker or dealer to its employee to buy, trade or carry securities.
(a) The terms of permitted loans cannot be more favorable than those offered to the general public.

Criminal Penalties Enhanced*

BEHAVIOR: The alteration, destruction, concealment of any records with the intent of obstructing a federal investigation.
SENTENCE: Fine and/or up to 10 years imprisonment.

BEHAVIOR: Failure to maintain audit or review workpapers for at least five years.
SENTENCE: Fine and/or up to 5 years imprisonment.

BEHAVIOR: Anyone who knowingly executes, or attempts to execute, a scheme to defraud a purchaser of securities.
SENTENCE: Fine and/or up to 10 years imprisonment.

BEHAVIOR: Any CEO or CFO who recklessly violates his or her certification of the company's financial statements.
SENTENCE: Fine of up to $1,000,000 and/or up to 10 years imprisonment. If willfully violates: Fine of up to $5 million and/or up to 20 years imprisonment.

BEHAVIOR: Two or more persons who conspire to commit any offense against or to defraud the U.S. or its agencies.
SENTENCE: Fine and/or up to 10 years imprisonment.

BEHAVIOR: Any person who corruptly alters, destroys, conceals, etc., any records or documents with the intent of impairing the integrity of the record or document for use in an official proceeding.
SENTENCE: Fine and/or up to 20 years imprisonment.

BEHAVIOR: Mail and wire fraud.
SENTENCE: Increase from 5 to 20 years imprisonment.

BEHAVIOR: Violating applicable Employee Retirement Income Security Act (ERISA) provisions.
SENTENCE: Various lengths depending on violation.

* Source: Sarbanes-Oxley Act of 2002 and New York City Office of the Comptroller.

Analyst Conflicts of Interest

No Retaliation Against Analysts. Brokers and dealers of securities are not allowed to retaliate or threaten to retaliate against an analyst employed by the broker or dealer as a result of an adverse, negative or unfavorable research report on a public company.

Conflict of Interest Disclosures. Securities analysts and brokers or dealers are required to disclose conflicts of interest, such as:
(a) Whether the analyst has investments or debt in the company it is reporting on;
(b) Whether any compensation received by the broker, dealer or analyst is appropriate in the public interest and consistent with the protection of investors;
(c) Whether an issuer has been a client of the broker or dealer; and
(d) Whether the analyst received compensation with respect to a research report based on investment banking revenues.

Attorney Requirements

Requirement on Attorneys to Report Violations. The SEC is required to issue rules setting forth minimum standards of professional conduct for attorneys appearing and representing a public company in any manner in front of the Commission. As part of this requirement, the SEC will be required to issue rules on the following:
(a) Requiring attorneys employed by a public company to report to the chief counsel or CEO of the company evidence of a material violation of securities law, breach of fiduciary duty, or similar violation by the company or its agent.
(b) Once reported, if the counsel or CEO does not appropriately respond to the evidence, the attorney must report the evidence to the board of directors or its audit committee.


More information

Securities Exchange Act of 1934 Reporting Readiness Considerations

Securities Exchange Act of 1934 Reporting Readiness Considerations Securities Exchange Act of 1934 Reporting Readiness Considerations April 4, 2017 Robert Suffoletta Corporate Bryan King Corporate The materials in this presentation, and the opinions expressed in this

More information

CODE OF ETHICS. I. Introduction

CODE OF ETHICS. I. Introduction CODE OF ETHICS I. Introduction South Atlantic Capital Management Group, Inc. (hereinafter South Atlantic Capital or the Company ) is guided in all actions by the highest ethical and professional standards.

More information

Sarbanes-Oxley: A Review of the Empirical Evidence and a Proposal for Reform

Sarbanes-Oxley: A Review of the Empirical Evidence and a Proposal for Reform Sarbanes-Oxley: A Review of the Empirical Evidence and a Proposal for Reform Financial Markets Reform: Taking Stock A Conference Sponsored by the Federal Reserve Bank of Atlanta Kenneth Lehn University

More information

Cybersecurity Threats: What Retirement Plan Sponsors and Fiduciaries Need to Know and Do

Cybersecurity Threats: What Retirement Plan Sponsors and Fiduciaries Need to Know and Do ARTICLE Cybersecurity Threats: What Retirement Plan Sponsors and Fiduciaries Need to Know and Do By Gene Griggs and Saad Gul This article analyzes cybersecurity issues for retirement plans. Introduction

More information

ACE Privacy Protection Privacy & Network Liability Insurance Program Renewal Application

ACE Privacy Protection Privacy & Network Liability Insurance Program Renewal Application ACE Privacy Protection Privacy & Network Liability Insurance Program Renewal Application NOTICE The Policy for which you are applying is written on a claims made and reported basis. Only claims first made

More information

Audit Quality and Investor Protection: The Need for Ongoing Vigilance

Audit Quality and Investor Protection: The Need for Ongoing Vigilance Audit Quality and Investor Protection: The Need for Ongoing Vigilance Jeanette M. Franzel PCAOB Board Member NASBA 106 th Annual Meeting October 28, 2013 2 The views I express today are mine alone, and

More information

Financial Institution Bond Application

Financial Institution Bond Application FDIC #: DATE: *To be able to save this form after the fields are filled in, you will need to have Adobe Reader 9 or later. If you do not have version 9 or later, please download the free tool at: http://get.adobe.com/reader/.

More information

CODE OF ETHICS. for. Hennessy Funds Trust and Hennessy Advisors, Inc. Code of Ethics. June 2017

CODE OF ETHICS. for. Hennessy Funds Trust and Hennessy Advisors, Inc. Code of Ethics. June 2017 CODE OF ETHICS for Hennessy Funds Trust and Hennessy Advisors, Inc. TABLE OF CONTENTS I. GENERAL... 1 Page A. Introduction... 1 B. Definitions... 1 II. STANDARDS OF BUSINESS CONDUCT... 3 A. General Standards...

More information

VIRTU FINANCIAL, INC. SECURITIES TRADING POLICY (adopted by the Board of Directors April 3, 2015)

VIRTU FINANCIAL, INC. SECURITIES TRADING POLICY (adopted by the Board of Directors April 3, 2015) VIRTU FINANCIAL, INC. SECURITIES TRADING POLICY (adopted by the Board of Directors April 3, 2015) To Directors, Officers and Employees of Virtu Financial, Inc. and its subsidiaries (collectively, the Company

More information

Accountant Liability in the Current Regulatory Environment: Risk Control Is a Full Time Job!

Accountant Liability in the Current Regulatory Environment: Risk Control Is a Full Time Job! Accountant Liability in the Current Regulatory Environment: Risk Control Is a Full Time Job! THOMAS P. VARTANIAN FRIED, FRANK, HARRIS, SHRIVER & JACOBSON LLP WASHINGTON, DC vartath@ffhsj.com Risk Exposures

More information

AMENDED AND RESTATED CODE OF ETHICS FOR APOLLO INVESTMENT CORPORATION

AMENDED AND RESTATED CODE OF ETHICS FOR APOLLO INVESTMENT CORPORATION AMENDED AND RESTATED CODE OF ETHICS FOR APOLLO INVESTMENT CORPORATION Section I. Statement of General Fiduciary Principles This Amended and Restated Code of Ethics (the Code ) has been adopted by Apollo

More information

CHAPTER 29. Corporate Governance. Chapter Synopsis

CHAPTER 29. Corporate Governance. Chapter Synopsis CHAPTER 29 Corporate Governance Chapter Synopsis 29.1 Corporate Governance and Agency Costs Corporate governance is the system of controls, regulations, and incentives designed to maximize firm value and

More information

McDonald s Corporation Policy for Pre-Approval of Audit and Non-Audit Services Provided by External Audit Firm January 2018 Update

McDonald s Corporation Policy for Pre-Approval of Audit and Non-Audit Services Provided by External Audit Firm January 2018 Update McDonald s Corporation Policy for Pre-Approval of Audit and Non-Audit Services Provided by External Audit Firm January 2018 Update Purpose and Applicability of Policy Under the Sarbanes-Oxley Act of 2002,

More information

FEDERAL DEFICIT REDUCTION ACT POLICY

FEDERAL DEFICIT REDUCTION ACT POLICY A. Introduction. FEDERAL DEFICIT REDUCTION ACT POLICY Partnership for Children of Essex, Inc. (referred to herein as the Organization ) has instituted this Federal Deficit Reduction Act Policy as part

More information

UNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION

UNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION UNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION SECURITIES ACT OF 1933 Release No. 9565 / March 27, 2014 SECURITIES EXCHANGE ACT OF 1934 Release No. 71823 / March 27, 2014 ACCOUNTING

More information

Understanding and Complying with the Sarbanes- Oxley and NYSE and Nasdaq Requirements Affecting Audit Committees

Understanding and Complying with the Sarbanes- Oxley and NYSE and Nasdaq Requirements Affecting Audit Committees Understanding and Complying with the Sarbanes- Oxley and NYSE and Nasdaq Requirements Affecting Audit Committees March 21, 2003 Distributed By: The Corporate and Securities Group SCHIFF HARDIN LLP 6600

More information

South Carolina General Assembly 122nd Session,

South Carolina General Assembly 122nd Session, South Carolina General Assembly 122nd Session, 2017-2018 R184, H4655 STATUS INFORMATION General Bill Sponsors: Reps. Sandifer and Spires Document Path: l:\council\bills\nbd\11202cz18.docx Companion/Similar

More information

FIDUCIARY LIABILITY SOLUTIONS Application for Insurance Renewal Business NOTICE. I. General Information

FIDUCIARY LIABILITY SOLUTIONS Application for Insurance Renewal Business NOTICE. I. General Information NOTICE THE POLICY YOU ARE APPLYING FOR APPLIES ONLY TO ANY CLAIM FIRST MADE DURING THE POLICY PERIOD AND REPORTED TO THE COMPANY DURING THE POLICY PERIOD OR REPORTED WITHIN ANY APPLICABLE EXTENDED REPORTING

More information

) ) ) ) ) ) ) ) ) ) )

) ) ) ) ) ) ) ) ) ) ) 1666 K Street, N.W. Washington, DC 20006 Telephone: (202 207-9100 Facsimile: (202 862-0757 www.pcaobus.org INSTITUTING DISCIPLINARY PROCEEDINGS, MAKING FINDINGS, AND IMPOSING SANCTIONS In the Matter of

More information

Authored and prepared by egx

Authored and prepared by egx Authored and prepared by egx Annotated Recognition Order egx Canada Inc. Section 24 of the Securities Act, RSBC 1996, c. 418 egx Canada Inc. (egx), a subsidiary of Global Financial Group Inc. (GFG), has

More information

Lecture 12 Creditors and Auditors. Prof. Daniel Sungyeon Kim

Lecture 12 Creditors and Auditors. Prof. Daniel Sungyeon Kim Lecture 12 Creditors and Auditors Prof. Daniel Sungyeon Kim Debt as a disciplinary mechanism Institutional lenders as corporate monitors Credit rating agencies International perspective Financial Reporting

More information

CODE OF ETHICS FOR APOLLO TACTICAL INCOME FUND INC.

CODE OF ETHICS FOR APOLLO TACTICAL INCOME FUND INC. CODE OF ETHICS FOR APOLLO TACTICAL INCOME FUND INC. Section I. Statement of General Fiduciary Principles This Code of Ethics (the Code ) has been adopted by Apollo Tactical Income Fund Inc. (the Fund )

More information

NEW YORK STATE INSURANCE DEPARTMENT 11 NYCRR 89 REGULATION NO. 118 AUDITED FINANCIAL STATEMENTS

NEW YORK STATE INSURANCE DEPARTMENT 11 NYCRR 89 REGULATION NO. 118 AUDITED FINANCIAL STATEMENTS NEW YORK STATE INSURANCE DEPARTMENT 11 NYCRR 89 REGULATION NO. 118 AUDITED FINANCIAL STATEMENTS I, James J. Wrynn, Superintendent of Insurance of the State of New York, pursuant to the authority granted

More information

MARATHON OIL CORPORATION POLICY STATEMENT Section: Executive

MARATHON OIL CORPORATION POLICY STATEMENT Section: Executive GENERAL PURPOSE To establish the procedures for pre-approval of all audit, audit-related, tax and permissible non-audit services provided by Marathon Oil Corporation s (the Corporation ) independent auditor.

More information

BOYD GAMING CORPORATION. CODE OF BUSINESS CONDUCT AND ETHICS (As Amended July 19, 2017)

BOYD GAMING CORPORATION. CODE OF BUSINESS CONDUCT AND ETHICS (As Amended July 19, 2017) BOYD GAMING CORPORATION CODE OF BUSINESS CONDUCT AND ETHICS (As Amended July 19, 2017) I. PURPOSE AND INTENT It is the policy of Boyd Gaming Corporation and its subsidiaries (collectively, the Company

More information

FORM 14 BROKER-DEALER FIDELITY BOND

FORM 14 BROKER-DEALER FIDELITY BOND FORM 14 BROKER-DEALER FIDELITY BOND Countrywide Most broker-dealer firms rely on our Fidelity Bond Program to protect their assets. Here s why: Our Fidelity Bond Program is designed specifically for broker-dealer

More information

Audit and Non-Audit Services Pre-Approval Policy

Audit and Non-Audit Services Pre-Approval Policy Audit and Non-Audit Services Pre-Approval Policy I. Statement of Principles VIII. Procedures II. Delegation IX. Additional Requirements III. Audit Services X. Appendix A IV. Audit-related Services XI.

More information

Private Equity Professional Edge SM Application

Private Equity Professional Edge SM Application Private Equity Professional Edge SM Application Private Equity/Venture Capital Management and Professional Liability Insurance, Including Employment Practices Liability Insurance NOTICES: In underwriting

More information

CORPORATE GOVERNANCE Table of Contents

CORPORATE GOVERNANCE Table of Contents CORPORATE GOVERNANCE Table of Contents I. Introduction... 1 A. Dual structure... 1 B. Contact info... 1 C. Take-home Exam... 1 D. Things to do... 1 II. Definitions; The Basic Structure of Governance Within

More information

NATIONAL RECOVERY AGENCY COMPLIANCE INFORMATION GRAMM-LEACH-BLILEY SAFEGUARD RULE

NATIONAL RECOVERY AGENCY COMPLIANCE INFORMATION GRAMM-LEACH-BLILEY SAFEGUARD RULE NATIONAL RECOVERY AGENCY COMPLIANCE INFORMATION GRAMM-LEACH-BLILEY SAFEGUARD RULE As many of you know, Gramm-Leach-Bliley requires "financial institutions" to establish and implement a Safeguard Rule Compliance

More information

NORTHERN OIL AND GAS, INC. INSIDER TRADING POLICY. and Guidelines with Respect to Certain Transactions in Company Securities. (Adopted March 12, 2012)

NORTHERN OIL AND GAS, INC. INSIDER TRADING POLICY. and Guidelines with Respect to Certain Transactions in Company Securities. (Adopted March 12, 2012) NORTHERN OIL AND GAS, INC. INSIDER TRADING POLICY and Guidelines with Respect to Certain Transactions in Company Securities (Adopted March 12, 2012) Background Northern Oil and Gas, Inc. (the Company )

More information

Code of Ethics for Directors

Code of Ethics for Directors Code of Ethics for Directors Approved: March 2016 Effective: March 2016 Next Review: March 2019 Version: 6.0 (031716) CIBC FirstCaribbean Table of Contents 1 Introduction... 3 1.1. Application... 3 1.2.

More information

NN Group EXTERNAL AUDITORS INDEPENDENCE

NN Group EXTERNAL AUDITORS INDEPENDENCE NN Group POLICY EXTERNAL AUDITORS INDEPENDENCE Final External Version 28 Augustus 2014 CONTENTS 1 Introduction... 3 2 Scope... 3 3 Permitted Services... 3 4 Services for joint ventures and Investment Funds

More information

Secure Information Destruction; A Legal Imperative

Secure Information Destruction; A Legal Imperative In this Issue Information as a Double-Edged Sword Not Knowing the Law Secure Information Destruction and Legal Compliance Information Security Recommendations From Shred-it Secure Information Destruction;

More information

CERTIFIED FINANCIAL PLANNER BOARD OF STANDARDS, INC. ANONYMOUS CASE HISTORIES NUMBER 30450

CERTIFIED FINANCIAL PLANNER BOARD OF STANDARDS, INC. ANONYMOUS CASE HISTORIES NUMBER 30450 CERTIFIED FINANCIAL PLANNER BOARD OF STANDARDS, INC. ANONYMOUS CASE HISTORIES NUMBER 30450 This is a summary of a Settlement Agreement entered into at the October 2017 hearings of the Disciplinary and

More information

B. EMPLOYMENT PRACTICES INFORMATION

B. EMPLOYMENT PRACTICES INFORMATION Chubb Group of Insurance Companies 15 Mountain View Road, Warren, New Jersey 07059 APPLICATION FOREFRONT BY CHUBB FOR BANKS UNDERWRITTEN IN FEDERAL INSURANCE COMPANY OR VIGILANT INSURANCE COMPANY FOREFRONT

More information