Lorman Education - September 21, 2015 Sarbanes-Oxley Compliance: What Accountants Need to Know Now. Presented by: Robert F. Dow, Esq.

Lorman Education - September 21, 2015 Sarbanes-Oxley Compliance: What Accountants Need to Know Now Presented by: Robert F. Dow, Esq.

Overview of Significant Issues CFO Certifications Code of Ethics Audit Committee Financial Expert Improper Influence on Auditors Auditor Independence Non GAAP Financial Measures Assessment of Internal Controls Documentation Enforcement 2

CFO Certifications (or I m Supposed to Sign WHAT?!... )

CEO/CFO Certification Two separate CEO/CFO certifications for periodic reports Section 302 and Section 906 Both sections require the CEO and CFO to include a certification for each annual or quarterly report of the issuer Section 906 imposes criminal sanctions Section 302 is a civil provision implemented by SEC regulations issued in August 2002 4

CEO/CFO Certification (cont d) The SEC regulations under Section 302 requires the CEO and CFO to certify in each periodic report regarding: Financial and other information included in the report The establishment, maintenance and evaluation of disclosure controls and procedures Internal control disclosures must be made to auditors and AC Evaluation of internal controls and any changes thereto must be disclosed to auditors and AC 5

CEO/CFO Certification (cont d) Does the company require management below CEO/CFO to sign sub-certifications? Percent of respondents to survey who said yes: 68% 68% 54% 32% Controller / CAO Financial reporting personnel Treasury personnel Risk management Source: Deloitte & Touche Survey of Consumer Business Companies, November 2002 6

Disclosure Controls Rules 13a-15 and 15d-14 define disclosure controls and procedures: Controls and other procedures Designed to ensure required information is: recorded, processed, summarized and reported within time specified in SEC rules Includes procedures to make sure that information is communicated to CFO and CEO To allow timely decisions re: disclosure 7

Disclosure Controls (cont d) Rules include four general requirements about disclosure controls: Design and maintain Evaluate each quarter Disclose results of evaluation Certification 8

Observations From SEC Comments on Section 302 Disclosure Management must: disclose whether controls are effective at reasonable assurance level disclose plans to correct deficiencies, including timetable SEC will ask for copies of auditor-ac communications SEC asserts that errors may necessitate a restatement SEC requires a risk factor regarding control weaknesses 9

Disclosure Requirements About Controls Item 307 requires disclosure about controls: The CFO s and CEO s conclusions: about the effectiveness of the design and operation of disclosure controls based on an evaluation as of the end of the quarter 10

Disclosure Requirements About Controls (cont d) Item 307 requires disclosure about controls: Whether or not there were significant changes in the internal controls or other factors that could significantly affect these controls during the period covered by the report including any corrective actions for significant deficiencies 11

Disclosure Committees 96.8% Of companies have a disclosure committee Survey by Corporate Counsel Usually includes: CFO, controller, counsel, internal audit, investor relations 12

Code of Ethics (Doing the right Thing)

Code of Ethics On January 15, 2003, the SEC adopted a rule entitled Disclosure Required by Sections 406 and 407 of the Sarbanes-Oxley Act of 2002 under Release No. 33-8177. The Release is available at www.sec.gov under the Final Rules page of the web site. 14

Code of Ethics Summary of SEC s Rule Under new Item 406 of Regulation S-K, code of ethics is defined to mean standards that are reasonably designed to deter wrongdoing and to promote: Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships 15

Code of Ethics Summary of SEC s Rule (cont d) Full, fair, accurate, timely, and understandable disclosure in reports and documents that a registrant files with, or submits to, the Commission and in other public communications made by the registrant Compliance with applicable governmental laws, rules and regulations The prompt internal reporting of violations of the code to an appropriate person or persons identified in the code, and Accountability for adherence to the code 16

Code of Ethics Summary of SEC s Rule (cont d) The code of ethics must apply to the issuer s principal executive officer, principal financial officer, principal accounting officer or controller, or persons performing similar functions: Note that a registrant may have separate codes of ethics for other purposes and other persons The code of ethics required by Item 406 may be a portion of a broader document that addresses additional topics or that applies to more persons than the SEC regulates by its rule 17

Code of Ethics Summary of SEC s Rule (cont d) The company must make the required code of ethics publicly available in one of three alternative ways: File a copy as an exhibit to the 10-K Post the text on its Internet web site (and contain appropriate references in its 10-K to the web site posting) Provide an undertaking in its 10-K to provide a copy of the code of ethics to any person without charge upon request 18

Sample Codes of Ethics http://www.ge.com/files/usa/citizenship/pdf/english.pdf http://www.lockheed.com/content/dam/lockheed/data/corp orate/documents/ethics/code-of-conduct.pdf http://www.raytheon.com/ourcompany/ourculture/code/ 19

Audit Committee Financial Expert (Debits on the left, credits on the right... )

Audit Committee Financial Expert SEC regulations under Section 407 define financial expert as a person with all of these attributes: An understanding of financial statements and generally accepted accounting principles An ability to assess the general application of such principles in connection with the accounting for estimates, accruals, and reserves 21

Audit Committee Financial Expert (cont d) Experience Preparing, auditing, analyzing, or evaluating financial statements with a level of complexity of accounting issues that are generally comparable to the company s financial statements, or Actively supervising one or more persons engaged in such activities An understanding of internal controls and procedures for financial reporting; and An understanding of AC functions 22

Audit Committee Financial Expert (cont d) A person can acquire the attributes through: (1) Education and experience as a CFO, ACAO, controller, public accountant or auditor, or similar functions (2) Experience: actively supervising one of these positions, or overseeing or assessing the performance of companies or public accountants with respect to the preparation, auditing, or evaluation of financial statements, or (3) Other relevant experience 23

Audit Committee Financial Expert (cont d) SEC s regulations go beyond Sarbanes to require: Disclosure of name of at least one financial expert Disclosure of whether the financial expert is independent 24

Improper Influence On Auditors

Improper Influence on Auditors SEC rules say that officers may not fraudulently influence, coerce, manipulate or mislead an independent auditor: To issue a report that is not warranted in the circumstances Not to perform procedures required by GAAS Not to withdraw a report Not to communicate with AC 26

What is Improper Influence? SEC says the following may be improper influence Offering or paying bribes or other financial incentives, including offering future employment Providing an auditor with inaccurate or misleading legal analysis Threatening to cancel existing non-audit or audit engagements if the auditor objects to the issuer s accounting Seeking to have a partner removed from the audit engagement because the partner objects to the issuer s accounting Blackmailing, and Making physical threats 27

Auditor Independence (No More Hands in the Cookie Jar)

Auditor Independence The auditor may not perform for audit clients any of these non-audit services: bookkeeping financial information systems design and implementation appraisal or valuation services or fairness opinions actuarial services internal audit outsourcing services management or human resource functions investment banking services legal services expert services 29

Auditor Independence (cont d) Other non-audit services also may impair independence In evaluating non-audit work, the audit firm should not: audit its own work function as part of management or an employee of client act as an advocate for the client promote client s stock or other financial interests 30

Non-Audit Services Sarbanes includes a definition of non-audit services, as follows: The term non-audit services means any professional services provided to an issuer by a registered public accounting firm, other than those provided to an issuer in connection with an audit or a review of the financial statements of an issuer. (emphasis added) 31

Non-Audit Services (cont d) All non-audit services must be preapproved by the AC Preapproval requirement is waived if: total of all such non-audit services is 5% or less of the total amounts paid to the auditor, and company did not recognize the services to be non-audit services at the time they were provided, and the services are promptly brought to and approved by the AC prior to the completion of the audit 32

Partner Rotation Sarbanes requires the lead auditing and review partners to rotate every 5 years; New regulations add 7 years rotation for all audit partners Audit partner includes: decision-making on significant matters affecting financial statement maintain regular contact with management and AC lead partner on significant sub. (20% of assets or revenues) Small firm exemption (<10 partners and 5 SEC clients) 33

Sarbanes-Oxley Whistleblower Provisions

Section 806 Who is Potentially Liable? Officers Employees Contractors Subcontractors Agents 35

Section 806 What Actions are Protected? Providing information or otherwise assisting in an investigation OR Filing, testifying, participating in or otherwise assisting in a proceeding that is filed or about to be filed (with any knowledge of the employer) 36

Section 806 What Investigations Are Covered? Investigations involving violations of: Federal criminal law involving securities fraud, mail fraud, bank fraud, or wire, radio and television fraud SEC rules or regulations; or Federal law relating to fraud against shareholder 37

Section 806 Blowing the Whistle - To Whom? Federal regulatory or law enforcement agency Any member or committee of Congress Persons working for the employer: Supervisory authority over employee Authority to investigate, discover, or terminate misconduct 38

Section 806 What Retaliation is Prohibited? Employer may not: Discharge Threaten Demote Harass Suspend In any other manner discriminate against an employee in terms and conditions of employment Because of any lawful act done by the employee in the whistleblowing 39

Section 1107 Criminal Penalties - Overview Very broad application Protection for providing to any law enforcement officer, any truthful information relating to any federal offense Applies to public and private companies Whistleblowing of violations of any federal law Employers and their agents may face: Fines up to $500,000 ($250,00 for individuals) Imprisonment up to 10 years 40

Private Sector Whistleblower Protection Lawson v. FMR Recent decision by the Supreme Court Recognizing that employees of private companies are protected by the whistleblower provisions of Sarbanes-Oxley Some previously thought that only employees of public companies blowing the whistle on fraud that might harm public investors were covered Two employees terminated after reporting fraud relating to mutual funds they provided services for 41

Private Sector Whistleblower Protection Lawson v. FMR The employees sued under Sarbanes-Oxley The statute: No [public] company... or any officer, employee, contractor, subcontractor, or agent of such company, may... [retaliate against a whistleblower employee]. 18 U.S.C. 1514A. The employers argued that the statute only applied to public companies, but the employees contended they were contractors of a public company because they provided services to the publicly-traded mutual funds 42

Whistleblower Complaint Do s and Don ts Preparing Develop and maintain a vigorous compliance program Effective internal compliance programs are most valuable prophylactic measures Culture of compliance Implement and Enforce a Whistleblower Policy How to report? How to handle/respond? Facilitate disclosures/make it safe to report Internal process to accepting, screening, and documenting complaints 43

Whistleblower Complaint Do s and Don ts Responding Promptly report allegations to General Counsel, Office of Compliance, or Senior Management Maintain appropriate levels of confidentiality Who needs to know? More importantly, who doesn t? Confidentiality helps defeat retaliation claims 44

Whistleblower Complaint Do s and Don ts Responding (cont d) Assess whether claims can or should be handled internally or whether outside counsel should be involved Are the allegations credible? Are the allegations serious? (true whistleblower scenario or tattling for violation of company policy?) Is immediate action warranted? Who is the accused? Internal or external? Consider whether there are any conflict of interest issues that might necessitate outside assistance Complaint relevant to financial reporting/audit committee? Investigate 45

Whistleblower Complaint Do s and Don ts Responding (cont d) Consult with counsel regarding the retention of evidence and issuance of a litigation hold Create a plan for the investigation What operations/divisions/groups are implemented? Who will be interviewed? Who will lead the investigation? Checks and balances What documents and other evidence will be looked at? What will the costs of the investigation be? Resolve the complaint Appropriate corrective actions Corrective Action Plan 46

Whistleblower Complaint Do s and Don ts Responding (cont d) Ensure that no retaliation against whistleblower Not just termination, but also transfer, demotion, slower career trajectory Protection even where allegation is wrong: reasonable belief standard What about disciplinary action? Allowed if complaint is made without justification and in bad faith, BUT very dicey Timing is everything... Wait before taking action Severance/release/confidentiality agreement: consult with counsel 47

Non-GAAP Financial Measures (EBBS Everything but the Bad Stuff)

Non-GAAP Financial Information SEC requirements for companies that want to use alternative, non-gaap measures, which measure financial performance, position or cash flow and: exclude amounts (or is subject to adjustments that have the effect of excluding amounts) that would otherwise be included if calculated according to GAAP; or include amounts (or is subject to adjustments that have the effect of including amounts) that are excluded from the comparable GAAP measure 49

Non-GAAP Financial Information (cont d) Companies required to: Provide a reconciliation of the differences between the non-gaap and the most comparable GAAP measure Provide explanation as to why management believes it provides useful information In SEC filings, always give at least equal prominence to GAAP measure Post earnings press releases on Form 8-K (See Reg. G and Reg. S-K, Item 10(e)) 50

Non-GAAP Financial Information (cont d) Some prohibitions in SEC filings: Can t exclude cash liabilities or charges from liquidity measures Can t exclude non-recurring or unusual items from performance measures if they are likely to recur Don t use confusingly similar GAAP titles Can t present non-gaap measures on face of historical or proforma financial statements 51

Assessment of Internal Control Over Financial Reporting

Assessment of Internal Control Sarbanes Section 404 requires: An issuer s annual report must contain a report from management on internal control structure and procedures for financial reporting The issuer s auditor must attest to management s assertion concerning its assessment Auditor s attestation may not be a separate engagement 53

Highlights of SEC Rules on Internal Control Management must evaluate effectiveness of internal control over financial reporting for each annual report Each annual report must include a statement of management s responsibility for adequate internal control and conclusions about its effectiveness Each annual report must include the auditor s attestation and report on management s evaluation 54

COSO 2013 Revised internal control framework 17 principles Points of focus Broader emphasis on the impact of technology Must disclose which framework you are using (1992 versus 2013) Effort of implementation has been diverse Generally, first year led to increased audit fees 55

Risk Assessment Model for assessing risk Identify risks of misstatement Which financial statement elements are susceptible to higher risk Assessing fraud risk Assessing risk environment More risk increased testing 56

Key Controls Definition Identifying key controls Identifying gaps Testing controls 57

Evaluation Process SEC says the company needs to: Document controls Perform actual tests of design and operation of controls (inquiry alone not sufficient) Document testing and results 58

Role of Auditors in Evaluation Auditors can help document (but not design) controls under management supervision (be careful here!) Auditors cannot do evaluation for management Auditors can give limited assistance during evaluation: point out areas to improve controls suggestions for improving testing of controls provide software templates to document controls or testing answer questions 59

What Happens If There Is a Material Weakness? Precludes a clean report by management Must be reported to Audit Committee (AC) Must report to auditor Disclose under Item 307 (disclosure controls) May be a violation of Foreign Corrupt Practices Act 60

Scoping Considerations for Smaller Companies Segregation of duties Lower materiality thresholds Management override Board engagement Information technology Increased management oversight 61

PCAOB Inspection Themes Continues to be most frequent comment area Concerns include: Identification and mapping of controls to the relevant risks of material misstatement Information Used in a Control Interfaces Application Systems Management Reviews 62

PCAOB Inspection Themes Documentation Expectations for documentation continue to increase If it wasn t documented, it wasn t performed. Comments are starting to appear to question documented auditor judgment Increased documentation leads to longer and more expensive audits Effect on trends of ICFR Opinions More adverse opinions are being issued Still an overall increase in restatements with a clean ICFR opinion 63

DOCUMENTATION AND DOCUMENT RETENTION

Internal Control/Documentation The SEC has stated that basic documentation is required for internal control to be effective As part of its evaluation of internal control, management must develop and maintain evidence to provide reasonable support for its work 65

Internal Control Evaluation This evidence should provide support: For the evaluation of whether the control is designed to prevent or detect material misstatements or omissions For the conclusion that the tests were appropriately planned and performed, and That the results of the tests were appropriately considered 66

PCAOB Standard The auditor must evaluate whether management s documentation includes the following: The design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements, including the five components of internal control over financial reporting Information about how significant transactions are initiated, recorded, processed and reported 67

PCAOB Standard (cont d) Enough information about the flow of transactions to identify where material misstatements due to error or fraud could occur Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties Controls over the period-end financial reporting process Controls over safeguarding of assets, and The results of management s testing and evaluation 68

PCAOB Standard (cont d) Documentation might take many forms of presentation and can include a variety of information, including: policy manuals process models flowcharts job descriptions documents and forms 69

Document Destruction Section 802 of Sarbanes also expands criminal liability for document destruction: Knowingly destroy Any records/documents With intent to impede Any investigation or case or in contemplation of a case 70

Document Destruction (cont d) Destruction, alteration, or falsification of records in Federal investigations and bankruptcy. Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both. 71

Enforcement Enhanced criminal penalties Longer statute of limitations for fraud Clawback of executive compensation in restatements Liability for false certifications 72

The Financial Reporting and Audit Task Force In July 2013, the SEC announced a new task force initiative to concentrate on expanding and strengthening the Division's efforts to identify securities-law violations relating to the preparation of financial statements, issuer reporting and disclosure, and audit failures. The principal goal will be fraud detection and increased prosecution of violations involving false or misleading financial statements and disclosures. The Task Force will focus on identifying and exploring areas susceptible to fraudulent financial reporting, including: on-going review of financial statement restatements and revisions, analysis of performance trends by industry, and use of technology-based tools such as the Accounting Quality Model. It will include Enforcement attorneys and accountants from across the country, working in close consultation with the Division's Office of the Chief Accountant, the SEC's Office of the Chief Accountant, the Division of Corporation Finance, and the Division of Economic and Risk Analysis. 73

Accounting Quality Model aka "RoboCop" Objective is to detect inappropriate earnings management. Use regression analysis to analyze financial statements. Compare financial measures across industry groups. Some focus factors: Discretionary accruals; Differences in tax vs. accrual; Net income versus cash flow from operations; Off-balance sheet arrangements; Certain phrases used in MD&A; Changes in auditor status. 74

Questions?

For more information, please contact: Robert F. Dow, Partner robert.dow@agg.com 404.873.8706 All rights reserved. This presentation is intended to provide general information on various regulatory and legal issues. It is NOT intended to serve as legal advice or counsel on any particular situation or circumstance.