sox report
7/30/2019 SOX report
InterAlliance Group Services
www.interalliancegroup.com
Sarbanes-Oxley (SOX) Act
An effective step towards Corporate Governance
A report on the Sarbanes-Oxley Act and its impact on Indian Outsourcing Industry
Research by:
Palak Sharma & Rohit Adlakha - Law Students Panjab University, Chandigarh, INDIA,
under the guidance of Nitin Kumar, Sr. Consultant, InterAlliance Group Services
Apr 2011
Issue 43
SOX Act came into force in 2002 with an aim to protect investors and to introduce
improvements in Corporate Governance.
SARBANES-OXLEY ACT
The legislation came into force in 2002 as a step to put a curb on fraudulent events
and introduced stringent new rules with the stated objective: "to protect investors by
improving the accuracy and reliability of corporate disclosures made pursuant to the
securities laws".
Sarbanes-Oxley introduced major changes to the regulation of financial practice and
corporate governance in the US. Named after Senator Paul Sarbanes and
Representative Michael Oxley, who were its main architects, it also sets a number of
deadlines for compliance. The Sarbanes-Oxley Act is arranged into eleven titles. As
far as compliance is concerned, the most important sections within these are often
considered to be 302, 401, 404, 409, 802 and 906.
The Sarbanes-Oxley Act introduced a number of deadlines, the prime ones being:
- Most public companies must meet the financial reporting and certification
  mandates for any end of year financial statements filed after November 15th
  2004 (amended from June 15th).
- Smaller companies and foreign companies must meet these mandates for any
  statements filed after 15th July 2005 (amended from April 15th).
The Sarbanes-Oxley Act was enacted with the intention of regaining the confidence of
the public with respect to corporate financial statements. Prior to the enactment of this
Act, investors suffered losses due to corporate failures brought about by the wrongful
conduct of the public officials. This Act was specifically introduced to address
the issues of accounting fraud, with the objective of accuracy and reliability of
corporate disclosures. The Act was a direct consequence of the public's disgust with
a series of financial scandals that led to the abrupt failure of large firms in the US. Some
companies which had not been in the limelight were engaged in massive
accounting frauds, to such an extent that they counteracted the antifraud and
mandatory disclosure provisions of federal securities laws. The blame for these incidents
was directed at the accounting profession, auditors etc.
The record revealed that the revenues that auditors generated from consulting
services from the firms they were auditing exceeded those generated from
conducting the audit. This immediately raised the question regarding the loss of
independence on the part of the auditors. In this chaotic environment, SOX was
engendered. It was conceived in controversy and has remained combative.
Proponents of SOX believe that it was necessary to restore public faith in published
financial statements by assuring that accounting records were accurate and could be
relied upon. There was a growing perception among the investing public that most
of the scandals could have been prevented had there been a governmental agency
responsible for monitoring and preventing such accounting irregularities.
Opponents argued that SOX would be prejudicial to the economy; that the burden would
fall too heavily on smaller public firms; that the costs of implementing SOX with all its
requirements would far exceed the benefits gained. The fact that there was a spike in the
number of public companies that were privately sold, that relocated outside the US and
relisted themselves on foreign exchanges lends some credence to the opposing view.
The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in
response to the high-profile Enron and WorldCom financial scandals to protect
shareholders and the general public from accounting errors and fraudulent practices in
the enterprise. The act is administered by the Securities and Exchange Commission (SEC),
which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley
is not a set of business practices and does not specify how a business should store
records; rather, it defines which records are to be stored and for how long. The
legislation not only affects the financial side of corporations, it also affects the IT
departments whose job it is to store a corporation's electronic records. The
Sarbanes-Oxley Act states that all business records, including electronic records and
electronic messages, must be saved for "not less than five years." The consequences for
non-compliance are fines, imprisonment, or both.
Basic Objective of US Securities Act 1933
Often referred to as the "truth in securities" law, the Securities Act of 1933 has two
basic objectives:
- require that investors receive financial and other significant information
  concerning securities being offered for public sale; and
- prohibit deceit, misrepresentations, and other fraud in the sale of securities.
A primary means of accomplishing these goals is the disclosure of important
financial information through the registration of securities. This information enables
investors, not the government, to make informed judgments about whether to
purchase a company's securities. While the SEC requires that the information
provided be accurate, it does not guarantee it. Investors who purchase securities
and suffer losses have important recovery rights if they can prove that there was
incomplete or inaccurate disclosure of important information.
SARBANES-OXLEY ACT & INDIA
The legislation came into force in 2002 as a step to put a curb on fraudulent events.
SOX, which is applicable to all publicly registered companies under the jurisdiction
of the Securities and Exchange Commission, is a far-reaching legislation, effecting
significant changes to laws concerning directors and reporting obligations of public
companies and mandating new regulations to prevent securities fraud and other
abuses. The US SOX Act came into force on account of the collapse of corporate
giants like Enron, WorldCom, Tyco, Qwest, Global Crossing and the Xerox fiasco.
The reasons for the collapse were the failure on the part of the auditors and willful
neglect of duties by the board of directors. The thrust of corporate India has also
been to prevent malpractices and restore the confidence of the investors. This Act
looks at the implications that usually arise in India in case of Companies, Audit
Profession and the BPO Industry.
Some of the key sections of SOX related to Audit and Financial Reporting are the
following:
Sections 101-109 of the Act have established a new body, the Public Company Accounting
Oversight Board (PCAOB), to oversee the auditing of public companies. All
accounting firms that audit the financial statements of The Securities Exchange Act of
1934 (1934 Act) Reporting Issuers (Issuers of Securities who are mandated to report
under the 1934 Act) must register with and provide periodic reports to the Board.
Registered accounting firms are subject to Board-adopted audit, quality control and
ethics standards, periodic inspections and possible disciplinary proceedings. Section
106 of the Act specifically provides that it will apply to any foreign public accounting
firm (Indian Audit Firm) that prepares or furnishes an audit report with respect to any
1934 Act Reporting Issuer. The Board is also given the authority to determine, by
rule, that a foreign accounting firm that does not issue an audit report for a 1934 Act
Reporting Issuer may nonetheless play such a substantial role in an audit that it is
appropriate that such firm should be subject to the Board's authority.
Section 302 (Corporate Responsibility for Financial Reports) directs the Securities and
Exchange Commission to adopt rules requiring the principal executive officer and the
principal financial officer (or equivalent) of 1934 Act Reporting Issuers to provide
certifications in each annual and quarterly report filed or submitted under the
1934 Act. The certification relates to the content of the report, internal controls of
the issuer and disclosure to the audit committee.
Section 404 - As directed by Section 404 of the Sarbanes-Oxley Act of 2002, the
Securities and Exchange Commission (SEC) adopted rules regarding internal controls
at public companies in May 2003. Section 404 also requires that a company's
independent auditors attest to and report on management's controls assessments,
following standards established by the PCAOB.
US SEC rules
Under the SEC rules, management's annual internal-control report must contain:
- A statement of management's responsibility for establishing and maintaining
  adequate internal control over financial reporting for the company.
- A statement identifying management's framework for evaluating the effectiveness
  of internal controls.
- Management's assessment of the effectiveness of internal controls as of the end
  of the company's most recent fiscal year.
- A statement that the company's auditor has issued an attestation report on
  management's assessment.
Internal controls, according to the new rule, include
assurances of accurate records maintenance, as well as financial reporting that
complies with generally accepted accounting principles. The rule also stipulates that
managers and directors sign off on receipts and payouts, and that publicly traded
companies maintain adequate systems to prevent or detect unauthorized material
transactions. Management must disclose any material weakness in a company's
internal-controls structure. If material weaknesses exist, senior executives will be
unable to conclude that the company's internal control over financial reporting is
effective, according to the Securities and Exchange Commission.
SOX and Indian BPO Industry
India has seen huge growth in Finance, Accounting, Payroll, Accounts Payable
and other financial processes moving to India from US business houses. It is
imperative that Indian BPO companies have a strong framework of Internal Controls
and are transparent to their clients. Well-defined processes, proper documentation
etc. will be of paramount importance in view of the Sarbanes-Oxley Act, 2002.
Service organisations receive significant value from having a Statement on Auditing
Standards (SAS) No. 70 engagement performed.
A Service Auditor's Report with an unqualified opinion that is issued by an
Independent Accounting Firm differentiates the service organisation from its peers by
demonstrating the establishment of effectively designed control objectives and
control activities. Without a current Service Auditor's Report, a service organisation
may have to entertain multiple audit requests from its customers and their respective
auditors. Multiple visits from user auditors can place a strain on the service
organisation's resources. A Service Auditor's Report ensures that all user
organisations and their auditors have access to the same information, and in many
cases this will satisfy the user auditor's requirements. SAS 70 engagements are
generally performed by control-oriented professionals who have experience in
accounting, auditing, and information security.
A Statement on Auditing Standards (SAS) 70 engagement allows a service organisation to
have its control policies and procedures evaluated and tested (in the case of a Type II
engagement) by an independent party. Very often this process results in the
identification of opportunities for improvements in many operational areas.
Factors to be considered by management when a service organisation outsources certain functions to another service organisation:
In what is becoming a popular business model for BPOs in India, an interesting
situation could come up when a US corporate uses a service organisation (Indian
Company) that in turn uses another service organisation (a sub service organisation)
to perform the work. In such a scenario the Management of the User organisation
needs to consider controls at the sub service organisation.
In addition to that, the following also need to be considered:
- The nature and materiality of the transactions processed by the sub service
  organisation
- The contribution of the sub service organisation's processes in the achievement
  of the user organisation's information processing objectives
- The availability of a sub service organisation's SAS 70 report
Because a user organisation typically does not have any contractual
relationship with the sub service organisation, a user organisation should
obtain available reports and information about the sub service organisation
from the service organisation.
SAS OVERVIEW
Statement on Auditing Standards (SAS) No. 70, for Service Organisations, is an auditing
standard developed by the American Institute of Certified Public Accountants (AICPA).
A SAS 70 audit or service auditor's examination is widely recognised, because it
represents that a service organisation has been through an in-depth audit of their
control activities, which generally include controls over information technology and
related processes. In today's global economy, service organisations or service providers
must demonstrate that they have adequate controls and safeguards when they host or
process data belonging to their customers. In addition, the requirements of Section 404
of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the
process of reporting on effective internal controls at service organisations.
SAS No. 70 is the authoritative guidance that allows service organisations to disclose
their control activities and processes to their customers and their customers' auditors
in a uniform reporting format. A SAS 70 examination signifies that a service
organisation has had its control objectives and control activities examined by an
independent accounting and auditing firm. A formal report including the auditor's
opinion (Service Auditor's Report) is issued to the service organisation at the
conclusion of a SAS 70 examination. SAS 70 provides guidance to enable an independent
auditor (service auditor) to issue an opinion on a service organisation's description of
controls through a Service Auditor's Report.
SAS 70 is not a pre-determined set of control objectives or control activities that
service organisations must achieve. Service auditors are required to follow the AICPA's
standards for fieldwork, quality control, and reporting. A SAS 70 examination is not a
checklist audit. SAS No. 70 is generally applicable when an auditor (user auditor) is
auditing the financial statements of an entity (user organisation) that obtains services
from another organisation (service organisation). Service organisations that provide
such services could be application service providers, bank trust departments, claims
processing centers, Internet data centers, or other data processing service bureaus.
SOX and Indian Audit Firms
Assignments to conduct a SAS 70 certification can prove to be a new area of work.
Management of US companies could rely on SAS 70 certification by non-US audit
firms as long as the reports are issued under other standards that follow the criteria
of SAS 70. Management would also need to evaluate the competency and
qualifications of the auditor performing the examination. The Indian Audit profession
is widely appreciated around the world for its high standards. Managements of US
companies should not have any issues with accepting SAS 70 certifications by Indian
Audit firms.