On 30 July, US President George W Bush signed into law the Sarbanes-Oxley Act of 2002 (the Act). The Act presents an extraordinary expansion of US securities law regulation of corporate governance, disclosure, reporting and accounting requirements and penalties. It signals the most intense scrutiny of public companies, and effects the most dramatic changes in the US federal securities laws since the adoption of the Securities Exchange Act of 1934 (the Exchange Act).
This article highlights the provisions of the Act that are most likely to impact the accounting process of issuers, both domestic and foreign, that are required to file reports with the US Securities and Exchange Commission. There are several other provisions of the Act that are directed to non-accounting matters and are beyond the scope of this article. Unless otherwise noted, the effective date of these provisions was 30 July 2002.
The Act applies to any issuer, domestic or foreign, that:
• has securities, including American Depositary Receipts (ADRs), registered under s12 of the Exchange Act;
• is required to file reports under ss13(a) or 15(d) of the Exchange Act (including all foreign companies filing Form 20-F - the equivalent in the UK of the statutory report and accounts);
• or has filed a registration statement that has not yet become effective (under the Securities Act of 1933) and that has not been withdrawn.
(The Act does not apply to European companies that submit information to the SEC pursuant to Rule 12g3-2(b) under the Exchange Act or that have a Level I ADR programme.)Accounting Oversight Board
To address the perceived deficiencies in the regulation of the accounting profession, the Act creates a Public Company Accounting Oversight Board. By 26 April 2003, the SEC is required to determine that the Oversight Board has been appropriately organised and has the capacity to carry out the requirements of the Act.
Accounting firms (including non-US firms) that prepare audit reports for issuers will be required to register with the Oversight Board within 180 days of this determination and thereafter to submit annual reports to the Oversight Board. The Act requires the Oversight Board to approve or disapprove a completed application for registration within 45 days after its receipt.
In registering, accounting firms must consent to comply with any request of the Oversight Board or the SEC for testimony or production of documents. If a registered accounting firm relies on an opinion or material services of a non-US accounting firm in issuing all or part of an audit report or opinion contained in an audit report, the non-US public accounting firm will be deemed to have given these consents. The registered accounting firm that relies on the opinion of a non-US accounting firm will be deemed to have consented to supplying the audit workpapers of the non-US accounting firm in response to a request from the Oversight Board or the SEC. It will also be deemed to have secured the agreement of the non-US accounting firm to such production as a condition of its reliance on the opinion of that non-US accounting firm.
The Oversight Board's other functions include:
• establishing rules governing auditing, quality control, ethics, independence and other standards relating to the preparation of audit reports of issuers;
• conducting inspections of registered accounting firms (annually for firms that audit more than 100 issuers and at least once every three years for other firms); and
• conducting investigations and disciplinary proceedings (including imposing appropriate sanctions) concerning registered accounting firms and their associated persons.
The SEC has oversight authority over the Oversight Board and the standards adopted by it, and disciplinary sanctions proposed to be imposed by the Oversight Board must be approved by the SEC. Funding for the Oversight Board's operations will be provided by a fee assessment on issuers and application fees and annual fees assessed against registered accounting firms.Audit Committees and Audit and Non-Audit Services Audit committees
The Act does not require that a public company have an audit committee. Rather, the Act requires the SEC by 26 April 2003 to direct the US securities exchanges, such as the New York Stock Exchange, and national securities associations, such as the Nasdaq Stock Market, to prohibit the listing of securities of an issuer that does not have an audit committee meeting the requirements described below.
Each member of the audit committee must be unaffiliated with the issuer and its subsidiaries and no member of the audit committee may accept any compensation from the issuer other than for service as a director. The SEC is empowered to provide exemptions from this restriction on a case-by-case basis.
A non-US issuer is required to disclose in its annual report on Form 20-F whether or not its audit committee includes at least one member who is a 'financial expert' (and, if not, the reasons). Practically speaking, this will result in each issuer having such a financial expert to avoid making this negative disclosure. The SEC must define the term 'financial expert' by 26 January 2003. In defining 'financial expert', the SEC must consider whether a person has, through education and experience as a public accountant or auditor or as the principal financial officer, comptroller or principal accounting officer of a company:
• an understanding of generally accepted accounting principles (GAAP) and financial statements;
• experience in preparing or auditing financial statements of companies comparable to the issuer and in the application of GAAP to accounting for estimates, accruals and reserves;
• experience with internal accounting controls; and
• an understanding of audit committees functions.
The SEC may recognise as 'generally accepted' for purposes of the US securities laws any accounting principles established by a standard-setting body meeting identified requirements, following a determination by the SEC that the body is capable of improving the accuracy and effectiveness of financial reporting and the protection of investors under the US securities laws.
The audit committee is to be responsible for the appointment, compensation and oversight of the issuer's independent auditor, who is required to report directly to the audit committee.
Under the Act, audit committees are required to:
• pre-approve the provision of all audit and non-audit services by the independent auditor (subject to a de minimis exception) (the SEC must adopt final rules implementing this provision by 26 January 2003);
• consider reports from the independent auditor on (i) the issuer's critical accounting policies and practices, (ii) all alternative treatments of financial information permitted within GAAP that have been discussed with management, the ramifications of the use of such treatments and the treatment preferred by the auditor, and (iii) all other material written communications between the accountants and management (the SEC must adopt final rules implementing this provision by 26 January 2003);
• resolve disagreements between the independent auditor and management regarding the issuer's financial reporting; and
• become involved in analysing any deficiencies in internal controls and any management or employee fraud identified in the CEO/CFO certifications described below (the SEC adopted rules implementing this requirement with effect from 29 August 2002).
Issuers are required to provide appropriate funding, as the audit committee determines necessary, to compensate the independent auditor and its advisers.
The audit committee must establish procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters and for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters.Regulation of audit services
The Act prohibits an accounting firm from providing any audit service to an issuer if the CEO, controller, CFO or chief accounting officer of the issuer was employed by that accounting firm and participated in any capacity in the audit of that issuer during the year preceding the date of the initiation of the audit. The lead audit partner responsible for the audit of an issuer and the audit partner responsible for reviewing the audit must rotate off the assignment if the partner has performed audit services for that issuer in each of the issuer's last five fiscal years. The SEC must adopt final rules implementing these provisions by 26 January 2003.Restrictions on non-audit services
The Act restricts any accounting firm that provides auditing services for an issuer from also providing non-audit services to that issuer. The Act absolutely prohibits accounting firms from providing:
• bookkeeping or other services related to the accounting records or financial statements of the issuer;
• financial information systems design and implementation;
• appraisal or valuation services, fairness opinions, or contribution-in-kind reports;
• actuarial services;
• internal audit outsourcing services;
• management functions or human resources;
• broker or dealer, investment adviser, or investment banking services;
• legal services and expert services unrelated to the audit; and
• any other service that the Oversight Board determines, by regulation, is impermissible.
These provisions are effective as of 180 days following commencement of the Oversight Board's operations, as discussed above. The SEC is empowered, on a case-by-case basis, to grant exemptions from these restrictions.
Other non-audit services, such as tax services, may only be provided to an issuer if approved in advance by the issuer's audit committee. Such approvals must be publicly disclosed in the issuer's periodic reports under the Exchange Act. Non-audit services do not need prior approval if the amount paid for such services meets a de minimus standard, the services were not recognised at the time of engagement to be non-audit services and the provision of the services was promptly brought to the attention of the audit committee and was approved prior to the completion of the audit.Directors and Executive Officers CEO/CFO Certifications
The Act contains two CEO/CFO certification requirements. The first requires the CEO and CFO to certify that, among other things, the Form 20-F is materially accurate and complete, the financial statements and other financial information included in the report present in all material respects the financial condition and results of operations of the company, and the existence and adequacy of the issuer's internal controls. The SEC adopted rules implementing this requirement with effect from 29 August 2002.
The second certification requirement subjects the CEO and CFO to potential criminal liability and requires them to certify that:
• the Form 20-F complies with the applicable reporting requirements of the Exchange Act; and
• the information contained in the report fairly presents, in all material respects, the financial conditions and results of operations of the issuer.Forfeiture of bonuses and profits
If an issuer is required to prepare an accounting restatement due to material non-compliance by the issuer, as a result of misconduct, with any financial reporting requirement under US securities laws, the CEO and CFO are required to reimburse the issuer for:
• any bonus or other incentive-based or equity-based compensation he or she received from the issuer during the 12-month period following the first public issuance or filing with the SEC of the financial document that did not comply with such financial reporting requirement; and
• any profits he or she realised from the sale of securities of the issuer during that same 12-month period.
The Act does not define or describe what is meant by 'misconduct' and the Act does not require that the misconduct be engaged in by the CEO or the CFO.Prohibition of improper influence on audits
The Act provides that no director or officer of an issuer, directly or indirectly, may fraudulently influence, coerce, manipulate or mislead any independent auditor for the purpose of rendering the issuer's financial statements materially misleading. The SEC is required to issue final rules implementing this prohibition by 26 April 2003.Expanded company disclosures Accuracy of financial reports
Each issuer's financial report filed with the SEC containing financial statements that are required to be prepared in accordance with, or reconciled to, GAAP must reflect all 'material correcting adjustments' that have been identified by the issuer's independent auditor in accordance with GAAP and SEC rules.Use of pro forma financial information
Pro forma financial information must be presented in a manner that does not contain an untrue statement of a material fact or omit to state a material fact necessary to render the information not misleading. The presentation must include a reconciliation of the pro forma disclosure to the issuer's financial condition and results of operations as prepared in accordance with GAAP. The new rules will apply to all pro forma information regardless of whether the information is contained in an SEC filing, in any press release or in some other public disclosure. The SEC is required to issue final rules implementing this requirement by 26 January 2003.Off balance sheet transactions
Each issuer must disclose in its annual report on Form 20-F all material off balance sheet transactions, arrangements, obligations (including contingent obligations), and other relationships with unconsolidated entities or persons that may have a material current or future effect on the issuer's financial condition, results of operations, liquidity, capital expenditures, capital resources, or significant components of revenues or expenses. The SEC is required to issue final rules implementing this requirement by 26 January 2003.Internal controls
An issuer's annual report on Form 20-F must contain an 'internal control report' stating that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and assessing the effectiveness of the internal control structure and procedures for financial reporting.
The issuer's independent auditor is required to attest to, and report on, management's assessment. This attestation will be deemed part of the audit engagement and is to be made in accordance with standards for attestation to be adopted by the Oversight Board. Accordingly, independent auditors will be subject to compulsory attestation of disclosures made in portions of an issuer's annual report on Form 20-F falling outside the financial statements. While the SEC is required to adopt rules implementing this requirement, Congress did not impose a deadline on the SEC.Increased enforcement and penalties Criminalisation of misconduct
The Act imposes criminal penalties for the following misconduct (some of which was already subject to criminal provisions of US federal securities and other laws), making it punishable by lengthy terms of imprisonment and, in some cases, substantial fines: knowingly or wilfully filing a false CEO/CFO certification under s906 of the Act; knowingly and wilfully destroying any audit workpapers; destroying, altering or falsifying records with the intent to impede, obstruct or influence any governmental investigation or the administration of any governmental function or any bankruptcy proceeding; and knowingly executing or attempting to execute a scheme or artifice to defraud any person in connection with any security of a public company or obtaining by means of false or fraudulent pretences, representations or promises, any money or property in connection with the purchase or sale of any security of a public company.Increased penalties and other remedies
The Act establishes new fines and criminal penalties for securities fraud violations involving accounting irregularities and financial fraud, including sanctions applicable to directors, officers and professionals that have committed, conspired with or 'aided and abetted' the commission of violations. Liabilities for judgments or settlements for violating US securities laws or committing securities fraud will be nondischargeable in bankruptcy.Statute of limitations
The Act extends the applicable statute of limitations for securities fraud to the earlier of: two years (from the existing one-year period) after discovery of the facts constituting the violation; and five years (from the existing three-year period) after such violation.
This extension may resurrect securities fraud cases that were previously cut off by the old statute of limitations but are now within the new statute of limitations.Required studies
The Act requires the SEC and other US government agencies to conduct studies of various financial and accounting-related issues and to report the results and make recommendations to the US Congress and/or the SEC for further legislation or rulemaking. These issues include: the adoption of a principles-based accounting system; mandatory rotation of registered accounting firms; the use of off balance sheet transactions and special purpose entities; the consolidation of public accounting firms and impact of such consolidation on capital formation and US and international securities markets, the problems faced by business organisations resulting from limited competition among accounting firms and the extent to which US federal or state regulations impede competition among accounting firms; and the areas of reporting that are most susceptible to fraud, inappropriate manipulation or inappropriate earnings management.Conclusion
The Act has already changed the operation of public companies, the procedures that they use in preparing reports filed with the SEC and the relationships between issuers and their accountants. The specific and extensive rulemaking required by the Act and additional legislation and rulemaking flowing from the numerous studies required by the Act will undoubtedly lead to further such changes in the next several months.
The text of the Act can be downloaded from http://financialservices.house.gov/media/pdf/H3763CR_HSE.PDF
Michael L Hermsen and Philip J Niehoff are partners in the Chicago office, and Mark R Uhrynuk is a partner in the London office, of Mayer, Brown, Rowe & Maw.