Wiley.com

Sarbanes-Oxley For Dummies, 2nd Edition

ISBN: 978-0-470-22313-0
Paperback
384 pages
February 2008
List Price: US $21.99
Government Price: US $14.27
This is a Print-on-Demand title. It will be printed specifically to fill your order. Please allow an additional 10-15 days delivery time. The book is not returnable.

Introduction 1

Part I: The Scene Before and After SOX 7

Chapter 1: The SOX Saga 9

Chapter 2: SOX in Sixty Seconds 27

Chapter 3: SOX and Securities Regulations 43

Chapter 4: SOX and Factual Financial Statements 67

Chapter 5: What’s New for Non-Accelerated Filers 83

Part II: SOX in the City: Meeting New Standards 89

Chapter 6: A New Audit Ambience 91

Chapter 7: A Board to Audit the Auditors 105

Chapter 8: The Almighty Audit Committee 119

Chapter 9: Building Boards That Can’t Be Bought 131

Chapter 10: SOX: Under New Management 143

Chapter 11: More Management Mandates 159

Part III: Scaling Down Section 404 169

Chapter 12: Clearing Up Confusion about Control 171

Chapter 13: Surviving a Section 404 Audit 183

Chapter 14: Taking the Terror Out of Testing 191

Part IV: SOX for Techies 207

Chapter 15: Getting Technical with SOX 209

Chapter 16: Surveying SOX Software 219

Chapter 17: Working with Some Actual SOX Software 233

Part V: To SOX-finity and Beyond 249

Chapter 18: Lawsuits under SOX 251

Chapter 19: The Surprising Scope of SOX 267

Part VI: The Part of Tens 273

Chapter 20: Ten Ways to Avoid Getting Sued or Criminally Prosecuted Under SOX 275

Chapter 21: Ten Tips for an Effective Audit Committee 281

Chapter 22: Ten Smart Management Moves 289

Chapter 23: Ten Things You Can’t Ask an Auditor to Do After SOX 295

Chapter 24: Top Ten Places to Get Smart about SOX 301

Part VII: Appendixes 307

Appendix A: Selected Sections, Auditing Standard No. 5 309

Appendix B: Sample Certifications 313

Appendix C: Sample Audit Committee Charter 319

Appendix D: Sample Code of Ethics 329

Appendix E: Sample SAS 70 Report 337

Index 339

Table of Contents

Introduction 1

About This Book 1

Conventions Used in This Book 2

What You’re Not to Read 2

Foolish Assumptions 3

How This Book Is Organized 3

Part I: The Scene Before and After SOX 4

Part II: SOX in the City: Meeting New Standards 4

Part III: Scaling Down Section 404 4

Part IV: SOX for Techies 4

Part V: To SOX-finity and Beyond 4

Part VI: The Part of Tens 5

Part VII: Appendixes 5

Icons Used in This Book 5

Where to Go from Here 6

Feedback, Please 6

Part I: The Scene Before and After SOX 7

Chapter 1: The SOX Saga 9

Plowing Through the Politics of SOX 10

Taking advantage of a loophole 10

Not everyone’s a SOX fan 11

New ammunition for aggrieved investors 13

Corporate America after SOX 13

Combating Corruption under SOX: Everyone Has a Role 14

Assisting with internal control: The independent audit board 14

Testing the accounting data: Auditors 15

Using the new noisy liability: Lawyers 16

Certifying financial reports: CEOs and CFOs 17

Staying clean voluntarily: Small businesses and nonprofits 17

Adhering to procedures: The rank-and-file employees 18

Overseeing corporate policy: New high-paid governance gurus 18

A Summary of SOX: Taking It One Title at a Time 18

Title I: Aiming at the audit profession 18

Title II: Ensuring auditor independence 20

Title III: Requiring corporate accountability 20

Title IV: Establishing financial disclosures, loans, and ethics codes 21

Title V: Protecting analyst integrity 22

Title VI: Doling out more money and authority 22

Title VII: Supporting studies and reports 22

Title VIII: Addressing criminal fraud and whistleblower provisions 23

Title IX: Setting penalties for white-collar crime 23

Title X: Signing corporate tax returns 24

Title XI: Enforcing payment freezes, blacklists, and prison terms 24

Some Things SOX Doesn’t Say: SOX Myths 24

Myth #1: SOX put Jeff Skilling (and other Enron execs) in jail 24

Myth #2: Auditors can’t provide tax services 25

Myth #3: Internal control means data security 25

Myth #4: The company isn’t responsible for functions it outsources 26

Myth #5: My company met the deadline for Section 404 first-year compliance. We’re home free! 26

Chapter 2: SOX in Sixty Seconds 27

Reestablishing Control after the Scandals 28

Enron events everyone initially overlooked 28

More tales from the corporate tabloids 32

Four Squeaky Clean SOX Objectives 33

How SOX Protects the Investing Public 35

Creating a Public Company Accounting Oversight Board 35

Clamping down on auditors 36

Rotating auditors 37

Creating committees inside companies 37

Holding management accountable 38

Taking back bogus bonuses 38

Banning blackouts 38

Ratcheting up reporting 39

Purging company conflicts of interest 39

Exercising internal control 40

Looking at lawyers 40

Waiting seven years to shred 41

Putting bad management behind bars 41

Freezing bonuses 41

Blackballing officers and directors 41

Providing whistle-blower protection 42

Rapid Rulemaking Regrets 42

Chapter 3: SOX and Securities Regulations 43

Pre-SOX Securities Laws 44

The Securities Act of 1933: Arming investors with information 45

The Securities Exchange Act of 1934: Establishing the SEC 46

Other securities laws 49

The Scope of SOX: Securities and Issuers 49

What is a “security”? 50

Who is an “issuer”? 51

The SOX surprise 52

The Post-SOX Paper Trail 54

Form 10-K 55

Form 10-Q 55

Form 8-K 56

Behind the 8-K Ball after SOX 56

Adding new events to the list 56

Shuffling events from the 10-K and 10-Q 57

Creating four-day reporting events 58

Providing protection in the safe SOX harbor 58

Annual SEC Scrutiny after SOX 59

Mandatory review rule 59

Remedies for inaccurate registration materials 60

Why Privately Held Companies Care about SOX 60

Bolstering the bottom line 60

Defending company practices in court 62

Going public after SOX 62

Chapter 4: SOX and Factual Financial Statements 67

Auditing the Auditors: 2007 Guidance from the SEC 68

SOX’s Recipe for Seeking Out Cooked Books 69

Reviewing what the income statement reveals 70

Examining balance sheet (and off-balance sheet) transactions 72

Looking for funky footnotes 73

Complying with GAAP and GAAS 73

Finding Financial Information 75

The free stuff 75

The fee-based stuff 76

Accessing Annual Reports 77

The glossy pictures and the real figures 77

Management’s Discussion and Analysis 79

Surfing SEC Filings 79

10-K reports 79

Other useful forms on EDGAR 80

Chapter 5: What’s New for Non-Accelerated Filers 83

A SOX Update for Small Companies 83

No relief for non-accelerated filers 84

Looking at what the rules require 84

Getting the Auditor’s Opinion 85

A kinder, gentler audit 85

Touting a top-down approach 86

Tips for adopting a new “audit-tude” 86

Part II: SOX in the City: Meeting New Standards 89

Chapter 6: A New Audit Ambience 91

How SOX Rocks the Accounting Profession 91

An Example of Audit Failure: Arthur Andersen 92

Chronology of a collapse 92

A vindicating verdict years later 93

Bridging the GAAP 94

SOX as a Substitute for Self-Regulation 94

Shifting the role of the AICPA 95

Whose turn is it to watch the CPA? 97

Is There an Independent Auditor in the House? 97

The importance of audit independence 98

Every auditor’s dilemma 99

What SOX Says to CPAs 99

Give the whole team a cooling-off period 100

Prohibit services that cause conflicts 100

Get prior permission for potential conflicts 101

Everybody change partners! 102

Wait seven years to shred 102

Recognize when auditors are “impaired” 102

Section 404: The Sin Eater Provision 102

CEOs and CFOs signing off 103

CPAs certifying the certifications 103

Chapter 7: A Board to Audit the Auditors 105

Taking a New Approach to Audit Oversight 106

The old ad hoc system of accounting oversight 106

Alphabet soup of accounting regulation 107

Primary Purposes of the PCAOB 108

Goals of the PCAOB 108

The seven statutory duties of the PCAOB 109

Some Practical PCAOB Matters 109

Who’s on the board? 110

Who pays for the PCAOB? 110

PCAOB Rules: Old Meets New 110

Sticking to the ol’ standby rules 111

Adjusting to some new rules 111

Evolving PCAOB Policies and Issues 113

Sanctioning sloppy auditors 113

Keeping an eye on small CPA firms 113

Extending authority internationally 114

Communicating with the SEC 114

When the PCAOB Doesn’t Perform 114

Struggling for Standards 115

Adapting to Auditing Standard No. 2 115

Implementing Auditing Standard No. 5 116

Chapter 8: The Almighty Audit Committee 119

Deliver or Delist: Rules of the Stock Exchanges 119

From the Audit Committee Annals 121

Mr. Leavitt’s Blue Ribbon panel 121

Enron impetus 121

The quest for consistent committee rules 121

Starting with a Charter 122

The Audit Committee Interface 122

Some Stricter NYSE Rules 123

Membership Requirements 124

A few independent members 124

Figure in a financial expert 125

Day-to-Day Committee Responsibilities 125

Monitoring events and policing policies 126

Interfacing with the auditors 126

Preapproving nonaudit services 127

Handling complaints 128

Receiving CEO and CFO certifications 128

Monitoring conflicts and cooling-off periods 129

Ferreting out improper influence 129

Rotating the audit partners 129

Engaging advisors 130

Providing recognition in annual reports 130

Chapter 9: Building Boards That Can’t Be Bought 131

Some Background about Boards 132

What does a director do? 132

Looking at some bad, bad boards 133

In Search of Independent Directors 134

No relationships with related companies 135

Three-year look-back period 136

Prohibited payments 136

Family ties 136

Mandatory meetings 137

Forming Committees for Nominating Directors 137

NYSE nominating procedures 138

NASDAQ nominating rules 138

Regulating Director Compensation 138

Making governance guidelines public 139

Evaluating the board’s performance 139

Some Exempt Boards... For the Moment 140

Nonpublic companies 140

Nonprofit corporations 141

Other exempt companies 141

Chapter 10: SOX: Under New Management 143

Chiefly Responsible: CEOs and CFOs 143

CEO: The chief in charge 144

CFO: The financial fact finder 144

Three SOX sections for the chiefs 145

A Section 302 Certification Checklist 146

Paragraph 1: Review of periodic report 147

Paragraph 2: Material accuracy 147

Paragraph 3: Fair presentation of financial information 147

Paragraph 4: Disclosure controls and procedures 148

Paragraph 5: Disclosure to auditors 148

Paragraph 6: Changes in internal controls 149

Clearing Up Common Section 302 Questions 149

What companies are required to file certifications under Section 302? 150

Which reports get certified? 150

Viewing Control as a Criminal Matter: Section 906 151

More Reporting Responsibilities for Management and Auditors: Section 404 153

What management has to do under Section 404 153

What the auditors need from management 153

Taking Internal Control Seriously 154

Considering the auditor’s perspective 154

What the SEC says 154

Management standards criteria for controls 155

Seeking Out Subcertifications 155

Some Good Advice for CEOs and CFOs 156

Establish a disclosure committee 157

Take an inventory 157

Woo the whistle-blowers 157

Chapter 11: More Management Mandates 159

Codifying the Corporate Conscience 159

Explaining the code 160

Establishing worthwhile objectives 160

Realizing one code doesn’t fit all companies 160

Disclosing amendments and waivers 161

Expecting ethics on the exchanges 161

A checklist of code contents 161

New Rules for Stock Selling and Telling 162

Faster disclosure 163

More disclosure 163

Prohibiting Personal Loans 164

Banning Blackout Trading 164

Avoiding media images of stricken retirees 165

Making some necessary exceptions 165

Making Managers Pay Personally 165

The freeze factor 166

The danger of disgorgement 166

Stopping Audit Interference 167

Identifying audit interlopers 167

Suing audit interlopers 168

Part III: Scaling Down Section 404 169

Chapter 12: Clearing Up Confusion about Control 171

The Nuts and Bolts of Section 404 171

What Section 404 says 172

What Section 404 really does 172

SEC rules under Section 404 173

PCAOB participation in the Section 404 process 173

When Do Companies Have to Comply with Section 404? 174

Section 302 “Internal Control” versus Section 404 “Internal Control” 175

Defining “disclosure controls and procedures” under Section 302 175

Interpreting “internal control over financial reporting” under Section 404 177

Controlling the Cost of Compliance 179

Cost-cutting measures by the PCAOB 179

Section 404 sticker shock 181

Decreasing costs in year two 181

Chapter 13: Surviving a Section 404 Audit 183

Dividing Responsibilities in a Section 404 Audit 183

Management’s role 184

The independent auditor’s role 184

What Is (and Is Not) Related to the Audit 185

Complying with Auditing Standard No. 5 186

Integrating the audits 186

Planning the audits 187

Scaling the audits 187

Assessing the risk 188

Cutting costs by relying on the work of others 188

Using a top-down approach 189

Flunking a Section 404 Audit 189

How to fail a Section 404 audit 189

What to do if your company flunks 190

Chapter 14: Taking the Terror Out of Testing 191

The Price of the Project 191

The six most common Section 404 project costs 192

Meeting massive manpower requirements 192

The social challenges of Section 404 194

Hail to the Documenters 194

The right documentation skills 194

Getting the documentation down 195

Time tracking 195

Scoping out savings 196

Taking an inventory of your company processes 197

Organizing the documentation: Why form is equal to substance 200

Caveats about Controls 201

Key controls 202

Some common key controls 202

Ogling the Outside Vendors: SAS 70 Reports 203

Evaluating Control with the COSO Framework 204

How COSO breaks down companies’ controls 204

COSO guidance for your company 205

A Bit about COBIT 205

Part IV: SOX for Techies 207

Chapter 15: Getting Technical with SOX 209

Some Specific SOX Sections That Talk to Techies 210

Ramping up document retention policies 210

Disclosing critical events in real time 211

IT and the dreaded SOX Section 404 213

Getting a SOX-ified System in Place When...

...Your company is starting from scratch 214

...Your company is already halfway there 214

...Your company has a larger budget 214

Evaluating Your Systems after SOX 215

Organizing company data 215

Getting into the GAAP 216

Preventing Control Problems before They Happen 216

Spelling out security 216

Logging it all in 217

Falling Back on COBIT 217

Chapter 16: Surveying SOX Software 219

Some SOX Software Trends 219

Identifying the Types of Software on the Market 221

Shopping for SOX Software 223

SOX Meets Cousin IT 224

Collecting scattered company data 225

Evaluating your company’s existing IT systems 225

The COSO Standards for Software 228

Complying with COBIT 231

Chapter 17: Working with Some Actual SOX Software 233

Doing Your Research before a Software Installation 233

Tracking the flow of information in your company 234

Following the trial balance trail 236

Getting to Know SarbOxPro 236

The SarbOxPro checklist 238

The SarbOxPro data tree 239

SarbOxPro stages 239

Opting for Other Types of Software Solutions 245

Part V: To SOX-finity and Beyond 249

Chapter 18: Lawsuits under SOX 251

The Smoking Gun: Knowledge 251

The First Big SOX Trial: Richard Scrushy 252

The squishy Scrushy facts 253

The prosecutors’ post-game recap 254

The Scrushy epilogue: Civil suits, a tax refund, and a new trial 255

Another Test of the “Ignorance” Defense: Kenneth Lay 255

Timing Is Everything: Andersen, Ernst, and KPMG Litigation Outcomes 257

Arthur Andersen’s victory: Three years too late 258

An Ernst error 259

Kid gloves for KPMG? 260

The Gemstar Case: Interpreting Section 1103 261

Suing under SOX Section 304 261

Suing under Section 806: The Whistle-Blower Provision 262

Blowing the whistle before and after SOX 262

What happens when the whistle blows? 263

Tips for defending against whistle-blower suits 265

Chapter 19: The Surprising Scope of SOX 267

Outsourcing under SOX 267

Summarizing SAS 70 268

Sidestepping SAS 70 269

Extending SOX Principles to Not-for-Profits 269

SOX and Foreign Companies 271

Part VI: The Part of Tens 273

Chapter 20: Ten Ways to Avoid Getting Sued or Criminally Prosecuted Under SOX 275

Maintain an Active and Visible Audit Committee 275

Communicate about How to Communicate 276

Combat Policy Paranoia and Section 404 Audit-Chondria 276

Keep Bonuses within Bounds 277

Separate the Whistle-Blowers from the Whiners 277

Invest in IT Tools and Tricks 277

Do Something with All That Data 278

Disclose Triggering Events on Time 278

Document What’s Delegated 278

Focus on Product and Service Delivery 279

Chapter 21: Ten Tips for an Effective Audit Committee 281

Pick the Right Number of Members 281

Set Up Subcommittees 282

Find a Financial Expert 283

Create Questionnaires 284

Adopt a Smart Charter 284

Keep Track of Complaints 285

Communicate Liberally 285

Report Annually 286

Identify Conflicts…and Nonconflicts 286

Give Notice When Needed 286

Chapter 22: Ten Smart Management Moves 289

Form a Disclosure Committee 289

Set Reporting Schedules 290

Have More Meetings and Send Less E-mail 290

Challenge Outdated and Overly Detailed Policies 291

Review Reports with Their Preparers 291

Keep Up with Current Certification Requirements 292

Avoid Animosity with the Audit Committee 292

Don’t Confuse Certification with Control 293

Consider Getting Subcertifications 293

Track All the Timelines 293

Chapter 23: Ten Things You Can’t Ask an Auditor to Do After SOX 295

Keep Your Books 296

Fix Your Financial Information Systems 296

Appraise Company Property 297

Act as an Actuary 297

Perform Internal Audit Services for Your Company 297

Fill In for Your Management Team 298

Be a Headhunter 298

Advise You on Investments 299

Dispense Legal Advice 299

Give You an Expert Opinion 299

Chapter 24: Top Ten Places to Get Smart about SOX 301

Sample SOX-online 301

Peruse the PCAOB Web Site 302

Visit the SEC Web Site 302

Get Inside Sarbanes-Oxley Trenches 302

Link to the AICPA Web Site 304

Frequent the Forum 304

Click On the COSO Web Site 304

Find the FEI Web Site 304

Spring for a Subscription to Compliance Week 305

Don’t Forget Wikipedia! 305

Part VII: Appendixes 307

Appendix A: Selected Sections, Auditing Standard No. 5 309

Introduction 309

Integrating the Audits 310

Role of Risk Assessment 310

Scaling the Audit 311

Addressing the Risk of Fraud 311

Using the Work of Others 311

Using a Top-Down Approach 312

Appendix B: Sample Certifications 313

Sample General Section 302 Certification 313

Sample Section 906 Certification 315

Sample Subcertification of Employee 315

Appendix C: Sample Audit Committee Charter 319

Audit Committee Charter 319

Purpose 319

Authority 320

Composition 322

Meetings 322

Responsibilities 322

Appendix D: Sample Code of Ethics 329

Business Conduct and Ethics Policy 329

Policy 329

Scope 329

Responsibility 329

Provisions 330

Appendix E: Sample SAS 70 Report 337

Index 339
