The constant reporting in news headlines of corporate scandals and failures, and the subsequent revelations regarding a lack of transparency in accounting practices and loose standards of auditor independence, have left the average person wary of investing in public companies. From this chaos has come the most sweeping corporate governance law since 1934: The Sarbanes-Oxley Act of 2002 (the Act). The Act, which is designed to restore confidence in financial presentations, disclosures, and oversight of public companies, was signed into law by President George W. Bush on July 30, 2002. How will this law restore confidence in corporate America, and what does it mean for banking organizations? To answer these questions, this article will address the Act's foremost points.
The Public Company Accounting Oversight
Because of the numerous charges of conflicting interests among public companies and their external accountants, the Act established the Public Company Accounting Oversight Board (PCAOB). Although the PCAOB is an independent not-for-profit organization, it is subject to SEC oversight. The four members and the chair will be appointed by the SEC, in consultation with the Secretary of Treasury and the Chairman of the Federal Reserve System. On April 15, 2003, the SEC announced that it had selected William J. McDonough, current President of the Federal Reserve Bank of New York, as its nominee to chair the PCAOB.
The PCAOB is designed to protect the interests of investors in the preparation of accurate and independent external audit reports. As such, it will establish auditing, quality control, ethics, independence, and other standards; register, regulate, oversee, and discipline accounting firms that audit public companies; and enforce compliance with the Act. As a result, accounting firms that prepare audit reports for public companies must register with the PCAOB.
Independence and Corporate Responsibility
In restoring public confidence, one must first look to those who are most accountable for the oversight of a corporation: the board of directors. As such, the Act requires that a majority of a corporation's directors be independent; however, the Act has no requirement that the chairperson be a non-executive of the company. It is important to understand that the Act has not changed the fiduciary responsibilities or other fundamental tenets of corporate law applicable to boards of directors. Likewise, the Act did not weaken the structures that insulate directors from personal liability for non-negligent corporate actions, since without those structures competent people might be discouraged from serving as directors. Instead, the Act imposes greater independence and oversight responsibilities on corporate directors.
Generally, an independent director should have no material relationship with the company (whether directly or as a partner, shareholder, or officer of any organization that has a relationship with the company), and the basis for determining a relationship to be immaterial must be discussed in the corporation's proxy statement. The SEC's final rule 33-8183 provides detailed guidance on the SEC's expanded definitions of independence and lack thereof.1
To further improve corporate responsibility, the Act requires that each public company have an audit committee composed of independent directors of the company. In order to improve the effectiveness of a company's audit committee, each member of the audit committee must be "financially literate," and at least one member must be an "audit committee financial expert." For many banking organizations, these concepts may not be new since the FDIC has required that audit committee members of banking organizations be independent of management and not "large customers" of the institution. In addition, the FDIC has required that at least two members of the audit committee of large institutions have "banking or financial management expertise."
On January 23, 2003, the SEC released its final rule on "audit committee financial experts" and codes of ethics applicable to the company's principal officers.2 The SEC determined that the term "audit committee financial expert" better described the desired characteristics of the member of the audit committee filling that role than did the originally proposed term "financial expert." As defined in the final rule, an "audit committee financial expert" is someone who has:
The final rules contain guidance to assist companies in determining whether an audit committee member meets the above requirements. In addition, the final rules require that the board of directors disclose annually whether it has at least one audit committee financial expert serving on its audit committee. If there is an audit committee financial expert, his or her name must be disclosed. If there is no audit committee financial expert, the board of directors must explain why.
To further prevent harm to a company from insider misconduct, the Act requires the audit committee to establish a reporting procedure for receiving anonymous employee complaints regarding misconduct. In addition, the Act provides for greater protection for employees who fear retaliation for reporting evidence of fraud.
Other requirements under the Act designed to promote greater independence and corporate responsibility among directors and senior officers include the following.
Independence Within the Accounting
The Act also establishes new ground rules for external auditors of public companies, and prohibits an external auditor from providing a number of non-audit services to the public companies it audits. Again, the focus is on maintaining the auditor's independence from the entity that it is auditing. A list of prohibited services appears in Exhibit 1. Of note, the SEC has backed away from restricting auditors from providing tax services.
Exhibit 1. Prohibited Non-Audit Services for
Bookkeeping or other services related to the accounting records or financial statements of the audit
Financial information systems design and implementation
Appraisal or valuation services, fairness opinions, or contribution-in-kind reports
Internal audit outsourcing services
Management functions or human resources
Broker or dealer, investment adviser, or investment banking services
Legal services and expert services unrelated to the audit
Although the PCAOB is authorized to adopt rules restricting other types of consulting services, to date it has not done so. However, the audit committee must approve in advance an external auditor providing such non-audit services, and the arrangements must be disclosed in the company's SEC filings.
To further ensure independence from its clients, every five fiscal years an audit firm must rotate both its lead audit partner and the audit partner responsible for reviewing the audit. While there is no requirement that the audit firm be rotated, the NYSE recommends that each audit committee consider whether, in the interest of assuring continuing auditor independence, there should be regular rotation of the audit firm.
Accountability and Disclosure
To enhance transparency and restore investor confidence in financial statements, the Act also places strong emphasis on accountability and disclosure. Section 302 of the Act requires a company's chief executive officer (CEO) and chief financial officer (CFO) to certify the accuracy of financial statements. Among other issues, this certification must indicate that the statements (i) were reviewed by the CEO and CFO, (ii) fairly state the financial condition of the company, and (iii) contain no material misstatements or omissions. The CEO and CFO are also required to certify that an internal control system has been designed, documented, and evaluated for effectiveness, and that any weaknesses have been reported to the audit committee. They must also certify that any fraud, material or immaterial, that involves management or employees who have a significant role in internal controls has been reported to the company's auditors and the audit committee of the board of directors.
Ignorance is not an acceptable defense for violation of these requirements, and certifying officers who violate this section of the Act will face criminal prosecution with punishment of up to 20 years in prison and/or a fine of $5 million.
In addition to financial statement certification, the Act requires the disclosure of numerous items. Disclosure should level the playing field for all investors and better protect employees, pension holders, and investors from management fraud. The list in Exhibit 2 is not all-inclusive, but represents an overview of some of the new areas of disclosure required by the Act.
Exhibit 2. Required Public Disclosures
All material off-balance sheet transactions and other relationships with unconsolidated entities, also known as Special Purpose Entities (SPEs)
Aggregate contractual obligations
Accelerated reporting of insider transactions
The required disclosures about off-balance sheet arrangements and aggregate contractual obligations in Exhibit 2 must be made in a separately captioned subsection of the Management's Discussion and Analysis. Disclosures about SPEs should include the nature and business purpose of the arrangement; the financial impact of the arrangement; and any known events, demands, commitments, trends, or uncertainties related to the SPEs.3 To enhance transparency and level the playing field between inside investors and the general public, insider transactions must be disclosed within 2 business days, not within 40 days as previously required. In addition, all financial statements filed with the SEC must reflect all material correcting adjustments identified by a registered public accounting firm in accordance with generally accepted accounting principles and SEC rules and regulations.
Accelerated and new disclosure requirements are not limited to company directors and senior officers, but also apply to securities analysts and attorneys. To address the widespread lack of faith in securities analysts and their research reports, the Act included tougher guidelines for stock research analysts to better ensure honest and unbiased evaluations. Analysts are required to disclose conflicts of interest that may cloud their judgement as well as compensation arrangements based on winning business for their employers.
In addition, attorneys appearing and practicing before the SEC are required to report evidence of a material violation of the securities laws or a breach of fiduciary responsibility to the company's CEO or general counsel. Outside attorneys must take appropriate action when they discover evidence of wrongdoing and can no longer use attorney-client privilege when the best interest of the public may be compromised.
Interagency Regulatory Guidance
The most anticipated regulatory guidance related to the Act within the banking community was released on March 17, 2003 in the Interagency Policy Statement on the Internal Audit Function and Its Outsourcing.4 This policy statement emphasizes that each FDIC-insured depository institution with total assets of $500 million or more is required to have an annual audit performed by an independent public accountant and that these institutions must meet the auditor independence requirements under the Act. Therefore, the financial institution must ensure that its external accounting firm remains independent and is not performing any prohibited non-audit services.
Institutions not subject to these laws are encouraged to follow the Act's prohibition regarding internal audit outsourcing. The policy statement does provide guidance for small public companies with less complex operations and limited staff, which, in certain circumstances, can use the same accounting firm to perform both an external audit and some or all of the institution's internal audit activities. When a small non-public institution decides to hire the same firm to perform internal and external audit work, the audit committee and the external auditor should pay particular attention to preserving the independence of both the internal and external audit functions.
As with all effectively developed and implemented corporate policies, the first step in assuring compliance with the Act is to establish a culture of sound business practices and ethics. A company's board of directors and senior management should set the tone regarding the expectations and quality of financial reporting. In doing so, institutions should ensure the independence of the board of directors and internal and external auditors and the adequacy of financial statement disclosures.
Restoring the public's confidence begins with a return to
If you have questions on the application of The Sarbanes-Oxley Act or the Interagency Policy Statement on the Internal Audit Function and Its Outsourcing to your institution, please contact your primary banking regulator. If you are supervised by the Federal Reserve Bank of Philadelphia, please contact your institution's central point of contact or assigned manager at the Reserve Bank. Alternatively, you can contact Jennifer M. McCune at (215) 574-7214 or Jacqueline P. Fenton at (215) 574-6234.
New Supervisory Guidance on Corporate Governance: SR 03-8 and FIL 17-2003
On May 5, 2003, the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (the agencies) issued a Statement on Application of Recent Corporate Governance Initiatives to Non-Public Banking Organizations. In general, the agencies do not expect to apply the board composition, director independence, audit committee, auditor independence and other corporate governance requirements of The Sarbanes-Oxley Act of 2002 to non-public organizations that are not otherwise subject to them. Rather, the Statement encourages non-public banking organizations to review their policies and procedures relating to corporate governance and auditing to ensure that they are consistent with applicable law, regulations, and supervisory guidance and are appropriate in light of the institution's size, operations, and resources. The Statement is available in the Board's SR Letter 03-8 of the same name.
On March 5, 2003, the FDIC issued guidance addressing the interrelationships between The Sarbanes-Oxley Act and Part 363 of the FDIC's regulations, which applies to all insured depository institutions with $500 million or more in assets. This guidance is available in the FDIC's Financial Institution Letter 17-2003, Corporate Governance, Audits, and Reporting Requirements.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.