392 Networking: A Beginner’s Guide
Appendix: Understanding the Sarbanes-Oxley Act

Section 302 mandates that the principal executive officer (usually the CEO) and the principal financial officer (usually the CFO) certify each annual or quarterly report that is filed with the U.S. Securities and Exchange Commission (SEC). These certifications must state the following:

- The certifying officer has reviewed the report.
- Based on the officer’s knowledge, the report does not contain any untrue statement of material facts, and does not fail to state any material facts that could result in the report being misleading.
- The officer has evaluated the effectiveness of the company’s internal controls within 90 days of the report’s date.
- The officers have presented in the periodic report their conclusions about the effectiveness of the internal controls of the company.
- The officers have disclosed to the audit committee and to the auditors all significant deficiencies regarding the operation of the company’s internal controls, which could adversely affect the company’s ability to record, process, summarize, and report financial data, and that they have disclosed any fraud, material or not, that involves management or employees who have a significant role in the company’s internal controls.
- The officers have disclosed any significant changes to the system of internal controls used by the company, including any corrective actions that were taken to address any weaknesses.

NOTE For public companies, a periodic report is their annual report on SEC form 10-K and their quarterly reports on SEC form 10-Q.

Section 303 makes illegal any improper influence on the conduct of audits. Specifically, it makes it unlawful for any officer or director of the company, or any other person acting under the direction of an officer or director, to take any action that fraudulently influences, coerces, manipulates, or misleads the firm performing the audit of the company.
I’ve emphasized the words in the preceding sentence because this rule applies to anyone who works with or provides information to the auditors, including IT personnel who are involved in the company’s internal controls.

Section 304 states that the CEO and CFO must reimburse the company for any bonus they have received, including equity-based compensation, if the company is required to restate its financial reports as a result of any misconduct. (You can now see why CEOs and CFOs take SOX compliance very seriously!)

Section 305 modifies the Securities Exchange Act of 1934 to decrease the level of unfitness of an officer or director that could bar that individual from serving as an officer or director of a public company.

Section 306 bars directors and officers of a company from trading in the company’s stock or stock options during times when a pension fund blackout is in effect.

Section 307 sets forth some professional obligations for any attorneys who represent a company with the SEC. For example, they are required to report to the company’s chief legal counsel or the CEO any evidence of a material violation of securities law or breach of fiduciary duty. If those two individuals do not appropriately respond to the evidence, then the attorney is required to report to the board of directors.

Section 308 provides that any civil penalties obtained from a person be added to any disgorged profits in a fund for the benefit of the victims of the underlying violation.

Title IV: Enhanced Financial Disclosures

Title IV covers disclosures in periodic reports, and it includes the famous Section 404, which impacts IT departments to a large extent.
Section 401 requires that financial statements include any material correcting adjustments, that all material off-balance-sheet transactions be disclosed (Enron had a number of very material off-balance-sheet transactions that were not disclosed), and that any pro forma financial tables be presented in a way that is not misleading.

Section 402 prohibits public companies from making personal loans that are not a routine part of the company’s business to any director or executive officer of a public company. A bank, for instance, can make normal credit card, home, or auto loans to its executives, provided that the terms are the same as it makes available to the general public.

Section 403 requires that all directors, officers, and principal stockholders report any transactions in the company’s stock promptly.

Section 404, despite it being one of the shorter sections of SOX, has caused a lot of headaches for accounting and IT departments. Because of its importance in these areas, following is the entirety of Section 404.

    SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.

    (a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—
        (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
        (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

    (b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer.
    An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

In a nutshell, two items are mandated by Section 404:

- The management of a company must set up an adequate system of internal controls and regularly report its assessment of the effectiveness of the internal controls in the company’s annual report.
- The company’s auditors must examine the system of internal controls and attest to their adequacy.

Later in this appendix, you’ll learn more about what Section 404 means in practice.

Section 405 exempts registered investment companies from Sections 401, 402, and 404.

Section 406 requires that a code of ethics be established for senior financial officers of a company, and enumerates several items that must be part of the code of ethics.

Section 407 requires that each audit committee have at least one member who qualifies as a “financial expert.”

Section 408 requires the SEC to review the disclosures made by public companies and their financial statements.

Finally, Section 409 requires that any material financial changes be disclosed to the public on a rapid and current basis, in plain English.

Titles V, VI, and VII

Titles V, VI, and VII are not applicable to most public companies. Title V, “Analyst Conflicts of Interest,” concerns conflicts of interest for stock analysts. You may recall that during the stock market bubble, stock analysts often spoke favorably about offerings that were being handled by their firm, and in some cases received bonuses based on how they moved the stock price. This, of course, is illegal besides being unethical.

Title VI, “Commission Resources and Authority,” discusses how the PCAOB is funded.

Title VII, “Studies and Reports,” calls for a number of studies and reports of various federal agencies, including the following:

- The U.S. Government Accounting Office (GAO) must conduct a study examining the consolidation of public accounting firms.
- The PCAOB must conduct a study regarding the role of credit rating agencies and how they affect the stock market.
- The PCAOB must study violations and violators of federal securities laws from January 1, 1998, to December 31, 2001.
- The PCAOB must study all SEC enforcement actions involving reporting violations.
- The GAO must conduct a study of investment banks and financial advisors, and whether those parties helped companies manipulate their earnings and hide their true financial condition.

Titles VIII, IX, X, and XI

The final titles of SOX do concern most companies, but probably won’t concern IT personnel directly. Title VIII, “Corporate and Criminal Fraud Accountability Act of 2002,” discusses audit document retention and penalties for destroying or altering important documents. It also enhances federal sentencing guidelines for fraud and obstruction of justice sentences. Finally, it protects “whistleblowers” of potential violations of securities laws.

Title IX, “White-Collar Crime Penalty Enhancements,” does exactly as its name suggests: it increases penalties for a number of white-collar crimes.

Title X, “Corporate Tax Returns,” states that company tax returns should be signed by the company’s CEO.

Title XI, “Corporate Fraud Accountability,” increases some other criminal penalties, and allows the SEC to ban anyone found to have violated the securities laws from serving as a director or officer of a public company, for as long as it determines.

About Internal Controls

Section 404 of SOX requires that public companies establish and evaluate a system of internal controls. Internal controls consist of procedures the company uses to help ensure the accuracy of financial reporting and minimize the chance of undetected fraud.
Most companies start with an existing framework of internal controls and then modify it to better suit their particular needs and business. The most commonly used framework for SOX compliance, and the one the SEC recommends, is one provided by COSO, which stands for Committee of Sponsoring Organizations of the Treadway Commission (http://www.coso.org). COSO defines internal controls as a process, driven by a company’s board of directors, management, and other professionals. The internal control process provides reasonable assurance that the operation is efficient and effective, that financial reporting is reliable, and that the company is complying with all applicable laws and regulations. It’s important to note that any internal control process can provide only reasonable assurances, not absolute assurances.

The team setting up a system of internal controls will examine all of the different business process areas, such as the accounts payable (AP) process, the general ledger process, or the IT process. Each of the processes will be analyzed to determine what risks to inaccurate financial reporting exist, including the probability and impact of each risk. From these risks will be generated a set of control objectives, which are designed to avoid or prevent the risks, or to detect when a risk has occurred and reduce its impact. For example, an AP process might have some of the following control objectives:

- Invoices cannot be entered when they exceed 110 percent of the amount entered by the purchasing department, without controller approval.
- All invoices are charged to valid account numbers in the general ledger.
- An AP operator cannot release checks to vendors that have a “hold” status on their account.
- Uninvoiced receipts are reconciled every month.
- Only authorized AP operators can access the AP functions in the accounting system.
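To make the distinction between preventive controls (which block a bad transaction) and detective controls (which find one after the fact) concrete, here is an added Python example that is not from the book. It implements the five AP control objectives above as checks with an audit trail: the first, second, third and fifth as preventive checks on invoice entry and check release, and the fourth as a detective reconciliation. The class and method names, the operator IDs, purchase order numbers, vendor IDs and GL account numbers are all constructed for illustration and do not come from any real accounting system.

```python
"""Toy accounts-payable (AP) controls: the control objectives above expressed as
preventive checks (enter_invoice, release_check) and one detective check
(reconcile_uninvoiced_receipts), with every decision written to an audit log.
Added example; all names, amounts and identifiers are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    po_id: str          # purchase order the invoice claims to settle
    vendor_id: str
    amount_cents: int   # money kept in integer cents so the 110 percent test is exact
    gl_account: str     # general ledger account to be charged


@dataclass
class APControls:
    po_amounts_cents: dict      # po_id -> amount entered by purchasing (constructed)
    valid_gl_accounts: set      # chart of accounts (constructed)
    vendors_on_hold: set        # vendor IDs with "hold" status (constructed)
    authorized_operators: set   # operators allowed to use AP functions (constructed)
    tolerance_percent: int = 110  # above this share of the PO, controller approval is needed
    audit_log: list = field(default_factory=list)

    def _decide(self, action, operator, ref, allowed, reason):
        # Every accept and reject is logged so auditors can test the control later.
        self.audit_log.append({"action": action, "operator": operator,
                               "ref": ref, "allowed": allowed, "reason": reason})
        return allowed, reason

    def enter_invoice(self, operator, inv, controller_approved=False):
        """Preventive controls on invoice entry; returns (allowed, reason)."""
        if operator not in self.authorized_operators:
            return self._decide("enter_invoice", operator, inv.invoice_id, False,
                                "operator not authorized for AP functions")
        if inv.gl_account not in self.valid_gl_accounts:
            return self._decide("enter_invoice", operator, inv.invoice_id, False,
                                "GL account is not valid")
        po_cents = self.po_amounts_cents.get(inv.po_id)
        if po_cents is None:
            return self._decide("enter_invoice", operator, inv.invoice_id, False,
                                "no matching purchase order")
        # amount/po > tolerance/100, cross-multiplied so no float rounding is involved
        if inv.amount_cents * 100 > po_cents * self.tolerance_percent and not controller_approved:
            return self._decide("enter_invoice", operator, inv.invoice_id, False,
                                f"exceeds {self.tolerance_percent} percent of PO amount "
                                "without controller approval")
        return self._decide("enter_invoice", operator, inv.invoice_id, True, "accepted")

    def release_check(self, operator, vendor_id):
        """Preventive control on payment release; returns (allowed, reason)."""
        if operator not in self.authorized_operators:
            return self._decide("release_check", operator, vendor_id, False,
                                "operator not authorized for AP functions")
        if vendor_id in self.vendors_on_hold:
            return self._decide("release_check", operator, vendor_id, False,
                                "vendor account is on hold")
        return self._decide("release_check", operator, vendor_id, True, "released")

    def reconcile_uninvoiced_receipts(self, received_po_ids, invoices):
        """Detective control: POs for which goods were received but no invoice was entered."""
        invoiced = {inv.po_id for inv in invoices}
        return sorted(po for po in received_po_ids if po not in invoiced)


def build_sample_controls():
    """Constructed sample data standing in for the purchasing and vendor master files."""
    return APControls(
        po_amounts_cents={"PO-1001": 100_000, "PO-1002": 250_000},
        valid_gl_accounts={"2100", "5010"},
        vendors_on_hold={"V-ACME"},
        authorized_operators={"ap_alice", "ap_bob"},
    )


if __name__ == "__main__":
    ctl = build_sample_controls()
    print(ctl.enter_invoice("ap_alice", Invoice("INV-1", "PO-1001", "V-GLOBEX", 105_000, "2100")))
    print(ctl.enter_invoice("ap_alice", Invoice("INV-2", "PO-1001", "V-GLOBEX", 120_000, "2100")))
    print(ctl.release_check("ap_bob", "V-ACME"))
    print(ctl.reconcile_uninvoiced_receipts(["PO-1001", "PO-1002"], []))
    print(len(ctl.audit_log), "decisions logged")
```

Two design points matter for an auditor: amounts are integer cents and the threshold is compared by cross-multiplication, so an invoice at exactly 110 percent is accepted and one cent more is rejected with no floating-point ambiguity; and every decision, accepted or not, lands in the audit log, which is what lets the internal or external auditor later sample transactions and test that the control operated as described.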
The complexity of the business and the analysis by the people implementing the internal control system will determine how many control objectives are put in place for each process area. Even for a small public company, there may be 20 to 50 control objectives for each business process. For a large enterprise, many more controls might be in place.

NOTE Internal controls affect nearly every area of a business. Effective internal controls are the responsibility of the managers of each process area (“process owners”), not the accounting or internal audit department. A company’s CEO and CFO are ultimately responsible for the adequacy of the systems.

Key Procedures for an IT Internal Control System

An IT department’s internal control system should minimally consist of various controls that support, either directly or indirectly, the controls of the areas involved in financial reporting. Accordingly, once the control objectives are known for the other areas of the business, the IT department can, with the assistance of the accounting or internal audit function, design these supporting controls. An IT department can also implement internal controls that help the IT department to function more effectively, and these can be included in the IT department’s system of internal controls.

IT Department Narrative

One of the first documents that an IT department should write is a narrative that overviews the IT department’s operations. This document is updated periodically, and it is used by the external and internal auditors to quickly understand the overall structure and operations of the IT department. The narrative should contain enough information to allow the readers to quickly familiarize themselves with the IT department and to understand its overall system of controls. Suggested contents include the following:

- IT organization chart, including a breakdown of key responsibilities of the personnel
- How duties are segregated.