Implementing the Sarbanes-Oxley Act
by Brian J. Kahle and Julie E. McGuire
(June 2003) American financial markets over the
past 24 months have undergone an unprecedented volatility and crisis of
integrity. After 2001's economic downturn was exacerbated by numerous
Enron-type scandals, Congress passed the Sarbanes-Oxley Act of 2002, 15
U.S.C. § 7201 et seq., (the "Act"), in an effort to help
restore stability and some measure of confidence in these markets. The Act
was signed into law by President Bush on July 30, 2002. Recently, the U.S.
Securities Exchange Commission, the agency charged with promulgating rules
and regulations to implement the Act, has experienced the most extensive
rulemaking period in its 70-year history.
Background - On January 22, 2003, the SEC voted
to adopt final rules to implement Title II of the Act: auditor
independence. Published in the Federal Register on February 5, 2003, the
rules will become effective on May 6, 2003. The issue of "auditor
independence" is regarded by some commentators as the focal point of
the legislation and the most important step toward restoring public
confidence in the markets. This issue is arguably also the most
controversial. What follows is a discussion of the new rule provisions and
also its various exceptions.
The Sarbanes-Oxley Act applies only to
registered public accounting firms alone, and does not seek to regulate
those small and medium-sized accounting firms that do not perform audits
of public companies. A "registered public accounting firm,"
defined in Section 2 of the Act, is a public accounting firm that must be
registered with the newly formed Public Company Accounting Oversight Board
("Oversight Board") before it is able to provide auditing
services to a public company registered with the SEC. Generally, then, the
rules discussed here apply only to those accounting firms that perform
audits for publicly traded companies.
A violation by any person of the Act or the
auditor independence rules discussed here will subject the person to the
same penalties as would a violation of the Securities Exchange Act of 1934
and related SEC rules. This could include civil penalties, criminal
penalties, or both.
The SEC rules on audit independence can be
organized into five key areas: (A) Prohibited Non-Audit Services; (B)
Audit Committee Pre-Approval of Services; (C) Partner Rotation; (D)
Conflict of Interest; and (E) Increased Communication and Disclosure.
A. Prohibited Non-Audit Services - Congress
enumerated in Section 201 of the Act nine non-audit services that are
prohibited from being contemporaneously performed for a public-company
client by any registered public accounting firm that is also serving as
auditor of the client. The SEC rules do not prohibit a firm from providing
non-audit services to clients they are not auditing. The prohibited
non-audit services are:
1. Bookkeeping. If an auditor firm provided
bookkeeping services for an audit client, it would later be placed in the
position of auditing its own work, and therefore would lack independence.
As a result, all bookkeeping services, such as maintaining accounting
records, preparing financial statements, or preparing source data, are
prohibited from being performed by an auditing firm. A narrow exception
allows such services where it is reasonable to conclude that the results
would not be subject to audit.
2. Financial Information System Design or
Implementation. An accounting firm may not provide any service related to
the audit client's information system, unless it is reasonable to conclude
that the results of these services will not be subject to audit procedures
during an audit of the client's financial statements. For example, an
accounting firm would be permitted to work on hardware or software systems
that are unrelated to the audit client's financial statements or
accounting records as long as those services are pre-approved by the audit
3. Appraisal and Valuation Services. An accounting firm is
prohibited from performing services of appraising or valuing assets or
liabilities or performing services involving a fairness opinion or
contribution-in-kind report for an audit client, unless it is reasonable
to conclude that the results of the services will not be subject to audit
procedures. The rule does not prohibit the firm from providing these
services when they are for non-financial reporting purposes.
Services. An accounting firm is prohibited from providing to an audit
client any actuarially-oriented advisory service involving the
determination of amounts recorded in the financial statements and related
accounts for the audit client other that assisting a client in
understanding the methods, models, assumptions, and inputs used in
computing an amount, unless it is reasonable to conclude that the results
of these services will not be subject to audit procedures.
Audit Outsourcing. Some companies outsource internal audit functions to
outside firms who in turn audit their internal controls. The SEC now
prohibits an accounting firm from providing to their audit client any
internal audit service that has been outsourced by the audit client and
that relates to the audit client's internal accounting controls, financial
systems, or financial statements. These services are permitted only if it
is reasonable to conclude that the results of these services will not be
subject to audit procedures. However, an auditor is free to make
recommendations for improvements to internal controls pursuant to
Generally Accepted Auditing Standards ("GAAS"), and such
recommendation would not be deemed an internal audit outsourcing
6. Management and Human Resources Functions. An accountant is
prohibited from acting as a director, officer, or employee of an audit
client or performing any decision-making, supervisory, or ongoing
monitoring function for the audit client. The rules also prohibit an
accounting firm from searching for employee candidates, performing
reference checks of candidates, engaging in testing or evaluation
programs, or recommending a specific candidate for a specific job.
Investment Advising Services. It is impermissible for an accounting firm
to perform brokerage, investment advising, or investment banking services
for an audit client. It cannot serve as an unregistered broker-dealer,
promoter, underwriter, make investment decisions for an audit client, or
otherwise have discretionary authority over an audit client's investments.
Doing so is incompatible with the auditor's responsibility to ensure that
the client's financial condition is fairly presented to the public.
Legal Services. An accounting firm is prohibited from providing to an
audit client any service that could only be provided by someone licensed
to practice law in the jurisdiction in which the service is provided. This
rule is based on the notion that an individual cannot be both a zealous
advocate for the client's management and maintain the objectivity required
for an audit. Importantly, because some countries have regulations
requiring a license to practice law in order to do tax work, this
restriction on legal practice does not prohibit foreign accounting firms
that are so regulated from providing accounting services that an American
accounting firm could provide under these rules.
9. Expert Services.
Expert services are those where an accounting firm's specialized knowledge
and expertise is used to support the audit client's positions in an
adversarial proceeding. An accountant is prohibited from providing expert
opinions or other services to an audit client, or a legal representative
of an audit client, for the purpose of advocating that audit client's
interests in litigation or administrative and regulatory proceedings. The
accountant would be free, however, to provide factual accounts in the form
of lay testimony for explanatory purposes. Further, an accounting firm is
free to perform internal investigations or fact-finding engagements to
assist the audit committee or its legal counsel in fulfilling its
Tax Services Exception. An accounting firm is
permitted to provide tax services such as tax compliance, tax planning,
and tax advice to audit clients; doing so is not deemed a violation of
auditor independence. It should be noted that such permitted services
cannot be performed without pre-approval by the audit committee. Further,
such tax services could be a violation of other SEC rules on auditor
independence, where, for example, the firm represents the audit client
before tax court or federal court of claims.
B. Audit Committee Pre-Approval of Services - An
audit committee is defined in Section 2 of the Act as a committee
established by and among the board of directors of a publicly-traded
client for the purpose of overseeing the accounting and financial
reporting processes of the client and audits of the financial statements
of the client. If no such committee of the board exists, the committee is
deemed to be the entire board of directors of the client.
In order for a registered firm to provide audit
or permitted non-audit services to a public company, the audit committee
of the company must give prior approval pursuant to Section 202 of the
Act. The rules require that the audit committee pre-approve all
permissible non-audit services and all audit, review or attest
engagements. This approval can occur either through express approval, or
upon compliance with specific pre-approval policies and procedures set in
place by the committee. These requirements are expected to promote auditor
independence by providing a forum away from management where less pressure
or influence may exist and accountants can more freely discuss particular
problems or concerns. The rules provide a de minimis exception for
non-audit related services, waiving the pre-approval requirement where all
non-audit services: (1) do not amount to more than five-percent of total
revenues paid by the audit client to the accounting firm in the fiscal
year services are provided; (2) were not recognized as non-audit services
at the time of the engagement; and (3) are promptly brought to the
attention of the audit committee and approved prior to completion of the
audit by the audit committee.
C. Partner Rotation - An audit engagement team
is defined as all partners and professional employees participating in an
audit, review, or attestation engagement of an audit client. To preserve
independence and maintain quality of audit services, Congress included in
section 203 of the Act a requirement that audit partners "rotate
off" of a particular client engagement after a specific period of
time. In developing rules on partner rotation, the rule has classified
partners into different levels and established rules for each level of
partner. The lead and concurring partners are required to rotate after
five (5) years, and then are subject to a five year "time out"
period where they cannot perform services for that audit client. Other
audit partners are required to rotate after no more than seven (7) years
and be subject to a two (2) year time-out period. "Audit
partner" is defined as a partner who, as a member of the audit
engagement team, has responsibility for decision-making on significant
auditing, accounting, and reporting matters that affect the financial
statements or who maintains regular contact with management and the audit
Small Firm Exception - In response to a
significant number of comments, the SEC adopted a small-firm exception
from the partner rotation rules. Audit firms that have fewer than five
audit clients that are public companies, and have fewer than ten partners,
are exempted from partner rotation rules. These firms still must be
subject to a full review by the Board at least once every three years,
D. Conflicts Of Interest - Section 206 of the
Act sets forth a conflict of interest rule whereby a one-year cooling off
period is required before a member of the audit engagement team can begin
working for the audit client in certain key positions.
The rule provides that when the lead partner,
concurring partner, or any other member of the audit engagement team who
provides more than ten hours of audit, review, or attest services for the
client accepts a position with the audit client in a financial reporting
oversight role within one year after they provided such services to the
client, the accounting firm is not independent. For purposes of the rule,
audit procedures are deemed to have commenced for the current audit
engagement period the day after the prior year's periodic annual report is
filed with the SEC. The cooling off period must be one year, and in order
to comply, the firm must complete one annual audit after the individual
was a member of the audit engagement team.
The final rule does provide exceptions to the
cooling off requirement. If a conflict is created through merger or
acquisition, the rule does not apply. Further, the rule has provided an
exception for emergency or unusual circumstances. The SEC has addressed
conflicts of interest arising where an audit partner receives compensation
based on the act of selling non-audit services to the client. It has
adopted the rule that an accountant is not independent if, at any point
during the audit and professional engagement period, any audit partner
earns or receives compensation based on the audit partner procuring
engagements with the audit client to provide any products or services
other than audit, review, or attest services.
E. Increased Communication and Disclosure
To Audit Committees - Section 204 requires the SEC to issue rules requiring timely
reporting of specific information to audit committees in order to assist
the committee in overseeing both management and the accountants. The SEC
has added substance to this rule by requiring disclosures for three types
of information that must occur prior to the filing of the audit report
with the SEC.
First, firms are required to disclose to audit
committees all critical accounting policies and practices. In defining
those accounting policies that are deemed critical, the SEC looked to its
Cautionary Guidance of December 12, 2001, and noted that critical policies
are those that are both most important to the portrayal of the company's
financial condition and require management's most difficult judgments due
to the need to make estimates about the effect of matters that are
Second, accounting firms are also required to
communicate to the audit committee, either orally or in writing, all
alternative treatments within generally accepted accounting principles
("GAAP") for policies and practices related to material items
that have been discussed with management. This includes discussions of the
ramifications of the use of such alternative treatments and the treatment
preferred by the accounting firm.
Third, the SEC also requires disclosure to the
committee of material written communications, such as management
representation letters, engagement letters, independence letters, reports
on internal controls, and schedules of unadjusted audit differences.
Accountants are urged to use proper discretion regarding what written
communications should be provided to the audit committees.
To Investing Public - Beyond the disclosures to
audit committees, the new rule requires that additional information be
provided to the public as well. Public companies must disclose fees paid
to their independent accountant(s) for: (1) audit fees, (2) audit-related
fees, (3) tax fees, and (4) all other fees. Further, the company must
disclose a description of the type of services being provided. Disclosure
must also be made of the audit committee's pre-approval policies and
procedures, if any. These disclosures are to be provided both in the
company's annual report and in their proxy statement, so that all
investors have equal information. The information must be included for the
two most recent fiscal years of the company.
Conclusion - This article has sought to provide
a summary of the final auditor independence rules. These rules were the
subject of significant debate during the rulemaking process, and will
surely be subject to further criticism as they begin to be implemented.
However, public companies and registered public accounting firms will
likely take very seriously these rules, in view of the Act's harsh
criminal penalties. These rules have been implemented in order to protect
auditor independence from management pressure and influence for the
purpose of restoring public confidence in the veracity of public company
disclosures. Whether they will prove effective and worth the burden will
be determined in the years, and hopefully bull markets, to come.
© 2003 Hull McGuire PC. All Rights Reserved.