SARBANES-OXLEY Act of 2002
Summary of Key Provisions and Possible Action Items for Financial Institutions
July 25, 2002
ABA Contact: Donna Fisher (202) 663-5318; [email protected]
Topics
Legislative Requirements
Possible Action Items for Banks
Public Company Accounting Oversight Board
Establishment and operation
SEC to have oversight and enforcement authority over a new oversight board. (SEC to be responsible for oversight
during transition until board is established.) SEC to approve rules of Board and may relieve Board of many
responsibilities. Public accounting firms must register. With respect to accounting firms, Board will: establish auditing,
quality control, ethics, independence, and other standards; inspect accounting firms; conduct investigations and
disciplinary proceedings and impose sanctions; other duties to promote quality; enforce compliance; assess and collect
registration fee from accounting firms to cover costs of reviewing applications and annual reports.
Prior to audit work by external auditor,
confirm that your audit firm plans to register
with Public Oversight Board. Once rules for
registering are in place, confirm that the audit
firm is registered and is in compliance and
good standing with Public Oversight Board
rules. Consider requesting written
confirmation of both from firm.
Board may rely on professional groups of accountants to develop auditing standards, quality control standards, and ethics
standards. Second partner reviews are to be required for audits (Applies to 10-K filers). Audit reports are to include
scope of testing of compliance with internal controls, evaluations of control structure, material weaknesses.
Board to submit annual report to SEC, SEC to transmit copy to Senate Banking and House Financial Services
Committees.
Accounting firms must: disclose to Board names of issuer audit clients and annual fees received from each issuer for
audit services, other accounting services, and non-audit services (such information may be public, depending upon
decisions of Board); provide documents requested by Board.
If your bank is currently reporting on internal
controls and your external auditor is attesting
to it, then it may not be necessary for audit
costs to increase significantly as a result of
the new provisions requiring audit reports to
include information on internal controls.
Board may inspect and review audit and review engagements of accounting firms. Board may request testimony and
documents from any client (not limited to issuers) of accounting firm.
Board shall notify SEC of investigations involving potential violations of securities laws and coordinate with SEC. Board
may refer investigations to federal functional regulators and certain authorities.
Funding of Board to be paid by equitable allocation among issuers, subject to SEC approval. However, note exception
above for registration fees paid by accounting firms. (Any monetary penalties go to scholarship fund.)
*To the extent banks or thrifts (approximately 250) are required to file their ’34 Act reports with their primary federal banking regulator, bank regulators (and not the SEC) would have
enforcement authority with respect to the corporate governance and pension provisions in this chart that have an asterisk (“*”).
Additional notes:
• This document should not be viewed as containing legal or accounting advice.
• For full understanding, read the legislation (available at www.aba.com).
• The topic columns indicate to whom the provisions apply. If the notation states that it “Applies to 10-K filers”, and your institution does not file a 10-K, then the issue does
not apply to you. However, it should be noted that the banking regulators could change their rules.
AMERICAN BANKERS ASSOCIATION
Auditor Independence
Segregation of audit and other services (Applies to 10-K filers)
Audit must be separate from non-audit areas: bookkeeping or other services related to accounting records or financial
statements, financial information system design and implementation, appraisal or valuation services, fairness opinions,
contribution-in-kind reports, actuarial services, internal audit outsourcing, management functions or HR, broker/dealer,
investment adviser, investment banking, legal services, expert services unrelated to audit, other (as determined by the
oversight board). Auditing services (which may entail comfort letters and STAT audits for insurance companies) and any
other non-audit services (including tax) may be done by external auditor with advance approval by audit committee and
disclosure to investors; however, this is waived under certain de minimis criteria (if aggregate amount of non-audit services
is not more than 5% of total revenues paid by issuer to auditor during fiscal year of non-audit services; if such services were
not recognized by issuer at the time of engagement to be non-audit services; and if such services are promptly brought to
attention of audit committee and approved prior to completion of audit). Audit committee may delegate authority for preapprovals to a single member of audit committee. Public oversight board may make certain exceptions with SEC approval.
Request that bank’s accounting department
determine what payments have been made
and/or agreements signed with accounting
firms for services other than financial
statement audits. Determine whether those
functions need to be performed on an
ongoing basis and, if so, prioritize such
services to evaluate whether the services
should be performed by a different firm. (If
you have a significant amount of non-audit
services, you may want to prioritize them
also based on chronology to identify what
procedures should be addressed first.)
Discuss with audit committee any non-audit
services that need to be continued by the
external audit firm and request approval.
Establish procedures for a single member of
audit committee to approve non-audit
services that may need to be performed by
external audit firm.
Rotation (Applies to 10-K filers)
Lead audit partner and reviewing partner must rotate every 5 years.
Comptroller General to study mandatory rotation of audit firms. Study due within 1 year of enactment.
Inform audit committee that external audit
partner and reviewing partner will rotate
every 5 years.
Corporate governance
Board of directors (Applies to 10-K filers)
Public accounting firm reports directly to audit committee. Audit committee is directly responsible for appointment,
compensation, oversight of accounting firm.* Auditor must timely report to audit committee: all critical accounting
policies/practices to be used; all alternative treatments of financial information within GAAP that have been discussed with
management, ramifications, and method preferred by auditor; any other material written communication between auditor
and management, including management letters and schedules of unadjusted differences.
Amend audit committee charter or
description to acknowledge that public
accounting firm reports directly to audit
committee and that audit committee is
directly responsible for functions described.
Establish procedures so that the functions
described are understood by the accounting
firm, the issues are discussed on a timely
basis, and on a time frame that is also
efficient for audit committee.
Audit committee must be independent. Cannot accept consulting, advisory, or other compensatory fee from issuer; cannot
be affiliated person with issuer or subsidiary. (SEC may make exceptions.)*
Audit committee must establish procedures for (1) complaints received by issuer regarding accounting, internal accounting
controls, auditing matters, and (2) confidential submissions by employees regarding questionable accounting or auditing
methods.*
Audit committee has authority to engage independent counsel or other advisors.*
Issuer to provide funds to audit committee for payment of compensation to accounting firm and advisers employed by audit
committee.*
SEC to issue final rules (within 180 days) to require issuers to disclose whether or not the audit committee includes at least
one member who is a financial expert (as defined in the Act).*
Request that bank’s accounting department,
along with its audit committee members,
determine whether any consulting, advisory,
or other compensatory fees are being paid to
such members.
Develop audit committee procedures for
reacting to complaints received from
employees on accounting and auditing
matters.
Change audit committee charter to include
authority to engage independent counsel or
other advisors.
Ensure that prompt payment procedures
exist for amounts owed to audit firm and
advisors.
Consider including at least one financial
expert on audit committee; otherwise, be
ready to disclose that a financial expert is not
on the audit committee.
Forfeiture of profits (Applies to 10-K filers)
If restatements occur due to material noncompliance of issuer, CEO and CFO to reimburse issuer for their bonuses or other
incentive or equity based compensation and any profits realized from sales of securities of issuer during specified 12
months period. SEC may exempt persons from this.*
Improper influence by company on audits (Applies to 10-K filers)
Unlawful for officers or directors to fraudulently mislead auditors for purpose of rendering financial statements materially
misleading.*
Consider developing internal policies for
those who work with auditors.
Corporate governance
Insider transactions (Applies to 10-K filers)
No issuer may, directly or indirectly, extend or maintain credit, or arrange for extension of credit, in the form of a personal
loan to or for any director or executive officer of the issuer. This excludes:
(1) credit existing on date of enactment if no material modifications are made after enactment,
(2) home improvement and manufactured home loans (defined in section 5 of Home Owners Loan Act); consumer credit
(defined in section 103 of Truth in Lending Act); or any extension of credit under an open end credit plan (defined in
section 103 of Truth in Lending Act); or charge card (defined in section 127(a)(4)(e) of Truth in Lending Act); or any
extension of credit by broker/dealer (registered under section 15) to an employee to buy, trade, or carry securities that
is permitted by the Federal Reserve pursuant to section 7 (other than extension of credit to purchase stock of that
issuer). All in this section are permitted if: (1) made in the ordinary course of the consumer credit business of the
issuer, (2) of a type that is generally made available by issuer to the public, and (3) made by issuer on market terms, or
terms that are no more favorable than those offered by issuer to general public.
(3) bank and savings association loans subject to Regulation O.
Please note that loans subject to Reg O are
acceptable loans. However, if your
subsidiary or holding company is not subject
to Reg O and loans are made by them, work
with directors and executive officers to
determine whether any personal loans are
outstanding. Determine whether those loans
qualify as acceptable transactions under the
law. If not, do not arrange for alternative
financing, either directly or indirectly.
Certifications and responsibilities for financials (Applies to 10-K filers)
Principal executive officer or officers, principal financial officer or officers, or persons performing similar functions to certify in
each annual or quarterly report filed (under sections 13(a) or 15 (d) of SEC Act of 1934) that: the signing officer has
reviewed the report; based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or
omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which
statements were made, not misleading; based on the officer’s knowledge, the financial statements and other financial
information in the report fairly present in all material respects the financial condition and results of operations of issuer; the
signing officers are responsible for internal controls, signing officers have designed such controls to ensure that material
information is made known to such officers; signing officers have evaluated the effectiveness of internal controls within 90
days prior to report; signing officers have presented in the report their conclusions about the effectiveness of internal
controls; signing officers have disclosed to auditors and audit committee all significant deficiencies, any fraud that involves
management or other employees who have significant role in internal controls; signing officers have indicated in the report
whether there were significant changes in internal controls or other factors that could significantly affect controls subsequent
to date of evaluation. Effective not later than 30 days after enactment.*
Criminal penalties for certifications (not more than $1 million and/or not more than 10 years imprisonment) if known that the
periodic report does not comport with the requirements. Willful is $5 million and/or 20 years.
(Note: The Act includes a “Sense of the Senate” that corporate tax returns should be signed by the CEO.)
NOTE: THIS IS EFFECTIVE WITHIN 30
DAYS AFTER ENACTMENT. Thus, it is
expected to apply for 9/30/02 quarterly
reports. The certification must state that the
officer has reviewed effectiveness of internal
controls within 90 days prior to the report.
Educate CEO, CFO and other financial
officers about these provisions. Consider
whether additional documentation is needed
in order for officer to certify.
Management assessment of internal controls (Applies to 10-K filers)
SEC to require annual reports to include internal control report that will: (1) state management’s responsibility for
establishing and maintaining adequate internal control structure and procedures for financial reporting and (2) assess, as of
year end, the effectiveness of (1). Issuer’s auditor to attest to management’s assessment.*
If your institution currently reports on internal
controls, evaluate such reports,
assessments, and documentation to
determine whether any changes are
necessary.
If your institution does not currently report on
internal controls, develop procedures and
request that audit committee engage
external auditor to provide attestation.
Corporate governance
Breaking securities laws, fraud, obstruction of justice
Knowing destruction, alteration, or falsification of records with intent to obstruct investigations results in fines and/or under
20 years imprisonment. Accountants who violate audit workpaper retention rules face fines and/or under 10 years
imprisonment.
Consider educating certain staff (possibly
senior management in HR, legal, accounting)
regarding whistleblower and retaliation
provisions, document destruction, etc.
Certain debts will not be dischargeable if incurred in violation of securities fraud laws.
Statute of limitations for securities fraud is amended.
U.S. Sentencing Commission to review and amend Federal Sentencing Guidelines.
Whistleblower protections for officers, employees, contractors, subcontractors, or agents of issuers for lawful acts: (1) to
provide information regarding any conduct reasonably believed to be in violation of certain rules, regulations, or Federal
laws relating to fraud against shareholders where information is to Federal regulatory or law enforcement agency, Member
of Congress or Committee, person with supervisory authority over employee, or (2) to file, testify or assist in proceeding filed
or about to be filed (with any knowledge of employer) in relation to rules, regulations, or Federal laws relating to fraud
against shareholders.
Retaliation against informants for providing to a law enforcement officer any truthful information relating to the commission
or possible commission of any Federal offense shall be fined and/or imprisoned not more than 10 years.
Increases criminal penalties for defrauding shareholders of issuers for knowingly executing or attempting to defraud, for
conspiracy to commit offense, mail and wire fraud, ERISA violations, tampering with a record or impeding an official
investigation, criminal penalties under SEC Act of 1934.
SEC to study (for 1998-2001) the number of securities professionals (public accountants, public accounting firms,
investment bankers, investment advisers, brokers, dealers, attorneys, and other securities professionals practicing before
the SEC) who have been found to have aided and abetted a violation of Federal securities laws, including rules or
regulations promulgated thereunder, but who have not been sanctioned, disciplined, or penalized as a primary violator, and
have been found to have been primary violators.
Code of ethics (Applies to 10-K filers)
SEC to issue final rules (within 180 days of enactment) to require issuer to disclose whether company has code of ethics
for senior financial officers. Changes to or waivers of code of ethics to be reported on Form 8-K. Code to include: honest
and ethical conduct, conflicts of interest, full and accurate disclosures in periodic reports, compliance with applicable
governmental rules and regulations.*
Review code of ethics and amend (and
report on 8-K) if necessary. Consider
establishing procedures for senior financial
officers and others to document on an
annual basis that they have read the code
and that they are in compliance with it.
Authority of bank regulators (Applies to 10-K filers that file with banking regulators)
To the extent banks or thrifts (approximately 250) are required to file their ’34 Act reports with their primary federal banking
regulator, bank regulators (and not the SEC) would have enforcement authority with respect to the corporate governance
and pension provisions in this chart that have an asterisk (“*”).
Pension funds (First paragraph to the right applies to 10-K filers; second paragraph applies to companies offering employee benefit plans that are subject to ERISA)
No director or executive officer may directly or indirectly purchase/sell/transfer equity security of issuer during blackout
period if acquired in conjunction with service or employment. Blackout periods defined. Any profits realized during blackout
period shall inure to issuer. Issuer to notify directors, officers, and SEC of blackout periods. SEC to issue rules and may
provide for exceptions such as for purchases of automatic dividend reinvestment programs or advance elections.
Plan administrators to notify participants and beneficiaries of blackouts in writing with 30 day notice, along with certain
additional details.
Effective 180 days after enactment.
Work with department that is responsible for
overseeing plans (such as 401(k)) and educate
them on notification procedures.
Real time disclosure of financial information (Applies to 10-K filers)
Issuer to disclose to public on rapid and current basis such additional information concerning material changes in financial
condition or operations, in plain English, which may include trend and qualitative information and graphic presentations.
SEC to develop rules.
Continuously monitor business and the
resulting financial changes as they are taking
place to determine whether they are material
or represent a trend that needs to be
reported.
Accounting standards (Applies to 10-K filers; however, GAAP generally applies to call reports for all banks and thrifts)
SEC may recognize accounting principles established by standard setting body that: is organized as a private entity, has
board of trustees, is funded by fees established by this Act, has procedures to ensure prompt consideration of accounting
changes, and considers the need to keep standards current for protection of investors and the extent to which international
convergence is appropriate, is capable of improving accuracy and effectiveness of financial reporting and protection of
investors. Standard setting body must submit annual report to SEC and public. Funding of standard setting body to be paid
by allocation among issuers, subject to SEC approval.
Evaluate press releases and other public
information to determine if misleading, prior
to issuance. Ensure that MD&A is not
inconsistent with footnote disclosures and
financial statements.
Insider transactions (Applies to 10-K filers)
Effective 30 days after enactment, every Section 16 insider or beneficial owner is to file with the SEC insider transaction
reporting forms before the end of the second business day following the date of the transaction. Electronic filing to be
required with Internet access and company website access to be required within 1 year of enactment.
Study
SEC to study principles-based accounting system, including economic analysis, within one year of enactment.
Enhanced Financial Disclosures
All material correcting adjustments that have been identified by auditor must be reflected in financials.
All material (current or future) off-balance sheet transactions (including contingent obligations) and other relationships with
unconsolidated entities must be disclosed. Pro forma financial information included in financials, press releases, or other
public information shall be presented in a manner that does not contain or omit an untrue statement of material fact and that
reconciles it with the financial condition and result of operations under GAAP. SEC to issue final rules (within 180 days of
enactment).
NOTE: THIS IS EFFECTIVE WITHIN 30
DAYS OF ENACTMENT. Develop
procedures to ensure second day reporting.
SEC to study filings of issuers to determine extent of off-balance sheet transactions and use of special purpose entities,
whether GAAP results in reflecting economics of such transactions, transparency, and recommendations within one year
after adoption of off-balance sheet disclosure rules required by this Act.
SEC to study (within 180 days of enactment) all enforcement actions by the SEC involving violations of reporting
requirements imposed under the securities laws, and restatements of financial statements, over 5 year period preceding
enactment. SEC to identify areas of reporting most susceptible to fraud, inappropriate manipulation or inappropriate
earnings management, such as revenue recognition and off balance sheet special purpose entities. Report to include
discussion of recommended regulatory or legislative steps. Findings are to be used to review SEC rules and regulations
as necessary. (* for pro formas only)
SEC (Applies to 10-K filers; however, changes to GAAP generally would apply to call reports for all banks and thrifts)
SEC to be funded with $776 million for 2003 for compensation, information technology, security, terrorism, no fewer than
200 new positions for oversight of auditors and strengthen staff.
Educate officers and directors regarding
SEC’s rights to prohibit officers and directors
from serving.
SEC may censure any person from practicing before the SEC in certain circumstances, including accounting firm
employees.
SEC may petition a Federal court to require issuer to escrow money if it appears likely that an extraordinary payment will be
made involving violations of Federal securities laws by an issuer.
Educate financial staff regarding regular SEC
focus on issuers and other requirements in
the Act.
SEC may prohibit officers or directors from serving under certain circumstances.
SEC to review issuer disclosures on a regular basis. SEC shall consider issuers with material restatements, significant
volatility in stock price compared to others, largest market capitalization, emerging companies with disparities in price to
earnings ratios, operations that significantly affect any material sector of the economy, and other factors. Issuer reviews to
be done at least every 3 years.
SEC to study enforcement actions involving proceedings to obtain civil penalties or disgorgement over the last 5 years to
identify areas where proceedings may be used to provide restitution for injured investors. Funds from judicial or
administrative actions brought by SEC may become part of a fund available to victims of such violations. SEC to report,
including discussion of regulatory or legislative steps needed, to House Financial Services and Senate Banking Committees
within 180 days of enactment.
Accounting firm consolidation
GAO to study (within 1 year of enactment) consolidation of accounting firms since 1989 and consequent reduction in
number of firms capable of providing audit services to large businesses, impact on capital formation and securities markets,
solutions, problems faced by companies (including costs, quality, etc.).
Discuss with audit committee whether
external audit firm has the expertise needed
to provide a quality audit.
Analysts’ independence
SEC to adopt rules (within 1 year of enactment) to reasonably address conflicts of interest that can arise when research
analysts recommend equities, rules designed to foster greater public confidence in securities research (including analysts’
relationships with investment banking, supervision and compensation, retaliation), rules to define timing of publishing
research reports, rules to establish safeguards, etc.
If bank employs analysts, evaluate whether
there are any existing or potential conflicts of
interest that would either result in or appear
to result in a lack of independence. Consider
developing procedures for disclosures to
bank by analysts of any conflicts on a
continuous basis.
SEC to adopt rules (within 1 year of enactment) reasonably designed to require disclosure in public appearances and
research reports potential conflicts of interest at the time of public appearances or research reports.
Attorneys
SEC to establish rules for minimum standards of professional conduct for attorneys appearing and practicing before the
SEC. Rules include requiring attorney to report evidence of material violation of securities law or breach of fiduciary duty or
similar violation by company to chief legal counsel or CEO. If they fail to respond to the evidence, attorney must report
evidence to audit committee or other committee of board of directors not employed directly or indirectly by issuer.
Request that legal department determine
whether any internal or external attorneys
are considered to be appearing and
practicing before the SEC. If so, develop
procedures for reporting material violations
to chief legal counsel or CEO and audit
committee.
Credit rating agencies
SEC to study credit rating agencies, due within 180 days of enactment.
Investment banks, brokers, dealers, investment advisors
Expands bases for SEC to bar individuals from associating with registered broker/dealers or registered investment advisers
to include certain orders issued by state securities and insurance regulators and state or federal banking regulators.
GAO to study (within 180 days of enactment) whether investment banks and financial advisers assisted public companies in
manipulating earnings and obfuscating their true financial condition with Enron, Global Crossing, and generally in creating
and marketing transactions that may have been designed solely to enable companies to manipulate revenue streams,
obtain loans, or move liabilities off balance sheets without altering economic and business risks faced by companies or any
other mechanism to obscure a company’s financial picture. Report to include recommended regulatory or legislative steps.