
Issue 43 Apr 2011

Sarbanes-Oxley (SOX) Act


An effective step towards Corporate Governance

A report on the Sarbanes-Oxley Act and its impact on the Indian Outsourcing Industry

Research by: Palak Sharma & Rohit Adlakha - Law Students Panjab University, Chandigarh, INDIA, under the guidance of Nitin Kumar, Sr. Consultant, InterAlliance Group Services

InterAlliance Group Services


www.interalliancegroup.com

The SOX Act came into force in 2002 with the aim of protecting investors and introducing improvements in Corporate Governance.

SARBANES-OXLEY ACT


The legislation came into force in 2002 as a step to curb fraudulent events and introduced stringent new rules with the stated objective: "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws". Sarbanes-Oxley introduced major changes to the regulation of financial practice and corporate governance in the US. Named after Senator Paul Sarbanes and Representative Michael Oxley, who were its main architects, it also sets a number of deadlines for compliance.

The Sarbanes-Oxley Act is arranged into eleven titles. As far as compliance is concerned, the most important sections within these are often considered to be 302, 401, 404, 409, 802 and 906.

The Sarbanes-Oxley Act introduced a number of deadlines, the prime ones being:

- Most public companies must meet the financial reporting and certification mandates for any end of year financial statements filed after November 15th 2004 (amended from June 15th).
- Smaller companies and foreign companies must meet these mandates for any statements filed after 15th July 2005 (amended from April 15th).

The Sarbanes-Oxley Act was enacted with the intention of gaining the confidence of the public with respect to corporate financial statements. Prior to the enactment of this Act, investors suffered losses due to corporate failures brought about by the wrongful conduct of the public officials. The Act was specifically introduced to address the issue of accounting fraud, with the objective of ensuring the accuracy and reliability of corporate disclosures. It was a direct consequence of public disgust with a series of financial scandals that led to the abrupt failure of large firms in the US. Some companies that had not been in the limelight were engaged in massive accounting frauds, to such an extent that they counteracted the antifraud and mandatory disclosure provisions of federal securities laws.
These incidents were blamed directly on the accounting profession, auditors, etc. The record revealed that the revenues that auditors generated from consulting services from the firms they were auditing exceeded those generated from conducting the audit. This immediately raised the question regarding the loss of independence on the part of the auditors. In this chaotic environment, SOX was engendered. It was conceived in controversy and has remained combative.

Proponents of SOX believe that it was necessary to restore public faith in published financial statements by assuring that accounting records were accurate and could be relied upon. There was a growing perception among the investing public that most of the scandals could have been prevented had there been a governmental agency responsible for monitoring and preventing such accounting irregularities.


Opponents argued that SOX would be prejudicial to the economy; that the burden would fall too heavily on smaller public firms; that the costs of implementing SOX with all its requirements would far exceed the benefits gained. The fact that there was a spike in the number of public companies that were privately sold, that relocated outside the US and relisted themselves on foreign exchanges lends some credence to the opposing view.

The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, it also affects the IT departments whose job it is to store a corporation's electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for "not less than five years." The consequences for noncompliance are fines, imprisonment, or both.

US Securities Act 1933

Basic Objective of US Securities Act 1933

Often referred to as the "truth in securities" law, the Securities Act of 1933 has two basic objectives: require that investors receive financial and other significant information concerning securities being offered for public sale; and prohibit deceit, misrepresentations, and other fraud in the sale of securities. A primary means of accomplishing these goals is the disclosure of important financial information through the registration of securities. This information enables investors, not the government, to make informed judgments about whether to purchase a company's securities. While the SEC requires that the information provided be accurate, it does not guarantee it. Investors who purchase securities and suffer losses have important recovery rights if they can prove that there was incomplete or inaccurate disclosure of important information.


SARBANES-OXLEY ACT & INDIA


The legislation came into force in 2002 as a step to curb fraudulent events. SOX, which is applicable to all publicly registered companies under the jurisdiction of the Securities and Exchange Commission, is a far-reaching piece of legislation, effecting significant changes to laws concerning directors and the reporting obligations of public companies, and mandating new regulations to prevent securities fraud and other abuses. The US SOX Act came into force on account of the collapse of corporate giants like Enron, WorldCom, Tyco, Qwest and Global Crossing, and the Xerox fiasco. The reasons for the collapse were the failure on the part of the auditors and wilful neglect of duties by the boards of directors. The thrust of corporate India has also been to prevent malpractices and restore the confidence of investors. This report looks at the implications of the Act that usually arise in India for Companies, the Audit Profession and the BPO Industry.

Some of the key sections of SOX related to Audit and Financial Reporting are the following:

Sections 101-109 of the Act have established a new body, the Public Accounting Oversight Board (PCAOB), to oversee the auditing of public companies. All accounting firms that audit the financial statements of Securities Exchange Act of 1934 (1934 Act) Reporting Issuers (issuers of securities who are mandated to report under the 1934 Act) must register with and provide periodic reports to the Board. Registered accounting firms are subject to Board-adopted audit, quality control and ethics standards, periodic inspections and possible disciplinary proceedings.

Section 106 of the Act specifically provides that it will apply to any foreign public accounting firm (Indian Audit Firm) that prepares or furnishes an audit report with respect to any 1934 Act Reporting Issuer. The Board is also given the authority to determine, by rule, that a foreign accounting firm that does not issue an audit report for a 1934 Act Reporting Issuer may nonetheless play such a substantial role in an audit that it is appropriate that such a firm should be subject to the Board's authority.

Section 302 (Corporate Responsibility for Financial Reports) directs the Securities and Exchange Commission to adopt rules requiring the principal executive officer and the principal financial officer (or equivalent) of 1934 Act Reporting Issuers to provide certifications in each annual and quarterly report filed or submitted under the 1934 Act. The certification relates to the content of the report, internal controls of the issuer and disclosure to the audit committee.

Section 404: As directed by Section 404 of the Sarbanes-Oxley Act of 2002, the Securities and Exchange Commission (SEC) adopted rules regarding internal controls at public companies in May 2003. Section 404 also requires that a company's independent auditors attest to and report on management's controls assessments, following standards established by the PCAOB.


US SEC rules
Under the SEC rules, management's annual internal-control report must contain:

- A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company.
- A statement identifying management's framework for evaluating the effectiveness of internal controls.
- Management's assessment of the effectiveness of internal controls as of the end of the company's most recent fiscal year.
- A statement that the company's auditor has issued an attestation report on management's assessment.

Internal controls, according to the new rule, include assurances of accurate records maintenance, as well as financial reporting that complies with generally accepted accounting principles. The rule also stipulates that managers and directors sign off on receipts and payouts, and that publicly traded companies maintain adequate systems to prevent or detect unauthorized material transactions. Management must disclose any material weakness in a company's internal-controls structure. If material weaknesses exist, senior executives will be unable to conclude that the company's internal control over financial reporting is effective, according to the Securities and Exchange Commission.

SOX and Indian BPO Industry


India has seen huge growth in Finance, Accounting, Payroll, Accounts Payable and other financial processes moving to India from US business houses. It is imperative that Indian BPO companies have a strong framework of Internal Controls and are transparent to their clients. Well-defined processes, proper documentation etc. will be of paramount importance in view of the Sarbanes-Oxley Act, 2002.

Service organisations receive significant value from having a Statement on Auditing Standards (SAS) No. 70 engagement performed. A Service Auditor's Report with an unqualified opinion that is issued by an Independent Accounting Firm differentiates the service organisation from its peers by demonstrating the establishment of effectively designed control objectives and control activities. Without a current Service Auditor's Report, a service organisation may have to entertain multiple audit requests from its customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organisation's resources. A Service Auditor's Report ensures that all user organisations and their auditors have access to the same information, and in many cases this will satisfy the user auditor's requirements. SAS 70 engagements are generally performed by control-oriented professionals who have experience in accounting, auditing, and information security.

A Statement on Auditing Standards (SAS) 70 engagement allows a service organisation to have its control policies and procedures evaluated and tested (in the case of a Type II engagement) by an independent party. Very often this process results in the identification of opportunities for improvements in many operational areas.


SAS OVERVIEW
Statement on Auditing Standards (SAS) No. 70, for Service Organisations, is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS 70 audit or service auditor's examination is widely recognised, because it represents that a service organisation has been through an in-depth audit of its control activities, which generally include controls over information technology and related processes. In today's global economy, service organisations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on effective internal controls at service organisations.

SAS No. 70 is the authoritative guidance that allows service organisations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. A SAS 70 examination signifies that a service organisation has had its control objectives and control activities examined by an independent accounting and auditing firm. A formal report including the auditor's opinion (Service Auditor's Report) is issued to the service organisation at the conclusion of a SAS 70 examination. SAS 70 provides guidance to enable an independent auditor (service auditor) to issue an opinion on a service organisation's description of controls through a Service Auditor's Report. SAS 70 is not a pre-determined set of control objectives or control activities that service organisations must achieve. Service auditors are required to follow the AICPA's standards for fieldwork, quality control, and reporting. A SAS 70 examination is not a checklist audit.

SAS No. 70 is generally applicable when an auditor (user auditor) is auditing the financial statements of an entity (user organisation) that obtains services from another organisation (service organisation). Service organisations that provide such services could be application service providers, bank trust departments, claims processing centers, Internet data centers, or other data processing service bureaus.

SOX and Indian Audit Firms


Assignments to conduct a SAS 70 certification can prove to be a new area of work. Management of US companies could rely on SAS 70 certification by non-US audit firms as long as the reports are issued under other standards that follow the criteria of SAS 70. Management would also need to evaluate the competency and qualifications of the auditor performing the examination. The Indian Audit profession is widely appreciated around the world for its high standards. Managements of US companies should not have any issues with accepting SAS 70 certifications by Indian Audit firms.

Factors to be considered by management when a service organisation outsources certain functions to another service organisation:
In what is becoming a popular business model for BPOs in India, an interesting situation could come up when a US corporate uses a service organisation (Indian Company) that in turn uses another service organisation (a sub service organisation) to perform the work. In such a scenario the Management of the User organisation needs to consider controls at the sub service organisation. In addition to that, the following also need to be considered:

- The nature and materiality of the transactions processed by the sub service organisation
- The contribution of the sub service organisation's processes in the achievement of the user organisation's information processing objectives
- The availability of a sub service organisation's SAS 70 report

Because a user organisation typically does not have any contractual relationship with the sub service organisation, a user organisation should obtain available reports and information about the sub service organisation from the service organisation.
