Sarbanes-Oxley compliance: new opportunities for information technology professionals.
Schneider, Gary P. ; Bruton, Carol M.
ABSTRACT
Much has been written in the business press and in academic
journals about the Sarbanes-Oxley Act of 2002 (SOA) and how it will
affect corporate governance and the practice of auditing and public
accounting. Recent literature also discusses how the requirements of SOA
might or might not better protect investors. Very little has been
written that addresses how SOA will affect the duties and
responsibilities of information technology (IT) professionals. This
paper outlines the opportunities for IT professionals in designing the
systems that will enable companies to comply with the SOA. The paper
also contrasts the qualifications of IT professionals with respect to
SOA compliance work with those of public accounting firm staff members.
INTRODUCTION
The Sarbanes-Oxley Act of 2002 (SOA) was passed in the United
States (U.S. Code, 2002) in response to a series of significant failures
in corporate governance, including Enron (Schwartz, 2001) and the
related failure of accounting firm Arthur Andersen (Eichenwald, 2002),
HealthSouth (Day, 2003), Tyco (Sorkin, 2002), and WorldCom (Moules and
Larsen, 2003). Even Europeans, many of whom were convinced that this
rash of management frauds was a result of America's
hyper-capitalism mania and could never happen in the refined atmosphere
of the continent, found that they were not immune when Parmalat's
$15 billion in understated debt and huge overstatements of sales and
earnings were exposed (Adams, 2003).
The SOA imposes a number of requirements on companies, their
managers, and their directors. It also imposes a number of requirements
on the systems of internal control used in companies. In the next
section, we outline the requirements imposed by the SOA. In the section
following that, we outline the specific impacts that the law will have
on the job duties and responsibilities of IT professionals.
REQUIREMENTS OF THE SOA
The SOA includes 11 Titles (USC, 2002). Title I establishes the
Public Company Accounting Oversight Board. Title II defines auditor
independence. Title III discusses corporate responsibility. Title IV
discusses enhanced financial disclosures. Title V discusses securities
analyst conflicts of interest. Title VI discusses Securities and
Exchange Commission (SEC) resources and authority. Title VII discusses
the studies and reports that must be completed. Title VIII discusses
corporate and criminal fraud accountability. Title IX discusses
white-collar crime penalty enhancements. Title X discusses corporate tax
returns. Title XI discusses corporate fraud and accountability. In this
section, we review each relevant SOA Title to provide background for the
rest of the paper.
The Public Company Accounting Oversight Board
Title I of the SOA creates the Public Company Accounting Oversight
Board (PCAOB). The PCAOB is a new body that will oversee audits of
publicly-held companies. The board is composed of five full-time
independent members, only two of whom can be CPAs. Board members can
serve up to two five-year terms. The PCAOB must submit an audited annual
report to the SEC. Any public accounting firm wishing to audit public
companies must register with the PCAOB. The registered public accounting
firm must submit an annual report to the PCAOB including a list of the
firms they audited in the past year and the fees received by the firm
for audit services, other accounting services, and non-audit services.
Each registered public accounting firm must pay an annual fee to the
board to recover the cost of processing and reviewing applications and
annual reports.
Title I gives the PCAOB authority to establish auditing, quality
control, and ethical standards. The public accounting firms are required
to have audit working papers and a second partner review. They must
describe in the audit report the scope of the auditor's testing of
internal control structure and procedures of the company. The current
audit standards for testing and reporting on internal control (as
contained in Statements on Auditing Standards No. 55, No. 78, and No.
94, AICPA, 2003) still apply under the SOA. The board is required to
conduct inspections of the registered public accounting firms to
determine their compliance with the SOA. The inspection must be annual
if the firm provides audit reports for more than 100 companies. If the
firm provides audit reports for fewer than 100 companies, the inspections
occur every three years. The PCAOB has the right to impose sanctions on
registered firms including suspension or permanent revocation of the
firm's registration. The SOA also applies to foreign public
accounting firms that prepare audit reports for registered companies.
Independence of Auditors
Title II of the SOA deals with auditor independence. SOA reiterates
the long-standing requirement that a public accounting firm cannot
provide an audit client with bookkeeping services and financial
information systems services. The SOA goes on to preclude the provision
of eight specific types of non-audit services, including appraisal and
valuation services, actuarial services, internal audit services,
management functions, human resource consulting services, investment
adviser services (including broker and dealer services), and legal
services. The SOA also gives the PCAOB a catch-all right to prohibit
other services in the future as it deems necessary or appropriate. Many
of these now-prohibited services provided large portions of public
accounting firm revenues in recent years.
The company's audit committee must approve any services
provided by the public accounting firm, including any tax work, as well
as any other services. Any services the audit committee approves and the
audit firm provides must be disclosed to investors.
Title II requires a rotation of audit partners every five years. It
also requires that the auditor report to the audit committee rather than
company management. The auditor must inform the audit committee of the
accounting policies used by the client and must disclose all accounting
treatments discussed with management. The auditor must provide the audit
committee with any other material written communication between the
auditor and any client personnel.
An employee of the audit firm cannot, upon leaving the firm, accept
a position with a client firm in the capacity of chief executive
officer, controller, chief financial officer, chief accounting officer,
or any other similar position within 12 months of ending employment with
the audit firm.
Corporate Responsibility and the Role of the Audit Committee
The SOA's Title III gives the audit committee full and
unencumbered responsibility for the appointment, compensation, and
oversight of the work of the audit firm. The members of the audit
committee must be independent of the company. They cannot be employees
or otherwise accept any consulting, advisory, or other compensatory fee
from the company.
Title III requires the audit committee to establish procedures for
the receipt and treatment of complaints received by the company
regarding accounting, internal controls, or auditing matters. There
needs to be a confidential and anonymous process within the company for
submitting issues, concerns, and information to the audit committee.
The chief executive officer and chief financial officer must sign the
SEC reports indicating that they have reviewed the report. These
officers must certify that, based on the officer's knowledge, the
report does not contain any untrue statement of a material fact and does
not omit the statement of any material fact. The signing officers are
responsible for establishing and maintaining internal controls and for
reviewing the controls' effectiveness within 90 days of the date of
the SEC report. The signing officers must report all significant
deficiencies in internal control to the audit firm and to the audit
committee and must report any fraud, whether or not the amount is
material, that involves management or other employees who play a
significant role in the design, operation, or evaluation of the
company's internal controls.
This section also includes the specification of responsibilities
for attorneys. One rule in this section requires attorneys to report
evidence of any material violation of securities law or breach of
fiduciary duty by the company or its agents to the chief legal counsel
or the chief executive officer of the company. If the chief legal
counsel or chief executive officer does not respond appropriately, the
attorney must then report the evidence directly to the audit committee.
Financial Disclosures
The SOA's Title IV requires disclosure of all off-balance
sheet transactions and obligations, including contingent obligations,
that might have a material current or future effect on financial
condition. Title IV requires that the company monitor and review the
amount of off-balance sheet transactions and the use of any special
purpose entities. Pro forma information must be reconciled with
generally accepted accounting principles and must not contain an untrue
statement of material fact. Many types of executive loans, which have
been prevalent in recent years, are curtailed under provisions of Title
IV. The SOA requires that companies have a code of ethics for senior
financial officers.
The financial disclosure provisions also contain a requirement that
the annual report include a report on internal control. The report must
state that internal control is the responsibility of management and must
contain an assessment of the effectiveness of the internal control
structure and procedures. The auditors must attest to, and report on,
management's assessment. This does not mitigate the directors'
role, however. The company must disclose whether or not at least one
member of the audit committee is a financial expert. If no member is
a financial expert, the company must explain the reason.
Conflicts of Interest of Securities Analysts
Title V of the SOA provides that rules must be enacted where
appropriate to address conflicts of interest that can arise when
securities analysts recommend equity securities in research reports and
public appearances. The goal of this SOA section is to improve the
objectivity of investment research and provide investors with more
reliable information.
Commission Resources and Authority
Title VI of the SOA discusses a need for increased resources for
the SEC to carry out its duties. Many observers have been critical of
the government's unwillingness to devote sufficient resources to
SEC enforcement units. As the scandals that led to the SOA were
unfolding, the SEC claimed it was understaffed. Since the SOA was
enacted, significant increases in SEC enforcement budgets have not been
forthcoming.
Studies and Reports
Title VII calls for a number of research studies to be conducted.
One study would include research regarding the factors that led to the
consolidation of public accounting. This consolidation has reduced the
number of different and distinct firms capable of providing auditing
services to large publicly-held companies. Another study is required
that will investigate the role and function of credit rating agencies in
the operation of the securities market. The SEC will conduct a study on
the number of securities professionals who have been found to have aided
and abetted a violation of Federal securities laws. The SEC will review
and analyze each of its enforcement actions that involve violations of
reporting requirements imposed under the securities laws and
restatements of financial statements. The Comptroller General of the
United States will conduct a study on whether investment banks and
financial advisers helped companies manipulate their earnings with a
goal of hiding the companies' true financial conditions.
Criminal Fraud and White Collar Crime Penalties
Titles VIII, IX, and XI include new definitions of criminal acts
and provide a variety of new penalties and some increased penalties for
existing crimes. Title VIII of the SOA provides penalties for
destruction, alteration, or falsification of records in federal
investigations and bankruptcy proceedings. It also prohibits and
provides penalties for destruction of corporate audit records. This
section calls for a review of Federal sentencing guidelines for
obstruction of justice and criminal fraud convictions. It also provides
whistleblower protection for employees of publicly traded companies.
Specific enhanced criminal penalties are imposed for the act of
defrauding the shareholders of publicly traded companies. Title IX
increases the penalties for white-collar crime including fines and
prison sentences.
Title XI provides new penalties for tampering with a record or
impeding an official proceeding. It also increases the authority of the
SEC to prohibit persons from serving as officers or directors. It
provides specific fines and imprisonment terms for persons or
organizations engaged in retaliation against informants.
Corporate Tax Returns
Title X states the opinion of the Senate that it would like to
require that corporate federal income tax returns be signed by the chief
executive officer of the filing entity. This is an additional indicator
of the degree of responsibility viewed by the drafters of the SOA to be
a necessary condition in the person of the chief executive officer. The
SOA includes several signing requirements that many critics believe to
be ceremonial and unsubstantial. However, many other observers note that
a signed document is far more difficult to deny and that the signature
requirements could lessen the weight of a defense based on the chief
executive officer not knowing what was happening in the company.
ROLE OF THE ACCOUNTING INDUSTRY IN SOA COMPLIANCE
The accounting industry has reacted rapidly to the passage of the
SOA (AICPA, 2002a; AICPA, 2002b; AICPA, 2002c). Its reactions have been
largely defensive. Many observers believe the accounting industry is at
least partially responsible for not detecting many of the recent frauds
and accounting irregularities (Rezaee, 2003; Velayutham, 2003). Indeed,
it is interesting to note that since 2002, when many news stories began
reporting on these frauds and accounting failures, the news media has
referred to "the accounting industry." In earlier years, the
business was typically referred to as "the accounting
profession." When the SOA was passed many accountants saw it as a
combination of things. They saw it as an opportunity to repair their
tarnished reputation, a chance for real reform, and even a way to
replace lost consulting revenues with a new (and perfectly legal under
the SOA) revenue stream: consulting services designed to help companies
comply with the SOA (Munter, 2003). Needless to say, some accounting
industry critics found this turn of events ironic.
Recent History of the Industry
The recent history of the accounting industry is interesting. As
the market for audit services became increasingly competitive in the
1980s, firms attempted to contain costs and defend against litigation from users of financial statements that the firms had audited. To do
this, accounting firms have increasingly lobbied for precise, mechanical
accounting rules and have implemented standardized operating procedures.
The goal was to reduce variability in the performance of audit work.
Variations in audit work were perceived as costly and as opening the
door for zealous plaintiffs to confuse juries and judges about the
quality of the audit work performed (Healy, 2003). Because these
heavily-lobbied regulators were pressed to create rules and legislation
that would cover, specifically, all contingencies, accounting and audit
standards have become incredibly detailed. Healy (2003) notes that the
2,300 pages of Financial Accounting Standards Board (FASB) standards
that existed in 1985 had increased to 4,000 pages in 2002. This reliance
on detailed rules and regulations has, as the Enron case illustrated so
spectacularly (Schwartz, 2001), encouraged companies to enter business
arrangements that satisfy the terms of the detailed rules, but that
completely circumvent the intent of those rules.
A Trend Toward Standardization
Healy (2003) notes that a major problem with a standardized,
rule-based auditing approach is that it gives audit firms a way to avoid
judgment of the overall compliance of an auditee's financial
statements with generally accepted accounting principles. In effect, the
pre-1980s auditor would subject the financial disclosures to an overall
"smell test." If the detailed rules were followed, but the
overall presentation was misleading, a company in the old days could
count on a hard face-to-face meeting with the audit partner (Zeff, 2003).
Healy (2003) notes that Arthur Andersen, in its audit of Enron's
special purpose entities, determined that the company had satisfied all
of the detailed rules for off-balance-sheet financing, but did not
report to Enron's investors that the financial statements did not
represent its true financial position. These entities met the
requirements of the detailed rules, but flouted the overall spirit of
"fair presentation."
Decline in Quality of Inputs
In public accounting, a firm is only as good as the professional
staff that work for the firm (Zeff, 2003). Partners in the 1960s used to
describe their business as buying people by the year and renting them
out by the hour. The inputs in the accounting business are the people in
the business, particularly the new hires who perform most of the on-site
audit work at client locations. Healy (2003) noted that the end of
accounting as a "profession" probably occurred because the
industry was no longer able to attract the best and brightest students
graduating from college. Since the 1980s, fewer graduates with
accounting majors have entered public accounting. The effect is
particularly marked at top business schools. Healy (2003) reports that
only three percent of Wharton's accounting graduates entered public
accounting in 2002.
Need to Please Clients
Since the 1980s, audits have been viewed increasingly as a
commodity service. One audit firm is as good as another, and no client
really cares if they received a quality audit as long as they received
the auditor's unqualified opinion (Zeff, 2003). This perception of
audit services as a commodity led to severe price competition (Healy,
2003). Accounting firms responded by offering a variety of consulting
services. These services had higher margins than audit work and could be
sold to audit clients. As clients provided more and more consulting
revenues to their audit firms, the objectivity and independence of
auditors came into question (Briloff, 1987; Stevens, 1991).
By the beginning of the 1980s, the large accounting firms had all
concluded that profit margins on audits would be painfully thin,
particularly relative to those on other financial services (Stevens,
1991). Their response was to diversify into other businesses--notably
consulting (Zeff, 2003). Since audit quality did not matter to clients,
auditors became more and more desperate to curry clients' favor by
maintaining friendly relationships with client accounting managers and
top executives so that the firm could bid on more and more lucrative
consulting work with the client. Client retention and expansion of
non-audit fee revenue became important parts of accounting firm
employees' compensation arrangements. For partners in the firms, it
was a critical element (Healy, 2003; Zeff, 2003).
Ability of Accounting Firms to Provide SOA Assistance
Clearly, accountants and public accounting firms have the technical
skills to provide help to companies that need assistance in complying
with SOA (Coustan, et al., 2004; Winters, 2004). Lanza (2004) suggests
that a company's internal audit staff might be valuable consultants
for SOA compliance and systems design and development. Indeed, many
current textbooks for the accounting information systems course, which
is required of accounting majors at most universities, include detailed
coverage of internal controls, internal control assessment techniques,
and current applications of information technology to the tasks needed
to comply with SOA (see, for example, Gelinas and Sutton, 2002; Hall,
2004; or Romney and Steinbart, 2002). Despite these arguments for
technical competence, given the decline in the quality of recruits to
accounting firms and the public accounting industry's recent
failure to show itself to be a deserving recipient of companies'
(and the public's) trust, we argue that many of the important
elements required by SOA might be best addressed by using the consulting
expertise of IT professionals.
IT PROFESSIONALS AND THE DEMANDS OF THE SOA
An understanding of internal control demands an understanding of
the underlying accounting and administrative systems of the company
(Hall, 2004). As every business of any size has computerized its
accounting and administrative systems, the people who know these systems
well and who understand their design are increasingly members of the
ranks of IT professionals. In this section, we argue that IT
professionals, both inside the company and in consulting firms outside
the company, can provide valuable services to the company as it attempts
to comply with the internal control standards set by the SOA. Further,
the IT professionals who have gone on to become lawyers practicing in
the area of high technology are especially well-qualified to offer SOA
consulting services because of their unique combination of IT knowledge
and legal training.
Technical Skills and Business Knowledge of IT Professionals
IT professionals have been engaged in the design and implementation
of systems for decades, far longer than accountants have been seriously
involved in these issues (Gelinas and Sutton, 2002). They have a keen
understanding of what it takes to make these systems work. Increasingly,
IT professionals are educated, trained, and respected as business
analysts as well as for their technical knowledge.
Lanza (2004) notes that two of the most important elements of any
SOA compliance program are the proper use of data analysis tools and data
mining software. Data analysis functions include the use of query tools
that allow users to ask questions of the enterprise-wide information
system (Gelinas, 2002). In large organizations such as those subject to
SOA, this system will, in most cases, have been designed and implemented
by the company's IT staff. It will definitely be maintained by IT
staff. The people who know the most about the enterprise-wide
information system will always be IT professionals. Many companies have
undertaken major knowledge management initiatives in recent years
(Angus, 2003; Awad and Ghaziri, 2003). These initiatives have, in most
cases, been designed and implemented by IT professionals. As SOA
requirements become part of the fabric of large companies, they will be
included as part of these companies' knowledge management systems
(Lanza, 2004).
Winters (2004) outlines three questions that an SOA consultant
should be able to help a company answer: (1) is it better to develop a
short term solution or a more sustainable one for the long term, (2)
which software tools are best able to provide complete, effective, and
sustainable compliance, and (3) what other policies, training programs,
and other investments are needed to comply with SOA and maximize the
utilization of the software in the context of the company's
existing information systems. We argue that IT professionals would
provide better advice regarding each of these three questions given the
skill sets and business knowledge generally agreed to reside in IT staff
(Laudon and Laudon, 2004; McLeod and Schell, 2004; Oz, 2004).
Independence of IT Professionals
Although IT professionals employed by the company are not, by
definition, independent, they often operate with considerable latitude.
Because IT professionals have a level of expertise that can be critical
to company operations, they often can derive a level of mystique that
provides a level of independence (Burns and Haga, 1977). External
consultants that offer companies IT advice are likely to be much more
independent than public accounting firms and they are not tarnished by
association with the very evils that prompted the legislation.
CONCLUSION
We have examined the requirements of the SOA and what companies
must do to their accounting and internal control systems to comply with
the law. After considering accountants in the company and external
public accounting firms as likely candidates for the job of advising
companies what they must do to comply with the SOA, we find them lacking
in the key elements of technical expertise, independence, and overall
business knowledge. We argue that IT professionals have higher degrees
of relevant technical expertise and sufficient levels of overall
business knowledge to be very qualified to advise companies on SOA
compliance efforts, especially if their technical knowledge is augmented
by legal training. This legal training is more relevant to some areas of SOA
compliance than others. In the final analysis, IT professionals have a
strong advantage over the accounting industry in this comparison: IT
professionals are not tarred by an association with the frauds,
irregularities, and crimes that motivated the SOA's passage.
Accountants in general, and public accounting firms in particular, cannot
make that claim.
REFERENCES
American Institute of Certified Public Accountants (AICPA) (2002a).
How the Sarbanes-Oxley Act of 2002 impacts the accounting profession,
AICPA Web site. Retrieved August 13, 2003, from
http://www.aicpa.org/info/SarbanesOxley2002.asp
American Institute of Certified Public Accountants (AICPA) (2002b).
Landmark accounting reform legislation signed into law, CPA Letter.
Retrieved August 19, 2003, from
http://www.aicpa.org/pubs/cpaltr/Sept2002/landmark.htm
American Institute of Certified Public Accountants (AICPA) (2002c).
Additional aspects of Sarbanes-Oxley Act explained, CPA Letter.
Retrieved August 20, 2003, from
http://www.aicpa.org/pubs/cpaltr/Oct2002/add.htm
American Institute of Certified Public Accountants (AICPA) (2003).
AICPA Professional Standards. New York: AICPA.
Angus, J. (2003). Rethinking knowledge management. InfoWorld,
25(17), March 17, 32-35.
Awad, E. & H. Ghaziri (2003). Knowledge management. Upper
Saddle River, NJ: Prentice-Hall.
Briloff, A. (1987). Do management services endanger independence
and objectivity? The CPA Journal, 57(8), August, 22-29.
Burns, D. & W. Haga (1977). Much ado about professionalism: A
second look at accounting. Accounting Review, 52(3), July, 705-715.
Coustan, H., L. Leinicke, W. Rexroad & J. Ostrosky (2004).
Sarbanes-Oxley: What it means to the marketplace. Journal of
Accountancy, 197(2), February, 43-47.
Day, K. (2003). SEC sues HealthSouth, CEO over earnings: Former CEO
pleads guilty to fraud, The Washington Post, March 20, E1.
Eichenwald, K. (2002). Andersen guilty in effort to block inquiry
on Enron, The New York Times, June 16, 1.
Gelinas, U. & S. Sutton (2002). Accounting information systems,
(5th ed.) Cincinnati: South-Western.
Hall, J. (2004). Accounting information systems, (4th ed.)
Cincinnati: South-Western.
Hardesty, D. (2004). Practical guide to corporate governance and
accounting: Implementing the requirements of the Sarbanes-Oxley Act.
Boston: Warren, Gorham & Lamont.
Healy, P. (2003). How the quest for efficiency corroded the market,
Harvard Business Review, 81(7), July,
Lanza, R. (2004). Making sense of Sarbanes-Oxley tools, Internal
Auditor, 61(1), February, 45-49.
Laudon, K. & J. Laudon (2004). Management information systems,
(8th ed.) Upper Saddle River, NJ: Prentice-Hall.
McLeod, R. & G. Schell (2004). Management information systems,
(9th ed.). Upper Saddle River, NJ: Prentice-Hall.
Moules, J. & P. Larsen (2003). Reports condemn culture of fraud
at WorldCom, Financial Times, June 10, 1.
Munter, P. (2003). Evaluating internal controls and auditor
independence under Sarbanes-Oxley. Financial Executive, 19(7), October,
26-27.
Oz, E. (2004). Management information systems, (4th ed.) Boston:
Course Technology.
Rezaee, Z. (2003). Restoring public trust in the accounting
profession by developing anti-fraud education, programs, and auditing,
Managerial Auditing Journal, 19(1), 134-148.
Romney, M. & P. Steinbart (2002). Accounting information
systems, (9th ed.) Upper Saddle River, NJ: Prentice-Hall.
Schwartz, N. (2001). Enron fallout: Wide, but not deep, Fortune,
144(13), December 24, 71-72.
Sorkin, A. (2002). Tyco figure pays $22.5 million in guilt plea,
The New York Times, December 18, 1.
Stevens, M. (1991). The big six: The selling out of America's
top accounting firms. New York: Simon & Schuster.
United States Code (2002). Sarbanes-Oxley Act of 2002, Public Law
No. 107-204, codified at 15 U.S.C. §7201.
Velayutham, S. (2003). The accounting profession's code of
ethics: Is it a code of ethics or a code of quality assurance? Critical
Perspectives on Accounting, 14(4), May, 483-503.
Winters, B. (2004). Choose the right tools for internal control
reporting, Journal of Accountancy, 197(2), February, 34-40.
Zeff, S. (2003). How the U.S. accounting profession got where it is
today: Part II, Accounting Horizons, 17(4), December, 267-286.
Gary P. Schneider, University of San Diego
Carol M. Bruton, California State University San Marcos