Sarbanes-Oxley & COSO Internal Controls and the Dodd-Frank Act

An act passed by U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations. TheSarbanes-Oxley Act (SOX) mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud. Source.

What is the Dodd-Frank Wall Street Reform and Consumer Protection Act?

The Dodd-Frank Wall Street Reform and Consumer Protection Act is a massive piece of financial reform legislation passed during the Obama administration in 2010 as a response to the financial crisis of 2008. Named after sponsors Sen. Christopher J. Dodd (D-Conn.) and Rep. Barney Frank (D-Mass.), the act contains numerous provisions, spelled out over roughly 2,300 pages, that were to be implemented over a period of several years.

PEMI^® seeks to gain the benefits of SOX and Dodd-Frank by applying its principles of disclosure, transparency and accountability to the business of private equity mortgages.

What is Sarbanes-Oxley?

According to Investopedia:

The Sarbanes-Oxley Act

SOX mandated a number of reforms relating to increasing corporate responsibility, more transparent financial disclosures, and to protect investors against corporate and accounting fraud. Section 302 of SOX requires that management certify the information contained in financial disclosures. Section 404 requires corporate management and their auditors to maintain internal controls with appropriate reporting methods.

Fraudulent accounting scandals caused large and complex bankruptcies for Enron and Tyco. These scandals put thousands of people out of jobs and cost stockholders billions in share value. (Source)

According to Wikipedia:

The Sarbanes–Oxley Act of 2002 (Pub.L. 107–204, 116 Stat. 745, enacted July 30, 2002), also known as the 'Public Company Accounting Reform and Investor Protection Act' (in the Senate) and 'Corporate and Auditing Accountability and Responsibility Act' (in the House) and more commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law that set new or enhanced standards for all U.S. public companyboards, management and public accounting firms. It was named after sponsors U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH). As a result of SOX, top management must individually certify the accuracy of financial information. In addition, penalties for fraudulent financial activity are much more severe. Also, SOX increased the oversight role of boards of directors and the independence of the outside auditors who review the accuracy of corporate financial statements.^[1] (Source)

Why was Sarbanes-Oxley created?

According to Wikipedia:

The bill was enacted as a reaction to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International,Adelphia, Peregrine Systems, and WorldCom. These scandals cost investors billions of dollars when the share prices of affected companies collapsed and shook public confidence in the US securities markets. (Source)

What is so good about Sarbanes-Oxley?

According to Wikipedia: (Source)

Praise

Former Federal Reserve Chairman Alan Greenspan praised the Sarbanes–Oxley Act in 2005: "I am surprised that the Sarbanes–Oxley Act, so rapidly developed and enacted, has functioned as well as it has...the act importantly reinforced the principle that shareholders own our corporations and that corporate managers should be working on behalf of shareholders to allocate business resources to their optimum use."^[52]

SOX has been praised by a cross-section of financial industry experts, citing improved investor confidence and more accurate, reliable financial statements. The CEO and CFO are now required to unequivocally take ownership for their financial statements under Section 302, which was not the case prior to SOX. Further, auditor conflicts of interest have been addressed, by prohibiting auditors from also having lucrative consulting agreements with the firms they audit under Section 201. SEC Chairman Christopher Cox stated in 2007: "Sarbanes–Oxley helped restore trust in U.S. markets by increasing accountability, speeding up reporting, and making audits more independent."^[53]

The Financial Executives International (FEI) 2007 study and research by the Institute of Internal Auditors (IIA) also indicate SOX has improved investor confidence in financial reporting, a primary objective of the legislation. The IIA study also indicated improvements in board, audit committee, and senior management engagement in financial reporting and improvements in financial controls.^[54][55]

Financial restatements increased significantly in the wake of the SOX legislation, as companies "cleaned up" their books. Glass, Lewis & Co. LLC is a San Francisco-based firm that tracks the volume of do-overs by public companies. Its March 2006 report, "Getting It Wrong the First Time," shows 1,295 restatements of financial earnings in 2005 for companies listed on U.S. securities markets, almost twice the number for 2004. "That's about one restatement for every 12 public companies—up from one for every 23 in 2004," says the report.^[56]

One fraud uncovered by the Securities and Exchange Commission (SEC) in November 2009 ^[57] may be directly credited to Sarbanes-Oxley. The fraud, which spanned nearly 20 years and involved over $24 million, was committed by Value Line (NASDAQ: VALU) against its mutual fund shareholders. The fraud was first reported to the SEC in 2004 by the then Value Line Fund (NASDAQ: VLIFX) portfolio manager and Chief Quantitative Strategist, Mr. John (Jack) R. Dempsey of Easton, Connecticut, who was required to sign a Code of Business Ethics as part of SOX.^[58][59][60] Restitution totaling $34 million was placed in a fair fund and returned to the affected Value Line mutual fund investors.^[61] The Commission ordered Value Line to pay a total of $43,705,765 in disgorgement, prejudgment interest and civil penalty, and ordered Buttner, CEO and Henigson, COO to pay civil penalties of $1,000,000 and $250,000, respectively. The Commission further imposed officer and director bars and broker-dealer, investment adviser, and investment company associational bars (“Associational Bars”) against Buttner and Henigson. No criminal charges were filed.

Sarbanes Oxley Act has been praised for nurturing an ethical culture as it forces top management to be transparent and employees to be responsible for their acts whilst protecting whistleblowers.^[62]

What is the Canadian jurisdiction equivalent?

According to Wikipedia:

The Keeping the Promise for a Strong Economy Act (Budget Measures), 2002, also known as Bill 198, was an Ontario legislative bill effective April 7, 2003,^[1] which provides for regulation of securities issued in the province of Ontario. The legislation encompasses many areas. It is perhaps best known for clauses that provide equivalent legislation to the U.S. Sarbanes-Oxley Act to protect investors by improving the accuracy and reliability of corporate disclosures. Thus, it is also known as the "Canadian Sarbanes-Oxley" Act or C-SOX (see-socks).

According to the Canadian Parliament:

CANADIAN RESPONSE TO THE U.S. SARBANES-OXLEY ACT OF 2002: NEW DIRECTIONS FOR CORPORATE GOVERNANCE

Click here for complete report

What are the major elements of Sarbanes-Oxely?

According to Wikipedia:

Major elements (Source)

1. Public Company Accounting Oversight Board (PCAOB)

1. Auditor Independence

1. Corporate Responsibility

1. Enhanced Financial Disclosures

1. Analyst Conflicts of Interest

1. Commission Resources and Authority

1. Studies and Reports

1. Corporate and Criminal Fraud Accountability

1. White Collar Crime Penalty Enhancement

What are the key provisions of Sarbanes-Oxley?

According to Wikipedia:

Implementation of key provisions (Source)

Sarbanes–Oxley Section 302: Disclosure controls

Under Sarbanes–Oxley, two separate sections came into effect—one civil and the other criminal. 15 U.S.C. § 7241 (Section 302) (civil provision); 18 U.S.C. § 1350 (Section 906) (criminal provision).

Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are "responsible for establishing and maintaining internal controls" and "have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared." 15 U.S.C. § 7241(a)(4). The officers must "have evaluated the effectiveness of the company's internal controls as of a date within 90 days prior to the report" and "have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date." Id..

The SEC interpreted the intention of Sec. 302 in Final Rule 33–8124. In it, the SEC defines the new term "disclosure controls and procedures," which are distinct from "internal controls over financial reporting."^[26] Under both Section 302 and Section 404, Congress directed the SEC to promulgate regulations enforcing these provisions.^[27]

External auditors are required to issue an opinion on whether effective internal control over financial reporting was maintained in all material respects by management. This is in addition to the financial statement opinion regarding the accuracy of the financial statements. The requirement to issue a third opinion regarding management's assessment was removed in 2007.

Sarbanes–Oxley Section 303: Improper Influence on Conduct of Audits

a. Rules To Prohibit. It shall be unlawful, in contravention of such rules or regulations as the Commission shall prescribe as necessary and appropriate in the public interest or for the protection of investors, for any officer or director of an issuer, or any other person acting under the direction thereof, to take any action to fraudulently influence, coerce, manipulate, or mislead any independent public or certified accountant engaged in the performance of an audit of the financial statements of that issuer for the purpose of rendering such financial statements materially misleading.

b. Enforcement. In any civil proceeding, the Commission shall have exclusive authority to enforce this section and any rule or regulation issued under this section.

c. No Preemption of Other Law. The provisions of subsection (a) shall be in addition to, and shall not supersede or preempt, any other provision of law or any rule or regulation issued thereunder.

d. Deadline for Rulemaking. The Commission shall --

1. propose the rules or regulations required by this section, not later than 90 days after the date of enactment of this Act; and 2. issue final rules or regulations required by this section, not later than 270 days after that date of enactment.[2]

Sarbanes–Oxley Section 401: Disclosures in periodic reports (Off-balance sheet items)

The bankruptcy of Enron drew attention to off-balance sheet instruments that were used fraudulently. During 2010, the court examiner's review of the Lehman Brothers bankruptcy also brought these instruments back into focus, as Lehman had used an instrument called "Repo 105" to allegedly move assets and debt off-balance sheet to make its financial position look more favorable to investors. Sarbanes-Oxley required the disclosure of all material off-balance sheet items. It also required an SEC study and report to better understand the extent of usage of such instruments and whether accounting principles adequately addressed these instruments; the SEC report was issued June 15, 2005.^[28][29] Interim guidance was issued in May 2006, which was later finalized.^[30] Critics argued the SEC did not take adequate steps to regulate and monitor this activity.^[31]

Sarbanes–Oxley Section 404: Assessment of internal control: COSO Internal Controls

Two components:

2017 Enterprise Risk Management – Integrated Framework - 2017 Summary

• Why update the 2004 Enterprise Risk Management–Integrated Framework? Read FAQ.
• FAQ:
• Enterprise Risk Management– Integrating with Strategy and Performance
• 10 Key Changes
  • Adopts a structure of components and principles
  • 2. Simplifies the definition of enterprise risk management
  • 3 Emphasizes the relationship between risk and value
  • 4 Emphasizes the relationship between risk and value
  • 5 Examines the role of culture
  • 6 Elevates discussion of strategy - failures in recent times have occurred when a strategy is selected that does not align to the mission, vision and core values of an entity. Further, if that that alignment is established, many organizations still do not understand the implications of a selected strategy on their risk profile.
    • With MQCC: CEO's and Boards can answer the questions, cogently as follows:
      • • The possibility of strategy and business objectives not aligning with mission, vision and values;
      • • The implications from the strategy chosen; and
      • • Risk to executing the strategy.
    • By distinguishing the three potential manifestations of risk impacting strategy, the Updated Document provides for a more detailed analysis and recognition of the role and importance of enterprise risk management. The concepts are examined progressively throughout the document, exploring the considerations for the identification, assessment and management of risk and the impact to strategy for each.
  • 7Enhances the alignment between performance and enterprise risk management
  • 8. Links enterprise risk management into decision-making more explicitly
  • 9. Delineates between enterprise risk management and internal control
  • 10. Refines risk appetite tolerance

Examines the role of culture

2013 Internal Control – Integrated Framework - 2019 Summary

Further information: SOX 404 top-down risk assessment

The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control on financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.^[32]

Under Section 404 of the Act, management is required to produce an "internal control report" as part of each annual Exchange Act report. See 15 U.S.C. § 7262. The report must affirm "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting." 15 U.S.C. § 7262(a). The report must also "contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting." To do this, managers are generally adopting an internal control framework such as that described in Committee of Sponsoring Organizations of the Treadway Commission (COSO).

To help alleviate the high costs of compliance, guidance and practice have continued to evolve. The Public Company Accounting Oversight Board (PCAOB) approved Auditing Standard No. 5 for public accounting firms on July 25, 2007.^[33] This standard superseded Auditing Standard No. 2, the initial guidance provided in 2004. The SEC also released its interpretive guidance ^[34] on June 27, 2007. It is generally consistent with the PCAOB's guidance, but intended to provide guidance for management. Both management and the external auditor are responsible for performing their assessment in the context of a top-down risk assessment, which requires management to base both the scope of its assessment and evidence gathered on risk. This gives management wider discretion in its assessment approach. These two standards together require management to:

• Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks;
• Understand the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise;
• Evaluate company-level (entity-level) controls, which correspond to the components of the COSO framework;
• Perform a fraud risk assessment;
• Evaluate controls designed to prevent or detect fraud, including management override of controls;
  • Evaluate controls over the period-end financial reporting process;
  • Scale the assessment based on the size and complexity of the company;
  • Rely on management's work based on factors such as competency, objectivity, and risk;
  • Conclude on the adequacy of internal control over financial reporting.

SOX 404 compliance costs represent a tax on inefficiency, encouraging companies to centralize and automate their financial reporting systems. This is apparent in the comparative costs of companies with decentralized operations and systems, versus those with centralized, more efficient systems. For example, the 2007 Financial Executives International (FEI) survey indicated average compliance costs for decentralized companies were $1.9 million, while centralized company costs were $1.3 million.^[35] Costs of evaluating manual control procedures are dramatically reduced through automation.

Sarbanes–Oxley 404 and smaller public companies

The cost of complying with SOX 404 impacts smaller companies disproportionately, as there is a significant fixed cost involved in completing the assessment. For example, during 2004 U.S. companies with revenues exceeding $5 billion spent 0.06% of revenue on SOX compliance, while companies with less than $100 million in revenue spent 2.55%.^[36]

This disparity is a focal point of 2007 SEC and U.S. Senate action.^[37] The PCAOB intends to issue further guidance to help companies scale their assessment based on company size and complexity during 2007. The SEC issued their guidance to management in June, 2007.^[34]

After the SEC and PCAOB issued their guidance, the SEC required smaller public companies (non-accelerated filers) with fiscal years ending after December 15, 2007 to document a Management Assessment of their Internal Controls over Financial Reporting (ICFR). Outside auditors of non-accelerated filers however opine or test internal controls under PCAOB (Public Company Accounting Oversight Board) Auditing Standards for years ending after December 15, 2008. Another extension was granted by the SEC for the outside auditor assessment until years ending after December 15, 2009. The reason for the timing disparity was to address the House Committee on Small Business concern that the cost of complying with Section 404 of the Sarbanes–Oxley Act of 2002 was still unknown and could therefore be disproportionately high for smaller publicly held companies.^[38] On October 2, 2009, the SEC granted another extension for the outside auditor assessment until fiscal years ending after June 15, 2010. The SEC stated in their release that the extension was granted so that the SEC's Office of Economic Analysis could complete a study of whether additional guidance provided to company managers and auditors in 2007 was effective in reducing the costs of compliance. They also stated that there will be no further extensions in the future.^[39]

On September 15, 2010 the SEC issued final rule 33-9142 the permanently exempts registrants that are neither accelerated nor large accelerated filers as defined by Rule 12b-2 of the Securities and Exchange Act of 1934 from Section 404(b) internal control audit requirement.^[40]

Sarbanes–Oxley Section 802: Criminal penalties for influencing US Agency investigation/proper administration

Section 802(a) of the SOX, 18 U.S.C. § 1519 states:

Sarbanes–Oxley Section 906: Criminal Penalties for CEO/CFO financial statement certification

§ 1350. Section 906 states: Failure of corporate officers to certify financial reports

(a) Certification of Periodic Financial Reports.— Each periodic report containing financial statements filed by an issuer with the Securities Exchange Commission pursuant to section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m (a) or 78o (d)) shall be accompanied bySection 802(a) of the SOX a written statement by the chief executive officer and chief financial officer (or equivalent thereof) of the issuer.

(b) Content.— The statement required under subsection (a) shall certify that the periodic report containing the financial statements fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of [1] 1934 (15 U.S.C. 78m or 78o (d)) and that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer.

(c) Criminal Penalties.— Whoever— (1) certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $1,000,000 or imprisoned not more than 10 years, or both; or

(2) willfully certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $5,000,000, or imprisoned not more than 20 years, or both. [3]

Sarbanes–Oxley Section 1107: Criminal penalties for retaliation against whistleblowers

Section 1107 of the SOX 18 U.S.C. § 1513(e) states:^[41]

Sarbanes-Oxley for Real Estate Finance (Mortgages)?

Yes, absolutely.

Companies that subscribe to the principles of SOX are leaders in their industry in terms of quality, compliance and audit (accountability). The mortgage industry suffered greatly from the effects of poorly managed companies and poorly designed policies. A rigorous adherence to the best practices of SOX will enable mortgage companies to be the very best that they can be, to the benefit of all their stakeholders.

Internal Control Mechanisms: ISO 9000 Family of International Standards - Sarbanes-Oxley for Real Estate Finance

Internal Controls are the main driver to ensure a successfully accountable management system. Sarbanes-Oxley addresses the matter of internal controls in section: 404. ISO 9000 family of international standards nicely enables an effective internal control programme.

According to William A. Stimson, President of SCI Associates; Mr. Stimson recommends:

"An existing ISO 9000 structure lends itself to integration with a company’s financial system, and quality personnel can provide the expertise to help achieve SOX compliance." (Source)

According to Dexter Hansen:

Integrating Sarbanes-Oxley Act Internal Controls Auditing into an ISO9001:2008 Quality Management System

According to Sandford Liebesman, Ph.D

Where SOX and your QMS Converge

Mitigate SOX Risk With ISO 9001 and 14001

According to Maureen A. McAllister

Leveraging Your ISO 9001 System for Sarbanes Oxley Compliance

Using a QMS Audit to Address Sarbanes-Oxley Compliance

According to Paul Palmes:

Sarbanes-Oxley Act – threat or opportunity for quality professionals?

How the Dodd-Frank Wall Street Reform and Consumer Protection Act Works

The Dodd-Frank Wall Street Reform and Consumer Protection Act has many components. These are some of its key provisions and how they work:

Financial stability

Under Dodd-Frank, the Financial Stability Oversight Council and Orderly Liquidation Authority monitor the financial stability of major financial firms whose failure could have a serious negative impact on the U.S. economy (companies deemed "too big to fail"). The law also provides for liquidations or restructurings via the Orderly Liquidation Fund, established to assist with the dismantling of financial companies that have been placed in receivership and prevent tax dollars from being used to prop up such firms.

The council has the authority to break up banks that are considered so large as to pose a systemic risk; it can also force them to increase their reserve requirements. Similarly, the new Federal Insurance Office was tasked with identifying and monitoring insurance companies considered "too big to fail."

Consumer Financial Protection Bureau

The Consumer Financial Protection Bureau (CFPB), established under Dodd-Frank, was given the job of preventing predatory mortgage lending (reflecting the widespread sentiment that the subprime mortgage market was the underlying cause of the 2008 catastrophe) and make it easier for consumers to understand the terms of a mortgage before agreeing to them. It deters mortgage brokers from earning higher commissions for closing loans with higher fees and/or higher interest rates and requires that mortgage originators not steer potential borrowers to the loan that will result in the highest payment for the originator.

The Dodd-Frank Wall Street Reform and Consumer Protection Act was intended to prevent another financial crisis like the one in 2008.

The CFPB also governs other types of consumer lending, including credit and debit cards, and addresses consumer complaints. It requires lenders, excluding automobile lenders, to disclose information in a form that is easy for consumers to read and understand; an example is the simplified terms now on credit card applications.

The Volcker Rule

Another key component of Dodd-Frank, the Volcker Rule, restricts the ways banks can invest, limiting speculative trading and eliminating proprietary trading. Banks are not allowed to be involved with hedge funds or private equity firms, which are considered too risky. In an effort to minimize possible conflict of interests, financial firms are not allowed to trade proprietarily without sufficient "skin in the game." The Volcker Rule is clearly a push back in the direction of the Glass-Steagall Act of 1933, which first recognized the inherent dangers of financial entities extending commercial and investment banking services at the same time.

The act also contains a provision for regulating derivatives, such as the credit default swaps that were widely blamed for contributing to the 2008 financial crisis. Dodd-Frank set up centralized exchanges for swaps trading to reduce the possibility of counterparty default and also required greater disclosure of swaps trading information to increase transparency in those markets. The Volcker Rule also regulates financial firms' use of derivatives in an attempt to prevent "too big to fail" institutions from taking large risks that might wreak havoc on the broader economy.

SEC Office of Credit Ratings

Because credit rating agencies were accused of contributing to the financial crisis by giving out misleadingly favorable investment ratings, Dodd-Frank established the SEC Office of Credit Ratings. The office is charged with ensuring that agencies provide meaningful and reliable credit ratings of the businesses, municipalities and other entities they evaluate.

Whistleblower program

Dodd-Frank also strengthened and expanded the existing whistleblower program promulgated by the Sarbanes-Oxley Act (SOX). Specifically, it established a mandatory bounty program under which whistleblowers can receive from 10% to 30% of the proceeds from a litigation settlement, broadened the scope of a covered employee by including employees of a company's subsidiaries and affiliates, and extended the statute of limitations under which whistleblowers can bring forward a claim against their employer from 90 to 180 days after a violation is discovered.