Abstract
Accounting is shaped by economic and political forces. It follows that increased worldwide integration of both markets and politics makes increased integration of financial reporting standards and practice almost inevitable. But most market and political forces will remain local for the foreseeable future, so it is unclear how much convergence in actual financial reporting practice will occur. Furthermore, there is little settled theory or evidence on which to build an assessment of the advantages and disadvantages of uniform accounting rules within a country, let alone internationally. The pros and cons of IFRS therefore are somewhat conjectural, the unbridled enthusiasm of allegedly altruistic proponents notwithstanding. On the “pro” side of the ledger, I conclude that extraordinary success has been achieved in developing a comprehensive set of “high quality” IFRS standards, in persuading almost 100 countries to adopt them, and in obtaining convergence in standards with important non-adopters. A deeper concern is that there inevitably will be substantial differences among countries in implementation of IFRS, which now risk being concealed by a veneer of uniformity. The notion that uniform standards alone will produce uniform financial reporting seems naive. In addition, I express several longer-run concerns.

The Sarbanes-Oxley Act of 2002 (SOX) is the public company accounting reform and investor protection act signed into law on July 30, 2002 in response to the involvement of a number of Fortune 500 companies in corporate and accounting scandals. These widely publicized corporate debacles, including those affecting Enron, WorldCom and Tyco, cost investors billions of dollars when the share prices of the affected companies collapsed. In effect, investor confidence in the securities markets hit rock bottom. The purpose of SOX was to empower the Securities and Exchange Commission (SEC) of the U.S. so that it could oversee corporate governance of public organizations in hopes of restoring investor confidence. President Bush reflected the impact of this act, stating that no law of such significance to businesses had been signed since the presidency of Franklin D. Roosevelt. The SOX Act of 2002 was named after its main architects, Senator Paul Sarbanes and Representative Michael Oxley. SOX establishes a number of compliance rules for financial practice and corporate governance.
Accounting Scandal & Sarbanes Oxley act of 2002
Accounting Scandals
Several big firms have come under scrutiny recently for questionable accounting practices. Some of the world’s biggest accounting scandals are summarized below.
Enron
In just 15 years, Enron grew to be America's seventh largest company, employing 21,000 staff in more than 40 countries.
It started out as a pipeline company and transformed itself into an energy trader, buying and selling power. Among other businesses, Enron was engaged in the purchase
and sale of natural gas, construction and ownership of pipelines and power facilities,
provision of telecommunications services, and trading in contracts to buy and sell various
commodities. It expanded into many diverse industries for which it had no unifying
strategies and no expertise.
Fortune magazine named it the most innovative company in America six years in a row,
not spotting that much of the innovation was sleight-of-hand accounting that amounted to
fraud. Enron lied about its profits and used off-the-books partnerships to conceal $1
billion in debt and to inflate profits.
Earnings Manipulation
From at least 1998 through late 2001, Enron's executives and senior managers engaged in wide-ranging schemes to deceive the investing public about the true nature and profitability of Enron's businesses by manipulating Enron's publicly reported financial results and making false and misleading public representations.
The scheme's objectives were:
• To meet or exceed, without fail, the expectations of investment analysts about Enron's
EPS.
• To persuade the investing public that Enron's future profitability would continue to
grow.
To achieve these objectives, quarterly earnings targets were imposed on each of the company's business units based on EPS goals rather than true forecasts. When the budget targets could not be met through results from business operations, they were achieved through the use of fraudulent devices. The primary purpose was to increase the share price, which rose from $30 per share in 1998 to $80 in 2001, even after a stock split.
The rising stock prices enriched Enron’s senior managers in the form of salary, bonuses,
grants of artificially appreciating stock options, restricted stock, and phantom stock, and
prestige within their professions and communities.
Other methods used were:
⇒ manipulating reserve accounts to maintain the appearance of continual earnings
growth and to mask volatility in earnings by concealing earnings during highly
profitable periods and releasing them for use during less profitable periods;
⇒ concealing losses in individual "business segments" through fraudulent manipulation
of "segment reporting," and deceptive use of reserved earnings to cover losses in one
segment with earnings in another;
⇒ manufacturing earnings through fraudulent inflation of asset values and avoiding
losses through the use of fraudulent devices designed to "hedge," or lock-in, inflated
asset values; and
⇒ structuring financial transactions using improper accounting techniques in order to achieve earnings objectives.
During 2000, Enron's wholesale energy trading business, primarily its Enron North America (ENA) business, generated larger profits, mostly due to rapidly rising energy prices in the western United States, especially in California. This growth far exceeded the smooth, predictable annual earnings growth of 15 to 20 percent that Enron had led analysts to expect. Beginning in the first quarter of 2000 and continuing throughout 2000 and 2001, Enron improperly reserved hundreds of millions of dollars of earnings, and used large amounts of those reserves to cover up losses in ENA's "merchant" asset portfolio and from other business units such as Enron Energy Services (EES). This misuse of reserves was discussed and approved among Enron's and ENA's senior commercial and accounting managers.
Enron's ENA business unit managed a large "merchant" asset portfolio, which consisted
primarily of ownership stakes in a group of energy and related companies that Enron
recorded on its quarterly financial statements at what it alleged to be "fair value." Senior
Enron and ENA commercial and accounting managers frequently generated earnings
needed to meet budget targets by artificially increasing the book value of certain of
these assets, many of which were volatile or poorly performing. Likewise, to avoid
recording losses on these assets, Enron's management fraudulently locked-in these assets'
value in improper "hedging" structures.
ENA's largest merchant asset was an oil and gas exploration company known as
Mariner Energy ("Mariner"), which Enron was required to book at "fair value" every
quarter. During the fourth quarter of 2000, there was a shortfall of approximately $200
million in Enron's quarterly earnings objectives. Senior Enron and ENA managers
decided to increase artificially the value of the Mariner asset by approximately $100
million in order to close half of this gap.
In the third quarter of 2000, other ENA "merchant" assets were similarly manipulated in value before being inserted into an elaborate hedging mechanism known as the "Raptors." Senior Enron managers told ENA managers that Enron had constructed a device that would allow ENA to lock in approximately $400 million in book value of its assets, thereby protecting them from later write-downs.
Enron fraudulently employed other devices to manipulate the financial results of Enron Wholesale and its predecessor, Enron Capital & Trade Resources (ECT). For example, ECT entered into a large contract in 1997 to supply energy to the Tennessee Valley Authority ("TVA") that resulted in an immediate "mark-to-market" earnings gain to Enron of approximately $50 million. But in mid-1998, when energy prices in the region in which the TVA was located sharply increased, Enron's unhedged position in the TVA contract fell to a loss in the hundreds of millions of dollars, which would have eliminated ECT's earnings at the end of the then-current reporting period. To avoid this, Enron's managers removed the TVA contract from Enron's "mark-to-market" accounting books by instead applying accrual accounting to the contract. Enron then did not disclose the loss.
Senior Enron and ECT managers devised a plan to avoid later disclosure of most of the loss from TVA by investing hundreds of millions of dollars in the purchase of power-plant turbines and the construction of "peaker" power plants that Enron otherwise would not have purchased. This mechanism ultimately resulted, in a later reporting period, in a recorded loss to Enron from the TVA contract that was hundreds of millions of dollars less than the actual loss incurred in 1998. Enron did not reveal this.
During 1999, Enron attempted unsuccessfully to shed this costly investment in turbines and "peaker" plants. Unable to sell the assets at a profit sufficient to satisfy budget targets, Enron devised and executed a scheme to manufacture current earnings by entering into back-to-back trades with Merrill Lynch & Co., Inc. to sell and then repurchase energy generated by Enron's "peaker" plants. These trades with Merrill Lynch, which virtually mirrored each other, ensured that ENA satisfied budget targets for the fourth quarter of 1999.
Apart from this, many of Enron’s senior managers were charged with insider trading and
indicted. Enron was also accused of creating phantom shortages in California’s
unregulated electricity market to fleece ratepayers of an estimated $30 billion during the
2001 energy crisis.
Outcome
Enron filed for Chapter 11 bankruptcy, allowing it to reorganize while protected from
creditors.
Enron has sought to salvage its business by spinning off various assets.
Enron’s core business, the energy trading arm, has been tied up in a complex deal with
UBS Warburg. The bank has not paid for the trading unit, but will share some of the
profits with Enron.
Centrica, part of the former British Gas, bought Enron's European retail arm for £96.4m.
Summary
Charges: Boosted profits and hid debts totaling over $1 billion by improperly using off-the-books partnerships; manipulated the Texas power market; bribed foreign governments to win contracts abroad; manipulated the California energy market.
Latest Developments: Ex-Enron executive Michael Kopper pled guilty to two felony
charges; acting CEO Stephen Cooper said Enron may face $100 billion in claims and
liabilities; company filed Chapter 11; its auditor Andersen was convicted of obstruction
of justice for destroying Enron documents.
Adelphia
Starting in 2001, the U.S. economy experienced a period of economic instability somewhat reminiscent of the 1930s. What was similar was not the depth of the recession, but the level of corporate misconduct, failure of checks and balances, and total loss of investor confidence (Nussbaum, 2002). How did this happen? The common element found in both time periods was the conflict of interest that benefited insiders (Kuttner, 2002). In contrast to the Chicago School of economic theory, which espouses the benefits of a deregulated economy, market forces were unable to detect or discipline the self-dealing and opportunism that proved irresistible during the high-growth years of the 1990s. Despite President George W. Bush’s assertion that some corrupt individuals failed the system, the argument can be made that it was the unchecked system of deregulation that failed (“Let the Reforms Begin,” 2002). The telecommunications industry in particular experienced a state of economic turmoil. Investors lost some $2 trillion as stock prices fell more than 95% from their previous highs. Since 2001, more than half a million workers lost their jobs in what was once regarded as the strongest sector of the US economy. Dozens of debt-ridden companies ranging from Winstar to Global Crossing have filed for bankruptcy. Starting in early 2002, long distance carrier WorldCom was targeted by US regulators and law enforcement officials after the disclosure that the company had improperly overstated its earnings by $3.8 billion in 2001 and the first quarter of 2002 (now estimated at $11 billion). It was the largest accounting fraud ever committed by a US publicly traded company. WorldCom subsequently filed for bankruptcy (“WorldCom Plans Bankruptcy Filing,” 2002). In January 2003, the media, news and entertainment industry experienced an unprecedented level of instability when transnational media giant AOL Time Warner posted a $99 billion loss for the previous year, considered to be the largest financial loss in US corporate history.
WorldCom
WorldCom was one of the big success stories of the 1990s and a symbol of aggressive capitalism. It was founded by Bernie Ebbers, one of the most aggressive acquirers during the US mergers and acquisitions boom of the 1990s. WorldCom's asset value had soared to $180bn before the US capital market started to turn down.

WorldCom admitted in March 2002 that it would have to restate its financial results to account for billions of dollars in improper bookkeeping after an internal audit showed that transfers of about $3.06 billion for 2001 and $797 million for the first quarter of 2002 were not made in accordance with generally accepted accounting principles. As a result of the discovery, WorldCom said that its financial statements for the year 2000 would have to be reissued.

The company also said it might now write off $50.6bn in intangible assets. Former chief financial officer Scott Sullivan and ex-controller David Myers were arrested and face seven counts of securities fraud and filing false statements with the SEC.

The company filed for Chapter 11 bankruptcy protection on 22 July 2002, a process that protects it from its creditors while it tries to restructure. It became the largest bankruptcy in US history, listing $107bn in total assets and $41bn in debts.

In May 2003, WorldCom agreed to pay a record amount to the US financial watchdog. MCI (formerly WorldCom), while neither admitting nor denying any wrongdoing, came to a settlement over its massive accounting scandal. It will pay $500m to the Securities and Exchange Commission, the highest fine ever imposed by the regulator. The original figure of $1.5bn was scaled down because MCI had declared itself bankrupt and so received favorable treatment.

The settlement resolves the civil lawsuits that have been filed, but the criminal cases, relating primarily to the actions of former employees of the company, are still pending.
Summary
When scandal was discovered: March 2002
Charges: Overstated cash flow by booking $3.8 billion in operating expenses as capital expenses. The company later found another $3.3 billion in improperly booked funds, taking the total misstatement to $7.2 billion, and it may have to take a goodwill charge of $50 billion.
Outcome: Former CFO Scott Sullivan and ex-controller David Myers have been arrested and criminally charged, while rumors of Bernie Ebbers' impending indictment persist. On 9 March 2005, four foreign banks agreed to pay $428.4m to settle the class action lawsuit by investors accusing them of hiding risks at WorldCom before its collapse.
Tyco
Allegations: Ex-CEO L. Dennis Kozlowski indicted for tax evasion. SEC investigating
whether the company was aware of his actions, possible improper use of company funds
and related-party transactions, as well as improper merger accounting practices
Latest Developments: The company said it would not certify its financial results until after an internal investigation is completed. The Bermuda-based company is not required to meet the SEC's Aug. 14 deadline. Investors looking to unseat all board members who served under Kozlowski may launch a proxy fight to do so.
Company Comment: The Company is conducting an internal investigation and we
cannot comment on its specifics, but we will file an 8-K on the initial results around Sept.
15.
The Sarbanes-Oxley Act never mentions the words database or data; however, DBAs must ensure their databases are in compliance with Sarbanes-Oxley. Sarbanes-Oxley
Section 404 simply states that management has the responsibility “for establishing and
maintaining an adequate internal control structure and procedures for financial
reporting.” How does this sentence relate to a database being compliant with Sarbanes-
Oxley? Well, directly it doesn’t. But since the Oracle Applications database contains data
related to financial reporting and manipulation of this data “could adversely affect the
[company’s] ability to record, process, summarize, and report financial data”, the Oracle
Applications database must be compliant with the requirements of Sarbanes-Oxley for
effective internal controls as stated in Sections 302 and 404 of the Act. The most
frustrating aspect for DBAs is that there are no definitive requirements, checklists, or
guidelines on how an Oracle Applications implementation must comply with Sarbanes-
Oxley. From Section 404, the phrase “an adequate internal control structure and
procedures for financial reporting” must be interpreted and extended to the database.
Unfortunately, it is not clear who should provide this interpretation: external auditors,
internal auditors, management, IT, etc. In most cases, the external audit firm provides
“their” version of requirements in the form of a Sarbanes-Oxley assessment and findings.
Often this assessment is performed by audit generalists who do not have experience with
Oracle Applications, but instead understand financial controls and business processes.
These findings are then forced on the DBA to remediate, usually in a short timeframe
with little understanding or direction on what is truly required.
What is Sarbanes-Oxley?
The Sarbanes-Oxley Act of 2002 (SOX) provides for a new set of corporate governance
rules and regulations for public companies. Two sections, (1) Section 302 “Corporate Responsibility for Financial Reports” and (2) Section 404 “Management Assessment of Internal Controls”, specifically address internal controls over financial reporting. The
Sarbanes-Oxley Act is high-level and only addresses such requirements as corporate
officers “are responsible for establishing and maintaining internal controls” and are
required to periodically assess and report on the effectiveness of such internal controls.
There are no details on what are effective internal controls and to what extent internal
controls are required for “financial reporting”. The Securities and Exchange Commission
(SEC) and the Public Company Accounting Oversight Board (PCAOB) are required by
the Act to develop the final rules regarding compliance for the establishment,
maintenance, and assessment of internal controls over “financial reporting”.
Section 302 requires the Chief Executive Officer and Chief Financial Officer on a
quarterly or annual basis to have “designed internal controls” over financial reporting,
“evaluated the effectiveness” of internal controls, and reported to the Audit Committee
and external auditors “all significant deficiencies in the design or operation of internal
controls which could adversely affect the ability to record, process, summarize, and
report financial data and have identified for the [external] auditors any material
weaknesses in the internal controls” and to report “any fraud”.
Section 404 requires a corporation’s annual report to contain an internal control report
that states “the responsibility of management for establishing and maintaining an
adequate internal control structure and procedures for financial reporting” and that
management has performed “an assessment of the effectiveness of the internal control
structure and procedures for financial reporting.” In addition, the external auditor must
independently assess the corporation’s internal control report.
So after looking at the Sarbanes-Oxley Act, you have only learned that “internal controls”
are required for “financial reporting” and that the “internal controls” must be assessed on
an annual basis. The SEC and PCAOB are responsible for implementing the actual rules.
The SEC final rules require corporations to use a recognized internal control framework and specifically reference the Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control framework. We are finally getting somewhere – a framework, and usually frameworks are good things.
The PCAOB, as part of its rule making process, released “Auditing Standard No. 2”, which emphasizes the importance of IT controls but does not provide any details on what IT
controls are required. The PCAOB auditing standards look for each corporation to
develop IT controls that support their internal control program.
Both the PCAOB auditing standards and COSO suggest, in a roundabout way, the use of
an IT control framework. The most widely recognized IT control framework is the
Information Systems Audit and Control Association (ISACA) framework Control
Objectives for Information and related Technology (COBIT). Many corporations have
adopted COBIT as their standard IT control framework, especially related to SOX
compliance. To assist companies, the ISACA has developed a whitepaper “IT Control
Objectives for Sarbanes-Oxley”, which maps COBIT to Sarbanes-Oxley compliance.
COBIT is a framework for IT governance for the entire organization and provides high-level control objectives for applications and infrastructure, but the control objectives are not at a level that can be immediately implemented by a DBA or system administrator. The control objectives describe the high-level characteristics that an implemented internal control should have, but do not provide any level of detail. An example of a COBIT control objective is –
Identity Management
All users (internal, external and temporary) and their activity on IT systems (business
application, system operation, development and maintenance) should be uniquely
identifiable. User access rights to systems and data should be in line with defined and
documented business needs and job requirements. User access rights are requested by
user management, approved by system owner and implemented by the security-
responsible person. User identities and access rights are maintained in a central
repository. Cost-effective technical and procedural measures are deployed and kept
current to establish user identification, implement authentication and enforce access
rights.
Other sources of guidelines and best practices for IT controls are ISO 17799 (security
related) and the Information Technology Infrastructure Library (ITIL). Both provide
varying levels of detail, but still are too high-level for immediate use by the DBA.
Sarbanes-Oxley Compliance
As you can see, there is no single point of reference or comprehensive guidelines for
SOX compliance. The definition of SOX compliance is defined by the corporation
referencing a set of internal controls frameworks. It is important to understand the
foundation for the SOX compliance requirements, since these requirements may differ
from organization to organization. Some companies may choose to implement only
COSO and not an IT controls framework such as COBIT, while other companies may
choose to use multiple control frameworks. Essentially, because every business assesses
risks differently, the controls each business requires will be different.
While understanding the principles and requirements for SOX compliance for the
corporation helps, it does not answer the questions of what must be done to the database,
applications servers, applications, and operations to achieve SOX compliance.
There are really two groups of people who look at SOX compliance – (1) corporate
officers who must attest to the corporation’s internal controls and (2) external auditors
that assess the effectiveness of such internal controls. Corporate officers rely on internal
audit and SOX compliance teams to catalog and assess the corporation’s internal
controls.
For external auditors, the PCAOB standards require auditors to understand the flow of transactions (how transactions are initiated, authorized, recorded, processed, and reported), which may involve IT systems and applications.
The first and foremost concept when thinking about SOX is that SOX is primarily focused on write events, not read events. SOX is most concerned with any and all changes to the financial data and to the processing of the financial data. The processing of financial data includes the programs, reports, and configuration settings that may affect how the data is processed or reported. Processing includes the actual manipulation of the data, such as GL posting, but also includes changes to the programs and reports.
Think about every way that financial data may be inserted, updated, and deleted in Oracle Applications. Now add all the programs, interfaces, reports, and configuration settings that affect how the data is processed and reported. The scope can be staggering in terms of the number of ways and methods by which data is changed in Oracle Applications; even the simplest use of the APPS account must now be scrutinized.
Even though SOX compliance may not be focused on read events, unauthorized querying or viewing of Oracle Applications data may be an issue in terms of HIPAA, GLBA, US and European privacy laws, and SEC rules. Also, a strong argument can be made that SOX compliance includes read events, since fraud and other financial manipulation may only require knowledge of bank account numbers or of financial results prior to public release. This argument can be countered with the following: (1) a strong set of internal controls for write events will probably prevent or detect most unauthorized inquiry or query access to the data, (2) the risk to the corporation from write events probably far exceeds the limited risk of such unauthorized query access, and (3) unauthorized query access probably will not result in a material weakness in the audit report.
The foundation of SOX compliance is risk. Internal controls are about controlling and reducing risk. Unfortunately, the way a DBA views risk is much different from how management or an external auditor views it. For a DBA, risk is about having backups, being able to recover from disk failures, potential performance issues with a developer's SQL statement, and the possible impact of the latest Oracle patch. For management and external auditors, risk is viewed in terms of cost/benefit and fraud.
SOX compliance should be done in the context of an enterprise-wide SOX initiative or as part of an IT project. However, these initiatives and projects are either documentation-driven exercises or do not drive to the level of detail required for most Oracle Applications implementations. Since Oracle Applications is often the financial system of record, the auditors (both internal and external) will focus on this application. Because external auditors are required to examine the flow of key transactions through the organization and its IT systems, the financial system that processes those transactions will most likely come under close scrutiny. Thus, the DBA often is required to meet a higher standard of SOX compliance than the rest of the IT department.
Approved manual policy and procedure must be documented for the password requirements for these database accounts and for the periodic changing of the passwords. Due to weaknesses in the Oracle database password algorithm, it is strongly recommended that the minimum password length for these database accounts be 9 and that the passwords be changed every 90 days or when the database is cloned to development and test environments (a clone carries the production password hashes with it).
• Essential for effective control and segregation of duties is the use of named and unique accounts for all users.
• All application accounts must adhere to the enterprise security policy for passwords (length, complexity, failure lock-out, etc.). Strict adherence to the enterprise password policy may require a custom password validation routine (the Signon Password Custom profile option).
• The new user account creation policy and procedure should require new accounts to be created with a unique password and require the password to be changed upon first login.
• Developers and other support staff should have no access to production to register programs, change profile option values, etc.
APPS Account
• The APPS account and all other Oracle Applications database accounts should be limited only to the DBA group or a subset of the DBA group.
• All DBAs and support staff should have individual database accounts with no write access to the database when performing daily support and troubleshooting activities.
• A change control ticket should be required for any usage of the APPS or other Oracle Applications database accounts.
• Consider creating an “APPSIF” database account with insert, update, and delete privileges only on the Oracle Applications and custom interface tables that may need to be directly updated. A change control ticket should be required for any access to this database account. A database logon trigger can be used to automatically enable a trace of the session.
Database Passwords
• All database accounts should require periodic password changes and conformance to the enterprise password policy.
o All other database accounts should have database password profiles enabled with a custom password verification function to enforce the enterprise password policy.
• All access to the standard Oracle operating system accounts oracle and applmgr should be controlled and the appropriate logs maintained to identify the individual accessing these shared accounts. It is not practical or feasible within Oracle Applications to require individual administrators to use only named UNIX accounts.
• All access to interface accounts should be controlled and the appropriate logs maintained and monitored to ensure that only authorized processes and users are transmitting interface files.
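The account and password controls above can be enforced inside the Oracle database itself. The following is an added example written for this page; it is not code from the original paper or from Oracle's shipped scripts. It shows a custom password verification function that enforces the 9-character minimum, a profile that rotates passwords every 90 days and locks accounts after repeated failures, a restricted APPSIF interface account, and a logon trigger that traces every APPSIF session. The profile, function, trigger and account names, the placeholder password, and the grant on GL.GL_INTERFACE are assumptions for illustration; the statements themselves (CREATE PROFILE with PASSWORD_VERIFY_FUNCTION, AFTER LOGON ON DATABASE triggers) are standard Oracle syntax.

```sql
-- Added example, not from the original paper: enforce the password and
-- interface-account controls inside the Oracle database. Run as SYS (SYSDBA).
-- Assumed names: profile APPS_DB_ACCOUNTS, function SYS.SOX_VERIFY_FUNCTION,
-- account APPSIF, trigger SYS.APPSIF_TRACE_TRG.

-- 1. Password verification function. Oracle requires it to be owned by SYS.
--    REGEXP_LIKE needs 10g or later; on 9i use INSTR loops as in utlpwdmg.sql.
CREATE OR REPLACE FUNCTION sys.sox_verify_function (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2)
RETURN BOOLEAN
IS
BEGIN
    -- Minimum length 9, because the pre-11g password hash is cheap to brute force.
    IF LENGTH(password) < 9 THEN
        raise_application_error(-20001, 'Password must be at least 9 characters');
    END IF;
    -- Complexity: at least one letter and one digit.
    IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
        raise_application_error(-20002, 'Password must contain letters and digits');
    END IF;
    -- Not the account name, and not the password being replaced.
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20003, 'Password must not equal the username');
    END IF;
    IF old_password IS NOT NULL AND password = old_password THEN
        raise_application_error(-20004, 'New password must differ from the old one');
    END IF;
    RETURN TRUE;
END;
/

-- 2. Profile: 90-day rotation, reuse limits, lock-out after repeated failures.
CREATE PROFILE apps_db_accounts LIMIT
    PASSWORD_LIFE_TIME       90
    PASSWORD_GRACE_TIME      7
    PASSWORD_REUSE_TIME      365
    PASSWORD_REUSE_MAX       10
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       1
    PASSWORD_VERIFY_FUNCTION sox_verify_function;

-- 3. Restricted interface account: DML only on the interface tables it loads
--    (GL.GL_INTERFACE is used as the example). The initial password is a
--    placeholder to be replaced under the change control ticket.
CREATE USER appsif IDENTIFIED BY "Set-From-Ticket-01" PROFILE apps_db_accounts;
GRANT CREATE SESSION TO appsif;
GRANT SELECT, INSERT, UPDATE, DELETE ON gl.gl_interface TO appsif;

-- Put the shared application accounts under the same profile.
ALTER USER apps PROFILE apps_db_accounts;
ALTER USER gl   PROFILE apps_db_accounts;

-- 4. Logon trigger: every APPSIF session is SQL-traced, so the work done under
--    the ticket can be reconstructed from the trace file afterwards.
CREATE OR REPLACE TRIGGER sys.appsif_trace_trg
    AFTER LOGON ON DATABASE
BEGIN
    IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APPSIF' THEN
        EXECUTE IMMEDIATE 'ALTER SESSION SET tracefile_identifier = ''APPSIF''';
        EXECUTE IMMEDIATE 'ALTER SESSION SET sql_trace = TRUE';
    END IF;
END;
/
```

Two cautions when adopting this. The logon trigger deliberately does nothing but enable tracing: an error raised in a database-level logon trigger blocks logons for every non-DBA user, so keep it minimal and test it on a clone first. Assigning the profile to APPS also means the concurrent manager and application tier will start failing when the 90-day life expires, so the password rotation for APPS has to be a scheduled, ticketed procedure that updates the application tier at the same time.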
2. Auditing
By default, the Oracle Database and Oracle Applications are not compliant with SOX. In
the default installation, there is no auditing enabled for either the Oracle Database or
Oracle Applications. Oracle Applications maintains creation and last modified
information for almost every record, but generally does not provide any history of
changes to records. For SOX compliance, a history of changes to critical configuration
settings and controls is required.
When enabling auditing, performance is always a valid concern. For the most part, auditing non-transactional tables should have only a minimal performance impact. Auditing transactional, high-volume tables can and will have a severe performance impact. Prior to enabling any auditing, careful review of the exact tables and audit settings is required. Assume at least a 1-5% performance impact in terms of additional database writes and tablespace for a minimum set of SOX auditing at the database and application level. Many auditors look for auditing to be enabled on transactional tables such as vendors (especially addresses), which most likely will require discussions with management to assess the risk and potential impact on performance (and the cost of hardware upgrades).
Configuring and enabling auditing is the simple part. Oracle does not provide any tools to manage the audit data, such as archiving, purging, and reporting. Procedures, scripts, and reports must be developed in order to gain any meaningful results from audit data. The complexity and effort required to develop these procedures, scripts, and reports should be supported by management (i.e., resources and dollars) based on management’s assessment of risk.
• Oracle Applications Audit Trails is required for key user management tables like FND_USER, FND_RESPONSIBILITY, FND_FORM_FUNCTIONS, FND_MENUS, FND_RESP_FUNCTIONS, FND_USER_RESP_GROUPS, etc. to maintain a history of changes.
• All access to the APPLSYSPUB account not from an application server (ADI is an exception to this rule) should generate an alert.
• All access to the APPS account and all other Oracle Applications database accounts (e.g., GL) not by the application (web, forms, or concurrent manager server) should be limited and directly attributable to a change control ticket.
• All access to the SYS and SYSTEM accounts should be audited using the database initialization parameter AUDIT_SYS_OPERATIONS, and all usage should be directly attributable to a change control ticket.
Other Auditing
• “AUDIT SYSTEM AUDIT;” will provide an audit trail of changes to the auditing configuration itself.
• “AUDIT USER;” will provide an audit trail of changes to the database accounts, including additions, changes, and deletions.
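The statements below are an added, runnable version of the audit settings listed above and of the archive/purge procedures the earlier paragraph says must be written in house; they are not from the original paper and not Oracle-supplied scripts. Besides the parameter and AUDIT statements, the block checks that the Oracle Applications AuditTrail shadow tables exist for the FND tables named above and runs a detection query for shared-account logons that did not come from the application tier. The application-tier host names, the archive schema and table, and the 13-month retention are assumptions; run it as SYSDBA.

```sql
-- Added example, not from the original paper: database-side audit settings,
-- a check that AuditTrail is active for the key FND tables, a detection query
-- for shared-account logons, and a manual archive/purge of the audit trail.
-- Host names, archive schema/table and retention period are assumptions.
-- Run as SYSDBA.

-- 1. Record everything SYS/SYSDBA does in the OS audit trail (a DBA clearing
--    SYS.AUD$ cannot erase it) and keep the regular trail in the database.
ALTER SYSTEM SET audit_sys_operations = TRUE         SCOPE = SPFILE;
ALTER SYSTEM SET audit_trail          = DB, EXTENDED SCOPE = SPFILE;
-- Both parameters take effect only after an instance restart.

-- 2. Changes to the auditing configuration and to accounts and privileges.
AUDIT SYSTEM AUDIT;     -- the AUDIT / NOAUDIT statements themselves
AUDIT USER;             -- CREATE / ALTER / DROP USER
AUDIT ROLE;             -- CREATE / ALTER / DROP ROLE
AUDIT SYSTEM GRANT;     -- GRANT / REVOKE of system privileges and roles

-- 3. Every logon of the shared application accounts, successful or not.
AUDIT SESSION BY applsyspub, apps, applsys, gl;

-- 4. Application-level history: AuditTrail keeps each audited table's change
--    history in a shadow table named <TABLE>_A under APPLSYS. A row reading
--    NOT AUDITED means the audit group was never enabled for that table.
SELECT base.tbl,
       CASE WHEN s.table_name IS NULL THEN 'NOT AUDITED' ELSE 'ok' END AS state
FROM  (SELECT column_value AS tbl
       FROM   TABLE(sys.odcivarchar2list(
                'FND_USER', 'FND_RESPONSIBILITY', 'FND_FORM_FUNCTIONS',
                'FND_MENUS', 'FND_RESP_FUNCTIONS', 'FND_USER_RESP_GROUPS'))) base
LEFT JOIN dba_tables s
       ON s.owner = 'APPLSYS' AND s.table_name = base.tbl || '_A';

-- 5. Detection: APPLSYSPUB / APPS / GL logons in the last day that did not
--    originate on the application tier. Host names are assumed; ADI desktops
--    (the documented APPLSYSPUB exception) need their own entries in the list.
SELECT username, userhost, os_username, terminal, timestamp, returncode
FROM   dba_audit_session
WHERE  username IN ('APPLSYSPUB', 'APPS', 'GL')
  AND  timestamp > SYSDATE - 1
  AND  UPPER(userhost) NOT IN ('APPSWEB01', 'APPSFORMS01', 'APPSCM01')
ORDER  BY timestamp;

-- 6. Archive, then purge, trail rows older than the retention period.
--    NTIMESTAMP# is the 10g+ timestamp column of SYS.AUD$.
CREATE TABLE auditarch.aud_archive TABLESPACE audit_arch
  AS SELECT * FROM sys.aud$ WHERE 1 = 0;          -- one-time setup
INSERT INTO auditarch.aud_archive
  SELECT * FROM sys.aud$
  WHERE  ntimestamp# < SYSTIMESTAMP - INTERVAL '13' MONTH;
DELETE FROM sys.aud$
  WHERE  ntimestamp# < SYSTIMESTAMP - INTERVAL '13' MONTH;
COMMIT;
```

Query 5 is the alert rule from the bullet list expressed as SQL; scheduling it and routing non-empty results to the on-call DBA is what turns the audit trail into a control. Step 6 is the kind of housekeeping script the earlier paragraph says must be developed locally; keep the archive table outside the SYSTEM tablespace so the trail's growth never affects the database itself.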
3. Change Management
Change control is critical to SOX compliance: not only must changes to data be controlled, but so must any changes to the programs and reports that manipulate or summarize financial data. Policies and procedures must be in place that provide management approvals and detailed tracking of such changes. Auditors typically will review changed objects, such as programs or reports, and trace the paper trail of these changes back through the change management process. Not having a well-documented change management process, and poor or missing change control documentation, may result in a weakness or deficiency.
Change management should include all changes to all layers of the technology stack
including the application, database, application servers, operating system, and hardware.
Changes may include configuration of the application, object migrations (program,
reports, etc.), database schema changes, database configuration changes, and patches.
Each change must be logged, assessed, and authorized prior to implementation to ensure
the integrity and stability of the system and application. The key characteristics of a
change management process are that it is formal (well-documented), changes are handled
in a standardized manner, and changes are assessed in a structured way for impacts on the
system and its functionality. Even in a well-controlled change management process,
emergency changes are perfectly acceptable as long as there is a defined and documented
process for such changes.
Most organizations do have mature change control processes, but often lack the appropriate documentation, lack a formal process for emergency changes, or do not require all changes to use the change management process. One notable exception to the change management process for many organizations is changes to application profile options. Since the profile options may affect the processing of financial data, they should be included in the change management process. However, in many organizations, users outside of IT (usually super-users) have access to change the profile options of a module, so it is difficult to implement change control for profile options.
5. Availability
The loss of data, including transactions, could affect the accuracy and completeness of financial reporting. Also, in adherence to SEC rules and regulations, a public company must file financial reports accurately and on time; therefore, appropriate disaster recovery and business continuity plans must be in place. Since the SEC defines the rules for SOX, backup and recovery and business continuity are fully in scope for SOX compliance.
The auditor will primarily look for evidence that documented policies and procedures exist and that these policies and procedures are tested on a periodic basis. The following policies and procedures should be in place –
11 Chapters of Sarbanes-Oxley
TITLE I
Section 103 -- Auditing, Quality Control, and Independence Standards and Rules
TITLE II
AUDITOR INDEPENDENCE
TITLE III
CORPORATE RESPONSIBILITY
TITLE IV
TITLE V
TITLE VI
TITLE VII
Section 701 -- GAO Study and Report Regarding Consolidation of Public Accounting
Firms
Section 702 -- Commission Study and Report Regarding Credit Rating Agencies
TITLE VIII
Section 805 -- Review of Federal Sentencing Guidelines for Obstruction of Justice and
Extensive Criminal Fraud
Section 806 -- Protection for Employees of Publicly Traded Companies Who Provide
Evidence of Fraud
TITLE IX
Section 904 -- Criminal Penalties for Violations of the Employee Retirement Income
Security Act of 1974
TITLE X
Section 1001 -- Sense of the Senate Regarding the Signing of Corporate Tax Returns by
Chief Executive Officers
TITLE XI
Section 1103 -- Temporary Freeze Authority for the Securities and Exchange Commission
Section 1106 -- Increased Criminal Penalties under Securities Exchange Act of 1934
Criticism of SOX
• SOX was an unnecessary and costly government intrusion into corporate management that places U.S. corporations at a competitive disadvantage with foreign firms, driving businesses out of the United States.
• The act provides an incentive for small US firms and foreign firms to deregister
from US stock exchanges. The number of American companies deregistering
from public stock exchanges nearly tripled during the year after Sarbanes-Oxley
became law.
• The reluctance of small businesses and foreign firms to register on American stock exchanges is easily understood when one considers the costs Sarbanes-Oxley imposes on businesses. A study by the law firm of Foley and Lardner found the Act increased costs associated with being a publicly held company by 130 percent.
• The capital flight it initiated caused the London Stock Exchange to become the
new hub for capital markets.
• Critics blamed Sarbanes-Oxley for the low number of Initial Public Offerings
(IPO’s) on American stock exchanges during 2008.
IASB
Formed in January 2001, the IASB replaced its predecessor, the International Accounting Standards Committee (IASC), as the international standards-setting body. Looking towards greater formalization of international accounting standards, the IASB is structured similarly to the FASB. The current focus of the IASB, in collaboration with the FASB and other accounting-focused organizations, is to converge standards and develop a single, universally accepted set of binding international accounting standards. The IASC, and now the IASB, issue a series of standards known as International Financial Reporting Standards (IFRS), formerly called International Accounting Standards. The International Accounting Standards Board is an independent, private-sector body that develops and approves International Financial Reporting Standards. The IASB operates under the oversight of the International Accounting Standards Committee Foundation. The IASB was formed in 2001 to replace the International Accounting Standards Committee.
IASB Framework
While not a standard, the IASB Framework for the Preparation and Presentation of
Financial Statements serves as a guide to resolving accounting issues that are not
addressed directly in a standard. Moreover, in the absence of a standard or an
interpretation that specifically applies to a transaction, IAS 8 requires that an entity must
use its judgment in developing and applying an accounting policy that results in
information that is relevant and reliable. In making that judgment, IAS 8.11 requires
management to consider the definitions, recognition criteria and measurement concepts
for assets, liabilities, income, and expenses in the Framework. The IASB adopted the
Framework in April 2001. It had originally been adopted by the IASC in 1989. Currently,
the IASB is working on a Project to Revise the Framework.
FASB
Since 1973 the FASB has been the organization designated to establish authoritative
financial accounting and reporting standards (Statements of Financial Accounting
Standards, SFAS) for business and other private-sector entities. Its mission is to be
responsive to the entire economic community and to operate in full view of the entire
community through a due-process system.
What is IFRS
By 2011 more than 150 countries would have adopted IFRS. The term International
Financial Reporting Standards (IFRSs) has both a narrow and a broad meaning.
Narrowly, IFRSs refers to the new numbered series of pronouncements that the IASB
is issuing, as distinct from the International Accounting Standards (IASs) series
issued by its predecessor. More broadly, IFRSs refers to the entire body of IASB
pronouncements, including standards and interpretations approved by the IASB and
IASs and SIC interpretations approved by the predecessor International Accounting
Standards Committee.
[On this website, consistent with IASB policy, we abbreviate International Financial
Reporting Standards (plural) as IFRSs and International Accounting Standards (plural) as
IASs]
its member countries starting 2005. Since then, IFRS has spread swiftly all over the
world. IFRS standards are principle-based whereas US GAAP standards are rule-based.
Indian standards are basically modeled on the basis of IFRS.
CONVERGENCE
APPLICABILITY
As of now, 102 countries have either adopted or are converging to IFRS, including
Australia, New Zealand, Pakistan, Singapore, China, West Asia, Japan, Africa and
countries in the European Union (EU). Now, the ICAI, India’s premier accounting body,
has decided to adopt IFRS with effect from April 1, 2011, for public limited companies
and will be extended to other entities in a phased manner. The numerous union statuses to
IFRS came about after the EU made IFRS mandatory for all its listed companies starting
2005. Consequently, more than 8,000 EU-listed companies adopted IFRS in one go. In
the USA, the Securities and Exchange Commission (SEC, akin to our SEBI) is proposing to eliminate, for IFRS foreign filers, the reconciliation requirement to US GAAP. In April 2007, the SEC lined up proposals to allow companies listed in the US to choose between IFRS and US GAAP for reporting purposes from 2009.
BENEFITS OF IFRS
Rules of IFRS
⇒ IAS 2: Inventories
IAS 1.
December 2003
Assistance
⇒ IAS 30: Disclosures in the Financial Statements of Banks and Similar Financial
Institutions – Superseded by IFRS 7 effective 2007
⇒ IAS 31: Interests In Joint Ventures
Both academics and practitioners have investigated the effects of the Sarbanes-Oxley law on non-US companies (like Telenor) cross-listed in the US markets. Some argued that the law eventually displaced many foreign companies from NASDAQ. In a recent article published in the Journal of Corporate Finance, Kate Litvak (2007) reported that stock prices of non-US companies under the Sarbanes-Oxley law declined significantly as opposed to those of the non-US companies that are not regulated under the law. In particular, Litvak (2007) concludes that “investors expected the Sarbanes-Oxley Act to have a net negative effect on cross-listed foreign companies, with high-disclosing companies and low-growth suffering larger net costs, and faster-growing companies from poorly-governed countries suffering smaller costs.”
It is well documented that both the domestic and foreign firms that voluntarily delisted from NASDAQ, especially after the introduction of the Sarbanes-Oxley law, had poor corporate governance systems. Arguably, it is hard to believe that Telenor should be an exception. It has been alleged that Telenor was also involved with the corruption, corporate fraud and poor governance system of VimpelCom (a joint venture of Telenor in Russia) during 2004-05.
Telenor provides high quality data, tele and media communications services such as fixed and mobile telephone, internet, internet protocol based services, VOIP, satellite services, cable television networks, etc. in Austria, Bangladesh, Bulgaria, Denmark, Finland, Hungary, Malaysia, Montenegro, Norway, Pakistan, Poland, Russia, Serbia, Sweden, Thailand, Ukraine, etc., with an equity capital that varies from more than 50% to 100%. Grameen Phone contributes approximately 15% (12 out of 83 million) of Telenor’s worldwide mobile phone subscribers. Currently, Telenor holds 62% of Grameen Phone's equity capital even though it had 51% of the shares in 1996 when Grameen Phone was incepted. It has been alleged recently that Telenor violated its 1996 agreement with Grameen Phone. Telenor was supposed to reduce its ownership of Grameen Phone to 35% by 2002 but refused to do so even in 2007 on the ground that the agreement was a declaration of intent and not an obligation at all.
It is a million dollar question whether Grameen Phone has any intention to float an Initial Public Offering (IPO) in Bangladesh. The introduction of Grameen Phone's IPO will bring more local ownership and add double digit market capitalization to the stock
exchanges of Bangladesh. But it seems implausible, especially after its recent debacle on NASDAQ and its continuous domination over Grameen Phone in terms of ownership. Telenor argues that Grameen Phone is one of its numerous projects that should be considered Socially Responsible Investment (SRI) because it invests in a developing country like Bangladesh and contributes to her economy. Ethical investment or SRI is also becoming popular on Wall Street, with combined assets of more than 2 trillion dollars. Wall Street accommodates firms that invest in SRI in compliance with the SEC rules and regulations that may be appropriate for their typical shareholders and ethical operations. Unfortunately, Telenor is neither listed on either of the two bourses nor has any physical shareholders in Bangladesh. Thus, the broader definition of SRI should not be applicable to Telenor.
Like other foreign-based mobile companies in Bangladesh, Telenor is believed to repatriate the majority of the profit that it generates through Grameen Phone. However, Telenor claims that it could not recoup the $87 million that it initially invested in Bangladesh. Instead, it reinvests a significant portion of the $1.08 billion profit that it earned over the last decade. It is obvious that the delisting of Telenor from NASDAQ transmits a strong negative message that Telenor lacks an appropriate corporate governance system, which is indispensable for transparent reporting responsibility to the SEC. It would undeniably be very interesting to see whether Grameen Phone can initiate the so-called 'social businesses' of its proponent and founder Professor Yunus, especially under its current legal set-up with Telenor.
PROBLEM OF SOX
What Sarbox Establishes
Mainly, the Sarbox act establishes wide-ranging legislation for all U.S. public company boards, management and public accounting firms. Some of the highlights enacted by Sarbox include:
• The Establishment of a public and government agency called the Public Company
Accounting Oversight Board.
• The requirement that public companies must evaluate and openly disclose their
financial reporting.
• The need for CEO's and CFO's to certify the company's financial reports.
• Provisions for Auditor Independence.
• Companies that are listed on stock exchanges such as NASDAQ or NYSE must
have totally independent audit committees that can provide oversight to both the
company and the auditor.
• Additional financial disclosures that are more transparent and comprehensive.
• A company can no longer give a personal loan to any CEO or executive officer.
• Added criminal penalties for violations in the law dealing with securities fraud.
• Added civil penalties for violations in the law dealing with securities fraud.
Implementation of Sarbox
As you can see from some of the enhancements this law enacts, both large and small publicly traded companies in the US must make extensive changes in how they report their earnings, audit their business and improve transparency on financial decisions. Because implementation of Sarbox can be a daunting task, even for a very small publicly traded company, small companies that are able to have actually gone private in order to forgo the cost of implementing the new requirements of Sarbox. Those companies that cannot go private are forced to make extensive changes to their financial reporting structure, which, while costly, ultimately benefits the investors. Companies can easily increase investors' faith in the company and hopefully add value to the company by implementing Sarbox.
While most investors and executives of large corporations acknowledge a need for legislation such as Sarbanes-Oxley, because many investors lost billions to fraudulent financial reporting, the downside is that it can be costly to implement. Usually the biggest cost of implementing Sarbox is updating the information systems so that they comply with the new reporting and financial control requirements. For the largest of the corporate entities that have switched over to Sarbox, the initial cost of compliance was $4.36 million on average. This statistic comes from the Financial Executives International (FEI) survey, which asked 217 companies with average revenue of over 5 billion per year. It should be noted that first-year costs will probably be the highest. The more experience companies gain implementing Sarbox, the less time and money implementation and consultation will cost.
Conclusion
The Sarbanes-Oxley Act of 2002 (SOX) is the public company accounting reform and investor protection act signed into law on July 30, 2002 in response to a number of Fortune 500 companies’ involvement in corporate and accounting scandals. These widely published corporate debacles, including those affecting Enron, WorldCom and Tyco, cost investors billions of dollars when the share prices of the affected companies collapsed. In effect, investor confidence in the securities markets hit rock bottom. The purpose of SOX was to empower the Securities and Exchange Commission (SEC) of the U.S. so that it could oversee corporate governance of public organizations in hopes of restoring investor confidence. President Bush reflected the impact of this act, stating that no law of such significance to businesses had been signed since the presidency of Franklin D. Roosevelt in the U.S. The SOX Act of 2002 was named after its main architects, Senator Paul Sarbanes and Representative Michael Oxley. SOX establishes a number of compliance rules for financial practice. The law generally is practical and makes sense. However, the rules used to implement the law are a primary source of the confusion and massive costs.
This report exposes the range of flaws in the current U.S. SOX regulatory regime and proposes cost-effective and practical ideas to help the U.S. and other countries achieve the fundamental aim of more reliable financial statements and more reliable external audit opinions at a lower overall cost.