Sarbanes Oxley Act, 2002 – An Indian Perspective
The Sarbanes Oxley Act 2002, which is applicable to all publicly-registered companies under the jurisdiction of Securities and Exchange Commission, is a far reaching legislation, effecting significant changes to laws concerning directors and reporting obligations of public companies, and mandating a myriad of new regulations to prevent securities fraud and other abuses. This article primarily looks at the implications of the Act in India – for Companies, Audit Profession and the BPO Industry.
Srikant Sortur

(The author is a member of the Institute as well as AICPA, working with Lason Systems Inc, MI, USA. He can be reached at shrikant_sortur@yahoo.com)

“The Sarbanes Oxley Act will bring the most far reaching reforms of American business practices since the time of Franklin Delano Roosevelt” – said President George W Bush, while signing the Sarbanes-Oxley Act of 2002.

In July 2002, the United States Congress passed the Sarbanes-Oxley Act (“the Act”/SOX) into law. The Act was primarily designed to restore investor confidence following well-publicised bankruptcies that brought chief executives, audit committees, and the independent auditors under heavy scrutiny.

The Act is applicable to all publicly registered companies under the jurisdiction of the Securities and Exchange Commission (SEC). SOX is a far reaching legislation, effecting significant changes to laws affecting officers, directors and reporting obligations of public companies, and mandating a myriad of new regulations to prevent securities fraud and other abuses.

Overview of the Act

The Sarbanes Oxley Act called for the formation of a Public Company Accounting Oversight Board (PCAOB) and specified several requirements (“sections”) that include management’s quarterly certification of the financial results (Section 302) and management’s annual assertion that internal controls over financial reporting are effective (Section 404) among others.

The Act has largely ignored the differences in practices and corporate governance regimes between the United States and other countries, and has extended the reach of the United States’ laws to many aspects of the internal affairs and governance regimes of foreign companies and their auditors. There are of course certain reliefs for Foreign Private Issuers (“FPI”) in the Act.

Some of the key sections related to Audit and Financial Reporting are:

The PCAOB: Sections 101-109 of the Act have established a new body, the Public Company Accounting Oversight Board (PCAOB), to oversee the auditing of public companies. All accounting firms that audit the financial statements of the Securities Exchange Act of 1934 (“1934 Act”) Reporting Issuers (Issuers of Securities who are mandated to report under the 1934 Act) must register with and provide periodic reports to the Board. Registered accounting firms are subject to Board-adopted audit, quality control and ethics standards, periodic inspections and possible disciplinary proceedings. It will be illegal for a non-registered accounting firm to “prepare or issue, or to participate in the preparation or issuance of, any audit report” with respect to any 1934 Act Reporting Issuer.

Section 106 of the Act specifically provides that it will apply to any foreign public accounting firm (Indian Audit Firm in the context of this article) that prepares or furnishes an audit report with respect to any 1934 Act Reporting Issuer. The Board is also given the authority to determine, by rule, that a foreign accounting firm that does not issue an audit report for a 1934 Act Reporting Issuer may nonetheless play such a substantial role in an audit that it is appropriate that such firm should be subject to the Board’s authority. The Act provides that if a foreign firm issues an audit opinion for a 1934 Act Reporting Issuer or otherwise performs material services upon which an auditing firm relies, that foreign firm is deemed to have consented to producing its audit work papers for the Board and to be subject to the jurisdiction of US courts for enforcement of requests for production of documents. In addition, a domestic auditing firm that relies upon the opinion of a foreign accounting firm in issuing an audit opinion for a 1934 Act Reporting Issuer is deemed (1) to have consented to supplying the audit work papers of the foreign accounting firm to the Board and (2) to have secured the agreement of that foreign firm to the production of the foreign firm’s work papers.

Section 106(c) of the Act authorises the Securities and Exchange Commission (SEC) and the Board to exempt foreign accounting firms from any provision of the Act or any rules of the SEC or the Board issued under the Act (by rule or by order) as the SEC or the Board “determines necessary or appropriate in the public interest or for the protection of investors.”

Section 302 (Corporate Responsibility for Financial Reports) directs the SEC to adopt rules requiring the principal executive officer and the principal financial officer (or equivalent) of 1934 Act Reporting Issuers to provide certifications in each “annual” and “quarterly” report “filed” or “submitted” under the 1934 Act. The certification relates to the content of the report, internal controls of the issuer and disclosure to the audit committee.

Section 906 (Failure of Corporate Officers to Certify Reports), which is similar to but separate from Section 302, is a criminal law provision requiring that each “periodic” report containing financial statements that is “filed” by a 1934 Act Reporting Issuer be accompanied by a written statement of the chief executive officer and chief financial officer (or equivalent). The statement must certify that the “periodic report containing the financial statements” fully complies with the requirements of the 1934 Act and also must certify that the information contained in the periodic report “fairly presents, in all material respects, the financial condition and results of operations of the issuer.” This Section contains no exceptions for Foreign Private Issuers, although the SEC has the authority under the 1934 Act to determine the “periodic” reports that may be required to be “filed” under the 1934 Act.

Section 404 (Management Assessment of Internal Controls) requires the SEC to prescribe rules requiring each annual report required under the 1934 Act to contain an internal control report stating management’s responsibility for internal controls and assessing the effectiveness of internal controls. This section also requires the auditors for the issuer to attest to and report on management’s assessment in accordance with standards to be adopted by the Board.

Section 404 has generated tremendous interest and debate for accountants and is by far the most important one from the Financial Reporting perspective.

What Does Section 404 Entail?

As directed by Section 404 of the Sarbanes Oxley Act of 2002, the Securities and Exchange Commission (SEC) adopted rules regarding internal controls at public companies in May 2003. Section 404 also requires that a company’s independent auditors attest to and report on management’s controls assessments, following standards
Issuer. Probably the most important would be the compliance of Section 404 – Management assessment of internal controls. The parent would determine the multiple locations that need to be covered for Internal control testing. This is usually based on the Significant accounts and the impact that the numbers of the subsidiary/business unit have on the overall company’s financial reports.

PCAOB has not established specific percentages to determine coverage. Often the goal of the parent company would be to determine which locations are individually important (financially significant) and thus yield sufficient coverage using meaningful quantitative metrics. The usual benchmark seen in practice is to cover at least 60 to 70 per cent of the company’s operations and financial position. The metrics could possibly be to cover any location that has more than 5% of annual revenues or pre tax income or total assets or equity (if applicable).

Once a location is determined to be important, the planned procedures would include a detailed evaluation and tests of controls over significant (or ‘specific risk’) accounts and disclosures at that location and testing of company level controls.

MULTI LOCATION TESTING CONSIDERATIONS

1. Is the location or business unit individually important?
   Yes: Evaluate documentation and test significant controls at each location or business unit.
   No: Go to question 2.
2. Are there specific significant risks?
   Yes: Evaluate documentation and test controls over specific risks.
   No: Go to question 3.
3. Are there locations or business units that are not important even when aggregated with others?
   Yes: No further action required for such units.
   No: Go to question 4.
4. Are there documented entity-wide controls over this group?
   Yes: Evaluate documentation and test entity wide controls over group.
   No: Some testing of controls at individual locations or business units required.

Implications for the Indian Subsidiary/Business Unit

— Need to work closely with the parent to ensure proper controls, risk management, disclosures, and various other aspects.

Implications for the Auditors of the Indian Subsidiary

— Mandatory Audit partner rotation will apply to partners that serve the client at the parent level. Partners serving a company’s subsidiary will be subject to rotation only if they are lead partners and the subsidiary’s revenues constitute 20% or more of the consolidated assets or revenues of the parent.
— The Act provides that if a foreign firm (Indian Audit Firm) issues an audit opinion for a 1934 Act Reporting Issuer or otherwise performs material services upon which an auditing firm relies, that foreign firm is deemed to have consented to producing its audit work papers for the Board and to be subject to the jurisdiction of US courts for enforcement of requests for production of documents. In addition, a domestic auditing firm (US Audit Firm) that relies upon the opinion of a foreign accounting firm in issuing an audit opinion for a 1934 Act Reporting Issuer is deemed (1) to have consented to supplying the audit work papers of the foreign accounting firm to the Board and (2) to have secured the agreement of that foreign firm to the production of the foreign firm’s work papers.

SOX rule-making is evolving and it has an extraterritorial reach beyond the US. It is imperative that Indian BPO companies have a strong framework of Internal Controls and are transparent to their clients. Well-defined processes, proper documentation etc. will be of paramount importance in view of Sarbanes Oxley Act, 2002.
its control objectives and control activities examined by an independent accounting and auditing firm. A formal report including the auditor’s opinion (“Service Auditor’s Report”) is issued to the service organisation at the conclusion of a SAS 70 examination.

SAS 70 provides guidance to enable an independent auditor (“service auditor”) to issue an opinion on a service organization’s description of controls through a Service Auditor’s Report. SAS 70 is not a pre-determined set of control objectives or control activities that service organizations must achieve. Service auditors are required to follow the AICPA’s standards for fieldwork, quality control, and reporting. A SAS 70 examination is not a “checklist” audit.

SAS No. 70 is generally applicable when an auditor (“user auditor”) is auditing the financial statements of an entity (“user organization”) that obtains services from another organization (“service organization”). Service organizations that provide such services could be application service providers, bank trust departments, claims processing centers, Internet data centers, or other data processing service bureaus.

In an audit of a user organization’s financial statements, the user auditor obtains an understanding of the entity’s internal control sufficient to plan the audit as required in SAS No. 55, Consideration of Internal Control in a Financial Statement Audit. Identifying and evaluating relevant controls is generally an important step in the user auditor’s overall approach. If a service organization provides transaction processing or other data processing services to the user organization, the user auditor may be required to gain an understanding of the controls at the service organization.

Service Auditor’s Reports: One of the most effective ways a service organisation can communicate information about its controls is through a Service Auditor’s Report. There are two types of Service Auditor’s Reports: Type I and Type II.

A Type I report describes the service organization’s description of controls at a specific point in time (e.g. December 31, 2004). A Type II report not only includes the service organization’s description of controls, but also includes detailed testing of the service organization’s controls over a minimum six month period (e.g. July 1, 2004 to December 31, 2004). The contents of each type of report are described in the following table:

| Report Contents | Type I Report | Type II Report |
|---|---|---|
| 1. Independent service auditor's report (i.e. opinion). | Included | Included |
| 2. Service organization's description of controls. | Included | Included |
| 3. Information provided by the independent service auditor; includes a description of the service auditor's tests of operating effectiveness and the results of those tests. | Optional | Included |
| 4. Other information provided by the service organization (e.g. glossary of terms). | Optional | Optional |

In a Type I report, the service auditor will express an opinion on (1) whether the service organization’s description of its controls presents fairly, in all material respects, the relevant aspects of the service organization’s controls that had been placed in operation as of a specific date, and (2) whether the controls were suitably designed to achieve specified control objectives.

In a Type II report, the service auditor will express an opinion on the same items noted above in a Type I report, and (3) whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified.

Implications for Indian BPO Companies: It is imperative that Indian BPO companies have a strong framework of Internal Controls and are transparent to their clients. Well-defined processes, proper documentation etc. will be of paramount importance in view of the Sarbanes Oxley Act, 2002.

Service organizations receive significant value from having a SAS 70 engagement performed. A Service Auditor’s Report with an unqualified opinion that is issued by an Independent Accounting Firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities.

Without a current Service Auditor’s Report, a service organization may have to entertain multiple audit requests from its customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organization’s resources. A Service Auditor’s Report ensures
Implications for Indian Audit Firms

Assignments to conduct a SAS 70 certification can prove to be a new area of work. Management of US companies could rely on SAS 70 certification by non-US audit firms as long as the reports are issued under other standards that follow the criteria of SAS 70. Management would also need to evaluate the competency and qualifications of the auditor performing the examination. The Indian Audit profession is widely appreciated around the world for its high standards. Managements of US companies should not have any issues with accepting SAS 70 certifications by Indian Audit firms.

Factors to be considered by Management when a service organisation outsources certain functions to another service organisation:

In what is becoming a popular business model for BPOs in India, an interesting situation could come up when a US corporate uses a service organisation (Indian Company) that in turn uses another service organisation (a sub service organisation) to perform the work. In such a scenario the Management of the User organisation needs to consider controls at the sub service organisation. In addition to that, the following also need to be considered:

☞ The nature and materiality of the transactions processed by the sub service organisation
☞ The contribution of the sub service organisation’s processes in the achievement of the user organisation’s information processing objectives
☞ The availability of a sub service organisation’s SAS 70 report

Because a user organisation typically does not have any contractual relationship with the sub service organisation, a user organisation should obtain available reports and information about the sub service organisation from the service organisation.

Certain Issues related to SAS 70

SAS 70 was finalised in March 1993. There is an existing line of thought that it is outdated in certain aspects and may not really cater to the requirements of Section 404 of SOX. Critics say that a major rehaul is needed.

Even a Type II report, however, doesn’t guarantee airtight compliance with Sarbanes-Oxley. For one thing, the timing of the audit — if it’s performed by the service provider’s auditor — might be out of sync with the client’s reporting period. If the audit is performed in June and the client’s fiscal year ends December 31, for instance, there’s a six-month gap in the attestation of the outsourcer’s internal controls. If there are control slip ups during the second half of the year, the accuracy and reliability of the client’s own year-end attestation could be compromised — and fair game for a Securities and Exchange Commission inquiry.

One response to the timing issue is to request that the service provider undergo SAS 70 audits on a quarterly basis or “fill in the gaps” with updates throughout the year.
Smaller service providers might bridle at the added cost during contract negotiations — but after all, it’s the client’s attestation that’s on the line.

Another concern for the outsourcer’s auditor is just how much of the service provider’s audit is being revealed. A service provider is required to inform its client only about any failures of SAS 70 tests; there’s no requirement to spell out the exact substance or scope of the audit.

Thus, for instance, a client’s own external auditor would be unable to tell the client whether a test that unearthed two failures probed 40 processes, or only four. That could lead to some poor assessments of service-provider controls.

Conclusion

We can wrap up this discussion by quoting from the recent speech by SEC Chairman William H Donaldson in London on the topic ‘US Capital Markets in the Post-Sarbanes-Oxley World: Why Our Markets Should Matter to Foreign Issuers’. The following words are relevant to this article:

“Now, two-and-a-half years later (since SOX became operational), some critics claim the Sarbanes-Oxley Act goes too far. In particular, these critics charge that requiring certification of internal controls - the so-called Section 404 provision of Sarbanes-Oxley - is too expensive and unnecessary. Section 404 has even led some foreign issuers to declare that they may wish to leave America’s capital markets altogether rather than have their internal controls certified.

It is easy for an individual issuer to look at the cost of compliance with US federal securities laws and balk. But the cost of capital also comes with benefits. US capital markets are deep and liquid. Nearly half of all the world’s equity shares, by market capitalization, trade in the United States. And non-US investors have approximately $4.5 trillion invested in US stock markets.

The requirements of Sarbanes-Oxley cannot be evaluated in a vacuum. They are important because they have produced, and will produce, improvements that help to restore and reinforce investor confidence in our markets, and lower the cost of capital to issuers. Section 404, for example, reaffirms that US legislators are serious about internal control requirements. It is already clear that Section 404 is helping to strengthen the business operations of those US and foreign issuers who have seized the opportunity to use the internal controls assessment as a managerial opportunity and not simply a compliance exercise.

The SEC remains committed to a level playing field for all its issuers, foreign and domestic alike. But we recognize that cross-border listings frequently entail issuers having to navigate duplicative or even contradictory regulations in different jurisdictions. While the SEC is unwilling to compromise where investor protections are concerned, some duplicative or contradictory regulations can compromise those protections and place an unnecessary burden on issuers, firms and investors.”