The Journal, August 2004, page 44
29 July 2004 was the second anniversary of the following exchange in the House of Lords:
“Lord Sharman: My Lords, I beg leave to ask the Question standing in my name on the Order Paper. In so doing, I declare an interest as a paid adviser to KPMG.
‘To ask Her Majesty’s Government whether they will make representations to the United States government to limit the extraterritorial effect of Senator Sarbane’s bill regarding the regulation of auditors.’
“Lord Sainsbury of Turville: My Lords, high-level representations were made to the United States Government about the extra-territorial effect of the proposed Sarbane bill by the United Kingdom Government and by the European Commission. The Accounting Bill, which combines elements of both the Sarbane and the Oxley bills, is expected to be signed by President Bush this week. We believe that our lobbying has had some success, but concerns about the legislation remain. We are therefore continuing to pursue these matters at national and European level with the US administration.”
The USA’s Sarbanes-Oxley Act 2002 (also known as “SOX”, “Sarbox” or “SOA”) was enacted on 30 July 2002 as a response to scandal-driven loss of confidence in the capital markets. The Act established the US Public Company Accounting Oversight Board (PCAOB). PCAOB is a private, non-profit corporation whose mission is to “protect investors in US securities markets and to further the public interest by ensuring that public company financial statements are audited according to the highest standards of quality, independence, and ethics”. The Board will be funded principally by fees from public companies.
On 6 May 2003, the PCAOB adopted Final Auditor Registration Rules. All non-US public accounting firms that wish to prepare or issue audit reports on US public companies, or make a substantial contribution to the preparation or issuance of such reports, should have been registered by 19 July 2004 if they wished to continue existing work.
15 November 2004 is the date on which the Act actually comes into force, but affected companies should have been working on their compliance issues for quite some time. According to Margaret Brooks, director of strategic business development and SOX specialist at Computer Associates, “Finance departments ‘get it’ but a lot of senior managers don’t know what’s going to hit them”.
The Act covers a whole range of governance issues such as the types of trading that are allowed within a company. Other measures regulate the responsibilities of audit committees and offer protection to whistleblowers.
The IT challenges of SOX are ensuring that it is observed, and that compliance can be demonstrated and reported. This has implications for the archiving of communications and the creation of transparent and auditable systems for recording transactions, dealings and any kind of business correspondence.
Many IT managers assume that every single file, email, or phone call is going to have to be recorded. It is true that this approach would achieve compliance, but according to Mark Ellis, Computer Associates’ director of storage and information management, SOX is not quite so demanding. Ellis describes such a response as being “like a rabbit caught in the headlights”, and explains that “Legal compliance is not about what you need to keep, it’s about knowing what you can delete.”
Companies need to find out more about the complicated legislation. Most companies are having to work with accredited auditors and consultants to ensure they have “ticked all the right boxes”. In the US, Ernst & Young and PwC account for about a fifth of this market each, with KPMG and Deloitte and Touche accounting for about 13 per cent. These firms can test compliance and search for “material weaknesses” – flaws that would fail the SOX test.
Though many UK firms are not legally required to meet the Sarbanes-Oxley level of auditing standards at present, this may soon change. Further, Oracle’s head of finance and compliance in the UK, Michelle Maden, argued that meeting those standards could in any event generate wider benefits. “The Sarbanes-Oxley Act incorporates sound aspects of corporate governance”, she explains.
Jean-Claude Trichet, chairman of the G10 group of central banks, said that the new Basel II framework “will enhance banks’ safety and soundness, strengthen the stability of the financial system as a whole, and improve the financial sector’s ability to serve as a source for sustainable growth for the broader economy”.
The Basel II rules, which have been under discussion for more than five years, are intended to make the world’s banking system more stable and efficient by aligning the amount of capital banks hold with the level of risk on their books.
Implementation is set to begin at the end of 2006. The systems and data implications of Basel II are huge, and the workload to become compliant will be significant. Estimates vary but the cost of compliance for the global industry is generally agreed to be above £100 billion.
Basel II comprises three “Pillars”:
• Pillar 1 – Minimum Capital Requirement: this covers market, credit and operational risk.
• Pillar 2 – Supervisory Review Process: this sets the framework for supervision. Supervisors will be able to hold additional capital against risks not covered by Pillar 1.
• Pillar 3 – Market Discipline: this sets out the framework for market disclosures by banks and financial institutions.
Implementation of Basel II will be achieved in the EU by way of the Risk-Based Capital Directive (CAD III). The UK will then implement this, with the FSA acting as the supervisory authority. The bottom line requirement is that data capture procedures, which enable operational risk factors to be identified and analysed, will require radical rethinking.
Issues for affected IT managers include identifying the correct data, integrating and managing the data, carrying out analysis and creating the required reports. New regulations from the FSA covering the reporting and management of mortgage applications, due to come into force in October 2004, will also require the mortgage applicant and the adviser to use point of sale software systems to take them through a sales process complying with FSA regulations.
A suggested Basel II checklist might be:
• Impact assessment: What do the new laws require your organisation to do to its existing IT systems in order to achieve compliance?
• Timescale: By when do the changes need to be in place?
• Contract review: Your organisation should carry out an audit of existing contracts relevant to the IT systems which will require changes.
• Who is going to make the changes? Will it be your suppliers of existing or older software, support service providers, consultants, or the in-house IT team, or a combination? Liability, warranties, rights of termination and IPR ownership will also need to be addressed.
• Who is going to pay for changes? Who is legally obliged to pay?
• Reporting and data retention: What reporting and data retention requirements are applicable to your organisation? How will you prove compliance?
• Could your organisation merge its content management practices with process issues such as auditable workflows? Could the use of a data management language such as XML or XBRL bring benefits and assist with establishing compliance?
• Should you change the way you store emails?
• Should you establish and enforce a central store for all data?
Basel II has been described as the biggest IT challenge for the banking and financial services industry since Y2K. Unlike Y2K, however, these changes are definitely coming!
Areas that affected IT managers may wish to assess include: consolidation of their current servers and storage; existing email management practice; current and potential archiving procedures; and information management generally. IT architecture will need to be viewed primarily in the light of compliance. “In the past the focus of compliance has been on the finance department,” said John Taylor, managing director at business performance management specialists Cartesis. “But the board will begin asking managers and IT managers what they’re doing to help the firm comply, as this area is so reliant on IT systems. Company boards will expect far more involvement from their IT departments to establish end-to-end auditing controls”, Taylor predicts. “They will want to know how they can be sure that data entering a system sees its way through to the legal reporting requirements.”
The penalties for failure to comply with the auditing directive are yet to be determined – the draft provides only that “Member States shall provide effective, proportionate and dissuasive civil, administrative or criminal penalties.”
One thing is certain – IT managers in affected companies may soon find themselves being asked to offer their boards guarantees that the firm’s accounting package is compliant in every respect, and totally free of defects. Change of career, anyone?