
The Sarbanes-Oxley Act of 2002 (Pub.L. 107-204, 116 Stat. 745, enacted July 30, 2002), also known as the 'Public Company Accounting Reform and Investor Protection Act' (in the Senate) and 'Corporate and Auditing Accountability and Responsibility Act' (in the House) and commonly called Sarbanes-Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002. It is named after sponsors U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH). The bill was enacted as a reaction to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. These scandals, which cost investors billions of dollars when the share prices of affected companies collapsed, shook public confidence in the nation's securities markets. The legislation set new or enhanced standards for all U.S. public company boards, management and public accounting firms. It does not apply to privately held companies. The act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law. Harvey Pitt, the 26th chairman of the Securities and Exchange Commission (SEC), led the SEC in the adoption of dozens of rules to implement the Sarbanes-Oxley Act. It created a new, quasi-public agency, the Public Company Accounting Oversight Board, or PCAOB, charged with overseeing, regulating, inspecting and disciplining accounting firms in their roles as auditors of public companies. The act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure. The act was approved by the House by a vote of 423–3 and by the Senate 99–0. President George W. Bush signed it into law, stating it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt."[1]
Debate continues over the perceived benefits and costs of SOX. Supporters contend the legislation was necessary and has played a useful role in restoring public confidence in the nation's capital markets by, among other things, strengthening corporate accounting controls. Opponents of the bill claim it has reduced America's international competitive edge against foreign financial service providers, saying SOX has introduced an overly complex regulatory environment into U.S. financial markets.[2]

Overview
Sarbanes-Oxley contains 11 titles that describe specific mandates and requirements for financial reporting. Each title consists of several sections, summarized below.

1. Public Company Accounting Oversight Board (PCAOB)
Title I consists of nine sections and establishes the Public Company Accounting Oversight Board, to provide independent oversight of public accounting firms providing audit services ("auditors"). It also creates a central oversight board tasked with registering auditors, defining the specific processes and procedures for compliance audits, inspecting and policing conduct and quality control, and enforcing compliance with the specific mandates of SOX.

2. Auditor Independence
Title II consists of nine sections and establishes standards for external auditor independence, to limit conflicts of interest. It also addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements. It restricts auditing companies from providing non-audit services (e.g., consulting) for the same clients.

3. Corporate Responsibility
Title III consists of eight sections and mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports. It defines the interaction of external auditors and corporate audit committees, and specifies the responsibility of corporate officers for the accuracy and validity of corporate financial reports. It enumerates specific limits on the behaviors of corporate officers and describes specific forfeitures of benefits and civil penalties for non-compliance. For example, Section 302 requires that the company's "principal officers" (typically the Chief Executive Officer and Chief Financial Officer) certify and approve the integrity of their company financial reports quarterly.[3]

4. Enhanced Financial Disclosures
Title IV consists of nine sections. It describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers. It requires internal controls for assuring the accuracy of financial reports and disclosures, and mandates both audits and reports on those controls. It also requires timely reporting of material changes in financial condition and specific enhanced reviews by the SEC or its agents of corporate reports.

5. Analyst Conflicts of Interest
Title V consists of only one section, which includes measures designed to help restore investor confidence in the reporting of securities analysts. It defines the codes of conduct for securities analysts and requires disclosure of knowable conflicts of interest.

6. Commission Resources and Authority
Title VI consists of four sections and defines practices to restore investor confidence in securities analysts. It also defines the SEC's authority to censure or bar securities professionals from practice and defines conditions under which a person can be barred from practicing as a broker, advisor, or dealer.

7. Studies and Reports
Title VII consists of five sections and requires the Comptroller General and the SEC to perform various studies and report their findings. Studies and reports include the effects of consolidation of public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations and enforcement actions, and whether investment banks assisted Enron, Global Crossing and others to manipulate earnings and obfuscate true financial conditions.

8. Corporate and Criminal Fraud Accountability
Title VIII consists of seven sections and is also referred to as the Corporate and Criminal Fraud Act of 2002. It describes specific criminal penalties for manipulation, destruction or alteration of financial records or other interference with investigations, while providing certain protections for whistle-blowers.

9. White Collar Crime Penalty Enhancement
Title IX consists of six sections. This section is also called the White Collar Crime Penalty Enhancement Act of 2002. This section increases the criminal penalties associated with white-collar crimes and conspiracies. It recommends stronger sentencing guidelines and specifically adds failure to certify corporate financial reports as a criminal offense.

10. Corporate Tax Returns
Title X consists of one section. Section 1001 states that the Chief Executive Officer should sign the company tax return.

11. Corporate Fraud Accountability
Title XI consists of seven sections. Section 1101 recommends a name for this title as Corporate Fraud Accountability Act of 2002. It identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific penalties. It also revises sentencing guidelines and strengthens their penalties. This enables the SEC to resort to temporarily freezing transactions or payments that have been deemed "large" or "unusual".

History and context: events contributing to the adoption of Sarbanes-Oxley


The Enron scandal deeply influenced the development of new regulations to improve the reliability of financial reporting, and increased public awareness about the importance of having accounting standards that show the financial reality of companies and the objectivity and independence of auditing firms.[4] One consequence of these events was the passage of the Sarbanes-Oxley Act in 2002, as a result of the first admissions of fraudulent behavior made by Enron. The act significantly raises criminal penalties for securities fraud, for destroying, altering or fabricating records in federal investigations or any scheme or attempt to defraud shareholders.[5][6] A variety of complex factors created the conditions and culture in which a series of large corporate frauds occurred between 2000–2002. The spectacular, highly-publicized frauds at Enron, WorldCom, and Tyco exposed significant problems with conflicts of interest and incentive compensation practices. The analysis of their complex and contentious root causes contributed to the passage of SOX in 2002.[7] In a 2004 interview, Senator Paul Sarbanes stated:

The Senate Banking Committee undertook a series of hearings on the problems in the markets that had led to a loss of hundreds and hundreds of billions, indeed trillions of dollars in market value. The hearings set out to lay the foundation for legislation. We scheduled 10 hearings over a six-week period, during which we brought in some of the best people in the country to testify...The hearings produced remarkable consensus on the nature of the problems: inadequate oversight of accountants, lack of auditor independence, weak corporate governance procedures, stock analysts' conflict of interests, inadequate disclosure provisions, and grossly inadequate funding of the Securities and Exchange Commission.[8]

Auditor conflicts of interest: Prior to SOX, auditing firms, the primary financial "watchdogs" for investors, were self-regulated. They also performed significant non-audit or consulting work for the companies they audited. Many of these consulting agreements were far more lucrative than the auditing engagement. This presented at least the appearance of a conflict of interest. For example, challenging the company's accounting approach might damage a client relationship, conceivably placing a significant consulting arrangement at risk, damaging the auditing firm's bottom line.

Boardroom failures: Boards of Directors, specifically Audit Committees, are charged with establishing oversight mechanisms for financial reporting in U.S. corporations on the behalf of investors. These scandals identified Board members who either did not exercise their responsibilities or did not have the expertise to understand the complexities of the businesses. In many cases, Audit Committee members were not truly independent of management.

Securities analysts' conflicts of interest: The roles of securities analysts, who make buy and sell recommendations on company stocks and bonds, and investment bankers, who help provide companies loans or handle mergers and acquisitions, provide opportunities for conflicts. Similar to the auditor conflict, issuing a buy or sell recommendation on a stock while providing lucrative investment banking services creates at least the appearance of a conflict of interest.

Inadequate funding of the SEC: The SEC budget has steadily increased to nearly double the pre-SOX level.[9] In the interview cited above, Sarbanes indicated that enforcement and rule-making are more effective post-SOX.

Banking practices: Lending to a firm sends signals to investors regarding the firm's risk. In the case of Enron, several major banks provided large loans to the company without understanding, or while ignoring, the risks of the company. Investors of these banks and their clients were hurt by such bad loans, resulting in large settlement payments by the banks. Others interpreted the willingness of banks to lend money to the company as an indication of its health and integrity, and were led to invest in Enron as a result. These investors were hurt as well.

Internet bubble: Investors had been stung in 2000 by the sharp declines in technology stocks and to a lesser extent, by declines in the overall market. Certain mutual fund managers were alleged to have advocated the purchasing of particular technology stocks, while quietly selling them. The losses sustained also helped create a general anger among investors.

Executive compensation: Stock option and bonus practices, combined with volatility in stock prices for even small earnings "misses," resulted in pressures to manage earnings.[10] Stock options were not treated as compensation expense by companies, encouraging this form of compensation. With a large stock-based bonus at risk, managers were pressured to meet their targets.

Timeline and passage of Sarbanes-Oxley

The House passed Rep. Oxley's bill (H.R. 3763) on April 24, 2002, by a vote of 334 to 90. The House then referred the "Corporate and Auditing Accountability, Responsibility, and Transparency Act" or "CAARTA" to the Senate Banking Committee with the support of President George W. Bush and the SEC. At the time, however, the Chairman of that Committee, Senator Paul Sarbanes (D-MD), was preparing his own proposal, Senate Bill 2673. Senator Sarbanes' bill passed the Senate Banking Committee on June 18, 2002, by a vote of 17 to 4. On June 25, 2002, WorldCom revealed it had overstated its earnings by more than $3.8 billion during the past five quarters (15 months), primarily by improperly accounting for its operating costs. Sen. Sarbanes introduced Senate Bill 2673 to the full Senate that same day, and it passed 97–0 less than three weeks later on July 15, 2002. The House and the Senate formed a Conference Committee to reconcile the differences between Sen. Sarbanes's bill (S. 2673) and Rep. Oxley's bill (H.R. 3763). The conference committee relied heavily on S. 2673 and most changes made by the conference committee strengthened the prescriptions of S. 2673 or added new prescriptions. (John T. Bostelman, The Sarbanes-Oxley Deskbook 2–31.) The Committee approved the final conference bill on July 24, 2002, and gave it the name "the Sarbanes-Oxley Act of 2002." The next day, both houses of Congress voted on it without change, producing an overwhelming margin of victory: 423 to 3 in the House and 99 to 0 in the Senate. On July 30, 2002, President George W. Bush signed it into law, stating it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt."[1]

Analyzing the cost-benefits of Sarbanes-Oxley


A significant body of academic research and opinion exists regarding the costs and benefits of SOX, with significant differences in conclusions. This is due in part to the difficulty of isolating the impact of SOX from other variables affecting the stock market and corporate earnings.[11][12] Conclusions from several of these studies and related criticism are summarized below:

Compliance costs

FEI Survey (Annual): Finance Executives International (FEI) provides an annual survey on SOX Section 404 costs. These costs have continued to decline relative to revenues since 2004. The 2007 study indicated that, for 168 companies with average revenues of $4.7 billion, the average compliance costs were $1.7 million (0.036% of revenue).[13] The 2006 study indicated that, for 200 companies with average revenues of $6.8 billion, the average compliance costs were $2.9 million (0.043% of revenue), down 23% from 2005. Cost for decentralized companies (i.e., those with multiple segments or divisions) were considerably more than centralized companies. Survey scores related to the positive effect of SOX on investor confidence, reliability of financial statements, and fraud prevention continue to rise. However, when asked in 2006 whether the benefits of compliance with Section 404 have exceeded costs in 2006, only 22 percent agreed.[14]

Foley & Lardner Survey (2007): This annual study focused on changes in the total costs of being a U.S. public company, which were significantly affected by SOX. Such costs include external auditor fees, directors and officers (D&O) insurance, board compensation, lost productivity, and legal costs. Each of these cost categories increased significantly between FY2001-FY2006. Nearly 70% of survey respondents indicated public companies with revenues under $251 million should be exempt from SOX Section 404.[15]

Zhang (2005): This research paper estimated SOX compliance costs as high as $1.4 trillion, by measuring changes in market value around key SOX legislative "events." This number is based on the assumption that SOX was the cause of related short-duration market value changes, which the author acknowledges as a drawback of the study.[16]

Butler/Ribstein (2006): Their book proposed a comprehensive overhaul or repeal of SOX and a variety of other reforms. For example, they indicate that investors could diversify their stock investments, efficiently managing the risk of a few catastrophic corporate failures, whether due to fraud or competition. However, if each company is required to spend a significant amount of money and resources on SOX compliance, this cost is borne across all publicly traded companies and therefore cannot be diversified away by the investor.[17]
Benefits to firms and investors

Arping/Sautner (2010): This research paper analyzes whether SOX enhanced corporate transparency.[18] Looking at foreign firms that are cross-listed in the US, the paper indicates that, relative to a control sample of comparable firms that are not subject to SOX, cross-listed firms became significantly more transparent following SOX. Corporate transparency is measured based on the dispersion and accuracy of analyst earnings forecasts.

Iliev (2007): This research paper indicated that SOX 404 indeed led to conservative reported earnings, but also reduced, rightly or wrongly, stock valuations of small firms.[19] Lower earnings often cause the share price to decrease.

Skaife/Collins/Kinney/LaFond (2006): This research paper indicates that borrowing costs are lower for companies that improved their internal control, by between 50 and 150 basis points (.5 to 1.5 percentage points).[20]

Lord & Benoit Report (2006): Do the Benefits of 404 Exceed the Cost? A study of a population of nearly 2,500 companies indicated that those with no material weaknesses in their internal controls, or companies that corrected them in a timely manner, experienced much greater increases in share prices than companies that did not.[21][22] The report indicated that the benefits to a compliant company in share price (10% above Russell 3000 index) were greater than their SOX Section 404 costs.

Institute of Internal Auditors (2005): The research paper indicates that corporations have improved their internal controls and that financial statements are perceived to be more reliable.[23]

Effects on exchange listing choice of non-US companies


Some have asserted that Sarbanes-Oxley legislation has helped displace business from New York to London, where the Financial Services Authority regulates the financial sector with a lighter touch. In the UK, the non-statutory Combined Code of Corporate Governance plays a somewhat similar role to SOX. See Howell E. Jackson & Mark J. Roe, Public Enforcement of Securities Laws: Preliminary Evidence (Working Paper January 16, 2007). The Alternative Investment Market claims that its spectacular growth in listings almost entirely coincided with the Sarbanes-Oxley legislation. In December 2006 Michael Bloomberg, New York's mayor, and Charles Schumer, a US senator, expressed their concern.[24] The Sarbanes-Oxley Act's effect on non-US companies cross-listed in the US is different on firms from developed and well regulated countries than on firms from less developed countries according to Kate Litvak.[25] Companies from badly regulated countries see benefits that are higher than the costs from better credit ratings by complying with regulations in a highly regulated country (USA), but companies from developed countries only incur the costs, since transparency is adequate in their home countries as well. On the other hand, the benefit of better credit rating also comes with listing on other stock exchanges such as the London Stock Exchange. Piotroski and Srinivasan (2008) examine a comprehensive sample of international companies that list onto U.S. and U.K. stock exchanges before and after the enactment of the Act in 2002. Using a sample of all listing events onto U.S. and U.K. exchanges from 1995–2006, they find that the listing preferences of large foreign firms choosing between U.S. exchanges and the LSE's Main Market did not change following SOX. In contrast, they find that the likelihood of a U.S. listing among small foreign firms choosing between the Nasdaq and LSE's Alternative Investment Market decreased following SOX. The negative effect among small firms is consistent with these companies being less able to absorb the incremental costs associated with SOX compliance. The screening of smaller firms with weaker governance attributes from U.S. exchanges is consistent with the heightened governance costs imposed by the Act increasing the bonding-related benefits of a U.S. listing.[26]

SUMMARY: As directed by Section 404 of the Sarbanes-Oxley Act of 2002, we are adopting rules requiring companies subject to the reporting requirements of the Securities Exchange Act of 1934, other than registered investment companies, to include in their annual reports a report of management on the company's internal control over financial reporting. The internal control report must include: a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company; management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year; a statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting; and a statement that the registered public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting. Under the new rules, a company is required to file the registered public accounting firm's attestation report as part of the annual report. Furthermore, we are adding a requirement that management evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting. Finally, we are adopting amendments to our rules and forms under the Securities Exchange Act of 1934 and the Investment Company Act of 1940 to revise the Section 302 certification requirements and to require issuers to provide the certifications required by Sections 302 and 906 of the Sarbanes-Oxley Act of 2002 as exhibits to certain periodic reports.

A. Management's Report on Internal Control over Financial Reporting
In this release, we implement Section 404 of the Sarbanes-Oxley Act of 2002 (the "Sarbanes-Oxley Act"), which requires us to prescribe rules requiring each annual report that a company, other than a registered investment company,[24] files pursuant to Section 13(a) or 15(d) of the Exchange Act to contain an internal control report: (1) stating management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) containing an assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting. Section 404 also requires every registered public accounting firm that prepares or issues an audit report on a company's annual financial statements to attest to, and report on, the assessment made by management. The attestation must be made in accordance with standards for attestation engagements issued or adopted by the Public Company Accounting Oversight Board ("PCAOB").[25] Section 404 further stipulates that the attestation cannot be the subject of a separate engagement of the registered public accounting firm. We received over 200 comment letters in response to our release proposing requirements to implement Sections 404, 406 and 407 of the Sarbanes-Oxley Act.[26] Of these, 61 respondents commented on the Section 404 proposals.[27] These comment letters came from corporations, professional associations, accountants, law firms, consultants, academics, investors and others. In general, the commenters supported the objectives of the proposed new requirements. Investors supported the manner in which we proposed to achieve these objectives and, in some cases, urged us to require additional disclosure from companies. Other commenters, however, thought that we were requiring more disclosure than necessary to fulfill the mandates of the Sarbanes-Oxley Act and suggested modifications to the proposals.
We have reviewed and considered all of the comments that we received on the proposals. The adopted rules reflect many of these comments -- we discuss our conclusions with respect to each topic and related comments in more detail throughout the release.

B. Certifications
We also are adopting amendments to require companies to file the certifications mandated by Sections 302 and 906 of the Sarbanes-Oxley Act as exhibits to annual, semi-annual and quarterly reports. Section 302 required the Commission to adopt final rules that were to be effective by August 29, 2002, under which the principal executive and principal financial officers, or persons performing similar functions, of a company filing periodic reports under Section 13(a) or 15(d) of the Exchange Act[28] must provide a certification in each quarterly and annual report filed with the Commission.[29] Section 906 of the Sarbanes-Oxley Act added new Section 1350 to Title 18 of the United States Code, which contains a certification requirement subject to specific federal criminal provisions and that is separate and distinct from the certification requirement mandated by Section 302.[30] On August 28, 2002, we adopted Exchange Act Rules 13a-14 and 15d-14 and Investment Company Act Rule 30a-2 and amended our periodic report forms to implement the statutory directive in Section 302.[31] These rules and amendments became effective on August 29, 2002. On January 27, 2003, we adopted Form N-CSR to be used by registered management investment companies to file certified shareholder reports with the Commission.[32] The provisions added to Title 18 by Section 906 were by their terms effective on enactment of the Sarbanes-Oxley Act. To enhance the ability of interested parties to effectively access the certifications through our Electronic Data Gathering, Analysis and Retrieval ("EDGAR") system and thereby enhance compliance with the certification requirements, we proposed to amend our rules and forms to require a company to file the certifications as an exhibit to the periodic reports to which they relate.[33] The proposals addressed both Section 302 and 906 certifications. After discussions with the Department of Justice, we concluded that, in light of the inconsistent methods that companies have been employing to fulfill their obligations under Section 906,[34] an exhibit requirement would consistently enable investors and the Commission staff, as well as the Department of Justice, to more effectively monitor compliance with this certification requirement.

In response, the Committee of Sponsoring Organizations of the Treadway Commission ("COSO")[41] undertook an extensive study of internal control to establish a common definition that would serve the needs of companies, independent public accountants, legislators and regulatory agencies, and to provide a broad framework of criteria against which companies could evaluate the effectiveness of their internal control systems. In 1992, COSO published its Internal Control -- Integrated Framework.[42] The COSO Framework defined internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives" in three categories--effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations. COSO further stated that internal control consists of: the control environment, risk assessment, control activities, information and communication, and monitoring. The scope of internal control therefore extends to policies, plans, procedures, processes, systems, activities, functions, projects, initiatives, and endeavors of all types at all levels of a company.

Sarbanes-Oxley Section 302: Disclosure controls


Under Sarbanes-Oxley, two separate sections came into effect: one civil and the other criminal. 15 U.S.C. 7241 (Section 302) (civil provision); 18 U.S.C. 1350 (Section 906) (criminal provision). Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are responsible for establishing and maintaining internal controls and have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared. 15 U.S.C. 7241(a)(4). The officers must have evaluated the effectiveness of the company's internal controls as of a date within 90 days prior to the report and have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date. Id.

The SEC interpreted the intention of Sec. 302 in Final Rule 33-8124. In it, the SEC defines the new term "disclosure controls and procedures", which are distinct from "internal controls over financial reporting".[27] Under both Section 302 and Section 404, Congress directed the SEC to promulgate regulations enforcing these provisions.[28] External auditors are required to issue an opinion on whether effective internal control over financial reporting was maintained in all material respects by management. This is in addition to the financial statement opinion regarding the accuracy of the financial statements. The requirement to issue a third opinion regarding management's assessment was removed in 2007.

Sarbanes-Oxley Section 401: Disclosures in periodic reports (Off-balance sheet items)
The bankruptcy of Enron drew attention to off-balance sheet instruments that were used fraudulently. During 2010, the court examiner's review of the Lehman Brothers bankruptcy also brought these instruments back into focus, as Lehman had used an instrument called "Repo 105" to allegedly move assets and debt off-balance sheet to make its financial position look more favorable to investors. Sarbanes-Oxley required the disclosure of all material off-balance sheet items. It also required an SEC study and report to better understand the extent of usage of such instruments and whether accounting principles adequately addressed these instruments; the SEC report was issued June 15, 2005.[29][30] Interim guidance was issued in May 2006, which was later finalized.[31] Critics argued the SEC did not take adequate steps to regulate and monitor this activity.[32]

Sarbanes-Oxley Section 404: Assessment of internal control

Further information: SOX 404 top-down risk assessment


The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.[33] Under Section 404 of the Act, management is required to produce an internal control report as part of each annual Exchange Act report. See 15 U.S.C. 7262. The report must affirm the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting. 15 U.S.C. 7262(a). The report must also contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. To do this, managers are generally adopting an internal control framework such as that described in COSO. To help alleviate the high costs of compliance, guidance and practice have continued to evolve. The Public Company Accounting Oversight Board (PCAOB) approved Auditing Standard No. 5 for public accounting firms on July 25, 2007.[34] This standard superseded Auditing Standard No. 2, the initial guidance provided in 2004. The SEC also released its interpretive guidance on June 27, 2007.[35] It is generally consistent with the PCAOB's guidance, but intended to provide guidance for management. Both management and the external auditor are responsible for performing their assessment in the context of a top-down risk assessment, which requires management to base both the scope of its assessment and evidence gathered on risk. This gives management wider discretion in its assessment approach. These two standards together require management to:

Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks; Understand the flow of transactions, including IT aspects, sufficient enough to identify points at which a misstatement could arise; Evaluate company-level (entity-level) controls, which correspond to the components of the COSO framework; Perform a fraud risk assessment;

Evaluate controls designed to prevent or detect fraud, including management override of controls; Evaluate controls over the period-end financial reporting process; Scale the assessment based on the size and complexity of the company; Rely on management's work based on factors such as competency, objectivity, and risk; Conclude on the adequacy of internal control over financial reporting.

SOX 404 compliance costs represent a tax on inefficiency, encouraging companies to centralize and automate their financial reporting systems. This is apparent in the comparative costs of companies with decentralized operations and systems versus those with centralized, more efficient systems. For example, the 2007 FEI survey indicated average compliance costs for decentralized companies were $1.9 million, while centralized company costs were $1.3 million.[36] Costs of evaluating manual control procedures are dramatically reduced through automation.

Sarbanes-Oxley Section 302: Disclosure controls


Under Sarbanes-Oxley, two separate sections came into effect, one civil and the other criminal: 15 U.S.C. 7241 (Section 302) (civil provision) and 18 U.S.C. 1350 (Section 906) (criminal provision). Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are responsible for establishing and maintaining internal controls and have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared. 15 U.S.C. 7241(a)(4). The officers must have evaluated the effectiveness of the company's internal controls as of a date within 90 days prior to the report and have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date. Id. The SEC interpreted the intention of Sec. 302 in Final Rule 33-8124. In it, the SEC defines the new term "disclosure controls and procedures", which are distinct from "internal controls over financial reporting".[27] Under both Section 302 and Section 404, Congress directed the SEC to promulgate regulations enforcing these provisions.[28] External auditors are required to issue an opinion on whether effective internal control over financial reporting was maintained in all material respects by management. This is in addition to the financial statement opinion regarding the accuracy of the financial statements. The requirement to issue a third opinion regarding management's assessment was removed in 2007.

Sarbanes-Oxley Section 401: Disclosures in periodic reports (Off-balance sheet items)

The bankruptcy of Enron drew attention to off-balance sheet instruments that were used fraudulently. During 2010, the court examiner's review of the Lehman Brothers bankruptcy also brought these instruments back into focus, as Lehman had used an instrument called "Repo 105" to allegedly move assets and debt off-balance sheet to make its financial position look more favorable to investors. Sarbanes-Oxley required the disclosure of all material off-balance sheet items. It also required an SEC study and report to better understand the extent of usage of such instruments and whether accounting principles adequately addressed these instruments; the SEC report was issued June 15, 2005.[29][30] Interim guidance was issued in May 2006, which was later finalized.[31] Critics argued the SEC did not take adequate steps to regulate and monitor this activity.[32]

Definition of internal control and framework objectives


The COSO framework defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide "reasonable assurance" regarding the achievement of objectives in the following categories:

Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private-sector organization, established in the United States, dedicated to providing guidance to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established a common internal control model against which companies and organizations may assess their control systems.

Organizational overview


COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission). The Treadway Commission was originally jointly sponsored and funded by five main professional accounting associations and institutes headquartered in the United States: the American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Financial Executives International (FEI), Institute of Internal Auditors (IIA) and the Institute of Management Accountants (IMA). The Treadway Commission recommended that the organizations sponsoring the Commission work together to develop integrated guidance on internal control. These five organizations formed what is now called the Committee of Sponsoring Organizations of the Treadway Commission. The original chairman of the Treadway Commission was James C. Treadway, Jr., Executive Vice President and General Counsel, Paine Webber Incorporated and a former Commissioner of the U.S. Securities and Exchange Commission; hence the popular name "Treadway Commission". David L. Landsittel is the COSO Chairman; he replaced Larry E. Rittenberg.

History

Due to questionable corporate political campaign finance practices and foreign corrupt practices in the mid-1970s, the U.S. Securities and Exchange Commission (SEC) and the U.S. Congress enacted campaign finance law reforms and the 1977 Foreign Corrupt Practices Act (FCPA), which criminalized transnational bribery and required companies to implement internal control programs. In response, the Treadway Commission, a private-sector initiative, was formed in 1985 to inspect, analyze, and make recommendations on fraudulent corporate financial reporting. The Treadway Commission studied the financial information reporting system over the period from October 1985 to September 1987 and issued a report of findings and recommendations in October 1987 titled Report of the National Commission on Fraudulent Financial Reporting.[1] As a result of this initial report, the Committee of Sponsoring Organizations (COSO) was formed, and it retained Coopers & Lybrand, a major CPA firm, to study the issues and author a report regarding an integrated framework of internal control. In September 1992, the four-volume report entitled Internal Control - Integrated Framework[2] was released by COSO and later re-published with minor amendments in 1994. This report presented a common definition of internal control and provided a framework against which internal control systems may be assessed and improved. This report is one standard that U.S. companies use to evaluate their compliance with the FCPA. According to a poll by CFO Magazine released in 2006, 82% of respondents claimed they used COSO's framework for internal controls. Other frameworks used by respondents included COBIT, AS2 (Auditing Standard No. 2, PCAOB), and SAS 55/78 (AICPA).[3]

Internal control - integrated framework


Key concepts of the COSO framework

The COSO framework involves several key concepts:

Internal control is a process. It is a means to an end, not an end in itself.

Internal control is effected by people. It is not merely policy, manuals, and forms, but people at every level of an organization.

Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.

Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

Use of the capability maturity model

The capabilities of an organization in relation to the COSO model can be assessed against states or plateaus that organizations typically target. The descriptions are incremental and are based on evolution toward generally recognized best practices. Each organization determines which level of "maturity" is most appropriate in support of its business needs, priorities and availability of resources. A rating system of 0 to 5 is used. A rating of 5 does not necessarily mean goodness, but rather maturity of capability; the ideal maturity rating for any area depends on the needs of the organization. The progressive plateaus are:

0 Non-existent, when: the organization lacks procedures to monitor the effectiveness of internal controls; management internal control reporting methods are absent; there is a general unawareness of internal controls and assurance; management and employees have an overall lack of awareness of internal controls.

1 Initial/Ad hoc, when: management recognizes the need for internal controls and control assurance; individual expertise in assessing internal control adequacy is applied on an ad hoc basis; management has not formally assigned responsibility for monitoring the effectiveness of internal controls; internal control assessments are conducted as part of traditional financial audits, with methodologies and skill sets that do not reflect the needs of the information services function.

2 Repeatable but intuitive, when: the organization uses informal control reports to initiate corrective action initiatives; internal control assessment is dependent on the skill sets of key individuals; the organization has an increased awareness of internal control monitoring; information service management performs monitoring over the effectiveness of what it believes are critical internal controls on a regular basis; methodologies and tools for monitoring internal controls are starting to be used, but not based on a plan; risk factors specific to the environment are identified based on the skills of individuals.

3 Defined, when: management supports and institutes internal control monitoring; policies and procedures are developed for assessing and reporting on internal control monitoring activities; an education and training program for internal control monitoring is defined; a process is defined for self-assessments and internal control assurance reviews, with roles for responsible managers; tools are being utilized but are not necessarily integrated into all processes; process-specific risks and mitigation policies are defined.

4 Managed and measurable, when: management implements a framework for internal control monitoring; the organization establishes tolerance levels for the internal control monitoring process; tools are implemented to standardize assessments and automatically detect control exceptions; a formal internal control function is established, with specialized and certified professionals utilizing a formal control framework endorsed by senior management; skilled staff members routinely participate in internal control assessments; a metrics knowledge base for historical information on internal control monitoring is established; peer reviews for internal control monitoring are established.

5 Optimized, when: management establishes an organization-wide continuous improvement program that takes into account lessons learned and industry best practices for internal control monitoring and reporting; the organization uses integrated and updated tools, where appropriate, that allow effective assessment of critical controls and rapid detection of control monitoring incidents; knowledge sharing specific to the information services function is formally implemented; benchmarking against industry standards and good practices is formalized.


The five framework components

The COSO internal control framework consists of five interrelated components derived from the way management runs a business. According to COSO, these components provide an effective framework for describing and analyzing the internal control system implemented in an organization as required by financial regulations (see Securities Exchange Act of 1934, Section 240 15d-15). The five components are the following:

Control environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.

Risk assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives; thus risk assessment is the identification and analysis of relevant risks to the achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.

Control activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address the risks that may hinder the achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Information and communication: Information systems play a key role in internal control systems, as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. For example, formalized procedures exist for people to report suspected fraud. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders, about related policy positions.

Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

Limitations

Internal control involves human action, which introduces the possibility of errors in processing or judgment. Internal control can also be overridden by collusion among employees (see separation of duties) or coercion by top management. CFO magazine reported that companies are struggling to apply the complex model provided by COSO. One of the biggest problems: limiting internal audits to one of the three key objectives of the framework. In the COSO model, those objectives are applied to five key components (monitoring, information and communication, control activities, risk assessment, and control environment). Given the number of possible matrices, it's not surprising that the number of audits can get out of hand.[4] CFO magazine continued by stating that many organizations are creating their own risk-and-control matrix by taking the COSO model and altering it to focus on the components that relate directly to Section 404 of the Sarbanes-Oxley Act.

Enterprise risk management - integrated framework

In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to develop a framework that would be readily usable by management to evaluate and improve their organizations' enterprise risk management. High-profile business scandals and failures (e.g. Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom) led to calls for enhanced corporate governance and risk management. As a result, the Sarbanes-Oxley Act was enacted. This law extends the long-standing requirement for public companies to maintain systems of internal control, requiring management to certify and the independent auditor to attest to the effectiveness of those systems. The Internal Control - Integrated Framework continues to serve as the broadly accepted standard for satisfying those reporting requirements; however, in 2004 COSO published Enterprise Risk Management - Integrated Framework.[5] COSO believes this framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management.

Four categories of business objectives

This enterprise risk management framework is still geared to achieving an entity's objectives; however, it now includes four categories:

Strategic: high-level goals, aligned with and supporting its mission
Operations: effective and efficient use of its resources
Reporting: reliability of reporting
Compliance: compliance with applicable laws and regulations

Eight framework components

The eight components of enterprise risk management encompass the previous five components of the Internal Control - Integrated Framework while expanding the model to meet the growing demand for risk management:

Internal environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.

Event identification: Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

Risk assessment: Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.

Risk response: Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.

Control activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Information and communication: Relevant information is identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.

Monitoring: The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

COSO believes the Enterprise Risk Management - Integrated Framework provides a clearly defined interrelationship between an organization's risk management components and objectives that will fill the need to meet new laws, regulations, and listing standards, and expects it will become widely accepted by companies and other organizations and interested parties.

Limitations

COSO admits in its report that while enterprise risk management provides important benefits, limitations exist. Enterprise risk management is dependent on human judgment and is therefore susceptible to errors in decision making. Human failures such as simple errors or mistakes can lead to inadequate responses to risk. In addition, controls can be circumvented by collusion of two or more people, and management has the ability to override enterprise risk management decisions. These limitations preclude a board and management from having absolute assurance as to achievement of the entity's objectives. Although COSO claims its expanded model provides more risk management, companies are not required to switch to the new model if they are already using the Internal Control - Integrated Framework.

Other significant publications by COSO

ICoFR - Guidance for Smaller Public Companies

Although the components of the Internal Control - Integrated Framework apply to all entities, small and mid-size companies may implement them differently than large ones. Small and mid-sized companies' controls may be less formal and less structured, yet a small company can still have effective internal control. To help small and mid-sized companies, COSO published Internal Control over Financial Reporting - Guidance for Smaller Public Companies[6] in 2006 to support smaller organizations in implementing adequate internal controls over financial reporting (ICoFR). This report is not intended to replace the framework but to provide guidance on how to apply it. It is directed at smaller companies that have experienced unanticipated challenges meeting the requirements. While each component of the control framework must be present and functioning, this does not mean that each component should function identically or even at the same level in every company.

COSO Guidance on Monitoring Internal Control Systems

Companies have invested heavily in improving the quality of their internal controls; however, COSO noted that many organizations do not fully understand the importance of the monitoring component of the COSO framework and the role it plays in streamlining the assessment process. In January 2009, COSO published its Guidance on Monitoring Internal Control Systems[7] (COSO's Monitoring Guidance) to clarify the monitoring component of internal control. Over time, effective monitoring can lead to organizational efficiencies and reduced costs associated with public reporting on internal control, because problems are identified and addressed in a proactive, rather than reactive, manner. COSO's Monitoring Guidance builds on two fundamental principles originally established in COSO's 2006 Guidance:

Ongoing and/or separate evaluations enable management to determine whether the other components of internal control continue to function over time, and

Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate.

The monitoring guidance further suggests that these principles are best achieved through monitoring that is based on three broad elements:

Establishing a foundation for monitoring, including (a) a proper tone at the top; (b) an effective organizational structure that assigns monitoring roles to people with appropriate capabilities, objectivity and authority; and (c) a starting point or baseline of known effective internal control from which ongoing monitoring and separate evaluations can be implemented;

Designing and executing monitoring procedures focused on persuasive information about the operation of key controls that address meaningful risks to organizational objectives; and

Assessing and reporting results, which includes evaluating the severity of any identified deficiencies and reporting the monitoring results to the appropriate personnel and the board for timely action and follow-up if needed.

The role of internal audit

Internal auditors play an important role in evaluating the effectiveness of control systems. As an independent function reporting to top management, internal audit is able to assess the internal control systems implemented by the organization and contribute to their ongoing effectiveness. As such, internal audit often plays a significant monitoring role. In order to preserve its independence of judgment, internal audit should not take any direct responsibility for designing, establishing, or maintaining the controls it is supposed to evaluate. It may only advise on potential improvements to be made.

The role of external audit

Under Section 404 of the Sarbanes-Oxley Act, management and the external auditors are required to report on the adequacy of the company's internal control over financial reporting. Auditing Standard No. 5, published by the Public Company Accounting Oversight Board, requires auditors to use the same suitable, recognized control framework to perform their audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company's internal control over financial reporting (AS No. 5.5).

Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70 and available in full text by permission of the AICPA, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), with its content codified as AU 324. SAS 70 provides guidance to service auditors when assessing the internal controls of a service organization and issuing a service auditor's report. SAS 70 also provides guidance to auditors of financial statements of an entity that uses one or more service organizations. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses. There are two types of service auditor reports. A Type I service auditor's report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives. A Type II service auditor's report includes the information contained in a Type I service auditor's report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review.


Background
SAS 70 was originally titled Reports on the Processing of Transactions by Service Organizations but was changed by Statement on Auditing Standards No. 88 to "Service Organizations". The guidance contained in SAS 70 is effective for all service auditors' reports dated after March 31, 1993.

SAS 55

In 1988, the AICPA issued SAS 55, titled Consideration of the Internal Control Structure in a Financial Statement Audit. SAS 55 required that financial statement auditors assess the internal control related to any process that could impact the client's financial reporting objectives. In cases where the client outsourced a critical process that impacted the financial statements, the auditor was required to assess the internal control of that process as it is performed by the service organization. For example, an auditor might be required to examine the manner in which a payroll processing company controls the processing of payroll for its client. This situation was very detrimental to many service organizations, since all of their clients' auditors had an obligation to perform the same internal control assessment on them. The overwhelming resources that service organizations were spending complying with requests from financial auditors led the AICPA to issue SAS 70. In layman's terms, SAS 70 allowed for one internal control review to be performed on a service organization that examined all of the areas that the financial statement auditors were required to consider to meet SAS 55 requirements. The resulting service auditor's report (i.e. SAS 70 report) can be distributed to and relied upon by all of the financial statement auditors of the service organization's clients. The extent of that reliance is based on whether a Type I or Type II SAS 70 audit was performed.

SAS 94

In 2001, SAS 55 was amended by SAS 94, titled The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit. SAS 94 obliges financial statement auditors to place an increased focus on the growing role of information technology in meeting financial reporting objectives. Given this change, SAS 70 reports now place similar emphasis on information technology's role in the control environment of service organizations. This helps to ensure that the SAS 70 report contains all of the information required by user organization auditors.

SAS 109

In 2006, SAS 55 was superseded by SAS 109 (codified as AU 314), which provided an expanded theory regarding an auditor's responsibility to understand the entity under audit, including, among other items, the information systems employed by the entity under audit. This understanding is to be used in determining certain risks associated with the financial statements and audit.

Changing uses of the SAS 70

Over the last few years, the use of the SAS 70 audit has migrated to non-traditional uses. Companies in the financial services industry are being required to show adequate oversight of service providers, such as obtaining a SAS 70 review conducted to comply with Gramm-Leach-Bliley Act (GLBA) requirements. Service organizations which provide services to healthcare companies are often asked by their clients to have a SAS 70 audit conducted to ensure an independent third party has examined the controls over the processing of sensitive healthcare information. While some companies utilize the SAS 70 audit to promote themselves in the "Other Information Provided by Service Organization" section, the more appropriate application is to utilize properly modified objectives from internal control framework(s) appropriate to their industry and company, such as COSO, COBIT for SOX, ISO, ITIL, BITS, or the AICPA's Trust Principles (which are specifically applicable to SysTrust or WebTrust services).

Users of SAS 70 audit reports

User Auditor
Traditionally, service auditor reports are primarily used as auditor-to-auditor communication. The auditors of the service organization's customers (i.e. user auditors) can use the service auditor's report to gain an understanding of the internal controls in operation at the service organization. Additionally, Type II service auditor reports can be used by the user organization's auditors to assess internal control risk for the purposes of planning and executing their financial audit.

Other Third Parties External to Service Organizations

Service auditor reports are growing in popularity and are being used by customers, prospective customers and financiers to gain an understanding of the control environment of outsourcing companies. In some cases, these third parties are not intended users of the report, but still find value in using it as independent third-party verification that controls are in place and are operating effectively. Unless the CPA firm marks the report as restricted use only, the service organization retains control of distributing the report. Every service auditor's report contains an auditor's opinion letter. The opinion letter is required to contain a paragraph that defines the authorized users of the report. On rare occasions, this paragraph is limited to a specific third party, which may or may not be a user organization. Use of the report is typically restricted to the service organization's management, its customers, and the financial statement auditors of its customers. Typically, a statement in the final paragraph reads:

This report is intended solely for use by the management of XYZ Service Organization, its user organizations, and the independent auditors of its user organizations.

Financial Statement Auditor of Service Organization
The report is not designed to support the financial statement auditors of the service organization, because the service organization's own financial reporting IT controls are not the target of a SAS 70 audit. The scope of a SAS 70 audit is the environment supporting the user organizations' processes. However, the Entity Level Control Considerations prepared by a service organization's external auditor may be useful for a SAS 70 report. Other auditing standards address the appropriate process for obtaining client authorization so that auditors of different firms can obtain audit information about a shared client, which may include the sharing of workpapers and reports between the auditors.

Audit frequency

Type 1 audits are typically performed no more than once per year; however, there is no technical reason for this practice. In fact, many companies use the Type 1 audit as a primer and tend to move on to a Type 2 audit for subsequent audits. Sarbanes-Oxley Act (SOX) provisions that require a Type 2 audit have made this a very common practice.[citation needed] Type 2 audits are also typically performed once per year; however, a small percentage of companies undergo multiple Type 2 audits during any 12-month period. There is no technical guidance that states, or even recommends, a Type 2 audit frequency requirement. It is generally expected that the frequency will be no less than once per year.[citation needed] The SAS 70 audit guide recommends, but does not require, that Type 2 examination periods be at least six months in length. Companies generally choose a review period between six and 12 months. There is no requirement or recommendation that the examination period fall completely within the calendar year; SAS 70 audits are performed throughout the calendar year. Each service organization is responsible for making its own decisions regarding the type of audit it undergoes, the timing of the audit, and, in the case of a Type 2 audit, the review period. User organizations will want a Type 2 audit report whose examination period has as many months as possible falling within their own fiscal year and whose examination period end date is within three months of their fiscal year end. Most service organizations have many user organizations and often cannot satisfy all of their clients if they perform only one audit per year, regardless of the length of the review period. For example, a company could have a 12-month Type 2 SAS 70 audit review period ending 12/31. This report would be less than ideal for clients with 6/30 fiscal year-ends because it will be six months "old" by that point in time. However, this issue does not render the report useless, and audit guidance and SOX guidance provide specific directions for dealing with this common situation when it occurs.[citation needed]

SAS 70 Report Types

Report on controls placed in operation
A report on controls placed in operation, referred to as a Type 1 report, opines on controls that are in place as of a date in time. The opinion states whether the controls are fairly presented, whether the controls are suitably designed to achieve defined control objectives, and whether the controls were in place as of a specific date. Since these reports only provide assurance over a single day, they are of limited value to third parties.

Report on controls placed in operation and tests of operating effectiveness

A report on controls placed in operation and tests of operating effectiveness, or Type 2 report, opines on controls that were in place over a period of time, typically six months or more. The opinion states everything covered by a Type 1 report and, in addition, whether the controls operated effectively enough to achieve the defined control objectives during the specified period. Third parties are better able to rely on these reports because verification of these matters is provided for a substantial period of time.[1]

SAS 70 and Sarbanes-Oxley Act of 2002

With the introduction of the Sarbanes-Oxley Act of 2002 (SOX), SAS 70 took on increased importance. SOX adopted the COSO model of controls,[citation needed] which is the same model that SAS 70 audits have used since their inception. SOX heightened the focus placed on understanding the controls over financial reporting and identified a Type II SAS 70 report as the only acceptable method for a third party to provide assurance over a service organization's controls. Security "certifications" are not accepted as substitutes for a Type II SAS 70 audit report. PCAOB's Auditing Standard No. 5 (which replaced AS 2) details how a SAS 70 audit should be used in relation to SOX.[2]

Proposed Changes to SAS 70

The AICPA has proposed changes that would move the guidance for service auditors to the Statements on Standards for Attestation Engagements (SSAE), naming the standard Reporting on Controls at a Service Organization. The guidance for user auditors would remain in AU section 324 (the codified location of SAS 70) but would be renamed Audit Considerations Relating to an Entity Using a Service Organization.[3] The new standard for service auditors, Statement on Standards for Attestation Engagements No. 16 (SSAE 16), will be formally issued in June 2010 and is effective June 15, 2011. Because many organizations have reporting periods that cover a full 12-month period and begin in July, the new standard will affect many organizations as early as July 1, 2010.[4]

Similar International Guidance

United Kingdom
A SAS 70 is similar to the United Kingdom guidance provided by the Audit and Assurance Faculty of the Institute of Chartered Accountants in England and Wales. The technical release is titled AAF 01/06, which supersedes the earlier FRAG 21/94 guidance.

Canada
In Canada, a similar report known as a Section 5970 report may be issued by a service organization auditor. It usually gives two separate audit opinions on the controls in place. Furthermore, it may also give an opinion on the operating effectiveness over a period. These reports tend to be quite long, with descriptions of the controls in place.

India
In India, reporting requirements similar to those of the SAS 70 report in the United States are defined in Audit and Assurance Standards 24, "Audit Consideration Relating to Entities Using Service Organizations". AAS 24 is issued by the Institute of Chartered Accountants of India and is operative for all audits relating to periods beginning on or after April 1, 2003.
