SOX education
29 July 2004 was the second anniversary of the following exchange in the House of Lords:
“Lord Sharman: My Lords, I beg leave to ask the Question standing in my name on the Order Paper. In so doing, I declare an interest as a paid adviser to KPMG.
‘To ask Her Majesty’s Government whether they will make representations to the United States government to limit the extraterritorial effect of Senator Sarbane’s bill regarding the regulation of auditors.’
“Lord Sainsbury of Turville: My Lords, high-level representations were made to the United States Government about the extra-territorial effect of the proposed Sarbane bill by the United Kingdom Government and by the European Commission. The Accounting Bill, which combines elements of both the Sarbane and the Oxley bills, is expected to be signed by President Bush this week. We believe that our lobbying has had some success, but concerns about the legislation remain. We are therefore continuing to pursue these matters at national and European level with the US administration.”
SOX and the City
A new law aimed at preventing Enron-style corporate scandals is about to bite for corporate America, with possible knock-on effects for some undertakings in the UK. However, the financial services and banking industries in the EU should also be gearing up for the impact of both the Basel II Accord and the draft EU Auditing Directive, dealt with later in this article.
The USA’s Sarbanes-Oxley Act 2002 (also known as “SOX”, “Sarbox” or “SOA”) was enacted on 30 July 2002 as a response to the scandal-driven loss of confidence in the capital markets. The Act established the US Public Company Accounting Oversight Board (PCAOB). The PCAOB is a private, non-profit corporation whose mission is to “protect investors in US securities markets and to further the public interest by ensuring that public company financial statements are audited according to the highest standards of quality, independence, and ethics”. The Board is funded principally by fees from public companies.
On 6 May 2003, the PCAOB adopted its Final Auditor Registration Rules. All non-US public accounting firms that wish to prepare or issue audit reports on US public companies, or to make a substantial contribution to the preparation or issuance of such reports, should have been registered by 19 July 2004 if they wished to continue that work.
Although the Act has been law since 2002, 15 November 2004 is the date from which its most demanding provision, the section 404 reporting on internal controls over financial reporting, applies to larger US-listed companies (“accelerated filers”) for financial years ending on or after that date. Affected companies should therefore have been working on their compliance issues for quite some time. According to Margaret Brooks, director of strategic business development and SOX specialist at Computer Associates, “Finance departments ‘get it’ but a lot of senior managers don’t know what’s going to hit them”.
The Act covers a whole range of governance issues such as the types of trading that are allowed within a company. Other measures regulate the responsibilities of audit committees and offer protection to whistleblowers.
The IT challenge of SOX is ensuring that the Act is observed and that compliance can be demonstrated and reported. This has implications for the archiving of communications and for the creation of transparent, auditable systems for recording transactions, dealings and any kind of business correspondence.
Many IT managers assume that every single file, email or phone call is going to have to be recorded. It is true that this approach would achieve compliance, but according to Mark Ellis, Computer Associates’ director of storage and information management, SOX is not quite so demanding. Ellis describes such a response as being “like a rabbit caught in the headlights”, and explains that “Legal compliance is not about what you need to keep, it’s about knowing what you can delete.” Companies need to find out more about this complicated legislation. Most are having to work with accredited auditors and consultants to ensure they have “ticked all the right boxes”. In the US, Ernst & Young and PwC each account for about a fifth of this market, with KPMG and Deloitte & Touche accounting for about 13 per cent each. These firms can test compliance and search for “material weaknesses” – flaws in internal control serious enough to fail the SOX test.
Though many UK firms are not at present legally required to meet the Sarbanes-Oxley level of auditing standards, this may soon change. Further, Oracle’s head of finance and compliance in the UK, Michelle Maden, argued that meeting those standards could in any event generate wider benefits. “The Sarbanes-Oxley Act incorporates sound aspects of corporate governance”, she explained.
Putting Y2K in the shade
EU financial institutions and their IT departments certainly need to be aware of the Basel II Accord, agreed in June 2004, in relation to bank capital. Jean-Claude Trichet, chairman of the G10 group of central bank governors, said that the new Basel II framework “will enhance banks’ safety and soundness, strengthen the stability of the financial system as a whole, and improve the financial sector’s ability to serve as a source for sustainable growth for the broader economy”.
The Basel II rules, which have been under discussion for more than five years, are intended to make the world’s banking system more stable and efficient by aligning the amount of capital banks hold with the level of risk on their books.
Implementation is set to begin at the end of 2006. The systems and data implications of Basel II are huge, and the workload to become compliant will be significant. Estimates vary, but the cost of compliance for the global industry is generally put at above £100 billion.
Basel II comprises three “Pillars”:
• Pillar 1 – Minimum Capital Requirement: this covers market, credit and operational risk.
• Pillar 2 – Supervisory Review Process: this sets the framework for supervision. Supervisors will be able to hold additional capital against risks not covered by pillar 1.
• Pillar 3 – Market Discipline: this sets out the framework for market disclosures by banks and financial institutions.
Implementation of Basel II will be achieved in the EU by way of the Risk-Based Capital Directive (CAD III). The UK will then implement this, with the FSA acting as supervisory authority. The bottom-line requirement is that data capture procedures, which must enable operational risk factors to be identified and analysed, will need radical rethinking.
Issues for affected IT managers include identifying the correct data, integrating and managing that data, carrying out analysis and producing the required reports. Separately, new FSA regulations covering the reporting and management of mortgage applications, due to come into force in October 2004, will also require the mortgage applicant and the adviser to use point-of-sale software that takes them through a sales process complying with FSA rules.
A suggested Basel II checklist might be:
• Impact assessment: What do the new rules require your organisation to do to its existing IT systems in order to achieve compliance?
• Timescale: By when do the changes need to be in place?
• Contract review: Your organisation should carry out an audit of existing contracts relevant to the IT systems which will require changes.
• Who is going to make the changes? Will it be your suppliers of existing or older software, support service providers, consultants, the in-house IT team, or a combination? Liability, warranties, rights of termination and IPR ownership will also need to be addressed.
• Who is going to pay for the changes? Who is legally obliged to pay?
• Reporting and data retention: What reporting and data retention requirements apply to your organisation? How will you prove compliance?
• Could your organisation merge its content management practices with process issues such as auditable workflows? Could the use of a data management language such as XML or XBRL bring benefits and assist in establishing compliance?
• Should you change the way you store emails?
• Should you establish and enforce a central store for all data?
Basel II has been described as the biggest IT challenge for the banking and financial services industry since Y2K. Unlike Y2K, however, these changes are definitely coming!
Matching SOX in the EU
The EC’s draft directive on auditing (Proposal for a Directive on statutory audit of annual accounts and consolidated accounts and amending Council Directives 78/660/EEC and 83/349/EEC), published on 16 March 2004, is potentially as tough on UK institutions as SOX. It will also have major implications for some IT managers.
Areas that affected IT managers may wish to assess include: consolidation of their current servers and storage; existing email management practice; current and potential archiving procedures; and information management generally. IT architecture will need to be viewed primarily in the light of compliance. “In the past the focus of compliance has been on the finance department,” said John Taylor, managing director at business performance management specialists Cartesis. “But the board will begin asking managers and IT managers what they’re doing to help the firm comply, as this area is so reliant on IT systems. Company boards will expect far more involvement from their IT departments to establish end-to-end auditing controls”, Taylor predicts. “They will want to know how they can be sure that data entering a system sees its way through to the legal reporting requirements.”
The penalties for failure to comply with the auditing directive are yet to be determined – the draft provides only that “Member States shall provide effective, proportionate and dissuasive civil, administrative or criminal penalties.”
One thing is certain: IT managers in affected companies may soon find themselves being asked to offer their boards guarantees that the firm’s accounting package is compliant in every respect and totally free of defects. Change of career, anyone?