How Airports are Responding to the Sarbanes-Oxley Act (SOX) Airports Council International-North America 2006 Economic Specialty Conference June 5, 2006 Gail Flister Vallieres U.S. Government Accountability Office 1
Session Objectives To Provide guidance for adopting SOX provisions by reviewing key SOX provisions discussing how these provisions might apply in public sector entities 2
Integrity and Trust in Government Without integrity and trust, governments, institutions and leaders cannot succeed. With trust, governments, institutions and leaders can achieve great things. Getting it right with regard internal control and accountability will be critical to achieving and maintaining the public s trust in government. 3
Sarbanes-Oxley Act of 2002 Instituted sweeping changes for accountability profession and corporate governance in the following areas: oversight of the auditing profession auditor independence enhanced financial disclosure requirements (including internal control reporting) 4
Sarbanes-Oxley Act of 2002 Changes for accountability profession and corporate governance oversight of the auditing profession auditor independence enhanced financial disclosure requirements (including internal control reporting) 5
Sarbanes-Oxley Act Audit Profession Oversight Creation of Public Company Accounting Oversight Board (PCAOB). Principal duties: establish or adopt standards for public company audits enforce compliance with standards and the Act inspect and register public accounting firms conduct investigations of firms and disciplinary proceedings impose sanctions 6
Sarbanes-Oxley Act Impact on U.S. Auditing Standards Three US Auditing Standards-Setting Organizations Public Company Accounting Oversight Board (PCAOB) Audits of publicly traded companies Auditing Standards Board (ASB) of the AICPA Privately held companies Not-for-profit organizations U.S. Government Accountability Office Federal, state, local governments Not-for-profit organizations receiving federal funding 7
Sarbanes-Oxley Act: Impact on U.S. Auditing Standards Comptroller General established the U.S. Auditing Standards Coordinating Forum PCAOB, GAO, ASB Three principals meet several times a year. Key staff coordinate regularly to implement agenda. Rotating chair, based on who is hosting the meeting. Still defining role for IAASB 8
Sarbanes-Oxley Act Impact on U.S. Auditing Standards Purpose of U.S. Auditing Standards Coordinating Forum maximize complementary standards-setting agendas minimize duplicative or competing efforts identify any significant gaps not being addressed develop strategies for overcoming challenges and barriers to modernizing the auditing profession in the U.S. assure consistency where appropriate for core auditing standards, while seeking to modernize those standards 9
Sarbanes-Oxley Act of 2002 Changes for accountability profession and corporate governance oversight of the auditing profession auditor independence enhanced financial disclosure requirements (including internal control reporting) 10
Sarbanes-Oxley Act Auditor Independence It is now unlawful for a registered accounting firm to provide certain nonaudit services to audit clients, including: accounting and bookkeeping services financial information systems design and implementation appraisal, valuation, and actuarial services, internal audit outsourcing services management or human resources functions All other nonaudit services provided to audit clients require prior audit committee approval 11
Sarbanes Oxley Act Auditor Independence An accounting firm is not allowed to perform an audit of a registrant whose key financial or management personnel were employed by that accounting firm and participated in the audit within one year of the current audit. The auditor must report to the audit committee all critical accounting policies and practices used in preparing financial statements The lead audit, concurring and reviewing partners must rotate every 5 years. 12
Auditor Independence Implications for Government Yellow Book independence standards became effective in 2003 Auditor communications with audit committees. Audit Partner Rotation no related government requirement. Employment restrictions watch for situations that could result in appearance of independence problems under current Yellow Book independence standards. 13
Sarbanes-Oxley Act of 2002 Changes for accountability profession and corporate governance oversight of the auditing profession auditor independence enhanced financial disclosure requirements (including internal control reporting) 14
Sarbanes-Oxley Act Section 404: Internal Control Management is required to establish and maintain adequate internal control structure and procedures for financial reporting Include in the annual report a statement of management s responsibility for and management s assessment of the effectiveness of those controls. The company s auditors are required to attest to and report on management s assessment of the effectiveness of internal control over financial reporting. 15
Sarbanes-Oxley Act, Section 404: Implications for Government Audits Report on internal control We considered internal control over financial reporting to determine auditing procedures for the purpose of expressing an opinion on financial statements Opinion on internal control Management maintained in all material respects effective internal control over financial reporting 16
Sarbanes-Oxley Act Section 404: Internal Control PCAOB Auditing Standard No 2: Audit of Internal Control over Financial Reporting in conjunction with Audit of Financial Statements Requires auditor opinions on - internal control effectiveness -management s assessment of internal control effectiveness Internal control audit must be performed in conjunction with financial statement audit 17
Sarbanes-Oxley Act Section 404: Internal Control PCAOB Auditing Standard No 2 (cont): Requires walkthroughs for each major transaction class Limits on rotation testing of controls Limits on reliance on work of others New, more rigorous definitions of material weakness and significant deficiency (formerly reportable condition) 18
PCAOB AS 2: Terminology/Definitions for Internal Control Deficiencies Old Definitions Material weakness (GAGAS paragraph 5.14 and AU 325.15) Reportable condition (GAGAS paragraph 5.13 and AU 325.02) Management letter comment (GAGAS paragraph 5.16) New Definitions Material weakness (proposed revised SAS 60, paragraph 5) Significant deficiency (proposed revised SAS 60, Paragraph 5) Other matters related to internal control (proposed revised SAS 60, Paragraph 19) 19
Federal Gov t Internal Control Requirements FMFIA/OMB A-123 Office of Management and Budget (OMB) Circular A-123, Management Accountability and Control Implements FMFIA covers all aspects of an agencies operations (programmatic, financial, and compliance) Over the years, OMB Circular A-123, has broadened these requirements to include controls over all aspects of an agency s operations. Latest update (December 2004) provides updated internal control standards (incorporating the COSO elements) and new specific requirements for conducting management s assessment of the effectiveness of internal control 20
Federal Gov t Internal Control Requirements FMFIA/OMB A-123 December 2004, revised OMB Circular A-123 requires annual management assurances on internal control in Performance and Accountability Report. separate assurance on internal control over financial reporting using the COSO elements (for the 24 CFO-Act agencies) identification of material weaknesses, non-conformances, and corrective actions. Revised A-123 does not require audit of internal control over financial reporting GAO supported the revised A-123 in recent testimony before House Government Reform Subcommittee on Government Management. (GAO-05-321T, Feb. 16, 2005) 21
Sarbanes-Oxley Act Implementation: What We Have Learned and Future Directions The Sarbanes-Oxley Act reforms are sound and necessary Reforms have improved governance and management, including the involvement of the board, audit committees, and top management in financial reporting and internal control issues. Implementing section 404 has been challenging due to: The amount and nature of internal control work performed in the past Extensive audit work being performed due to real and/or perceived lack of flexibility in PCAOB Auditing Standard No. 2 Significant first-year implementation efforts 22
Sarbanes-Oxley Act Implementation: What We Have Learned and Future Directions GAO strongly supports the concepts behind section 404. However, we believe that economies and efficiencies can be gained in the process through: Auditor and management efficiencies and streamlining in the second year and beyond. Better integration of the financial and internal control audit. Additional PCAOB and SEC guidance that provides for a riskbased approach using reasoned risk and experience-based auditor judgments in areas such as rotation of testing and additional flexibility in using the work of others (similar to the approach in GAO s Financial Audit Manual). Ongoing feedback from the PCAOB inspection process 23
Contact Information Gail Flister Vallieres U.S. Government Accountability Office (202) 512-9370 vallieresg@gao.gov The Yellow Book is available on GAO s website at: www.gao.gov/govaud/ybk01.htm For technical assistance, contact us at yellowbook@gao.gov 24