Since its enactment in 2002, the Sarbanes-Oxley Act has led to a deluge of studies, reports, and regulations.

Public companies, auditors, regulators, attorneys, and U.S. federal, state and local, and foreign governments have all grappled with its implementation and implications.

This article provides an update on where things now stand. It covers many of the recent developments, and identifies still unsettled areas. The article will discuss Sarbanes-Oxley generally, with special attention to the international scope of Sarbanes-Oxley and exceptions for foreign entities, and the tax area.

The intent is to provide a general understanding of how Sarbanes-Oxley is shaping business operations, describe the provisions of greatest concern to public companies and their applicability to foreign persons, and give citations to additional guidance.

New Landscape Taking Shape

Corporate Governance. The New York Stock Exchange, Nasdaq, and other U.S. securities exchanges have adopted new corporate governance standards applicable to companies listed with them.1

These standards are in part mandated by Sarbanes- Oxley, but in part go beyond Sarbanes-Oxley and reflect voluntary market-driven responses to the various recent corporate scandals. Although the standards vary somewhat from exchange to exchange, some typical requirements are that:

  • the board consist of a majority of ‘‘independent directors’’;
  • independent directors meet without management on a regular basis;
  • the board establish nominating/corporate governance, compensation, and audit committees composed of independent directors (who in the case of the audit committee must be financially literate, and one of whom must have accounting or related financial expertise) and governed by written charters; and
  • the company adopt a code of ethics

Foreign private issuers2 are generally permitted to follow home country practices in lieu of these rules, except that they must follow the audit committee standards (a Sarbanes-Oxley mandate). The rules are generally in effect now.

These new corporate governance rules have had a significant impact on public companies.3 In some instances, it appears realignment of the board of directors has been necessary to meet the independence requirements. Directors have been receiving additional education and training to understand the new rules as well as financial statements, and meeting more frequently.

Audit committees have increased responsibility, importance and authority. The relationship between management and the board of directors has been perhaps made somewhat more arm’s length, creating more checks and balances.

Disclosure. To prevent fraud and help the capital markets operate more effectively, Sarbanes-Oxley endeavors to get more timely, truthful information to the market, making a company’s financial picture more transparent.

First, public companies must now establish and maintain ‘‘disclosure controls and procedures’’ to ensure that material developments are reported to the Securities and Exchange Commission in a timely manner.4

Second, the chief executive officer and chief financial officer must now provide personal 302 and 906 certifications in quarterly and annual periodic reports to the SEC (e.g., 10-Q, 10-K, and 20-F), stating that the report does not contain any untrue statements or omissions and fully complies with the Securities Exchange Act of 1934, that the financial information fairly presents the company’s financial condition, that internal controls relating to disclosure and financial reporting are present, and that any fraud has been disclosed to the auditor and audit committee.5 Knowingly making a false 906 certification under 18 U.S. Code 1350 is made a specific crime with stiff penalties.6 At many companies, the CEO and CFO have relied in part on mirror certifications from subordinates.

Finally, other new disclosure enhancements include:

  • phased-in shortening of the filing deadlines for accelerated filers to 60 days for annual 10-K reports and 35 days for quarterly 10-Q reports7;
  • expanded information and events required to be reported on Form 8-K with a shortened four business day general deadline8;
  • required reporting by an owner of 10 percent or more of a registered equity security, or any director or officer of an issuer thereof, of any change in his or her ownership thereof to the SEC within two business days after the transaction9;
  • greater disclosure of off-balance sheet arrangements10;
  • mandatory disclosure of material correcting adjustments identified by the auditor to any generally accepted accounting principle financial statements to be filed with the SEC11;
  • a bar on the use of misleading non-GAAP financial measures and a requirement that non-GAAP presentations include reconciliation to the most directly comparable GAAP financial measure12;
  • disclosure of whether the company has a financial expert on its audit committee and whether it has adopted a code of ethics, and if not, why not; and
  • SEC review of each public company’s 1934 Securities Exchange Act disclosures at least every three years.13

Document Retention. In response to document shredding that occurred in one scandal, Congress expanded the crimes covering document destruction to make it easier to prosecute such cases.

After Sarbanes-Oxley, it is a crime to destroy or alter documents with intent to impede a federal or official proceeding; there need be no ‘‘corrupt persuader’’ of document destruction, and the federal proceeding need not be pending at the time of the destruction.14

Given this breadth, the statute has led companies to review their document retention policies and procedures.

One concern is that without a system in place to identify, classify, and preserve potentially relevant documents, with documents being routinely destroyed or overwritten on a regular basis, regular operation could lead to violations under some circumstances. Both software companies and physical record storage companies are offering software and services to help ensure compliance with the new standards.

PCAOB. Not satisfied with the accounting profession’s self-regulation, Congress established the Public Company Accounting Oversight Board (PCAOB) as a quasi-governmental entity, under the oversight of the SEC, to oversee the auditing of public companies.

It is now staffed and operating, and becoming an influential voice in the area of financial accounting, auditing, and corporate governance generally.15

PCAOB’s basic functions are to register and inspect firms that audit public companies, and to promulgate and enforce the standards for auditing public companies. As of Nov. 3, there were 1,378 public accounting firms registered with the PCAOB, of which approximately 499 are headquartered outside the United States. BDO, Deloitte & Touche, Ernst & Young, Grant Thornton, KPMG, and PricewaterhouseCoopers and their foreign affiliates account for approximately 232 of these registrations, including six U.S. headquarters of- fices.16

PCAOB’s inspections of registered audit firms are intended to assess the degree of audit firms’ compliance with audit standards in conducting audits. These inspections may be very thorough, and could entail discussions with audit clients and restatements in the event accounting errors are discovered.

Rather than submit to full PCAOB inspections, a foreign registered public accounting firm can request the PCAOB to instead rely on an inspection by a non-U.S. overseer or regulator of audits, presumably the firm’s home country overseer or regulator.17 The extent to which the PCAOB will agree to this will depend on the level of the non-U.S. audit oversight system’s independence, rigor, adequacy, integrity, source of funding, transparency, and historical performance, and discussions with the appropriate entity or entities within the system concerning an inspection work program.

As noted, the PCAOB is also charged with setting the standards by which auditors audit public companies. Initially, the PCAOB began by adopting the existing auditing, attestation, quality control, ethics, and independence standards as its interim standards on a transitional basis pending its review, study, and promulgation of new standards.18 Since then, the PCAOB has promulgated, and received SEC approval of, three new standards—Standard No. 1, References in Auditors’ Reports to the Standards of the PCAOB (effective May 24, 2004); Standard No. 2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (effective Nov. 15, 2004); and Standard No. 3, Audit Documentation (effective Nov. 15, 2004).

Auditor Independence. The recent corporate scandals showed that auditors must be tough, independent scrutinizers to be an effective check on corporate fraud. Sarbanes-Oxley therefore strengthened the standards by which public companies are audited.19

Sarbanes-Oxley and SEC rules contain a number of provisions intended to make auditors more independent of their public audit clients and management, including:

  • a requirement that the public company’s audit committee retain and oversee the auditor and preapprove all audit and non-audit services rendered by the auditor;
  • restrictions on an auditor’s performance of nonaudit services for an audit client,
  • a requirement that audit partners on an engagement rotate—lead and concurring audit partners being on a five-years-on/five-years-off rotation and others on a seven-on/two-off rotation;
  • a one-year ‘‘cooling off’’ period before members of an audit firm’s audit engagement team can go to work for the audit client as its CEO or in a financial reporting oversight role; and
  • a prohibition on an audit partner’s receiving compensation based on selling non-audit services.20

The restrictions on an auditor’s performance of nonaudit services for a public audit client are quite involved. They are based on the principles that an auditor should not audit its own work, function as a part of management, or act as an advocate for an audit client.

An auditor cannot render the following nine services to a public audit client (absent a PCAOB exemption order): bookkeeping; design and implementation of financial systems; valuation; actuarial services; internal audits; management or human resources; securities broker/dealer; legal services; and expert services. Other non-audit services may only be provided with ad hoc preapproval of the audit committee, or pursuant to preapproval policies and procedures established by the audit committee.

Detailed disclosure of fees paid to the auditor for non-audit services and of the nature of the non-audit services must be made in the annual proxy statement.

Foreign audit firms are subject to the final SEC rules. Nonetheless, the SEC has indicated that in certain areas it will take into account foreign laws and practices in applying the provisions to foreign accounting firms, in particular with regard to the restrictions on non-audit services. Moreover, the SEC indicated it will monitor the international impact of the rules and maintain dialogue with its foreign counterparts.

For its part, the PCAOB has not as yet formally weighed in on the auditor independence area (aside from initially adopting existing standards). It has held a roundtable on the independence issue, and may promulgate new standards in this area at some point.21

At this point, uncertainty continues to surround auditors’ rendition of non-audit services to their audit clients, particularly in the tax area. In part, this is due to lack of clarity of the legal lines drawn, i.e., what is legally permissible is not always clear. But beyond that, the markets have not reached a clear consensus over the extent to which auditors should perform non-audit services.

At least one influential institutional investor at one time reportedly took the position in voting on directors that it would not support directors who approved the use of the auditor for non-audit services, including tax services. However, that position appears to have proven untenable in a world where use of auditors for at least routine tax services has been commonplace, and the investor seems to have retreated somewhat.

In one noteworthy case, In re WorldCom, Inc.,22 the U.S. Bankruptcy Court refused to disqualify KPMG from serving as auditor of MCI (formerly WorldCom). Fourteen states had urged disqualification based on KPMG’s prior sale of state income tax savings strategies to MCI, which they were also challenging.

But the court found that KPMG met the U.S. bankruptcy law standards for being retained as a professional—that it not have an interest adverse to the debtor and be a disinterested person. The court made three basic findings:

  • KPMG’s sale of the state tax planning services did not give rise to an adverse interest becaue it was unlikely to lead to a claim by MCI against KPMG;
  • KPMG’s rendition of both auditor and tax services, which the states argued would require it to evaluate its own tax services on audit, did not create a conflict of interest preventing KPMG from being disinterested because such dual roles were permissible under Sarbanes- Oxley; and
  • KPMG’s dual role did not create an appearance of impropriety because, in addition to the foregoing, numerous safeguards protected the integrity of MCI’s corporate governance, including the SEC’s active involvement in the case, in which it never objected to KPMG’s dual role.

This is a significant case given that the tax strategy in question had already come under challenge, and the court’s reliance on Sarbanes-Oxley as permitting the service in question and the SEC’s involvement.

A related question involves the extent to which the auditor of a public company should provide tax services to its senior management or directors. Some companies have experienced problems with such arrangements, and adopted rules against this as well.23

In sum, although audit firms can continue to provide tax services to their publicly traded audit clients, some public companies have chosen to shift some tax and other non-audit services away from their auditors. Other public companies are continuing to use their auditors for non-audit services. Exactly where this will end up still remains to be seen.

Internal Control Over Financial Reporting. Since 1977, the Foreign Corrupt Practices Act of 1977 has required public companies to maintain financial accounting systems to reflect transactions, and a system of internal control to assure that transactions are properly authorized by management and recorded in GAAP financial statements and to maintain accountability for assets. Nonetheless, Congress felt that internal controls had not been sufficiently emphasized and that inadequate controls had allowed fraud to occur.

So Sarbanes-Oxley elevated internal control over financial reporting (ICOFR). Sarbanes-Oxley Section 404 and SEC regulations newly define ICOFR; require public companies to maintain ICOFR; require management and the auditor to evaluate the effectiveness of ICOFR as of the end of each fiscal year; and require the company’s annual report to the SEC (10-K, 20-F, or 40-F) to contain Management’s Annual Report on ICOFR and the auditor’s separate assessment of ICOFR and attestation to Management’s Annual Report on ICOFR.24 In addition, the CEO and CFO must state their responsibility for ICOFR in their 302 certifications to the quarterly and annual SEC reports.

Large public companies, so-called accelerated filers, must include Management’s Annual Report on ICOFR beginning with their annual report for the first fiscal year ended on or after Nov. 15, 2004. For nonaccelerated filers, and foreign private issuers filing annual reports on Form 20-F or 40-F, the requirement applies beginning with the annual report for the first fiscal year ended on or after July 15, 2005.

The 302 certification requirements generally apply with respect to the first annual report which is required to contain Management’s Annual Report on ICOFR and all periodic reports filed thereafter. In the case of a foreign private issuer that does not file quarterly reports, these requirements only apply with respect to its annual reports, for the fiscal years covered thereby.

Public companies and their auditors, particularly accelerated filers, are currently in the midst of establishing, documenting, testing, improving, and evaluating their internal controls. This is proving to be an immense undertaking. However, many see it as one of Sarbanes- Oxley’s most important measures in terms of ensuring the reliability of financial statements, while others see all the controls and documentation thereof as too burdensome and costly.

Management’s annual evaluation of and report on ICOFR must be based on ‘‘a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.’’ 25 The SEC stated that the framework for internal control established in 1992 by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission (also know as the National Commission on Fraudulent Financial Reporting) meets this standard, and indeed the SEC drew heavily on the COSO framework in developing its new rules.26

The SEC did not mandate use of the COSO framework in recognition that other suitable evaluation standards are used outside the United States, or may be developed in the future. To be suitable, a framework must be free from bias; permit reasonably consistent qualitative and quantitative measurements of a company’s internal control; be sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of internal control are not omitted; and be relevant to an evaluation of internal control over financial reporting.

The SEC specifically confirmed that the Guidance on Assessing Control published by the Canadian Institute of Chartered Accountants and the Turnbull report published by the Institute of Chartered Accountants in England and Wales are suitable frameworks.27 In addition, the fact that a foreign company’s home country framework does not require a statement regarding the effectiveness of internal control does not relieve the company of including such a statement in its annual report to the SEC.

In contrast to the SEC, the PCAOB explicitly based its Auditing Standard No. 2 on the COSO framework. Although the PCAOB recognized the existence of other suitable frameworks in other countries, the PCAOB believed that they should encompass all of COSO’s general themes, and that the auditor should be able to apply Auditing Standard No. 2 in a reasonable manner even if management used a suitable framework other than COSO.28 Nonetheless, managements that do not use the COSO framework should consult with their auditors to ensure that their approach will pass Auditing Standard No. 2 on audit.

In promulgating their internal controls regulations and standards, both the SEC and PCAOB seemed to recognize the need for management to coordinate with its auditor in evaluating internal controls. It is permissible for the auditor, with audit committee preapproval, to work with management to gain an understanding of ICOFR at the company and assess the effectiveness, make recommendations for improvement, and assist with documentation, provided management remains actively, substantively, and extensively involved and does not delegate responsibility, and the services do not entail design or implementation of ICOFR.29

The PCAOB staff, in its Staff Questions and Answers, Auditing Internal Control Over Financial Reporting, made clear that the audit committee must preapprove internal-control related services even if the services might properly be classified as falling within the audit.

Whistleblowers. In several of the recent corporate scandals, whistleblowers played roles in bringing the corporate fraud to light. Thus Congress believed it important to encourage, foster, and protect such whistleblowing, to help prevent and detect fraud.

Accordingly, Sarbanes-Oxley makes it a federal crime for any person to retaliate against any person for providing truthful information to a law enforcement of- ficer relating to a federal offense.30 Note that this provision is very broad and is not limited to public companies or to financial fraud offenses.

Employees of public companies receive additional protection under new 18 U.S.C. Section 1514A. This provision prohibits a public company from retaliating against an employee because of the employee’s lawful provision of information or assistance to a federal agency, a member or committee of Congress, or a supervisor of the employee concerning a possible federal crime, 18 U.S.C. Sections 1341, 1343, 1344, and 1348 (mail, wire, bank, and securities fraud), or violation of federal securities laws.

An employee who alleges discharge or other discrimination in violation of this provision may bring an action for reinstatement, back pay, and compensatory damages. If retaliated against, a whistleblower’s first step in asserting these protections is to file a complaint with the Occupational Safety and Health Administration (OSHA) of the Department of Labor.31

OSHA’s handling of these whistleblower complaints is in keeping with OSHA’s mission to protect workers in the workplace, but some have questioned OSHA’s ability to handle complex corporate fraud questions.32 As of Aug. 23, OSHA had received a total of 307 employee complaints under Sarbanes-Oxley.

If OSHA does not pursue the case on behalf of an employee, the employee can proceed to court.

Some whistleblower cases have already been brought by corporate tax department employees, who allege they were retaliated against for raising questions about the companies’ tax positions. In one case, two former tax executives alleged they were discharged in retaliation for their refusing to conceal tax strategies of the company they considered improper from the Internal Revenue Service and the company’s auditor.33 Another whistleblower case filed by two former foreign employees of a Swiss company, arising out of their questioning the company’s international intercompany transfer pricing, was dismissed on the ground that Sarbanes- Oxley did not apply since the company did not have securities traded on any U.S. exchanges or registered with the SEC, and the employment occurred outside the United States.34

Sarbanes-Oxley has also created or inspired other whistleblower procedures. Under Sarbanes-Oxley, a public company’s audit committee must maintain a procedure for individuals to communicate perceived accounting problems to the audit committee. A number of companies are offering products or services to help audit committees fulfill this requirement.

In addition, the PCAOB has opened a hotline for communicating perceived accounting problems to the PCAOB, via its Web site at http://www.pcaobus.org/ tips/. The SEC also maintains a complaint procedure and tip hotline, at http://www.sec.gov/complaint.shtml.

Attorney-Client Relationship. Leaving few untouched, Sarbanes-Oxley also addressed the role of attorneys in policing corporate malfeasance. New SEC rules impose professional standards on attorneys ‘‘appearing and practicing before the SEC,’’ generally meaning representing a public company with respect to federal securities matters or filings, including in-house as well as outside attorneys.35

The rules make clear that the attorney’s client, to which he or she owes his or her professional and ethical duties, is the company as an organization, rather than its directors, officers, or employees.

The main thrust of the new rules is up-the-ladder reporting, which is akin to whistleblowing. The rules require an attorney who becomes aware of evidence of a material violation at the company of a U.S. federal or state securities law, or breach of fiduciary duty thereunder or similar violation, to report such evidence to the issuer’s chief legal officer, or both the chief legal officer and the CEO. The chief legal officer is to look into the matter and respond, notifying the reporting attorney of his or her action, and if the reporting attorney does not receive an appropriate response, he or she is required to report the matter to the issuer’s audit committee, other committee of independent directors, or the entire board.36 Alternatively, an issuer can form a qualified legal compliance committee of independent directors to receive and handle attorney reports. Special rules delineate the respective responsibilities of supervisory and subordinate attorneys.

Though not requiring it, the SEC rules permit an attorney to reveal confidential information to the SEC without the issuer’s consent if it is necessary to prevent the issuer from committing a material violation that is likely to cause substantial financial injury to the issuer or investors, or to rectify such an injury in furtherance of which the attorney’s services were used, or to prevent the issuer from committing or suborning perjury before or perpetrating fraud on the SEC.

The SEC rules do not apply to a ‘‘non-appearing foreign attorney,’’ defined as an attorney admitted to practice law in a jurisdiction outside the U.S., who does not hold himself or herself out as practicing, and does not give legal advice regarding U.S. federal or state securities laws, and is appearing and practicing before the SEC only incidentally to and in the ordinary course of practicing law outside the U.S., or in consultation with other counsel admitted to practice in the U.S. who is not a non-appearing foreign attorney.

The SEC rules are primarily intended to supplement standards of other ethics bodies, but purport to preempt standards of any state or other U.S. jurisdiction in the event of inconsistency. The American Bar Association recently amended its Model Rules of Professional Conduct (which many states adopt as their ethics rules that attorneys must abide by) to parallel the new SEC standards (although the new Model Rules are broader in that they apply in the representation of any organization and with regard to violations of any law).37 On the other hand, an attorney practicing outside the U.S. is not subject to the SEC rules to the extent foreign law prohibits compliance therewith.

International Scope And Exceptions

The international scope of businesses and the securities markets gives rise to many jurisdictional issues under Sarbanes-Oxley. Briefly, Sarbanes-Oxley extends internationally in the following ways:

  • A non-U.S. company with securities traded on a U.S. exchange or registered with the SEC is generally subject to all Sarbanes-Oxley provisions, just like a public U.S. company.
  • A non-U.S. auditor that audits or participates in the audit of a company with securities traded on a U.S. exchange or registered with the SEC must register with the PCAOB, and is generally subject to the Sarbanes- Oxley provisions governing audits of public companies.
  • The non-U.S. operations and subsidiaries of a public U.S. company are generally subject to Sarbanes- Oxley.

Such international application of Sarbanes-Oxley creates issues such as duplication of regulatory burdens, inconsistent regulatory requirements and laws, cultural differences, and concerns of sovereignty and comity. The SEC and PCAOB have been sensitive to these issues and taken some steps to ameliorate them in writing their rules.

Exceptions from the general Sarbanes-Oxley rules for non-U.S. persons, for the most part discussed above, are summarized as follows:

  • Foreign private issuers listed on the NYSE are generally permitted to follow home country practices in lieu of the NYSE Section 303A Corporate Governance Rules, although they must follow the Section 303A provisions relating to audit committees (with a deferred compliance date to July 31, 2005) and disclose significant differences between their home-country practices and NYSE listing standards, and their CEOs must report noncompliance with these requirements to the NYSE.
  • Foreign private issuers listed on Nasdaq may request exemption from Nasdaq’s corporate governance standards (Rule 4350) that are contrary to a law, rule, regulation, or generally accepted business practice in the issuer’s country of domicile, except for standards mandated by federal securities laws, such as those relating to the audit committee, and they have until July 15, 2005, to comply with the rules requiring a majority of independent directors, independent compensation and nominating committees, and notification of noncompliance.
  • Foreign private issuers do not need to provide a Management’s Annual Report on ICOFR until their annual Form 20-F or 40-F for the first fiscal year ending on or after July 15, 2005.
  • For foreign private issuers that do not file quarterly 10-Qs, the Section 302 and Section 906 certification requirements only apply to their annual 20-F or 40-F reports, and material changes in ICOFR need be evaluated only on an annual basis and disclosed in the annual 20-F and 40-F reports.
  • A special exemption from new Regulation G, governing the use of non-GAAP financial measures, is available for foreign private issuers’ use abroad of non- GAAP financial measures.38
  • Non-U.S. public accounting firms had an extended deadline until July 19, 2004, to register with the PCAOB.
  • PCAOB Rule 2105 allows an accounting firm to withhold information from its application for registration with the PCAOB when submission of such information would violate a non-U.S. law.
  • Rather than submit to a full PCAOB inspection, a foreign registered public accounting firm can request the PCAOB to instead partly rely on an inspection by its home country overseer or regulator of audits, pursuant to PCAOB Rules 4011 and 4012.
  • In regard to auditor independence, the SEC indicated it will take into account foreign laws and practices in applying the prohibitions on certain non-audit services. In particular, whether a tax service is a prohibited legal service is determined with reference to U.S. standards, so that such prohibition does not prevent auditors from providing tax services in foreign jurisdictions where such services are considered the practice of law.39
  • ‘‘Non-appearing foreign attorneys’’ are exempt from the new SEC Rules of Practice, and other attorneys practicing outside the U.S. are not subject to SEC Rules of Practice that conflict with applicable foreign law.

Extension Of Sarbanes-Oxley To Non-Public Companies

Despite questions concerning the costs and benefits of Sarbanes-Oxley even for public companies, regulators, states, and other authoritative bodies have been considering applying some of its provisions to nonpublic companies, insurance companies, not-for-profit organizations, and their auditors and attorneys. How far this extension will go remains to be seen.

Market Effects And Responses

Sarbanes-Oxley has helped to restore investor confidence in the public capital markets, but at significant cost and burden on public companies.

Much debate is occurring over whether the costs outweigh the benefits; whether certain provisions go too far; whether it has improved or reduced the pool of individuals willing to serve as directors; the extent to which it has caused private companies to avoid going public, smaller public companies to go private, or foreign companies to de-register from the U.S. stock markets, and whether these effects are good or bad; and whether the requirements should be relaxed to a greater extent for smaller companies.40

At this point, it is still too early to gauge the impact of Sarbanes-Oxley.

Sarbanes-Oxley Impact On Tax Arena

Sarbanes-Oxley has had direct impacts on the tax arena and public company tax departments. Among them are tax department compliance with Sarbanes- Oxley provisions (e.g., disclosure and internal controls, back-up 302 and 906 certifications); changes in the use of auditors for tax services, and the concomitant effects on the accounting firms and the tax consulting field; and changes in the substantive laws affecting the legal terms and conditions of transactions, thereby requiring new tax analysis.

A potential tax law change that has been proposed in various forms several times, but not enacted, is a requirement that the CEO certify on the federal return as to its accuracy.

Some indirect, secondary fallout that may be connected to Sarbanes-Oxley and Sarbanes-Oxley-related thinking includes IRS’s new Schedule M-3, suggesting greater reliance on financial statement income; renewed interest in accounting for federal income taxes, and convergence to international standards41; and increased emphasis on documentation of tax accruals and reserves, with heightened concern as to IRS access to such workpapers.

Conclusion

Sarbanes-Oxley is now more than two years old. The SEC and PCAOB have done much to implement Sarbanes-Oxley and the new environment is taking shape.

Nonetheless, Sarbanes-Oxley was such sweeping legislation, making major changes in so many areas, that a number of questions and gray areas remain. We are now starting to see secondary effects of Sarbanes-Oxley and related thinking as well.

It will probably be a few more years before Sarbanes- Oxley is fully digested.

Footnotes

1. See Section 303A of the NYSE’s Listed Company Manual; The Nasdaq Stock Market Inc. Corporate Governance Rules 4200, 4200A, 4350, 4350A, 4351 and 4360 and Associated Interpretative Materials (April 15, 2004); Securities and Exchange Commission Release No. 34-48745, NASD and NYSE Rulemaking: Relating to Corporate Governance (Nov. 4, 2003). In addition, the SEC has voted (i) to propose new rules relating to the governance, transparency, oversight, and ownership of the exchanges (self-regulatory organizations) themselves, including requiring a majority independent board and fully independent nominating, governance, audit, compensation, and regulatory oversight committees, and separation of regulatory and business operations, and (ii) to issue a concept release requesting comment on the efficacy of self-regulation versus an alternative regulatory model. See SEC Release 2004- 154 (Nov. 9, 2004). The major exchanges already reflect some of the measures.

2. A ‘‘foreign private issuer’’ generally means a corporation organized under the laws of foreign country, unless (i) more than 50 percent of its voting stock is held by U.S. residents and (ii) most of its executive officers or directors are U.S. persons, most of its assets are in the U.S., or its business is principally administered in the U.S. 17 Code of Federal Regulations 240.3b-2.

3. Other governance-related provisions include a prohibition on a public company’s making personal loans to its directors and executive officers, 15 U.S. Code 78m(k); a requirement that the chief executive officer and chief financial officer of a public company forfeit bonuses, incentive payments, and securities trading profits realized during the 12-month period following public issuance or filing of a financial document later restated due to wrongful noncompliance with SEC financial reporting requirements, Sarbanes-Oxley Section 304; and a prohibition on stock trading by directors and executive officers during ‘‘blackout periods’’ during which individuals in retirement accounts cannot trade, Sarbanes-Oxley Section 306.

4. 17 CFR 240.13a-15 and 240.15d-15.

5. Sarbanes-Oxley Sections 302 and 906; 17 CFR 240.13a-14 and 240.15d-15; 18 U.S.C. 1350.

6. In one high-profile case in which the U.S. brought criminal charges against a CEO for alleged violation of the 18 U.S.C. 1350 certification requirement, the CEO has moved to dismiss those counts on the ground that 18 U.S.C. 1350 is unconstitutional. United States v. Scrushy, No. CR-03-BE-0530-S (N.D. Ala.). See also SEC v. Symbol Technologies Inc., No. CV 04 2276 (E.D.N.Y.), SEC civil complaint alleging CFO made false 302 certifications as to allegedly fraudulent financial statements and as to disclosure of all significant internal control deficiencies and alleged management fraud to the audit committee and auditors, when no such disclosures had been made.

7. SEC Release No. 33-8128, Acceleration of Periodic Report Filing Dates (Sept. 5, 2002), and SEC Release No. 33-8477, Temporary Postponement of the Final Phase-In Period for the Acceleration of Periodic Report Filing Dates (Aug. 25, 2004) (proposing to push back final 60-day 10-K deadline to years ending on or after Dec. 15, 2005, and 35-day 10-Q deadline to subsequent quarters).

8. SEC Release No. 33-8400, Additional Form 8-K Disclosure Requirements and Acceleration of Filing Date (March 16, 2004), in keeping with Sarbanes-Oxley Section 409 (requiring rapid disclosure of changes in financial condition or operations ‘‘in plain English’’ pursuant to SEC rules).

9. 15 U.S.C. Section 78p.

10. SEC Release No. 33-8182, Disclosure in Management’s Discussion and Analysis about Off-Balance Sheet Arrangements and Aggregate Contractual Obligations (Jan. 28, 2004).

11. 15 U.S.C. 78m(i).

12. SEC Release No. 33-8176, Conditions for Use of Non- GAAP Financial Measures (Jan. 22, 2003).

13. Sarbanes-Oxley Section 408.

14. 18 U.S.C. 1512(e) and 1519.

15. Information about the PCAOB and its rulemaking, registrations, inspection, and other matters can be obtained from its Web site, http://www.pcaobus.org. Similarly, Sarbanes-Oxley- related developments at the SEC can be found on the SEC’s Web site, http://www.sec.gov.

16. Thus far, the PCAOB has disapproved four registration applications, which means that these firms and individuals are currently barred under Sarbanes-Oxley Section 102 from auditing or participating in the audit of public companies. In three cases, the disapproval was because the firms had issued an audit report on a public company without being registered with the PCAOB, and the PCAOB stated they could file new applications for registration after Feb. 15, 2005.

17. See Public Company Accounting Oversight Board Rules 4011 and 4012.

18. See PCAOB Release No. 2003-006, Interim Professional Auditing Standards (April 18, 2003).

19. In this regard, Sarbanes-Oxley also makes it specifically unlawful to mislead auditors of a public company. See SEC Release No. 34-47890, Improper Influence on Conduct of Audits (May 20, 2003). This could result in greater formality in relations between clients and auditors, and documentation of communications. SEC rules and PCAOB Auditing Standard No. 3 now also require auditors to retain audit records and workpapers for seven years. SEC Release No. 33-8180, Retention of Records Relevant to Audits and Reviews (Jan. 24, 2003).

20. See SEC Release No. 33-8183, Strengthening the Commission’s Requirements Regarding Auditor Independence (Jan. 28, 2003); see also Office of the SEC Chief Accountant, Application of the January 2003 Rules on Auditor Independence, Frequently Asked Questions (Aug. 13, 2003).

21. The transcript from the roundtable provides an excellent discussion of this issue. See PCAOB Transcript, Auditor Independence and Tax Services Roundtable (July 14, 2004), http:// www.pcaobus.org/Rules_of_the_Board/Documents/2004-07- 14_Roundtable_Transcript.pdf.

22. 311 B.R. 151, 2004 WL 1459455, No. 02-13533 (Bankr. S.D.N.Y. June 30, 2004).

23. See Sprint No Longer to Allow Auditors to Provide Tax Services to Executives, 55 BNA Daily Tax Report G-4 (March 21, 2003).

24. See SEC Release No. 33-8238, Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports (June 5, 2003); PCAOB Release No. 2004-001, Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements (March 9, 2004); see also PCAOB Staff Questions and Answers, Auditing Internal Control Over Financial Reporting (June 23 and July 27, 2004).

25. 17 CFR 240.13a-15 and 240.15d-15.

26. The COSO framework is actually a much broader notion of internal control that encompasses not only reliability of financial reporting, but also effectiveness and efficiency of operations and compliance with applicable laws and regulations. Sarbanes-Oxley imposes only the dimension relating to reliability of financial reporting as a legal requirement, but companies may embrace the entire COSO framework as a matter of good management. See Goodman, Internal Controls for the Tax Department, Tax Notes, May 3, 2004, p. 579. Moreover, ‘‘effective’’ legal compliance programs are important in meeting fiduciary duties of good care and avoiding criminal prosecution or receiving leniency under federal sentencing guidelines. White Collar Defense & Corporate Compliance, a Foley & Lardner White Collar Defense & Corporate Compliance Practice Group Information Bulletin (July 2004).

27. SEC Release No. 33-8238, n. 67.

28. PCAOB Release 2004-001, p. 9; Auditing Standard No. 2, par. 14.

29. SEC Release No. 33-8183 (Jan. 28, 2003); PCAOB Auditing Standard No. 2, paragraphs 32-35.

30. 18 U.S.C. 1513.

31. See OSHA Procedures for the Handling of Discrimination Complaints Under Section 806 of the Corporate and Criminal Fraud Accountability Act of 2002, Title VIII of the Sarbanes-Oxley Act of 2002; Final Rule—69:52103-52117, 29 CFR Part 1980 (Aug. 24, 2004).

32. See For Financial Whistle-Blowers, New Shield Is an Imperfect One, Wall Street Journal, p. A-1 (Oct. 4, 2004).

33. See Schmidt v. Levi Strauss & Co., No. C04-01026 (N.D. Cal.).

34. See Ex-Swatch Managers’ Complaint Over Tax Evasion is Dismissed, Wall Street Journal, p. B3 (Aug. 16, 2004).

35. SEC Release No. 33-8185, 27 CFR Part 205, Standards of Professional Conduct for Attorneys Appearing and Practicing Before the Commission in the Representation of an Issuer (Jan. 29, 2003).

36. The SEC has not finalized its controversial ‘‘noisy withdrawal’’ proposal to require a reporting attorney, in the event an appropriate response is not received from the issuer’s board, to withdraw and disclose the matter to the SEC. This proposal was viewed as seriously undermining the need for confidentiality that is a basic tenet of an effective attorneyclient relationship.

37. See amended ABA Model Rules 1.13 and 1.6.

38. 17 CFR Part 244.

39. See SEC Release No. 33-8183.

40. See Citing Sarbanes, Foreign Companies Flee U.S. Exchanges, Wall Street Journal, p. C1 (Sept. 20, 2004) (discussing the increasing number of foreign firms that are delisting from U.S. stock markets and de-registering with the SEC to avoid increasing Sarbanes-Oxley compliance costs, and the difficulties encountered in deregistering from the SEC); MIPS Systems Inc. Goes Private, Press Release (Aug. 16, 2004) (company undertook 1-for-100 reverse stock split to reduce number of stockholders below 300 and de-register from SEC, in part to avoid dramatically increasing costs under Sarbanes-Oxley).

41. See Project Summaries, Uncertain Tax Positions (Aug. 18, 2004), and Short-Term Income Tax Convergence Project (Aug. 12, 2004), at http://www.fasb.org/project; FASB Weighing Possible Tightening of Rules on Income Tax Accounting, 144 BNA Daily Tax Report G-1 (July 28, 2004).

Reproduced with permission from Daily Tax Report, No. 219, pp. J-1 - J-8 (Nov. 15, 2004).
Copyright 2004 by The Bureau of National Affairs,Inc. (800-372-1033) http://www.bna.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.