The Substance Of Transparency: The Sarbanes-Oxley Act
February 2003 BY JOHN MATTIE AND JACK MCCARTHY
The Sarbanes-Oxley Act, rather than being prohibitive, offers unparalleled discipline and direction, enabling its adherents to put their numbers on display.
Last year the world witnessed how quickly financial wrongdoing and a lack of effective controls can devastate some of America's largest and most well-known companies. The Sarbanes-Oxley Act of 2002 (Sarbanes), enacted on July 30, was essentially a formal response to major corporate and accounting scandals.
Although Sarbanes applies to companies that register securities with the Securities and Exchange Commission (SEC), we believe that college and university business officers should regard Sarbanes as an opportunity to further the business officer's defining core objectives, namely, the enhancement of institutional accountability and responsibility. As the current climate has highly sensitized those outside the accounting field to the importance of good financial management practices, the time is particularly conducive to making yourself and your contributions known. Thus, in presenting a general accounting and discussion of the act, it is our intent to provide you with the following: a better understanding of the implications of Sarbanes, affording you the means of educating senior executives and boards of trustees; the ability to identify those practices required by Sarbanes that might be applied within a college and university environment and to determine how best to apply them; and a view of Sarbanes as an opportunity both to reassess best practices for audit committees and executives and to refresh the ongoing dialogue with external auditors.
Prudent Disclosures and Effective Monitoring
Among other provisions, Sarbanes requires the principal executive officer of an SEC registrant (i.e., the president, chancellor or chancellors in the university environment) and its principal financial officer (i.e., the CFO or the business officer or officers) to provide the following:
- Enhanced disclosures, including a report on the effectiveness of internal controls and procedures for financial reporting (along with the external auditor attestation of that report) and disclosures covering off-balance sheet transactions and pro forma financial information.
- Disclosures regarding the code of ethics for senior financial officers and the reporting of certain waivers of the code.
The key words include "disclosures," "internal controls," "procedures," and "code of ethics." In the university environment, "policies" and "compliance"—at a minimum—become part of this vocabulary. All of these words describe prudent business practices that should be adhered to in any sector, including higher education, to promote accountability and responsibility. Sarbanes provides a fresh opportunity for business officers to reassess and enhance these business practices.
For example, a recurring challenge for the business officer is how to monitor most effectively the risks associated with the activities of departments and other decentralized units. Although departmental and other leaders are not accountable to the business officer, their actions may have a formidable impact on financial reporting. Questions for you to consider include: Have responsible parties been identified? Are the internal controls effective? Are resources and systems being used efficiently, and are their costs being managed? Have we examined best practices for other organizations to see if they might apply to our institution? Can communications be improved? Are appropriate monitoring activities in place?
The present time is ideal for ensuring that adequate internal controls, policies and procedures, compliance programs, and monitoring activities are in place, in addition to reviewing and refining the disclosures in the institution's financial reports.
The following are provisions of Sarbanes, supplemented by the related responsibilities of college and university business officers and our view of current practices, as well as suggested best practices.
Sarbanes Must-Haves for the Business Officer
Responsibility: Code of Ethics
- Defining the responsibility: Sarbanes requires that a code of ethics be in place for senior financial officers.
- Current practice: Research universities may have such a code but it may not be in place at other types of institutions.
- Best practice: Develop or revise and update a code of conduct, including a code of ethics and a conflict of interest statement for trustees, officers, faculty, and employees. The code should be broader than Sarbanes suggests and not just for senior financial officers. It should apply to all employees who have direct and indirect financial responsibilities.
Responsibility: Full Disclosure in Financial Reports
- Defining the responsibility: Sarbanes requires that financial statements be complete and accurate and include appropriate disclosure of significant transactions, including off-balance sheet financing.
- Current practice: College and university financial statements have adequate disclosures as defined by the FASB and GASB standards that currently apply to the industry. However, these standards differ from the more stringent accounting policies and disclosures required for SEC registrants.
- Best practice: Adopt reporting and disclosure procedures that are more closely aligned with those required by SEC registrants. In the current environment, greater financial reporting transparency might be considered with regard to the nature and terms of significant interfund borrowings; institutional financial guarantees—contractual and moral—of affiliated organizations; the nature and risks associated with joint ventures and alliances—domestic and global; consolidated and unconsolidated organizations; and the composition of the endowment funds in unrestricted, temporarily restricted, and restricted categories.
Responsibility: Certification of Financial Statements
- Defining the responsibility: The principal executive officer and the principal financial officer of SEC registrants are required to certify the financial statements, a process that signifies the following: they have reviewed the financial report; based on their knowledge, the financial report is true and does not omit any material facts; the financial statements are fairly presented in all material respects; they are responsible for internal controls; the signing officers have disclosed significant deficiencies in internal controls as well as fraud; and whether there are changes in internal controls or other factors that could significantly affect internal controls subsequent to the date of their assessment.
- Current practice: This provision of Sarbanes does not extend to higher education at the current time. However, a recently issued American Institute of Certified Public Accountants auditing standard requires auditors to make specific inquiries to CEOs and CFOs about the existence of fraud. This standard applies to all entities.
- Best practice: At a minimum, include in annual financial reports a statement of management's responsibility for the completeness and accuracy of the report as well as for the underlying system of internal controls.
Responsibility: Internal Controls
- Defining the responsibility: Sarbanes requires that management is responsible for establishing and maintaining an effective system of internal controls.
- Current practice: Many institutions have good internal control structures in place, but the internal controls are not well documented and related policies and procedures need to be updated and improved.
- Best practice: Define and document policies and procedures as well as a comprehensive system of internal controls. We find that best practices are in regulated industries other than higher education (e.g., financial services).
Responsibility: Disclosure of Internal Control Deficiencies and Known Fraud
- Defining the responsibility: Sarbanes stipulates that senior executives disclose to auditors and the audit committee all significant deficiencies in the design or operation of internal controls as well as significant changes in internal controls. They also must disclose known instances of fraud.
- Current practice: These responsibilities are not explicitly required for college and university business officers at this time.
- Best practice: Develop procedures to communicate among senior executives any known deficiencies in the system of internal controls as well as all instances of fraud.
Other Key Responsibilities to Consider
Responsibility: Enterprisewide Risk Management
- Defining the responsibility: Although not required by Sarbanes, an enterprisewide risk management program can be a valuable tool for the business officer.
- Current practice: Some institutions have an enterprisewide risk management program, and others are considering establishing such a program.
- Best practice: Adopt an enterprisewide risk management program.
Responsibility: Compliance Programs
- Defining the responsibility: Although not required by Sarbanes, an institutional compliance program is a valuable tool for business officers, especially those with research universities. Such a program is a necessity for academic medical centers with clinical trials.
- Current practice: A growing number of institutions are adopting formal institutional compliance programs with monitoring by internal audit or other groups.
- Best practice: Adopt an integrated institutionwide compliance program in connection with an enterprisewide risk management program.
Responsibility: Education and Communication
- Defining the responsibility: In the post-Sarbanes environment, it is likely that the president, chancellor, executive vice president, and audit committee will want and need to be more fully informed and educated about financial matters than ever before.
- Current practice: Many business officers informally educate and communicate with institutional leaders and audit committees.
- Best practice: Adopt a communications program under which institutional leaders and audit committees would be informed about financial reporting issues at least quarterly. Also, provide ongoing assessments of financial and other internal control matters.
Audit Committee Performance
All SEC registrants are required to have audit committees. Sarbanes identifies audit committee responsibilities for SEC registrants, which include responsibility for overseeing the organization's accounting and financial reporting processes as well as audits of its financial statements. Sarbanes also requires that at least one audit committee member be a "financial expert." Section 407 of the act defines a financial expert as someone who possesses, through education and experience, an understanding of GAAP and financial statements; an understanding of audit committee functions; experience in the preparation or auditing of financial statements; experience in the application of principles surrounding accounting for estimates, accruals, and reserves; and experience with internal accounting controls. Finally, the audit committee must preapprove any services provided by its external audit firm.
Many stakeholders in the college and university community expect their audit committees to fulfill similar responsibilities. The following addresses audit committee responsibilities under Sarbanes, as well as current and best practices in higher education.
Sarbanes Must-Haves for Audit Committees
Responsibility: Oversight of Accounting and Financial Reporting Practices
- Defining the responsibility: It is the audit committee's responsibility to oversee the organization's accounting and financial reporting processes as well as various other regulatory and audit matters as they relate to the financial statements.
- Current practice: In higher education, the audit committee is typically responsible for overseeing financial, legal, regulatory, and audit matters; however, not to the extent envisioned by Sarbanes.
- Best practice: Meet at least quarterly and allow adequate time for audit committee members to be well informed about financial operations and reporting, internal control systems, compliance, and related matters.
Responsibility: External Auditor
- Defining the responsibility: The audit committee is responsible for appointing, compensating, and overseeing the auditor as well as preapproving services.
- Current practice: The audit committee is responsible for understanding the services performed by the external auditor and reviewing all reports.
- Best practice: Engage actively with the external auditor and gain a complete understanding of all work planned (both audit and nonaudit services). Also, review thoroughly all work performed by the external auditor at the audit committee's direction.
Responsibility: Financial Expertise
- Defining the responsibility: The audit committee should include at least one member who is a financial expert in the registrant's industry.
- Current practice: Most audit committee members would not satisfy the definition of financial expert as currently defined by Sarbanes.
- Best practice: Include at least one audit committee member who meets the Sarbanes definition of a financial expert.
Responsibility: Independence
- Defining the responsibility: Audit committee members must be independent as defined by Sarbanes, that is, the audit committee member does not accept any consulting, advisory, or other fee from the institution.
- Current practice: Most audit committee members who are not members of management would meet the Sarbanes definition of independence.
- Best practice: The audit committee should only include trustees who are not members of management and who do not accept any consulting, advisory, or other type of fee from the institution.
From the Outside Looking In
Sarbanes reaffirms the necessity for the external auditor to be truly independent of management in fact and in appearance. It prohibits the external auditor from performing certain nonaudit services for audit clients, and it requires the external auditor to rotate the audit partners after five years of service. It also expands the external auditor's responsibility to provide an attestation report on the newly required management assertions on internal controls and procedures for financial reporting. However, neither the form of management's assertion nor that of the auditor's attestation has been finalized at this time.
In our experience in higher education, it is very rare for management to provide a formal assessment of its system of internal control as part of any external financial reports. We are not aware of any external auditor attestations on such assessments.
In January 2002, the U.S. General Accounting Office (GAO) also addressed auditor independence in its Amendment No. 3, Independence, to Government Accounting Standards. Amendment No. 3 clarified GAO's position on auditor independence. The two core principles of this amendment are as follows:
- Audit organizations should not provide nonaudit services that involve performing management functions or making management decisions.
- Audit organizations should not audit their own work or provide nonaudit services in situations where the nonaudit services are significant/material to the subject matter of the audits.
While the provisions of Sarbanes do not apply in a legal sense to colleges and universities, the GAO standards apply to all recipients of federal funding. Accordingly, most colleges and universities need to be certain that the relationships with their external auditors meet the revised standards.
Over the years, audit committees have become much more active in dealings with the external auditors both in terms of understanding the nature of the services they provide and the process by which they are evaluated for appointment or reappointment. Many of the major auditing firms have announced that there are certain services that they will no longer provide for audit clients (e.g., design and implementation of major information systems and total internal audit outsourcing services). Auditor independence will continue to come under increased scrutiny. This is an area that bears watching, as best practices will evolve quickly in response to Sarbanes.
A Change Would Do You Good
The Sarbanes-Oxley Act of 2002 represents a significant change in the way that audit committees, management, and auditors of SEC registrants carry out their responsibilities and interact with one another. Because many of the provisions of Sarbanes direct the SEC to issue implementing guidance, its precise impact will continue to evolve throughout 2003. Without question, however, Sarbanes will lead to a higher level of responsibility, accountability, and financial reporting transparency in the corporate world. These changes are ultimately intended to return to investors the confidence they need to once again become active in the nation's financial markets.
Regarding the importance of Sarbanes to higher education, here are some final words of advice: Keep in mind that although colleges and universities are not required to comply with Sarbanes, there is clearly an expectation that these institutions will embrace its best practices. Consider Sarbanes as an opportunity to improve communications around the financial reporting process. And consider Sarbanes as an opportunity to reassess the system of internal controls in a much broader context than has previously been required. By employing Sarbanes, your institution can realize a higher level of accountability, responsibility, and financial reporting transparency.
Author Bios
John A. Mattie heads the PricewaterhouseCoopers education advisory services practice. John H. McCarthy is the national education and nonprofit practice leader for PricewaterhouseCoopers. Both are based in the Boston office.
E-mail: john.a.mattie@us.pwcglobal.com, john.h.mccarthy@us.pwcglobal.com
Further Details on GAO Independence Standard
After a three-year deliberation process, the U.S. General Accounting Office (GAO) issued its Amendment No. 3, Independence, in January 2002. This amendment is now part of the Government Auditing Standards, which are also referenced as the "Yellow Book" standards. The independence standard was effective for audits of periods beginning on or after January 1, 2003, although early implementation was encouraged. It applies to audits of federal, state, and local governments as well as to not-for-profit and for-profit recipients of certain government grant and loan assistance, such as colleges and universities.
The amendment can be found at the following GAO Web site: http://www.gao.gov. Look for "The Yellow Book" on the GAO's home page.
Sarbanes Specifics
For more information on the Sarbanes-Oxley Act, consult the following:
- The legislation itself can be found by searching for bill number "H. R. 3763. ENR" on the following Web site maintained by the Library of Congress: http://thomas.loc.gov/
- A PricewaterhouseCoopers white paper, The Sarbanes-Oxley Act of 2002: Strategies for Meeting New Internal Control Reporting Challenges: A White Paper, can be found on PwC's The CFOdirect Network, which is an online resource for senior financial executives at http://www.cfodirect.com. You will also find links to emerging information on Sarbanes in the upper right hand corner of the home page on The CFOdirect Network.
- NACUBO and PricewaterhouseCoopers presented a Web conference on the Sarbanes-Oxley Act of 2002 on January 16. Archival information is available on NACUBO's Web site at http://www.nacubo.org.