The Sarbanes-Oxley Act of 2002 (SOX), named after Senator Paul Sarbanes and Representative Michael G. Oxley and approved by overwhelming majorities in both the House of Representatives and the Senate, is considered the most significant change in federal securities laws in the United States since the New Deal - the economic and political principles and policies adopted by Franklin Roosevelt in the 1930s to advance economic recovery and social welfare.
Investors' trust in accounting and reporting practices of US listed companies was badly shaken by a string of corporate financial scandals, including those affecting Enron, Arthur Andersen, and WorldCom.
The Act seeks to re-establish and strengthen public confidence in capital markets through the formulation of new standards for corporate boards and audit committees, new accountability standards and criminal penalties for corporate management, and new independence standards for external auditors.
SOX imposes new duties on public companies and significant penalties for non-compliance on their executives, directors, auditors, attorneys and securities analysts. Most of the provisions of this law apply only to those US public companies that file a Form 10-K with the Securities and Exchange Commission. The major provisions of the Act include:
(a) certification of financial reports by CEOs and CFOs, who shall jointly attest the "appropriateness of financial statements and disclosures contained in the periodic report, and that these financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer."
(b) requirement for a management assessment of internal controls in annual reports in the form of an "internal control report", which shall: (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the financial year, of the effectiveness of the internal control structure and procedures in force for financial reporting.
(c) each company auditor shall attest to, and report on, the assessment of internal controls made by the management of the company.
(d) auditor's independence, including outright bans on audit firms providing extra "value-added" services to clients such as (1) bookkeeping or other services related to the accounting records or financial statements of the audit client; (2) financial information systems design and implementation; (3) appraisal or valuation services, fairness opinions, or contribution-in-kind reports; (4) actuarial services; (5) internal audit outsourcing services; (6) management functions or human resources; (7) broker or dealer, investment adviser, or investment banking services; and (8) legal services and expert services unrelated to the audit.
(e) US companies are now obliged to have an internal audit function, which will need to be certified by external auditors.
Enforcement of the law will be the responsibility of the newly-created Public Company Accounting Oversight Board (PCAOB) which has issued some guidelines on how management should render their opinion.
The main point is that management should use a risk management approach such as COSO (which describes how to assess the control environment, determine control objectives, perform risk assessments, and identify controls).
The auditor's attestation of the management's assessment of internal controls, too, shall be in accordance with standards for attestation engagements issued or adopted by the PCAOB. It will be the responsibility of the PCAOB to:
(a) register public accounting firms. All registered firms will be required to "prepare, and maintain for a period of not less than seven years, audit work papers, and other information related to any audit report, in sufficient detail to support the conclusions reached in such report."
(b) establish, or adopt, by rule, "auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports." Auditing standards are required to include (i) second partner review and approval; (ii) evaluation of whether internal control structure and procedures include records that accurately reflect transactions and disposition of assets; (iii) assurance that receipts and expenditures are made only with authorization of senior management and directors; and (iv) description of both material weaknesses in internal controls and of material non-compliance, and reasonable assurance that the transactions are recorded in a manner that will permit the preparation of financial statements in accordance with GAAP;
(c) conduct inspections (quality control reviews) of accounting firms: annually for firms that provide audit reports for more than 100 listed companies, and at least once every three years for all other accounting firms;
(d) conduct investigations and disciplinary proceedings, and impose appropriate sanctions; and
(e) enforce compliance with the Act, the rules of the PCAOB, professional standards, and the securities laws relating to the preparation and issuance of audit reports and the obligations and liabilities of accountants with respect thereto.
One may well wonder whether this legislation has any impact on the auditing profession in Pakistan. It most decidedly does, as the Act requires foreign accounting firms that audit a US company to register with the Board.
This would include foreign firms that perform some audit work, such as in a foreign subsidiary of a US company that is relied on by the primary auditor. As such the auditors of Pakistani subsidiaries of US-listed companies will not only need to register themselves with the PCAOB but also will have to comply with the Act, in particular with the contentious Section 404, which requires attestation by the external auditors of the management's assessment of the adequacy of internal controls.
This is not without its rewards. The SOX compliance requirement has brought a fee bonanza to accounting firms. The Act, also known cynically as the "Accountants Full Employment Act", has led to a doubling of audit fees by the Big Four accounting firms, according to a new study.
PricewaterhouseCoopers saw an increase in audit fees averaging 134 per cent, thanks in large part to work related to Section 404 of the Sarbanes-Oxley Act, reported the Financial Times, citing the Corporate Executive Board, a consultancy. KPMG's audit fees rose an average of 109 per cent; Ernst & Young's, an average of 96 per cent; and Deloitte's, 78 per cent.
The results were based on a Corporate Executive Board survey of 43 businesses - 40 of them Fortune 500 companies - that had to comply with Section 404 last year. The study found that the 43 companies spent an average of $5 million to $8 million to comply with Sarbanes-Oxley last year, according to the Financial Times.
PricewaterhouseCoopers stated that it believes "the overall audit fee increase is in the 80 to 100 per cent range, with significant variation depending on the specific client and the complexity of the work," according to the FT. Deloitte told the newspaper that average figures were difficult to compute, though the increase was the highest that the firm had seen. E&Y and KPMG declined to comment to the paper.
The Act has also pitted Chief Information Officers against Chief Financial Officers. Christopher Koch, writing last year in CIO magazine, bemoans that "CIOs are being relegated to a purely tactical role. And that may be the CFO's plan." He observes that "when CIOs began installing ERP systems in the '80s and '90s, they unwittingly took something that used to belong to CFOs: financial controls.
The things that accountants used to monitor manually - such as making sure that two signatures from the right people went on every cheque, or reconciling purchase orders against invoices - all became automated inside ERP systems.
The meticulous audit trail that controllers and accountants had established over generations for demonstrating that money was being handled properly (think of black, leather-bound ledgers and long ribbons of adding machine paper) disappeared into those ERP systems without a trace - or at least without being properly documented, and certainly not to the extent now required by the Sarbanes-Oxley Act, a.k.a. Sarbox".
He concedes that Section 404 of SOX mandates that CFOs have to do more than simply pledge that the company's finances are correct; they have to vouch for the processes used to add up the numbers.
CFOs have taken control of Sarbanes-Oxley compliance efforts, but are CIOs' fears that their CFOs are conspiring to exclude them from the whole exercise mere paranoia? Some CIOs fear Sarbox has become a "stalking-horse" that CFOs are using to assert control over IT and displace the CIO as the company's business process expert.
Urging CFOs on, this theory goes, are the Big Four accounting firms, desperate to reassert themselves after the Enron fiasco (which turned the Big Five into the Big Four after Arthur Andersen bit the dust) and needing consulting revenue to replace what they lost when most hived off their consulting divisions.
"Finance and accounting organizations have been pushed to the background recently as IT and supply chain have been driving where companies are going," says one disgruntled CIO.
"Sarbanes-Oxley is the revenge of the bean counters. It's a wedge for the accounting profession to get control of the business again." Can CIOs and CFOs get back on the same wavelength again?






























