24770724 Accounting Scandal Sarbanes Oxley (World Financial Scandal)

Accounting Scandal & Sarbanes Oxley act of 2002

Abstract

Accounting in shaped by economic and political forces. It follows that increased

worldwide integration of both markets and politics makes increased integration of

financial reporting standards and practice almost inevitable. But most market and

political forces will remain local for the foreseeable future, so it is unclear how much

convergence in actual financial reporting practice will occur. Furthermore, there is little

settled theory or evidence on which to build an assessment of the advantages and

disadvantages of uniform accounting rules within a country, let alone internationally. The

pros and cons of IFRS therefore are somewhat conjectural, the unbridled enthusiasm of

allegedly altruistic proponents notwithstanding. On the “pro” side of the ledger, I

conclude that extraordinary success has been achieved in developing a comprehensive set

of “high quality” IFRS standards, in persuading almost 100 countries to adopt them, and

in obtaining convergence in standards with important non-adopters A deeper concern is

that there inevitably will be substantial differences among countries in implementation of

IFRS, which now risk being concealed by a veneer of uniformity. The notion that

uniform standards alone will produce uniform financial reporting seems naive. In

addition, I express several longer run concerns. The Sarbanes-Oxley Act of 2002 (SOX)

is the public company accounting reform and investor protection act signed into law on

July 30, 2002 in response to a number of Fortune 500 companiesï¿½ involvement in

corporate and accounting scandals. These widely published corporate debacles, including

those affecting Enron, WorldCom and Tyco cost investors billions of dollars when the

share prices of the affected companies collapsed. In affect, investor confidence in the

securities markets hit rock bottom. The purpose of SOX was to empower the Securities

and Exchange Commission (SEC) of the U.S. so that it could oversee corporate

governance of public organizations in hopes of restoring investor confidence. President

Bush reflected the impact of this act stating that no law of such significance to businesses

has been signed since the presidency of Franklin D. Roosevelt in the U.S. The SOX Act

of 2002 was named after its main architect’s, Senator Paul Sarbanes and Representative

Michael Oxley. SOX establish a number of compliance rules for financial practice that

ensures occur.

Page 1 of 41


Accounting ScandalsSeveral big firms have come under scrutiny recently for questionable accounting

practices. Some of the world’s biggest accounting scandals

Enron

In just 15 years, Enron grew from to be America's seventh largest company, employing 21,000 staff in more than 40 countries.

1It started out as a pipeline company, and transformed itself into an energy trader, buying and selling power. Among other businesses, Enron was engaged in the purchase and sale of natural gas, construction and ownership of pipelines and power facilities, provision of telecommunications services, and trading in contracts to buy and sell various commodities. It expanded into many diverse industries for which it had no unifying strategies and no expertise.

Fortune magazine named it the most innovative company in America six years in a row, not spotting that much of the innovation was sleight-of-hand accounting that amounted to fraud. Enron lied about its profits and used off-the-books partnerships to conceal $1 billion in debt and to inflate profits.

Some of the tactics used by Enron:

2EARNINGS MANIPULATION31 From at least 1998 through late 2001, Enron's executives and senior managers engaged in wide-ranging schemes to deceive the investing public about the true nature and profitability of Enron's businesses by manipulating Enron's publicly reported financial results and making false and misleading public representations. 23The scheme's objectives were,

• To produce that reported earnings steadily grew by approximately 15-20% p.a.

• To meet or exceed, without fail, the expectations of investment analysts about Enron's EPS.

• To persuade the investing public that Enron's future profitability would continue to grow.

Page 2 of 41


45To achieve these objectives, 6Quarterly earnings targets were imposed on each of the company's business units based on EPS goals and not true forecasts. When the budget targets could not be met, through results from business operations, they were achieved through the use of fraudulent devices. The primary purpose was to increase the share price which increased from $30 per share in 1998 to $80 in 2001 even after a stock split. 7 The rising stock prices enriched Enron’s senior managers in the form of salary, bonuses, grants of artificially appreciating stock options, restricted stock, and phantom stock, and prestige within their professions and communities.12Other methods used were :⇒ manipulating reserve accounts to maintain the appearance of continual earnings

growth and to mask volatility in earnings by concealing earnings during highly profitable periods and releasing them for use during less profitable periods;

⇒ concealing losses in individual "business segments" through fraudulent manipulation of "segment reporting," and deceptive use of reserved earnings to cover losses in one segment with earnings in another;

⇒ manufacturing earnings through fraudulent inflation of asset values and avoiding losses through the use of fraudulent devices designed to "hedge," or lock-in, inflated asset values; and

⇒ Structuring of financial transactions using improper accounting techniques in order to achieve earnings objectives .

1During 2000, Enron's wholesale energy trading business, primarily its Enron North America business, generated larger profits mostly due to rapidly rising energy prices in the western United States, especially in California. This growth was more than the smooth, predictable annual earnings growth of 15 to 20 percent. Beginning in the first quarter of 2000 and continuing throughout 2000 and 2001, Enron improperly reserved hundreds of millions of dollars of earnings, and used large amounts of those reserves to cover-up losses in ENA's "merchant" asset portfolio and from other business units such as EES. This misuse of reserves was discussed and approved among Enron's and ENA's senior commercial and accounting managers.

Page 3 of 41


FRAUDULENT VALUATION OF "MERCHANT" ASSETS

Enron's ENA business unit managed a large "merchant" asset portfolio, which consisted primarily of ownership stakes in a group of energy and related companies that Enron recorded on its quarterly financial statements at what it alleged to be "fair value." Senior Enron and ENA commercial and accounting managers frequently generated earnings needed to meet budget targets by artificially increasing the book value of certain of these assets, many of which were volatile or poorly performing. Likewise, to avoid recording losses on these assets, Enron's management fraudulently locked-in these assets' value in improper "hedging" structures.

1ENA's largest merchant asset was an oil and gas exploration company known as Mariner Energy ("Mariner"), which Enron was required to book at "fair value" every quarter. During the fourth quarter of 2000, there was a shortfall of approximately $200 million in Enron's quarterly earnings objectives. Senior Enron and ENA managers decided to increase artificially the value of the Mariner asset by approximately $100 million in order to close half of this gap.

1In the third quarter of 2000, other ENA "merchant" assets were similarly manipulated in value before being inserted into an elaborate hedging mechanism known as the "Raptors." Enron and ENA managers instructed ENA managers that Enron had constructed a device that would allow ENA to lock in approximately $400 million in book value of its assets, thereby protecting them from later write-downs,

Other Manipulative Devices Used in Enron Wholesale

Enron employed other devices fraudulently to manipulate the financial results of Enron Wholesale and its predecessor ECT. For example, ECT entered into a large contract in 1997 to supply energy to the Tennessee Valley Authority ("TVA") that resulted in an immediate "mark-to-market" earnings gain to Enron of approximately $50 million dollars. But in mid-1998, when energy prices in the region in which the TVA was located sharply increased, Enron's unheeded position in the TVA contract fell to a loss in the hundreds of millions of dollars, which would have eliminated ECT's earnings at the end of the then-current reporting period. To avoid this Enron’s managers removed the TVA contract from Enron's "mark-to-market" accounting books by instead applying accrual accounting to the contract. Enron then did not disclose the loss.

1Senior Enron and ECT managers devised a plan to avoid later disclosure of most of the loss from TVA by investing hundreds of millions of dollars in the purchase of power-plant turbines and the construction of "peaker" power plants that Enron otherwise would not have purchased. This mechanism ultimately resulted, in a later reporting period, in a

Page 4 of 41


recorded loss to Enron from the TVA contract that was hundreds of millions of dollars less than the actual loss incurred in 1998. Enron did not reveal this. 2During 1999, Enron attempted unsuccessfully to shed itself of this costly investment in turbines and "peaker" plants. Unable to sell the assets at a profit to satisfy budget targets, Enron devised and executed a scheme to manufacture current earnings by agreeing to entering into back-to-back trades with Merrill Lynch & Co., Inc. which to sell and then repurchase energy generated by Enron's "peaker" plants. These trades with Merrill Lynch, which virtually mirrored each other, ensured that ENA satisfied budget targets for the fourth quarter of 1999.

Apart from this many of Enron’s senior managers were charged with insider trading and indicted. Enron was also accused of creating phantom shortages in California’s unregulated electricity market to fleece ratepayers of an estimated $30 billion during the 2001 energy crisis.

Outcome

Enron filed for Chapter 11 bankruptcy, allowing it to reorganize while protected from creditors.

Enron has sought to salvage its business by spinning off various assets.

Enron’s core business, the energy trading arm, has been tied up in a complex deal with UBS Warburg. The bank has not paid for the trading unit, but will share some of the profits with Enron.

Centric a, part of the former British Gas has bought Enron's European retail arm for £96.4m.

Summary

When scandal was discovered: October 2001

Charges : Boosted profits and hid debts totaling over $1 billion by improperly using off-the-books partnerships; manipulated the Texas power market; bribed foreign governments to win contracts abroad; manipulated California energy market

Latest Developments: Ex-Enron executive Michael Kopper pled guilty to two felony charges; acting CEO Stephen Cooper said Enron may face $100 billion in claims and liabilities; company filed Chapter 11; its auditor Andersen was convicted of obstruction of justice for destroying Enron documents.

Page 5 of 41


Adelphia

Starting in 2001, the U.S. economy experienced a period of economic instability,

somewhat reminiscent of the 1930s. What was similar was not the depth of the recession,

but the level of corporate misconduct, failure of checks and balances, and total loss of

investor confidence (Nussbaum, 2002). How did this happen? The common element

found in both time periods was the conflict of interest that benefited insiders (Kuttner,

2002). In contrast to the Chicago School of economic theory, which espouses the benefits

of a deregulated economy, market forces were unable to detect or discipline the self

dealing and opportunism that proved irresistible during the high growth years of the

1990’s. Despite President George W. Bush’s assertion that some corrupt individuals

failed the system, the argument can be made that it was the unchecked system of

deregulation that failed (“Let the Reforms Begin,” 2002). The telecommunications

industry in particular experienced a state of economic turmoil. Investors lost some $2

trillion as stock prices fell more than 95% from their previous highs. Since 2001, more

than a half a million workers lost their jobs in what was once regarded as the strongest

sector of the US economy. Dozens of debt ridden companies ranging from Winstar to

Global Crossing have filed for bankruptcy. Starting in early 2002, long distance carrier

WorldCom was targeted by US regulators and law enforcement officials after the

disclosure that the company had improperly overstated its earnings by $3.8 billion in

2001 and the first quarter of 2002 (now estimated at $11 billion). It was the largest

accounting fraud ever to occur by a US publicly traded company. WorldCom has

subsequently filed for bankruptcy (“WorldCom Plans Bankruptcy Filing,” 2002). In

January 2003, the media news and entertainment industry experienced an unprecedented

level of instability when transnational media giant

AOL Time Warner posted a $99 billion loss for the previous year; considered to be the

Largest financial loss in US corporate history.

Page 6 of 41


WorldCom

WorldCom was one of the big success stories of the 1990s. It was a symbol aggressive capitalism. Founded by Bernie Embers, one of the most aggressive acquirer during the US mergers and acquisitions boom of the 1990s. WorldCom's asset value had soared to $180bn before the US capital market started witnessing a downtrend.

WorldCom admitted in March 2002 that it will have to restate its financial results to account for billions of dollars in improper bookkeeping after an internal audit showed transfers of about $3.06 billion for 2001 and $797 million for the first quarter of 2002 were not made in accordance with generally accepted accounting principles.

In August 2002, an internal audit has revealed an additional $3.3bn (£2.2bn) of improperly reported earnings - taking the total to more than $7bn, double the level previously reported. $3.3bn was money from the company's reserves, which was misrepresented as operating income.

As a result of the discovery, WorldCom said that its financial statements for the year 2000 will have to be reissued.

The company also said it may now write off $50.6bn in intangible assets. Former chief financial officer Scott Sullivan and ex-controller David Myers were arrested a week ago, and face seven counts of securities fraud and filing false statements with the SEC.

The company filed for Chapter 11 bankruptcy protection on 22 July, a process that protects it from its creditors while it tries to restructure. It became the largest bankruptcy in US history, listing $107bn in total assets and $41bn in debts.

In May 2003, WorldCom agreed to pay a record amount to the US financial watchdog. MCI (formerly WorldCom), while neither admitting nor denying any wrongdoing, came to a settlement over its massive accountancy scandal. It will pay $500m to the Securities and Exchange Commission, the highest fine ever imposed by the regulator. The original figure of $1.5bn was scaled down as MCI declared itself bankrupt and so received favorable treatment.

The settlement sorts out the civil lawsuits that have been filed. But the criminal cases relating primarily to the actions of former employees at the company are still pending.

Page 7 of 41


Summary

When scandal was discovered: March 2002

Charges: Overstated cash flow by booking $3.8 billion in operating expenses as capital expenses;

Gave founder Bernard Ebbers $400 million in off-the-books loans.

The company found another $3.3 billion in improperly booked funds, taking the total misstatement to $7.2 billion, and it may have to take a goodwill charge of $50 billion.

Outcome: Former CFO Scott Sullivan and ex-controller David Myers have been arrested and criminally charged, while rumors of Bernie Ebbers' impending indictment persist. On 9th March 2005, four foreign banks agreed to pay $428.4 m for settling the class action law suit by investors accusing them of hiding risks at WorldCom before its collapse.

Tyco

When Scandal Went Public: May 2002

Allegations: Ex-CEO L. Dennis Kozlowski indicted for tax evasion. SEC investigating

whether the company was aware of his actions, possible improper use of company funds

and related-party transactions, as well as improper merger accounting practices

Investigating Agencies: Manhattan district attorney; SEC

Latest Developments: Said it will not certify its financial results until after an internal

investigation is completed. The Bermuda-based company is not required to meet the

SEC's Aug. 14 deadline. Investors looking to unseat all board members who served under

Kozlowski may launch a proxy fight to do so.

Company Comment: The Company is conducting an internal investigation and we

cannot comment on its specifics, but we will file an 8-K on the initial results around Sept.

15.

Page 8 of 41


Sarbanes Oxley act of 2002Introduction

The Sarbanes-Oxley Act never mentions the words database or data, however, DBAs must ensure their databases are in compliance with Sarbanes-Oxley. Sarbanes-Oxley Section 404 simply states that management has the responsibility “for establishing and maintaining an adequate internal control structure and procedures for financial reporting.” How does this sentence relate to a database being compliant with Sarbanes-Oxley? Well, directly it doesn’t. But since the Oracle Applications database contains data related to financial reporting and manipulation of this data “could adversely affect the [company’s] ability to record, process, summarize, and report financial data”, the Oracle Applications database must be compliant with the requirements of Sarbanes-Oxley for effective internal controls as stated in Sections 302 and 404 of the Act. The most frustrating aspect for DBAs is that there are no definitive requirements, checklists, or guidelines on how an Oracle Applications implementation must comply with Sarbanes-Oxley. From Section 404, the phrase “an adequate internal control structure and procedures for financial reporting” must be interpreted and extended to the database. Unfortunately, it is not clear who should provide this interpretation: external auditors, internal auditors, management, IT, etc. In most cases, the external audit firm provides “their” version of requirements in the form of a Sarbanes-Oxley assessment and findings. Often this assessment is performed by audit generalists who do not have experience with Oracle Applications, but instead understand financial controls and business processes. These findings are then forced on the DBA to remediate, usually in a short timeframe with little understanding or direction on what is truly required.

What is Sarbanes-Oxley?

The Sarbanes-Oxley Act of 2002 (SOX) provides for a new set of corporate governance rules and regulations for public companies. Two sections, (1) Section 302 “Corporate Responsibility for Financial Reports” and (2) Section 404 “Management Assessment of Internal Controls”; specifically address internal controls over financial reporting. The Sarbanes-Oxley Act is high-level and only addresses such requirements as corporate officers “are responsible for establishing and maintaining internal controls” and are required to periodically assess and report on the effectiveness of such internal controls. There are no details on what are effective internal controls and to what extent internal controls are required for “financial reporting”. The Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) are required by the Act to develop the final rules regarding compliance for the establishment, maintenance, and assessment of internal controls over “financial reporting”.

Section 302 requires the Chief Executive Officer and Chief Financial Officer on a quarterly or annual basis to have “designed internal controls” over financial reporting,

Page 9 of 41


“evaluated the effectiveness” of internal controls, and reported to the Audit Committee and external auditors “all significant deficiencies in the design or operation of internal controls which could adversely affect the ability to record, process, summarize, and report financial data and have identified for the [external] auditors any material weaknesses in the internal controls” and to report “any fraud”. Section 404 requires a corporation’s annual report to contain an internal control report that states “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting” and that management has performed “an assessment of the effectiveness of the internal control structure and procedures for financial reporting.” In addition, the external auditor must independently assess the corporation’s internal control report. So after looking at the Sarbanes-Oxley Act, you have only learned that “internal controls” are required for “financial reporting” and that the “internal controls” must be assessed on an annual basis. The SEC and PCAOB are responsible for implementing the actual rules. The SEC final rules require corporations to use a recognized internal control framework and specifically reference the Sponsoring Organizations of the Tread way Commission (COSO) internal control framework. We are finally getting somewhere – a framework and usually frameworks are good things.

Sarbanes-Oxley Act of 2002SEC RulesPCAOB Standards COSO Framework COBITSEC Defines Rules for Corporations PCAOB Define Standards for Auditors Suggests COSO Suggests IT Framework Suggests IT Framework.

COSO provides a comprehensive framework for defining and evaluating internal controls, but only addresses IT controls in a very general manner and does not provide any specific requirements for IT control objectives or activities. IT general controls are defined as “Policies and procedures that help ensure the continued, proper operations of computer information systems. They include controls over data-center operations, systems software acquisition and maintenance, access security, and application system development and maintenance. General controls support the functioning of programmed application controls. Other terms sometimes used to describe general controls are general computer controls and information technology controls.” COSO identifies five essential components of effective internal control – (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring.

The PCAOB as part of its rule making process released “Auditing Standard No. 2” that emphasizes the important of IT controls, but does not provide any details on what IT controls are required. The PCAOB auditing standards look for each corporation to develop IT controls that support their internal control program.

Both the PCAOB auditing standards and COSO suggest, in a roundabout way, the use of an IT control framework. The most widely recognized IT control framework is the Information Systems Audit and Control Association (ISACA) framework Control Objectives for Information and related Technology (COBIT). Many corporations have adopted COBIT as their standard IT control framework, especially related to SOX

Page 10 of 41


compliance. To assist companies, the ISACA has developed a whitepaper “IT Control Objectives for Sarbanes-Oxley”, which maps COBIT to Sarbanes-Oxley compliance. COBIT is framework for IT governance for the entire organization and provides high-level control objectives for applications and infrastructure, but the control objectives are not to a level that can be immediately implemented by a DBA or system administrator. The control objectives provide high-level characteristics for what the implemented internal control should include, but does provide any level of detail. An example of a COBIT control objective is –

Identity Management

All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and documented business needs and job requirements. User access rights are requested by user management, approved by system owner and implemented by the security-responsible person. User identities and access rights are maintained in a central repository. Cost-effective technical and procedural measures are deployed and kept current to establish user identification, implement authentication and enforce access rights. Other sources of guidelines and best practices for IT controls are ISO 17799 (security related) and the Information Technology Infrastructure Library (ITIL). Both provide varying levels of detail, but still are too high-level for immediate use by the DBA.

Sarbanes-Oxley Compliance

As you can see, there is no single point of reference or comprehensive guidelines for SOX compliance. The definition of SOX compliance is defined by the corporation referencing a set of internal controls frameworks. It is important to understand the foundation for the SOX compliance requirements, since these requirements may differ from organization to organization. Some companies may choose to implement only COSO and not an IT controls framework such as COBIT, while other companies may choose to use multiple control frameworks. Essentially, because every business assesses risks differently, the controls each business requires will be different. While understanding the principles and requirements for SOX compliance for the corporation helps, it does not answer the questions of what must be done to the database, applications servers, applications, and operations to achieve SOX compliance.

Looking at SOX Compliance

There are really two groups of people who look at SOX compliance – (1) corporate officers who must attest to the corporation’s internal controls and (2) external auditors that assess the effectiveness of such internal controls. Corporate officers rely on internal audit and SOX compliance teams to catalog and assess the corporation’s internal controls.

Page 11 of 41


For external auditors, the PCAOB standards require auditors to understand the flow of transactions (how transactions are initiated, authorized, recorded, processed, and reported), which may involve IT systems and applications. In most cases, the external audit firm provides “their” version of requirements in the form of a Sarbanes-Oxley assessment and findings. Often this assessment is performed by audit generalists who do not have experience with Oracle Applications, but instead understand financial controls and business processes.

Reactive vs. Proactive SOX Compliance

Most Oracle Applications implementations take a reactive approach to SOX compliance. Few companies take a proactive approach to SOX compliance and put in place a set of general IT controls and application controls that will meet the stringent requirements of SOX. The IT organization most likely performed a SOX self-assessment and provided appropriate documentation on policies and procedures to a SOX compliance team. Some control weaknesses or deficiencies were probably identified and hopefully corrected. Depending on the knowledge and experience of the IT internal auditors or external audit firm, even a controls review of the Oracle Applications implementation may have been performed. Usually, the Oracle Applications controls review focused on segregation of duties and other functional aspects of the application. The auditors may have “poked around” the DBA’s realm and potentially identified some weaknesses in terms of generic account usage, default passwords, etc. Most companies have a reactive approach to SOX compliance Oracle Applications, with the exception of segregation of duties and other functional internal controls. The approach for Oracle Applications related IT general controls is if the auditors find it, we will fix it.

SOX is a WRITE Event The first and foremost concept when thinking about SOX is that SOX is primarily focused on write events, not read events. SOX are most concerned with any and all changes to the financial data and the processing of the financial data. The processing of financial data includes the programs, reports, and configuration settings that may affect how the data is processed or reported. Processing includes the actual manipulation of the data such as GL Posting, but also includes changes to the programs and reports. Think about every way that financial data may be inserted, updated, and deleted in Oracle Applications. Now add in the all the programs, interfaces, reports, and configuration settings that affect how the data is processed and reported. The scope can be staggering in terms of the number of ways and methods that data is changed in Oracle Applications – even the simplest use of the APPS account must now be scrutinized. Even though SOX compliance may not be focused on read events, unauthorized querying or viewing of Oracle Applications data may be an issue in terms of HIPAA, GLBA, US and European privacy laws, and SEC rules. Also, a strong argument can be made that SOX compliance includes read events since fraud and other financial manipulation may only require knowledge of bank account numbers or financial results prior to public release. This argument can be countered with the following – (1) by implementing a

Page 12 of 41


strong set of internal controls for write events, these controls will probably prevent or detect most unauthorized inquiry or query access to the data, (2) the risk to the corporation of the write events probably far exceeds he limited risk of such unauthorized query access, and (3) unauthorized query access probably will not result in a material weakness in the audit report.

About SOX Compliance

The foundation of SOX compliance is about risk. Internal controls are about controlling and reducing risk. Unfortunately, the way a DBA views risk is much different than management or an external auditor. For a DBA, risk is about having backups, able to recover from disk failures, potential performance issues with a developers SQL statement, and the possible impact of the latest Oracle patch. For management and external auditors, risk is viewed in terms of cost/benefit and fraud.

SOX compliance should be done in the context for an enterprise-wide SOX initiative or as part of an IT project. However, these initiatives and projects are either documentation driven exercises or do not drive to the level of detail required for most Oracle Applications implementations. Since Oracle Applications is often the financial system of record, the auditors (both internal and external) will focus on this application

Since external auditors are required to examine the flow of key transactions through the organization and IT systems, most likely such transactions will require the financial system to garner close scrutiny. Thus, the DBA often is required to meet a higher standard of SOX compliance than the rest of the IT department.

What are Internal Controls?

Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives. Controls can be classified as preventative or detective and the processes used to implement a control can be either automated or manual. Preventative controls are designed to discourage errors and irregularities from occurring. Detective controls are designed to find errors and irregularities after they have occurred. IT Controls can be grouped into two categories: IT General Controls and Application Controls. IT General Controls are related to common IT services like disaster recovery, incident response, change management, system development, and computer operations. Application Controls are embedded in the application and designed to achieve accuracy and validity and include authorization, input edits, reconciliations, and approvals. When designing and implementing controls, the preference for a preventative vs. detective or manual vs. automated control is entirely related to the context and risk associated with the activity being controlled. DBAs tend to prefer automated, preventative controls since in the database administration world automation of processes and prevention of issues are goals. There is nothing wrong with manual, detective controls, especially with low risk activities and when the cost of automating such a control can not be justified.

Page 13 of 41


Approved manual policy and procedure must be documented for the password requirements for these database accounts and the periodic changing of the passwords. Due to weaknesses in the Oracle database password algorithm, it is strongly recommended the minimum password length for these database accounts be 9 and the passwords are changed every 90 days or when cloning the database to development and test environments.

1.1 User Management

Essential for effective control and segregation of duties is the use of named and unique accounts for all users.

Adherence to the enterprise security policy for passwords for all application accounts (length, complexity, failure lock-out, etc.). For strict adherence to the enterprise password policy may require a custom password validation routine (Sign on Password Custom profile option).

New user account creation policy and procedure should require new accounts to be created with a unique password and require the password to be changed upon first login.

1.2 Segregation of Duties

Segregation of duties for functional responsibilities should be evaluated on a routine basis and on a periodic basis appropriate managers should review all responsibility assignments.

System administrators and developers should have inquiry only functional responsibilities.

Developers and other support staff should have no access to production to register programs, change profile options values, etc.

Custom system administration responsibilities should be created for system administrators and limited to only necessary functions. “System Administrator” should be limited and only used when required. Especially important is access to functions that allow for the execution of SQL statements (e.g., creating alerts).

1.3 Database Security

APPS Account

The APPS account and all other Oracle Applications database accounts should be limited only to the DBA group or a subset of the DBA group.

Page 14 of 41


All DBAs and support staff should have individual database accounts with no write access to the database when performing daily support and troubleshooting activities.

A change control ticket should be required for any usage of the APPS or other Oracle Applications database accounts.

Consider creating an “APPSIF” database account with insert, update, and delete privileges to Oracle Applications and custom interfaces tables that may need to be directly updated. A change control ticket should be required for any access to this database account. A database login trigger can be used to automatically enable a trace of the session.

Database Passwords

All database accounts should require periodic password changes and conformance to the enterprise password policy.

o Registered Oracle Applications database accounts should have a manual policy and procedure requiring changing every 90 days or during a routine maintenance window.

o All other database accounts should have database password profiles enabled with a custom password authentication function to enforce the enterprise password policy.

Privileges and Access

All database accounts should be reviewed on a periodic basis to verify appropriate access.

All database privileges should be reviewed on a periodic basis to verify appropriate privileges.

1.4 Operating System Security

All access to the standard Oracle operating system accounts oracle and applmgr should be controlled and the appropriate logs maintained to identify the individual accessing these shared accounts. It is not practical or feasible within Oracle Applications to require individual administrators to use only named UNIX accounts.

Page 15 of 41


⇒ Use tools like soda or Seamark Powerbroker to provide detailed tracking of commands and usage and mapping usage to individual operating system accounts

⇒ All usage should be tied to a change control ticket.

All access to interface accounts should be controlled and the appropriate logs maintained and monitored to ensure only authorized processes and users are transmitting interface files.

2. Auditing

By default, the Oracle Database and Oracle Applications are not compliant with SOX. In the default installation, there is no auditing enabled for either the Oracle Database or Oracle Applications. Oracle Applications maintains creation and last modified information for almost every record, but generally does not provide any history of changes to records. For SOX compliance, a history of changes to critical configuration settings and controls is required. When enabling auditing, performance is always a valid concern. For the most part, auditing non-transactional tables should only have a minimal performance impact. Auditing transactional, high-volume tables can and will have a severe performance impact. Prior to enabling any auditing, careful review of the exact tables and audit settings is required. Assume at least 1-5% performance impact in terms of additional database writes and table space for a minimum set of SOX auditing at the database and application level. Many auditors look for auditing to be enabled on transactional tables such as vendors (especially addresses), which most likely will require discussions with management to assess the risk and potential impact on performance (and the cost of hardware upgrades). Configuring and enabling auditing is the simple part. Oracle does not provide any tools to manage the audit data, such as archiving, purging, and reporting. Procedures, scripts, and reports must be developed in order to have any gain meaningful results from audit data. The complexity and effort required to develop these procedures, scripts, and reports should be supported by management (i.e., resources and dollars) based on management’s assessment of risk.

2.1 Application Auditing

Auditing Configuration Settings

Saigon: Audit should be set to FORM.

FND_UNSUCCESSFUL_LOGINS should be continuously monitored for repeated unsuccessful logins.

In 11.5.10 and onwards, Page Access Tracking should be enabled.

Page 16 of 41


Oracle Applications Audit Trails

Oracle Applications Audit Trails is required for key user management tables like FND_USER, FND_RESPONSIBILITY, FND_FORM_FUNCTIONS, FND_MENUS, FND_RESP_FUNCTIONS, FND_USER_RESP_GROUPS, etc. to maintain a history of changes.

FND_ORACLE_USERID should be audited to have a history of password changes to the registered Oracle Applications database accounts, since changing of these passwords is a manual control and a balancing detective control is required.

2.2 Database Auditing

Database Session Auditing

Database session auditing should be enabled.

All access to the APPLSYSPUB account not from an application server (ADI is an exception to this rule) should generate an alert.

All access to the APPS account and all other Oracle Applications database accounts (e.g., GL) not by the application (web, forms, or concurrent manager server) should be limited and directly attributable to a change control ticket.

All access to the SYS and SYSTEM accounts should be audited using the database initialization parameter AUDIT_SYS_OPERATIONS and all usage directly attributable to a change control ticket.

Other Auditing

The FND_PROFILE_OPTIONS and FND_PROFILE_OPTION_VALUES tables can not be audited using the Oracle Applications Audit Trail functionality, therefore, custom database triggers need to be created to track changes to these two tables.

“AUDIT SYSTEM AUDIT;” will provide an audit trail of changes to the auditing.

“AUDIT PROFILE;” will capture any changes to the database profiles.

“AUDIT USER;” will provide an audit trail of changes to the database accounts, including add, changes, and deletes.

Page 17 of 41


No other auditing should be mandatory for SOX compliance, but it is recommended to enable the following database audits: ALTER SYSTEM, ALTER DATABASE, and PUBLIC DATABASE LINK.

3. Change Management

Change control is critical to SOX compliance since not only changes to data should controlled, also any changes to the programs and reports that manipulate or summarize financial data must controlled. Policies and procedures must be in place that provide management approvals and detailed tracking of such changes. Auditors typically will review changed objects, such as programs or reports, and trace the paper trail of these changes back through the change management process. Not having a well-documented change management process and poor or missing change control documentation may result in a weakness or deficiency.

Change management should include all changes to all layers of the technology stack including the application, database, application servers, operating system, and hardware. Changes may include configuration of the application, object migrations (program, reports, etc.), database schema changes, database configuration changes, and patches. Each change must be logged, assessed, and authorized prior to implementation to ensure the integrity and stability of the system and application. The key characteristics of a change management process are that it is formal (well-documented), changes are handled in a standardized manner, and changes are assessed in a structured way for impacts on the system and its functionality. Even in a well-controlled change management process, emergency changes are perfectly acceptable as long as there is a defined and documented process for such changes.

Most organizations do have mature change control processes, but often lack the appropriate documentation, lack a formal process for emergency changes, or do not require all changes to use the change management process. One notable exception to the change management process for many organizations is changes to application profile options. Since the profile options may affect the processing of financial data, they should be included in the change management process. However, in many organizations, users outside of IT (usually super-users) have access to change the profile options of a module, thus it is difficult to implementation change control for profile options.

4. Monitoring and Troubleshooting

Monitoring and troubleshooting is often included in the scope of SOX compliance because a poorly managed environment could affect the accuracy and completeness of financial reporting. As an example, a daily interface program for journal entries that does not complete successfully and is not detected, may result in a misstatement (probably not material) of financials results. The auditor is typically looking at how are the system and application monitored for key activities and events related to financial processing. Are interface logs reviewed on a daily basis or is an alerting

Page 18 of 41


Mechanism in place in case of interface failures or errors? Does a problem resolution process exist that includes both functional users and IT? When errors do occur in financial programs (e.g., posting) or interfaces, how are the errors resolved (direct table updates, changes to the interface file, etc.)?

5. Availability

The loss of data, including transactions, could affect the accuracy and completeness of financial reporting. Also, in adherence to SEC rules and regulations, a public company must accurately and timely file financial reports, therefore, appropriate disaster recovery and business continuity plans must be in place. Since the SEC defines the rules for SOX, backup and recovery and business continuity are fully in scope for SOX compliance. The auditor will be primarily looking that documented policies and procedures exist and that these policies and procedures are tested on a periodic basis. The following policies and procedures should be in place –

Backup storage and retention policies and procedures

Backup and recovery procedures

Backup and recovery test plans and results

Disaster recovery and contingency plans

Disaster recovery test plans and results

11 Chapter of Sarbanes-Oxley

TITLE I

PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD

Section 101 -- Establishment; Administrative Provisions

Section 102 -- Registration with the Board

Section 103 -- Auditing, Quality Control, and Independence Standards and Rules

Section 104 -- Inspections of Registered Public Accounting Firms

Section 105 -- Investigations and Disciplinary Proceedings

Page 19 of 41

http://www.law.uc.edu/CCL/SOact/sec105.html






Section 106 -- Foreign Public Accounting Firms

Section 107 -- Commission Oversight of the Board

Section 108 -- Accounting Standards

Section 109 -- Funding

TITLE II

AUDITOR INDEPENDENCE

Section 201 -- Services outside the Scope of Practice of Auditors

Section 202 -- Preapproval Requirements

Section 203 -- Audit Partner Rotation

Section 204 -- Auditor Reports to Audit Committees

Section 205 -- Conforming Amendments

Section 206 -- Conflicts of Interest

Section 207 -- Study of Mandatory Rotation of Registered Public Accounting Firms

Section 208 -- Commission Authority

Section 209 -- Considerations by Appropriate State Regulatory Authorities

TITLE III

CORPORATE RESPONSIBILITY

Section 301 -- Public Company Audit Committees

Section 302 -- Corporate Responsibility for Financial Reports

Section 303 -- Improper Influence on Conduct of Audits

Section 304 -- Forfeiture of Certain Bonuses and Profits

Section 305 -- Officer and Director Bars and Penalties

Page 20 of 41




















Section 306 -- Insider Trades During Pension Fund Blackout Periods

Section 307 -- Rules of Professional Responsibility for Attorneys

Section 308 -- Fair Funds for Investors

TITLE IV

ENHANCED FINANCIAL DISCLOSURES

Section 401 -- Disclosures in Periodic Reports

Section 402 -- Enhanced Conflict of Interest Provisions

Section 403 -- Disclosures of Transactions Involving Management and Principal Stockholders

Section 404 -- Management Assessment of Internal Controls

Section 405 -- Exemption

Section 406 -- Code of Ethics for Senior Financial Officers

Section 407 -- Disclosure of Audit Committee Financial Expert

Section 408 -- Enhanced Review of Periodic Disclosures by Issuers

Section 409 -- Real Time Issuer Disclosures

TITLE V

ANALYST CONFLICTS OF INTEREST

Section 501 -- Treatment of Securities Analysts by Registered Securities Associations and National Securities Exchanges

TITLE VI

COMMISSION RESOURCES AND AUTHORITY

Section 601 -- Authorization of Appropriations

Section 602 -- Appearance and Practice before the Commission

Page 21 of 41

















Section 603 -- Federal Court Authority to Impose Penny Stock Bars

Section 604 -- Qualifications of Associated Persons of Brokers and Dealers

TITLE VII

STUDIES AND REPORTS

Section 701 -- GAO Study and Report Regarding Consolidation of Public Accounting Firms

Section 702 -- Commission Study and Report Regarding Credit Rating Agencies

Section 703 -- Study and Report on Violators and Violations

Section 704 -- Study of Enforcement Actions

Section 705 -- Study of Investment Banks

TITLE VIII

CORPORATE AND CRIMINAL FRAUD ACCOUNTABILITY

Section 801 -- Short Title

Section 802 -- Criminal Penalties for Altering Documents

Section 803 -- Debts No dischargeable if Incurred in Violation of Securities Fraud Laws

Section 804 -- Statute of Limitations for Securities Fraud

Section 805 -- Review of Federal Sentencing Guidelines for Obstruction of Justice and Extensive Criminal Fraud

Section 806 -- Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud

Section 807 -- Criminal Penalties for Defrauding Shareholders of Publicly Traded Companies

Page 22 of 41
















TITLE IX

WHITE-COLLAR CRIME PENALTY ENHANCEMENTS


Section 902 -- Attempts and Conspiracies to Commit Criminal Fraud Offenses

Section 903 -- Criminal Penalties for Mail and Wire Fraud

Section 904 -- Criminal Penalties for Violations of the Employee Retirement Income Security Act of 1974

Section 905 -- Amendment to Sentencing Guidelines Relating to Certain White-Collar Offenses

Section 906 -- Corporate Responsibility for Financial Reports

TITLE X

CORPORATE TAX RETURNS

Section 1001 -- Sense of the Senate Regarding the Signing of Corporate Tax Returns by Chief Executive Officers

TITLE XI

CORPORATE FRAUD AND ACCOUNTABILITY


Section 1102 -- Tampering with a Record or Otherwise Impeding an Official Proceeding

Section 1103 --Temporary Freeze Authority for the Securities and Exchange Commission

Section 1104 -- Amendment to the Federal Sentencing Guidelines

Section 1105 -- Authority of the Commission to Prohibit Persons from Serving as Officers or Directors

Section 1106 -- Increased Criminal Penalties under Securities Exchange Act of 1934

Section 1107 -- Retaliation against Informants

Page 23 of 41
















Summary of major Section of SOX

Summary of Section 302

• Sarbanes Oxley Section 302 addresses all financial information disclosed to investors including MD&A in the 10Q and 10K.

Under SOX Section 302, CEO and CFO must:• Certify quarter and annual financial statements and other published financial

information are fairly presented; no untrue facts or omissions • Establish and maintain disclosure controls and procedures as of period end and for

disclosing material changes in internal control • Disclose to auditors and Audit Committee if control deficiencies, material

weaknesses, or fraud exist.


• Financial statements are published by issuers are required to be accurate and presented in a manner that does not contain incorrect statements or admit to state material information. These financial statements shall also include all material off-balance sheet liabilities, obligations or transactions. The Commission was required to study and report on the extent of off-balance transactions resulting transparent reporting. The Commission is also required to determine whether generally accepted accounting principals or other regulations result in open and meaningful reporting by issuers.


• Section 404 is a subset of Section 302 and addresses Financial Statement Reporting controls

Under 404, CEO and CFO must:• Issue Internal Control Report in 2004 Company Annual Report • Certify Quarterly as to effectiveness of Internal Controls over Financial Reporting

beginning 2005 The Accounting Firm must:

• Issue two opinions on internal controls over financial reporting in Company 2004 Annual Report: (1) Management's assessment process and (2) effectiveness of controls.

Page 24 of 41



• Issuers are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations. These disclosures are to be presented in terms that are easy to understand supported by trend and qualitative information of graphic presentations as appropriate.


• This section imposes penalties of fines and/or up to 20 years imprisonment for altering, destroying, mutilating, concealing, falsifying records, documents or tangible objects with the intent to obstruct, impede or influence a legal investigation. This section also imposes penalties of fines and/or imprisonment up to 10 years on any accountant who knowingly and willfully violates the requirements of maintenance of all audit or review papers for a period of 5 years


• Section 906 addresses criminal penalties for certifying a misleading or fraudulent report. Under Sarbanes Oxley 906 penalties are:

• Up to $5 Million in fines • Up to 20 years in jail • Other sections of SOX provide additional authority to regulatory bodies and

courts relating to fines or imprisonment for matters involving corporate fraud.


Criminal penalties for retaliation against whistleblowers• Whoever knowingly, with the intent to retaliate, takes any action harmful to any

person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any federal offense, shall be fined under this title, imprisoned not more than 10 years, or both?

Page 25 of 41


Criticism of SOX• SOX were an unnecessary and costly government intrusion into corporate

management that places U.S. corporations at a competitive disadvantage with foreign firms, driving businesses out of the United States.

• The act provides an incentive for small US firms and foreign firms to deregister from US stock exchanges. The number of American companies deregistering from public stock exchanges nearly tripled during the year after Sarbanes-Oxley became law.

• The reluctance of small businesses and foreign firms to register on American stock exchanges are easily understood when one considers the costs Sarbanes-Oxley imposes on businesses. A study by the law firm of Foley and Lardner found the Act increased costs associated with being a publicly held company by 130 percent.

• The capital flight it initiated caused the London Stock Exchange to become the new hub for capital markets.

• Critics blamed Sarbanes-Oxley for the low number of Initial Public Offerings (IPO’s) on American stock exchanges during 2008.

Praise for SOX

• The act importantly reinforced the principle that shareholders own our corporations and that corporate managers should be working on behalf of shareholders to allocate business resources to their optimum use.

• SOX have been praised by a cross-section of financial industry experts, citing improved investor confidence and more accurate, reliable financial statements. The CEO and CFO are now required to unequivocally take ownership for their financial statements, which was not the case prior to SOX.

• Further, auditor conflicts of interest have been addressed. • Sarbanes-Oxley helped restore trust in U.S. markets by increasing accountability,

speeding up reporting, and making audits more independent. • SOX has improved investor confidence in financial reporting, a primary objective

of the legislation. Improvements in board, audit committee, and senior management engagement in financial reporting and improvements in financial controls.

• Financial restatements increased significantly in the wake of the SOX legislation and have since dramatically declined, as companies "cleaned up" their books.

Page 26 of 41


IASB

Formed in January 2001, the ISAB replaced its predecessor, the International Accounting Standards Committee (IASC), as the international standards setting body. Looking towards greater formalization of international accounting standards, IASB is structured similarly to the FASB. It is currently the focus of the IASB, in collaboration with the FASB and other accounting focused organizations, to "converged" standards and develops a single, universally accepted set of biding international accounting standards. The IASC, and now IASB, issue a series of standards known as International Financial Reporting Standards (IFRS), formerly called International Accounting Standards the International Accounting Standards Board is an independent, private-sector body that develops and approves International Financial Reporting Standards. The IASB operates under the oversight of the International Accounting Standards Committee Foundation. The IASB was formed in 2001 to replace the International Accounting Standards Committee.

IASB Framework

While not a standard, the IASB Framework for the Preparation and Presentation of Financial Statements serves as a guide to resolving accounting issues that are not addressed directly in a standard. Moreover, in the absence of a standard or an interpretation that specifically applies to a transaction, IAS 8 requires that an entity must use its judgment in developing and applying an accounting policy that results in information that is relevant and reliable. In making that judgment, IAS 8.11 requires management to consider the definitions, recognition criteria and measurement concepts for assets, liabilities, income, and expenses in the Framework. The IASB adopted the Framework in April 2001. It had originally been adopted by the IASC in 1989. Currently, the IASB is working on a Project to Revise the Framework.

FASB

Since 1973 the FASB has been the organization designated to establish authoritative financial accounting and reporting standards (Statements of Financial Accounting Standards, SFAS) for business and other private-sector entities. Its mission is to be responsive to the entire economic community and to operate in full view of the entire community through a due-process system.

Page 27 of 41


International Financial Reporting Standards

International Financial Reporting Standards (IFRS) are developed by IASB,

private sector organization, based in London and began its operations in 2001.

International Accounting Standards (IAS) issued by IASC, predecessor body of

IASB, continues to be applicable.

IFRS Comprises: 8 IFRS and 31 IAS.

It started of with EU making IFRS mandatory from 2005 onwards.

What is IFRS

By 2011 more than 150 countries would have adopted IFRS. The term International

Financial Reporting Standards (IFRSs) has both a narrow and a broad meaning.

Narrowly, IFRSs refers to the new numbered series of pronouncements that the IASB

is issuing, as distinct from the International Accounting Standards (IASs) series

issued by its predecessor. More broadly, IFRSs refers to the entire body of IASB

pronouncements, including standards and interpretations approved by the IASB and

IASs and SIC interpretations approved by the predecessor International Accounting

Standards Committee.

[On this website, consistent with IASB policy, we abbreviate International FinancialReporting Standards (plural) as IFRSs and International Accounting Standards (plural) as IASs]

SALIENT FEATURE OF IFRS

GENESIS OF IFRSInternational Financial Reporting Standards are standards adopted by the International Accounting Standards Board (IASB), a body earlier known as IASC (C for Committee). The London-based Board started its operations in 2001 for developing global accounting standards. IFRS came into limelight when the European Union decided to adopt it for all

Page 28 of 41


its member countries starting 2005. Since then, IFRS has spread swiftly all over the world. IFRS standards are principle-based whereas US GAAP standards are rule-based. Indian standards are basically modeled on the basis of IFRS.

COVERGENCE

Convergence means a coming together from different directions, especially a merging of groups that were originally opposed or very different. In the accounting standards parlance, convergence means alignment of national requirements with the International norms.

APPLICABILITY

As of now, 102 countries have either adopted or are converging to IFRS, including Australia, New Zealand, Pakistan, Singapore, China, West Asia, Japan, Africa and countries in the European Union (EU). Now, the ICAI, India’s premier accounting body, has decided to adopt IFRS with effect from April 1, 2011, for public limited companies and will be extended to other entities in a phased manner. The numerous union statuses to IFRS came about after the EU made IFRS mandatory for all its listed companies starting 2005. Consequently, more than 8,000 EU-listed companies adopted IFRS in one go. In the USA, the Securities and Exchange Commission (SEC, akin to our SEBI) is proposing to eliminate, for IFRS foreign filers, the reconciliation requirement to US GAAP. In April 2007, SEC lined up proposals to allow companies listed in the US to choose between IFRS or US GAAP for reporting purposes to make a choice from 2009.

BENEFITS OF IFRS

Immediate benefits of convergence are comparability of financial statements, portability of professional skills across countries, ease of Mergers & Acquisitions process, and doing away with the need to translate to different accounting norms. There are several more benefits with the convergence of the IAS with the IFRS. They are:• This will greatly bolster the ability of Indian companies to raise and attract foreign capital at low cost• Once Indian companies adopt IFRS, the global acceptability of them will be enhanced• The adoption of IFRS is expected to increase transparency of financial statements• Indian companies will be able to save on costs concomitant with reconciliation procedures• The risk of being exposed to errors in reporting under different accounting frameworks for Indian multi-national companies will be eliminated

Page 29 of 41


Rules of IFRS

⇒ IFRS 1 : First-time Adoption of International Financial Reporting Standards

⇒ IFRS 2: Share-based Payment

⇒ IFRS 3: Business Combinations

⇒ IFRS 4: Insurance Contracts

⇒ IFRS 5: Non-current Assets Held for Sale and Discontinued Operations

⇒ IFRS 6: Exploration for and Evaluation of Mineral Assets

⇒ IFRS 7: Financial Instruments: Disclosures

⇒ IFRS 8: Operating Segments

⇒ IFRS 9: Financial Instruments

Rules of International Accounting Standards (IAS)

⇒ IAS 1 : Presentation of Financial Statements

⇒ IAS 2 : Inventories

⇒ IAS 3 : Consolidated Financial Statements – Originally issued 1976, effective 1

Jan 1977. Superseded in 1989 by IAS 27 and IAS 28.

Page 30 of 41

http://www.iasplus.com/standard/ias28.htm




http://www.iasplus.com/standard/ifrs01.htm


⇒ IAS 4: Depreciation Accounting – Withdrawn in 1999, replaced by IAS 16, 22,

and 38, all of which were issued or revised in 1998.

⇒ IAS 5 : Information to Be Disclosed in Financial Statements – Originally issued

October 1976, effective 1 January 1997. Superseded by IAS 1 in 1997.

⇒ IAS 6: Accounting Responses to Changing Prices – Superseded by IAS 15,

which was withdrawn December 2003

⇒ IAS 7 : Statement of Cash Flows

⇒ IAS 8 : Accounting Policies, Changes in Accounting Estimates and Errors

⇒ IAS 9: Accounting for Research and Development Activities – Superseded by

IAS 38 effective 1.7.99

⇒ IAS 10 : Events After the Reporting Period

⇒ IAS 11: Construction Contracts

⇒ IAS 12: Income Taxes

⇒ IAS 13: Presentation of Current Assets and Current Liabilities – Superseded by

IAS 1.

⇒ IAS 14 : Segment Reporting

⇒ IAS 15 : Information Reflecting the Effects of Changing Prices – Withdrawn

December 2003

⇒ IAS 16 : Property, Plant and Equipment

⇒ IAS 17 : Leases

⇒ IAS 18 : Revenue

Page 31 of 41














⇒ IAS 19 : Employee Benefits

⇒ IAS 20: Accounting for Government Grants and Disclosure of Government

Assistance

⇒ IAS 21: The Effects of Changes in Foreign Exchange Rates

⇒ IAS 22: Business Combinations – Superseded by IFRS 3 effective 31 March

2004

⇒ IAS 23: Borrowing Costs

⇒ IAS 24: Related Party Disclosures

⇒ IAS 25: Accounting for Investments – Superseded by IAS 39 and IAS 40

effective 2001

⇒ IAS 26: Accounting and Reporting by Retirement Benefit Plans

⇒ IAS 27: Consolidated and Separate Financial Statements

⇒ IAS 28: Investments in Associates

⇒ IAS 29: Financial Reporting in Hyperinflationary Economies

⇒ IAS 30: Disclosures in the Financial Statements of Banks and Similar Financial

Institutions – Superseded by IFRS 7 effective 2007

⇒ IAS 31: Interests In Joint Ventures

⇒ IAS 32: Financial Instruments: Presentation – Disclosure provisions superseded

by IFRS 7 effective 2007

⇒ IAS 33: Earnings Per Share

⇒ IAS 34: Interim Financial Reporting

⇒ IAS 35: Discontinuing Operations – Superseded by IFRS 5 effective 2005

⇒ IAS 36: Impairment of Assets

⇒ IAS 37: Provisions, Contingent Liabilities and Contingent Assets

⇒ IAS 38: Intangible Assets

⇒ IAS 39: Financial Instruments: Recognition and Measurement

Page 32 of 41









⇒ IAS 40: Investment Property

⇒ IAS 41: Agriculture

Sox Implementation of Bangladesh

IMPLEMENTATION

The Norway-based telecommunications operator Telenor (Parent Company of local

mobile phone giant Grameen Phone) announced withdrawal and delisting of its American

Depository Shares (ADS) from the National Association of Securities Dealers Automated

Quotations (NASDAQ).

Telenor believes that the regulation and reporting obligations under the Securities and

Exchange Commission (SEC) Act of 1934 were too expensive, onerous and outweigh the

benefits of listing. However, Telenor reiterates that it will not reduce focus on its

international markets or shareholders; instead it intends to continue strong focus on

corporate governance, transparency and internal controls etc. Whatever the focus of

Telenor is after the delisting, the big question remains unanswered Did Telenor fail to

comply with the SEC rules and regulations?

NASDAQ is considered as the third largest security markets (after New York and Tokyo

Stock Exchanges) in terms of listed firms, dollar volume, market capitalization etc.

Introduced in 1971, NASDAQ is also the world's largest electronic communication

network (ECN) in terms of shares traded. One of the important features of NASDAQ is

Small Order Execution System (also known as Super Sues or SOES introduced after the

market crash of 1987) that mitigates any liquidity problem. Big technology stocks like

Microsoft, Intel, Dell, and Cisco among others are typically listed and traded on

NASDAQ.

Under the reporting obligations of SEC's electronic data gathering, analysis, and retrieval

(EDGAR) system, companies listed on NASDAQ are required to file reports on

Page 33 of 41


registration; corporate restructuring and changes; transaction and transition; statement of

beneficial ownership of securities; sale of securities; and quarterly and annual reports

indicating risks, employee stock purchase, savings, security holders and financial

statements among others.

According to rules 12(g) and 12h-6(a) of the Securities Exchange Act of 1934, a foreign

firm may deregister and terminate the registration of a class of securities from NASDAQ.

Telenor will have to file form 15F (notice of termination of registration) as required

under section 13(a) and 15(d) of the Exchange Act indicating when it ceases reporting

obligations of its ADS to the SEC. Telenor's delisting from NASDAQ was supposed to

be effective from June 11, 2007.

However, Telenor will continue its listing on the Oslo Stock Exchange. Telenor will also

maintain its American Depository Receipts (ADR) facilities with the Program Chase

Bank and its ADS will be traded on over-the-counter (OTC) markets after June 11, 2007.

It is to be noted here that an organized exchange is an auction market whereas an OTC

market is a broker-dealer network for non-listed securities and derivatives where brokers

and dealers negotiate through wire networks such as computer, facsimile, phone etc. An

OTC market is neither scrutinized nor regulated like an organized exchange. As such,

small and risky companies mostly with poor credit records and unable to meet the

reporting obligations and other listing requirements with the SEC are traded on OTC

markets. Thus, OTC stocks suffer from non-synchronous trading and higher bid-ask

spreads.

The introduction of Sarbanes-Oxley Act especially after the collapse of Enron and

WorldCom made the corporate governance laws extremely tight in the USA. The

Sarbanes-Oxley law outlines the functions of auditors, independence of board members,

disclosures and internal audit procedures, disclosures of off-balance sheet transactions,

corporate responsibilities and executive accountabilities, strong code of ethics, high

monitoring and scrutiny by outside bodies such as the SEC etc. Delisting of US public

companies tripled in 2003 after the introduction of the law in July 2002 because small

and mid-cap companies found it costlier to comply with the reporting requirement under

the law.

Page 34 of 41


Both the academics and practitioners investigated the effects of Sarbanes-Oxley law on

non-US companies (like Telenor) cross-listed in the US markets. Some argued that the

law eventually displaced many foreign companies from NASDAQ. In a recent article

published in the Journal of Corporate Finance Kate Litvak (2007) reported that stock

prices of non-US companies under Sarbanes-Oxley law declined significantly as opposed

to those of the non-US companies that are not regulated under the law. In particular,

Litvak (2007) concludes that “investors expected the Sarbanes-Oxley Act to have a net

negative effect on cross-listed foreign companies, with high-disclosing companies and

low-growth suffering larger net costs, and faster-growing companies from poorly-

governed countries suffering smaller costs."

It is well documented that both the domestic and foreign firms voluntarily deleted from

NASDAQ especially after the introduction of Sarbanes-Oxley law had poor corporate

governance systems. Arguably, it is hard to believe that Telenor should be an exception.

It has been alleged that Telenor was also involved with the corruption, corporate fraud

and poor governance system of Vimple Com (a joint-venture of Telenor in Russia) during

2004-05.

Telenor provides high quality data, tale and media communications services such as fixed

and mobile telephone, internet, internet protocol based services, VOIP, satellite services,

cable television networks, etc. in Austria, Bangladesh, Bulgaria, Denmark, Finland,

Hungary, Malaysia, Montenegro, Norway, Pakistan, Poland, Russia, Serbia, Sweden,

Thailand, Ukraine etc. with an equity capital that varies from more than 50% to 100%.

Grameen Phone contributes to approximately 15% (12 out of 83 million) of Telenor’s

worldwide mobile phone subscribers. Currently, Telenor holds 62% of Grameen Phone's

equity capital even though it had 51% shares in 1996 when the Grameen Phone was

incepted. It has been alleged recently that Telenor violated its 1996 agreement with the

Grameen Phone. Telenor’s was supposed to relinquish its ownership over Grameen

Phone to 35% by 2002 but refused to do so even in 2007 on the ground that the

agreement was a declaration of intent but not an obligation at all.

It is a million dollar question whether Grameen Phone has any intention to float Initial

Public Offerings (IPO’s) in Bangladesh. The introduction of Grameen Phones' IPO’s will

bring more local ownership and add double digit market capitalization to the stock

Page 35 of 41


exchanges of Bangladesh. But it seems implausible especially after its recent debacle in

NASDAQ and continuous domination over Grameen Phone in terms of ownership.

Telenor argues that Grameen Phone is one of its numerous projects, which should be

considered as Socially Responsible Investment (SRI) because it invests in a developing

country like Bangladesh and contributes to her economy. Ethical investment or SRI is

also becoming popular in the Wall Street with combined assets of more than 2 trillion

dollars. The Wall Street accommodates firms that invest in SRI in compliance with the

SEC rules and regulations that may be appropriate for their typical shareholders and

ethical operations. Unfortunately Telenor is neither listed on any of the two bourses nor

has any physical shareholders in Bangladesh. Thus, the broader definition of SRI should

not be applicable to Telenor.

Like other foreign-based mobile companies in Bangladesh, Telenor is believed to

expatriate majority of profit that it generates through Grameen Phone. However, Telenor

claims that it couldn't recoup $87 million that it initially invested in Bangladesh. Instead,

it reinvests a significant portion of $1.08 billion profit that it earned over the last decade.

It is obvious that the delisting of Telenor from NASDAQ transmits a strong negative

message that Telenor lacks an appropriate corporate governance system, which is

indispensable for a transparent reporting responsibility to the SEC. It would undeniably

be very interesting to see whether Grameen Phone can initiate the so-called 'social

businesses' of its proponent and founder Professor Yuen’s especially under its current

legal set-up with Telenor.

Page 36 of 41


PROBLEM OF SOX

Sarbanes Establishes

Mainly, the Sarbox act establishes lots of wide ranging legislation for all U.S. public

company boards, management and public accounting firms. Some of the highlights

enacted by Sarbox include:

• The Establishment of a public and government agency called the Public Company

Accounting Oversight Board.

• The requirement that public companies must evaluate and openly disclose their

financial reporting.

• The need for CEO's and CFO's to certify the company's financial reports.

• Provisions for Auditor Independence.

• Companies that are listed on stock exchanges such as NASDAQ or NYSE must

have totally independent audit committees that can provide oversight to both the

company and the auditor.

• Additional financial disclosures that is more transparent and comprehensive.

• A company can no longer give a personal loan to any CEO or executive officer.

• Added criminal penalties for violations in the law dealing with securities fraud.

• Added civil penalties for violations in the law dealing with securities fraud.

Page 37 of 41


Implementation of Sarbox

As you can see from some of the enhancements this law enacts, both large and small

publicly traded companies in the US. Must make extensive changes in how they report

their earnings, audit their business and improve transparency on financial decisions.

Because implementation of Sarbox can be a daunting task, even for a very small publicly

traded company, small companies that are able to, actually went private, in order to forgo

the cost of implementing the new requirements for Sarbox. For those companies that can

not go public, many companies are forced to make extensive changes to their financial

reporting structure, which while costly, ultimately benefits the investors. Companies can

easily increase the investor's faith in the company and hopefully add value to the

company by implementing Sarbox.

Cost of Implementation of Sarbanes Oxley

While most investors and executives of large corporate companies acknowledge a need

for legislation such as Sarbox Oxley due to the fact that many investors lost billions to

fraudulent financial reporting, the downside is that it can be costly to implement.

Usually the biggest cost to implementing Sarbox is to update the information systems in

order for them to comply with the new reporting and financial control requirements.

However, for the largest of the corporate entities that have switched over to Sarbox, the

initial cost of compliance was $4.36 million on average. This statistic comes from the

Financial Executives International (FEI) survey, which asked 217 companies with

average revenue of over 5 billion per year. It should be noted that first year costs will

probably be the highest. The more companies gain experience implementing Sarbox, the

less time and money it will cost for implementation and consultation.

Page 38 of 41


Conclusion The Sarbanes-Oxley Act of 2002 (SOX) is the public company accounting reform and

investor protection act signed into law on July 30, 2002 in response to a number of

Fortune 500 companiesï¿½ involvement in corporate and accounting scandals. These

widely published corporate debacles, including those affecting Enron, WorldCom and

Tyco cost investors billions of dollars when the share prices of the affected companies

collapsed. In affect, investor confidence in the securities markets hit rock bottom. The

purpose of SOX was to empower the Securities and Exchange Commission (SEC) of the

U.S. so that it could oversee corporate governance of public organizations in hopes of

restoring investor confidence. President Bush reflected the impact of this act stating that

no law of such significance to businesses has been signed since the presidency of

Franklin D. Roosevelt in the U.S. The SOX Act of 2002 was named after its main

architects, Senator Paul Sarbanes and Representative Michael Oxley. SOX establish a

number of compliance rules for financial practice that ensures occur. The law generally is

practical and makes sense. However the rules used to implement the law are a primary

source of the confusion and massive costs.

This report exposes the range of flaws in the current U.S. SOX regulatory regime and

proposes cost effective and practical ideas to help the U.S. and other countries achieve

the fundamental aim of more reliable financial statements and more reliable external

audit opinions at a lower overall cost.

Page 39 of 41


Reference

Sarbanes-Oxley Act of 2002 - http://www.sec.gov/about/laws/soa2002.pdf

COSO Internal Control – Integrated Framework - www.coso.org

SACA COBIT 4.0 - www.isaca.org

PCAOB Auditing Standard #2 - www.pcaob.org

Integrity Guide to Auditing in Oracle Applications -

http://www.integrigy.com/info/IntegrigyOracleAppsAuditing.pdf

FEI 2006 Survey of SOX 404 Costs

The SOX Debacle

IIA Research SOX Looking at the Benefits

The Effect of Internal Control Deficiencies on Firm Risk and Cost of Capital

Zhang-Economic Costs of SOX

Price fluctuations around SOX passage

Dodd-Shelby Amendment

Sarbanes-Oxley: Progressive Punishment for Regressive Victimization, 44 House.

L. Rev. 95 (2007)

Page 40 of 41

http://fei.mediaroom.com/index.php?s=press_releases&item=187

http://www.integrigy.com/info/IntegrigyOracleAppsAuditing.pdf


Stephen M. Kohn, Michael D. Kohn, and David K. Cola pinto (2004).

Whistleblower Law: A Guide to Legal Protections for Corporate Employees.

Praeger Publishers. ISBN 0-275-98127-4

Repeal Sarbanes-Oxley! Ron Paul, April 14, 2005

Page 41 of 41