Sarbanes-Oxley Act of 2002

The Sarbanes-Oxley Act of 2002 has precipitated the most prevalent changes to financial reporting, corporate governance, and regulatory environment for public companies since the Securities Acts of 1933 and 1934. Section 404 of the Sarbanes-Oxley Act requires public companies to include with their annual report to the Securities and Exchange Commission ("SEC") a separate report by management on the assessment of the effectiveness of the entity's internal control. The entity's external auditors must attest to and report on the assessment made by management. The SEC issued its final rule on management's report on internal control in May 2003 with the rule becoming effective on August 14, 2003. To review the SEC rule, go to the SEC Web site at www.sec.gov/rules/final/33-8238.htm. For financial statement reporting, the requirements generally become effective for the entity's first fiscal year ending after November 15, 2004.

The external auditor's overall objective is to form an opinion about management's assessment of the effectiveness of internal control. Several key provisions of the reporting requirement that impact the external audit include:

• "As of" reporting. Management assesses the effectiveness of internal control as of the end of the fiscal year, rather than throughout the reporting period.

• Material weakness in internal control. Management is required to disclose any material weakness in the company's internal control. The existence of one or more material weaknesses precludes management from concluding that its internal control is effective.

Management's overall assessment is limited to internal control over only financial reporting. The SEC rules clarify that management is not required to consider other aspects of control, such as control pertaining to operating efficiencies. The rules only pertain to controls over financial reporting. The SEC's definition of internal control encompasses the integrated framework internal control definition developed and published by the Committee of Sponsoring Organizations of the Treadway Commission ("COSO").

The COSO framework is not a fixed, prescriptive approach to internal control. Consequently, the approach recognizes that internal control cannot be evaluated against a detailed set of fixed, required procedures. The SEC has frowned on checklist, canned approaches used by certain companies. Management needs to exercise a great deal of judgment, customized to the needs of the entity, to determine the nature of the controls in place and whether they are functioning effectively. Proposed Public Accounting Oversight Board ("PCAOB") auditing standards and interpretations are expected to modify both the level of and the manner in which procedures are performed.

The PCAOB has released Draft Audit Standard relating to the independent auditor's audit of management's report on internal controls. The proposed standard provides the guidance to auditors on the requirements for auditing management's report on internal control. The PCAOB is expected to issue the final standard in early 2004 and post it to the PCAOB Web site at www.pcaobus.org.

Key provisions of the proposed standard are: (1) that inadequate documentation is a control deficiency that may rise to the level of a material weakness; (2) in certain areas of testing the outside auditors are prohibited from using management's tests. The auditor's non-reliance does not relieve management of its responsibilities to perform tests; and (3) entities that lack sufficient resources or expertise may look to third parties for assistance; however, management remains ultimately responsible for evaluating and reporting on the effectiveness of the entity's internal control.

The Sarbanes-Oxley Act has also changed the relationship between management and the audit committee of the Board of Directors. Previously, both sides worked as a team with the audit committee following the company's lead, but the Sarbanes-Oxley Act clarifies that the Audit Committee has direct oversight responsibility for hiring and firing of the external auditor. This was intended to motivate audit committees to identify and understand audit risks, as well as to make sure that audit scopes are designed to address those risks. Many audit committees do not currently have complete control of audit scopes and will need to migrate toward this control even though the audit committee may come into conflict with management's objectives.

Sarbanes-Oxley raises a noble challenge for companies and auditors to make the system work to regain the investing public's trust. An important aspect of Sarbanes-Oxley is the Section 404 Managements Assessment of Internal Controls. The Sarbanes-Oxley Act formalizes the approach to evaluating and testing the internal control structure while limiting the involvement of the external auditor. Also, the "Experienced Auditor Test" is the proposed measure for sufficient documentation.




THE INDIRECT CONSEQUENCE

Going Public

Sarbanes-Oxley makes it more difficult to access the public markets. For some companies the cost in time and expense to comply will be greater than the perceived reward.

Financial Institutions

The Sarbanes-Oxley Act applies to public companies. However, both the banking and insurance industries have made overtures that the Sarbanes-Oxley Act or parts thereof should be required for regulated financial institutions.

State Codifications

The ultimate cascade effect is that state legislatures will require Sarbanes-Oxley for private corporations.

Debt Financing

Lending institutions will require Sarbanes-Oxley provisions be followed as a requirement for borrowing funds. If there is noncompliance with Sarbanes-Oxley, the borrower's cost of financing will be increased.