SOX AND BEYOND

Northwestern Financial Review, Mar 15-Mar 31, 2004 by Grandstrand, Karen L

The Sarbanes-Oxley Act of 2002 (SOX) was passed by Congress following several widely-publicized financial scandals. While SOX applies only to public companies and not to nonpublic community banks, it is important to have a basic understanding of SOX to understand current corporate governance issues for community banks.

OVERVIEW OF SOME KEY SOX PROVISIONS

In general, SOX addresses audits, financial reporting and disclosure, conflicts of interest and corporate governance.

With respect to audits, SOX requires a company's audit committee to be comprised of independent directors. The committee is responsible for appointing and compensating the outside auditor, overseeing the auditor's work, and establishing procedures to address complaints regarding accounting practices. The committee has the authority to retain and compensate independent counsel and other advisers.

Financial disclosure and reporting obligations include additional SEC disclosure rules, CEO and CFO certification of financial information (the "Section 302 Certification"), and a requirement that management assess the company's internal controls (the so-called "Section 404 Report").

Other significant provisions in SOX include restrictions on loans to executive officers, accelerated timeframes for insiders to disclose purchases or sales, and executive compensation reimbursement if financials are restated. Also, a public company must disclose whether it has a code of ethics and if not, why not, and whether the audit committee includes a "financial expert." Significantly, all public company accounting firms must register with a new Public Company Accounting Oversight Board and comply with expanded independence rules.

SOX REGULATIONS APPLICABLE TO NONPUBLIC BANKING ORGANIZATIONS

As noted earlier, SOX expressly applies only to public companies. However, this does not mean that nonpublic financial institutions can ignore SOX. As of February 6, 2004, the federal banking agencies have issued several regulatory pronouncements directed at nonpublic entities as a result of SOX: (i) Corporate Governance, Audits, and Reporting Requirements (FDIC, FIL-17-2003, March 5, 2003); (ii) Interagency Policy Statement on the Internal Audit Function and Its Outsourcing (Federal Reserve, FDIC, OCC and OTS, March 17, 2003); (iii) Statement on Application of Recent Corporate Governance Initiatives to Nonpublic Banking Organizations (Federal Reserve, OCC and OTS, May 5, 2003); and (iv) Final Rule on Removal, Suspension, and Debarment of Accountants from Performing Audit Services (Federal Reserve, FDIC, OCC and OTS, August 13, 2003).

SOX REGULATIONS: BANKS WITH ASSETS OF $500 MILLION OR MORE

Public and nonpublic banks with assets of $500 million or more are subject to the annual audit and reporting requirements of section 36 of the FDI Act as implemented by Part 363 of the FDIC's regulations. Section 36 and Part 363 impose

* annual auditing and attestation;

* an annual management report, which includes a statement on management's responsibility for preparing annual financial statements, adequate internal controls, and compliance with laws and regulations, and management's assessment of the effectiveness of internal controls and compliance; and

* audit committee requirements.

Further, the FDIC's Part 363 rules incorporate the SEC's auditor independence rules.

SOX has several implications for nonpublic and public banks subject to section 36. First, the auditor independence requirements under Sections 201, 202, 203 and 206 of Title II of SOX apply. These sections contain restrictions on non-audit services, require the audit committee to preapprove services, and require audit partner rotation. Second, the banking agencies have indicated that the SOX Section 302 certification cannot be used in place of the required section 36 management report. Third, the SOX Section 404 Report does not replace the section 36 Report, even though there is considerable overlap between the two.

BANKS UNDER $500 MILLION

The FDIC issued guidance in March 2003 explaining how SOX applies to banks under $500 million. The Fed, OCC and OTS issued separate guidance in May 2003. While the two issuances are similar, they are not identical.

The FDIC guidance encourages banks under $500 million to follow the SOX provisions. For example, it "encourages"

* prohibitions on internal audit outsourcing,

* the audit committee to preapprove audit services,

* incorporation of audit partner rotation and reporting practices in auditor engagement letters, and

* adoption of a code of ethics.

It strongly encourages compliance with section 303, which prohibits management from improperly influencing audits. The FDIC, however, "does not expect" a bank to disclose whether it has a financial expert on its audit committee.

The Fed, OCC and OTS guidance explains that the existing regulations encourage corporate governance and auditing practices similar to SOX. Existing regulations encourage annual audits by independent public accountants, audit committees that are independent of management, and the use of different firms for external and internal audit. In addition, Call Reports are certified, prepared in accordance with GAAP and disclose off-balance sheet assets. Further, Regulation O controls credit to insiders. Thus, these agencies concluded no new rules for banks under $500 million are needed, but stated that banking organizations are encouraged to "periodically review their policies and procedures relating to corporate governance and auditing matters."

Content provided in partnership with ProQuest