SEC SOX Compliance相关规定之一：INTERNAL CONTROL OVER FINANCIAL REPORTING IN EXCHANGE ACT

建立符合SOX法案以及企业内部控制基本规范的内部审计思路2010-06-27随着企业规模的扩大以及社会经济环境的要求，对企业内部控制的制度建设正日益受到广泛关注，而作为内部控制最基本的一个环节内部审计，也正逐渐提上日程，并越来越多受到重视。

本文根据美国颁布的《萨班斯－奥克斯利法案》以及我国颁布的《企业内部控制基本规范》有关企业内部审计的要求，来探讨建立企业内部审计的思路。

一、SOX法案的产生背景及缘由SOX法案即《萨班斯－奥克斯利法案》。

在一般人眼中，美国一直是一个法治比较完备，企业管理相对规范、高效，社会诚信良好的国家。

但是, 2001年出现的安然事件，以及由此发现的一系列美国著名大公司在公司治理和财务管理力方面的问题，引发了美国社会特别是经济界、金融界的诚信危机。

安然公司的造假主要依靠三种途径，一是通过资本重组，建立了超过3000多个各类子公司、孙公司、合伙公司在内的复杂的公司结构体系，以便使公司进行大规模违规融资活动。

二是通过内部各类公司之间的复杂的关联交易，随意制造营业收入和利润。

三是创造出一套非常复杂的公司财务结构，使用了被称为SPE（特殊目的主体）的金融工具和其他资产负债表进行表外融资。

首先，我们从安然的故事中看到了一个缺乏责任的董事会。

如公司董事长兼首席执行官肯莱利用个人的影响通过巨额资助竞选。

此外，公司与董事利益相互交织互相利用安然公司签订了多份与独立董事的咨询服务和产品销售的业务合同，还向独立董事任职的非盈利机构大量捐款。

这种利益交织的情况下独立董事对公司管理层的监督形同虚设。

在缺乏监督和制约的条件下，公司就会被个人操纵和利用成为内部人牟取个人利益的手段。

另一个扮演着不光彩角色的是安达信公司。

安达信从20世纪80年代中开始承担安然的外部审计业务到90年代又承担了其内部审计业务。

这样，安达信一手为安然作帐，用另一手为其查帐。

当会计师事务所为同一个客户同时提供审计和咨询两种服务时，其审计的独立性就可能因此受到影响。

compliance协议
服从是一种符合已建立的指导方针、规范的状态，或者是与法律和过程相一致。

如在软件中，开发要服从一些规范，这些规范从一些标准团体而来，如电气和电子工程师协会（InstituteofElectricalandElectronicsEngineers，IEEE），或者是与供应商的许可协议一致。

在合法的系统中，服从通常是符合立法的行为，比如符合2003年的《美国垃圾邮件管理办法》（UnitedStates'CanSpamActof2003），2002年的《奥西利法案》（Sarbanes-OxleyAct(SOX)of2002），或者是1996年颁布的《健康保险便利及责任法案》（UnitedStatesHealthInsurancePortabilityandAccountabilityActof1996）。

在管理规章上，服从是一个普遍的商业行为，或许不断增长的规章制度条目缺乏理解，因此需要为公司指定新的服从制度。

在参政上，为回击惹人注目的Enron和WorldCom财政丑闻制定的SOX法案，对保护股东和一般公众从会计错误和欺诈中脱离起到了非常好的作用。

在医疗保健上，HIPAATitleII包含了一个卫生保健信息化系统委托标准化的行政简化部分。

随着服从越来越多的被公司管理结构关注，公司需要专门的软件、顾问，甚至是新的工作职位，如首席执法官（ChiefComplianceOfficer，CCO）。

中英对照《萨班斯－奥克斯利法案》与内部审计师相关的关键条款中英对照《萨班斯－奥克斯利法案》与内部审计师相关的关键条款sec. 2 definitions定义defines terms used in the bill, including the following:法案中对以下名词定义为：●'audit' means an examination of the financial statements of any issuer by an independentpublic accounting firm in accordance with the rules of the board or the commission for thepurpose of expressing an opinion on such statements.审计：为了对财务报表出具意见而由独立的会计师事务所根据本委员会的规则对某个报表发布者提供的财务报表进行的审查。

●'audit committee' means: (a) a committee established by and amongst the board of directors of an issuer for the purpose of overseeing the accounting and financial reporting processes of the issuer and audits of the financial statements of the issuer; or (b) the entire board of directors if nosuch committee exists.审计委员会：（a）由发布者的董事会组建并由董事会成员组成的一个委员会，对其会计和财务报告过程以及财务报表的审计过程进行监管；或（2）如果不存在这样的委员会，则整个董事会即为审计委员会。

sox 6个认定要求摘要：1.Sox 简介2.Sox 的6 个认定要求a.财务报告内部控制评估b.审计委员会c.内部审计功能d.首席执行官和财务总监的职责分离e.独立的外部审计师f.举报热线和程序3.Sox 的实施效果4.我国对Sox 的借鉴意义正文：Sox，全称为Sarbanes-Oxley Act，即萨班斯- 奥克斯利法案，是美国为了加强公司治理和财务报告透明度于2002 年通过的一部立法。

它被认为是自1933 年证券法以来美国证券市场最重大的改革。

Sox 包含了一系列的规定，其中最为重要的就是它的6 个认定要求。

首先，Sox 要求公司对其财务报告内部控制进行评估，并提交一份内部控制报告给SEC（美国证券交易委员会）。

这一要求旨在确保公司的财务报告准确、可靠，防止类似安然、世通等公司的财务造假事件再次发生。

其次，Sox 要求公司设立审计委员会，由独立、非行政的董事组成，负责监督公司的财务报告和内部控制。

这有助于防止企业管理层对财务报告的操控，保障财务报告的公正性。

再者，Sox 要求公司设立内部审计功能，负责对公司财务报告和内部控制进行独立的审计。

内部审计功能应向审计委员会和公司董事会报告，以确保其独立性和权威性。

此外，Sox 规定首席执行官和财务总监的职责必须分离，防止财务报告被操控。

这一要求意在确保财务报告的真实性和公正性，保护投资者的利益。

另外，Sox 要求公司的外部审计师必须保持独立。

这可以防止审计师与公司管理层勾结，共同伪造财务报告。

最后，Sox 要求公司设立举报热线和程序，以便员工可以安全、匿名地向公司报告可能的财务报告和内部控制问题。

这有助于发现和防止财务造假行为。

总的来说，Sox 的实施对于提高美国上市公司的财务报告透明度和公司治理水平起到了积极作用。

虽然Sox 的实施成本较高，但它对于保护投资者利益、维护市场秩序具有重要的意义。

of U.S.-Listed Chinese versus U.S. FirmsRaymond Reed Baker, Gary C. Biddle, Neale O’ConnorFaculty of Business and EconomicsThe University of Hong KongJuly 18th 2012(Preliminary Draft – Please Do Not Quote)This study compares Sarbanes Oxley Section 302 ineffective internal control disclosures (IICs) and auditors of U.S.-listed Chinese and U.S. domiciled firms with four main findings. First, U.S.-listed Chinese firms report significantly more IICs than matched U.S. domiciled firms. Second, IICs are concentrated among Chinese firms that list directly in the U.S. versus those that also cross-list in China with added Chinese regulatory oversight. Third, Chinese firms that list directly (cross-list) in the U.S. are significantly less (more) likely to employ Big 4 auditors than cross-listed Chinese and matched U.S. firms. Fourth, the IICs of U.S.-listed Chinese firms relate primarily to financial statement preparation, personnel and remediation. Finally, we compare the Big 4 auditors engaged by U.S.-listed Chinese and U.S. domiciled firms. To our knowledge, this study provides the first direct evidence regarding the IICs and auditors of U.S.-listed Chinese firms, matters of interest to regulatory authorities and firm stakeholders globally.Keywords: Sarbanes-Oxley, Section 302, ineffective internal control disclosures, U.S.-listed Chinese firmsData Availability: All data are available from public sources.JEL Classifications: G18, M41, M42, M48*Raymond Reed Baker Email: Ray.Baker@ Phone: (1)713-893-3501 Gary C. Biddle Email: biddle@hku.hk Phone: (852) 2219-4388 Neale O’Connor Email: nealeoconnor@ Phone: (852) 9304-5964 * Contact authorWe thank Jinji Hao, Ronald C.H. Chan and Chung Ngan Hung for their helpful research assistance, advice and suggestions. We also thank Tom Hardy for insights and feedback regarding Audit Analytics data. Any errors remain our responsibility.of U.S.-Listed Chinese versus U.S. FirmsI.INTRODUCTIONThis study augments prior research by comparing the Sarbanes-Oxley (SOX) Section 302 ineffective internal control disclosures (IICs) and Big 4 auditors of U.S.-listed Chinese and U.S. domiciled firms.1Evidence regarding the IICs and auditors of U.S.-listed Chinese firms has assumed added significance amid allegations that scores of U.S.-listed Chinese-domiciled firms filed misleading financial statements that would have benefitted from more effective audits and internal controls.2Our results reveal that IICs are significantly higher for U.S.-listed Chinese firms than for matched to U.S.-domiciled firms in 2009, that these findings are concentrated among Chinese firms that list directly in the U.S. rather than among Chinese firms that also cross-list in China, consistent with additional Chinese regulatory oversight, and that direct-listed (cross-listed) Chinese firms are significantly less (more) likely to employ Big 4 auditors than either U.S. domiciled or cross-listed Chinese firms. We further document the Big 4 auditors and nature of IICs of U.S.-listed Chinese firms, finding that the IIC types of U.S.-listed Chinese firms differed most from their matched U.S. counterparts with relation to financial statement preparation, personnel and remediation, and concentrated among Chinese direct-listed firms. To our knowledge, this study is the first to provide direct evidence regarding the IICs and auditors1Section 302 of SOX (2002) requires firms, on a quarterly basis, to certify in SEC filings the effectiveness of internal controls and to disclose any material weaknesses as well as any material changes in internal control since the last periodic financial report. Section 404 of SOX requires annual assessments of internal controls supporting financial reporting with an accompanying auditor attestation. Because Section 302 IIC are disclosed quarterly, they hold the potential to document IICs that can be remediated before fiscal year-ends and thus not reported under Section 404 provisions as detailed below.2 See for example, Economist (2011), Market Watch (July 10, 2011), Wall Street Journal (September 29, 2011) and Thomson Reuters(September 30, October 19 and November 11, 2011) that reports, “Auditors are not properly testing U.S. companies' internal accounting controls, the head of the main auditor watchdog said, while also reiterating urgent concerns about audit firm inspections in China.”of U.S.-listed Chinese firms. These are matters of immediate and continuing interest to regulators and other firm stakeholders in the U.S., China and other countries amid ongoing lawsuits, regulatory actions and jurisdictional disputes regarding the disclosures, internal controls and audits of Chinese firms listing on non-Chinese exchanges.3Prior to 2000, relatively few Chinese firms listed their shares in the U.S. (USCC 2004), with most raising equity capital on the Shanghai, Shenzhen and Hong Kong stock exchanges. By 2010, Chinese firms ranked behind only Canadian firms in U.S. stock exchange listings (Compustat). This success of Chinese firms at raising capital in the U.S. did not go unnoticed. In 2001, the U.S. Congress held hearings on “Chinese Fundraising Activities in U.S. Capital Markets” and in 2004 on “China’s Presence in the Global Capital Markets” (USCC 2001, 2004). The U.S.-China Economic and Security Review Commission warned in 2002 that U.S. investors possessed insufficient information to assess their risks, and further, that it would be difficult to pursue U.S.-listed Chinese firms for violations of financial statement certifications and internal control sign-offs mandated by SOX (USCC 2002). These concerns proved prophetic. Subsequent allegations of misleading financial disclosures by U.S.-listed Chinese firms triggered investigations by the U.S. Public Company Accounting Oversight Board (PCAOB), Securities and Exchange Commission (SEC), the U.S. Congress, U.S. courts, hedge funds and the financial press into their financial disclosures and audits, with related investigations underway in other countries.4These investigations include requests by U.S. regulatory authorities for working papers related to audits of Chinese firms, some of which have been deemed by Chinese authorities to constitute state secrets (Wall Street Journal, January 24, 2012).3 F or example, “China's auditing train wreck” (Wall Street Journal, May 3, 2012), “PCAOB warns China patience is wearing thin (Compliance Week, June 19, 2012).4For example, investigations in Canada are ongoing regarding financial disclosures and audit reports for Sino-Forrest Limited (Wall Street Journal, September 29, 2011).In response to these allegations, investigations and requests, the China Securities Regulatory Commission (CSRC) conveyed by letter to the PCAOB that U.S. regulators may neither independently nor jointly conduct SOX-related inspections in China (PCAOB 2009). In response to SEC requests to examine the auditing records of Chinese U.S.-listed firms, China’s Ministry of Finance instructed Big 4 firms to cede control of their China operations to local partners by year-end 2012 and appoint a Chinese partner-in-charge within three years (Wall Street Journal, May 9, 2012; May 10, 2012). China Development Bank, a state-owned lender, is providing financing to help Chinese firms delist from U.S. stock markets (South China Morning Post, July 12, 2012). Thus, U.S. regulators have limited and diminishing ability to gather evidence when questions arise concerning the financial disclosures of U.S-listed Chinese-domiciled firms, or the internal controls and auditors on which their veracity depends.5 Helpful to this ongoing regulatory conundrum and its resolution is evidence revealing whether and how U.S.-listed Chinese differ with regard to SOX Section 302 disclosures and auditors from U.S.-domiciled counterparts. This study provides evidence regarding these questions.Liu’s (2006) review of research on the financial reporting practices of domestically-listed Chinese firms documents previously weak corporate governance practices in China. More recently, Chinese regulatory authorities have implemented provisions designed to enhance both internal controls and reporting transparency among Mainland-listed Chinese firms. Salient features of these provisions are pre- and post-listing inspections, audits and certifications of internal controls and financial reports. Many Mainland-listed Chinese firms subsequently5 The PCAOB specifically cites challenges faced in enforcing SOX reporting requirements for U.S.-listed Chinese firms, particularly Section 302 provisions regarding internal controls in settings where audit work which has been outsourced by PCAOB-registered firms to local Chinese audit affiliates (see /Standards/QandA/2010-07-12_APA_6.pdf and /News/Releases/Pages/06012010_GuidanceForNon-USJurisdictions.aspx. This impasse directly challenges the position of the SEC’s Deputy Chief Accountant, Brian T. Croteau, who stated that “the ability for the PCAOB to conduct the inspections that are mandated by SOX is a very important element of investor protection” (/news/speech/2010/spch120610btc.htm).pursued stock exchange cross-listings in the U.S. Other Chinese firms chose to list directly in the U.S. without listing first or concurrently in China, either because they failed to satisfy China’s listing requirements or wished to avoid related delays. Whereas Chinese regulatory authorities assume responsibility for financial disclosures of Mainland-listed Chinese firms, including those that cross-list, they consider the financial and audit reports of Chinese firms that list directly in the U.S. to be the responsibilities of U.S. exchanges and regulators. This differential treatment by Chinese regulatory authorities raises the question of whether and how the SOX Section 302 disclosures and auditors of Chinese firms that directly list in the U.S. compare with those that cross-list with greater prior Chinese regulatory oversight. This study also provides evidence regarding these questions.If differences exist between Chinese and matched U.S. firms in the incidence and nature of IICs, a related question is their auditor. Specifically, it is of interest to know whether differences in IICs relate to auditor choice, and in particular, to their use of Big 4 auditors. Prior evidence suggests that Big 4 auditors are associated with more firm material weakness disclosures under Section 404 engagements (Ge and McVay 2005) and that audit fees are associated with more IICs under Section 302 (Hoitash et al. 2008).6 Big 4 firms are also less likely than smaller PCAOB-licensed auditors to rely on outsourced local Chinese affiliates for audit work in China rather than using own-firm China-based staff (Gillis 2011).Combined, these considerations suggest three related hypotheses examined in this study regarding the IICs and auditors of U.S.-listed Chinese and U.S. domiciled firms. First, we hypothesize that U.S.-listed Chinese firms will report more IICs than comparable U.S.-listed U.S. domiciled firms. Second, we hypothesize that among U.S.-listed Chinese firms, those that6 Big four auditors are examined rather than the largest six auditors as in Ge and McVay (2005) because in our sample there are six distinct auditing firms using letters BDO in their names, which would make interpretations and comparisons challenging.cross-list on a U.S. stock exchange will report fewer IICs than those that directly list in the U.S., consistent with their additional oversight by Chinese regulators. Third, we hypothesize that direct-listed Chinese firms will report fewer Big 4 audits than their U.S. counterparts in comparison with Chinese cross-listed firms. Finally, we will compare the IIC types and Big 4 auditors disclosed by U.S.-listed Chinese and matched U.S. domiciled firms.As detailed below, we examine fiscal year 2009 because at the time of collection it is the most recent fiscal year with available Section 302 data, it is the first year with comparable IICs following a period of experimentation and clarifications regarding SOX Section 302 disclosures, and it is the last year with IIC data unaffected by allegations of misleading financial disclosures by U.S.-listed Chinese firms that began in 2010. As such, fiscal 2009 is the only recent year with data applicable for this study. We compare for 2009 the IICs and Big 4 auditors of 198 U.S.-listed Chinese firms (68 cross-listed and 130 direct-listed) with matched U.S.-listed and domiciled firms and three-firm portfolios, augmented by multivariate tests to control for other factors found related to IICs in prior studies following Doyle et al. (2007b).Consistent with these hypotheses, our findings reveal significant differences in the IICs and Big 4 audits disclosed by the U.S.-listed Chinese and U.S. domiciled firms. First, we find that U.S.-listed Chinese firms disclosed internal controls as ineffective more than twice as often as matched U.S. domiciled counterparts. Second, Chinese direct-listed firms disclosed significantly more IICs than U.S. firms in comparison with cross-listed Chinese firms that receive more Chinese regulatory oversight. Third, direct-listed (cross-listed) Chinese firms report significantly fewer (more) Big 4 audits than Chinese cross-listed and U.S. domiciled firms. Fourth, the IICs of U.S.-listed Chinese firms relate primarily to financial statementpreparation, personnel and remediation with further evidence provided regarding Big 4 auditorsof U.S.-listed Chinese and U.S. domiciled firms.This study contributes to several research literatures. First, it extends research into how SOX Section 302 IICs differ between firms from different domiciles. Whereas several prior studies have examined SOX IICs, they have focused on Section 404 rather than Section 302 disclosures (e.g., Ghosh and Lubberink 2006; Ogneva et al. 2007; Bedard and Graham 2010; Kim et al. 2010; Ye et al. 2010; Brown et al. 2011; Chen et al. 2011; Dhaliwal et al. 2011; Rice and Weber 2011), pre-SOX rather than post-SOX periods (Ashbaugh-Skaife et al. 2007; Leone 2007) or the effects of IICs (e.g., DeFranco and Lu 2005; Doyle et al. 2007a, 2007b; Gupta and Nayar 2007; Hammersley et al. 2007; Ashbaugh-Skaife et al. 2008, 2009; Beneish et al. 2008; Gong et al. 2009, 2010). While several have examined IICs from different domiciles, they have done so at the aggregate level without separately comparing IICs of U.S.-listed Chinese and U.S. domiciled firms (e.g., Ge and McVay 2005; Ye et al. 2010).7Second, this study extends research on cross-listings, in particular, how internal controls and auditors differ between Chinese domiciled firms that directly list in the U.S. versus those that cross-list (e.g., Biddle and Saudagaran 1991, 1995; Karolyi 1998, 2006; Doidge 2004). Third, this study contributes to the corporate governance literature, particularly with regard to corporate governance practices and their effects for overseas listers (e.g., Licht 2003; Lins 2003; Krishnan 2005; Liu 2006; Aggarwal et al., 2007; Zhang et al. 2007). Specifically, our findings regarding the incidence and types of IICs exhibited by U.S.-listed Chinese firms will better equip firms, auditors and regulators to manage SOX compliance. Finally, our results extend anemerging literature on corporate governance practices that enhance the quality of accounting7Ye et al. (2010) provide evidence that firms with dominant shareholders domiciled in weak investor protection countries are less likely to disclose IICs in order to protect management’s private control benefits, which would bias against our proposed relations for Chinese versus U.S. domiciled U.S.-listed firms.information available to market participants (e.g., La Porta et al. 1998; Reese and Weisbach 2002; Dechow et al. 2009; Goh 2009; Hogan and Wilkins 2008; Johnstone et al. 2010). Regulatory authorities have long expressed their intent to advance and enforce provisions that improve corporate governance practices by domestic and foreign firms, with evidence on the incidence and nature of IICs an important indicator (e.g., PCAOB 2004, 2009; SEC 2002, 2003). We are unaware of prior evidence concerning auditors and SOX Section 302 IIC differences between U.S.-listed Chinese and U.S. domiciled firms. The following sections of this study present our hypotheses, data sources, test results and conclusions, respectively.II.PRIOR RESEARCH AND HYPOTHESESThe Sarbanes-Oxley Act of 2002 (SOX) requires managers to evaluate the effectiveness of their firms’ internal controls over financial reporting and report their conclusions to the public, together with any material changes in internal control since the last periodic financial report (Section 302) and their external auditor’s attestation (Section 404).8Whereas several prior studies examine Section 404 disclosures, this study utilizes SOX Section 302 disclosures for two primary reasons. First, while it has been argued that Section 404 disclosures provide greater validity because they are attested to by external auditors (e.g., Doyle et al. 2007b), it is perhaps underappreciated that in both the pre- and post-SOX periods, external auditors remained responsible for internal control assessments as part of generally accepted auditing standards and standards of fieldwork. Given that external auditors have similar responsibilities and legal exposures for both Section 302 and 404 assessments of internal controls, the validity of the Section 302 disclosures is unlikely to differ significantly from those for Section 404 disclosures.8 SOX Section 302 became effective for both U.S. firms and foreign firms listed in the U.S. on the passage of SOX, subject to subsequent clarifications described below; Section 404 was introduced in stages beginning with so-called accelerated U.S. filers in November 2004.Second, SOX Sections 302 and 404 differ significantly in reporting frequency and sensitivity. Specifically, Section 302 disclosures are required on a quarterly basis, whereas Section 404 disclosures are annual, with the opportunity to correct IICs prior to fiscal year end. Thus, a firm could have IICs for quarters one, two and/or three, then remediate in quarter fourth, and avoid reporting ineffective controls under Section 404. In contrast, IICs in any quarter require a Section 302 disclosure. Therefore, we examine SOX Section 302 disclosures so as to more completely capture IICs that firms are naturally reticent to report and will work hard to avoid disclosing under Section 404 provisions.Prior studies have examined both the factors that lead firms to disclose SOX IICs (e.g., Ashbaugh-Skaife et al. 2007; Doyle et al. 2000b) as well as the consequences of such disclosures (e.g., Ashbaugh-Skaife et al. 2008; Doyle et al. 2007a). These studies find that risk factors including organizational complexity and change, auditor resignations, relative investment in internal controls, and incentives to discover and disclose are positively related to IICs. Ge and McVay (2005) describe ten types of IICs: account specific, training, period end, accounting policies, revenue recognition, segregation of duties, account reconciliation, subsidiary specific, senior management, technology issues, and no detailed disclosure. However, they aggregate these deficiencies when comparing material weakness and non-material weakness firms. Doyle et al. (2007b) extend these studies by examining material weakness disclosures finding that these disclosures are more likely for firms that are smaller, younger, financially weaker, more complex, growing rapidly, and/or undergoing restructuring. Likewise, Doyle et al. (2007a) examine material weakness in the aggregate and do not examine or compare specific types of weaknesses in their sample. In comparison, Audit Analytics identifies eighty-two potential issue categories or types of IICs that are considered in this study. Specifically, we compare the IICsand Big 4 auditors of U.S.-listed Chinese firms and matched U.S. counterparts to address directly ongoing debates regarding the adequacy of financial disclosures, audits and internal controls of Chinese firms reporting under SOX.Our first research question directly addresses whether U.S.-listed Chinese firms differ from U.S. firms in the effectiveness of internal controls. Whereas prior studies (Doyle et al., 2007a; Ashbaugh-Skaife et al., 2008) have found that U.S. firms’ Section 302 IIC disclosures contain useful information about earnings quality, they did not specifically examine cross-listed firms (see Karolyi (2006) for a review of the cross-listing literature). However, the detection and disclosure of IICs may be weaker in countries where investor regulatory protection and corporate governance is weak (e.g., La Porta et al., 1998; Lins 2003). Ye et al. (2010) observe that, “managers of cross-listed firms have a weaker incentive to establish a sound internal control system and to expend resources and efforts in detecting and truthfully disclosing internal control deficiencies” (p. 3). Licht (2003) argues that the U.S. regulatory regime that applies to foreign firms is significantly inferior to that faced by U.S. firms and the SEC has largely adopted a “hands-off” enforcement policy toward cross-listed firms. Consistent with this view, Ye et al. (2010) find that the association between IIC disclosures and earnings quality is significantly weaker for cross-listed firms than for U.S. firms. This reasoning suggests the following hypothesis:H1: U.S.-listed Chinese firms will report more SOX Section 302 IICs than U.S.-listed and domiciled firms.Our second research question addresses differences in IICs between Chinese firms that list directly in the U.S. and those that also cross-list in China. To date, studies of foreign firms listing in the U.S. have not distinguished between foreign direct- and cross-listed firms, rather focusing on cross-listed firms only or grouping these types together. However, it is plausible tosuggest that direct-listed Chinese firms will lack experience and/or be subject to less scrutiny by Chinese regulators compared with Chinese cross-listed firms, thus making IIC disclosures more likely. Suggestive evidence is provided by Zhang and King (2010), who examine decisions to list abroad by Chinese companies during the period 1993-2005. They present evidence that cross-listing Chinese firms met more stringent legal and accounting standards, listing requirements and were subject to closer regulatory monitoring in foreign markets in order to obtain external capital for rapid growth, expand their shareholder base and gain expertise, with these motives differing by type of issue (ADR versus IPO) and by market (Hong Kong versus Singapore). By extension, China direct-listed firms could face higher hurdles given that they are not subject to the Chinese security laws (i.e., CSRC) and regulatory oversight prior to their U.S. listings. Indeed, the SEC has specifically targeted Chinese firms listing their shares in the U.S. for investigation in response to these concerns:“The SEC has publicly indicated it was examining accounting and disclosureissues regarding Chinese companies that engaged in "reverse mergers," whichallow companies to list on U.S. exchanges without as much regulatory scrutiny asan initial public offering. People familiar with the matter say the investigationalso includes auditors, which hadn't previously been known. As part of itsinquiry, the SEC has suspended trading on some Chinese companies, questioningtheir truthfulness about their finances and operations” (Wall Street Journal, June2, 2011).By this reasoning, evidence and immediacy, our second hypothesis is as follows:H2: Chinese firms that directly list in the U.S. will report more IICs than those that cross-list in the U.S. in comparison with U.S.-listed and domiciled firms.By this reasoning and recognizing the key role played by auditors in ensuring quality financial reporting, our third hypothesis considers differences in the use of Big 4 auditors by U.S.-listed Chinese and U.S. domiciled firms, and whether these differences extend to Chinese direct- versus cross-listed firms:H3: Chinese firms that directly list in the U.S. will report fewer Big 4 audits than those that cross-list in the U.S. in comparison with U.S.-listed and domiciled firms.Finally, to better understand the internal control environments of U.S.-listed Chinese and U.S. domiciled firms and their auditors in more detail, we present evidence regarding the IIC types and Big 4 auditors reported by U.S.-listed Chinese and U.S. domiciled firms, thus setting the stage for related follow-on research.III.DATA AND SAMPLE SELECTION PROCEDURESChina-headquartered firms with U.S. share listings are identified using Compustat. Fiscal year 2009 is selected for three reasons. First, 2009 is the most recent year with available data for this study.9 Second, 2009 is the first year with comparable IIC data following a period initial discovery, learning and interpretations that began with the passage of SOX, progressed with the release of Auditing Standard Number 2 in 2004 and culminated with much needed clarifications in Auditing Standard Number 5 issued in 2008. Third, SOX filings by Chinese firms after 2009 were subject to intense scrutiny by financial regulators, courts, stock exchanges and the media that potentially heighted auditor and management assessments of IICs for years after 2009.China headquarters addresses are confirmed using SEC filings, yielding an initial sample of 276 U.S.-listed Chinese firms shown in Table 1, Panel A. Omitting firms with missing SOX Section 302 disclosures in the Audit Analytics Disclosure Controls database (46), firms missing9 Although 2010 data are also technically available, sufficient time for restatements and amendments to internal control disclosures has not passed.Compustat data needed for matching (21),10 those in the top and bottom 1% by assets and return-on-assets (ROA) to reduce the influence of outliers (8) and those without suitable U.S. matches as described below (3), yields a final sample of 198 U.S.-listed Chinese firms (Table 1, Panel A). Panel B of Table 1 presents their exchange memberships, with most listed on NASDAQ; Panel C confirms a wide dispersion across industries.______________________Table 1 about here.______________________To ensure the closest possible control group matches between U.S.-listed Chinese and U.S. domiciled firms, we employ two approaches. One approach identifies for each Chinese firm a single U.S. domiciled firm that matches most closely according to criteria described below. To reduce the influence of idiosyncrasies in control firms, we also form for each U.S.-listed Chinese firm a portfolio of the three most closely matched U.S.-listed U.S. domiciled firms, using mean characteristics for comparisons. As indicated in Table 1, Panel A, control firms comprise the universe of all U.S.-listed U.S. domiciled firms in Compustat (7,192), minus those missing Audit Analytics data (1,861) or Compustat data needed for matching (552), resulting in a pool of 4,779 potential U.S. control firms.To reduce the role of judgment in the selection of control firms, we employ a Visual Basic Applications (VBA) matching program based on industry membership, performance and size following the precedents and findings of prior studies including Ge and McVay (2005), Ashbaugh-Skaife et al. (2007) and Zhang et al. (2007). Given findings in Beasley et al. (2000) and Bell and Carcello (2000) of industry concentrations for fraud and weak internal control10 F irms missing assets, revenues and market values are likely shells not representative of operational firms.。

C LIENTM EMORANDUM PCAOB APPROVES FINAL STANDARD FOR AUDITOR ATTESTATIONS OF INTERNAL CONTROL OVER FINANCIAL REPORTINGThe Public Company Accounting Oversight Board (the “PCAOB”) recently approved a final standard for auditor attestations of a company’s internal control over financial reporting. These attestations are required under Section 404 of the Sarbanes-Oxley Act of 2002 in connection with management’s assessment of such internal control.Management Assessment of Internal Control Over Financial ReportingPursuant to Section 404 of the Sarbanes-Oxley Act, on June 5, 2003, the Securities and Exchange Commission (the “SEC”) adopted final rules requiring management of a reporting company to assess the effectiveness of the company’s internal control over financial reporting1 as of the end of the company’s most recent fiscal year and to describe in the company’s annual report management’s conclusion, as a result of that assessment, whether the company’s internal control is effective. The rules require that management’s internal control report state that the registered public accounting firm that audited the company’s financial statements has issued an attestation report as to whether management’s assessment of the company’s internal control over financial reporting is “fairly stated in all material respects.” The company must then file the attestation report as part of its annual report.Companies that are “accelerated filers” (generally Form S-3 eligible companies) must comply with these requirements in their annual reports for their first fiscal year ending on or after November 15, 2004; non-accelerated filers and foreign private issuers must comply with these requirements in their annual reports for their first fiscal year ending on or after July 15, 2005. The Sarbanes-Oxley Act further directed the PCAOB to establish professional standards governing the independent auditors’ attestation report. Accordingly, on March 9, 2004, following a previously proposed version, the PCAOB adopted Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements (“Auditing Standard No. 2”). This Standard has been submitted to the SEC for its approval.1The SEC defines “internal control over financial reporting” as a “process designed by, or under the supervision of, the issuer’s principal executive and principal financial officers . . . to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements” in accordance with GAAP. It includes policies and procedures for maintaining accounting records, recording transactions, authorizing receipts and expenditures and safeguarding assets.Audit of Internal Control Over Financial ReportingAlthough the work required to be performed by the independent auditors is referred to as an “attestation,” the PCAOB has stated that the attestation engagement requires the same level of work as an audit of internal control over financial reporting. Consequently, Auditing Standard No. 2 requires that the auditors not just evaluate the adequacy of management’s processes for assessing the effectiveness of the company’s internal control over financial reporting, but that the auditors independently test the effectiveness of the internal control itself.Because of the similar objectives and work involved in audits of internal control over financial reporting and audits of financial statements, the PCAOB decided that these two audits should be integrated. Accordingly, the auditors who conduct the audit of internal control over financial reporting must also audit the company’s financial statements. The two audit reports may be separate or combined, but should be dated the same date.The requirements in Auditing Standard No. 2 are based on the internal control framework established by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”). However, Auditing Standard No. 2 allows companies flexibility in choosing an alternative framework that encompasses all of COSO’s general themes.Commentary:Ø The COSO framework consists of five interrelated components: control environment (so-called “tone at the top”), risk assessment, control activities toensure that management directives are carried out, capture and communication ofinformation and monitoring activities.Ø Although the COSO framework addresses the effectiveness and efficiency of operations and compliance with applicable law as well as the reliability offinancial reporting, the SEC’s requirements regarding internal control overfinancial reporting focus on the latter category. However, controls on operationsand compliance with law, to the extent they may affect financial reporting, arealso part of the SEC’s requirements.Ø Auditing Standard No. 2 provides the auditors with some flexibility to use work performed by others, including the internal auditors and management’sassessment. The more extensive and reliable the work is, and the betterdocumented it is, the less extensive and costly the independent auditors’ workwill need to be. Still, the independent auditors’ own work must constitute theprincipal evidence, both quantitative and qualitative, for their audit opinion.Ø Embedded in the SEC definition of “internal control over financial reporting” is that management’s assessment of the company’s internal control must provide“reasonable assurance” of its effectiveness. The definition recognizes that thecontrol processes will reduce, but not eliminate, the risk of financial reportingissues.Management’s ResponsibilitiesFor the auditors to perform their audit of the internal control, management must: • accept responsibility for the effectiveness of the company’s internal control over financial reporting;• evaluate the effectiveness of the internal control using acceptable criteria;• support its evaluation with sufficient evidence, including documentation; and• present its written assessment of the effectiveness of the company’s internal control as of the end of the fiscal year.If the auditors conclude that management has not satisfied these responsibilities, they should communicate, in writing, to management and the audit committee that the audit cannot be completed.The Audit ProcessThe audit of internal control over financial reporting is an extensive process involving multiple steps. These steps include planning the audit, evaluating the process that management used to perform its assessment of the effectiveness of the internal control, evaluating the effectiveness of both the design and operation of the internal control and forming an opinion about whether the internal control is effective.In addition to testing management’s assessment process and the work on internal control by others, such as the internal auditors, the auditors must test the internal control directly. For example, the auditors are required to perform walkthroughs in each annual audit to trace transactions from origination, through the company’s accounting and information systems and financial report preparation processes, to their being reported in the company’s financial statements.Auditing Standard No. 2 emphasizes the importance of controls over possible fraud and requires the auditors to test controls specifically intended to prevent, deter and detect fraud. These controls start with the “tone at the top” and include, for example, controls to prevent the misappropriation of assets, risk assessment processes, codes of ethics, internal audit activities and audit committee oversight and whistleblower procedures.Commentary:Ø More limited procedures are required to be performed by the auditors in connection with management’s quarterly certifications regarding internal controlrequired under Section 302 of the Sarbanes-Oxley Act.Auditor IndependenceUnder Rule 2-01 of Regulation S-X, the auditors’ independence is compromised if the auditors audit their own work or act as management, such as by designing or implementing the internal control. These restrictions, however, do not preclude the auditors from making recommendations as to how management may improve the design or operation of the internal control as a by-product of an audit.Auditing Standard No. 2 prohibits the auditors from providing any internal control-related service, unless the service has been specifically pre-approved by the audit committee (rather than through a general categorical approval). At all times, management must be actively involved and retain responsibility for the control matters.Timing of TestingThe Sarbanes-Oxley Act requires management’s assessment and the auditor’s opinion to address whether the internal control was effective as of the end of the company’s most recent fiscal year. Obviously, performing all of the testing on December 31 is neither practical nor appropriate. Auditing Standard No. 2 recognizes that to express an opinion about whether the internal control was effective as of a point in time the auditors must obtain evidence that the internal control operated effectively over an appropriate period of time. Accordingly, the Standard provides that the auditors should obtain evidence about operating effectiveness at different times throughout the year and then update those tests at the end of the year.Commentary:Ø Controls “as of” a specific date include controls relevant to financial reporting “as of” that date, even if they may not operate until later. For example, certaincontrols over the period-end financial reporting process normally operate onlyafter the end of the period.Evaluating the Results of TestingAuditing Standard No. 2 differentiates among a control deficiency, a significant deficiency and a material weakness:• A control deficiency exists when the design or operation of a control does not allow the company’s management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.• A control deficiency is classified as a significant deficiency if, by itself or in combination with other control deficiencies, it results in more than a remote likelihood that a misstatement of the company’s annual or interim financial statements that is more than inconsequential will not be prevented or detected.• A significant deficiency is classified as a material weakness if, by itself or in combination with other control deficiencies, it results in more than a remote likelihood that a material misstatement in the company’s annual or interim financial statements will not be prevented or detected.The auditors must evaluate the severity of all control deficiencies, communicate such deficiencies in writing to management and notify the audit committee that such communication has been made. All significant deficiencies and material weaknesses must also be communicated in writing to the audit committee.Auditing Standard No. 2 provides examples of circumstances that are significant deficiencies, as well as strong indicators of the existence of a material weakness, including:• ineffective oversight of the company’s external financial reporting and internal control over financial reporting by the company’s audit committee;Commentary:Ø Ironically, this means that the independent auditors, who are hired and supervised by the audit committee, must evaluate the effectiveness of theiroverseers.• any material misstatement in the financial statements not initially identified by the company’s internal control;• significant deficiencies that have been communicated to management and the audit committee, but that remain uncorrected after reasonable periods of time;• ineffective internal audit or risk assessment functions, particularly for large or complex companies;• an ineffective regulatory compliance function in regulated companies, where violations of applicable law could have a material effect on financial reporting; and • identification of fraud of any magnitude by senior management.Forming an Opinion and ReportingSimilar to management’s internal control report, only material weaknesses are required to be disclosed in the auditors’ report on the effectiveness of the control. If the auditors have identified a material weakness, they must conclude that the company’s internal control is not effective; a qualified opinion is not permitted if there is a material weakness.Auditing Standard No. 2 permits the auditors to express an unqualified opinion only if the auditors have not identified any material weaknesses in the internal control after having performed all of the procedures that the auditors consider necessary under the circumstances. Ifthe auditors cannot perform all necessary procedures, they are required to qualify or disclaim their opinion.Auditing Standard No. 2 further requires that the auditors report on management’s assessment of the internal control. In the event of a material weakness, the auditors could express an unqualified opinion on management’s assessment so long as management properly identified the material weakness and concluded in its assessment that the internal control was not effective. If the auditors and management disagree about the existence of a material weakness, then the auditors must render an adverse opinion on management’s assessment.ImplementationGiven the extensive amount of time required to evaluate a company’s internal control procedures and then design, implement and test any additional procedures that may be required, companies should already be well on their way in evaluating and implementing these requirements and preparing for management’s internal control report and the related auditors’ attestation report.Commentary:Ø Even though the independent auditors do not need to provide their attestation report until after year-end, make sure to involve them in the ongoing evaluationand testing processes to help ensure that there are no last minute surprises.Ø Pay attention to these requirements in connection with any business acquisition, particularly at the end of the year and particularly of private companies, whichmay not have the controls required of public companies. With no transitionperiod for newly acquired entities, any acquisition will need to be included aspart of the review of internal controls for the year in which the acquisition isconsummated. If necessary, consider adjusting the closing date.Ø Companies will need to obtain the auditors’ consent to the incorporation by reference of their attestation report in connection with any registration statementfiled under the Securities Act, similar to auditor consents to the incorporation oftheir report on the financial statements. As with the auditor consent regardingtheir report on the financial statements, this consent regarding their attestationreport will require that management deliver an updated representation letter tothe auditors.* * * * * * * * * * *If you wish to obtain additional information regarding this new PCAOB standard and related SEC regulations regarding management’s internal control report, please contact Serge Benchetrit, John S. D’Alimonte, Steven J. Gartner, Yaacov M. Gross, Jeffrey S. Hochman or the corporate partner with whom you regularly work. For help with a current investigative or regulatory issue, feel free to call litigators Stephen W. Greiner, Richard L. Posen or Michael R. Young of our Accounting Irregularities Practice Group.Willkie Farr & Gallagher LLP is headquartered at 787 Seventh Avenue, New York, NY 10019-6099. Our telephone number is 212-728-8000, and our facsimile number is 212-728-8111. Our website is located at .March 30, 2004Copyright © 2004 by Willkie Farr & Gallagher LLP.All Rights Reserved. This memorandum may not be reproduced or disseminated in any form without the express permission of Willkie Farr & Gallagher LLP. This memorandum is provided for news and information purposes only and does not constitute legal advice or an invitation to an attorney-client relationship. While every effort has been made to ensure the accuracy of the information contained herein, Willkie Farr & Gallagher LLP does not guarantee such accuracy and cannot be held liable for any errors in or any reliance upon this information.。

解读美国上市公司会计监管委员会内部控制审计新准则2004年3月9日，美国上市公司会计监管委员会（PCAOB)批准了第二号审计准则-“与财务报表审计相关的财务会计报告内部控制审计”。

该准则适用于审计师同时审计客户的财务报表和管理当局对财务会计报告内部控制有效性所出具的评估的情况。

委员会在准则草案发布后收到了190余封意见反馈信，随后对准则草案进行了一定的修订以提高其可理解度。

本文对第二号准则中的重要条款进行了探讨，并指出了新准则与草案的差异之处。

依照萨班斯-奥克斯莱法案，二号准则已提交美国证券交易委员会（SEC)，等候最后的审批。

综述PCAOB多次强调有效的内部控制结构的重要性。

委员会还特别说明，“有效的财务会计报告内部控制对公司管理其事务，尽到其对投资者的责任至关重要。

公司管理当局、公司所有者-投资公众-和其他相关方都需依赖公司呈报的财务信息来制定决策。

”委员会在其宣布采用第二号准则的公告中还指明，财务会计报告内部控制的审计是一个牵涉面很广的程序，维持有效内部控制，包括定期评估都是有成本的。

然而委员会强调开发、维护和提高内部控制系统所带来的利益是多样的，同时，“主要的利益……是给公司、公司管理当局、董事会和审计委员会、所有者和其他利益关联方提供了一个财务会计报告的可靠基础。

”与准则草案相比，新准则在成本效益原则方面迈进了一大步。

管理当局的责任准则指出了审计师执行一项符合要求的内部控制审计的必要条件。

正如SEC在实施萨班斯法案404节的规定中所要求的，管理当局必须：-对公司财务会计报告内部控制的有效性负责；-使用适当的控制标准（如C0S0标准），评价公司财务会计报告内部控制的有效性；-提供足够的证据，包括记录编制来支持评价，以及-在公司最近的财年末，就公司财务会计报告内部控制的有效性出具书面评价。

审计师如果得出管理当局没有履行上面提到的责任，不能完成对内部控制的审计，就应当拒绝表示意见。

管理当局的评价程序一个严格的内部控制有效性的评价程序应该提供信息帮助审计师理解公司的内部控制以及规划完成内部控制审计的必要工作。

SOXandinternalcontrol（萨班斯法案及内控）在内部控制的章节，我们看到了两个SOX法案：Sarbanes-Oxley Act of 2002 Section 404，Sarbanes-Oxley Act of 2002 Section 302，他们与内部控制之间是什么关系呢？下面我们讲讲1 SOX主要规定In July 2002, the US government pronounced the Sarbanes-Oxley Act, which included eleven chapters and 68 clauses.Major requirements of SOXSarbanes-Oxley Act of 2002CorporateresponsibilityCorporateresponsibility forfinancial reports(Section 302)Improperinfluence on conduct of audits Public CompanyAccountingOversight Board(PCAOB)AccountingstandardsAuditing,qualitycontrol, andindependencestandards andrulesEnhanced financial disclosures Enhanced conflict of interest provisions Management assessment of internal controls (Section 404) White-collar crimeAttempts and conspiracies to commit criminal fraud offenses Criminal penalties for failure to certify financial reports (Section 906) Auditor independencePre-approval requirements Services outside the scope of practice of auditorsAudit partnerrotationSections 302 and 404 emphasize good corporate governance practices through increasing theaccuracy and the reliability of information disclosure to meet its reporting obligationsCEOs and CFOs have to sign and declareSection 906 emphasizes on criminal penalties2 Sarbanes-Oxley Act of 2002 required Chief Executive Officers and Chief FinancialOfficers to sign an agreement upon the management responsibilities imposed by Sections 302and 404:（1）S 302–Management responsibilities over Financial ReportingIssuer has reviewed the report;The report does not contain any untrue statement of or omit to state a material fact;The financial statements, and other financial information are fairly presented in all material respects the company;Responsible for establishing and maintaining over internal controls;Ensure proper information disclosure;Disclose to the company’s auditors and the audit committee all significant deficiencies,material weakness and any fraud that involves any employee who have a significant rolein the company;Disclose and evaluate significant changes and improvements in the internal controls（2）Fore ign issuers were required to comply with SOX404requirements on management…sreport and auditor?s attestation since annual reports for fiscal years ending on or after July2006.The focus of SOX404 is on“internal control over financial reporting”.S 404 - Internal Control Report of ManagementManagement’s responsibility for establishing and maintaining adequate internal controlover financial reporting for the company;Identify the framework used by management to conduct the required evaluation of the effectiveness of the company’s internal control over financial reporting;Management’s assess ment of the effectiveness of the company’s internal control overfinancial reporting as of the end of the company’s most recent fiscal yearManagement’s opinion that there were no material weaknesses in ICFR based on management's assessment following a recognized framework for evaluation.要求公司的管理层通過对财务报告上的内部控制进行评估, 就财务报告上的内部控制(ICFR)没有实质的弱点, 发表意见An Auditor's opinion that there were no material weaknesses in the company's ICFR外部审计师必需对公司内部控制没有弱点的评估状况作审核及报告An opinion by the Auditor’s of the work performed b y management to issue it’s opinion (1 above)要求外部审计师对管理层在年报中的自我评价进行验证3 SOX and Information SecurityFinancial reporting system heavily dependent on well controlled IT environmentInternal controls include information security controlsSecurity controls required by SOX in the following areas are identified:-Security policySecurity standardsAccess and authenticationNetwork securityMonitoringSegregation of dutiesPhysical securityCompanies required to assess and report the effectiveness of these controls to becompliantExamples of Common Controls on ITNetwork Security –Firewalls, secure network configuration including 802.11xVirus Protection –anti-virus and anti-spyware updated regularlyBackups & Restore – Regularly tested proceduresIT Continuity – Disaster Recovery ProceduresFiles Access Privilege ControlsIdentity Management – password strength/age and access. Who has access and is that appropriate now?Management support/buy in – Executive level oversight of projects related to IT. ? IT as part of strategic planning –The business must be supported by technologies。