Internal Controls

The Sarbanes-Oxley Act of 2002 (the "Act") goes beyond any legislation passed since the 1930s in addressing not only the requirements for corporate disclosure but also how public companies actually are to be run. We know from experience that to sustain long-term growth, a company must be dynamic and responsive to change. We feel that it is essential for companies to be able to respond to the changes that the Act, as a work in process, is undergoing, and to be prepared for those rules we regard as most significant that the Act is requiring the SEC to implement over the next several months.

Section 404

Section 404 of the Act directs the SEC to implement rules requiring public companies to include in their annual reports an internal controls report (1) stating management's responsibilities for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and (2) containing an assessment of the effectiveness of the company's internal control structure and procedures for financial reporting. Section 404 also requires the report to be attested by the company's auditors under standards to be adopted by the Public Company Accounting Oversight Board.

In response to this statutory mandate, the SEC is proposing to require in annual reports a statement of management's responsibilities for establishing and maintaining adequate internal controls and procedures for financial reporting; conclusions about the effectiveness of the internal controls and procedures for financial reporting based on management's evaluation as of the end of the fiscal year; and an attestation to, and report on, management's evaluation by the independent auditors.

For purposes of this rule, "internal controls and procedures for financial reporting" would mean controls that pertain to the preparation of financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles as addressed by Section 319 of the Codification of Statements on Auditing Standards or any superseding definition adopted by the Public Company Accounting Oversight Board.

In connection with its rules under Section 404, the SEC is proposing to modify the certifications required under Section 302 of the Act. Under the proposals, the company's chief executive officer and chief financial officer would be required to conduct evaluations and make certifications with respect to internal controls and procedures for financial reporting as well as disclosure controls and procedures.

The SEC does not propose to implement the rules under Section 404 until the Oversight Board has had the opportunity to implement the attestation standards. Accordingly, under the proposal, the new requirements would not come into effect until the first annual report filed by a company for a fiscal year ending on or after September 15, 2003.

Section 406

Section 406 of the Act directs the SEC to adopt rules requiring disclosure by companies as to (1) whether the company has adopted a code of ethics applicable to its senior financial officers and if not, the reasons that the company has not adopted such a code and (2) any change in, or waiver of, the code of ethics for senior financial officers.

The SEC proposes to require, at a minimum, annual disclosure by public companies as to whether they have adopted a code of ethics (and if not, why not) applicable to their chief executive officer and their senior financial officers (principal financial officer, principal accounting officer and persons performing similar functions), and whether these officers have any potential conflicts of interest with the company. The SEC apparently believed it would be anomalous for the CEO not to be covered and invited comments as to whether others (e.g., directors, the general counsel, other officers) should be covered as well. The final proposed rules are to be issued in January 2003.

For purposes of the rule, a code of ethics would mean a codification of standards reasonably designed to deter wrongdoing and to promote:

1. Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships.
2. Avoidance of conflicts of interest, including disclosure to an appropriate person or persons of any material transaction or relationship that reasonably could be expected to give rise to such a conflict.
3. Full, fair, accurate, timely and understandable disclosure in reports and documents that a company files with, or submits to, the SEC and other public communications by the company.
4. Compliance with applicable governmental laws, rules and regulations.
5. Prompt internal reporting of violations of the code.
6. Accountability for adherence to the code.

Items 2, 5 and 6 were added by the SEC to supplement the specific requirements of Sarbanes-Oxley. The specific requirements of the statute are addressed in items 1, 3 and 4.

A company will be required to include a copy of its code of ethics as an exhibit to its annual report. Any changes to, or waivers of, the code of ethics will have to be reported on a Form 8-K, or by Internet disclosure on the company's website, if the company has made specified advance disclosures to allow it to take advantage of this option.

Many public companies already have codes of ethics applicable to their officers and employees that will meet many of the requirements of this rule. The codes need to be reviewed, however, against the specifics described above. Item 3, for example, may not be clearly covered in many existing codes of ethics, which are more likely to speak to compliance with the securities laws than "full, fair, accurate, timely and understandable disclosure". While the rule and the statute are written as disclosure requirements, rather than as mandates to adopt a code, few companies will wish to explain why they do not have a code of ethics that complies with the rule.

Section 407

Section 407 of the Act requires disclosure as to whether a company's audit committee includes at least one "financial expert."

Under the proposed rule, companies would have to disclose in their annual reports:

• The number and names of persons that the board of directors has determined to be financial experts serving on the audit committee.
  
• Whether the financial experts are independent as that term is used in Section 301 of the Act (i.e., the person is not an affiliated person of the company or any of its subsidiaries and has not accepted any consulting, advisory or other compensatory fee from the company other than board and committee fees).

If the company does not have a financial expert serving on its audit committee, it must disclose that fact and explain why it does not.

Under the proposed rule, a "financial expert" would be a person who through education and experience as a public accountant or auditor or a principal financial officer, principal accounting officer or controller of a public company, or experience in one or more positions that involve the performance of similar functions (or that results, in the judgment of the company's board of directors, in the person's having similar expertise or experience), has the following attributes:

1. An understanding of generally accepted accounting principles and financial statements.
2. Experience applying generally accepted accounting principles in connection with the accounting for estimates, accruals and reserves that are generally comparable to those used in the company's financial statements.
3. Experience preparing or auditing financial statements that present accounting issues comparable to those presented by the company's financial statements.
4. Experience with internal controls and procedures for financial reporting.
5. An understanding of audit committee functions.

As noted, this determination is to be made by the board of directors. The board must evaluate the totality of the individual's education and experience, including the following factors:

• The level of the person's accounting or financial education.
  
• Whether the person is a CPA or otherwise has certified expertise, and the length of time that the person has actively practiced as a CPA or the equivalent.
  
• Whether the person has served as the principal financial officer, principal accounting officer or controller of a public company and for how long.
  
• Duties of the person in the various positions in which he or she may have served.
  
• Familiarity with applicable laws and regulations.
  
• Experience in reviewing, preparing, auditing or analyzing public company financial statements.
  
• Past or current membership on audit committees.
  
• Familiarity and experience with the use and analysis of public company financial statements.
  
• Other relevant qualifications that would assist the individual in understanding and evaluating the company's financial statements and making knowledgeable and thorough inquires whether the financial statements and other financial information of the company fairly present its financial condition, results of operations and cash flows.

The list is not intended to be exhaustive and, fortunately, the SEC does not expect that all of the factors must be satisfied in order for an individual to qualify as a "financial expert." The SEC also notes that it is possible for a particularly knowledgeable and experienced individual to qualify as a financial expert even if he or she has not served in one of the enumerated positions (and, likewise, serving in one of the positions is not an automatic qualification). Again, the final proposed rules are to be issued in January 2003.

Corporate Governance Focus Reports (click to view the full text)
Executive Compensation, Loans, Bonuses and Insider Trading >>>
Financial Certification and Audit Committee Requirements >>>
Internal Controls >>>
Mandatory Electronic Filing >>>