Financial Experts, Internal Controls, Codes of Ethics and Improper Audit Influence: SEC Proposes New Batch of Sarbanes-Oxley Rules
On October 22, the SEC posted proposed rules to implement Sections 404, 406 and 407 of the Sarbanes-Oxley Act of 2002. The proposed rules cover:
In addition, on October 21, the SEC posted proposed rules under Section 303 of Sarbanes-Oxley to prohibit company officials from improperly influencing an independent accounting firm in connection with an audit.
The SEC is accepting public comment on the Section 303 proposed rules through November 25, 2002, and on Sections 404, 406 and 407 proposed rules through November 29, 2002.
A. Audit Committee Financial Experts: An "Accounting"-Focused Expertise
Section 407 of Sarbanes-Oxley directs the SEC to issue rules requiring a public company to disclose whether or not (and if not, why not) at least one member of the company's audit committee is a "financial expert." The SEC's proposed definition of "financial expert" emphasizes accounting experience, raising the standard above traditional notions of financial expertise.
New S-K Item 309: Financial Expert Disclosure
The SEC has proposed a new Item 309 to Regulation S-K that would require a public company to disclose in its Forms 10-K:
If a company does not have at least one financial expert on its audit committee, or if a financial expert is not independent, the company must explain why. The SEC must issue final rules to implement Section 407 by January 26, 2002.
Who is a "Financial Expert?"
In its much-anticipated interpretation of "financial expert," the SEC has proposed a combination of factors, both objective (with five factors that closely follow the four mandated factors of Sarbanes-Oxley Section 407) and subjective (with 10 newly proposed criteria), for a board of directors to consider when making its "financial expert" determination. Instruction 1 to proposed Item 309 defines "financial expert" as a person who has developed the following five "attributes" through either (i) education and experience as a public accountant or auditor, or a CFO, controller or principal accounting officer, of a public company or (ii) experience in one or more positions that involve the performance of similar functions (or that results, in the board of directors' judgment, in the person's having similar expertise and experience):
Instruction 3 to proposed Item 309 lists 10 factors that a board of directors should consider "in the aggregate" when evaluating a potential expert's education and experience. The proposed rules clarify that these Instruction 3 factors do not replace, and that a financial expert must satisfy, each of the five above-listed "attributes." The 10 factors include:
The Section 407 proposed rules allow a company's board of directors to determine that an individual is a financial expert if, in the board's judgment, the individual has similar expertise and experience to those enumerated. The proposals make it clear that the company would need to disclose the basis for the board's determination.
The SEC does not intend that the 10 Instruction 3 factors be exclusive or exhaustive list of the factors that a board of directors considers.
"Independent" Financial Expert
In addition to the analysis above, to be considered "independent," the director named as a financial expert cannon be an affiliate of the company or receive any compensation except as a director or member of a board committee.
B. Internal Controls and Procedures for Financial Reporting
Section 404 of Sarbanes-Oxley calls upon the SEC to adopt rules requiring an annual internal controls report stating management's responsibility for internal controls and containing the company's assessment of the effectiveness of its internal controls as of the end of the preceding fiscal year. The SEC went a step further to harmonize the new rule proposals with the certification requirements under Sarbanes-Oxley Section 302. Because of anticipated complexities involved in complying with these proposed rules, the SEC has proposed to defer compliance until late next year.
S-K Item 307 Revised: Management's Internal Control Report
The SEC has proposed revising Item 307 of Regulation S-K to require a public company to include in its Forms 10-K a report of management on internal controls and procedures for financial reporting. Proposed Item 307(c) of Regulation S-K would require the report to include:
The Section 404 proposed rules would also implement the requirement of Section 404 of Sarbanes-Oxley that a company's independent auditor attest to and report on management's assessment of the company's internal controls. The auditor's attestation report must be included in the company's Forms 10-K, together with the management report, under new Item 307(c) of Regulation S-K.
"Internal Controls and Procedures for Financial Reporting"
The Section 404 proposed rules define the term "internal controls and procedures for financial reporting" by reference to the AICPA's Codification of Statements on Auditing Standards Section 319. Under the proposed definition, the term "internal controls and procedures for financial reporting" would mean "controls that pertain to the preparation of financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles as addressed by the Codification of Statements on Auditing Standards Section 319 or any superseding definition or other literature that is issued or adopted by the Public Company Accounting Oversight Board." The SEC also elaborated on its view of the purpose of internal controls and procedures for financial reporting, stating that they are intended to ensure that companies have processes designed to provide reasonable assurance that transactions are properly authorized, that assets are safeguarded against unauthorized use, and that transactions are properly recorded, to permit the preparation of the company's financial statements in accordance with GAAP.
Harmonizing the Section 404 Proposals with the Section 302 Rules
Since the August 29, 2002 adoption of the SEC's final rules under Section 302(a) of Sarbanes-Oxley relating to CEO and CFO certifications (302 Release), there has been uncertainty among public companies about the precise meaning of the term "internal controls" and how they relate to "disclosure controls and procedures" as defined in the 302 Release. Specifically, it was unclear whether internal controls should be considered a subset of disclosure controls and procedures or otherwise included within the scope of the quarterly evaluation of disclosure controls and procedures required under Exchange Act Rules 13a-14 and 15d-14. The Section 404 proposed rules propose several changes to the CEO and CFO certification requirements of Rules 13a-14 and 15d-14 adopted in the 302 Release to harmonize those requirements with the new internal controls disclosure proposals.
Currently, CEOs and CFOs must disclose in their quarterly certifications any "significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses." As the SEC points out, however, currently there is no affirmative requirement to conduct quarterly evaluations of the company's internal controls, only of disclosure controls and procedures.
Many companies and practitioners have nevertheless reasoned that the evaluation of disclosure controls and procedures should entail some level of internal controls review even if not explicitly stated in the rules or in the definition of "disclosure controls and procedures," particularly in light of the specific requirement to make disclosures regarding internal control issues in each quarterly certification. The SEC has now confirmed this reasoning and is proposing amendments to the certification rules adopted in the 302 Release to clarify that both "internal controls and procedures for financial reporting" and "disclosure controls and procedures" must be evaluated and certified on a quarterly basis.
The SEC would amend Rules 13a-14 and 15d-14 to require the CEO and CFO, with respect to each Form 10-K and Form 10-Q, to (i) evaluate (and to certify that they have evaluated) the effectiveness of the design and operation of the company's internal controls and procedures for financial reporting, and (ii) present in such periodic report conclusions about the effectiveness of such controls and procedures. Such evaluation and presentation requirements would be in addition to the existing certification and disclosure requirements.
In addition to clarifying that internal controls and procedures for financial reporting are included within the scope of the certification rules, the Section 404 proposed rules would modify existing rules to provide that the quarterly evaluation be made as of the end of the period covered by the report being certified, rather than within 90 days prior to the date the report is filed. This change could be significant in practice, particularly as the filing deadlines for Forms 10-K and 10-Q accelerate over the next three years, since it would require the quarterly evaluation process to occur between the end of the period and the filing of the report rather than over the course of the quarter.
Transition Period for Compliance with Rules Regarding Internal Controls and Procedures for Financial Reporting
To allow the Public Company Accounting Oversight Board (which Board the SEC is in the process of establishing) to establish attestation standards, and to allow companies and their auditors sufficient time to develop compliance procedures, the SEC has proposed to delay the effectiveness of these proposals. As contemplated, the proposals would first apply to a company beginning upon such company's first fiscal year end on or after September 15, 2003. As a result, the proposed rules will have no immediate effect on the content of certifications under Section 302.
C. Code of Ethics
Section 406 of Sarbanes-Oxley instructs the SEC to issue rules requiring a public company to disclose whether or not (and if not, why not) the company has adopted a code of ethics for its senior financial officers. Section 406 also mandates rules regarding immediate disclosure of changes to, and waivers of, the code of ethics. The SEC decided to expand the code of ethics requirement to apply also to the company's principal executive officer.
New S-K Item 406: Disclosure Regarding Code of Ethics
The SEC proposed new Item 406 of Regulation S-K, which requires a public company to disclose in its Forms 10-K whether or not it has adopted a code of ethics for its principal executive officer, principal financial officer, principal accounting officer or controller, or persons performing similar functions. If a company does not adopt a code of ethics, that company would be required to disclose the reasons. As a practical matter, particularly in the current climate, we expect that this disclosure requirement will force most public companies to establish a code of ethics that complies with the proposed rules. Section 406 of Sarbanes-Oxley requires the SEC to issue final rules to implement Section 406 by January 26, 2002.
What is a Code of Ethics?
The proposed rules include helpful guidance on what the code of ethics should include. Instruction 1 to Item 406 defines the term "code of ethics" to mean standards that are reasonably necessary to deter wrongdoing and to promote:
What Form Should the Code of Ethics Take?
The SEC refrained from specifying a form of code, instead proposing to leave to each company decisions regarding specific code provisions, compliance procedures and disciplinary measures for code breaches.
Code of Ethics as Exhibit to Annual Report
The proposal would require a company that adopts a code of ethics to file the code of ethics as an exhibit to the company's Form 10-K.
Disclosure of Waivers Regarding, and Changes to, Code of Ethics
The Section 406 proposed rules would require a company to promptly report any waivers regarding breaches of its code of ethics (including implicit waivers due to the company's inaction regarding a reported or known violation of a code provision). The company must also promptly disclose changes to its code of ethics. Companies must disclose such waivers and changes on Form 8-K or on the company's web site within two business days after making the change or granting the waiver.
To take advantage of the web site disclosure option, a company must have disclosed its web site address in its most recently filed Form 10-K and indicated that it intends to disclose these events on its web site. In addition, a company that elects this option would need to maintain the disclosure on its web site for at least 12 months after posting the disclosure. The electing company must also retain the disclosure for at least five years and make it available to the SEC upon request.
D. Improper Influence on Audits
The SEC has proposed rules to implement Section 303 of Sarbanes-Oxley, relating to prohibitions on the improper influence on the conduct of audits.
The Section 303 proposed rules prohibit an officer or director, or other person acting at their direction, from taking any action to fraudulently influence, coerce, manipulate or mislead any auditor of such company's financial statements if that person knew, or was unreasonable in not knowing, that such action could, if successful, result in rendering such financial statements materially misleading. The SEC's intent, as described in the Section 303 proposed rules, is that such rules, in combination with existing rules under the Exchange Act, ensure management's full disclosures to, and honest discussions with, the auditor of the company's financial statements. Section 303 of Sarbanes-Oxley requires the SEC to issue final rules to implement Section 303 by April 26, 2002.
Scope of the Prohibition
The prohibition on improper influence would remain effective at all times while the auditor is "engaged in the performance of an audit." This phrase encompasses all times that the auditor is making decisions regarding the company's financial statements (e.g., during and prior to the engagement period while negotiations to engage the auditor are on-going, and after the engagement period when the auditor is considering whether to issue a consent regarding the company's ability to use audit reports for prior periods).
The SEC interprets "direction" broadly so that an individual may be said to be "acting under the direction" of an officer or director even if that individual is not under the officer's or director's supervision or control. These "under direction" individuals may include employees, customers, vendors, creditors or advisors who, under an officer's or director's direction, take a prohibited action.
The Section 303 proposed rules would extend to attempts to improperly affect the audit process, even if such attempts ultimately fail to result in misleading financial statements. As noted in the proposed rules, "[I]t is the act of fraudulently influencing, coercing, manipulating, or misleading the auditor, for the purpose of rendering misleading financial statements, that is unlawful. There is no requirement…that the purpose be achieved."
Examples of Prohibited Acts
The release lists several forms of conduct that the SEC believes might constitute improper influence, including, directly or indirectly:
Text of the Proposed Rules
You can find the full text of the Section 404 proposed rules, the Section 406 proposed rules and the Section 407 proposed rules at www.sec.gov/rules/proposed/33-8138.htm, and of the Section 303 proposed rules at www.sec.gov/rules/proposed/34-46685.htm. You can also find further discussion of the Sarbanes-Oxley Act and of recent laws and regulations of interest to public companies on our website.