Everyone knows that compliance with Section 404 of the Sarbanes-Oxley Act is the most expensive part of implementing the statute. And everyone knows that 404 won’t go away. It is an obligation that is continuous from year to year.
General counsel know that the nomenclature and interpretation of 404 falls within the special province of the most arcane of CPAs, often in closeted dialogue with your audit committee.
You are only a lawyer, and you don’t understand 404’s moving parts. What’s going on here?
This article is only a summary of an enormously complex subject. The cost per Fortune 500 company for first year compliance has been reported as ranging from $3.5 to $9.5 million.
There is no doubt but that 404 will continue to occupy general counsel’s attention so long as inaccuracy (or fraud) lurks in the far corners of any company with public ownership.
A Brief Orientation
Section 404 requires the Securities and Exchange Commission to establish rules requiring annual reporting concerning an issuer’s internal financial controls. Such reporting must acknowledge management responsibility for, and management assessment of, the effectiveness of those controls.
The accountants thereafter must opine upon that management assessment.
SEC regulations require each reporting company to maintain internal control of financial reporting. Management, including principal executive officers and financial officers, must evaluate the effectiveness of such internal controls as of the end of each fiscal quarter, must report annually as to such controls as required in 404, and must report at least quarterly as to changes in internal controls.
Internal control reports are required to be included within accelerated filers’ annual reports on Form 10-K for fiscal years ending on or after Nov. 15, 2004 (though the SEC has granted extensions for the approximately 40 percent of accelerated filers with public float below $700 million).
For all other issuers the first report is due with Form 10-K for fiscal years ending on or after July 15, 2006 (after the SEC, on March 2 of this year granted a one-year extension, no doubt in recognition of the difficulty encountered by smaller companies in achieving compliance).
What Is Important To In-House Counsel?
The simplicity of the regulatory scheme is confounded by a significant overlay of nomenclature, much of it with a long history in bank regulation and accountancy which makes this vocabulary resistant to any efforts to simplify it. Thus, general counsel must first master operant nomenclature, starting with attempting to understand just what an “internal control over financial reporting” looks like.
The regulatory definition of internal control begins our descent into complexity: “A process designed by, or under the supervision of, the issuer’s principal executive and principal financial officers . . . and effected by the issuer’s board of directors [and] management . . . to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles . . . .”
These processes must adequately maintain records of transactions and transfers of assets, effect that recordation in the manner necessary to permit the preparation of GAAP financials, and contain checks and controls for timely detection of improper use of issuer assets.
This definition is supplemented by pronouncements by the Committee of Sponsoring Organizations (known as COSO), which require processes that provide reasonable assurance of effective and efficient operations, reliability of financial reporting, and compliance with applicable law.
COSO states that internal controls consist of: “the control environment” (does management espouse the message of rapid and honest reporting?); risk assessment (has management properly identified where possible weaknesses in recordation or in fraud control should be addressed?); control activities (has the enterprise addressed these risk areas?); communication (is the information communicated to the right people to monitor?); and effective monitoring of that information (by management and the audit committee).
These controls must exist at every level of company operations.
In assessing your company’s internal controls over financial reporting, what should counsel be looking at?
You are looking at how your company operates, records transactions and assets, and protects assets.
You are looking at the intensity of involvement of your audit committee, making sure that the internal auditors have a direct line of communication to the audit committee, that the audit committee receives reports of all internal control breakdowns, and is conversant with the enterprise’s risk assessment.
You are making sure that there are procedures to appropriately authorize transactions and to control access to assets, and to periodically count physical assets against the recordkeeping.
You are looking at management’s general attitude towards ethics, compliance and cooperation, and the support afforded by management to the establishment and enforcement of internal controls (indeed, the SEC also considers such matters in determining whether issuers and individuals should be subject to civil monetary penalties in cases of identified financial misreporting).
In-house counsel must also understand the definitional progression that is the key to what gets reported to the public.
If there is a problem with an internal control, if it does not achieve its objective either by design or in operation, there exists a “deficiency.” The existence of a deficiency must be measured separate and apart from the existence of any other internal control which might separately backstop the deficient control.
A “significant deficiency” exists if a deficiency in internal control, either alone or in the aggregate with other such deficiencies, results “in more than a remote likelihood that a misstatement in the company’s annual or interim financial statements that is more than inconsequential will not be prevented or detected.” This triggering standard is far less than “more likely than not” that there will be a financial misstatement.
A “material weakness” exists if one or more significant deficiencies result “in more than a remote likelihood that a material misstatement in the company’s annual or interim financial statements will not be prevented or detected.” A “significant deficiency” may create risk of misstatement that is “more than inconsequential” but less than “material” (materiality in securities law is itself controlled by a whole set of legal principles not discussed in this article). It is the materiality of the misstatement that defines a “material weakness,” which in turn triggers a mandatory obligation to make disclosure.
What Must Your Management Certify?
Item 308 of SEC Regulation S-K requires that management’s annual internal control report certify that management is responsible for establishing and maintaining adequate internal control over financial reporting.
The report must also identify the framework (or standards) used by management in its evaluation of adequacy (generally, issuers rely upon the COSO standards).
It must also include management’s assessment of the effectiveness of its internal controls, stating whether internal controls are effective. The discussion must disclose all material weaknesses and, if there are any internal weaknesses, then management is not permitted to declare its internal controls “effective.”
Through periodic reporting (10-Qs and 8-Ks), management must disclose any change in internal control during the past quarter if that change has materially affected, or is reasonably likely to materially affect, internal controls.
To avoid 10b-5 liability and to demonstrate management’s true commitment to compliance and disclosure transparency, many issuers disclose the discovery of a material weakness immediately. It is not unusual to promptly file a Form 8-K identifying a newly discovered material weakness, describing it in detail, and discussing steps taken or planned to be taken in order to cure it. Indeed, many companies immediately issue press releases admitting the existence of a newly perceived year-end material weakness.
What Do The Auditors Do?
The most obvious contribution of the CPAs is to fulfill the statutory obligation of accompanying management’s annual report on internal control over financial reporting with the CPA’s own report.
Under Rule 2-02(f) of Regulation S-X, the accountants auditing an issuer’s financial statement must sign and include an opinion as to whether management’s assessment of the effectiveness of internal control over financial reporting is fairly stated in all material respects, or alternatively state that an opinion cannot be expressed.
An accounting firm may not provide this assessment unless such CPAs also have performed the financial audit, but it is also possible to issue a “clean” audit opinion while declining to find that internal control over financial reporting is in fact effective.
For example, financial reporting failures might be identified, these failures might have arisen through ineffective internal controls, and the accountants thereafter may have verified the financial information through other procedures to meet the standards for financial auditing, notwithstanding the continuation of those internal control defects.
The CPAs must accumulate sufficient competent evidence to constitute reasonable assurance that all material weaknesses are identified. They do this by reviewing management’s assessment process (which must be created by management itself, not by the CPA firm, or the CPAs would in effect be reviewing their own work).
Management’s assessment process must evaluate the likelihood of financial misstatement, identify the locations or business units to be evaluated (certain newly acquired entities can be omitted, where internal controls cannot timely be verified by issuer management), evaluate the effectiveness of the internal control designs, observe and interview line people to determine operational effectiveness, determine significant deficiencies, and make sure that these findings are communicated to the auditor and audit committee.
CPAs typically inspect management documentation to determine if these elements of the management assessment process are satisfactory. The accountants also observe the actual functioning of these controls, checking among other things the identification of significant accounts, processes and transactions.
Some Special Problems
What concerns should counsel have at this point in the life of 404 reporting?
First, we can start by evaluating those areas which, during 2004, were most often identified as giving rise to material weaknesses. Slightly over half of all reported material weaknesses arose in financial systems and procedures, while 29 percent arose in connection with personnel matters.
These statistics show that both aspects of internal control must be addressed. Do the systems and procedures properly identify, control and report on the risks involved; and are there sufficient numbers of properly trained human beings, with defined roles of redundancy and checks and balances and lines of reporting, so as to properly implement those procedures?
Second, some commentators have warned against “sophomore slump.” Many accelerated issuers have put tremendous effort into the first annual management reports under Section 404, which are falling due during the current 10-K season.
But 404 obligations are recurrent. Compliance must be monitored quarterly, changes must be reported quarterly, management and CPA certifications arise annually as of the end of each fiscal year, and all previously identified material weaknesses must be addressed by the end of the next following year.
The “team” assembled by accelerated filers to address 404 the first time therefore must be morphed into a permanent company function. (Non-accelerated issuers that are still working on their first 404 reports, while enjoying the SEC deferral until after July, 2006, should consider addressing creation of a permanent structure while they work towards initial compliance.)
Third, general counsel might particularly want to take a look at outsourced functions, all of which are subject to the requirement of complying with 404 financial reporting internal controls. How do you establish internal controls over outsourced accounting, IT, R&D and HR? What must you require of your outsourcing partners?
Fourth, another area attracting attention at least in the literature is the control and evaluation of intellectual property. Practitioners have noted that many companies do a poor job of inventorying and protecting their IP assets, and don’t have appropriate IP control systems, a problem compounded by the fact that intellectual property exists in radically different forms under the control of many different departments, business units or functions within a company.
Additionally, much intellectual property is not registered or otherwise formally protected. One commentator has noted that “studies now show about 60-80 percent of the market capital for public companies is represented by intangible assets.” General counsel wishing to begin penetrating this subject are referred to 69 Patent, Trademark & Copyright Journal No. 1709, Feb. 15, 2005.
Fifth, general counsel may have to deal with vendors whose confirmations are requested during the audit procedure and who are now, in growing number, declining to confirm financial information to an issuer’s CPAs.
Since SOX has radically criminalized misleading or giving false or inaccurate information to auditors in connection with financial reporting, independent third parties (absent an express contractual undertaking to respond) increasingly are finding it more convenient to refuse to reply to CPA inquiries. This is a sardonic result for processes designed to make financial reporting more complete and accurate.