Last update March 21, 2005
SOX enhances the independence of the auditors and the audit committee by eliminating peripheral sources of compensation, and tries to assure a degree of competence in the audit committee chairman. Not a bad idea. SOX adds to the existing protection for whistleblowers and penalties for management nondisclosure. Some problems, but on balance perhaps a good thing if cautiously enforced. SOX requires top management to explicitly certify financials and the efficacy of controls for which they were already responsible. Even if that made any sense, in practice the implementation is a witches' brew of unintended consequences. The required COSO framework and detailed documentation has corporate America flow charting clerical and computer functions that have never contributed to the distribution of any materially misleading financial information. The problems with misstatements of earnings are not accidents brought on by the lack of a flow chart or a control.
Sarbanes-Oxley will impact life insurance companies in the same way as other publicly held companies. Audit fees will probably double, and consultant and lawyer fees will be substantial. While many of the provisions, such as audit committee procedures and whistle blower protections, will require careful implementation, if that were the main thrust of the act the impact would be limited. The real difficulties arise from three sections, 302, 404, and 906, all of which require that the CEO and CFO report on and certify the company's controls. That has always been the case, more or less, but Congress was tired of hearing that the CEO didn't know of a problem, or relied upon other officers or the auditors. Now personal involvement by the CEO and CFO is required. Lack of knowledge is still a defense, but the officer had better have plenty of documented proof that he was looking. The internal work and expense just to cover the assertions required will be far greater than the fees the outside accounting, legal, and consulting firms will generate.
There is plenty to read about SOX. Here is the Act. AICPA has "Implementation Central". The big firms such as PWC have detailed SOX sites. Deloitte's collection of articles is particularly helpful. So are the risk consultants and the lawyers. Here is a Foley & Lardner November 2004 legal assessment.
There is valid criticism (assuming you need more, after the above introduction), and there might be an outside chance of some further relief from Congress or the SEC, but you can't plan for it. There has already been a deferral on the 404 report (and the corresponding 302 certification of internal controls) from August 14, 2003 to June 14, 2004 (fiscal years ending on or after) for accelerated filers, and to 2005 for non-accelerated filers, companies with a market cap of less than $75 million, not counting shares held by affiliates. The latter may be significant to many medium sized life companies, particularly those with significant shareholdings by the officers, or with outside shareholders holding 10% or more. The value of the holdings by affiliates doesn't count in the market cap, so more companies will be under the wire than you would expect.
If you tell the CEO he must certify to the landscaping around the building and could go to jail for any misstatement, he is going to be spending a lot of time outside and will be requiring sub-certifications from the maintenance people. The same goes for the clerical systems involved with the day to day transactions. I suspect that every level of supervision, and even some clerical people, will be signing certifications to support (and provide cover for) the assertions required of the CEO. Most companies have not previously documented internal controls in the absence of a specific problem. The clerks who perform these functions have no motive to falsify, exaggerate, or smooth the reported earnings. Only top management has motive, means and opportunity, and the creativity to slip something by the auditors.
Along with the supposed benefits of the new whistleblower rules and the increased power and responsibilities of the Board are going to come some time consuming and disheartening situations. An employee can now create instant job security with a well-timed whistleblower letter, even if it is factually incorrect or irrelevant to any SOX concerns. Board members' increased concern for personal liability, coupled with enhanced influence, can be expected to complicate or block initiatives the CEO believes the company needs to take.
The consensus in the press is that SOX has wrought an improvement in corporate governance by "waking up" the board, presumably to increased surveillance and supervision of the business. Most effective business organizations, great and small, have been built by the vision and drive of a single person. If there are any that have been built by a committee of the board, they have somehow escaped notoriety.
As a practical matter, the condition, or at least the documentation, of the internal and disclosure controls in the real world is far more diaphanous than Congress must have presupposed. Just because a control is not documented doesn't mean it doesn't exist, and not being airtight doesn't mean that anything goes wrong. In the absence of skullduggery at a high level, a material problem is extremely rare.
Thinking back on the various problems that insurance companies have experienced, it is hard to find one that would have been avoided by having the clerks flow chart how they handle checks, what goes into suspense, or anything else for that matter.
The best way to develop flow charts and effective controls, and eliminate some unnecessary work along the way, is to do plain old administrative systems work. It is unlikely many companies have sufficient qualified staff to complete that type of analysis in the SOX time frame. A sizeable systems staff might be able to complete the necessary SOX documentation, but not if they try to make any improvements while they are documenting what exists. In fact, most SOX consultants advise you not to change anything as you go along, since you will then just have to change your documentation, and test again. The theory seems to be that it is better to document it the way it is, problems and all, and then document the planned remediation. Actually fixing something apparently comes later.
In addition, the type of "flow chart" commonly used for SOX compliance is focused on controls and is not designed to reveal possible system improvements. All things considered, it is apparent that you would be better off to keep your staff assigned to improving your systems, and hire outside consultants to create SOX documentation. That will have the added advantage of producing the same form of documentation as everybody else produces, and what the auditors are expecting to see. It won't make any money for the stockholders, but that is not the purpose of this exercise.
Perhaps Congress thought companies had the skills, time, and patience to create all this documentation of their controls. Look at what one consultant lists as a to-do list. If you started making flow charts, perhaps with the tutelage of your auditing firm, it probably wasn't long before you realized this was not a do-it-yourself project. It goes deeper than just not knowing what to do. Nobody really knows what to do, including the consultants and the auditors. The big benefit of using a consultant is similar to that of getting a legal opinion. If you have an expert consultant's opinion, you hopefully are covered. The CEO will feel more secure hearing that it is OK to sign when he hears it from an outside expert. The auditors are in the same position, as the consultant's opinion gives them cover.
It is difficult for me to see how most CEOs are going to be able to certify as 302 (or 906) requires, so my expectation is that many reports will be of material weaknesses and remediation plans. If that becomes the common result, the stockholding public may well disregard that news.
Let's take that a little further. Under 302 the officer may feel comfortable attesting to the financial information, but may not be prepared to say the disclosure controls or internal controls meet the standard of effectiveness. All that is required is that the officer evaluate and present the conclusions. If he isn't sure, he has to weigh the personal risk of certifying that the controls meet the standard against the adverse effects of reporting a material weakness. It seems inevitable that a lot of officers are going to be advised by their counsel to take the latter course, particularly in view of the criminal liability in 906. You have to wonder, if there is enough of that, whether it might defeat the purposes of the Act. Then it becomes the Act Too Far.
The SEC is not going to countenance (shades of Enron) a CEO claiming he didn't know of a problem when he made a 302 certification.
Look at what the CEO and other certifying officers have to assert, in addition to the usual affirmation of the statement itself:
If you are not the CEO, you really need to get the CEO to read the certification form, which has to be signed exactly as it appears in the rule, no changes permitted, now. This will take some getting used to.
It is important to recognize that disclosure controls relate to ALL material information, not just to information that relates to the financials. The narrower concept applies to internal controls.
what we believe to be Congress' intent - to have senior officers certify that required material non-financial information, as well as financial information, is included in an issuer's quarterly and annual reports. Under this interpretation, we maintain the pre-existing concept of internal controls without expanding it by relating it to non-financial information.
In Rule 302 the SEC makes an important distinction between disclosure controls and internal controls. The certification addresses both, but you get the distinct impression the SEC would have preferred, had the statute been more flexible on the point, to have 302 concern only disclosure controls, and leave the internal controls to sections 404 and 906 (where the criminal charge teeth are).
For purposes of the new rules, "disclosure controls and procedures" are defined as controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports filed or submitted by it under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the Commission's rules and forms. "Disclosure controls and procedures" include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in its Exchange Act reports is accumulated and communicated to the issuer's management, including its principal executive and financial officers, as appropriate to allow timely decisions regarding required disclosure. Rule 302
The content of the 302 certification is temporarily modified for registrants that are not accelerated filers (less than $75 million market cap held by non-affiliates) to eliminate certain references to internal control over financial reporting. The final rule on 404 deferred the compliance date for management's report on internal control for non-accelerated filers until the first fiscal year ending on or after April 15, 2005. Since the unmodified certification addresses both disclosure controls and internal controls, the SEC maintained the distinction by permitting deferral of the internal controls statements until section 404 was effective for the company.
Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports ....To account for the differences between the compliance date of the rules relating to internal control over financial reporting and the effective date of changes to the language of the Section 302 certification, a company's certifying officers may temporarily modify the content of their Section 302 certifications to eliminate certain references to internal control over financial reporting until the compliance date, as further explained in Section III.E.
For discussion see Dorsey & Whitney LLP
There is a suggestion in the SEC discussion of 302. The SEC "recommends" that the issuer have a disclosure committee to assist in identifying all the material information needed in the reports. That makes the creation of such a committee a no-brainer for you. No matter what else you do, if you don't have the committee, there is a prima facie case against you if something goes wrong. It is clear that the disclosure controls have to regard all of the pertinent information, the business risks, explanatory charts, adverse material events or prospects, and for a life company, substantial sales information. If you leave the 10Q to the lawyers it is going to look like an expanded S-1, if you can imagine such a thing. This committee looks like a life line.
We do recommend, however, that, if it has not already done so, an issuer create a committee with responsibility for considering the materiality of information and determining disclosure obligations on a timely basis. As is implicit in Section 302(a)(4) of the Act, such a committee would report to senior management, including the principal executive and financial officers, who bear express responsibility for designing, establishing, maintaining, reviewing and evaluating the issuer's disclosure controls and procedures. Rule 302.
Here is a second no-brainer. The committee won't give you any cover unless there are detailed minutes of much pondering, plus much discussion with the top officers. If your minutes end up looking like an S-1, that is
Relationship of Sections 302, 404, and 906. In terms of the responsibility placed upon the top management there appears to be little difference in these sections. Section 302 requires certification of the disclosure and internal controls, Section 404 requires a report assessing the internal controls, and Section 906 requires a certification that the report complies with Exchange Act section 13(a), and thus with regulation 13a-15, which requires evaluation of the effectiveness of the issuer's disclosure controls and procedures. The work and documentation necessary to comply with 302 should also get you into compliance with the other two. It is likewise hard to see how you could violate 302 without running afoul of 906. If that is so, then the criminal sanctions in 906 might as well be read into 302, and less specifically but practically, into 404. The scienter seems to be the same for each: knowing.
Note. See the SEC home page index to rules. However, I find the Securities Lawyer Deskbook easier to use, as in this reference to the Act. Note also that my references to the SEC Rules and Regulations are by the statute section, not the correct notation of the rule.
Section 906 requires that every periodic report containing financial statements shall be accompanied by a statement by the CEO and CFO which:
shall certify that the periodic report containing the financial statements fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) and that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer.
and so on. Sound familiar?
A good Guide to CEO and CFO certifications and internal control reporting.
Google: Sarbanes Oxley Relationship of Sections 302, 404, and 906
New rule 13b2-2(b)(1) specifically prohibits officers and directors, and persons acting under their direction, from coercing, manipulating, misleading, or fraudulently influencing (collectively referred to herein as "improperly influencing") the auditor of the issuer's financial statements when the officer, director or other person knew or should have known that the action, if successful, could result in rendering the issuer's financial statements materially misleading. New rule 13b2-2(b)(2) provides examples of actions that improperly influence an auditor that could result in "rendering the issuer's financial statements materially misleading."
The adopting release noted that the word "fraudulently", which in the Act preceded "coerce, manipulate, mislead, or influence", has been moved to modify only "influence", noting that misleading the auditor has been prohibited by the existing rule for many years, and electing not to introduce "a new scienter requirement on the pre-existing provision prohibiting officers and directors from causing misleading statements or omissions to be made to auditors."
The release also provided examples of the types of conduct the SEC believes could constitute improper influence, including:
Providing an auditor with an inaccurate or misleading legal analysis
There is a formidable SOX documentation effort created by Section 404, which says:
[The] annual report…[shall] contain an internal control report, … an assessment… of the effectiveness of the internal control structure and procedures … for financial reporting.
The section 404 report will be required for accelerated filers (those having $75 million market value of common stock held by non-affiliates) for the first fiscal year ending on or after November 15, 2004, and for non-accelerated filers, July 15, 2005.
The SEC Rule 404 adds that the report must identify the framework used by management to evaluate the effectiveness of the internal control. The only acceptable framework that currently exists in the U.S. is COSO. It is important to note that the definition of internal control adopted by the SEC is significantly narrower than that of COSO. The latter includes the efficiency and effectiveness of a company's operations, plus compliance with laws and regulations unrelated to financial reporting. The SEC's definition of what management must evaluate excludes those elements. Management can state that there is effective control if it determines there are no material weaknesses in its internal control over financial reporting. Other than that, there is no prescribed method or procedure to be performed in an evaluation. What there must be is "evidential matter" to support the determination, and that means documentation sufficient to evaluate the design and test effectiveness. The SEC notes that inquiry alone doesn't get it. Documentation means flow charts. Your procedures manual isn't going to get the job done.
SOX is getting bad press, to the effect that it is counterproductive and unduly expensive. It seems doubtful that the framework-flow chart-certification approach would have prevented any financial misstatement problem of the types that precipitated SOX, particularly with respect to life insurance companies. Since the cost to every medium sized company is estimated to be around $1 million, the cure looks worse than the disease. There are also side effects, such as the expansion of the power of the Audit Committee, at the expense of the CEO, and the invitation to employees to make anonymous challenges to management.
Given the extensive protection of whistle blowers, including the penalties for anything that might be interpreted as retaliation, it seems reasonable that some poor performers will attempt to become whistle blowers to retain their job. That seems pretty easy to do, and that could become a real problem.
One probable side effect of SOX is to draw the board of directors into the details of the day to day management of the company. SOX is more than a license to interfere, should an individual director be so inclined, it is structured to INVITE undercutting the management of the company. For example, the Audit Committee is to receive directly and deal directly with complaints or concerns, including anonymous ones from employees. Section 301 provides:
"(4) COMPLAINTS.—Each audit committee shall establish
That is just the set up steps required by section 301. The actual whistleblower section is much broader than "accounting", and will in practice encompass just about any type of complaint. Section 806:
provides whistleblower protection to employees who report a reasonable belief that a company subject to the SEC regulations has engaged in any of a number of fraudulent activities, including federal mail fraud, wire fraud, securities law fraud, bank fraud, or violation of SEC or other federal regulations prohibiting fraud against shareholders. Article, Williams, Kastner & Gibbs PLLC
There is nothing new about whistle blower protection, but SOX adds a new dimension by soliciting complaints by employees directly to the Audit Committee.
To encourage anonymous reports, the Public Company Accounting Oversight Board [PCAOB] has set up a whistle blower site, accessed from their web site. The SEC has long had such a site, and private firms are offering whistle blower services, the idea being that you are better off hearing of problems privately rather than from a regulator.
Encouraging whistle blowing sounds good, but then there is human nature. When people can complain without responsibility, a new avenue opens to the disgruntled employee. And there is a kicker. Even if the complaint is carefully handled, the employee may believe he is the victim of retaliation, and pursue a set of remedies with OSHA, and may sue regardless of the OSHA decision. On the other hand, the employee faces substantial problems relying on this protection.
One firm providing whistle blower services has this to say about the scope of employee concerns that must be dealt with:
One might incorrectly conclude that this whistle blowing
As a practical matter, the Audit Committee will have to investigate every complaint, even those that appear ridiculous, as an inarticulate or uninformed complaint may have some hidden basis. In addition, due caution to prevent claims of retaliation will require some action. Can the Committee simply forward complaints to management for comment or resolution? A cautious Committee will want to make a record of due consideration and investigation. That probably means confidential meetings with the complainant and some report back. It is easy to see how a company with a dysfunctional culture could become paralyzed by such procedures. One would also expect the process to have a chilling effect on management decision making. What manager would want to make a judgment call without preparing a full justification against the expected challenges from the Board?
While SOX greatly expands the responsibility of the Audit Committee, it also restricts the functions that the members of the committee can perform for the issuer with the independence requirement:
CRITERIA- In order to be considered to be independent ... a member of an audit committee ... may not, other than in his or her capacity as a member of the audit committee, the board of directors, or any other board committee-- '(i) accept any consulting, advisory, or other compensatory fee from the issuer;
One of the traditional functions of a good board member has been to provide advice and assistance to the CEO, sometimes for additional compensation or fees to the board member's company. At least for the member of the Audit Committee, that is no longer permitted: to accept fees from the company for any service in any other capacity will compromise his independence, and thus disqualify him from continuing to serve on the committee.
Failure of an audit committee member to satisfy the independence requirement would have a number of consequences. The national exchanges and the national securities associations would be prohibited by SEC rule from listing any security of the issuer. Issuers are required by the proxy rules to disclose whether their audit committee members are independent. See the full text of the SEC rule. It is likely that the Section 302 certification of the disclosure controls (as opposed to the internal controls) by the CEO and CFO would require disclosure of the disqualification of a serving committee member.
The SEC rejected suggestions that issuers should have flexibility to pay some level of de minimis or immaterial fees to make the requirement less restrictive:
We are not persuaded that such an exception is an appropriate deviation from the explicit mandate in Exchange Act Section 10A(m). We believe the policies and purposes behind that section, and particularly the use of the term "any" when describing such fees in the statute, weighs against providing for such an exception.
Congress obviously intended to put some teeth into SOX, with an assortment of criminal penalties that could put the unwary corporate executive in jail. Section 906 is a criminal provision that added a new Section 1350 to the USC. Thus it will be interpreted and enforced by the Justice Department, not the SEC. Even if the SEC thinks 906 does not incorporate 302, Justice is free to take a different view.
The mere threat of the perp walk should be enough to get the attention of the CEO, even if some of these provisions are unconstitutionally vague. With the CEO and the CFO required to certify under sections 302 and 906 to things they can't possibly be sure of, and "do not pass go" if things go south, I wonder what their personal lawyers are advising. Beyond "retire". If you resign before the statement is filed, you are not "it" any more.
At the very least, the certifying officer has to consider that criminal charges are one possible outcome if there is a significant problem with the 302 assertions, and should take, and document, reasonable steps to make sure he knows what someone may later think he should have known.
SOX 906 requires the CEO and CFO to certify that each periodic report containing financial statements "fully complies" with sec 13(a) of the Exchange Act. Take a look at one section of the Regulation. If you certify knowing it doesn't "comport", it is a fine of $1 million and/or 10 years. If you do it "willfully" it is $5 million and 20 years. I am not at all sure how you do it knowingly but not willfully, but at those prices, maybe it doesn't make any difference. And 906 isn't the only fearsome element. SOX 1102 gives 20 years for attempting to conceal a record or otherwise impede an official proceeding. It is also "unlawful" to mislead the auditors.
At this point it looks like the only defense is not "knowing" if some problem later comes up regarding the report. Normally "knowing" includes "knew or should have known". At the least, there are going to be a lot of people down the line certifying internally and a lot of paper trail before an alert CEO signs. How much protection the CEO gets from these internal certifications, which are likely to be enforced as well as perfunctory, probably depends upon the size of the organization. In the medium sized life company the CEO would be well advised to spend some time looking beyond these pieces of paper, and to document it.