Notes |
Discussion |
Sarbanes-Oxley
will impact life
insurance companies in the same way as other publicly held companies.
Audit fees will probably double, and consultant and lawyer fees will be
substantial. While many of the provisions, such as audit committee procedures
and whistle blower protections, will require careful implementation, if
that was the main thrust of the act the impact would be limited. The real
difficulties arise from three sections, 302, 404, and 906, all of which
require that the CEO and CFO report on and certify the company's controls.
That has always been the case, more or less, but Congress was tired of
hearing that the CEO didn't know of a problem, or relied upon other officers
or the auditors. Now personal involvement by the CEO and CFO is required.
Lack of knowledge is still a defense, but the officer better have plenty
of documented proof that he was looking. The result, in work and expense
just to cover the assertions required, will be far greater than the outside
accounting, legal, and consulting will generate.
|
There is plenty to read
about SOX. Here is the Act.
AICPA has "Implementation
Central". The big firms such as PWC
have detailed SOX sites. Deloitte's collection
of articles is particularly helpful. So are the risk
consultants and the lawyers. Here is a Foley & Larner November
2004 legal assessment.
There is valid
criticism, (assuming you need more, after the above introduction)
and there might be an outside chance of some further relief from Congress
or the SEC, but you can't plan for it. There has already been a deferral
on the 404 report (and the corresponding 302 certification of internal
controls) from August 14, 2003 to June 14, 2004 (fiscal years ending on
or after) for accelerated filers, and to 2005 for non accelerated filers,
companies with a market cap of less than $75 million, not counting shares
held by affiliates. The later may be significant to many medium sized
life companies, particularly those with significant shareholdings by the
officers, or with outside shareholders with 10% or more. The value of
the holdings by affiliates don't count in the market cap, so more companies
will be under the wire than you would expect.
|
If you tell the CEO he must certify to the landscaping
around the building and could go to jail for any misstatement, he is going
to be spending a lot of time outside and will be requiring sub-certifications
from the maintenance people. The same goes for the clerical systems involved
with the day to day transactions. I suspect that every level of supervision,
and even some clerical people, will be signing certifications to support
(and provide cover) for the assertions required of the CEO. Most companies
have not previously documented internal controls in the absence of a specific
problem. The clerks who perform these functions have no motive to falsify,
exaggerate, or smooth the reported earnings. Only top management has motive,
means and opportunity, and the creativity to slip something by the auditors.
|
Along with the supposed benefits of the new whistleblower
rules and the increased power and responsibilities of the Board are going
to come some time consuming and disheartening situations. An employee
can now create instant job security with a well timed whistleblower letter,
even if it is factually incorrect or irrelevant to any SOX concerns. Board
members' increased concern for personal liability, coupled with enhanced
influence, can be expected to complicate or block initiatives the CEO
believes the company needs to take.
The consensus in the press is that SOX has wrought an improvement in
corporate governance by "waking up" the board, presumably to
increased surveillance and supervision of the business. Most effective
business organizations, great and small, have been built by the vision
and drive of a single person. If there are any that have been built by
a committee of the board, they have somehow escaped notoriety.
|
As a practical matter, the condition, or at least the
documentation, of the internal and disclosure controls in the real world
is far more diaphanous than Congress must have presupposed. Just because
a control is not documented doesn't mean it doesn't exist, and not being
airtight doesn't mean anything goes wrong. In the absence of skullduggery
at a high level, a material problem is extremely rare.
Thinking back on the various problems that insurance companies have experienced,
it is hard to find one that would have been avoided by having the clerks
flow chart how they handle checks, what goes into suspense, or anything
else for that matter.
|
The best way to develop flow charts and effective controls,
and eliminate some unnecessary work along the way, is to do plain old
administrative systems work. It is unlikely many companies have sufficient
qualified staff to complete that type of analysis in the SOX time frame.
A sizeable systems staff might be able to complete the necessary SOX documentation,
but not if they try to make any improvements while they are documenting
what exists. In fact, most SOX consultants advise you not to change anything
as you go along, since you will then just have to change your documentation,
and test again. The theory seems to be that it is better to document it
the way it is, problems and all, and then document the planned remediation.
Actually fixing something apparently comes later.
In addition, the type of "flow chart" commonly used for SOX
compliance is focused on controls and is not designed to reveal possible
system improvements. All things considered, it is apparent that you would
be better off to keep your staff assigned to improving your systems, and
hire outside consultants to create SOX documentation. That will have the
added advantage of producing the same form of documentation as everybody
else produces, and what the auditors are expecting to see. It won't make
any money for the stockholders, but that is not the purpose of this exercise. |
Perhaps Congress thought companies had the skills, time,
and patience to create all this documentation of its controls. Look at
what one consultant
lists as a to do list. If you started making flow charts, perhaps
with the tutelage of your auditing firm, it probably wasn't long before
you realized this was not a do it yourself project. It goes deeper than
just not knowing what to do. Nobody really knows what to do, including
the consultants and the auditors. The big benefit of using a consultant
is similar to that of getting a legal opinion. If you have an expert consultant's
opinion, you hopefully are covered. The CEO will feel more secure hearing
that it is OK to sign when he hears it from an outside expert. The auditors
are in the same position, as the consultant opinion gives them cover. |
It is difficult for me to see how most CEOs are going
to be able to certify as 302 (or 906) requires, so my expectation is that
there will be many reports will be of material weaknesses and remediation
plans. If that becomes the common
result, the stockholding public may well disregard that news.
Let's take that a little further. Under 302 the officer may feel comfortable
attesting to the financial information, but may not be prepared to say
the disclosure controls or internal controls meet the standard of effectiveness.
All that is required is that the officer evaluate and present the conclusions.
If he isn't sure, he has to weigh the personal risk of certifying that
the controls meet the standard, against the adverse effects of reporting
material weakness. It seems inevitable that a lot of officers are going
to be advised by their counsel to take the later course, particularly
in view of the criminal liability in 906. You have to wonder, if there
is enough of that, whether it might defeat the purposes of the Act. Then
it becomes the Act Too Far. |
The SEC is not going to continence (shades of Enron) a
CEO claiming he didn't know of a problem when he made a 302 certification.
Look at what the CEO and other certifying officers have to assert, in
addition to the usual affirmation of the statement itself:
-he is responsible for establishing the disclosure controls
-he designed (or caused to be designed) the disclosure controls
-he evaluated the disclosure controls as of the end of the quarter
-he put his conclusion in the report
-nothing has changed since his evaluation that is likely to materially
affect internal control over financial reporting.
If you are not the CEO, you really need to get the CEO to read the certification
form, which has to be signed exactly as it appears in the rule, no changes
permitted, now. This will take some getting used to.
It is important to recognize that disclosure controls
relate to ALL material information, not just to information that relates
to the financials. The narrower concept applies to internal controls.
what we believe to be Congress' intent - to have senior officers
certify that required material non-financial information, as well as financial
information, is included in an issuer's quarterly and annual reports.
Under this interpretation, we maintain the pre-existing concept of internal
controls without expanding it by relating it to non-financial information.
Rule 302
|
In Rule 302 the SEC makes an important distinction between
disclosure controls and internal controls. The certification addresses
both, but you get the distinct impression the SEC would have preferred,
had the statute been more flexible on the point, to have 302 concern only
disclosure controls, and leave the internal controls to section 404 and
906 (where the criminal charge teeth are).
For purposes of the new rules,
"disclosure controls and procedures" are defined as controls
and other procedures of an issuer that are designed to ensure that information
required to be disclosed by the issuer in the reports filed or submitted
by it under the Exchange Act is recorded, processed, summarized and reported,
within the time periods specified in the Commission's rules and forms."Disclosure
controls and procedures" include, without limitation, controls and
procedures designed to ensure that information required to be disclosed
by an issuer in its Exchange Act reports is accumulated and communicated
to the issuer's management, including its principal executive and financial
officers, as appropriate to allow timely decisions regarding required
disclosure. Rule
302
|
The content of the 302 certification is temporarily modified
for registrants that are not accelerated filers (less than $75 million
market cap held by non affiliates) to eliminate certain references to
internal control over financial reporting. The final
rule on 404 deferred the compliance date for managements report on
internal control for non accelerated filers until the first fiscal year
ending on or after April 15, 2005. Since the unmodified certification
addresses both disclosure controls and internal controls, the SEC maintained
the distinction by permitting deferral of the internal controls statements
until section 404 was effective for the company. |
Final
Rule: Management's Reports on Internal Control Over Financial Reporting
and Certification of Disclosure in Exchange Act Periodic Reports ....To
account for the differences between the compliance date of the rules relating
to internal control over financial reporting and the effective date of
changes to the language of the Section 302 certification, a company's
certifying officers may temporarily modify the content of their Section
302 certifications to eliminate certain references to internal control
over financial reporting until the compliance date, as further explained
in Section III.E.
For discussion see Dorsey
& Whitney LLP
|
There is a suggestion in the SEC discussion of 302. The
SEC "recommends" that the issuer have a disclosure committee
to assist in identifying all the material information needed in the reports.
That makes the creation of such a committee a no-brainer for you. No matter
what else you do, if you don't have the committee, there is a prima facie
case against you if something goes wrong. It is clear that the disclosure
controls have to regard all of the pertinent information, the business
risks, explanatory charts, adverse material events or prospects, and for
a life company, substantial sales information. If you leave the 10Q to
the lawyers it is going to look like an expanded S-1, if you can imagine
such a thing. This committee looks like a life line. |
We do recommend, however, that, if it has not already
done so, an issuer create a committee with responsibility
for considering the materiality of information and determining disclosure
obligations on a timely basis. As is implicit in Section 302(a)(4) of
the Act, such a committee would report to senior management, including
the principal executive and financial officers, who bear express responsibility
for designing, establishing, maintaining, reviewing and evaluating the
issuer's disclosure controls and procedures. Rule
302.
Here is a second no-brainer. The committee won't give you any cover unless
there are detailed minutes of much pondering, plus much discussion with
the top officers. If your minutes end up looking like an S-1, that is
all right.
|
Relationship of Sections 302, 404, and 906. In terms of
the responsibility placed upon the top management there appears to be
little difference in these sections. Section 302 requires certification
of the disclosure and internal controls, Section 404 requires a report
assessing the internal controls, and Section 906 requires a certification
that the report complies with the Exchange Act section 13(a), thus regulation
13a-15
which requires evaluation of the effectiveness of the issuers disclosure
controls and procedures. The work and documentation necessary to comply
with 302 should also get you into compliance with the other two. It is
likewise hard to see how you could violate 302 without running afoul of
906. If that is so, then the criminal sanctions in 906 might as well be
read into 302, and less specifically but practically, into 404. The scienter
seems to be the same for each: knowing.
http://www.realcorporatelawyer.com/pdfs/ts062003.pdf
Note. See the SEC home page index
to rules. However, I find the Securities
Lawyer Deskbook easier to use. As in this reference to the Act.
Note also that my references to the SEC Rules and Regulations is by the
statute section, not the correct notation of the rule. |
Section 906 requires that every periodic report containing
financial statements shall be accompanied by a statement by the CEO and
CFO which:
shall certify that the periodic report containing the financial
statements fully complies with the requirements of section 13(a) or 15(d)
of the Securities Exchange Act pf 1934 (15 U.S.C. 78m or 78o(d)) and that
information contained in the periodic report fairly presents, in all material
respects, the financial condition and results of operations of the issuer.
Regulation 13a-15
provides:
management must evaluate, with the participation of the issuer's principal
executive and principal financial officers, or persons performing similar
functions, the effectiveness of the issuer's disclosure controls and procedures,
as of the end of each fiscal quarter
and so on. Sound familiar?
A good
Guide to CEO and CFO certifications and internal control reporting.
Google: Sarbanes Oxley Relationship of Sections 302, 404, and 906 |
SOX
303, Improper Influence on Conduct of Audits. The Rule
is implemented by amendments to the Exchange Act Reg 13B-2.
New rule 13b2-2(b)(1)
specifically prohibits officers and directors, and persons acting under
their direction, from coercing, manipulating, misleading, or fraudulently
influencing (collectively referred to herein as "improperly influencing")
the auditor of the issuer's financial statements when the officer, director
or other person knew or should have known that the action, if successful,
could result in rendering the issuer's financial statements materially
misleading.6 New rule 13b2-2(b)(2)
provides examples of actions that improperly influence an auditor that
could result in "rendering the issuer's financial statements materially
misleading." |
The adopting
release noted that the word "fraudulently", which in the
Act preceded "coerce, manipulate, mislead, or influence", has
been moved to modify only "influence", noting that misleading
the auditor has been prohibited by the existing rule for many years, and
electing not to introduce "a new scienter requirement on the
pre-existing provision prohibiting officers and directors from causing
misleading statements or omissions to be made to auditors."
The release also provided examples of the types of conduct the SEC believes
could constitute improper influence, including:
Providing an auditor with an inaccurate or misleading legal analysis
|
| There is a formidable SOX documentation effort created
by Section 404,
which says:
[The] annual report…[shall] contain an internal control report,
… an assessment… of the effectiveness of the internal control
structure and procedures … for financial reporting.
[The auditor] shall attest to, and report on, the assessment … in
accordance with standards… adopted by the Board
The section 404 report will be required
for accelerated filers (those having $75 million market value of common
stock held by non-affiliates) for the first fiscal year ending on or after
November 15, 2004, and for non-accelerated filers, July 15, 2005.
|
The SEC
Rule 404 adds that the report must identify the framework used by
management to evaluate the effectiveness of the internal control. The
only acceptable framework that currently exists in the U.S. is COSO. It
is important to note that the definition of internal control adopted by
the SEC is significantly narrower than that of COSO. The later includes
the efficiency and effectiveness of a company's operations, plus compliance
with laws and regulations unrelated to financial reporting. The SEC's
definition of what management must evaluate excludes those elements. Management
can state that there is effective control if it determines there are no
material weaknesses in its internal control over financial reporting.
Other than that, there is no prescribed method or procedure to be performed
in an evaluation. What there must be is "evidential matter"
to support the determination, and that means documentation sufficient
to evaluate the design and test effectiveness. The SEC notes that inquiry
alone doesn't get it. Documentation means flow charts. Your procedures
manual isn't going to get the job done. |
SOX is getting bad press, to the effect that it is counterproductive
and unduly expensive. It seems doubtful that the framework-flow chart-certification
approach would have prevented any financial misstatement problem of the
types that precipitated SOX, particularly with respect to life insurance
companies. Since the cost to every medium sized company is estimated to
be around $1 million, the cure looks worse than the disease. There are
also side effects, such as the expansion of the power of the Audit Committee,
at the expense of the CEO, and the invitation to employees to make anonymous
challenges to management.
Given the extensive protection of whistle blowers, including the penalties
for anything that might be interpreted as retaliation, it seems reasonable
that some poor performers will attempt to become whistle blowers to retain
their job. That seems pretty easy to do, and that could become a real
problem. |
One probable side effect of SOX is to draw the board of
directors into the details of the day to day management of the company.
SOX is more than a license to interfere, should an individual director
be so inclined, it is structured to INVITE undercutting the management
of the company. For example, the Audit Committee is to receive directly
and deal directly with complaints or concerns, including anonymous ones
from employees. Section
301 provides:
‘‘(4) COMPLAINTS.—Each audit committee shall establish
procedures for—
‘‘(A) the receipt, retention, and treatment of complaints
received by the issuer regarding accounting, internal
accounting controls, or auditing matters; and
‘‘(B) the confidential, anonymous submission by
employees of the issuer of concerns regarding questionable
accounting or auditing matters.
That is just the set up steps required by section 301. The actual whistleblower
section is much broader than "accounting", and will in practice
encompass just about any type of complaint. Section
806:
provides whistleblower protection to employees who report a reasonable
belief that a company subject to the SEC regulations has engaged in any
of a number of fraudulent activities, including federal mail fraud, wire
fraud, securities law fraud, bank fraud, or violation of SEC or other
federal regulations prohibiting fraud against shareholders. Article,
Williams, Kastner & Gibbs PLLC |
There is nothing new about whistle blower protection,
but SOX adds a new dimension by soliciting complaints by employees directly
to the Audit Committee.
To encourage anonymous reports, the Public Company Accounting Oversight
Board [PCAOB]
has set up a whistle blower site, accessed from their web site. The
SEC has long had such a site,
and private firms
are offering whistle blower services, the idea being that you are better
off hearing of problems privately rather than from a regulator.
Encouraging whistle blowing sounds good, but then there is human nature.
When people can complain without responsibility, a new avenue opens to
the disgruntled employee. And there is a kicker. Even if the complaint
is carefully handled, the employee may believe he is the victim of retaliation,
and pursue a set
of remedies with OSHA, and may sue regardless of the OSHA decision.
On the other hand, the employee
faces substantial problems relying on this protection. |
One firm providing
whistle blower services has this to say about the scope of employee
concerns that must be dealt with"
One might incorrectly conclude that this whistle blowing
provision is a narrow requirement that pertains to only
accounting matters. The Securities Exchange
Commission (SEC) says that internal controls relate to
processes that provide reasonable assurances that:
.. the company’s transactions are properly authorized;
.. the company’s assets are safeguarded against
unauthorized or improper use; and
.. the company’s transactions are properly recorded
and reported.
With this definition, little falls outside of accounting,
internal accounting controls, and auditing matters.
As a practical matter, the Audit Committee will have to investigate every
complaint, even those that appear ridiculous, as an inarticulate or uninformed
complaint may have some hidden basis. In addition, due caution to prevent
claims of retaliation will require some action. Can the Committee simply
forward complaints to management for comment or resolution? A cautious
Committee will want to make a record of due consideration and investigation.
That probably means confidential meetings with the complainant and some
report back. It is easy to see how a company with a dysfunctional culture
could become paralyzed by such procedures. One would also expect the process
to have a chilling effect on management decision making. What manager
would want to make a judgment call without preparing a full justification
against the expected challenges from the Board? |
While SOX greatly expands the responsibility of the Audit
Committee, it also restricts the functions that the members of the committee
can perform for the issuer with the independence requirement:
CRITERIA- In order to be considered to be independent ... a
member of an audit committee ... may not, other than in his or her capacity
as a member of the audit committee, the board of directors, or any other
board committee-- `(i) accept any consulting, advisory, or other compensatory
fee from the issuer;
|
One of the traditional functions of a good board member
has been to provide advice and assistance to the CEO, sometimes for additional
compensation or fees to the board member's company. At least for the member
of the Audit Committee, that is no longer permitted, and to accept fees
from the company for any service in any other capacity will compromise
his independence, and thus disqualify him to continue to serve on the
committee.
Failure of an audit committee member to satisfy the independence requirement
would have a number of consequences. The national exchanges and the national
securities associations would by prohibited by
SEC rule from listing any security of the issuer. Issuers are required
by the proxy rules to disclose whether their audit committee members are
independent. See the
full text of the SEC rule. Is is likely that the Section
302 certification of the disclosure controls (as opposed to the internal
controls) by the CEO and CFO would require disclosure of the disqualification
of a serving committee member.
The SEC rejected suggestions that issuers should have flexibility to
pay some level of de minimis or immaterial fees to make the requirement
less restrictive:
We are not persuaded that such an exception is an appropriate deviation
from the explicit mandate in Exchange Act Section 10A(m). We believe the
policies and purposes behind that section, and particularly the use of
the term "any" when describing such fees in the statute, weighs
against providing for such an exception. |
Congress obviously intended to put some teeth into SOX,
with an assortment of criminal penalties that could put the unwary corporate
executive in jail. Section 906 is a criminal provision that added a new
Section 1350 to the USC. Thus it will be interpreted and enforced by the
Justice Department, not the SEC. Even if the SEC thinks 906 does not incorporate
302, Justice is free to take a different view.
The mere threat of the perp
walk should be enough to get the attention of the CEO, even if some
of these provisions are unconstitutionally vague. With the CEO and the
CFO required to certify under sections 302 and 906 to things they can't
possibly be sure of, and "do not pass go" if things go south,
I wonder what their personal lawyers are advising. Beyond "retire".
If you resign before the statement is filled, you are not
"it" any more.
At the very least, the certifying office has to consider that criminal
charges are one possible outcome if there is a significant problem with
the 302 assertions, and should take, and document, reasonable steps to
make sure he knows what someone may later think he should have known. |
SOX
906 requires the CEO and CFO to certify that each periodic report
containing financial statements "fully complies" with sec 13(a)
of the Exchange Act. Take a look at one
section of the Regulation. If you certify knowing it doesn't "comport",
it is a fine of $1 million and/or 10 years. If you do it "willfully"
it is $5 million and 20 years. I am not at all sure how you do it knowingly
but not willfully, but at those prices, maybe it doesn't make any difference.
And 906 isn't the only fearsome element. SOX
1102 gives 20 years for attempting to conceal a record or otherwise
impede an official proceeding. It is also "unlawful" to mislead
the auditors.
At this point it looks like the only defense is not "knowing"
if some problem later comes up regarding the report. Normally "knowing"
includes "knew or should have known". At the least, there is
going to be a lot of people down the line certifying internally and a
lot of paper trail before an alert CEO signs. How much protection the
CEO gets from these internal certifications, which are likely to be enforced
as well a perfunctory, probably depends upon the size of the organization.
In the medium sized life company the CEO would be well advised to spend
some time looking beyond these pieces of paper, and to document it. |
Sarbanes Oxley is Congress' reaction to Enron, and the resultant demands
by the
investing public that it receive accurate financial information. SOX
promises to have a major impact, or at least its major beneficial
impact, on corporate governance. Given the existing Exchange Act and the
SEC Regulations, it is questionable whether anything more was needed in
terms of financial disclosure. By prescribing additional requirements
regarding disclosure and internal controls, Congress has imposed a staggering
cost in dollars and distraction for industry, for little or no discernable
benefit. Internal control deficiencies, if any, have had nothing to do
with the corporate misdeeds currently being prosecuted and have nothing
to do with preventing fraud by top management.