Frequently Asked Questions Regarding the Sarbanes-Oxley Act Executive Certification Requirements

Transcription

1 Frequently Asked Questions Regarding the Sarbanes-Oxley Act Executive Certification Requirements

2 Table of Contents Page No. Introduction 3 Applicability of Requirements 1. Which companies are subject to the executive certification requirements? 4 2. Which reports are subject to the requirements? 4 3. Who are the certifying officers? 4 4. Will the certification requirements be applied to other reports in the future? 4 5. Are unlisted companies with public debt required to comply with the executive certification requirements? 4 Executive Certification Requirements 6. When do companies have to comply with the certification requirements of Sarbanes-Oxley? 5 7. What is the form of the certification? 5 8. Can the wording of the certification be modified to fit the company s circumstances? 5 9. What will the certifying officers' report actually disclose related to their conclusion about the effectiveness of the controls based upon their evaluation, assuming the report is clean? What is the relationship between the executive certifications required under Sections 302 and 906 of the Sarbanes-Oxley Act? 6 Disclosure Controls and Procedures and Internal Controls Over Financial Reporting 11. What are disclosure controls and procedures? How are they distinguished from internal controls over financial reporting? What are internal controls over financial reporting (addressed by Section 404 of the Act)? When do companies have to comply with the requirement to conduct an evaluation of disclosure controls and procedures? When do companies have to comply with the requirement to conduct an evaluation of internal controls over financial reporting? What are examples of disclosure controls and procedures? What does it mean for the certifying officers to design disclosure controls and procedures? Is the application of disclosure controls and procedures limited to the public reports for which executive certification requirements are required? What steps can be taken to improve disclosure controls and procedures over the near term? What steps can be taken to improve disclosure controls and procedures over the longer term? 11 Management Evaluations of Control Effectiveness 20. How often must the certifying officers perform their evaluations of disclosure controls and procedures? How often must the certifying officers perform their evaluations of internal controls over financial reporting? How does management reconcile its activities on a quarterly basis to evaluate disclosure controls and procedures with its activities on an annual basis to assess internal controls over financial reporting? 13

3 Table of Contents (continued) Page No. 23. With respect to the certification requirements, what must the certifying CEOs and CFOs evaluate? What is the nature of the evaluation that certifying CEOs and CFOs must perform to comply with the new rules? Can a company take the position of maintaining the status quo and do nothing beyond what it has always done to support the certifications? Should management consider some kind of roll-up representation on internal control effectiveness and changes, particularly those employees with a significant internal control role? Can the certifying officers rely solely on self-assessments of their people for purposes of their evaluation? Can the certifying officers rely on the work of their internal auditors? Can the certifying officers rely on the work of their external auditors? Is there a control framework that may be used for purposes of conducting the evaluation? How does management define a deficiency for purposes of making disclosures to the audit committee and to the auditors? What are significant changes in internal controls and any factors which could affect the adequacy of the internal controls for purposes of complying with the Act? 17 Internal Audit Implementation 33. Does the NYSE standard require an internal audit function? What does the NYSE mean when it states in its commentary the following: It is enough for a company to have in place an appropriate control process for reviewing and approving its internal transactions and accounting? Can a company comply by simply demonstrating that there is a control process in place? When must companies comply with the NYSE requirement to implement an internal audit function? What should companies do if they are listed on other exchanges? Are they required to have an internal audit function? 18 Other 37. What are the new filing requirements with respect to Form 10-K and Form 10-Q? What are the new filing requirements with respect to Form 8-K? What are the required disclosures with respect to the company s code of ethics? 19

4 Introduction During recent weeks, we have witnessed more sweeping change in corporate governance requirements than at any time since the Great Depression. The loss of investor confidence and increased political and media attention, resulting from the actions of a few, have spawned more dialogue among directors, management and other parties about governance issues than most of us can recall in our lifetimes. The political will to provide more weapons to prosecutors and regulators to make examples of perpetrators of fraudulent financial reporting and gross neglect of duty has rarely been stronger. As an initiative to re-establish investor confidence, the Sarbanes-Oxley Act of 2002 has made executive certifications of financial statements a permanent requirement applicable to all publicly traded companies in the U.S. In its release on August 29, the Securities and Exchange Commission introduced a newly defined term, disclosure controls and procedures, to expand the concept of internal controls over financial reporting to the broader area of controls and procedures over disclosure of material financial and non-financial information in public reports. The focus of this booklet is on these new executive certification requirements. These requirements are a major area of emphasis for many companies preparing to make their first filing subsequent to August 29. While the certifying officers have always been responsible for and have been exposed to liability associated with financial and public reporting, Sarbanes-Oxley has raised the stakes. The risks are higher and the consequences are more significant. There are many questions on the minds of directors, certifying executives, other senior managers and auditors as they work together to facilitate compliance with these requirements. They may need independent advisors to assist them in addressing these questions. The questions listed in this booklet are the most common ones we have received in our discussions with many clients, attorneys and others in the marketplace who are dealing with these requirements. We have provided responses and views based on our experience that we hope will assist executives as they evaluate their company s disclosure controls infrastructure and processes supporting the executive certifications. We have also held discussions with the SEC to understand their views on certain points and confirm our interpretations in selected areas. This booklet is not intended to provide a legal analysis. Companies should seek legal counsel and appropriate risk advisors for advice on specific matters. Further, these issues are still subject to possible regulatory, judicial and legislative change and will continue to evolve. Protiviti will provide updates to these interpretations on its website ( Protiviti Inc. September 13,

5 Applicability of Requirements 1. Which companies are subject to the executive certification requirements? The Sarbanes-Oxley Act (the Act ) was passed on July 30, It contains two certification requirements, one under Section 302 and another under Section 906. The Section 302 certification became effective on August 29, when the SEC issued its rules on this requirement. The Section 906 certification requirement became effective immediately upon enactment of the Act. Section 302 of the Act states that the executive certification requirement applies to companies filing quarterly and annual reports with the SEC under either Section 13(a) or 15(d) of the Exchange Act of 1934 (the Exchange Act ). These companies include foreign private issuers (including Canadian issuers), banks and savings associations, issuers of asset-backed securities and small business issuers. 2. Which reports are subject to the requirements? The certification requirement applies to reports on Forms 10-K, 10-KSB, 10-Q, 10-QSB, 20-F and 40-F. The certification requirement applies to amendments to, and transition reports on, any of these foregoing reports. 3. Who are the certifying officers? Specifically, the SEC requires an issuer s principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, each to certify each quarterly or annual report. Generally, for most companies, the certifying officers are the CEO and CFO. Companies have the flexibility to have others sign the certification in addition to the CEO and CFO if they determine it is appropriate to do so because of the extent of their involvement in the financial reporting and disclosure process. 4. Will the certification requirements be applied to other reports in the future? The SEC is considering extending a certification requirement to other documents filed under the Exchange Act, such as registration statements on Forms 10 and 10-SB and definitive proxy and information statements. The commission is soliciting comment on whether any or all of these documents, or any other documents, should be certified by an issuer's senior officers. Some reports are often referred to as current reports to distinguish them from the periodic (quarterly and annual) reports. Current reports are on Forms 6-K and 8-K and are not covered by the certification requirement. Although there have been no indications as yet from the SEC, these and other reports that are not currently covered by the certification requirement could be covered in the future, including 1933 Securities Act filings. 5. Are unlisted companies with public debt required to comply with the executive certification requirements? Sarbanes-Oxley defines an issuer as an entity required to file reports under Section 15(d) [of the Securities Exchange Act of 1934] or that files or has filed a registration statement that has not yet become effective under the Securities Act of 1933 and that it has not withdrawn. The executive certification requirements under Sections 302 and 906 of Sarbanes-Oxley apply to all issuers because they are required to report under the securities laws. Unlisted companies with public debt must comply with the SEC s reporting requirements, including the executive certification requirements, in the fiscal year the registration statements for such debt are declared effective. Following that period, if at the end of any fiscal year there are fewer than 300 record holders of the debt outstanding, the company may elect to discontinue filing periodic reports with the SEC or may continue to file reports voluntarily. Many of these companies continue to report voluntarily to retain access to the markets. If they do elect to report voluntarily, they must issue periodic 10-Qs and 10-Ks and will be required to comply with the executive certification requirements because the SEC has made those requirements an 4

6 integral part of Forms 10-Q and 10-K. Therefore, if a company voluntarily files Forms 10-Q and 10-K, they must file the entire form, including the required certifications. As noted earlier, Section 15(d) of the Exchange Act applies to entities that have had a registration statement declared effective under the Securities Act. There are a number of types of securities that are exempt from the registration requirements of the Securities Act, including certain government and municipal securities. However, this is a question that must be addressed based upon the specific facts on a case-by-case basis. Companies having public debt with no listed stock should consult with their legal advisors to determine their specific reporting responsibilities under Sarbanes-Oxley. Executive Certification Requirements 6. When do companies have to comply with the certification requirements of Sarbanes-Oxley? A portion of the executive certification requirements are effective immediately for annual and quarterly reports filed or submitted subsequent to the issuance of the SEC s August 29 release. The remainder is effective for annual and quarterly reports for periods ending after August 29. By way of background, the SEC adopted rules to require an issuer's principal executive and financial officers each to certify the financial and other information contained in the issuer's quarterly and annual reports. This certification is effective immediately. The rules also require these officers to certify that they: are responsible for establishing, maintaining and regularly evaluating the effectiveness of the company's disclosure controls and procedures; have made certain disclosures to the company s auditors and the audit committee of the board of directors about the company s internal controls; and have included informatio in the quarterly and annual reports about their evaluation and whether there have been significant changes in the company s internal controls or in other factors that could significantly affect their evaluation. These certifications are effective for annual and quarterly reports filed for periods ending after August What is the form of the certification? In its August 29 release (available at the SEC specified the form of the certification in detail. Examples are provided for various forms required under the securities laws, including Form 10-K (annual report), Form 10-Q (quarterly report), Form 20-F (filed by foreign private issuers), Form 40-F (filed by Canadian issuers) and Form N-SAR (filed by registered investment companies). 8. Can the wording of the certification be modified to fit the company s circumstances? No. The certification required by the new rules must conform exactly to the form set forth by the SEC in its August 29 release, because Section 302 of the Sarbanes-Oxley Act prescribed this wording. While the SEC modified the language of Sarbanes-Oxley slightly, it did so based on the premise of Congressional intent. The SEC makes it clear that the wording of the required certification may not be changed in any way, even if the change would appear to be inconsequential in nature. For example, the certifying officers cannot include a modifier or limitation that states that the work to support the report was done at a point in time and that controls could change after that date. Alternatively, management cannot include any general limitation clause relating to the overall limitations as to the effectiveness of internal controls, e.g., that they are designed to provide reasonable but not absolute assurance. The SEC has not accepted certifications of companies that did not follow verbatim the prescribed wording. 9. What will the certifying officers report actually disclose related to their conclusion about the effectiveness of the controls based upon their evaluation, assuming the report is clean? Based upon the current SEC rules, the report form is the same, whether the report is clean or not. However, in addition to the specific wording as prescribed by the form provided by the SEC, new Item 307 of Regulation S-K makes reference to certain additional disclosures regarding both disclosure controls and procedures and internal controls that must be made in the reports in which the certification is contained. 5

7 The certifying officers must: Disclose their conclusions about the effectiveness of [the company's] disclosure controls and procedures based on [their] evaluation [of such controls and procedures] as of [the] date of their evaluation, which must be within 90 days of the filing date of the quarterly or annual report. Disclose whether or not there were significant changes in [the company's] internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation. See response to Question No. 32 for commentary as to how management makes these determinations. Disclose any corrective actions with regard to significant deficiencies and material weaknesses. See response to Question No. 31 for commentary as to how management makes the determination of significant deficiencies and material weaknesses. Corrective actions are the process and control improvements that management puts in place to correct a significant deficiency or material weakness. 10. What is the relationship between the executive certifications required under Sections 302 and 906 of the Sarbanes-Oxley Act? Section 906 of the Act requires a separate certification from the one required by Section 302, which was effective July 30, The Section 906 certification requirement differs from Section 302 in at least two respects. First, Section 906 imposes criminal penalties, whereas Section 302 does not. Second, the Section 906 certification is a shorter representation basically stating that the periodic report containing the financial statements fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934, and that the information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer. The two sets of certification requirements under Sections 302 and 906 surfaced from different facets of the legislative process and both are required even though both significantly overlap. The comprehensive evaluations and assessments required of the certifying officers under Section 302 will also enable these officers to sign the certification required by Section 906. Disclosure Controls and Procedures and Internal Controls Over Financial Reporting 11. What are disclosure controls and procedures? How are they distinguished from internal controls over financial reporting? It is our understanding that the SEC views internal controls over financial reporting as a subset of disclosure controls and procedures. The SEC has issued rules to require issuers to maintain, and regularly evaluate the effectiveness of, disclosure controls and procedures designed to ensure that the information required in reports filed under the Securities Exchange Act of 1934 is recorded, processed, summarized and reported on a timely basis. As defined by the SEC, disclosure controls and procedures apply to material financial and non-financial information required to be included in public reports. This definition is broader than the scope of internal controls over financial reporting. To the extent that internal controls over financial reporting impact disclosure, a company s disclosure controls and procedures are clearly inclusive of such internal controls because disclosure controls apply to all material information to be included in public reports, both within and outside the financial statements. Given the SEC s broad view of disclosure, as articulated in its August 29 release, it is difficult to identify any internal controls over financial reporting that would not be viewed as a subset of disclosure controls and procedures so long as such controls are relevant to the production of financial statements, which are a part of public reports. The SEC introduced disclosure controls and procedures as a new term rather than broaden internal controls beyond the objective of financial reporting. Disclosure controls and procedures are designed to ensure that all material information is accumulated and summarized for timely assessment and disclosure 6

8 pursuant to the SEC s rules and regulations. The SEC intended to make it explicit that the controls contemplated by Sarbanes-Oxley should embody controls and procedures addressing the quality and timeliness of disclosure in public reports. The SEC differentiates the concept of disclosure controls and procedures from the pre-existing concept of internal controls, which in the past the Commission has associated with a company's financial reporting and control of its assets. This distinction was based on the SEC s interpretation of Congressional intent: to have senior officers certify that required material non-financial information, as well as financial information, is included in an issuer's quarterly and annual reports. With its approach, the SEC has maintained the pre-existing concept of internal accounting controls by avoiding the expansion of it to non-financial information. With respect to these new rules, the SEC states the following: The certification statement regarding fair presentation of financial statements and other financial information is not limited to a representation that the financial statements and other financial information have been presented in accordance with generally accepted accounting principles ( GAAP ) and is not otherwise limited by reference to GAAP. We believe that Congress intended this statement to provide assurances that the financial information disclosed in a report, viewed in its entirety, meets a standard of overall material accuracy and completeness that is broader than financial reporting requirements under GAAP. A fair presentation of an issuer s financial condition, results of operations and cash flows encompasses the selection of appropriate accounting policies, proper application of appropriate accounting policies, disclosure of financial information that is informative and reasonably reflects the underlying transactions and events and the inclusion of any additional disclosure necessary to provide investors with a materially accurate and complete picture of an issuer's financial condition, results of operations and cash flows. In summary, disclosure procedures and controls are the activities in place that ensure that material information required to be disclosed is identified and communicated in a timely manner to appropriate management, including the certifying officers, so that timely decisions can be made regarding disclosure. Internal controls over financial reporting are a subset of disclosure controls and procedures. 12. What are internal controls over financial reporting (addressed by Section 404 of the Act)? Footnote 59 of the SEC release cites the AICPA definition of internal controls as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (a) reliability of financial reporting; (b) effectiveness and efficiency of operations; and (c) compliance with applicable laws and regulations. The focus of Section 404 of Sarbanes-Oxley is on internal controls related to the first category of objectives (i.e., internal controls over financial reporting). Under Section 13(b) (2) of the Exchange Act, public companies must devise and maintain a system of internal accounting controls that is sufficient to provide reasonable assurance that the following objectives are met: Transactions are executed in accordance with management's general or specific authorization. Transactions are recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and to maintain accountability for assets. Access to assets is permitted only in accordance with management's general or specific authorization. The recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences. These objectives provide the context for internal controls over financial reporting. 7

9 13. When do companies have to comply with the requirement to conduct an evaluation of disclosure controls and procedures? This requirement is effective for annual and quarterly reports filed for periods ending after August 29. To meet this requirement, a quarterly evaluation of disclosure controls and procedures must be conducted. 14. When do companies have to comply with the requirement to conduct an evaluation of internal controls over financial reporting? This evaluation is one that must be conducted each year. The results of this assessment are incorporated in the internal control report included in the annual report. The SEC has been directed by Sarbanes-Oxley to issue rules requiring this evaluation. From a practical standpoint, internal controls over financial reporting are evaluated quarterly if they impact disclosure and therefore fall within the scope of disclosure procedures. 15. What are examples of disclosure controls and procedures? Disclosure controls and procedures include, but are not limited to, controls and procedures designed to ensure that information required to be disclosed is accumulated and communicated to management, including the certifying officers, as appropriate to allow timely decisions regarding required disclosure. It is our understanding that the SEC believes that companies already (or should) have in place effectively designed and operating internal controls over financial reporting. The Commission intends for companies to ensure they have in place incremental disclosure controls and procedures related to non-financial information that are designed effectively, are repeating and are well-managed. These incremental disclosure controls and procedures are intended by the SEC to be comparable to financial reporting systems but are designed to capture non-financial information. In other words, ad hoc procedures and fire drills every quarter are not acceptable with respect to generating material non-financial information presented outside of the financial statements. The level of maturity expected for these non-financial information related processes is intended to be comparable to that which already exists in the internal controls over financial reporting. Effectively designed and operating disclosure controls and procedures require an infrastructure of policies, processes, people, reports and systems. For example: Form a disclosure controls committee. This committee considers the materiality of information, determines disclosure requirements on a timely basis, identifies disclosure issues and coordinates the development of the appropriate infrastructure to ensure that quality material information is disclosed promptly to management for consideration. These activities could become especially important once the SEC adopts new rules for rapid and current disclosure. See response to Question No. 18 for further discussion of this committee, including its composition. Create a standard reporting package or process to engage the appropriate people and funnel upward the required information. Upward communication is vital to effective disclosure controls and processes. A standard reporting package is a customary practice followed by many companies. If one is in place, management or a disclosure controls committee can review it with the objective of enhancing it to provide the certifying officers all of the information they need to conduct their evaluation. Inventory the reporting requirements and keep that inventory current. Regulation S-K, Regulation S-X, up-to-date GAAP checklists and other checklists provide a basis for determining the universe of requirements. Management or the disclosure controls committee should use these checklists to determine the applicable requirements and ensure that the requisite policies, activities and subject matter expertise are brought to bear so that an effective infrastructure is in place to identify, record, process, summarize and report the required information. Clarify roles, responsibilities and authorities for generating required disclosures. Accountability for generating the required disclosures should be established. Specific individuals or groups should be identified and specific timetables should be defined. Progress against established timetables must be monitored. 8

10 Monitor change, externally and internally. Changes in the environment and in the company s operations require special emphasis to evaluate their impact on the business, the financial statements and the required disclosures. Examples of changes requiring evaluation include mergers and acquisitions, divestitures, new innovative business practices, new systems, changes in personnel, significant market declines, and changes in laws and regulations. The disclosure controls committee, or an equivalent group of executives, should be designated with the responsibility to monitor change for purposes of identifying material information requiring disclosure. Align the organization with the objective of fair reporting. The disclosure controls and procedures infrastructure should consider the organization s performance expectations, incentive compensation programs and other behavior-influencing practices that may impact fair reporting. Reporting needs to be an integral part of every manager s job. For some organizations, this will be a mindset change. The disclosure controls committee could assume the responsibility of determining whether there are any aspects of the company s culture that could frustrate the goal of fair reporting. For example, if a significant component of the CFO s and accounting management s compensation is linked to profits, that approach should be examined to ensure that there is adequate balance given to quality reporting. Document and communicate disclosure controls and procedures to responsible individuals. The organization s disclosure controls and procedures should be documented by the disclosure controls committee, or an equivalent group of executives, and approved by appropriate management, including the certifying officers. The personnel responsible for executing these controls and procedures should receive the written documentation and acknowledge their understanding in writing. Staffing and training requirements should be evaluated to ensure everyone understands what is expected. 16. What does it mean for the certifying officers to design disclosure controls and procedures? We believe it means that the certifying officers, as a group, assume responsibility for the design of these controls and procedures to ensure that they receive the quality material information they need on a timely basis to enable them to certify to the fairness of the information in public reports. 17. Is the application of disclosure controls and procedures limited to the public reports for which executive certification requirements are required? No. Disclosure controls and procedures must be designed, maintained and evaluated to ensure full and timely disclosure in current reports of Forms 6-K and 8-K, as well as definitive proxy materials and definitive information statements, even though there is no specific certification requirement applicable to reports on those forms. 18. What steps can be taken to improve disclosure controls and procedures over the near term? See the examples cited in the response to Question No. 15. In addition, the following steps might facilitate the design and implementation of an interim solution over the near term: Form a disclosure controls committee to organize and oversee an immediate plan of action. The response to Question No. 15 refers to this example. In its August 29 release, the SEC recommended that companies, if they have not already done so, create a committee with responsibility for considering the materiality of information and determining disclosure requirements on a timely basis. This committee would report to senior management, specifically the certifying officers. The committee should consist of the principal accounting officer (or the controller), the general counsel (or other senior legal official with responsibility for disclosure matters who reports to the general counsel), the principal risk management officer, the chief investor relations officer (or an officer with equivalent corporate communications responsibilities), the chief information officer, appropriate representatives from the company s operating units and other executives the company deems appropriate. To be effective, the disclosure controls committee should include an expert in SEC reporting and filing requirements. 9

11 Engage unit managers and process owners and make them a part of the process to improve upward communications. The company must evaluate and improve upward communications from unit managers and process owners by making them an integral part of the disclosure process. For example, one company developed a standard monthly reporting package for all operating units that included, among other things, a representation letter, an analysis of variations and fluctuations in operations, an internal control evaluation, a risk assessment relating to changes in operations (e.g., changes in personnel, changes in systems, changes in business practices, etc.), a summary of related parties, and the financial statements. A corporate disclosure committee reviews each reporting package, follows up on questions and significant unresolved issues and documents the results of that follow-up. The reporting packages are subject to review by internal audit and the external auditor. This process funnels upward information about new risks, changes and issues to management and, ultimately, to the certifying officers. Identify critical processes that require immediate evaluation to ensure that the underlying controls are adequately designed and operating effectively. A quick diagnostic should be performed on critical processes that require immediate assessment of the controls and procedures to ensure that they are adequately designed, effectively operating and sufficiently documented to satisfy compliance with the rules. For example, the financial reporting process might be reviewed because of the non-routine activities that take place in that process. Decide how the company s collective knowledge will be captured and summarized for certifying officers to ensure timely action and disclosure. At least initially, a simple process should be in place to facilitate the flow of material information. This could be nothing more than formalizing existing disclosure processes. For the company requiring monthly reporting packages, as illustrated above, the disclosure committee forwards each unit s package to the CEO and CFO, the certifying officers, who review them as part of their ongoing evaluation process. Some companies use regular conference calls with business unit managers to identify new risks and emerging issues requiring attention. Create a checklist summarizing the key steps that must be carried out each quarter. The steps on the checklist should include steps that need to be completed before the designated officers sign the certification. For example, do they: Carefully read the report and ask relevant questions to understand its contents? Evaluate the internal controls over financial reporting to ensure that financial disclosures are complete and accurate? Evaluate the internal processes used to prepare the report, including the related disclosures? Discuss with key personnel involved in the process whether there are any unresolved issues with respect to disclosures or financial reporting? Take a close look at areas where there is a possibility for significant errors or omissions, i.e., past problem areas, revenue recognition, significant accounting estimates, asset impairments, loss contingencies, related party issues, significant industry problem areas and off-balance sheet issues? Discuss with the external auditor whether they have any concerns that could increase the company s compliance risks? Discuss the company s disclosure controls and procedures with the audit committee to confirm that it is satisfied with them? Follow up on open areas, e.g., disagreements with the external auditor, prior SEC comments, concerns of the audit committee, violations of the code of conduct, significant audit or other adjustments, issues raised by whistleblowers, instances or allegations of fraud, questions from analysts and unresolved issues in internal audit reports? These are just a few of the issues that should be addressed. The checklist serves as a written record of the steps the certifying officers take before signing the certification. 10

12 19. What steps can be taken to improve disclosure controls and procedures over the longer term? Once interim disclosure controls and procedures are in place, additional steps should be taken to assure compliance over the long term. Compliance for the first filing or during the first year is an important objective, but is not enough. A longer-term solution will ensure the company s disclosure controls and procedures will remain effective over time as operations and conditions change. There is no one-size-fits-all approach in determining the appropriate solution over the longer term. Every company will have a different solution depending on the level of depth required in understanding and documenting its processes, risks and control points. The extent, nature and timing of a solution depend on the risks and complexities inherent in a company s reporting and disclosure processes. For example, factors to consider when evaluating the appropriate longer-term solution would include: Key company characteristics: Extent of turnover in personnel management responsible for the financial reporting and disclosure process. The volume and complexity of transactions, and complexity of financial reporting systems. Limited or complex accounting guidance for industry issues or transactions. The extent to which compensation of executives is tied to stock options and profitability. There is an intense competitive environment and significant earnings pressure. There is a high market capitalization compared to competitors. Significant corporate change (reorganizations, restructuring, disposals, etc.) is underway. The effectiveness of the overall control environment. Limited knowledge of disclosure controls and procedures at the field level. The extent of decentralization. Susceptibility of asset theft or misappropriation. Significance of international operations. Investment in internal audit and other quality assurance functions. Qualifications of key accounting personnel. The existence of a corporate code of conduct or ethics policy and the effectiveness of its implementation. The extent of documentation of the company s processes. The extent and nature of related party transactions. Current known problem areas: revenue recognition, significant accounting estimates, asset impairments, loss contingencies, significant industry problem areas and off-balance sheet issues. Historical issues and problems raised in the past: Prior restatement of financial statements. The nature of existing internal control weaknesses, if any. The nature and amount of prior audit adjustments proposed by and the nature of prior management letter recommendations received from the external auditor. The nature of prior financial reporting and disclosure-related issues identified by internal audit and other internal sources. The number of recommendations from internal or external auditors that have not been implemented in a timely manner. The number of unimplemented recommendations from internal and external auditors (even if not yet due). Material weakness letters received from external auditors. The nature and magnitude of SEC comments received on prior public filings. The nature of prior regulatory examination issues, if any. Audit committee concerns with respect to the company s disclosure controls and procedures. Existence of fraud and/or violations of the code of conduct. Issues raised by whistleblowers. 11

13 Public allegations of mismanagement, fraud or ethics violations. Shareholder litigation. Unresolved questions from analysts. These are examples of the factors that management should consider when evaluating the level of depth required to address a longer-term solution. A company that does not have any of these or other risk factors may be considered lower risk than a company to which many of these risk factors apply. While management and its advisors must carefully consider the organization s longer-term needs, it is possible that a lower risk company may decide to do less to evaluate its disclosure controls and procedures than a higher risk company. This decision is one that management must carefully evaluate as the SEC s rules presume that adequate disclosure controls and procedures will be put in place. A high risk company will want to take a close look at carefully documenting its processes, risks and control points in the areas of specific need. Following are elements of a longer-term solution: Identify the primary business risks associated with company operations and the critical information essential for measuring, monitoring and reporting on each risk; in view of such risks, evaluate current disclosures to determine whether additional information is needed. Senior management and the board should concur as to the company s primary business risks, the appetite or tolerance for such risks and the plans for managing and monitoring the company s exposure to losses and potential for profits from such risks. As management recommends specific strategies and plans for action to the board, they should articulate the risks inherent in such strategies and plans, and evaluate the consistency of their recommendations with their expressed risk tolerance. The board, in turn, must understand and agree with management s assessment of and tolerance for risk and the impact of their recommendations on the organization s risk profile. An explicit understanding of the organization s risks and the uncertainties inherent in its performance goals will assist management in identifying material information for disclo sure in public reports. Management s assessment of business risk and the related impact on disclosure in public reports should be continuously updated over time. Source material information components in public reports back to upstream processes and points of origin, and identify the critical processes that generate them. As noted above, an interim solution might focus on evaluating the financial reporting process and the infrastructure that ensures effective disclosure controls and procedures. The critical upstream processes that feed the financial reporting and public disclosure process should then be reviewed, with the appropriate process owners assuming responsibility for that review. Management can identify these critical processes by decomposing the critical information in the public reports, working backwards to identify the relevant processes that record, process, summarize and report that information. These processes should be ranked according to criticality using appropriate criteria, such as pervasiveness of importance to the company s operations, impact on public reports, susceptibility to change, potential for material events, etc. The risk factors discussed above may affect the ranking of processes. Document the critical processes, including risks and control points. Identify gaps and action plans to close the gaps. The inputs, outputs, activities, policies, systems and metrics of the significant processes should be documented over, for example, a 12- to 24-month period, depending on management s assessment of criticality. As each process is documented, the risks and key control points are identified. These control points provide the basis for conducting an evaluation of controls. Any control deficiencies should be considered for disclosure and certification purposes and addressed as soon as possible. Align process owner monitoring and internal audit plans with evaluation requirements. Identified control points provide the basis for developing appropriate metrics and for focusing process owner monitoring. They also provide a business context for focusing internal audit plans. The results of process owner monitoring and internal audits should be reported to the disclosure committee for review. Design a process to identify operating and other changes that impact the adequacy of controls. Change is inevitable. For example, operational risks, new related party transactions, new litigation and other contingencies, strategic risks, regulatory developments, credit and market risks, and risks to reputation 12

14 and brand image can emerge that present issues requiring disclosure. Management should put in place an infrastructure that identifies issues on a timely basis that require action and possible disclosure. Management should satisfy itself that the company s disclosure controls and procedures are effective in addressing new issues and developments as they arise. Management Evaluations of Control Effectiveness 20. How often must the certifying officers perform their evaluations of disclosure controls and procedures? An evaluation must be performed in conjunction with the filing of each quarterly report and annual report. Such evaluations must be performed as of a date within 90 days prior to the filing date of the report. Note that the certifying officers will also need to disclose whether or not there were significant changes in the company's internal controls or in other factors that could significantly affect these controls subsequent to the date of their evaluation. This means that immediately prior to the filing, the certifying officers will need to develop procedures to inform them of such matters that would require disclosure. 21. How often must the certifying officers perform their evaluations of internal controls over financial reporting? As discussed in the response to Question No. 20, disclosure controls and procedures are evaluated and certified quarterly by management. Section 404 of Sarbanes-Oxley requires an internal controls report annually, and directs the SEC to issue rules requiring this report. The annual report must contain management's assessment as of the end of the fiscal year of the effectiveness of the internal control structure and the procedures for financial reporting. Once the SEC issues its rules on internal controls reporting, the independent auditor will be required to attest to and report on management's assessment, as communicated, in the annual internal controls report. 22. How does management reconcile its activities on a quarterly basis to evaluate disclosure controls and procedures with its activities on an annual basis to assess internal controls over financial reporting? As noted in our response to Question No. 11, the SEC views internal controls over financial reporting as a subset of disclosure controls and procedures. If that is the case, must management evaluate such controls on a quarterly basis as part of its evaluation of disclosure controls and procedures? We understand that the SEC is sensitive to the need for clarity on this point and intends to address it when the Commission releases its guidance on Section 404 of Sarbanes-Oxley to address the filing of an annual internal controls report. We understand that the SEC intends to recognize in its release on Section 404 that disclosure controls and procedures and internal controls over financial reporting are two sets of controls and procedures, one requiring a quarterly evaluation and the other requiring an annual assessment. In its release on Section 404, the Commission will also seek to harmonize how the quarterly evaluations of disclosure controls and procedures and the annual assessment of internal controls over financial reporting will work. The SEC s intent is to set forth a practical approach that will clearly distinguish between what's expected of management quarterly and what's expected of management annually. Unlike the August 29 release, we understand that the SEC intends to issue its release on Section 404 for public comment. The Commission believes feedback from companies will assist it in clarifying the expectations required of certifying officers on a quarterly and on an annual basis. While Sarbanes-Oxley does not specify the timing requirements for the SEC s release on Section 404, it is likely the Commission will issue this release sometime soon because of the need for guidance. 13

15 23. With respect to the certification requirements, what must the certifying CEOs and CFOs evaluate? The SEC requirements provide the context for defining the focus of the evaluation. The certifying officers must: State in the report that they are responsible for establishing and maintaining disclosure controls and procedures and have designed such disclosure controls and procedures to ensure that material information is made known to them, particularly during the period in which the periodic report is being prepared. State that they have evaluated the effectiveness of the issuer's disclosure controls and procedures as of a date within 90 days prior to the filing date of the report, and have presented in the report their conclusions about the effectiveness of the disclosure controls and procedures based on the required evaluation as of that date. State that they have reported to the auditors and to the audit committees (a) all significant deficiencies in the design or operation of internal controls which could adversely affect the company's ability to record, process, summarize and report financial data; (b) any material weaknesses in internal controls; and (c) any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer s internal controls. Indicate in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses. 24. What is the nature of the evaluation that certifying CEOs and CFOs must perform to comply with the new rules? The evaluation requirements (see Question No. 23) provide a context for responding to this question. The evaluation itself must be responsive to these requirements. Given these requirements, there are several key points that must be addressed when understanding the nature of the evaluation: The concept of disclosure controls and procedures is intended to cover a broader range of information than what is covered by an issuer s internal controls over financial reporting. The SEC s rules are intended to hold certifying officers responsible for establishing, maintaining, supervising and evaluating these disclosure controls and procedures. While the new rules do not provide detailed procedures for an evaluation, the SEC states that the evaluation must, at a minimum, be carried out in a manner that would form the basis for the certification statements. Thus the evaluation is the process by which the certifying officers satisfy themselves that the disclosure controls and procedures as well as the internal controls over financial reporting are effective in both design (achieving the desired results) and operation (operating in accordance with prescribed design). The SEC states that the new rules require a company to grow and evolve [its control systems] with its business to produce reports that are timely, accurate and reliable. This point suggests that rapidly growing businesses need to be sensitive to the increased demands of growth on improving the infrastructure supporting disclosure controls and procedures. In its August 29 release, the SEC stated that it was not requiring any specific procedures for conducting the evaluation supporting the executive certifications. Each company must develop its own evaluation process that is consistent with its business and internal management and supervisory practices. The fundamental objective of the evaluation is to ensure that the certifying officers receive all material information in a timely and reliable manner so that they are able to sign the certifications and ensure the disclosure infrastructure is adequate to assure compliance over the long term as conditions change. 14

16 25. Can a company take the position of maintaining the status quo and do nothing beyond what it has always done to support the certifications? Some companies may assert that they can comply with the certification requirements while maintaining the status quo on the basis that the processes and controls they have always had in place have been performing, and are continuing to perform, effectively. In effect, the certifying officers place trust in the people of the organization that they will do what s right and get the job done. While there is nothing wrong with trusting people, a status quo approach may not always be appropriate. In this environment, it could be criticized as non-responsive and does not provide sufficient concrete evidence to outsiders if something goes wrong. The certifying officers should realize that when they sign their certifications, they are representing that they possess or have access to the collective knowledge of the company regarding any and all information that is material to investors. They are or should be, in effect, certifying management s internal processes. The days of ad hoc disclosure activities are over. What is needed is a more formal process. That is why we believe that companies should take a fresh look at their processes and controls to ensure that they are effective in capturing material information timely, reliably and completely. 26. Should management consider some kind of roll-up representation on internal control effectiveness and changes, particularly those employees with a significant internal control role? We are seeing some companies implement this practice. Requiring representations is a viable practice, if it has substance. As long as the focus is on the underlying processes and the controls over those processes, rather than a mere paper exercise, such approaches can be useful in establishing accountability. The objective is to provide substantive support to the certifying officers so that they will have the knowledge to sign their quarterly certifications. Some companies are creating a chain of certifications by requiring direct reports to individually certify results. Those direct reports may, in turn, require the same of their direct reports, and so on. This approach may engage process owners but it does not necessarily provide assurance that better information will be furnished to management for timely action and disclosure. If it becomes a ritualistic exercise and lacks substance, it will not identify issues that may exist in critical processes. 27. Can the certifying officers rely solely on self-assessments of their people for purposes of their evaluation? We believe that self-assessments by process owners can be a significant part of the certifying officers evaluation, but should not be the sole basis for their evaluation. 28. Can the certifying officers rely on the work of their internal auditors? The certifying officers have many sources on which to rely. First and foremost, the monitoring of process owners is an important area. Second, focused testing by internal auditors on key controls can be a part of the evaluation. Such testing is improved if the key processes and control points are documented effectively. 29. Can the certifying officers rely on the work of their external auditors? While the work of external auditors does in fact provide yet another checkpoint for management, it should not be the basis for management s evaluation. The external auditors responsibility is limited to reviewing the company s internal controls over financial reporting. However, management s responsibility to evaluate disclosure controls and procedures is broader. As noted in Question No. 12, internal controls over financial reporting are a subset of disclosure controls and procedures. Some certifying officers may assert that they can rely on the external auditor when formulating their assertions that the internal controls are well designed and operating effectively. However, this is not the primary role and responsibility of the external auditor. Management has the primary responsibility to design 15

17 and evaluate the effectiveness of disclosure controls and procedures, while the external auditor has the responsibility to assess and (if they choose to rely upon the controls) test the adequacy of the controls and procedures for purposes of establishing the scope of the external audit. When the SEC issues its guidance on Section 404 of Sarbanes-Oxley, the independent auditor will also be required to issue an opinion that attests to and reports on management s assertion in the internal controls report that the internal controls over financial reporting are operating effectively. This assertion is one that management must support with appropriate documentation. Because the external auditor will rely on management s supporting documentation, it would be circuitous logic for the external auditor s work to be the basis for management s assertions. 30. Is there a control framework that may be used for purposes of conducting the evaluation? We believe an authoritative framework is best. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework is an example. 31. How does management define a deficiency for purposes of making disclosures to the audit committee and to the auditors? Management must report to the auditors and to the audit committees the following: All significant deficiencies in the design or operation of internal controls that could adversely affect the company s ability to record, process, summarize and report financial data. A deficiency in internal controls is significant if it could adversely affect the company s financial reporting process and the critical processes that feed data and information to the financial reporting process. The context for evaluating the significance of a deficiency in internal controls over financial reporting is management s assertions as to the fairness of presentation of financial condition, results of operations and cash flows, as expressed in or implied by both the financial statements and the executive certifications. A significant deficiency in internal controls arises if: The process, as it is designed, could lead to errors or omissions in the recording, processing, summarization and reporting of financial data that are inconsistent with the assertions of management; or Effectively designed internal controls fail to operate as they are intended. Whether the deficiency is in design or in operation, it is significant if management concludes that the effect of the deficiency is a condition that warrants management s attention and should be corrected as quickly as possible because it either is or could become a material weakness in internal control. The language used by the SEC to describe a significant deficiency in internal control is the same language used by the AICPA to define a reportable condition for purposes of reporting to the auditing committee by the external auditor. If the external auditor concludes that a deficiency in the design or operation of the internal controls over financial reporting could adversely affect a company s ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements, that deficiency is a reportable condition. Thus management and the auditor have the same standard in terms of their responsibility to report to the audit committee. That standard is also management s for purposes of reporting to the external auditor. From a practical standpoint, if management identifies a deficiency in internal controls that it believes could adversely affect the company s ability to record, process, summarize and report financial data (and therefore is significant), it should discuss that deficiency with the external auditors, the internal auditors and the audit committee before finalizing its conclusion that the deficiency does have an adverse impact. This is particularly important because, as explained above, the external auditor must report to the audit committee all significant deficiencies it identifies in connection with the audit. This could result in situations where the external auditor reports significant deficiencies at the conclusion of the audit that were not reported by management to the auditors and audit committee earlier in the year. This situation could potentially increase management s exposure if these matters resulted in errors or omissions in the company s financial reporting and were not reported in a timely manner when they came to management s attention. 16

18 Any material weaknesses in internal controls. A material weakness is a significant deficiency in internal controls that could have a material effect on the financial statements. The AICPA defines a material weakness as a condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. A material weakness is a condition in internal controls in which there is a high probability that errors or irregularities in amounts material to the financial statements could occur and not be detected by employees and processes the company has in place. This is a complex determination that often must consider the financial statements taken as a whole and the overall financial reporting picture before an informed conclusion can be reached. There are many issues that come into play when making an assessment of whether a controls weakness is a material weakness. For example, the overall control environment, the nature of the identified control weakness and compensating controls, the nature of the assets at risk, the presence of other control weaknesses, the changes in company practices and procedures, and past experience are examples of such issues. Because of the complexity of these issues, management should consult with the external auditors if there is any question as to whether a particular weakness in internal controls is a material weakness. For example, the external auditors will evaluate the control weakness by considering the nature, timing, and extent of the audit tests they must perform to reduce residual audit risk to an acceptable level. Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer s internal controls. 32. What are significant changes in internal controls and any factors which could affect the adequacy of the internal controls for purposes of complying with the Act? There is no specific guidance from the SEC on this question at this time. With respect to factors that could affect the adequacy of the internal controls, the SEC did provide one example: the effect of growth on the adequacy of existing disclosure processes. Other examples of changes in the company s operations that might affect the effectiveness of internal controls include significant loss or change of senior management, employee turnover, downsizing, introduction of new systems, significant acquisitions and the effects of unexpected catastrophic events. Internal Audit Implementation 33. Does the NYSE standard require an internal audit function? The new NYSE listing standards state that each listed company must have an internal audit function. In its commentary to that requirement, the NYSE allows companies a great deal of latitude as to how they implement it. For example, the NYSE states that the requirement does not necessarily mean that a company must establish a separate internal audit department or dedicate employees to internal auditing on a full-time basis. The available options suggested by the NYSE include staffing entire internal audit departments, utilizing part-time resources (meaning they have other responsibilities within the company and are independent of the area they are auditing), and outsourcing or co-sourcing of resources from external service providers. If a company elects to use part-time resources, it should do so carefully to ensure auditor independence, objectivity and effectiveness. 17

19 34. What does the NYSE mean when it states in its commentary the following: It is enough for a company to have in place an appropriate control process for reviewing and approving its internal transactions and accounting? Can a company comply by simply demonstrating that there is a control process in place? This statement by the NYSE must be reviewed in context. First, the NYSE rule is clear -- each listed company must have an internal audit function. Second, the statement in question is provided in the NYSE s commentary on that rule. It would be hard to sustain a view that the NYSE does not intend for bona fide internal audit activity to be in place. The NYSE takes a flexible stance and does not dictate how companies should comply, e.g., the internal audit function doesn t have to consist of employees dedicated full time to auditing activities, and it can be outsourced. The reference to a control process, when put into context of the rule and the rest of the commentary, suggests a process whereby the key activities are checked and monitored independently. The alternative interpretation that it means people can check their own work just won t hold up because that is not representative of an internal audit function. 35. When must companies comply with the NYSE requirement to implement an internal audit function? The NYSE rules allow listed companies up to six months from the date the SEC approves the listing requirements to comply with this requirement. SEC approval is expected by fall Therefore, the deadline for compliance with this requirement is likely to be sometime during spring 2003, but by no later than June 30, What should companies do if they are listed on other exchanges? Are they required to have an internal audit function? NASDAQ and AMEX did not address the internal audit function in their listing requirements. The fact that the NYSE has amended its listing requirements could lead other exchanges to follow suit. In today s world, companies without an internal audit function will be the exception, regardless of the legal requirements. Other 37. What are the new filing requirements with respect to Form 10-K and Form 10-Q? The SEC accelerated the filing of quarterly and annual reports under the Securities Exchange Act of 1934 for domestic reporting companies that have a common equity public float of at least $75 million, that have been subject to the Exchange Act s reporting requirements for at least 12 calendar months and that previously have filed at least one annual report. The changes for these accelerated filers will be phased in over three years. The annual report deadline will be reduced from 90 days to 60 days over the three-year period, while the quarterly report deadline will be reduced from 45 days to 35 days. The phase-in period will begin for accelerated filers with fiscal years ending on or after December 15, The following table illustrates the phased-in filing requirements: For Fiscal Years Ending Form 10-K Deadline Form 10-Q Deadline On or After December 15, days after fiscal year end 45 days after fiscal quarter end December 15, days after fiscal year end 45 days after fiscal quarter end December 15, days after fiscal year end 40 days after fiscal quarter end December 15, days after fiscal year end 35 days after fiscal quarter end 18

20 With respect to the public float test, the SEC s position is that this test serves as a reasonable measure of company size and market interest. This definition of accelerated filers excludes nearly half of all publicly traded companies. 38. What are the new filing requirements with respect to Form 8-K? All Form 8-K reports are to be filed by the end of the second business day after the reported event, effective August 29, What are the required disclosures with respect to the company s code of ethics? Sarbanes-Oxley directs the SEC to propose rules by October 28, 2002, to be enacted within 90 days thereafter, requiring companies to disclose in their periodic reports whether they have adopted a code of ethics for their senior financial officers and if not, the reasons why. These rules must apply to the principal financial officer and controller, or principal accounting officer, or persons performing similar functions. The code of ethics must include specific standards as are reasonably necessary to promote: Honest and ethical conduct, including the handling of conflicts of interest between professional and personal relationships. Full, fair, accurate, timely and understandable disclosure in the reports filed periodically by the company. Compliance with applicable laws and regulations. Any change in, or waiver to, the code of ethics adopted by a company must be disclosed promptly in a Form 8-K report. 19