ABA Section of Business Law
Volume 12, Number 5 - May/June 2003
The Bucks and the Books
Yes, we've all heard about Sarbanes-Oxley. But how do
the new rules work in practice? Read on.
Although "internal controls," as with any term of art, means different things to different people, the SEC limited its definition of the term "internal controls and procedures for financial reporting" to mean controls that pertain to the preparation of financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles as addressed by the Codification of Statements on Auditing Standards § 319 or any superseding definition or other literature that is issued or adopted by the Public Company Accounting Oversight Board.
In the accounting world, internal controls are usually referred to as a system of financial checks and balances designed to protect specific aspects of a business. A system of internal controls consists of measures used by a business to:
Typical examples include:
The Treadway Commission recommended that all public companies should be required by SEC rule to include in their annual reports to stockholders management reports signed by the chief executive officer and the chief accounting officer or the chief financial officer. The commission felt that the management report should acknowledge management's responsibilities for the financial statements and the internal controls, discuss how these responsibilities were fulfilled, and provide management's assessment of the effectiveness of the company's internal controls.
Had these recommendations been implemented, perhaps the abusive corporate practices evidenced by Enron, WorldCom and such other now famous companies could have been avoided.
Although an argument can be made that the term "internal control" touches all activities of an organization, auditors are primarily interested in (and primarily report on) internal controls of an accounting nature those controls that bear directly on the dependability of the accounting records and financial statements. Auditors may refer to those internal controls that have no bearing on the financial statements as administrative internal controls.
An example of an administrative internal control is a written directive to the personnel department establishing specific guidelines as to race, sex and ethnic background to be observed in the selection of new employees. Although this control is important to the successful operation of the company, it is not directly related to the dependability of the financial statements. Consequently, the independent auditors, whose objective is to express an opinion on the fairness of financial statements, would probably not concern themselves with whether the personnel department was actually following the stipulated criteria for the selection of new employees.
The SEC defined the term "disclosure control" to distinguish the types of activities that should be undertaken from this more limited concept of internal controls. In addition to encompassing all aspects of internal controls, the new disclosure controls and procedures must be designed, maintained and evaluated to ensure full and timely disclosure in current reports of all areas of operations of a business within the time periods specified in the SEC's rules and forms.
Under 17 C.F.R. §240.13a-14(c), disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in the reports that it files or submits under the Exchange Act is accumulated and communicated to the issuer's management, including its principal executive and financial officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure.
Disclosure control should not be viewed as one event, but a series of actions and activities that continue throughout an entity's operations. Disclosure control should be recognized as an integral part of each system that management uses to regulate and guide its operations, rather than as a separate system within the business. These controls extend beyond matters related directly to the accounting and financial functions, and should encompass all areas of operation. Disclosure controls should encompass internal controls and include programs that:
Section 302 of the Sarbanes-Oxley Act requires that the issuer's principal executive officer or officers and the principal financial officer or officers certify that they are responsible for establishing and maintaining disclosure controls and procedures to ensure that material information relating to the company is made known to them by others within the company.
The act also requires the principal executive officer or officers and the principal financial officer or officers to evaluate the effectiveness of the company's disclosure controls and procedures as of a date within 90 days of the filing of the report and to disclose any significant changes in the issuer's internal controls or in other factors that could significantly affect these controls after the date of the officers' evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses. By conducting periodic evaluations, disclosure controls and procedures should evolve with a company's business over time.
Because the SEC has not mandated or even identified any specific set of disclosure controls, companies are reviewing what they currently do and wondering what they should do next.
Below are some items that companies should consider in developing and reviewing their internal disclosure control procedures. This list is not exhaustive, nor will it necessarily be applicable to all businesses. Because this is a new area, the SEC may, over time, offer additional guidance and procedures. Companies should stay abreast of new developments in this area, as well as keep in mind the changing nature of their businesses and personnel, when they periodically review their disclosure control procedures.
Top management sets the tone. The environment set by management will control the effectiveness of the disclosure system. Management must raise awareness of the problems created by lack of controls as well as the potential for detection and punishment. Virtually all employees produce information that will be used in the disclosure control system or take other actions needed to effect control. Personnel should be properly trained and responsible for communicating problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions upward in the system or to an independent ethics personnel committee.
Review internal controls. Because financial statements, sexual harassment policies, employee manuals, insider trading policies and other such documents should already be subject to disclosure controls, the new rules are a timely reminder to companies that they should review their internal and administrative controls as part of their design and review of disclosure controls.
Establish a disclosure controls and procedures policy. The existing controls and procedures should be evaluated in light of the recent legislation, and revisions or additions to existing policies and procedures should be proposed. Legal counsel and independent accountants can help by reviewing specific areas of concern and proposing specific improvements. The policy can be documented into a flow chart or memorandum and should be followed (and documented) when preparing each disclosure report. All policies and procedures should be evaluated and the CEO and CFO should approve a written document containing the company's disclosure controls and procedures policies, which should then be distributed throughout the company so that each person knows what is expected of him or her.
Evaluate the controls. Disclosure controls and procedures need to be evaluated periodically. Certifying officers should fully understand and evaluate the company's procedures for gathering and reporting information and should determine whether any additional or revised procedures are necessary for the company to meet its reporting obligations or whether there are any deficiencies or weaknesses by investigating the quality and timeliness of the company's controls and reporting systems.
Review the company's organization plan. A well-designed organization plan that defines the roles and responsibilities of managers and departments should provide assurance to the company's officers that transactions are executed in conformity with company policies, enhance the efficiency of operations, safeguard assets and promote the reliability of data. Managers responsible for specific areas should prepare a disclosure document as issues arise in their areas.
Establish and maintain an internal audit function. The job of the internal auditors is to investigate the system of internal controls and determine whether the controls are operating effectively. Internal auditors will often evaluate controls, check compliance with policies and procedures and test reporting systems in nonfinancial areas of corporate operations. The internal auditors also should determine whether each department has a clear understanding of its assignment, whether it is adequately staffed, maintains good records, cooperates harmoniously with other departments, and in general carries out effectively the function provided for in the overall plan and organization of the business.
Since internal auditors are employees of the company they serve, they obviously cannot achieve the independent auditors' independence in fact and in appearance. However, internal auditors should report directly to the audit committee of the board of directors so that they may achieve a greater degree of freedom, independence and objectivity.
Establish a disclosure committee. In the adopting release, the SEC specifically recommends (but does not mandate) the formation of a disclosure committee responsible for considering the materiality of information and determining the corresponding disclosure obligations on a timely basis. The committee would likely consist of the company's controller or principal accounting officer, general counsel, risk manager and investor relations manager and such other officers or employees as the company deems appropriate, including those individuals associated with the company's business units or other key functions involved in the preparation of the company's reports. The disclosure committee should have a charter defining its responsibilities and should report to the company's senior management. The committee members will be the key personnel the certifying officers will want to talk to in the evaluation certification process.
Presentation to the certifying officers. The disclosure committee should present to the certifying officers a description of the existing disclosure controls and procedures, as well as the proposed changes to the disclosure controls and procedures that the disclosure committee deems are necessary to comply with current legislation.
Obtain certificates from managers. Request other company officers or managers to sign more limited certificates about their areas of expertise or knowledge. By requiring others in the organization to be responsible for the disclosure process, it will assist the company in the defense, if needed, that it used adequate disclosure controls and procedures.
Review each report. The certifying officers must be actively involved in the preparation, review and approval of the company's disclosure reports. Certifying officers need to review the entire report before signing the certifications. They must have enough time to question employees or agents of the business regarding disclosures in areas involving significant business developments, accounting principles and practices, related- party transactions, off-balance-sheet debt, revenue- recognition policies, adequacy and amounts of financial reserves, and any other factors that could affect the business.
Review with audit committee. The audit committee is responsible for overseeing the company's financial reporting process and should be informed regarding disclosure controls. Certifying officers should present their report to the audit committee (or its chair), including the process they followed, the conclusions of their evaluations, any matters that should be brought to the attention of the audit committee and their willingness to make the required certifications.
Document the procedures. A detailed record of the procedures followed with respect to the SEC filing should be made to establish that the company has followed its standard disclosure guidelines.
Remember that disclosure controls are not a panacea for all that could go wrong, but should be designed and implemented based on the related costs and benefits. A disclosure control system, no matter how well defined, designed and operated, can only provide reasonable assurance to management and others that an entity has achieved its stated objectives. Like all systems, disclosure controls may be affected by poor judgment in decision making, errors or mistakes or collusion to circumvent control.
As programs and operational processes change because of technological developments or changes in the business, as weaknesses are uncovered, and as we all become more familiar with "disclosure controls," management must continually assess and evaluate its controls to assure that the program it has in place is effective.
Fedash is vice president and risk management analyst at PFPC Worldwide Inc., in Wilmington, Del. She was previously an associate in the Philadelphia office of Pepper Hamilton LLP. Her e-mail is firstname.lastname@example.org.