American Bar Association

ABA Section of Business Law

Volume 12, Number 5 - May/June 2003

The Bucks and the Books
A look at the new world of ‘disclosure controls’
By Mary Fedash

Yes, we've all heard about Sarbanes-Oxley. But how do the new rules work in practice? Read on.

On Aug. 27, 2002, the Securities and Exchange Commission adopted rules under the Securities Exchange Act of 1934 that require an issuer's principal executive officer and principal financial officer to certify the accuracy of the issuer's quarterly and annual reports, the adequacy of the company's financial and nonfinancial reporting controls, and the disclosure of certain matters related to such controls. These rules obligate public companies to establish and maintain controls and procedures sufficient to meet financial and nonfinancial reporting obligations under the Exchange Act and to evaluate and report periodically on the effectiveness of these controls.

The rules implement Section 302 of the Sarbanes-Oxley Act of 2002, which was enacted into law on July 30, 2002. The rules are intended to complement the existing requirements for reporting companies to establish and maintain a system of internal controls with respect to their financial reporting obligations under Section 13(b)(2) of the Exchange Act and Rules 13b2-1 and 13b2-2. Certifications regarding disclosure controls apply to companies that file quarterly and annual reports with the SEC under either Section 13(a) or 15(d) of the Exchange Act for periods ending on or after Aug. 29, 2002.

While the concept of internal controls is a familiar one to auditors and company management, disclosure controls are broader than internal controls. Therefore, the SEC's requirement that the top officers of a company certify disclosure controls requires additional scrutiny by company officials of the company's current policies and procedures. The SEC specifically used the term "disclosure controls and procedures" to make it clear that these controls are not the same as "internal controls," which the SEC defined as pertaining to an issuer's financial reporting and control of assets.

Disclosure controls, according to the SEC, are controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports filed or submitted under the Exchange Act is recorded, processed, summarized and reported within the time periods specified in the SEC's rules and forms and includes material nonfinancial information as well as financial information.

However, as noted below, significant overlap is likely to occur between internal controls and the newly defined disclosure controls. The SEC has not issued rules that require any particular procedure for conducting the required review and evaluation, since it understands that each business will have different concerns that are significant to the business itself or to its industry in general. Therefore, each business should develop a process that is consistent with its own business, internal management and supervisory practices, and should take into account such things as a company's industry, size, systems, diversity and complexity of operations, culture and management philosophy.

Internal accounting controls were imposed on SEC-reporting issuers as substantive federal law by the passage of the Foreign Corrupt Practices Act in 1977. An issuer's controls and procedures for financial reporting purposes are required by Section 13(b) of the Exchange Act, which directs issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that:

  • transactions are executed in accordance with management's authorization
  • transactions are recorded that permit financial statements to be prepared in accordance with generally accepted accounting principles (GAAP) and that maintain accountability for assets
  • access to assets is limited to those with authorization
  • the books of the company are reconciled with a physical inventory of assets and differences are documented.

Although "internal controls," as with any term of art, means different things to different people, the SEC limited its definition of the term "internal controls and procedures for financial reporting" to mean controls that pertain to the preparation of financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles as addressed by the Codification of Statements on Auditing Standards § 319 or any superseding definition or other literature that is issued or adopted by the Public Company Accounting Oversight Board.

In the accounting world, internal controls are usually referred to as a system of financial checks and balances designed to protect specific aspects of a business. A system of internal controls consists of measures used by a business to:

  • safeguard its resources against waste, fraud and inefficiency;
  • promote accuracy and reliability in accounting and operating data;
  • encourage and measure compliance with company policies; and
  • judge the efficiency of operations in all divisions of the business.

Internal controls may address all areas of a business, but they are generally associated with providing accurate and reliable accounting data necessary for identifying and addressing the areas of greatest risk of fraud, waste, abuse and mismanagement.

Typical examples include:

  • Separation of duties. Duties are segregated among different people so that no one person has control over all aspects of any transaction.
  • Authorization and approval. Transactions are authorized by a person with delegated approval authority.
  • Review and reconciliation. Records are reviewed and reconciled by someone other than the person preparing the record.
  • Custodial and security arrangements. Assets are secured physically, counted periodically and compared with control records.
  • Analysis. A comparison is made of actual performance to planned or expected results, including an analysis of why the differences occurred.
  • Training and supervision. Employees are properly trained and provided with an appropriate level of direction and supervision.
  • Policies and procedures. Policies and procedures are formalized and communicated to employees.
  • Internal audit function. The company has a group of employees who monitor compliance with the internal control structure, assess its effectiveness, and report directly to the company's audit committee or an ethics officer.

As early as 1987, management certification of controls was discussed by an independent commission called the Committee of Sponsoring Organizations (COSO) of the National Commission of Fraudulent Financial Reporting (the Treadway Commission), which was sponsored and funded by the five major financial professional associations in the United States (the American Institute of Certified Public Accountants, the American Accounting Association, the Financial Executives Institute, the Institute of Internal Auditors and the National Association of Accountants) to study fraudulent financial reporting and develop recommendations to reduce its incidence.

The Treadway Commission recommended that all public companies should be required by SEC rule to include in their annual reports to stockholders management reports signed by the chief executive officer and the chief accounting officer or the chief financial officer. The commission felt that the management report should acknowledge management's responsibilities for the financial statements and the internal controls, discuss how these responsibilities were fulfilled, and provide management's assessment of the effectiveness of the company's internal controls.

Had these recommendations been implemented, perhaps the abusive corporate practices evidenced by Enron, WorldCom and such other now famous companies could have been avoided.

Although an argument can be made that the term "internal control" touches all activities of an organization, auditors are primarily interested in (and primarily report on) internal controls of an accounting nature — those controls that bear directly on the dependability of the accounting records and financial statements. Auditors may refer to those internal controls that have no bearing on the financial statements as administrative internal controls.

An example of an administrative internal control is a written directive to the personnel department establishing specific guidelines as to race, sex and ethnic background to be observed in the selection of new employees. Although this control is important to the successful operation of the company, it is not directly related to the dependability of the financial statements. Consequently, the independent auditors, whose objective is to express an opinion on the fairness of financial statements, would probably not concern themselves with whether the personnel department was actually following the stipulated criteria for the selection of new employees.

The SEC defined the term "disclosure control" to distinguish the types of activities that should be undertaken from this more limited concept of internal controls. In addition to encompassing all aspects of internal controls, the new disclosure controls and procedures must be designed, maintained and evaluated to ensure full and timely disclosure in current reports of all areas of operations of a business within the time periods specified in the SEC's rules and forms.

Under 17 C.F.R. §240.13a-14(c), disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in the reports that it files or submits under the Exchange Act is accumulated and communicated to the issuer's management, including its principal executive and financial officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure.

Disclosure control should not be viewed as one event, but as a series of actions and activities that continue throughout an entity's operations. Disclosure control should be recognized as an integral part of each system that management uses to regulate and guide its operations, rather than as a separate system within the business. These controls extend beyond matters related directly to the accounting and financial functions, and should encompass all areas of operation. Disclosure controls should encompass internal controls and include programs that:

  • ensure reliability and integrity of information
  • ensure compliance with policies, plans, procedures, laws and regulations
  • safeguard the company's assets
  • promote economical and efficient use of business resources
  • meet established objectives and goals for the operations of the business.

Many public companies already include a discussion of internal controls in their annual reports as a good corporate governance practice. The Sarbanes-Oxley Act now requires all public companies to devote time and attention to the broader requirements of disclosure controls.

Section 302 of the Sarbanes-Oxley Act requires that the issuer's principal executive officer or officers and the principal financial officer or officers certify that they are responsible for establishing and maintaining disclosure controls and procedures to ensure that material information relating to the company is made known to them by others within the company.

The act also requires the principal executive officer or officers and the principal financial officer or officers to evaluate the effectiveness of the company's disclosure controls and procedures as of a date within 90 days of the filing of the report and to disclose any significant changes in the issuer's internal controls or in other factors that could significantly affect these controls after the date of the officers' evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses. By conducting periodic evaluations, disclosure controls and procedures should evolve with a company's business over time.

Because the SEC has not mandated or even identified any specific set of disclosure controls, companies are reviewing what they currently do and wondering what they should do next.

Below are some items that companies should consider in developing and reviewing their internal disclosure control procedures. This list is not exhaustive, nor will it necessarily be applicable to all businesses. Because this is a new area, the SEC may, over time, offer additional guidance and procedures. Companies should stay abreast of new developments in this area, as well as keep in mind the changing nature of their businesses and personnel, when they periodically review their disclosure control procedures.

Top management sets the tone. The environment set by management will control the effectiveness of the disclosure system. Management must raise awareness of the problems created by lack of controls as well as the potential for detection and punishment. Virtually all employees produce information that will be used in the disclosure control system or take other actions needed to effect control. Personnel should be properly trained and responsible for communicating problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions upward in the system or to an independent ethics personnel committee.

Review internal controls. Because financial statements, sexual harassment policies, employee manuals, insider trading policies and other such documents should already be subject to disclosure controls, the new rules are a timely reminder to companies that they should review their internal and administrative controls as part of their design and review of disclosure controls.

Establish a disclosure controls and procedures policy. The existing controls and procedures should be evaluated in light of the recent legislation, and revisions or additions to existing policies and procedures should be proposed. Legal counsel and independent accountants can help by reviewing specific areas of concern and proposing specific improvements. The policy can be documented into a flow chart or memorandum and should be followed (and documented) when preparing each disclosure report. All policies and procedures should be evaluated and the CEO and CFO should approve a written document containing the company's disclosure controls and procedures policies, which should then be distributed throughout the company so that each person knows what is expected of him or her.

Evaluate the controls. Disclosure controls and procedures need to be evaluated periodically. Certifying officers should fully understand and evaluate the company's procedures for gathering and reporting information and should determine whether any additional or revised procedures are necessary for the company to meet its reporting obligations or whether there are any deficiencies or weaknesses by investigating the quality and timeliness of the company's controls and reporting systems.

Review the company's organization plan. A well-designed organization plan that defines the roles and responsibilities of managers and departments should provide assurance to the company's officers that transactions are executed in conformity with company policies, enhance the efficiency of operations, safeguard assets and promote the reliability of data. Managers responsible for specific areas should prepare a disclosure document as issues arise in their areas.

Establish and maintain an internal audit function. The job of the internal auditors is to investigate the system of internal controls and determine whether the controls are operating effectively. Internal auditors will often evaluate controls, check compliance with policies and procedures and test reporting systems in nonfinancial areas of corporate operations. The internal auditors also should determine whether each department has a clear understanding of its assignment, whether it is adequately staffed, maintains good records, cooperates harmoniously with other departments, and in general carries out effectively the function provided for in the overall plan and organization of the business.

Since internal auditors are employees of the company they serve, they obviously cannot achieve the independent auditors' independence in fact and in appearance. However, internal auditors should report directly to the audit committee of the board of directors so that they may achieve a greater degree of freedom, independence and objectivity.

Establish a disclosure committee. In the adopting release, the SEC specifically recommends (but does not mandate) the formation of a disclosure committee responsible for considering the materiality of information and determining the corresponding disclosure obligations on a timely basis. The committee would likely consist of the company's controller or principal accounting officer, general counsel, risk manager and investor relations manager and such other officers or employees as the company deems appropriate, including those individuals associated with the company's business units or other key functions involved in the preparation of the company's reports. The disclosure committee should have a charter defining its responsibilities and should report to the company's senior management. The committee members will be the key personnel the certifying officers will want to talk to in the evaluation certification process.

Presentation to the certifying officers. The disclosure committee should present to the certifying officers a description of the existing disclosure controls and procedures, as well as the proposed changes to the disclosure controls and procedures that the disclosure committee deems are necessary to comply with current legislation.

Obtain certificates from managers. Request other company officers or managers to sign more limited certificates about their areas of expertise or knowledge. Requiring others in the organization to be responsible for the disclosure process will assist the company in the defense, if needed, that it used adequate disclosure controls and procedures.

Review each report. The certifying officers must be actively involved in the preparation, review and approval of the company's disclosure reports. Certifying officers need to review the entire report before signing the certifications. They must have enough time to question employees or agents of the business regarding disclosures in areas involving significant business developments, accounting principles and practices, related-party transactions, off-balance-sheet debt, revenue-recognition policies, adequacy and amounts of financial reserves, and any other factors that could affect the business.

Review with audit committee. The audit committee is responsible for overseeing the company's financial reporting process and should be informed regarding disclosure controls. Certifying officers should present their report to the audit committee (or its chair), including the process they followed, the conclusions of their evaluations, any matters that should be brought to the attention of the audit committee and their willingness to make the required certifications.

Document the procedures. A detailed record of the procedures followed with respect to the SEC filing should be made to establish that the company has followed its standard disclosure guidelines.

Remember that disclosure controls are not a panacea for all that could go wrong, but should be designed and implemented based on the related costs and benefits. A disclosure control system, no matter how well defined, designed and operated, can only provide reasonable assurance to management and others that an entity has achieved its stated objectives. Like all systems, disclosure controls may be affected by poor judgment in decision making, errors or mistakes or collusion to circumvent control.

As programs and operational processes change because of technological developments or changes in the business, as weaknesses are uncovered, and as we all become more familiar with "disclosure controls," management must continually assess and evaluate its controls to assure that the program it has in place is effective.

Fedash is vice president and risk management analyst at PFPC Worldwide Inc., in Wilmington, Del. She was previously an associate in the Philadelphia office of Pepper Hamilton LLP. Her e-mail is mary.fedash@pfpc.com.
