
  • 2002 Latham & Watkins. All rights reserved.

    DISCLOSURE CONTROLS AND PROCEDURES

    John J. Huber Scott Herlihy

    Thomas J. Kim

    of

    Latham & Watkins

    October 7, 2002

  • I. INTRODUCTION1

    A. Among the items that the new officer certifications for periodic reports must cover is the CEO’s and CFO’s responsibility for establishing and maintaining “disclosure controls and procedures.” This is a new term, one which envisions a process in which all information responsive to financial and non-financial disclosure requirements is accumulated, tested for quality and communicated to management, including the CEO and CFO, which reviews the information before disclosing it in the periodic report filed in the required time period. The Commission defines the term as controls and other procedures “designed to ensure that information required to be disclosed by the issuer in the reports that it files or submits” under the Securities Exchange Act of 1934, as amended (the “Act”), is:

    1. “Recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms; and

    2. “Accumulated and communicated to the issuer’s management, including its principal executive officer or officers and principal financial officer or officers . . . as appropriate to allow timely decisions regarding required disclosure.”

    In addition to establishing and maintaining disclosure controls and procedures, the CEO and CFO must evaluate the effectiveness of the disclosure controls and procedures within 90 days prior to filing a periodic report and disclose in the report their conclusions about the effectiveness of those controls and procedures.

    B. Disclosure controls and procedures are actually implemented by two new rules under the Exchange Act. Rules 13a-15 and 15d-15 require each issuer to have disclosure controls and procedures and to have management evaluate them within 90 days prior to filing a periodic report. Building on these two rules, new Rules 13a-14 and 15d-14 under the Exchange Act specify the reports that must include the officer certifications on disclosure controls and procedures and the text of the certification. The outside auditor does not attest to these CEO and CFO certifications.

    C. With respect to internal controls,2 the new certification rules change the dynamic between management and the outside auditor by affirmatively requiring the CEO and CFO to disclose to the outside auditor and the audit committee all significant deficiencies and material weaknesses in internal controls and any fraud, whether or not material, involving management or other employees who have a significant role in internal controls. Significantly, the outside auditor, which is not relieved from its existing responsibilities under GAAS, will continue to “test” internal controls. Moreover, the CEO and CFO must disclose in the periodic report whether there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses. Thus, while the subject matter of the discussions between the CEO, CFO and the outside auditor is not required to be disclosed, the results of those discussions are disclosable if they result in significant changes or corrections.3

    1 This outline supplements the outline titled “The Response to Enron: The Sarbanes-Oxley Act of 2002 and Commission Rulemaking,” dated September 18, 2002, by John J. Huber and Thomas J. Kim (the “Post-Enron Outline”), which can be found on the website for Latham & Watkins at www.lw.com.

    2 There is an issue concerning the relationship between internal controls and disclosure controls and procedures. Some believe that internal controls are a subset of disclosure controls and procedures because financial and non-financial disclosures cannot be presented in periodic reports without effective internal controls. Others believe that internal controls serve different purposes. Under this view, internal controls may overlap with or intersect with disclosure controls and procedures with respect to financial reporting, but generally are not part of disclosure controls and procedures. Section 13(b)(2)(B) of the Exchange Act defines internal controls as pertaining to both financial reporting and control of assets. Clearly, the financial reporting prong of internal controls lies within disclosure controls and procedures. Thus, the question is whether the control or accountability of assets prong of internal controls is also within disclosure controls and procedures. The answer to this issue is important because it

    D. The new rules do not require issuers to adopt any particular procedure and specify only what the end result of these controls and procedures must be – the exact wording of the certification, which cannot be modified or moved.4 However, as the Commission plainly points out, a company that fails to maintain adequate procedures, review them and otherwise comply with the new rules could be subject to Commission enforcement action for violating Section 13(a) of the Exchange Act, even if the failure does not lead to flawed disclosure. In turn, any such failure could lead to liability in private litigation for the certifying officer as a primary violator of Section 10(b) and Rule 10b-5 under the Exchange Act,5 and liability for the issuer under Sections 11 and 12(a)(2) of the Securities Act of 1933, as amended (the “Securities Act”), where a quarterly or annual report is incorporated by reference into a registration statement on Form S-3.6

    (Footnote continued. . . ) affects the scope and content of the officer certifications (are they certifying that they are responsible for maintaining and establishing internal controls relating to the control or accountability of assets?) as well as the responsibilities of the disclosure committee (should the oversight of the disclosure committee include control or accountability of assets?).

    3 Because this is a new requirement, practice will need to develop a sufficient basis for management’s assessment of the effectiveness of internal controls as well as the disclosure in periodic reports of significant changes or corrections.

    4 Although the adopting release is firm on this point, we expect certain exceptions to be made. For example, certifications are required for any amendments to any periodic report. By necessity, the text of the certification provided in the form of the periodic report would need to be modified to reflect that the officer has reviewed the amendment to the periodic report, and not the periodic report itself.

    5 The Commission can bring an action against the CEO or CFO as a primary violator or for aiding and abetting a violation. The potential violations include: aiding and abetting a violation by the issuer of Sections 13(a) or 15(d) of the Exchange Act; and being a primary violator or aider and abettor under Section 10(b) and Rule 10b-5 under the Exchange Act. A corporate officer who signs a Commission filing containing representations can be deemed to “make” the statement in the filing and can be liable as a primary violator of Section 10(b) and Rule 10b-5 under the Exchange Act. See Howard v. Everex Systems, Inc., 228 F.3d 1057 (9th Cir. 2000). Of course, Rule 10b-5 requires scienter for a violation. The Commission can bring these actions in court or before an administrative law judge, and the remedies can include barring the CEO or CFO from serving as an officer or director of a public company.

    In addition to civil liability, the Commission may refer the matter to the Department of Justice. Intentional misstatements or omissions of fact constitute federal criminal violations under 18 U.S.C. § 1001. This is the same provision that caused the stir with respect to the certification provided by many public companies in August 2002 pursuant to the Section 21(a) order. See File No. 4-460: Order Requiring the Filing of Sworn Statements Pursuant to

    E. Before addressing what disclosure controls and procedures should look like, it is important to describe what they must be able to do. Essentially, they must be able to produce quality information that meets disclosure requirements in a timely fashion:

    1. Disclosure controls and procedures must capture the information potentially subject to disclosure pursuant to Regulation S-X, Regulation S-K and Rule 12b-20 under the Exchange Act;

    2. They must accumulate the information in a manner that is capable of being tested so that the information is reliable;

    3. They have to be responsive on a real-time basis to inquiries from the CEO and the CFO; and

    4. They should be scalable – capable of growing and evolving with the issuer’s business – and flexible enough to adapt to new disclosure requirements.

    F. The capability of the disclosure controls and procedures is particularly important for two reasons:

    1. First, although the CEO and CFO certifications are required only for Form 10-Ks and Form 10-Qs, the disclosure controls and procedures themselves apply to all information required to be disclosed by the issuer in the reports it files or submits under the Exchange Act.7 These reports include required current reports on Form 8-K for domestic issuers, reports on Form 6-K for foreign private issuers and definitive proxy and information statements, even though these filings do not require a certification.

    (Footnote continued. . . ) Section 21(a)(1) of the Securities Exchange Act of 1934 (June 27, 2002)(available at http://www.sec.gov/rules/other/4-460.htm).

    6 Because a false certification can also cause liability exposure to the issuer under Sections 11 and 12(a)(2) of the Securities Act where a certification is included in a Form 10-K or Form 10-Q that is incorporated by reference into a registration statement on Form S-3, incorporation by reference can change a Rule 10b-5 action against the CEO or CFO, in which scienter is required, into private litigation against the issuer where negligence is all that is required.

    7 The CEO and CFO certification of the annual report includes the information required by Part III of Form 10-K, even if the issuer incorporates the information by reference from the definitive proxy statement or definitive information statement, which it can do if such statement is filed no later than 120 days after the end of the fiscal year. If the proxy statement or information statement is filed after the Form 10-K, then this forward incorporation by reference means that the CEO and CFO will be certifying to disclosure that has not yet been made. Hence, a draft of the information that will be incorporated by reference should be presented to the CEO and CFO at the time of filing the Form 10-K in order to support their certification of the information.

    2. Second, although the term “disclosure controls and procedures” applies only to required reports under the Exchange Act, issuers should consider how to handle the overlap between the information disclosed in required reports under the Exchange Act and the information disclosed in other contexts, including non-Exchange Act filings with the Commission and informal communications, both oral and written. For example, annual and quarterly reports are incorporated by reference in a registration statement on Form S-3, and earnings press releases are often filed with the Commission on Item 5 or Item 9 of Form 8-K or not filed at all. It may be advantageous from a counseling point of view to include non-Exchange Act filings and informal communications within the responsibilities of the disclosure committee to help ensure accuracy and to avoid inconsistency. As a practical matter, the individuals who participate in the Exchange Act reporting process are also likely to participate in the disclosure of information outside of the Exchange Act, which underscores the redundancy of separate controls and procedures for Exchange Act reports and non-Exchange Act disclosures. While not required to do so, it may be beneficial for disclosure controls and procedures to accommodate other disclosures such as:

    a. Public offering prospectuses and private placement memoranda;

    b. Earnings press releases;

    c. Earnings guidance at analyst conferences and meetings with market professionals subject to Regulation FD; and

    d. Disclosures required by self regulatory organizations, such as the rules of the New York Stock Exchange and NASDAQ.

    G. The design and effectiveness of disclosure controls and procedures should be considered in the context of the other provisions of the Sarbanes-Oxley Act and the Commission’s rulemaking proposals intended to implement the Sarbanes-Oxley Act and real-time reporting, as well as the Commission’s own initiatives to improve disclosure. For example: the Commission recently adopted accelerated deadlines for filing periodic reports and is expected to adopt rules requiring more events to be reported on Form 8-K in a shorter time period. Section 409 of the Sarbanes-Oxley Act also requires the Commission to adopt rules to effect real-time issuer disclosures. Hence, disclosure controls and procedures must enable issuers to report more information, more quickly than before but with at least the same level of reliability, as well as adapt to the new current reporting requirements that may be adopted. Another example: Section 401 of the Sarbanes-Oxley Act requires the Commission to adopt rules requiring that each annual and quarterly financial report disclose all material off-balance sheet transactions that may have a material current or future effect on financial condition or results of operations as well as rules requiring the fair presentation of pro forma financial information. Separately, the Commission has proposed a significant revision of Item 303 of Regulation S-K, the Management’s Discussion and Analysis section in periodic reports, in its release on critical accounting estimates.8 Hence, if an issuer’s control policies and procedures did not account for these new types of information, upon effectiveness of the final rules, they will need to be revised so that this information is recorded, processed, summarized and reported for each Exchange Act report.

    H. Before adopting new procedures or creating new committees, each issuer should consider that complying with the new rules does not necessarily mean materially changing existing disclosure practices. Issuers should assess their existing capabilities and practices across a broad spectrum of formal and informal reporting within the issuer’s organization. This spectrum can range from, at one end, issuers that have the capability of evaluating the information about their business on an ongoing or dynamic basis. These issuers may have in place a business reporting process in which the CEO and other members of senior management are informed on a daily or weekly basis on how the business is doing, and this process may be coordinated with a press release review process and a Commission report review process, among others. Also, their internal controls may be capable of producing and evaluating different types of financial information at very frequent intervals. At the other end of the spectrum are issuers with a static capability of evaluating information, with information accumulated and evaluated less frequently at defined times during a quarter. Issuers at any point in this spectrum may recognize that formalizing practices that are currently performed on an informal basis, so that the information can be tested for reliability, or augmenting already formal processes, or supplementing existing reporting patterns or flows of information, or improving responsiveness in personnel to be able to disclose more information on a more timely basis, may go a long way in developing disclosure controls and procedures.

    I. Each issuer should also consider precedents from other areas that may prove useful in complying with the new rules. Rules 13a-14 and 15d-14 require the CEO and CFO to certify that they have reported significant deficiencies and material weaknesses in internal controls to the audit committee and the outside auditor. These are new responsibilities and duties for the management of most companies, except for the management of bank holding companies, which have been required, under the FDIC Improvement Act of 1991 (“FDICIA”), to evaluate and report on their internal controls since 1993.9 While not identical, both the rules under FDICIA and Rules 13a-14 and 15d-14 place affirmative duties upon management to evaluate the effectiveness of internal controls, to make representations to the outside auditor and to provide a public management report to shareholders. Thus, FDICIA offers a comparable framework from a different body of regulation. Under FDICIA:

    8 See Proposed Rule: Disclosure in Management’s Discussion and Analysis about the Application of Critical Accounting Policies, Release Nos. 33-8098, 34-45907, 67 Fed. Reg. 35,620 (May 20, 2002)(available at http://www.sec.gov/rules/proposed/33-8098.htm). The comment period expired on July 19, 2002, and the Commission has not yet acted on this proposed rule. For a discussion of this release, see the Post-Enron Outline at Section XII.

    9 See Annual Independent Audits and Reporting Requirements, 58 Fed. Reg. 31,332 (July 2, 1993)(codified at 12 C.F.R. pt. 363).

    1. Financial institution’s management must:

    a. Acknowledge responsibility for establishing and maintaining internal controls for financial reporting;

    b. Report on the effectiveness of those controls as of year-end; and

    c. Report on the validity and appropriateness of their representations to the outside auditor; and

    2. Outside auditor must attest to management’s report on the effectiveness of internal controls.

    J. In practice, the rules under FDICIA rely upon a widely recognized integrated framework for internal controls developed by the Committee on Sponsoring Organizations of the Treadway Commission (“COSO”).10 Both FDICIA and COSO can guide issuers and their CEOs and CFOs as they implement disclosure controls and procedures to comply with the certification rules on disclosing all significant deficiencies and material weaknesses in internal controls to the outside auditor and the audit committee.

    K. When adopted, the Commission’s new rules under Section 404 of the Sarbanes-Oxley Act will require each annual report to contain management’s assessment of the effectiveness of the internal control structure and the financial reporting procedures. These rules should provide guidance to CEOs and CFOs with respect to reporting significant deficiencies and material weaknesses in internal controls.

    L. The Sarbanes-Oxley Act has significantly changed the regulatory environment.11 Given the seismic changes to corporate reporting that will result from the Sarbanes-Oxley Act and the Commission’s rulemaking to implement the Sarbanes-Oxley Act over the next 12 months, the development of disclosure controls and procedures will be an iterative process.12 We believe that perfection is not required. A good-faith effort to develop and implement disclosure controls and procedures should be adequate.13

    10 The executive summary for the COSO framework can be found at http://www.coso.org/Publications/executive_summary_integrated_framework.htm. See AT 501, “Attestations on Internal Controls for Financial Reporting,” which permits an outside auditor to attest to a governmental standard that has been adopted after opportunity for public comment.

    11 Executives still differ as to whether certification and the other corporate governance initiatives are necessary or are a waste of time. The views of CEOs attending the Business Council meeting in White Sulphur Springs in West Virginia in early October ranged from one executive who believed, “There’s going to be a lot of sand kicked through the wheels of capitalism,” and who focused on the compliance costs (“My insurance doubling – that’s a cost to my shareholders. Signing documents saying that nothing’s changed – that’s a cost to my shareholders”), to others who expressed the position that even though they had been through “a lot of cycles … it’s never been this way before.” See Timely, or a Waste of Time?: Issue of Governance Gets Executives’ Attention, But Only Mixed Approval, at Annual Retreat, Wash. Post, Oct. 5, 2002, at E1.

    12 For example, Rule 12b-21 under the Exchange Act, which permits the omission of required information that is unknown and not reasonably available to the issuer because of unreasonable effort or expense, may be helpful in the

    II. FIRST STEPS

    A. Evaluate Current Systems and Procedures

    1. The Commission has not specified or mandated any particular set of disclosure controls and procedures. Indeed, there may be no definitive or “best practices” disclosure controls and procedures that all issuers should aim to adopt because, given issuer diversity, one size does not fit all and procedures will vary from issuer to issuer, depending on size, history, corporate culture, industry and geography. Since issuers already make efforts to ensure that their disclosure is accurate, we suggest issuers focus initially on how to augment or improve current disclosure practices, rather than start from scratch. The first step should be to evaluate their current disclosure practices and procedures for all required Exchange Act reports.

    2. The evaluation should focus on how information flows from a “top-down” as well as from a “bottom-up” perspective to determine what information is currently “recorded, processed, summarized and reported” and the reliability and timeliness of that information. From a top-down perspective, the analysis can focus on involving or enhancing the involvement of senior executives in the discussion of trends, strategies and risks to the business of the issuer and its industry, as well as their vision of where the issuer and the economy are headed. In addition, this analysis can focus on how senior executives’ views and the tone at the top are communicated to, and perceived by, the lower echelons of the organization and persons outside the issuer. From the bottom-up perspective, an issuer should ascertain what and when information is currently communicated to the CEO and CFO – an example would be segment information supplied to the Chief Operating Decision Maker (“CODM”), as required under SFAS 131, Disclosures about Segments of an Enterprise and Related Information, which has been in effect since 1997. This evaluation can form the foundation for the action items to meet the new requirements.

    B. Focus on Internal Controls

    1. Internal controls should be a primary focus for complying with the new rules for several reasons. First, the new certification rules require the CEO and CFO to evaluate internal controls every quarter and disclose to the outside auditor and the audit committee any significant deficiencies and material weaknesses and any fraud involving management or employees with a significant role in internal controls. This is a new responsibility for the management of most issuers, which cannot look to the outside auditor to report deficiencies in the “management’s letter” as it has in the past.

    (Footnote continued. . . ) short term with respect to new disclosure rules, but it is not a long-term solution. Moreover, the disclosure controls developed for the 2002 third quarter Form 10-Q should be refined for the 2002 annual report on Form 10-K.

    13 The definition of disclosure controls and procedures in Rules 13a-14 and 15d-14 refers to procedures “designed to ensure,” while the definition of internal controls set forth in AU Section 319 refers to a process designed to provide “reasonable assurance” regarding the achievement of objectives. Query whether the definition of disclosure controls and procedures means absolute assurance or reasonable assurance, and, if the former, whether issuers may undertake a cost/benefit analysis in designing their disclosure controls and procedures. We believe that the objective of disclosure controls and procedures is reasonable assurance, not absolute assurance.

    2. Second, as the Commission observed, disclosure controls and procedures – the procedures for gathering, analyzing and disclosing all information required to be disclosed in Exchange Act reports – are intended to be “commensurate” with internal controls. We understand “commensurate” to mean equal in measure or scope with internal controls. Therefore, internal controls, which have been required since the late 1970s, can and should provide guidance and serve as a model in conceptualizing and implementing disclosure controls and procedures. As a model, internal controls are particularly apt because the salient question is how to revise existing disclosure practices so that they provide reasonable assurance for non-financial information similar to the reasonable assurance which internal controls should already be providing for financial information. Finally, since disclosure controls and procedures can be viewed as an extension or broadening of internal controls to non-financial information – or financial reporting under internal controls as a subset of disclosure controls and procedures – their similarity is appropriate.

    3. Internal controls are a formal system of checks and balances, overseen by management and the board of directors and reviewed by the outside auditor. Because of the formality of their structure, internal controls are capable of being evaluated or tested for their reliability. As noted in the accounting literature, in particular, AU Section 319 and the COSO framework, this system of checks and balances is intended to provide reasonable assurance that the following objectives can be achieved:

    a. Reliability of financial reporting;

    b. Effectiveness and efficiency of operations; and

    c. Compliance with applicable laws and regulations.

    4. In accordance with AU Section 319 and the COSO framework, internal controls generally consist of five interrelated components:

    a. Control Environment: Establishes the foundation of the internal control system by providing fundamental discipline and structure, setting the tone of an organization and influencing the “control” consciousness of its people;

    b. Risk Assessment: Identifies and analyzes the risks to the corporation and forms a basis for determining how the risks should be managed;

    c. Control Activities: Comprise the policies, practices and procedures that help ensure that management objectives are achieved and risk mitigation strategies are carried out;

    d. Information and Communication Systems: Support the identification, capture and exchange of information in a form and timeframe that enable people to carry out their responsibilities; and

    e. Monitoring: Assesses the quality of internal controls by external oversight by management or third parties or by the application of independent methodologies within internal controls.

    5. These five internal control components work as a matrix. As such, they can be used to conceptualize and map out disclosure controls and procedures so that they can provide reasonable assurance as to the reliability of Exchange Act reporting and compliance with applicable laws and regulations. In evaluating disclosure controls and procedures, the CEO and CFO will consider both their design and their operation with respect to meeting these objectives. However the CEO and CFO choose to design the disclosure controls and procedures, there are some key attributes of internal controls that should apply to all systems of disclosure controls and procedures:

    a. Formality and Documentation:

    (1) Like internal controls, disclosure controls and procedures need to be documented and formalized so that they can be proven to exist and, once in existence, can be evaluated by the CEO and CFO. An informal or casual disclosure process, even if it results and has always resulted in accurate and timely Exchange Act filings, may not satisfy the new requirements because it cannot be effectively tested – i.e., subject to inquiry, inspection and observation – for reliability. Moreover, a formal process is likely to achieve greater efficiency and quality than an informal process.

    (2) Formality and documentation do not mean, however, that the specificity of detail that now accrues to the COSO framework for internal controls, which is spelled out in two volumes, is required for disclosure controls and procedures. Indeed, that level and specificity of detail may be unnecessary or even inappropriate for disclosure controls and procedures.

    b. Checks and Balances: To achieve reliability, disclosure controls and procedures must be designed to foster a system of checks and balances. Examples of checks and balances include coordinating with the outside auditor and the audit committee as well as allowing sufficient time for individuals to review and comment on each periodic report and to implement corrective measures if needed or investigate any disclosure issues as they may arise.

    III. POSSIBLE COMPONENTS OF DISCLOSURE CONTROLS AND PROCEDURES

    A. Control Environment: Establishes the foundation of the control system by providing fundamental discipline and structure, setting the tone of an organization and influencing the “control” consciousness of its people; includes the integrity, ethical values and competence of officers and employees, management’s philosophy and operating style, the manner in which management assigns authority and responsibility and organizes and develops employees, and the attention and direction provided by the audit committee and the board of directors

    1. Tone at the Top

    a. In its 1987 report on fraudulent financial reporting, the Treadway Commission focused on the most important factor to the integrity of the financial reporting process and in preventing fraudulent financial reporting: the tone set by top management that influences the corporate environment within which financial reporting occurs. While this is not a new concept, the tone at the top is an essential element of the control environment for disclosure controls and procedures14 and should emphasize the importance of full, accurate and timely disclosure to the issuer, with accumulation and communication as the means to achieve those objectives.15 The attitude and behavior of the top officers and directors establish the tone at the top; in particular, the CEO has a special role, as his or her attitude, behavior and expectations influence the actions of other members of senior management and set an example for all employees.16 If reliable Exchange Act reporting is a priority to the CEO, then it will be to others. A code of corporate conduct can help to communicate the tone at the top throughout the organization because it signals to all employees the standards for the company’s reporting process.

    14 Commissioner Glassman reinforced this point in a speech delivered to the American Society of Corporate Secretaries: “First and foremost, Sarbanes-Oxley makes clear that a company’s senior officers are responsible for the culture they create, and must be faithful to the same rules they set out for other employees.” Commissioner Cynthia A. Glassman, Sarbanes-Oxley and the Idea of “Good” Governance, Speech Before the American Society of Corporate Secretaries (Sept. 27, 2002)(available at http://www.sec.gov/news/speech/spch586.htm)(the “Glassman Speech”).

    15 Although one size does not fit all, this guidance can be illustrated by an example: A public company, Newco, is a retailer headquartered in Miami with three different business segments: large discount outlets, designer shoe boutiques and a chain of grocery stores. Newco’s CEO and CFO have posted to the internal website a statement of corporate principles about disclosure, emphasizing the importance of full, accurate and timely disclosure. Before being posted, this statement was drafted by Newco’s general counsel and outside counsel, reviewed with the audit committee and the outside auditors and approved by the entire board of directors.

    16 The “tone at the top” may be the most effective step for mid-level executives who “are products of the corporate environment in which they work.” Kurt Eichenwald, Even if Heads Roll, Mistrust Will Live On, N.Y. Times, Oct. 6, 2002, at Section 3, page 1.

    b. For the CEO and CFO, the tone at the top is particularly important. By virtue of their positions within the organization, their actions and attitudes establish the tone at the top. Because of the new certification requirements, they must, in turn, evaluate the effectiveness of their actions and attitudes with respect to setting the tone at the top and report their conclusions in the periodic report. Certification thus becomes self-criticism.

    2. Disclosure Policy

    a. An organization-wide, formal disclosure policy can provide the framework for disclosure controls and procedures.[17] This could be similar to the documentation of other corporate policies for such topics as insider trading, conflicts of interest and corporate governance, in both tone and scope. In addition, the policy could indicate that disclosure controls and procedures include the financial reporting aspect of internal controls and are intended to complement other compliance policies and procedures, such as Regulation FD.

    b. The disclosure policy could include a statement of purpose to the effect that all disclosures made by the issuer to its shareholders and to the investment community should fairly present the issuer’s financial condition and results of operations in all material respects, and should be made on a timely basis as required by applicable laws and stock exchange requirements. The policy could also address, among other things, the corporation’s values or principles in preparing disclosure; the new disclosure controls and procedures and the reasons for them; the responsibilities of the disclosure committee, if any; the officers responsible for different sections of the issuer’s reports; and summaries of applicable laws. Implementing the policy could be the primary responsibility of the disclosure committee, with review by outside counsel and oversight by the audit committee. Like other corporate policies, the disclosure policy would be widely distributed throughout the company and discussed in internal employee training programs.

    c. The disclosure policy should be drafted as a policy of standards or principles, and not rules. Disclosure controls and procedures are new, and the expectations of what they should look like or how they should perform may change as the Commission implements the Sarbanes-Oxley Act and adopts other changes to the disclosure system. Principles can provide issuers with greater flexibility to adjust to changing circumstances and expectations, and are also more difficult to evade than rules, which can be both over- and under-inclusive. Hence, unlike the two volumes that implement the COSO standards, the disclosure policy should be specific enough to be capable of evaluation, but not constitute a “tic and tie” sheet.

    17 Newco has also adopted a corporate policy on disclosure, which provides more details and procedures about the disclosure process and what and who it entails. This policy will be reviewed in the annual employee training sessions. Like the statement of corporate principles, this policy was drafted by the general counsel and outside counsel, reviewed with the audit committee and the outside auditors and approved by the entire board of directors.

    d. Here are some rules-of-the-road to consider in formalizing a disclosure policy:

    (1) Fit the policy to the needs of the company;

    (2) Do not adopt a policy that will not be followed;

    (3) If practice differs from the written policy, amend the policy (or the practice) so that, or until, they are in agreement; and

    (4) Until the process of designing disclosure controls and procedures is finished, continually evaluate how it is working and adjust it to meet the changing circumstances, particularly the changing business environment and new Commission rules.

    3. Review and Approval

    a. Oversight of the disclosure controls and procedures by the board of directors and/or audit committee is part of the “control environment,” particularly as the Sarbanes-Oxley Act now requires the audit committee to be responsible for the auditing and financial reporting process. The oversight function should complement and support disclosure controls and procedures. In addition, disclosure controls and procedures should be developed and maintained in consultation with the internal auditor, outside auditor and outside counsel.

    B. Risk Assessment: Identifies and analyzes the risks to achieving accurate and timely disclosure, and forms a basis for determining how the risks should be managed

    1. In designing disclosure controls and procedures, each issuer needs to implement a process for identifying, analyzing and managing risks to meeting Exchange Act disclosure obligations on a timely basis and in so doing, should consider what the worst-case scenario would be.[18] Risks are those external and internal events and circumstances that may lie outside the scope of, or put stress on, various components of disclosure controls and procedures, thereby potentially harming the issuer’s ability to meet its disclosure objectives. Therefore, risk assessment is an ongoing process and will need to be conducted in a fluid and dynamic manner. Risks could include:

    a. Changes in operating environment, such as new business models or products or indigenous growth and acquisitions or entry into foreign markets;

    b. Staffing levels and turnover;

    c. Acquisitions or dispositions or other corporate restructurings;

    d. New legal and accounting requirements; and

    e. Human error in decision-making.

    18 Before the new rules, Newco relied on a small group, consisting of the general counsel, the CFO, the CEO, internal audit and investor relations, to address any potential disclosure risks, such as investor conferences or integrating the IT systems of new acquisitions. This is also the same team that handles Regulation FD issues. To formalize a risk management process, Newco intends for now to rely upon the same people but to increase staffing in internal controls, which should help in improving the overall control environment.

    2. Senior management should consider a three-step framework for assessing an issuer’s risk of satisfying its disclosure objectives:

    a. Identify and understand the risks that can lead to failure to fulfill the issuer’s objective of disclosing reliable information on a timely basis – for example, entry into foreign markets in which the issuer lacks appropriate staffing or infrastructure, or the development of a new product which entails a new manufacturing or inventory process;

    b. Assess the factors that these risks create within the company – for example, the lack of qualified personnel in the foreign markets to accumulate or evaluate information or the need for auditing procedures for the new product; and

    c. Design and implement controls and procedures that will provide reasonable assurance that the issuer’s disclosure objectives will be met – for example, hiring and training bilingual staff in the foreign markets to communicate more effectively with headquarters or consulting with outside experts to adopt auditing standards that comply with GAAS for the new product.

    C. Control Activities: Comprise the policies, practices and procedures that help ensure that management objectives are achieved and risk mitigation strategies are carried out

    1. Disclosure Committee

    a. Purpose

    (1) While not specifying particular disclosure controls and procedures, the Commission is recommending that issuers have disclosure committees. Given the scope of disclosure controls and procedures, the need for producing quality information on a timely basis, and the adverse consequences to the certifying individuals and the issuer for faulty certifications or inadequate disclosure controls and procedures, we also recommend the adoption of disclosure committees. The disclosure committee would receive information that is accumulated, assign responsibility for first drafts of reports or sections thereof, revise the drafts and make inquiries when it believes appropriate to assure itself of its completeness and reliability, and make determinations concerning materiality and required disclosure obligations on a timely basis, all in tandem with the CEO and CFO.

    (2) Creating a disclosure committee with the responsibility for establishing and supervising the issuer’s financial and non-financial disclosure process has the advantage of enhancing efficiency in producing timely information. The committee can also serve as the main vehicle through which the CEO and CFO are able:

    (a) To evaluate disclosure controls and procedures;

    (b) To ensure that the disclosure controls and procedures are designed to ensure that material information is communicated to them;

    (c) To make decisions about what information to disclose; and

    (d) To conduct the investigation necessary to be able to support their certification that the periodic report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made not misleading.

    b. Staffing

    (1) While the specific composition of the disclosure committee will vary from issuer to issuer, the members should have the skills, experience and position to exercise judgment as to materiality and disclosure and to monitor the disclosure process. The Commission has recommended that the committee include, among others: the principal accounting officer, the controller, the general counsel or other senior legal official, the principal risk management officer, the chief investor relations officer and business unit heads. We would recommend that the internal auditor also be a member of the committee.[19] If the disclosure committee is going to have responsibility for preparing initial drafts of Exchange Act reports rather than reviewing drafts prepared by junior personnel, it may be advantageous to designate draftspeople and change their other duties so that they have adequate time to fulfill their new duties. In addition, because immediate action may be required for some filings, or market-sensitive information may be at issue, a subgroup of the disclosure committee could be designated to act in lieu of the full disclosure committee under these circumstances.

    (2) Each issuer should consider designating a “disclosure coordinator,” who would serve the function of a traffic cop.[20] The disclosure coordinator would be responsible for coordinating the activities of the disclosure committee, working with the various business units or departments within the corporation from which information is gathered and interfacing with the audit committee and the board of directors. To maximize effectiveness, the disclosure coordinator could be an executive-level individual charged with responsibility over all aspects of corporate disclosure, including ensuring that procedures are properly documented, communicated, implemented and enforced. The coordinator would also be responsible for preparing and implementing a time and responsibilities schedule and documenting compliance with disclosure policies. While the circumstances among issuers may vary, the disclosure coordinator could be the general counsel or a senior member of the finance department, such as the chief accounting officer.

    19 Newco’s disclosure committee consists of the general counsel, the associate general counsel, the head of investor relations, the heads of the three business segments, the chief operating officer, the head of internal controls and the head of accounting. The general counsel also serves as the disclosure coordinator, and the committee is supported by a staff of five employees, three of whom are from the legal department and two are from internal controls. The disclosure committee consults often with outside counsel and the outside auditors.

    20 Commissioner Glassman has proposed that each issuer have an officer with “ownership of corporate compliance and ethics issues,” who would be called the “corporate responsibility officer.” This officer would be responsible for all aspects of the disclosure process, including addressing worst-case scenarios, and would even have the ability to report directly to the board on matters of “significant import to the company or matters involving misconduct by senior management.” See Glassman Speech.

    c. Responsibilities

    (1) The disclosure committee’s responsibilities should be clear,[21] and the committee should meet regularly to carry out its responsibilities, which could include, among other things:

    (a) Assisting the CEO and CFO in establishing and maintaining disclosure controls and procedures and also, in consultation with the internal auditor, internal controls;

    (b) Assuring that information that is potentially required to be disclosed is accumulated and communicated to the disclosure committee;

    (c) Testing the accumulated information for reliability;

    (d) Monitoring the integrity and effectiveness of disclosure controls and procedures;

    (e) Evaluating the accumulated information and applying the disclosure requirements to it so that timely required reports can be made in compliance with the federal securities laws;

    (f) Overseeing the preparation of annual, quarterly and current reports and proxy statements, and presenting them for review to the CEO and CFO as well as the audit committee or its representative;

    (g) Overseeing the preparation of non-Exchange Act disclosures, such as registration statements, press releases, earnings guidance, presentations to analysts and the investment community, presentations to ratings agencies, and presenting them for review to the CEO and CFO as well as the audit committee or its representative;

    (h) Consulting with the CEO and CFO to assist them in complying with their certification obligations;

    (i) Interfacing with the audit committee and the board of directors;

    (j) Preparing and updating a detailed time and responsibilities schedule for each required Exchange Act report;

    (k) Providing a back-up certification to the CEO and CFO prior to the filing of each periodic report as to the committee’s compliance with its policies and procedures, the proper performance of its responsibilities, the accuracy and completeness of the information contained in the periodic report and the compliance of the periodic report with all legal requirements;

    (l) Evaluating, under the direction of the CEO and CFO, the company’s disclosure controls and procedures, including internal controls within 90 days prior to the filing of each Form 10-K and Form 10-Q; and

    (m) Being able to answer due diligence questions from underwriters or placement agents and their counsel in connection with public and private offerings.

    21 While these responsibilities can be embodied in a written charter, it may not be necessary; rather, it may be advisable to have only a clear understanding of what the disclosure committee should do. Creating specific duties raises the possibility that those duties will not be fulfilled. If a written charter is adopted, it should state principles, rather than specify all duties for which the disclosure committee is responsible, and it should be regularly reviewed and be capable of being amended to reflect changing circumstances and new rules.

    d. Interaction with Internal Controls

    (1) The disclosure committee should work closely with the finance department and the internal auditor so that both internal controls and disclosure controls and procedures are calibrated to result in consistent determinations of materiality and disclosure. Some areas of overlapping information between the two sets of control include:

    (a) Non-financial data used in deriving operational or production statistics;

    (b) Assessment of compliance with regulatory, contractual or legal requirements;

    (c) FASB No. 5 contingencies; and

    (d) Compliance with income tax laws and regulations.

    (2) In addition, the financial information disclosed in a periodic report, viewed in its entirety, must meet a standard of overall material accuracy and completeness that is broader than financial reporting requirements under GAAP. Thus compliance with GAAP and Regulation S-X or compliance with Regulation S-K may not be sufficient when additional statements are necessary to make the required statements that are made not misleading under Rule 12b-20 or Rule 10b-5 under the Exchange Act. Hence, the disclosure committee will need to interact with internal controls to determine whether additional disclosure is necessary to ensure that the financial statements, as well as the non-financial disclosure, meet the standard of overall material accuracy and completeness.[22]

    e. Reporting to the Audit Committee

    (1) Although not required, given the focus of the Sarbanes-Oxley Act on the audit committee’s responsibility for the auditing and financial reporting process and its oversight over internal controls, it seems logical for the disclosure committee to report to the audit committee in addition to reporting to the CEO and CFO.[23]

    2. Documentation

    a. The preparation and review of periodic reports should be documented to provide the factual basis for the effectiveness of the disclosure controls and procedures as well as to show compliance with corporate policy. Because the CEO and CFO will rely, in large part, on the work of others, documenting each step of the disclosure process will help ensure that their directives are carried out. Documentation will also facilitate the audit committee’s and board of directors’ oversight of the disclosure committee.

    b. In addition to a certification from the disclosure committee, issuers may also want to consider back-up, underlying or sub-certifications from heads of principal business units or other divisions with respect to factual matters within each individual’s area of knowledge as a component of the review process. Some have also advocated back-up certifications from the members of the disclosure committee. Although it is unclear how effective these back-up certifications will be as a basis for the CEO’s and CFO’s certifications and requiring them could cause a morale problem if used indiscriminately, they may be effective as part of or a supplement to a system of disclosure controls and procedures. If back-up certifications are required, they should be coordinated with the issuer’s code of conduct. Issuers should consult in-house and outside counsel with respect to documenting this process, particularly in light of litigation-related issues that could arise in the future.

    22 For a discussion on liability for material misstatements or omissions for false certifications, see footnote 5, supra.

    23 See Section 301 of the Sarbanes-Oxley Act; Post-Enron Outline at Section V.

    D. Information and Communications Systems: Support the identification, capture and exchange of information in a form and timeframe that enable people to carry out their responsibilities; ensure that information is delivered and communication provided down, across and up the organization

    1. The Flow of Information

    a. One definition of “disclosure controls and procedures” refers to information being “recorded, processed, summarized and reported.” The other definition of the term refers to information being “accumulated and communicated.” Under AU Section 319, information must be “identified, captured and exchanged.” These three descriptions are synonymous, and their similarity underlines the inter-relationship between internal controls and disclosure controls and procedures and the importance to both of developing procedures of gathering and processing information.

    b. Each issuer should consider the flow of information that it needs: where that information comes from; how it can be captured or accumulated; how that information should be processed or summarized or communicated; who should see that information; and the various other steps and processes leading, ultimately, to the decision of whether and how to disclose the information in a periodic report.[24] This apparently simple construct can be complex in application.[25]

    c. The flow of information from the top-down is as important as the flow of information from the bottom-up. Key decisions are made at the senior management and board level. Information about trends, strategy, competition and other material matters is oftentimes known only by senior management and the board. Although the disclosure committee reports to the CEO and CFO, the committee should also obtain information from the CEO and CFO and involve them in the disclosure process at an earlier stage than at the end, which has often been the case in the past.

    24 Like many companies, Newco has not reviewed its information-gathering process since its IPO three years ago, when the due diligence document request list and the drafting process required everyone in the organization to focus on where to get the information necessary to meet the demands and requirements of a public offering. Now with the new certification rules in effect, the general counsel is concerned about developing disclosure controls and procedures. Upon advice of counsel, as the first step, she will convene meetings with outside counsel, the outside auditor, the heads of each business unit, marketing, internal audit, accounting, finance, investor relations and the CEO and CFO. The agenda for these meetings is to address, for the first time since the IPO and the due diligence request list, what information is available, where to find it and whether it is reliable. To organize the discussion, the general counsel has in hand: the most recent periodic report; a comprehensive list of items required to be disclosed in an annual report; the due diligence request list from the IPO; and a detailed description of Newco’s information technology systems and the information that they are programmed to collect and analyze. At the conclusion of these meetings, the general counsel should have a good picture of how and where information currently flows throughout the organization, which could provide the information necessary to begin formalizing a structure of disclosure controls and procedures.

    25 For example, how does Newco determine a business trend for its chain of grocery stores in the Midwest? This could involve recording or accumulating or capturing information from all retail stores in the Midwest and summarizing the information in such a way as to form a basis for both quantitative and qualitative analysis, and exchanging or communicating that information with various other divisions within the organization, such as inventory, or contract management, or credit financing, in order to provide all of the data points necessary for management to determine that a business trend is occurring. Or, it could be accomplished by a customer survey already being conducted by telephone from New York. A business person may resolve this issue, and his or her input may be critical to the information-gathering process.

    d. In addition, each CEO and CFO should consider how far down the chain of responsibility to go in order to assure himself or herself of the completeness of the information-gathering process. One approach is to stop at the level of the heads of the principal business units and to require back-up certifications from each of these individuals as to the reliability of the information being reported from such principal business unit to the disclosure committee. However, input from business people who may not be members of the disclosure committee or who may not be the heads of a unit or division may be critical to the information-gathering process. This is ultimately a question for each CEO and CFO to decide, based on the issuer’s own facts and circumstances.

    e. Rather than develop new information flows, the issuer should first consider whether existing information flows are adequate or can be enhanced.

    (1) The segment information being provided to the CODM, who is typically the CEO, and which is typically already available to the CFO, can be augmented to provide additional data and be furnished to the disclosure committee without creating a new process.

    (2) The role of the internal auditor can be augmented by having the internal auditor test non-financial information as well as track or accumulate non-financial information for the disclosure committee.

    2. Time and Responsibilities Schedule

    a. To control and organize the flow of information and to coordinate that flow with the disclosure process, issuers should consider creating or augmenting an information and communications system such as a time and responsibilities schedule, which would identify the deadlines for preparing periodic reports and other disclosures as well as the division and delegation of responsibility for various aspects of the required disclosure. This schedule should be managed by the disclosure committee and, in fact, should be a primary focus of the work and activity of the disclosure committee.[26]

    26 Some of the steps that the general counsel of Newco will undertake to create a time and responsibilities schedule for updating the business description and the MD&A disclosure for the designer shoe boutique segment are: working with the head of this business segment and internal audit to review the process for gathering information and testing the reliability of that information; charging the head of that unit with the responsibility for presenting information for that segment to the disclosure committee and to the CEO and CFO as well as overseeing the description of the segment and the discussion and analysis of the financial results for the segment; underscoring that responsibility by requiring the head to execute a back-up certification on the information process and disclosure; delegating responsibility to test the reliability of that information to the internal audit team or its equivalent; and including the head of this business segment in the disclosure committee discussions about disclosure.

    b. The procedures for periodic reports and other disclosures may vary. For example, the timetable for a press release will differ from that for an annual report, and a formal time and responsibilities schedule may not be needed in every instance. Rather, an informal flow chart can serve to focus attention on the proper scope of actions for other communications, such as presentations to analysts or earnings guidance.[27]

    27 To date, Newco has relied on its Form S-1 registration statement as the template for all of its subsequent periodic reports. Because of the new certifications required of the CEO and CFO and new Commission requirements, the general counsel has decided that for the next periodic filing, the disclosure committee should take a fresh look at the disclosure and approach the periodic filing as it did the registration statement. She has scheduled several drafting sessions for the disclosure committee in order to improve the quality of the disclosure. The outside counsel and outside auditors will also participate in these drafting sessions. She does not think this would be necessary for every filing, however.

    c. The detailed time and responsibilities schedule would be a “bottom up” approach to the preparation of the reports. In this respect it would be similar to the internal control procedures conducted by the internal auditor. To assemble a time and responsibilities schedule, issuers will need to determine what information is required to be disclosed – such as, in the case of periodic reports, each applicable item of Regulations S-K and S-X as well as Rule 12b-20 and any new or recent developments or changes in the issuer’s disclosure obligations – to plan where and how to obtain the necessary information. Issuers should consider making individual officers or employees responsible for clearly defined tasks in the disclosure process under the supervision and direction of the disclosure coordinator.

    d. The time and responsibilities schedule can specify timing for:

    (1) Preparing and commenting on periodic reports, including:

    (a) Accumulation of data;

    (b) Testing and review of data;

    (c) Review of specific sections of filings by individuals whose areas of expertise coincide with such sections;

    (d) Review and updating of “risk factor” language in light of the company’s changing operations;

    (e) Initial review by the disclosure committee including a “rules check” on each report so that it complies with Commission rules and regulations;

    (f) Review of competitors’ filings and industry analyst reports to determine any needed supplementation of the company’s filings;

    (g) Review by outside auditor and legal counsel;

    (h) Review by CEO and CFO and other senior management; and

    (i) Review by the audit committee/board of directors.

    (2) CEO and CFO meetings with internal and outside auditors and the company’s audit committee regarding internal controls;

    (3) CEO and CFO evaluation of disclosure controls and procedures within 90 days prior to the filing of the report;

    (4) CEO and CFO meetings with the disclosure committee to review periodic reports; and

    (5) Meetings with investor relations to coordinate and oversee earnings announcements.

    e. One size does not fit all. A time and responsibilities schedule should be customized to the facts and circumstances unique to an issuer. Several factors to consider in crafting the appropriate level of procedures and specific tasks in a time and responsibilities schedule include:

    (1) The benefit gained by a procedure or task should be compared against the cost to the company of such procedure or task;

    (2) Fewer detailed steps may require additional review steps and reliance on the judgments of senior management, which may be more difficult for the CEO and CFO to evaluate; and

    (3) Fewer detailed steps may be appropriate in light of other controls that an issuer may have in place. For example, staffing levels of participants in the disclosure process and their experience with public company disclosure can affect the level of detail necessary in describing the steps in a time and responsibilities schedule for a periodic report.


    3. Reporting Information to the CEO and CFO

    a. Disclosure controls and procedures should be designed to ensure that information is known or made available to the CEO and CFO. In addition to direct transmittal of information, such as segment information, the disclosure committee could report information directly to the CEO and CFO and provide them with complete access to the disclosure committee’s database (and to any back-up information relied upon or used by the committee) to support their review prior to executing a certification.

    E. Monitoring: Assesses the quality of the system over time through ongoing monitoring and separate evaluations, including through regular management supervision or third-party testing, with report of deficiencies upstream

    1. Disclosure controls and procedures should be monitored by the disclosure committee or the disclosure coordinator on a regular basis to assess their quality. This can be accomplished by ongoing monitoring activities or external evaluations or a combination of both. The basic types of tests available include inquiry, inspection, observation and flowcharts. For example, a time and responsibilities schedule for a periodic report can be monitored – e.g., by inquiry or observation – throughout the drafting process to help ensure that accurate and timely disclosure will be made and that the CEO and CFO will have sufficient time to review the disclosures to make the required certifications.

    2. Because disclosure controls and procedures are a new concept, companies should consult with their outside auditor and outside counsel in developing controls and procedures that can be tested. Moreover, issuers may wish to consider outsourcing the monitoring function similar to outsourcing that sometimes occurs with respect to the internal audit function. Indeed, application of an independent evaluation methodology by an outside person under the oversight of the disclosure committee can be helpful in developing and maintaining effective disclosure control.

    3. Questions to consider when monitoring disclosure controls and procedures include the following:

    a. Are the controls and procedures designed to satisfy the issuer’s disclosure objectives?

    b. Are the established controls and procedures being acted upon?

    c. Have any new factors been identified that create a significant risk that the issuer’s disclosure objectives will not be satisfied?

    d. Are disclosure controls and procedures being documented appropriately?

    IV. EVALUATING DISCLOSURE CONTROLS AND PROCEDURES AND INTERNAL CONTROLS

    A. Introduction

    1. Rules 13a-14 and 15d-14 under the Exchange Act require the CEO and CFO to certify that they have evaluated disclosure controls and procedures within 90 days prior to filing a periodic report. Correspondingly, Rules 13a-15 and 15d-15 under the Exchange Act require the issuer’s management, including the CEO and CFO, to supervise and participate in an evaluation of the effectiveness of the design and operations of the issuer’s disclosure controls and procedures. For practical purposes, these are one and the same evaluation. The purpose of the evaluation is to determine whether the disclosure controls and procedures are effective at providing reasonable assurance as to the reliability of Exchange Act reports.

    2. This evaluation can be viewed as an extension of the monitoring and risk assessment components of disclosure controls and procedures. Indeed, the purpose of monitoring is to assess the quality and effectiveness of disclosure controls and procedures, and risk assessment identifies and analyzes the risks to the corporation in achieving reliable Exchange Act reports. The difference, however, is that monitoring and risk assessment are parts of the system, whereas the evaluation must occur from a point of view outside of the system – i.e., by the CEO and CFO. Senior management should consider the role that external sources such as the issuer’s legal counsel and outside auditor can play in the process of evaluating the effectiveness of an issuer’s disclosure controls and procedures.

    B. Timing

    1. The new rules require management and the CEO and CFO to evaluate disclosure controls and procedures within 90 days of filing the report. There is a debate as to when disclosure controls and procedures should be evaluated since, for both quarterly and annual reports, the evaluation can occur even before the end of the period. A common answer is after the information is accumulated and a draft of the periodic report has been completed, which makes sense given that the purpose of the evaluation is to determine the effectiveness of the controls and procedures in providing reasonable assurance that the periodic report is reliable and timely. However, there may not be sufficient time at this point to perform the procedures necessary to conduct the evaluation – and there will be less time once the rules accelerating the deadlines for filing periodic reports take effect. Hence, evaluating disclosure controls and procedures may need to be conducted at the same time as, rather than after, preparing the periodic report. Moreover, in a dynamic reporting structure where business reports are furnished to the CEO on a daily or weekly basis, the evaluation process can be viewed as ongoing.

    2. With respect to internal controls, Item 307(b) of Regulation S-K requires the CEO and CFO to disclose in the periodic report any significant changes in internal controls and corrective actions with regard to significant deficiencies and material weaknesses since the date of evaluation. Because this disclosure obligation begins on the date of the evaluation and ends on the date of the filing of the report, issuers can change the starting date of their disclosure obligation by changing the date of the evaluation. This can lead to issuers trying to cure any deficiencies or weaknesses in the design or operation of their internal controls prior to the date of the evaluation in order to avoid disclosing any significant changes or corrections to such deficiencies or weaknesses subsequent to the evaluation date in the periodic report. Issuers may be able to use the flexibility in scheduling their evaluations to shape the content of their disclosure.

    C. Scope and Scale of Evaluations

    1. Disclosure Controls and Procedures

    a. Since the new certification rules do not specify the type of evaluation necessary for a Form 10-K or a Form 10-Q, there is an issue as to whether an evaluation for a quarterly report should be of the same scope and scale as that for an annual report. Because neither the rules nor the adopting release refers to different types of evaluations depending on the type of periodic report, it could be inferred that the evaluation should be the same for all periodic reports. We do not believe this should be the result.

    2. Internal Controls

    a. Although the CEO and CFO must report in each periodic report any significant changes to internal controls or any corrective actions to significant deficiencies or material weaknesses in internal controls since the date of evaluation, it is unclear to what extent internal controls need to be evaluated for every period.28 Section 404 of the Sarbanes-Oxley Act requires the annual report to contain an internal control report in which management evaluates the effectiveness of the internal control structure and financial reporting procedures.

    b. Internal controls can be very complex and extensive, involving information technology systems with hundreds of functions. A quarterly evaluation of all aspects of internal controls would be extremely burdensome and expensive. Given the different quantum of information required for quarterly reports as compared to annual reports, and the different time periods in which to prepare quarterly reports as compared to annual reports, the practical reality is that internal controls will not be evaluated to the same extent for a quarterly report as compared to an annual report.

    28 This is compounded by the confusion as to whether internal controls, or only the financial reporting portion of internal controls, is part of disclosure controls and procedures. For a discussion of this debate, see footnote 2, supra.

    c. This issue may not be resolved definitively until the Commission implements Section 404 of the Sarbanes-Oxley Act.

    d. The issues and questions raised in evaluating internal controls include:

    (1) Whether the financial reporting systems are adequate to produce consistently accurate results;

    (2) Whether adequate controls exist to reduce the risk of fraud;

    (3) Whether the company has systematically monitored and evaluated its internal controls during the reporting period;

    (4) Any irregularities that involve management or employees who play a significant role in the internal controls or could have an effect on the financial statements;

    (5) Whether any degradations in internal controls have been:

    (a) Identified through internal control reviews (questionnaires), internal audit reports and other means;

    (b) Corrected or are the subject of current remedial action;

    (c) The subject of an auditor’s management letter; or

    (d) Prevented the preparation of financial statements in accordance with GAAP;

    (6) What is being done to address any identified deficiencies;

    (7) Whether anything came to the attention of the personnel responsible for the preparation of financial reports which would indicate the possibility of significant undisclosed financial exposures or the need for a restatement of prior period financial statements;

    (8) Any whistle-blower activities from in-house personnel, particularly those related to the finance function or any disagreement or matter that has received “heated” discussion with the outside auditor;

    (9) Whether the reportable conditions set forth in the outside auditor’s letter have been corrected;

    (10) Any communications from customers, suppliers, regulatory agencies or lenders concerning noncompliance with laws or agreements; and

    (11) Any waivers or requests for waivers of the corporate ethics, insider trading and conduct rules for executive officers, directors and other key employees.

    D. Disclosure of Evaluation

    1. The end result of the evaluation of disclosure controls and procedures is to provide the procedural predicate to support the substantive provisions of the certification concerning the disclosure in the periodic report. Neither the rules nor the adopting release provide any guidance as to what the actual disclosure of this conclusion should entail. Based on recently filed quarterly reports, a sample of which is attached to this outline as Exhibit 1, it appears that issuers are disclosing only that the CEO and CFO evaluated the disclosure controls and procedures and concluded that they were “effective in timely alerting them to material information relating to the Company required to be disclosed in the Company’s periodic SEC filings.”29 There is no description of the procedures performed or tests applied or the measure or metric by which the CEO and CFO concluded that the disclosure controls and procedures were effective.

    V. CONCLUSION

    Certifications with respect to disclosure controls and procedures and internal controls are required for annual and quarterly reports covering periods ending on or after August 29, 2002. Given the changes that public companies must implement to comply with the Sarbanes-Oxley Act and the rules thereunder and the potential liability to the CEO, CFO and the issuer for non-compliance, one would have expected the new rules to provide a transition period before compliance is required. Unfortunately, there is no transition period. Practically speaking, however, we believe developing disclosure controls and procedures is an iterative process, where good faith efforts to comply should make a significant difference. The disclosure controls and procedures in place now to support Form 10-Qs for the third quarter of 2002 can be reviewed and enhanced so that refinements can be made in time for filing Form 10-Ks for 2002 due next year. Designing disclosure controls and procedures, road-testing them through dry-run exercises and applying them to the next periodic report may be a better approach than waiting for the Commission to flesh out the complete picture of the new regulatory environment. We recommend that issuers put top priority on implementing disclosure controls and procedures because the new system is already here.

    29 See Exhibit 1 to this supplement.