TRANSCRIPT
Recent Developments in Disclosure, Governance, Shareholder Activism and
Audit & Financial Reporting
Moderators:
Shawna Fullerton Anderson, Dorsey & Whitney LLP
Mark Scholtes, PricewaterhouseCoopers LLP
Panelists:
Alan Gilbert, Maslon Edelman Borman & Brand, LLP
Todd Hartman, Best Buy Enterprise Services, Inc.
Melissa Krasnow, Dorsey & Whitney LLP
Ron Schneider, RR Donnelley
Anna Weispfenning, PricewaterhouseCoopers LLP
This presentation was created by Dorsey & Whitney LLP, 50 South Sixth Street, Suite 1500, Minneapolis, MN 55402. This presentation is intended for general information purposes only and should not be construed as legal advice or legal opinions on any specific facts or circumstances. An attorney-client relationship is not created or continued by sending and/or receiving this presentation. Members of Dorsey & Whitney will be pleased to provide further information regarding the matters discussed in this presentation.
Topics
• Cybersecurity
• Audit Matters
  • Evaluation of internal control over financial reporting under the updated COSO Framework
  • Recent trends in audit committee reports
  • EU audit reforms
  • SEC administrative actions against Big 4 firms in China
• ISS Governance QuickScore 2.0
• SEC Focus and Rulemaking
  • Regulation S-K study
  • CEO pay ratio proposal
  • Comment letter trends
• RR Donnelley Survey: Proxy Statements – What Really Matters to Investors
• Shareholder Activism
  • Trends in shareholder proposals
  • Use of courts to address exclusion

Cybersecurity
Cybersecurity considerations:
• state breach notification laws
• HIPAA/HITECH Act
• foreign breach notification laws
• state, federal and foreign security procedures laws and enforcement
• Federal and state guidance
• SEC disclosure guidance
• Litigation
• cyber liability insurance
• company policies and procedures
• company contracts

Cybersecurity
Breach notification laws:
• 47 states, when Kentucky’s law becomes effective July 14, 2014, plus District of Columbia, Guam, Puerto Rico and Virgin Islands have laws
• No Alabama, New Mexico and South Dakota laws yet
• Trend of state laws being amended, including for state attorney general notification
• HIPAA / HITECH Act breach notification provisions for covered entities and business associates regarding protected health information at the federal level

Cybersecurity
Cybersecurity laws and guidance:
• State security procedures laws: MA, CA, TX and certain other states
• Issued in February 2014:
  • Federal: National Institute of Standards and Technology critical infrastructure cybersecurity framework
  • CA cybersecurity guidance

Cybersecurity
Enforcement and other consequences:
• Federal Trade Commission
• Department of Health and Human Services
• State attorneys general (e.g., California)
• Other regulators, including other countries
• Litigation
• Other consequences

Cybersecurity
SEC Guidance
Division of Corporation Finance (Oct 2011):
• Federal securities laws are designed to elicit disclosure of “timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.”
• Disclosure may be appropriate even though no existing disclosure requirement expressly refers to cybersecurity risk and cyber incidents:
  • Guidance provides an overview of specific disclosure obligations that may require discussion of cybersecurity risks and cyber incidents
  • Risk Factors: if cyber incidents are among the most significant factors that make an investment in the company risky

Cybersecurity
• MD&A: if costs or other consequences associated with one or more known incidents or the risk of potential incidents “represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity or financial condition or would cause reported financial information not to be necessarily indicative of future results or financial condition”
• Description of Business: if cyber incidents materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions
• Legal Proceedings: if a registrant or any subsidiary is party to a material pending legal proceeding that involves a cyber incident
• Financial Statements: could be broadly affected, depending on the cyber risk or cyber incident (due to costs before, during and after an incident)

Cybersecurity
• Disclosure Controls and Procedures: if a cyber incident poses a risk to the registrant’s ability to record, process, summarize, and report information that is required to be disclosed in SEC filings, management should consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective

Cybersecurity
• SEC roundtable (March 26): examined state of public company disclosure – is additional guidance needed? Should there be new requirements?
• Stay tuned for developments as the SEC continues to focus on cybersecurity
• SEC’s Shelley Parratt presentation (May 1): without providing a road map of the company's vulnerabilities, companies must consider in their disclosure:
  • how information would be updated as threats evolve and risks change
  • how company would respond in the event of a material breach
  • do aspects of company's operations give rise to material cybersecurity risks
  • potential consequences and costs associated with cyber incidents
  • has company outsourced functions that expose it to cybersecurity risks
  • has company experienced a material cybersecurity incident and if yes, is its disclosure current regarding the incident

Cybersecurity
Public company disclosure implications:
• Failure to disclose cybersecurity incidents/breaches, if material, could result in:
  • Shareholder class action litigation
  • SEC comments
  • SEC enforcement proceedings
• Extensive disclosure may encourage lawsuits
• Public relations/media considerations

Cybersecurity
Steps Public Companies Can Take
• Consider cybersecurity and cyber incidents as part of overall risk framework
• Communicate and collaborate with the people responsible for disclosure
• Conduct a risk assessment
• Review applicable company policies and agreements, procedures and practices
• Review insurance coverage relating to cybersecurity and cyber incidents, if any; other mechanisms
• Assess whether SEC filing disclosure about cybersecurity risks and cyber incidents is adequate now and on an ongoing basis (e.g., actual or possible incident / breach)
• Coordinate different areas that are involved, including legal, accounting, privacy, information technology, risk management/insurance and corporate communications

Cybersecurity
Steps Public Companies Can Take
• Informing the board of directors and management
• Functions of board of directors and management
• Coordination of internal functions:
  • person in charge of handling an incident/breach needs to be connected to:
    • the person drafting risk factors
    • the person managing disclosure to make sure that the incident/breach notifications conform, both in timing and content, with the disclosure obligations under the U.S. federal securities laws
  • person in charge of internal controls and procedures needs to coordinate with IT to make sure that those two functions work together
  • person in charge of risk management needs to be coordinated with the IT function

Why update 1992 Framework?
Changes in the business environment Changes inside the business
Lack of clarity
[Chart: ease of interpreting each component (Control Environment, Risk Assessment, Control Activities, Information &…, Monitoring), rated Difficult to interpret / Somewhat difficult to interpret / Moderately easy to interpret, on a 0% to 100% scale]
Do stakeholders understand requirements of effective internal control?
Source - COSO’s survey of users and stakeholders, worldwide – January to September 2011
Only 50% thought it was generally easy to interpret
Lack of understanding
2013 Framework preserves core strengths embedded in 1992 Framework
What is NOT fundamentally changing...
• Core definition of internal control
• Three categories of objectives and five components of internal control
• Each of the five components of internal control is required for effective internal control
• Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness
[Figure: Updated COSO Cube, with labels Entity Structure and Components]
2013 Framework increases ease of use
COSO’s Internal Control–Integrated Framework (1992 Edition)
Consider changes in business & operating environments
Articulate principles to facilitate effective internal control
Expand operations and reporting objectives
Update Context Clarify Requirements Broaden Application
COSO’s Internal Control–Integrated Framework (2013 Edition)
Refresh Objectives
Updates
2013 Framework articulates principles and points of focus
17 Principles
Points of focus
Controls
5 Components
Points of focus describe important characteristics of principles
Principles articulate fundamental concepts of components
Components and Principles are requirements for an effective system of internal control
Points of Focus and Controls are subject to management judgment
Legend
2013 COSO Cube
2013 Framework articulates seventeen principles for effective internal control
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Transitioning ICFR to 2013 Framework – A 404 transition timeline
• Phase 1: Educate and Communicate
• Phase 2: Conduct Preliminary Assessment
• Phase 3: Complete Assessment & Develop Action Plan
• Phase 4: Execute Action Plan
[Timeline graphic: May ’13 through 12/31/14, by quarter across 2013 and 2014]

EU Audit Reform - Key Developments
• EU member states voted unanimously in favor of the package of audit reforms in December 2013, and European Parliament approved them in April 2014.
• Key changes include:
  • Mandated rotation of statutory auditors and audit firms of Public Interest Entities (PIEs) after a ten year period
  • Further restrictions on the provision of non-audit services to audit clients
  • An annual cap on non-audit services of 70% of the average of the fees paid in the last three consecutive financial years for the statutory audit(s) of the audited entity and, where applicable, of its parent undertaking, its controlled undertakings and of the consolidated financial statements of that group of undertakings

EU Audit Reform - Impacts
• The regulation applies to all PIEs which includes:
  • All EU companies with listed securities
  • All banks and all insurers (including EU branches) whether listed or not
• The rotation requirement will not affect dual-listed companies.
• The legislation is expected to be signed into law later in 2014 and in effect by 2016.

SEC/China Administrative Action – Key Developments
• July 2013 – trial for SEC Administrative Action against the PwC China audit firm as well as the other Big 4 firms in China and the former BDO firm.
• January 2014 – Administrative Law Judge (the “ALJ”) issued initial decision
  • ALJ concluded each of the Big Four firms in China violated SEC’s Rules of Practice by failing to produce audit work papers directly to the SEC
  • ALJ determined all of the Big Four firms should be censured and barred from practicing before the SEC for six months
• Initial decision is part of potentially very long process — too early to predict what outcome might be.
• Decision by the ALJ is subject to appeal both to the full Commission as well as to US federal courts.

SEC/China Administrative Action – Impacts
• The six-month practice bar, if it becomes effective, would impact audit and perhaps other engagements for U.S. issuers.
• Profession-wide issue and does not relate to the quality of the audit firms’ work.
• Proceedings have placed Chinese audit firms in an untenable situation in which compliance with the demands of the SEC staff would require them to violate the laws of their home country.

ISS Governance QuickScore 2.0
In January, ISS revised its corporate governance ratings service, now known as “QuickScore 2.0”
Of note:
• New ratings were released in February and scores were included in proxy reports issued to ISS clients
• ISS will now update ratings on an ongoing basis based on companies’ public disclosures throughout the year
• There are still four pillars: board, audit, shareholder rights and compensation, with scoring still from 1 (best) to 10 (worst), but it is not clear how ISS weighs each factor it considers

ISS Governance QuickScore 2.0
New factors affecting score:
• “Excessive” director tenure (over 9 years)
• Director approval rates: percentage of directors who received less than average shareholder support (based on industry index)
• Compensation of outside directors as compared to median levels of the ISS-determined peer group
• Alignment between pay and TSR based on a single, annualized relative degree of alignment (RDA) measure for a 3-year period (previously, QuickScore used a 40/60 weighted average of 1- and 3-year RDA)
• Say on Pay support
• Ongoing updates based on publicly available information
  • E.g., 8-K filings will be monitored and governance changes will be reflected in an updated QuickScore
  • BUT: 8-K does not require disclosure of the information ISS has stated it will consider for the director independence classification
  • Will companies start to file more robust 8-Ks?

ISS Governance QuickScore 2.0
How important is QuickScore?
• Scoring system is determined by ISS; weight attached to each factor is not clear (companies cannot calculate QuickScore on their own)
• System applied on a “one-size-fits-all” basis
• Tool for institutional shareholders – consider shareholder base

SEC Focus and Rulemaking – Regulation S-K Study
• Regulation S-K study released in December 2013 (required under JOBS Act)
• SEC Chair Mary Jo White has instructed DCF Staff to provide recommendations for disclosure reform
• Keith Higgins remarks (April 11, 2014):
  • Staff to review S-K and S-X for ways to streamline disclosure requirements and eliminate duplicative disclosures, but still provide material information
  • Staff will also consider new disclosures if appropriate (some investors want more info, not less)
  • Will look at how and when information is disclosed, including in light of current technology – can disclosure be more efficient?
• SEC seeking input from companies, investors and others: http://www.sec.gov/spotlight/disclosure-effectiveness.shtml

SEC Focus and Rulemaking – Regulation S-K Study
Keith Higgins remarks (cont’d):
• Regulation S-K: review to focus initially on business and financial information in periodic and current reports, Industry Guides, potential scaling of requirements for certain categories of issuers, and then on ways to update and modernize proxy disclosure requirements.
  • Identify potentially outdated disclosure requirements (e.g., ratio of earnings to fixed charges)
  • Identify information investors don’t find useful and companies wouldn’t otherwise calculate
  • Identify information investors typically find using other sources (e.g., historical stock prices)
  • Look to reduce burdens on companies where they can
  • Identify redundant or duplicative disclosures (e.g., requirements created to address voids in U.S. GAAP that are no longer necessary, such as certain off-balance sheet arrangements)
  • Identify where a broader principles-based approach is appropriate

SEC Focus and Rulemaking – Regulation S-K Study
Keith Higgins remarks (cont’d):
• Regulation S-X:
  • Separate financial statements for entities other than the registrant: look at how investors use this information and whether benefits justify the burden on registrants
  • Review differences in ’33 Act and ’34 Act disclosure requirements (e.g., Form S-3 requires recasted financials prior to effectiveness if an accounting principle has changed, whereas ’34 Act reports don’t)
  • Look at overlap between GAAP requirements in FS footnotes and what SEC rules require

SEC Focus and Rulemaking – Regulation S-K Study
Keith Higgins remarks (cont’d):
• Current Suggestions
  • Reduce repetition (e.g., use cross-references)
    • Example: Disclosure from significant accounting policies footnote repeated in MD&A discussions of critical accounting estimates
  • Focus disclosure
    • Example: improve and streamline risk factors
  • Eliminate outdated information (if not material and not required, take it out)

CEO Pay Ratio
• What: Dodd-Frank Act (2010) mandated that the SEC promulgate rules requiring U.S. public companies to disclose the ratio of: its CEO’s annual total compensation to the median of the annual total compensation of all other employees
• When:
  • SEC adopted proposed rules in September 2013
  • Final rules not yet adopted
  • If adopted in 2014, calendar year companies to provide disclosure in 2016
• Who: Apply to all registrants except smaller reporting companies, foreign private issuers, emerging growth companies, and IPOs (transition period) (approx. 4,000 companies subject to the rules)
• Where: Forms 10-K, proxy and information statements, and registration statements, to the same extent that Reg S-K Item 402 disclosure is required

CEO Pay Ratio
Calculation of Ratio:
• “All” employees required to be included in the calculation of median annual comp:
  • Full-time, part-time, seasonal or temporary worker
  • Non-U.S. employees
  • Employed as of the last day of the fiscal year
  • Independent contractors and leased employees employed by a third party are NOT included
• Calculation of total compensation: complicated
  • Annualize for permanent new hires who commenced employment mid-year
  • NO adjustments for part-time, temporary or seasonal workers and no cost of living adjustments for non-U.S. workers

CEO Pay Ratio
• Companies to calculate total compensation for a single “median employee”
• Proposed rules permit use of any consistently applied methodology for estimating annual compensation (e.g., statistical sampling)
  • As long as methodology is reasonable under the circumstances
  • Not required to determine “Summary Comp Table” compensation of every employee

CEO Pay Ratio
Proxy disclosure must include
• “brief overview” of the methodology used to identify the median employee
• Any material assumptions, adjustments or estimates used to identify the median employee or determine total compensation
It may also include supplemental disclosure for context

CEO Pay Ratio
Challenges:
• Information-gathering
• Identifying population of “employees”
• Calculation of “total compensation” for rank-and-file
• What is a “reasonable” sampling method?
• Pension benefits calculations
• Perquisites (but only if greater than $10K for median employee)
• Non-U.S. employee compensation arrangements
• Benefits; unintended consequences?

SEC Focus and Rulemaking – Comment Letter Trends
• Sarbanes-Oxley requires the SEC to review each reporting company at least once every three years
• General Trends: more audit-related than legal disclosure comments

Trends in Comments
Frequent areas of Staff comment include:
• MD&A, including liquidity and results of operations
• Impairments, including Goodwill and Long-lived assets
• Income taxes
• Pension and Other post-employment benefits (OPEB)
• Segment reporting
• Guarantor financial information

MD&A
• MD&A continues to be the most frequent area of SEC Staff comment.
• Enable investors to see the company through the eyes of management.
• Provide an executive overview
• Discuss trends which may have an impact on future operating results and liquidity
• Explain the “whys” and “implications”
• Discussion of critical accounting estimates should include changes in assumptions, judgments, estimates, and other variables that impact operating results

MD&A - Liquidity
• Address sources and uses of cash and uncertainty to satisfy future obligations.
• Discuss trends in cash flow, particularly when cash flow does not correlate to income from operations
• Expand discussion of the underlying reasons for the sources and changes in cash flows
• Disclose items that impact the availability of credit including reasonably likely future debt covenant violations, limitations to draw on existing lines of credit and other borrowing limitations

MD&A – Results of Operations
• Highlight and explain activities driving material changes period-over-period.
• Provide readers with an understanding of the significant components of revenues and expenses that in management’s judgment, facilitate an understanding of the results of operations
• Expand discussion of the impact of current economic conditions
• Describe other known trends or uncertainties that have had or may have a material impact on operations

Impairments
• Disclose methodology and key assumptions used to test for impairment, as well as the basis for selecting those key assumptions.
  • Include additional disclosure of rationale for Step 0 within the critical accounting estimates section in MD&A
• Disclose the specific facts and circumstances that gave rise to impairments.
• Expand disclosures for “at risk” assets or reporting units for which impairment charges are reasonably likely to occur in the next 12 to 24 months.

Income Taxes
• The Staff is focused on the liquidity implications of indefinite reinvestment assertions and valuation allowances.
• Reinvestment of foreign earnings
  • Disclose the amount of cash and investments held by foreign subsidiaries
  • Disclose the amount of undistributed foreign earnings and the corresponding tax impact on repatriation or a statement that it is impracticable to determine such amount
  • Disclose management’s current intention with regard to indefinite reinvestment

Income Taxes
Valuation allowances
• Avoid using boilerplate language when describing considerations for the need for valuation allowances; rather, discuss the material sources of uncertainty
• Use balanced disclosures including both positive evidence as well as negative evidence considered to reach the conclusions
• Projections used in assessing the realizability of deferred tax assets should be consistent with those used in the registrant's goodwill and long-lived asset impairment analysis
• Include foreshadowing when significant changes in the valuation allowance are anticipated

Pension and OPEB
• Disclose significant policies and estimates including how the discount rate was developed, how the expected rate of return was calculated, and the method for amortizing actuarial gains and losses.
• For non-GAAP measures that adjust for benefit related charges, disclose why the non-GAAP measures provide useful information to investors and include a reconciliation to the most comparable GAAP financial measure.
• Benefit obligations in excess of plan asset fair value is a liquidity “red flag.” Include disclosures that provide the reader additional insight into the entity’s liquidity and cash flows.

Segments
• The Staff continues to focus on the identification of operating segments and aggregation of operating segments into reportable segments.
• “Similar economic characteristics” is the gatekeeper for aggregation.
• Registrants should continually reassess segment conclusions, especially when economic characteristics may have changed.
• The Staff will often request a copy of the CODM package and compare to:
  • Disclosures on website and articles in outside publications
  • Press release and Form 10-K business disclosures
  • Statements made by the company during analyst calls

Guarantor Information
• Guarantee must be full and unconditional in order for the registrant to qualify for the reduced level of reporting under Regulation S-X Rule 3-10.
• Increased number of comments related to the form and content in the condensed consolidating financial information.
• Common errors include:
  • Presentation of negative assets or liabilities in the balance sheet
  • Cash flow statement classifications

Legal Comment Letter Trends
General
• Focus on general need for greater clarity
• Sources of Comments: MD&A remains the leading source; Other frequent sources include:
  • Risk Factors
  • Non-GAAP Financial Measures
  • Executive Comp and Other Proxy Statement Disclosures
  • Internal Control over Financial Reporting
  • Disclosure Controls & Procedures
  • State Sponsors of Terrorism
  • Emerging Growth Companies

Legal Comment Letter Trends
Risk Factors
• Removal of generic (“boilerplate”) risk factors
• Focus on risks that specifically affect the registrant and their potential impact on its business
• Avoid repetition and information overload (one discrete risk per factor)
• Removal of mitigating or offsetting language
• Tie-in to MD&A when risk may constitute a material uncertainty or trend
• Early-warning disclosures
• Cyber-security

Legal Comment Letter Trends
Non-GAAP Financial Measures
• E.g., EBITDA, Adjusted EBITDA, free cash flow, “core” earnings, etc.
• Undue Prominence of Non-GAAP Financial Measure
  • Requirement to present most directly comparable GAAP measure with “equal or greater prominence”
  • Order of presentation and degree of emphasis
• Disclose purpose for non-GAAP measure and usefulness to investors
• Consistency of communications with investors

Legal Comment Letter Trends
Proxy Statement Disclosures - Executive Compensation
• Determination/calculation of NEO compensation (including factors considered in determinations)
• Omission of performance targets (must satisfy CTR criteria but need not formally request permission to omit)
• Benchmarking
  • Disclose benchmark and compensation elements subject to it
  • Degree to which comp committee considers entities in benchmark group to be comparable

Legal Comment Letter Trends
Internal Control over Financial Reporting; Disclosure Controls & Procedures
• Internal Control over Financial Reporting:
  • Technical compliance
  • Disclosure of framework
  • Disclose significant changes related to remediation of material weakness, other identifiable events (e.g., mass layoffs)
• Disclosure Controls & Procedures:
  • State conclusion without qualifying or alternative language
  • Use of incomplete CDP definition
  • Reconsider “effective” conclusion if filing amended report
  • Overlap between Internal Control over Financial Reporting

Legal Comment Letter Trends
State Sponsors of Terrorism - Threat Reduction Disclosure
• Cuba, Iran, Sudan and Syria designated state sponsors of terrorism by U.S. Department of State
• Describe material operations in, and contacts with, state sponsors of terrorism, including products or services provided into those countries
• Discuss nature and extent of past, current and anticipated contacts

Legal Comment Letter Trends
Emerging Growth Companies
• Explain how registrant qualifies as an Emerging Growth Company
• Describe circumstances in which status as Emerging Growth Company will terminate (how and when)
• Max 5 years after IPO if:
  • Total gross revenues do not exceed $1 billion
  • Market capitalization does not exceed $700 million
  • Does not issue more than $1 billion in nonconvertible debt in 3-year period

Shareholder Activism – Trends in Shareholder Proposals
2013 – Most Common Proposals
• Board-related (separation of CEO/Chair roles, board declassification, majority voting)
• Executive compensation proposals (up 50% over 2012)
• Eliminate accelerated vesting in termination (change of control)
• Eliminate supermajority voting
• Stock ownership guidelines
• Board diversity - both total submitted proposals (44 vs. 13) and actual votes (24 vs. 8) tripled in 2013 from 2012
• Environmental and Social (E&S) proposals, dominated by political spending and lobbying disclosure proposals

Shareholder Activism – Trends in Shareholder Proposals
2014 – Most Common Proposals
Governance
• Board declassification
• Independent board chair
• Majority voting for directors
• Others: no supermajority voting; right to call special meeting; action by shareholder written consent; policy for vote tallies not to be made available to management or the board
Environmental
• Adopt/report on GHG emission reduction goals
• Sustainability reporting
Political
• Dominated by proposals regarding reporting of lobbying activity and political spending
Social
• board diversity
• human rights risk assessment report (see T-Mobile)
Executive Compensation
• require execs to retain a large % of shares acquired through equity pay programs until retirement
• no accelerated vesting under change of control
• limit NEO pay

Shareholder Activism – Use of Courts to Exclude Proposals
• Exclusion of proposals: historically through request for SEC no-action relief
• Recent trend: cases asking a court for permission to exclude proposals under 14a-8
• Decisions of note:
  • Express Scripts Holding Co. v. Chevedden: argued that the supporting statement included false and misleading statements
    • U.S. District Court for the Eastern District of Missouri held for Express Scripts due to the inaccuracies in the supporting statement
  • Waste Connections, Inc. v. Chevedden: U.S. Court of Appeals for the Fifth Circuit considered an appeal by Chevedden of a district court decision to allow Waste Connections to exclude a proposal. Chevedden had asked the district court to dismiss on the basis that the case was moot after he stipulated he wouldn’t sue if the company did not include the proposal; district court denied the motion to dismiss and granted the motion for a declaratory judgment that the company could exclude the proposal in reliance on Rule 14a-8
• Is this the wave of the future?
  • Cost of litigation
  • Lack of control over timing
  • Courts not as familiar with Rule 14a-8