The Securities and Exchange Commission recently published for comment a series of proposed rules that would implement several provisions of the Sarbanes-Oxley Act of 2002. The proposed rules would require disclosure regarding the identity of "financial experts" on a company's audit committee, management's assessment of internal financial controls and whether or not a company has a code of ethics for its CEO and senior financial management. (See SEC Release No. 33-8138, which you can access at http://www.sec.gov/rules/proposed/33-8138.htm.)

In a separate release, the SEC proposed new rules to prohibit officers and directors from taking action to improperly influence their company's auditors. (See SEC Release No. 34-4665, which you can access at http://www.sec.gov/rules/proposed/34-46685.htm.)

Identity of Financial Experts

The proposed rules would require SEC reporting companies (including foreign private issuers) to disclose in their annual reports the number and names of audit committee members determined by the board of directors to be "financial experts." Companies must also disclose whether or not the financial experts are independent, and if not, why not. If a company does not have any financial experts on its audit committee, it must explain this absence.

Narrow, Accounting-Oriented Definition of "Financial Expert"

As directed by Section 407 of the Sarbanes-Oxley Act, the proposed rules would define a "financial expert" as a person who has, through education and experience as a public accountant or auditor, or a principal financial officer, controller, or principal accounting officer of a reporting company, or "through similar positions," all of the following attributes:

  • An understanding of GAAP and financial statements,

  • Experience applying GAAP in connection with the accounting for estimates, accruals and reserves that are generally comparable to the estimates, accruals and reserves, if any, used in the company's financial statements,

  • Experience preparing or auditing financial statements that present accounting issues that are generally comparable to those raised by the company's financial statements,

  • Experience with internal controls and procedures for financial reporting, and

  • An understanding of audit committee functions.

The release sets forth a preliminary, nonexclusive list of ten factors that a board of directors might consider in making its determination. These factors include a person's level of financial or accounting education, status and duration of practice as a certified public accountant, positions and specific duties with SEC reporting companies, degree of familiarity with the preparation of periodic reports and audit committee experience. For foreign private issuers, the board of directors should also consider a person's experience with companies from the home jurisdiction, the company's use of GAAP and issues concerning reconciliation with U.S. GAAP.

Ultimately, the board of directors must independently evaluate each potential financial expert and determine whether he or she possesses all of the attributes required to satisfy the SEC definition as finally adopted. Despite the discretion given to boards, companies should take heed of the very high standard contemplated by the SEC's proposed definition. Many SEC reporting companies may find that none of their current audit committee members reasonably can be said to qualify as a financial expert. As the demand for directors who would qualify grows, it may become more difficult for a number of companies to attract a satisfactory financial expert to their audit committee. Growing liability concerns and forthcoming rules that would limit the number of audit committees on which a person can serve will only exacerbate the problem.

Disclosure Obligation Only

The proposed rules do not require that a financial expert be placed on each company's audit committee — the rules impose a disclosure obligation only. Until a company is able to identify a financial expert within the SEC's definition it may have no choice but to disclose the absence of a financial expert on its audit committee, the reasons for this absence and its plans, if any, for finding a director with such qualifications in the future.

Companies listed on Nasdaq, the NYSE or other securities exchanges must continue to comply with the applicable listing requirements concerning audit committees, such as the current Nasdaq and NYSE requirements that all committee members be financially literate and that at least one committee member be financially sophisticated. Recently proposed Nasdaq rules would also require each listed company to have at least one financial expert (as defined by SEC rules) on its audit committee. The NYSE has not yet proposed a similar rule.

Internal Control Reports

Implementing Section 404 of the Sarbanes-Oxley Act, the proposed rules would require SEC reporting companies (including foreign private issuers) to include an internal control report in each annual report filed with the SEC for fiscal years ending on or after September 15, 2003. This internal control report would be required to include:

  • A statement of management's responsibilities for establishing and maintaining adequate internal controls and procedures for financial reporting,

  • Management's conclusions regarding the effectiveness of the internal controls and procedures as of the end of the company's most recent fiscal year, and

  • A statement that the company's auditor has attested to and reported on management's evaluation of the internal controls and procedures.

The SEC is not proposing a specific form for the report. Instead, they expect management to tailor each internal control report to the company's specific circumstances.

Meaning of "Internal Controls and Procedures"

 Noting that the Sarbanes-Oxley Act and prior SEC releases generated much confusion about the term "internal controls and procedures," the SEC decided to rely on a well-recognized definition in the auditing world by referring to the term as used in the Codification of Statements on Auditing Standards § 319. The SEC believes that SAS § 319 advances the statute's primary objective with respect to internal controls and procedures, which is to provide reasonable assurance that a company's transactions are properly authorized, its assets are safeguarded against unauthorized or improper use and its transactions are properly recorded and reported, such that the company's financial statements are prepared in conformity with GAAP. The SEC anticipates that the recently established Public Company Accounting Oversight Board will consider and perhaps adopt a different definition of the phrase, in which case the PCAOB's definition will control.

The SEC contrasted this term with the definition of "disclosure controls and procedures" embodied in its final rules concerning CEO and CFO certifications mandated by Section 302 of the Sarbanes-Oxley Act. We addressed those rules in a prior client advice memorandum entitled "Sarbanes-Oxley Update: SEC Adopts Section 302 Certification Rules." 

It appears from the two definitions that the SEC views internal controls and procedures as primarily designed to ensure the integrity of financial reporting, and disclosure controls and procedures as primarily designed to ensure that information required to be disclosed is captured and reported on a timely basis. However, this distinction is not entirely clear from the release and may be the subject of further refinement by the SEC or the PCAOB.

Auditor Attestation

The proposed rules would amend Regulation S-X to require a company's external auditor to attest to and report separately on management's evaluation of the company's internal controls and procedures as set forth in the internal control report. The attestation would be included in the company's annual report and would be required to state the auditor's opinion as to whether management's evaluation is fairly stated in all material respects, or, if an opinion cannot be expressed, the reason why.

The SEC has suggested that the attestation requirement is likely to have a profound impact on auditing procedures, since it will require the auditors to have a detailed understanding of a company's internal controls and procedures. Because companies and their auditors will require time to develop processes and train personnel to perform the required analysis and backup, management should consult with their auditors soon to address the timing and scope of these services.

Related Amendments to Section 302 Certification and S-K Item 307 Disclosure

The SEC is also proposing conforming modifications to its recently adopted rules under Section 302 of the Sarbanes-Oxley Act. As modified, the rules would require the same quarterly evaluation of disclosure (as currently required) and internal (as proposed) controls and procedures to be made as of the last day of the period covered by the report (instead of any time during the 90-day period prior to filing). Conforming language modifications to the CEO and CFO certifications are also proposed.

Code of Ethics

Implementing Section 406 of the Sarbanes-Oxley Act, the proposed rules would require SEC reporting companies (including foreign private issuers) to disclose in their annual reports whether they have adopted a code of ethics for their CEO, CFO, principal accounting officer or controller, or persons performing similar functions. A copy of this code of ethics would be required to be filed as an exhibit to the annual report. If a company has not adopted a code of ethics, it would have to explain the reasons it has not done so.

Content Requirements

The code of ethics contemplated by the proposed rules is a codification of standards that is reasonably designed to deter wrongdoing and to promote:

  • Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships,

  • Avoidance of conflicts of interest, including disclosure to an appropriate person or persons identified in the code of any material transaction or relationship that reasonably could be expected to give rise to such a conflict,

  • Full, fair, accurate, timely, and understandable disclosure in reports and documents that a company files with, or submits to, the SEC and in other public communications made by the company,

  • Compliance with applicable governmental laws, rules and regulations,

  • The prompt internal reporting of code violations to an appropriate person or persons identified in the code, and

  • Accountability for adherence to the code.

Other than these general topics, the proposed rules do not address the content of a code of ethics. The SEC believes that the details, such as particular standards of conduct, compliance procedures and disciplinary measures, are best left to each company to determine.

Disclosure of Waivers on Form 8-K

The proposed rules would also require disclosure of any modification or waiver of a company's code of ethics on either a Form 8-K or on the company's website within two business days after the modification or waiver. Website disclosure would be permitted only if a company has disclosed in its most recent annual report that it intends to disclose such events on its website and provides the website address. A foreign private issuer would be required to disclose such events on an exhibit to its Form 20-F or 40-F, or could do so earlier on a Form 6-K or on its website. The SEC states in the release that it "plan[s] to strongly encourage foreign private issuers to make these disclosures promptly," but does not specify how it might do so.

Disclosure Obligation Only

As with the proposed financial expert rules, the proposed code of ethics rules are disclosure oriented only. They do not require an SEC reporting company to adopt a code of ethics. However, both Nasdaq and the NYSE have proposed rules that would require each listed company (other than foreign private issuers) to adopt a code of ethics and disclose any waivers of the code.

Prohibition Against Improper Influence of Auditors

Implementing Section 303(a) of the Sarbanes-Oxley Act, the SEC proposes to amend Rule 13b2-2 of the Securities Exchange Act of 1934. Under the proposed rule, it would be unlawful for any officer or director of an SEC reporting company (including foreign private issuers), or any other person acting under their direction, to take any action, directly or indirectly, to fraudulently influence, coerce, manipulate or mislead the company's auditors if the person knows, or is unreasonable in not knowing, that the action could render the company's financial statements materially misleading.

This prohibition would apply to a company's executive officers, such as the CEO and CFO, as well as to its secretary, treasurer, controller, vice presidents or other persons routinely performing these functions for the company, whether or not they are executive officers.

The prohibition would also extend to persons acting under the direction of an officer or director. The SEC has stated that this encompasses not only persons supervised by an officer or director, but also any person who might be in a position to interact with the auditors and engage in prohibited conduct at the behest of an officer or director. Examples cited in the release include customers, vendors, creditors, other partners or employees of the auditor, attorneys and securities professionals. In addition, the SEC does not view the term "direction" as requiring explicit instructions — lesser involvement, such as general guidance, may be sufficient.

Under the proposed rules, actions that could render a company's financial statements materially misleading include, without limitation, actions to improperly influence the company's auditor:

  • To issue a report on the financial statements that is not warranted,

  • Not to perform audit, review or other procedures required by generally accepted auditing standards,

  • Not to withdraw an issued report, or

  • Not to communicate matters to the audit committee.

With respect to prohibited conduct, the SEC states in the release that success is not required. In other words, the rules apply even if the conduct ultimately fails to affect the company's financial statements. Examples of prohibited conduct cited in the release include offering future employment or contracts for non-audit services, threatening to cancel or canceling existing non-audit or audit engagements if the auditor objects to the company's accounting or seeking to have a partner removed from the audit engagement because the partner objects to the company's accounting.

Request for Comments; Transition Rules

The SEC has invited comments on the proposed rules, which must be submitted within 30 days after they are published in the Federal Register. Under the Sarbanes-Oxley Act, the SEC must issue final rules concerning the financial expert and code of ethics disclosures no later than January 26, 2003, and final rules concerning the improper influence of auditors no later than April 26, 2003. There is no statutory deadline for the final rules concerning internal controls and procedures, but it seems likely that the SEC will act within a similar time frame.

The only rules for which the SEC is proposing an explicit phase-in period are those concerning internal control reports. Internal control reports would be required to be included in a company's annual reports starting with its first fiscal year ending on or after September 15, 2003.

Please contact the Dorsey & Whitney attorney with whom you work if you have any questions regarding the proposed rules or if you require any assistance preparing comments for submission to the SEC.

November 5, 2002