Davis Wright Tremaine LLP

Advisory Bulletin

Financial and Disclosure Controls and Reporting Under Sections 302 and 404 of the Sarbanes-Oxley Act

By Marcus J. Williams and Shana Moran Kruse
[June 2003]

Section 404 of the Sarbanes-Oxley Act of 2002 requires that the Securities and Exchange Commission adopt disclosure requirements for a periodic "internal control report." The report must describe management's responsibility for establishing and maintaining a series of internal controls and must contain an assessment of those controls as of the end of the preceding fiscal year. The auditor's report for those financial statements must "attest to, and report on," management's assessment.

As directed, on June 5, 2003, the SEC issued final rules[1] requiring companies subject to the reporting requirements of the Securities Exchange Act, other than registered investment companies, to include in their annual reports, in addition to other reporting obligations, a management report on the company's internal controls over financial reporting.

The purpose of this advisory bulletin is to assist issuers in evaluating or redesigning their internal control systems and procedures to comply with the new Section 404 regulations. Issuers should also note that the requirements to evaluate, report and certify internal controls under Section 404 are in addition to the senior officer certification requirements for "disclosure controls and procedures" currently in effect under Section 302 of the Act[2]. As a result, this bulletin also discusses the certification requirement under Section 302[3] as it relates to Section 404 compliance and recommends a few practical guidelines for designing working controls and achieving reporting compliance.

SECTION 302: CEO AND CFO CERTIFICATIONS & DISCLOSURE CONTROLS AND PROCEDURES

CEO and CFO Certifications

As directed by Section 302 of the Act, the SEC adopted new Rules 13a-14 and 15d-14 under the Securities Exchange Act on September 9, 2002. These rules require each reporting company's principal executive officer and principal financial officer to certify in the company's quarterly and annual reports that to their knowledge, the financial statements present fairly the company's results of operations, financial condition and cash flows and the report does not contain a material misstatement or omission.

Certifying Disclosure Controls and Procedures. The Section 302 certification rules impose an explicit reporting obligation for disclosure controls and procedures, requiring CEOs and CFOs to certify in specified periodic reports that:

  • They are responsible for establishing and maintaining disclosure controls and procedures.

  • They have designed disclosure controls and procedures that ensure that material information about the company will be made known to them.

  • They have evaluated the effectiveness of those controls and procedures within 90 days prior to the filing date.

  • The report presents their conclusions about the effectiveness of those controls and procedures.

Rules and Regulations. The Section 302 certification refers both to disclosure controls and procedures and to internal control reports that must be included in the report being certified. These disclosure requirements appear in Item 307 of Regulation S-K, Item 307 of Regulation S-B, Item 15 of Form 20-F and General Instruction B(6) of Form 40-F, all promulgated in the Section 302 release.

Definition of Disclosure Controls and Procedures

Generally, disclosure controls and procedures are intended to make public companies implement a process to timely identify, assemble and present relevant information to management level decision-makers who can then determine whether information should be reported. The Section 302 rules define "disclosure controls and procedures" to mean:

"Controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports that it files or submits under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the commission's rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in the reports that it files or submits under the Exchange Act is accumulated and communicated to the issuer's management, including its principal executive officer or officers and principal financial officer or officers, or persons performing similar functions, as appropriate to allow timely decisions regarding timely disclosure."

"Disclosure Controls and Procedures" Distinguished from "Internal Controls." In adopting the Section 302 certification rules, the SEC emphasized that disclosure controls and procedures are broader than the pre-existing concept of internal controls, which relate to a company's financial reporting and control of its assets. In contrast to internal controls, the concept of disclosure controls and procedures under Section 302 relates to financial and non-financial information.

Disclosure Committee

The SEC has not prescribed any specific disclosure controls and procedures. Instead, the SEC expects "each issuer to develop a process that is consistent with its business and internal management and supervisory practices." The SEC does recommend that companies create a "disclosure committee" with responsibility for addressing materiality questions and for timely determining required disclosures. Unlike the issuer's audit committee, a disclosure committee should include officers and others directly involved in the disclosure process, including the principal accounting officer or controller, the general counsel and/or other senior in-house lawyer responsible for SEC disclosure matters, the risk management officer, and an investor relations officer.

Fair Presentation

According to the SEC, evaluating disclosure controls goes beyond assessing whether the financial statements and accompanying footnotes have been presented in accordance with GAAP. Rather, a company also must assess whether the financial information contained in a report fairly presents in all material respects the issuer's financial condition, results of operations and cash flows. In the SEC's view, a "fair presentation" encompasses:

  • Selection and proper application of appropriate accounting policies.

  • Disclosure of financial information that is informative and reasonably reflects the underlying transactions and events.

  • Inclusion of any additional disclosure necessary to provide investors with a materially accurate and complete picture of the company's financial condition, results of operations and cash flows, potentially including non-financial information that has or is likely to have an effect on financial matters.

SECTION 404: RULES RELATING TO INTERNAL CONTROL REPORTING

Going beyond the original mandate of Section 404 of the Act,[4] the SEC has issued final rules that will require management to include in annual reports management's report on internal controls over financial reporting, with the auditors' attestation, and in quarterly reports regular evaluations of these controls, updated disclosures and certifications.

Compliance Dates

A company must begin to comply with the new rules by the following dates:

  • Accelerated Filers - June 15, 2004. A company that is an "accelerated filer," as defined in Exchange Act Rule 12b-2[5], as of the end of its first fiscal year ending on or after June 15, 2004 must begin to provide management's internal control reports in its annual report for that fiscal year.

  • Non-Accelerated Filers - April 15, 2005. A company that is not an accelerated filer as of the end of its first fiscal year ending on or after June 15, 2004, including a foreign private issuer, must begin to provide annual internal control reports in its first fiscal year ending on or after April 15, 2005.

Definition and Purpose

The SEC has defined the term "internal control over financial reporting" as:

"A process [designed and effected by management, officers, and personnel] to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;

(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and

(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements."

Annual Internal Control Report and Auditor Attestation

Under the final rules, each annual report issued by a public company, other than a registered investment company, must contain an internal control report describing:

  • Management's responsibility for establishing and maintaining adequate internal controls and procedures for financial reporting.

  • Management's conclusions about the effectiveness of internal controls and procedures for financial reporting as of year-end, based on management's evaluation. The assessment must disclose any "material weaknesses" in the company's internal controls. Management may not conclude that the company's internal controls are effective if there are one or more material weaknesses in the company's internal controls over financial reporting.

  • The framework used by management to evaluate the effectiveness of the company's internal control over financial reporting.

  • That the external auditor has attested to, and reported on, management's evaluation.[6]

    Evaluation Framework. Under the final rules, the SEC requires management to base its evaluation of internal controls on a "suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment." However, the final rules do not mandate use of a particular framework, recognizing that several evaluation standards exist inside and outside the United States.[7]

    Method of Evaluating. The SEC believes that the methods of evaluating internal controls will, and should, vary from company to company. As such, the final rules do not specify the method or procedures to be performed in an evaluation. However, in the release, the SEC does insist that the assessment must be based on "procedures sufficient both to evaluate [the] design and to test [the] operating effectiveness" of the process. According to the SEC, the assessment should include, but not be limited to:

    • Controls over initiating, recording, processing and reconciling account balances, classes of transactions and disclosure and related assertions included in the financial statements.

    • Controls related to the selection and application of appropriate accounting policies.

    • Controls related to the prevention, identification, and detection of fraud.

Inquiry alone generally is not an adequate basis for management's assessment. At the very least, the company must maintain sufficient documentation to provide reasonable support for management's assessment.

Quarterly Evaluations and Disclosure of Material Changes to Internal Controls

The final rules also require that management evaluate and disclose any change in the company's internal controls which occurred during a fiscal quarter that has materially affected, or is reasonably likely to affect materially, the company's internal controls over financial reporting. This is a less expansive requirement than the Section 302 regulations, which require more in-depth quarterly evaluations on the effectiveness of a company's disclosure controls and procedures.

CEO and CFO Certifications

Under the Section 302 rules, principal executive and financial officers must certify disclosure controls in periodic reports, identifying significant deficiencies or material weaknesses, occurrences of fraud, and significant changes to disclosure controls since the previous evaluation. The new Section 404 rules contain similar reporting requirements for quarterly and annual reports.

Summary of Requirements

The following table presents the new evaluation, reporting and certification requirements.

Requirement                                                   Quarterly   Annual
Management's internal control report                                      X
Auditor's attestation to management's report                              X
Updated disclosures regarding internal controls               X[8]        X
Evaluation of internal controls and report of evaluation      X[9]        X
Management certification of adequacy of internal controls     X           X

ESTABLISHING A CONTROL FRAMEWORK FOR COMPLIANCE WITH SECTIONS 302 AND 404

The SEC acknowledges that there is no "one-size-fits-all" approach to effective controls. However, the SEC referenced basic principles of internal controls, which were adopted by the AICPA's Auditing Standards Board. The AICPA defines internal control as a process designed by an entity's board of directors, management and other personnel to provide reasonable assurance regarding: (1) effectiveness and efficiency of operations; (2) reliability of financial reporting; and (3) compliance with applicable laws and regulations.

Recommended Guidelines

As previously mentioned, the SEC expects each company to develop a process that is based on a suitable and recognized framework and is consistent with the company's business and internal management and supervisory practices. To assist your company in developing that process, we offer the following guidelines:

  • Corporate Culture. Establish and promote a corporate culture that emphasizes quality and timely disclosure, an effective disclosure process and compliance with the company's code of ethics. This essential component is extremely difficult to describe and measure. However, key ingredients include:

    • Hiring, Training and Promotion. Corporate integrity begins with personal integrity. Companies that place a value on corporate integrity will screen personnel at all levels for traits that display competence, honesty and forthrightness, and they will evaluate on the basis of these traits when considering retention and promotion.

    • Leadership by Example. Executives who adopt and consistently display their values, whether positive or negative, set the tone for their subordinates. Where those values are honesty, fairness and openness, this tone will percolate through the organization.

    • Internal Communications. Maintaining open, frank communications with and among employees and making it easy - and not career-threatening - for employees at all levels to raise their questions and concerns. The rules for handling employee complaints about audit-related issues recently promulgated under Section 10A(m)(4) of the Exchange Act[10] are intended to provide for confidential lines of communications between employees and audit committee members. Moreover, Section 806(a) of the Act, known as the "whistleblower rule," makes it unlawful to fire or otherwise retaliate against an employee for raising a good faith concern about financial reporting. However, these requirements do not reach the real core of the "corporate culture" issue. The right culture does not arise under the statutes; it arises because the issuer places a value on corporate and financial integrity.

  • Educate Key Personnel. Financial management and audit committee members, at a minimum, should be educated on management's new disclosure and reporting responsibilities.

  • Reporting Objectives. Management should establish reporting objectives with clear responsibilities for each team member and should maintain a timely evaluation and reporting schedule.

  • Assign Roles. Establish a disclosure committee that implements and supervises the disclosure process and reports to senior management. Establish an internal control project team with defined roles and responsibilities that reports to the disclosure committee. The project team may include senior representatives from various departments including operations, finance and other operating units. Determine and identify the roles of outside auditor and outside counsel and use these professionals in the designated roles.

  • Assessment. Assess the effectiveness of existing controls by interviewing key members of the financial reporting team. Test whether existing controls are functioning. Perform remediation as needed. Document the assessment and any remediation.

  • Evaluation. Identify any material changes that have occurred since the last evaluation which could affect disclosure controls and procedures or internal controls such as installation of new information systems, material acquisitions or dispositions, changes in lines of business, geographic expansion, and changes in key personnel. Document the evaluation.

  • Drafting Disclosures. First, develop a timetable to identify deadlines for the preparation and review of the company's periodic reports and other disclosures. Next, assign drafting responsibilities to members of the disclosure committee or other appropriate personnel. The drafters should be familiar with the SEC's "plain English" requirements and should critically review past disclosures in addition to current disclosures. Drafting sessions also may be organized at different phases of the preparation to allow input from management and auditors in connection with more significant or complex filings.

  • Reviewing Disclosures. Review of the disclosures should have several layers, including internal review of draft, external review of draft (outside counsel and outside auditor), CEO and CFO review, and review (and, in appropriate cases, formal approval) by the audit committee.

We believe these basic principles may be helpful in developing an integrated framework for building effective internal controls and quality disclosure controls and procedures. Moreover, we believe most of these basic principles are followed - at least informally - by most companies. Nonetheless, we strongly encourage public companies to formalize these principles into regimented processes, which first and foremost begin with documentation. It is important to note that good internal controls and disclosure procedures are no longer just best practice; they are now essential components of corporate integrity and Securities Exchange Act compliance.


For Further Information, Please Contact:

Marcus J. Williams, Seattle, (206) 628-7710, marcuswilliams@dwt.com

This Corporate Finance News Brief is a publication of the Business Transactions/Corporate Finance Group of Davis Wright Tremaine LLP. Our purpose in publishing this News Brief is to inform our clients and friends of developments in business, corporate finance and securities laws. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.

Copyright © 2003, Davis Wright Tremaine LLP.

 

FOOTNOTES:

1 Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports (Release No. 33-8238, June 5, 2003). The text of the release is available at http://www.sec.gov/rules/final/33-8238.htm.

2 Final Rule: Certification of Disclosure in Companies' Quarterly and Annual Reports (Release No. 33-8124, September 9, 2002). The text of the release is available at http://www.sec.gov/rules/final/33-8124.htm.

3 The purpose of this bulletin is to provide guidance for issuers adopting or evaluating an internal control system; it is not an attempt to provide extensive information on Section 302 certifications. More detailed information about Section 302 certifications can be found in various Davis Wright Tremaine LLP client advisory bulletins, particularly including Corporate Oversight and Accounting Reform: "An Overview of the Sarbanes-Oxley Act of 2002," by Brent Eller and Susan Preston, located at http://www.dwt.com/practc/corp_fin/bulletins/12-02SarbOxImp.htm. Other bulletins are located at http://www.dwt.com/practc/corp_fin/bulletins.htm.

4 Section 404 of the Act required the SEC to adopt rules requiring a company's management to present an internal control report in the company's annual report containing: (1) a statement of the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; (2) an assessment at the end of the company's fiscal year of the effectiveness of the company's internal controls; and (3) the company's external auditor's attestation and report on management's assessment.

5 An "accelerated filer" is an issuer that has $75 million or more in common equity held by non-affiliates, has been a reporting company for at least twelve months, has filed at least one annual report, and is not eligible to use Forms 10-KSB and 10-QSB for its annual and quarterly reports.

6 The auditor's attestation would be issued in accordance with attestation standards to be adopted by the Public Company Accounting Oversight Board.

7 The SEC acknowledges several potentially suitable frameworks, including (1) the Internal Control - Integrated Framework published by the Committee of Sponsoring Organizations of the Treadway Commission; (2) the Guidance on Assessing Control published by the Canadian Institute of Chartered Accountants; and (3) the Turnbull Report published by the Institute of Chartered Accountants in England and Wales (available online at http://www.icaew.co.uk/viewer/index.cfm?AUB=TB2I_6342&tb5=1).

8 Disclose changes that materially affect internal controls.

9 Evaluate changes that materially affect internal controls.

10 Rel. No. 33-8220 (April 9, 2003); text available at http://www.sec.gov/rules/final/33-8220.htm. These rules became effective on April 25, 2003 and require self-regulatory organizations including the New York Stock Exchange and the Nasdaq Stock Market to adopt rules requiring listed companies to adopt and maintain such processes. Listed companies other than small business issuers and foreign private issuers must be in compliance no later than the first shareholder meeting held after January 15, 2004, and in any case no later than October 31, 2004. Small business issuers and foreign private issuers must be in compliance no later than July 31, 2005.

