Action Items Under Sarbanes-Oxley Act

August 2, 2002
15 minutes
David A. Fine
Christopher A. Klem

On July 30, 2002 the President signed into law the Sarbanes-Oxley Act of 2002. As we described in our Client Alert dated July 29, 2002, the Act imposes on public companies, their boards and management, new obligations regarding corporate reporting, governance and responsibility and creates a Public Company Accounting Oversight Board to oversee public accountants and the audit of public companies. Several provisions of the new law are immediately effective, while many others require rulemaking for their effectiveness or otherwise will be delayed in their effectiveness. The Act does, however, require most of its provisions to become effective in a relatively short timeframe. Below we identify certain key items for public companies to consider in the near term and over time as provisions of the Act become effective.

Immediate Considerations

CEO/CFO Certification Under Section 906

  • Section 906 of the Act requires that each periodic report containing financial statements of a company (e.g., Form 10‑K, Form 10‑Q and a Form 8‑K containing quarterly or annual financial statements) be accompanied by a written statement of the chief executive officer and chief financial officer certifying that (1) the report fully complies with the reporting requirements of the Securities Exchange Act of 1934, as amended, and (2) the information contained in the report fairly presents, in all material respects, the financial condition and results of operations of such company (the “906 Certificate”). Unless subsequently clarified, the 906 Certificate will be required in addition to the CEO/CFO certification described below pursuant to Section 302 of the Act (the “302 Certificate”) and the certification required of CEO’s and CFO’s of approximately 950 public companies by recent SEC order (the “SEC Order Certificate”).
    • For all companies: The SEC may provide guidance on the interplay among the various certificates and filing mechanics associated with them, so companies that have flexibility to delay filing their next periodic report, without failing to meet the applicable deadline, may wish to hold off to see whether the SEC acts in the near term. For most companies, the next quarterly report on Form 10‑Q will be due on August 14, 2002.
    • For companies already preparing a SEC Order Certificate: As of now, there are no prescribed answers for the relationship of the 906 Certificate and the SEC Order Certificate, the exact wording of the certification or the manner in which the certification is to “accompany” the subject report. Recommendations and alternatives as to these matters are as follows:
      • The 906 Certificate should be prepared as a separate document from the SEC Order Certificate. For now, we recommend against any attempt to merge the two forms, because, among other matters, the SEC website posting information as to the filing of the SEC Order Certificate includes a check-off box as to whether the wording conforms to the SEC-ordered wording. As to content of the 906 Certificate, we believe that a knowledge qualifier, although not expressly included by Section 906 of the Act, is appropriate given the language of the penalty provision of Section 906 of the Act. We believe that an appropriate way to have the 906 Certificate “accompany” Form 10‑Q is to file it as an Exhibit 99 to the form and reference its filing in the body of such Form 10‑Q. Other methods involve including the 906 Certificate in the body of the Form 10‑Q or sending it to the SEC as filed EDGAR correspondence to avoid “filed” status for Exchange Act liability purposes.
    • For companies not subject to the SEC order: These companies should review the considerations above. In addition they should immediately develop and start implementing procedures designed to ensure that their CEO’s and CFO’s can make the required certifications. While each company should develop a process that makes sense for its particular circumstances, the following is a process that we believe would be reasonable for many companies:
      • The CEO and the CFO would send a communication to others in the company who had a direct role in preparing the report, explaining the purpose of the certification. That communication would ask each of the recipients to review the covered report and the methods and procedures he or she employed to gather and verify the information for which they were responsible, and to be prepared to attend a meeting at which the contents would be reviewed.
      • The internal meeting would include the CEO and CFO, the principal accounting officer, and the general counsel or other legal official responsible for SEC reporting. Others attending the meeting might include, as appropriate, the internal auditor, the principal risk management officer, the chief investor relations officer, and other company officials and division heads. At the meeting, the participants would review the process followed in preparing the report, and the contents of the filing would be discussed, with particular emphasis on compliance with SEC reporting requirements and accounting policies and critical accounting estimates. Some of the items to be considered might include: off-balance sheet items, contingencies, reserves, revenue recognition, liquidity and capital resources, and material trends. There should be an adequate opportunity for discussion and questions.
      • The CEO, CFO, and other appropriate company officials should also meet with representatives of the independent accountants to discuss their audit and subsequent quarterly reviews.

        A record should be made of all of these proceedings to evidence the entire process.
  • Note that Section 906 prescribes serious penalties for improper Section 906 certificates. Chief executive officers and chief financial officers who knowingly or willfully certify false or non-compliant company periodic reports would face prison terms of up to 10 to 20 years and fines of up to $1 million to $5 million, respectively.

CEO/CFO Certification Under Section 302

  • Once the SEC has issued enacting rules (expected by the end of August), each public company’s principal executive officer and principal financial officer will be required to certify in each annual or quarterly report:
    • that he has reviewed the report;
    • that, based on his knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
    • that, based on his knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the company as of, and for, the periods presented in the report; and
    • as to certain matters about the company’s internal controls (including certification of responsibility for establishing and maintaining internal controls, disclosure to auditors and audit committee of significant deficiencies and material weaknesses in internal controls and any fraud involving management or employees with a significant role in the company’s internal controls, evaluation of effectiveness of internal controls and disclosure in the report of changes in internal controls).
      • This separate certification (the “302 Certificate”) will require SEC rulemaking before becoming effective, but companies should implement ongoing programs to ensure that their CEO’s and CFO’s can make the required certifications.

Beneficial Ownership Reporting

  • Effective 30 days after the enactment of the Act, the deadline for reporting of transactions in a public company’s equity securities by directors, officers and greater than 10% shareholders will be significantly accelerated. A change in ownership by any such person must be reported on Form 4 by the end of the second business day following the date of the transaction.
  • Within one year of the enactment of the Act, such reports must be filed electronically, and the SEC and the issuer of the security to which the report relates must post such report on their respective websites.
    • Companies should consider implementing procedures to ensure that they receive necessary information from directors and officers to assist them with such reporting.
    • Companies should consider systems adjustments to capture necessary data concerning such matters as officers’ changed allocations to the company stock account in a 401(k) plan.
    • The SEC has the authority to modify this requirement if they determine the two day period is not feasible; consequently the deadline for reporting may change.
    • What had been “voluntary” reporting on Form 4 appears to have become mandatory.

Prohibition on Personal Loans

  • Companies may no longer extend personal loans, directly or indirectly, to their executive officers and directors, subject to limited exceptions.
    • The prohibition likely extends to guarantees. Efforts by companies to “arrange” loans to executives are also banned.
    • If a company has made a personal loan in the past to a director or executive officer that is still outstanding, it will be grandfathered in and will not be subject to the prohibition on personal loans so long as no material modification is made to any term of such loan and the loan is not renewed.
    • There is considerable uncertainty as to the reach of this provision (see our separate Client Alert entitled “Prohibitions on Personal Loans to Executives”).

Preapproval of Services

  • The provision of all audit related services (including comfort letters) and any non-audit services, subject to a de minimus exception, by a company’s auditors must be approved in advance by a company’s audit committee.
  • A company must disclose in its periodic reports approval by the audit committee of any non-audit services.
    • Companies should review existing authorizations of both audit and non-audit services.

Whistleblower Protection

  • Effective immediately, employees of public companies who act as whistleblowers by providing assistance or information to governmental authorities or to their supervisors regarding securities laws or antifraud laws violations are given federal protection under the Act. Specifically, a public company may not discharge, demote, suspend, threaten, harass or discriminate against in any other manner an employee in retaliation for whistleblowing.
    • Companies should coordinate with their human resources departments on this matter and review the policies they have in place with respect to employment and personnel.

Medium Term Considerations
Audit Committee Matters

  • By April 26, 2003, national securities exchanges and national securities associations are required to adopt rules requiring that audit committees comply with the requirements of the Act. The Act also requires the SEC to adopt a rule directing the national securities exchanges and national securities associations to prohibit the listing of any security of any company that is not in compliance with the standards listed below. Note that the New York Stock Exchange and the Nasdaq Stock Market have each adopted separate audit committee rules, which are awaiting approval by the SEC; however, these proposed rules may need to be updated based on the requirements of the Act.
    • Once SEC approval of these rules is obtained, companies should amend their audit committee charter to state that:
      • The audit committee is directly responsible for the appointment, compensation and oversight of the company’s auditors (including the resolution of disagreements between management and the auditor regarding financial reporting).
      • The company’s auditors shall report directly to the audit committee.
      • Each member of the audit committee must be a member of the company’s board of directors and shall be “independent.” To qualify as “independent”, the audit committee member may not receive any consulting or other fees other than board, audit committee or other committee fees. Moreover, the member may not be an affiliated person of the company or its subsidiaries.
      • The audit committee shall establish procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters and the confidential anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.
      • The audit committee has the authority to hire independent counsel and other advisers as it determines necessary to carry out its duties.
    • Due to the new independence standards imposed by the Act, companies should review the membership of their audit committees so that they are in compliance with SEC rules as soon as such rules are adopted. Under the new rules, members of the audit committee may not receive any consulting or other fees other than board or audit committee fees. In addition, a member may not be an affiliated person of the company or any of its subsidiaries.
    • Management should review the new responsibilities and duties imposed on audit committees, as listed above, with the members of its audit committee in order to prepare for any necessary changes.
  • No later than January 26, 2003, the SEC is required to adopt rules requiring a company to disclose whether its audit committee has at least one member who is a “financial expert.” This term was not defined by the Act, but will be defined by the SEC no later than January 26, 2003.
  • As soon as the SEC adopts rules requiring company compliance (no later than April 26, 2003), audit committees will be required to establish procedures for the receipt, retention and treatment of complaints received by the company regarding accounting, internal accounting controls or auditing matters. The audit committee must also establish procedures for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters.
    • Companies should begin considering the procedures and policies that will be put into place in order to come into compliance with this requirement.
  • As soon as the SEC adopts rules requiring company compliance (no later than April 26, 2003), companies must grant their audit committees authorization to engage independent counsel and other advisers as the committee deems necessary to carry out its duties. Companies must provide appropriate funding, as the committee deems necessary, to compensate the independent auditor and any advisors retained by the committee.

Prohibition on Certain Non-Audit Services

  • Upon becoming a “registered public accounting firm” able to serve public companies (see Auditor Registration below), auditors of a public company are prohibited from providing non-audit related services to a company to which it provides audit services, including:
    • bookkeeping or similar services;
    • financial information systems design and implementation;
    • appraisal or valuation services, fairness opinions, or contribution-in‑Kind reports;
    • actuarial services;
    • internal audit outsourcing services;
    • management or human resource functions;
    • broker or dealer, investment adviser, or investment banking services;
    • legal services and expert services unrelated to the audit; and
    • any other Public Company Accounting Oversight Board-determined impermissible service.
  • This list of prohibited services appears to be self-implementing, although there are obviously many interpretive questions. Some may be answered by the legislative history, which is being prepared.
  • Permissible non-audit services (e.g., tax services) must be preapproved by a company’s audit committee (see Preapproval of Services above).
    • A company should consider transitioning to other vendors any non-audit services currently provided by its auditors.
    • A company should examine any consulting services it receives from its auditors to determine their true nature and whether they would be prohibited when the prohibition becomes effective.

Blackout Periods

  • Effective 180 days after enactment, the Act prohibits any director or executive officer of a public company to engage in any transaction in equity securities of that company during pension fund (e.g., 401(k) plans) blackout periods. The company (or a shareholder on behalf of the company) may recover any profits on a sale or purchase of the company’s equity securities by a director or officer in violation of this provision.
    • There are several definitional issues, including the meaning of “profits” and the question of whether certain limited plan suspensions trigger a “blackout period.” Companies may want to comment on the SEC rulemaking regarding this provision.
    • Companies should prompt their benefits departments to develop procedures to notify participants, beneficiaries, directors, officers, the SEC and any other relevant parties of blackout periods.

Enhanced Disclosure

  • The Act contains a number of provisions in an effort to enhance disclosure, directing companies to:
  • augment financial statement reporting by reflecting all material correcting adjustments that have been identified by their registered public accounting firm (see Auditor Registration below) in accordance with GAAP;
  • once the SEC has issued applicable rules, disclose in each 10‑Q and 10‑K all material off-balance sheet transactions, arrangements, obligations (including contingent obligations), and other relationships of the company with unconsolidated entities or other persons that may have a material current or future effects on financial condition, changes in financial condition, results of operations, liquidity, capital expenditures, capital resources or significant components of revenues or expenses; and
  • once the SEC has issued applicable rules, present any pro forma financial information included in any report filed with the SEC or in any public disclosure (e.g., a press release) in such a fashion that i) does not contain an untrue statement of a material fact or omit to state a material fact necessary in order to make the pro forma financial information, in light of the circumstances under which it is presented, not misleading, and ii) reconciles the pro forma financial information with the financial condition and results of operations of the company under GAAP.
    • Companies should already be endeavoring to meet the above requirements in their MD&A disclosure, notwithstanding their staggered effectiveness, as first required under SEC Release No. 33-8056.

Long-Term Considerations
Auditor Registration

  • Unless registered with the Public Company Accounting Oversight Board within 180 days after the Board is determined by the SEC to be operational, it will be illegal for an accounting firm to audit public companies.
    • Each public company should consult with its auditors to ensure it receives timely assurances of its auditors’ initial and on-going registration as a “registered public accounting firm.”
  • A registered public accounting firm will be disqualified from auditing a public company if during the one year period preceding the most recently commenced audit the CEO, CFO, chief accounting officer, controller or a person serving in a similar capacity was employed by the firm and participated in an audit of the company.
    • Note that because of this look-back provision, current hiring practices may disqualify a company’s auditor from performing an audit for that company when the auditor becomes registered.

Funding of Public Company Accounting Oversight Board

  • Note that the primary source of funding for the Board will be annual accounting support fees levied against public companies based on a formula taking into account each company’s market capitalization.

Critical Accounting Policies and Alternative Treatments

  • Under the Act, registered public accounting firms must report to the audit committee information regarding critical accounting policies and practices to be used, alternative treatments of financial information within GAAP relevant to the company’s audit and material written communications between the auditor and management of the company.
    • Companies should continue to identify critical accounting policies and be aware that alternative treatments must be presented, as the SEC has proposed in SEC Release No. 33-8098.