Corporate Social Responsibility (IVOR nr. 77) 2010/5.2.3
5.2.3 SOX - the 'in-control' requirement
Mr. T.E. Lambooy, date 17-11-2010
- Date
17-11-2010
- Author
Mr. T.E. Lambooy
- JCDI
JCDI:ADS367059:1
- Field(s) of law
Ondernemingsrecht (Corporate law) (V)
Footnotes
1. The Sarbanes-Oxley Act of 2002 (Pub.L. 107-204, 116 Stat. 745, enacted 30 July 2002), also known as the 'Public Company Accounting Reform and Investor Protection Act of 2002' and commonly called 'SOX' or 'Sarbox', is a US federal law. See: 'Sarbanes Oxley Act', at: http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act, accessed on 30 July 2010.
2. SEC, 'Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting under section 13(a) or 15(d) of the Securities Exchange Act of 1934 - Action: Interpretation', SEC 17 CFR Part 241, Release Nos. 33-8810; 34-55929; FR-77; File No. S7-24-06e, 2007, p. 9, at: http://www.sec.gov/rules/interp/2007/33-8810.pdf, accessed on 28 April 2010.
3. This applies to companies that are subject to the US Securities Act 1933 and the reporting requirements of the US Securities Exchange Act 1933 (pursuant to rules 13(a) or 15(d)), other than registered investment companies.
4. The final rules amended the exhibit requirements for periodic reports in order to add the certifications required by sections 302 and 906 of SOX to the list of required exhibits to be included in reports filed with the SEC. See SEC, 'Implements Internal Control Provisions of Sarbanes-Oxley Act; Adopts Investment Company R&D Safe Harbor', Release 2003-66, 2003, at: http://www.sec.gov/news/press/2003-66.htm, accessed on 11 June 2010; see also: SEC, 'Final Rule: Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports', 17 CFR Parts 210, 228, 229, 240, 249, 270 and 274, 2003, Release Nos. 33-8238; 34-47986; IC-26068; File Nos. S7-40-02; S7-06-03, section II(H)(2), at: http://www.sec.gov/rules/final/33-8238.htm#iih2, visited on 10 March 2010.
5. Ibid., SEC Release 2003-66.
6. I.e. a listed company that has to report according to the US Securities Exchange Act.
7. SEC Release 2003-66, supra note 29. See also SEC, 'Commission Statement on Implementation of Internal Control Reporting Requirements', Release No. 2005-74, 2005, at: http://www.sec.gov/news/press/2005-74.htm, accessed on 1 May 2009.
8. SEC Release 2003-66, supra note 29. See also the description of internal accounting controls in the Securities Exchange Act (US) of 1934 s 13(b)(2)(B).
9. SEC Release 2003-66, supra note 29.
10. However, this SEC approach has also been criticised, e.g. by Peter Wallison, 'Internal Control over Financial Reporting', open letter to the SEC, which states: 'The following is a written comment submitted to the SEC in connection with its proposed rule modifying the standards for internal controls under section [404 SOX]. It is of course commendable that the Commission is attempting now to ease the burden of section [404 SOX]. However, given the incentives of the parties involved, this effort is unlikely to be successful in significantly reducing the costs of this unnecessary and burdensome statutory provision.' See: http://www.aei.org/publications/pubID.25664.filter.all/pub_detail.asp, accessed on 26 July 2010.
11. SEC Release 2003-66, supra note 29.
SOX was enacted in 2002. It was the American response to a number of major corporate and accounting scandals (e.g. Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom). When the share prices of the affected companies collapsed, investors lost billions of dollars and public confidence in the nation's securities markets was also shaken. SOX was named after its sponsors, Senator Paul Sarbanes, the Democratic Senator for Maryland, and Representative Michael G. Oxley, a Republican from Ohio. SOX was approved by an overwhelming majority (House: 334-90; Senate: 99-0).1
SOX established improved standards for the boards, management and public accounting firms of public companies regulated by the US Securities Exchange Act of 1934 (US Securities Exchange Act). It does not apply to privately held companies. SOX contains 11 titles, or sections, dealing with subjects ranging from additional corporate board responsibilities to criminal penalties. It required the SEC to introduce rules to implement SOX. SOX and the subsequently implemented SEC rules now require public companies to evaluate their internal controls and to publish those findings together with their SEC filings. Management and external auditors are required to evaluate the effectiveness of a company's internal control over financial reporting based on a suitable control framework. For this evaluation, the framework developed in the COSO Report 1992 is generally used.
Although SOX is directed at public companies, many privately owned companies and non-profit organisations are also electing to evaluate their systems of internal control using COSO's framework. The manner in which the components of the COSO framework are applied to an organisation will depend on the nature and size of the organisation. Presently, the debate continues over the perceived benefits and costs of SOX. Supporters contend that the legislation was necessary; opponents argue that SOX imposes too big a burden on US industry.
Section 404 of SOX directed the SEC to implement rules that require public companies to include in their annual reports 'a report of management on the company's internal control over financial reporting'.2 Both US and non-US companies listed in the US are subject to these requirements.3 The SEC issued a 'Final Rule on Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports' (the SEC Rule on Internal Control).4 This Rule contains provisions regarding the format and the substance of the internal control report. Concerning the format, the following elements have to be included:
a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
a statement containing management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year;
a statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting; and
a statement that the registered public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting. [Emphasis added].5
The last-mentioned element requires that the company files the accounting firm's attestation report as part of the annual report. Additionally, management should evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over the annual financial reporting.
As regards the substance, the SEC Rule on Internal Control defines 'internal control over financial reporting' as:
"A process designed by, or under the supervision of, the registrant's6 principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
1. pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;
2. provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and
3. provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements." [Emphasis added].7
This definition of internal control encompasses the subset of internal controls addressed in the COSO Report 1992 in so far as they pertain to financial reporting objectives. However, the SEC's definition does not include those elements that relate to the effectiveness and efficiency of a company's operations (compare the definition used in the COSO Report 1992 under 1, section 5.2.2, supra). Neither does it refer to a company's compliance with applicable laws and regulations (compare the definition used in the COSO Report 1992 under 3, section 5.2.2, supra), with the exception of compliance with the applicable laws and regulations directly related to the preparation of financial statements, such as the SEC's financial reporting requirements.8
Interestingly, the SEC's definition also creates an implicit link to the US prohibition on corrupt practices as defined in the FCPA by referring to the COSO Addendum 1994 (see section 5.2.2, supra).9 In order to achieve the desired result and to provide consistency with the COSO Addendum, the SEC has explicitly included the words 'disposition of assets' under (1) and (3) of its definition. In its explanation of the text, the SEC pointed to the fact that the SEC definition will be used for purposes of public management reporting, and that the companies that will be subject to the section 404 SOX requirements are also subject to the FCPA requirements.10 It certainly seems practical to combine the information required for both purposes in one internal control statement. However, the SEC Rule on Internal Control prescribes that the framework on which management's evaluation is based has to be a suitable, recognised control framework established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.11 This means that the COSO framework is one eligible framework, but that others could also be used.
Under the SEC rules, management must disclose any problems that could have a material effect on the financial statements. Management will be unable to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses in such control. Any uncertainties concerning company employees engaging in corrupt practices could therefore, in the view of the author and based on the explanatory text to the SEC Rule on Internal Control, be qualified as such a material weakness.