
Controls over ESG, cyber, and other disclosures

December 11, 2023

The US Securities and Exchange Commission has been more visible recently in challenging and even charging companies for errors in the disclosures they have included in filings and other reports to shareholders.

While material cyber breaches and ESG reports have been in the news, companies need reasonable assurance that everything in their filings and other communications is complete, accurate, timely, and compliant with any related regulatory requirements.

Company chief executives and chief financial officers are required to certify that their “disclosure controls” are adequate by Section 302 of the Sarbanes-Oxley Act.

The SEC explained (with my highlights):

As adopted, new Exchange Act Rules 13a-14 and 15d-14[1] require an issuer’s principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, each to certify in each quarterly and annual report, including transition reports, filed or submitted by the issuer under Section 13(a) or 15(d) of the Exchange Act[2] that:

  • he or she has reviewed the report;
  • based on his or her knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by the report;[3]
  • based on his or her knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition, results of operations and cash flows of the issuer as of, and for, the periods presented in the report;
  • he or she and the other certifying officers:
    • are responsible for establishing and maintaining “disclosure controls and procedures” (a newly-defined term reflecting the concept of controls and procedures related to disclosure embodied in Section 302(a)(4) of the Act) for the issuer;
    • have designed such disclosure controls and procedures to ensure that material information is made known to them, particularly during the period in which the periodic report is being prepared;
    • have evaluated the effectiveness of the issuer’s disclosure controls and procedures as of a date within 90 days prior to the filing date of the report; and
    • have presented in the report their conclusions about the effectiveness of the disclosure controls and procedures based on the required evaluation as of that date;
  • he or she and the other certifying officers have disclosed to the issuer’s auditors and to the audit committee of the board of directors (or persons fulfilling the equivalent function):
    • all significant deficiencies in the design or operation of internal controls (a pre-existing term relating to internal controls regarding financial reporting) which could adversely affect the issuer’s ability to record, process, summarize and report financial data and have identified for the issuer’s auditors any material weaknesses in internal controls; and
    • any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls; and
  • he or she and the other certifying officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.

For purposes of the new rules, “disclosure controls and procedures” are defined as controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports filed or submitted by it under the Exchange Act[4] is recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms. “Disclosure controls and procedures” include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in its Exchange Act reports is accumulated and communicated to the issuer’s management, including its principal executive and financial officers, as appropriate to allow timely decisions regarding required disclosure.

The SEC has not in practice limited its review of disclosures to those required by law and regulation. For example, the ESG disclosures are not (yet) mandated; they are voluntary. Note the highlighted section above, which states that the CEO and CFO must certify that the report “does not contain any untrue statement of a material fact or omit to state a material fact”.

Controls are needed to ensure there is at least reasonable assurance that all disclosures, whether required or voluntary, are complete, accurate, timely, and compliant with any regulatory requirements.

As with Sarbanes-Oxley Section 404 on internal controls over financial reporting (commonly referred to as “SOX”), we need to:

  • Identify all disclosures
  • Identify the controls relied upon for each disclosure
  • Confirm that the controls are adequately designed to address the risk of material error or omission in the disclosure
  • Confirm that the controls are operating effectively as designed

We can do this with a form of “control matrix” that has a row for each disclosure, and columns for completeness, accuracy, timeliness, and compliance.

This is a management responsibility, but management can ask internal audit or another function to develop and maintain the matrix (while management retains the responsibility for it being correct).

Internal audit or an internal controls group or similar can test the identified controls’ design and operation.

The level and frequency of testing should be based on the level of risk of an error or omission that would be material to users of the filing, and other judgments.

What do you think?

For more guidance on SOX, please see Management’s Guide to SOX – 5th Edition (formerly a publication of the IIA), which has been called the “best book on SOX”.

====================================================================

[1] The SEC amends the Exchange Act of 1934 to reflect the provisions of subsequent Acts, such as Sarbanes-Oxley.

[2] 15 U.S.C. §§78m(a) or 78o(d). Section 13(a) of the Exchange Act requires every issuer of a security registered pursuant to Section 12 of the Exchange Act [15 U.S.C. §78l] to file with the Commission such annual reports and such quarterly reports as the Commission may prescribe. Section 15(d) of the Exchange Act requires each issuer that has filed a registration statement that has become effective pursuant to the Securities Act of 1933 [15 U.S.C. §77a et seq.] to file such supplementary and periodic information, documents and reports as may be required pursuant to Section 13 in respect of a security registered pursuant to Section 12. The duty of an issuer to file under Section 15(d) is automatically suspended for any fiscal year, other than a fiscal year in which its registration statement becomes effective or is required to be updated pursuant to Section 10(a)(3) of the Securities Act [15 U.S.C. §77j(a)(3)], if an issuer’s securities are held of record by less than 300 persons. See Exchange Act Rule 12h-3(c) [17 CFR 240.12h-3(c)].

[3] As permitted under our rules, a registrant may satisfy its disclosure obligations under Part III of Forms 10-K and 10-KSB by incorporating the required information by reference from its definitive proxy or information statement, if that statement involves the election of directors and is filed not later than 120 days after the end of the fiscal year covered by the annual report. See General Instruction G(3) to Form 10-K and General Instruction E(3) to Form 10-KSB. For purposes of this provision, the certification in the annual report on Form 10-K or 10-KSB would be considered to cover the Part III information in a registrant’s proxy or information statement as and when filed.

[4] These reports include quarterly reports on Form 10-Q or 10-QSB, annual reports on Form 10-K, 10-KSB, 20-F or 40-F, current reports, definitive proxy materials filed under Section 14(a) of the Exchange Act [15 U.S.C. §78n(a)], definitive information statements filed under Section 14(c) of the Exchange Act [15 U.S.C. §78n(c)] and amendments to any of these reports or documents.

Anonymous
December 11, 2023 at 8:45 AM

Hi Norman,
I would like to get a PDF of your Internal Audit Maturity Model.
I want to present it to some individuals in my org.
Is there an email I can reach out to you on, with my personal email?
