The Sarbanes-Oxley Act of 2002 (the "Act") is much more than a tightening of corporate reporting requirements. We believe the Act has altered significantly the prosecutorial landscape on which Justice Department and agency investigations will play out. Even though the Act's requirements are limited to "issuers" or reporting companies, its eventual impact goes further. Officers of any organization - whether non-profit or privately held - may be affected by the Act's new standard of corporate conduct and the law's impact on penalties that can be threatened during an investigation.
Section 302 of the Act details new obligations for corporate reporting. The Act requires officers to aver that the reports contain all material facts needed to render the financial results "not misleading." As interpreted by the Securities and Exchange Commission ("SEC"), corporate officers are to establish disclosure controls and procedures that are different from historical internal accounting controls.
In short, Section 302 targets a favored defense for individual officers being threatened during an investigation of corporate fraud. This defense - the self-blinding or "who me?" response - usually ran along the lines of an officer demonstrating that she had no idea the problem had occurred and would have remedied it had she known. The officer traditionally would then argue that it was a "corporate" not an "individual" failure and, therefore, the individual officer should not be charged.
Section 302 removes that defense and turns it on its head, making it illegal for an officer to have in place "internal controls" that do not "ensure" that relevant material information concerning the company's activities is made known to the officer. Further, the officer has to check that this system of "internal controls" actually works and that the people involved in it are acting honestly. See Act Section 302(a)(4) and (5).
Notably, the disclosure controls and procedures go well beyond accounting or financial matters. This means that the disclosure controls and procedures need to be such that a responsible officer can receive information at every place where the company's activities intersect with a regulatory control - if a violation of that regulation could have a material impact on the company. Depending on the company, this requirement underscores the advisability of establishing controls to ensure compliance with regulatory regimes running the gamut from labor and environmental to rules governing international trade, conflicts of interest, securities disclosure, insider trading, records retention and privacy.
As a corollary to its new requirements, the Act required the U.S. Sentencing Commission to revise Federal Sentencing Guidelines that would apply to violations of the Act and other prohibitions on corporate fraud. The draft amendments to these Guidelines make it evident that the impact of the Act will be felt far beyond publicly traded companies. For example, in considering enhanced penalties for corporate fraud, the Commission proposes "extending the enhancement to include other organizations with a substantial number of employees." It questions if the new sentencing provisions should "apply to cases in which an officer . . . of a large, non-public organization violates any provision of security [sic] law." See 67 Fed. Reg. 70999, 71000, 71002 (Nov. 27, 2002).
This means that the Act not only has altered the way publicly traded companies should operate. It has also set a new standard, possibly enhancing the penalties faced by officers of any organization (regardless of legal form) in the event of losses due to fraud.
With regard to governance and compliance requirements, the Act bolsters requirements in two ways. Section 302(a)(3) requires a certification that periodic reports "fairly present . . . the financial condition . . . of the issuer" and is meant to include an analysis of legal and compliance risks. Section 406 requires a code of ethics for senior financial officers (as well as the CEO under regulations proposed by the SEC), including such standards as are reasonably necessary to promote compliance with governmental rules and regulations. The NYSE and Nasdaq have both proposed corporate governance and code of conduct requirements as part of their listing requirements, and have mandated that such programs apply to all employees.
Some of these requirements are effective already, and the remainder will be effective for reports filed in 2003. With this background, directors and officers of public companies and large private companies should immediately review and modify, as appropriate, their governance and compliance policies and procedures. Given the renewed emphasis on the potential criminal aspects for compliance failures, the preferred approach is to develop a system that comports with the Organizational Sentencing Guidelines ("OSG").
The OSG provide a seven-part test for "effective programs":
- Established compliance standards and procedures
- High-level individual(s) assigned overall responsibility
- No delegation to individuals with propensity to illegal activities
- Effective communication to all employees
- Reasonable compliance steps: monitoring, auditing and reporting systems
- Consistent enforcement of appropriate discipline
- Appropriate response to offense, and necessary program modifications
Directors should be proactive in requiring and implementing an effective program. For NYSE-listed companies, the proposed rules impose this burden on the Nominating and Governance Committee.
In implementing the OSG requirements, components of an effective program should include written policies, a written code of conduct summarizing the policies and other important legal and compliance requirements, training systems, a hotline, monitoring and auditing programs, and feedback to the board. A careful reading of the proposed NYSE and Nasdaq listing requirements regarding corporate governance, as well as SEC proposed regulations, indicates that such an integrated "system" is advisable. A code of conduct, no matter how well written, requires complementary training, monitoring and auditing systems. Hotlines are a mandated part of an OSG-compliant system, and Section 301 of the Act requires a procedure for the "confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters."
A program can be effective only if a culture of compliance is established at the company. This requires that the CEO and other senior officers endorse and sell the program. Employees must understand that legal and ethical conduct is expected at all times, and that violations of laws or the company's policies will result in discipline. Directors and officers are charged with ensuring employees comply with all "laws and regulations."
Under the new governance and compliance regime, "the buck stops here" is no longer a platitude. Congress, the stock exchanges, and the U.S. Sentencing Commission have placed responsibility squarely on the shoulders of directors and officers. Responsible directors and officers will conclude that proactive establishment of an effective governance and compliance system makes good business sense and is the surest way to avoid imposition of the numerous enhanced criminal penalties.