Over the past year, clients have repeatedly posed questions about the disclosure controls and procedures they are now required to maintain as mandated by Sarbanes-Oxley. Based on the number and types of questions posed, an overview of disclosure controls and procedures — in the form of a charter for a standard disclosure committee and policies governing the flow of information among committee members and throughout the organization — is among the most useful tools an attorney can provide a client in that regard.
Such a framework and policies will ensure that properly formulated disclosure questions reach the correct people within an organization, that such questions reach the appropriate person "up the food chain," and that all disclosures are then accurately and completely reported. In today's climate of increased scrutiny and enforcement, careful attention to these matters is crucial to the health of an organization.
As part of the massive overhaul of securities regulation known as Sarbanes-Oxley, the Securities and Exchange Commission (Commission) adopted new rules requiring corporations that have a class of stock registered under the Securities Exchange Act of 1934 (Exchange Act) to maintain procedures relating to public disclosure. The new requirements governing disclosure controls and procedures were adopted in conjunction with the Commission's rules requiring that a corporation's principal executive and principal financial officers each certify the financial and other information contained in the corporation's quarterly and annual reports filed with the Commission.
The new rules have the following two requirements:
- registrants must maintain disclosure controls and procedures; and
- management, with the participation of the principal executive and principal financial officers, must evaluate the effectiveness of the registrant's disclosure controls and procedures as of the end of each fiscal quarter.
Disclosure Controls and Procedures
The purpose of the disclosure controls and procedures is to assist the principal executive and principal financial officers in meeting their obligation of making the required certification and to ensure that the registrant's internal communications and other procedures operate so that important information flows to the appropriate collection and disclosure points in a timely manner. The Commission has stated that a corporation that fails to maintain adequate procedures, review them and otherwise comply with the rule could be subject to Commission action for violating Section 13(a) of the Exchange Act, even if the failure does not lead to flawed disclosure.
The term "disclosure controls and procedures" is a new term under the federal securities laws and is defined as controls and other procedures of a corporation that are designed to ensure that information required to be disclosed by the corporation in the reports that it files or submits under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the Commission's rules and forms.
Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by a corporation in the reports that it files or submits under the Exchange Act is accumulated and communicated to the corporation's management, including its principal executive and principal financial officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure.
The term "disclosure controls and procedures" is broader than "internal controls" in that it relates to both financial and non-financial information. Internal controls relate only to accounting and financial information. Disclosure controls and procedures must be designed, maintained and evaluated to ensure full and timely disclosure in all reports filed or submitted to the Commission which would include reports on Form 8-K and proxy statements.
Each periodic report must include disclosure of the conclusions of the principal executive and principal financial officers regarding the effectiveness of those controls and procedures based on their evaluation as of the end of the period covered by the report.
Protection Against Liability
The corporation's disclosure controls and procedures should also enhance defenses against claims challenging the accuracy of the corporation's disclosures or its efforts to monitor and disclose corporate developments. These include federal and state securities fraud claims and state corporate law duty of care claims.
Developing Disclosure Controls and Procedures
The Commission expects each corporation to develop a process that is consistent with its business and internal management and supervisory practices. The corporation should develop and implement an information management system so that any information required to be disclosed is recorded, processed, summarized and reported in a timely manner and that the information is accumulated and communicated to management to allow timely decisions regarding required disclosure. Some guidelines to be considered by the corporation in designing and developing its disclosure controls and procedures are discussed below.
Establish the Objectives
Disclosure controls and procedures should be started and managed by the board of directors, management and other personnel, and designed to provide reasonable assurance regarding the achievement of the following objectives:
- timely and accurate efficiency of operations;
- reliability of financial reporting public disclosure; and
- compliance with applicable laws and regulations.
Evaluate Current Systems and Procedures
Before creating a new set of procedures, the corporation should review and evaluate the current manner in which disclosure information is generated and communicated, and the time in which such information is prepared and communicated to senior members of management. The review should address how information flows up and down the organization. In addition, the current involvement of the chief executive officer and chief financial officer should be analyzed.
Consider New Disclosure Requirements
The disclosure controls and procedures must be flexible. They must provide a mechanism whereby new disclosure requirements are identified, communicated and addressed in the disclosure controls and procedures.
Document Controls and Procedures
The corporation's disclosure controls and procedures should be documented in writing. The written controls and procedures should address:
- the Commission filings covered by the procedures;
- the persons responsible for each section of each report;
- the business units or departments involved;
- how the units or departments collect the information to be disclosed (i. e. , meetings, written reports, etc.);
- how the collected information is communicated to those responsible for preparing the report (i. e. , meetings, written reports, editing of previous reports, etc. );
- how materiality is determined and those persons responsible for making materiality decisions;
- how draft reports are reviewed and revised including the involvement of outside parties such as outside counsel, independent auditors, and other experts; and
- timing of the various steps.
Procedures for Gathering Information
Orientation to Disclosure Requirements. The corporation should consider whether the employees involved in the disclosure process need training to increase awareness and sensitivity to disclosure requirements. The current level of understanding the disclosure requirements should be assessed.
In particular, are the relevant employees aware of the events that require the corporation to file a Form 8-K and the time period within which the Form 8-K must be filed?The proper method of training should be determined (i. e. , written guidelines, oral presentations, etc. ).
Methods of Gathering Information. The disclosure controls and procedures policy should address the proper methods of gathering information. Different methods may be appropriate for different reports and/or sections of reports. Methods of gathering information may include:
- preparation of written reports; and
- review of and comment on draft reports.
Information gathered should be checked for consistency with the corporation's public disclosures, including press releases and the corporation's website.
Management Review of Reports. Senior management, including the chief executive officer and the chief financial officer, must be personally involved in the disclosure process. The CEO and CFO should review all reports requiring their certification.
In addition, senior management may need to review specific issues addressed in the report, to talk with key people who prepared the report and review the report with third party advisors. It may be necessary to convene regular review sessions where senior management can meet with the people preparing the reports and discuss any disclosure issues.
Disclosure Compliance Calendar. The corporation should prepare a disclosure compliance calendar in which key disclosure dates and milestones are identified. The following key dates and milestones should be considered:
- preparation of financial results;
- public announcement of financial results;
- deadlines for first drafts and revised drafts;
- CEO/CFO review dates;
- audit committee review dates;
- independent auditor review dates;
- quarterly and annual evaluations of the disclosure controls and procedures;
- filing deadlines; and
- printing and mailing deadlines.
The compliance calendar should be designed to begin gathering and analyzing information as soon as possible. It is not necessary to wait until after the end of the fiscal period or the closing of the books before beginning the disclosure process.
The corporation should also prepare a schedule that assigns responsibility for each aspect of the system of information management. The schedule should assign responsibility based on the individual's experience and specific area of knowledge. The responsible persons should also become familiar with the applicable regulations that address the disclosure requirements for his or her assigned area. Each individual should provide a report to the disclosure committee that all information that should have been furnished to the committee was in fact furnished. The information to be provided to the disclosure committee should include risks relating to the particular area such persons are responsible for.
Appoint a Disclosure Coordinator. The corporation should appoint a coordinator who will have overall responsibility for preparing a timetable, following up with others to make sure that assigned tasks have been completed on a timely basis. The disclosure coordinator does not need to beresponsible for making judgments regarding disclosure matters but should be senior enough within the corporation to be able to enforce deadlines.
Create a Disclosure Committee. The Commission recommends that public corporations create a committee with responsibility for managing the flow of information, considering the materiality of information and determining disclosure obligations on a timely basis.
The disclosure committee would not be a committee of the board of directors, but rather a group of officers and other employees acting under the supervision of the CEO or other senior executive. Officers and employees of the corporation who have an interest in, and the expertise to serve on, the committee could include the principal accounting officer or the controller, the general counsel or other senior legal official with responsibility for disclosure matters who reports to the general counsel, the principal risk management officer, the chief investor relations officer or an officer with equivalent responsibilities and such other officers or employees, including individuals associated with the corporation's business units, as the corporation deems appropriate.
The Commission has stated that such a committee should report to senior management, including the principal executive and financial officers, who bear express responsibility for designing, establishing, maintaining, reviewing and evaluating the corporation's disclosure controls and procedures.
The disclosure committee should have a charter setting forth its responsibilities. Consideration should be given to designating a secretary and chairman of the disclosure committee. The secretary would be responsible for coordination and written documentation. The chairman would coordinate the substance of the disclosure committee's considerations and ensure the appropriate involvement of the CEO and CFO. It may be appropriate for the chief legal officer to chair the committee since disclosure is ultimately a legal decision.
Back-Up Certifications. The corporation may want to consider obtaining certifications from certain officers that support the certifications made by the CEO and CFO. The back-up certifications should indicate that the officer has disclosed to specified senior officers matters that have affected, or may affect, the business in ways that may be of interest or concern to senior management.
Persons to consider for back-up certifications include the principal accounting officer, head of internal audit, the persons primarily responsible for preparing the financial statements, the persons primarily responsible for preparing the MD&A disclosure, the heads of principal business units and subsidiaries, and representatives of the legal department.
Use of Outside Advisors. The corporation should consider whether to incorporate the assistance of outside advisors such as legal counsel in its disclosure controls and procedures.
A Proactive Approach
The rules governing disclosure policies and procedures — the most recent piece of Sarbanes-Oxley — have been eagerly awaited by companies over the last six months. The best way to help corporate clients assure compliance with this part of Sarbanes-Oxley is to emphasize the value of a proactive approach to establishing policies, procedures and controls. By helping clients establish a charter for the standard disclosure committee, augmented by a sound model clearly reflecting the timely flow of information, you will help assure that clients avoid regulatory entanglements or enforcement actions somewhere down the road. It is much better to establish a roadmap — and put the appropriate controls in place in advance.
* article courtesy of Norman B. Antin and Jeffrey D. Haas, partners in the Financial Institutions practice in Washington DC's Patton Boggs LLP.