United States: Living with the Sarbanes-Oxley Act of 2002: A Primer for Members of Public Company Audit Committees

Introduction

In this post-Enron era, the rules for corporate governance, especially for audit committees of public company boards of directors, are rapidly and radically changing. The most sweeping legislation in corporate governance in several decades, the Sarbanes-Oxley Act of 2002 (the "Act") was signed into law on July 30, 2002. It creates, among other things, a new framework of responsibilities for audit committees and other members of boards of directors of public companies (referred to in the Act as "issuers").¹ The Act refers to the purpose of an audit committee as "overseeing the accounting and financial reporting processes of the issuer and audits of the financial statements of the issuer."

A number of provisions of the Act were made by amendments to the Exchange Act. Other provisions have been made effective by rules promulgated by the Securities and Exchange Commission (the "SEC").

The New York Stock Exchange ("NYSE"), the Nasdaq Stock Market, Inc. ("NASDAQ") and the American Stock Exchange ("AMEX") have each submitted new corporate governance rules to the SEC for approval, including rules related to audit committees, which in some respects go above and beyond the requirements of the Act.

This client bulletin discusses the responsibilities of audit committees and their members under the Act and the new SEC rules and forms. This client bulletin does not cover the application of the Act to foreign private issuers. Moreover, it is intended only as a quick reference for issuers’ audit committee members and as an introduction to the main sections of the Act that relate to their work. It is not intended as an exhaustive discussion of the laws that apply to such audit committee members.

Perhaps the most dramatic change in the law is the creation of a new regulatory body, named the Public Company Accounting Oversight Board (the "Accounting Oversight Board") that is subject to supervision by the SEC, and is independent of the accounting industry.

One of the statutory duties of the Accounting Oversight Board will be to register public accounting firms that conduct audits of public companies. Only "registered public accounting firms" will be authorized to prepare or issue or play a substantial role in the preparation or issuance of an audit report on an issuer’s financial statements. The Accounting Oversight Board is directed to establish, by rule (subject to SEC approval), auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports, and will have the power to conduct investigatory and disciplinary proceedings concerning, and impose appropriate sanctions against, accounting firms and their associated persons.

Although the Act has not assigned the Accounting Oversight Board any specific duties or powers related to audit committees as such, an audit committee of a public company, as described below, will have responsibilities requiring it to be knowledgeable as to the powers, duties, and rules of the Accounting Oversight Board.

The national securities exchanges and national securities associations (collectively, "SROs"), are prohibited from listing any security of an issuer that has failed to establish an audit committee in accordance with the audit committee requirements mandated by the Act; and the SEC has adopted audit committee listing requirements with which companies must comply in order to be listed (see Section H below).

Independence of Audit Committee Members—Every audit committee is required to consist entirely of independent directors, which means that each audit committee member must meet certain independence criteria ² outside of their work as board or committee members. Specifically, members may not accept directly or indirectly any consulting, advisory or other compensatory fee from the issuer or its subsidiaries, or be an "affiliated person" of the issuer or any of its subsidiaries. The SROs have each proposed their own standards for independence (see Section H below).

"Audit Committee Financial Expert"; Qualifications—An issuer is required to disclose annually in its filings under the Exchange Act whether it has at least one "audit committee financial expert" on its audit committee. If the issuer does not have such an expert, it will be required to explain why it does not. An audit committee financial expert is defined by SEC rules as a person who has the following:

• an understanding of generally accepted accounting principles ("GAAP") and financial statements;
• experience in preparing, auditing, analyzing or evaluating financial statements comparable to those of the issuer, or experience in actively supervising persons engaged in such activities; experience in the application of accounting principles in connection with the accounting for estimates, accruals and reserves;
• experience with internal accounting controls; and
• an understanding of audit committee functions.

Financial Literacy—Under several of the SROs’ proposed listing standards, each audit committee member would have to be "financially literate," thus enabling the member to understand the issuer’s financial reporting. In this connection, members of the audit committee should make sure that they understand the issuer’s critical accounting policies, internal controls, off-balance sheet financing, and related party transactions.

Further, although not required specifically by the SEC, managerial experience would also be useful for members in performing some of the audit committee’s new functions such as resolving disputes between management and auditors.

Corporate Action to Create Audit Committee—The audit committee must be created by action of the issuer’s board of directors. In reaction to this, most boards have adopted an audit committee charter (or revised an existing charter) to cover the committee’s purpose, organization, and responsibilities (see Sections D, E and F below). Boards have also designated the directors who are to be the members of the committee, after investigating and being satisfied as to the independence and financial literacy of each designee. In this connection, boards either have or will:

• set forth procedures and standards for audit committee member removal and replacement;

• determine if any designated committee member or members qualify as audit committee financial experts; and

• specify the amount and form of compensation of the committee members including whether a greater amount is to be paid to its chairperson.

Organization of Audit Committee; Rules of Practice; Budget—In view of the fundamental changes in its responsibilities, the audit committee should organize (or reorganize) itself, for instance, by adopting rules of practice specifying standards for meetings, notices, use of subcommittees or delegation of specified duties to a committee member, quorum, action, and other matters normally covered by bylaws. One of the first actions to be considered by the committee should be adoption of a budget setting forth estimated expenditures, including compensation to the audit firm to be selected, and expenses and compensation for staff, counsel and other advisors.

Retention of Advisors; Funding—Each audit committee must be given the authority to engage independent counsel and other advisers, and the issuer is required to provide appropriate funding, as determined by the audit committee, to pay its ordinary administrative expenses, and for compensating such advisors and the accounting firm for its audit and other services.

Potential Liability of Audit Committee Members; Indemnification; Insurance—Members of an audit committee should not be subject to greater liability than other directors. Nevertheless, the board of directors should consider the advisability of providing for (i) limitation of liability of committee members to the maximum extent possible under applicable state law, as well as (ii) specific rights to indemnity and advancement of litigation expenses for committee members. The foregoing protections will be included by means of provisions in the issuer’s articles, bylaws or by way of private contract. To cover such indemnification, a director and officer liability insurance policy that specifically covers actions of the audit committee should, if possible (and affordable), be carefully examined and obtained.

The Act states that the audit committee is a body established for the purpose, among other things, of overseeing the audit of the financial statements of an issuer. The Act then imposes certain responsibilities that are in connection with the internal and external audit process and related matters directly upon the audit committee that were formerly carried out by the board. The responsibilities of the audit committee in connection with the audit process are briefly summarized below.

Appointment, Compensation and Oversight of Work of Auditor—The overarching requirement of an audit committee under the Act is its sole and direct responsibility for the appointment, compensation, retention and oversight of the work of the auditor, who must report directly to the audit committee.

• The audit committee, not the board, will appoint and have the authority to dismiss the issuer’s independent auditor;

• The audit committee will have the sole authority to fix the compensation of the audit firm; and

• The issuer must provide funding, in an appropriate amount as determined by the audit committee, for compensation to the issuer’s audit firm.

Selection of Auditor: Requirements of the Act—The Act sets forth several requirements or qualifications applicable to an accounting firm being considered for appointment as an auditor, and the SEC has adopted rules to clarify and strengthen these provisions. The rules relate to auditor independence, audit partner rotation, and limitations on employment of audit engagement team members.

Non-Audit Services—The Act prohibits accounting firms from providing 11 specified categories of non-audit services to their audit clients, and the Accounting Oversight Board is authorized to determine, by regulation, that any other service is not permitted. Tax compliance, tax planning and tax advice to audit clients are permitted; but certain tax services will be deemed to impair the independence of an accountant, such as representing the audit client in tax court or other situations involving tax advocacy.

Preapproval and Oversight of Audit Services by Audit Committee—The audit committee must pre-approve all auditing services (including comfort letters and statutory audits), as well as any permitted non-audit services, to be provided by the registered public accounting firm, and as such, audit committees should promptly consider establishing a process for preapproving audit and non-audit services to be provided. Approval of a non-audit service shall be disclosed to investors in periodic reports.

In light of its statutory responsibilities to oversee the accounting and financial reporting processes of the issuer, the audit committee should adopt a process to review some or all of the following certifications, reports, disclosures and other matters relating to the issuer’s financial statements required by the Act or SEC rules as follows.

CEO/CFO Certifications—The principal executive and financial officers must certify in each annual report filed with the SEC that they have reviewed the report and, based on the officer’s knowledge, (i) the report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by the report; and (ii) the financial information included in the report, and the financial statements on which the financial information is based, fairly present in all material respects the financial condition, results of operations, changes in net assets and cash flows of the issuer as of, and for, the periods presented in the report.

Correcting Adjustments—Each financial report of an issuer filed with the SEC that contains financial statements that are required to be prepared in accordance with (or reconciled to) GAAP must reflect all material correcting adjustments identified by an issuer’s registered public accounting firm.

Auditor Reports to Audit Committee—The auditor for most types of issuers must report to the audit committee annually (and timely in relation to the filing of the audit report with the SEC):

• all critical accounting policies and practices to be used by the issuer;

• all alternative treatments of financial information within GAAP for policies and practices related to material items that have been discussed with management, including ramifications of the use of such alternative treatment and which treatment is preferred by the auditor; and

• all other material written communications between the auditor and management, including management letters and schedules of unadjusted differences.

Resolving Disagreements—The audit committee is responsible for resolving disagreements between management and the auditor regarding financial reporting.

Internal Control: Report and Assessment by Issuer and Auditor—The Act requires that management make an annual report of the issuer’s internal control over financial reporting. An SEC Rule defines "internal control over financial reporting" as a process "to provide reasonable assurance regarding reliability of financial reporting and preparation of financial statements." The report must include:

• a statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the issuer;
• management’s assessment of the effectiveness of the issuer’s internal control over financial reporting as of the end of the most recent fiscal year;
• a statement identifying the framework used by management to conduct the required evaluation; and
• a statement that the issuer’s auditor has issued an attestation report on management’s assessment.

The Accounting Oversight Board has adopted the Statement of Standards on Attestation Engagements No. 10 as the standard for the auditor’s attestation, and the SEC has approved this action.

Internal Control: Significant Deficiencies, Material Weaknesses, and Fraud—The CEO/CFO certifications required by the Act must state that the signing officers have disclosed to the audit committee all significant deficiencies and material weaknesses in the design or operation of internal controls over financial reporting which are reasonably likely to adversely affect the issuer’s ability to record, process, summarize, and report financial information and any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant’s internal controls over financial reporting.

Disclosure Controls and Procedures—Issuers are required to maintain, and regularly evaluate the effectiveness of, disclosure controls and procedures to ensure that the information required to be filed under the Exchange Act is recorded, processed, summarized and reported on a timely basis. The SEC has recommended that an issuer have a separate disclosure committee to perform these functions.

Off-Balance Sheet Obligations; Contractual Obligations (MD&A Reports)—The SEC has amended each of the SEC’s disclosure regulations that pertain to the MD&A section of periodic reports and registration statements to require a discussion of off-balance sheet arrangements and short- and long-term contractual obligations.

Non-GAAP Financial Measures (Pro Forma Financial Information)—The SEC has issued a new Regulation G, which requires enhanced disclosure whenever an issuer publicly discloses material information that includes a "non-GAAP financial measure" (commonly referred to as "pro forma financial information")³ . The SEC has also made amendments to item 10 of Regulation S-K (and comparable provisions in Regulation S-B) that require enhanced disclosure in any annual or quarterly reports where non-GAAP financial measures are used.

"Real Time" Issuer Disclosures—Issuers will be required to disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer in plain English as may be determined by SEC rules.

Enhanced SEC Review of Issuers’ Disclosures—The Act requires the SEC to review corporate disclosures made by issuers on a regular and systematic basis for the protection of investors. The reviews should occur at least every three years.

Improper Influence on Conduct of Audits—SEC rules prohibit any corporate officer or director of an issuer, or any person acting under their direction, from coercing, manipulating, misleading or fraudulently influencing the issuer’s auditor if such person knew or should have known that such action could render the issuer’s financial statements materially misleading.

The foregoing audit committee functions demonstrate that one of the most important of the audit committee’s duties is the oversight of the accounting policies, principles and practices used by the issuer in the preparation of its financial statements.

Procedures for Treatment of Complaints; Protection for Whistleblowers—The Act requires the audit committee to establish procedures for the receipt, retention and treatment of complaints received by the issuer concerning accounting, internal accounting controls and auditing matters, as well as procedures for the confidential, anonymous submission by employees of the issuer of concerns with respect to questionable accounting or auditing matters. The Act also provides for protection of such an employee against retaliation.

Code of Ethics—An issuer is required to disclose annually in its annual report whether or not it has adopted a code of ethics for senior executive, financial and accounting officers and, if not, the issuer must disclose why it has not done so. Prompt disclosure is required of any change in or waiver of the issuer’s code of ethics relating to any of the senior officers.

The Act is silent as to the mechanics of the audit committee’s role in overseeing the accounting and financial reporting processes of the issuer. The following are examples of actions that we would consider to be proper oversight:

Review of Issuer’s Procedures—The committee should review the issuer’s procedures that are designed to help the issuer comply with the disclosure requirements imposed by the Act and the SEC’s new rules. The issuer should also have in place procedures that enable the audit committee to review the issuer’s public communications containing financial information, such as:

• all SEC filings—in particular to review and approve the MD&A section of the annual proxy statement—and to assure that any non-GAAP financial measures included therein comply with Regulation G;

• the issuer’s earnings releases and "real-time" disclosures;

• financial information and earnings guidance provided to analysts and rating agencies;

• the issuer’s compliance with legal and regulatory requirements; and
• disclosure of material off-balance sheet transactions and contractual obligations.

Meeting with Issuer’s Internal and Outside Auditors and Management—The audit committee should periodically meet with the issuer’s inside and outside auditors and management of the issuer to review and discuss:

• any issues that may have arisen in connection with the preparation of the quarterly and annual reports (together with the CEO and CFO certifications thereof);
• contingencies, guarantees, and policies to govern financial risk assessment and management;
• the issuer’s report on internal controls and the auditor’s assessment thereof; and
• other sensitive items such as significant adjustments that have been made or recommended, disagreements between management and the auditor, off-balance sheet transactions and the use of special-purpose entities, related party transactions, critical accounting policies and practices, and alternative treatments, critical accounting estimates, revenue recognition, complaints from whistle-blowers, and communications from regulatory agencies regarding the issuer’s accounting, internal controls or auditing matters.

Audit Committee Contact with Auditor—The Act requires that the audit committee regularly communicate with and continually monitor the auditors. Certain required reports to be made by the auditor to the audit committee are described in Section E, above. The Act will undoubtedly result in the audit committee having more regular contact with the issuer’s auditor during the conduct of an audit.

Questions such as the following may arise in the course of such oversight:

• What action might be taken by the audit committee if it receives a significant report from the issuer’s auditor (or any accountant retained by the audit committee as an advisor) that may raise questions as to whether the financial statements "fairly present" the issuer’s financial condition or results of operations, even though they may be reported in accordance with GAAP?
• What is the responsibility of the audit committee if the issuer’s auditor discloses to the committee that it prefers an alternative accounting treatment for a transaction to that chosen by management?

We believe that most issuers will want to consider whether it would be appropriate for rules or procedures to be adopted dealing with such matters. Some issuers will find it necessary to include new provisions in the committee’s charter adopted by the board of directors or in rules of practice adopted by the audit committee itself.

The revisions effected pursuant to the Act to Rule 10A-3 under the Exchange Act prohibit SROs from listing any security of an issuer that has not achieved compliance with the following:

• independence of each member of its audit committee;

• audit committee must have responsibility for appointing, compensating, and overseeing the outside auditor;

• audit committee must have established procedures for handling complaints and concerns expressed by employees;

• audit committee must have authority to engage independent counsel and other advisers; and

• audit committee must receive sufficient funding from the issuer in order to carry out its duties.

SROs have submitted proposed rules and/or rule amendments that comply with Rule 10A-3. These rules must be approved by the SEC by December 1, 2003. The NYSE, AMEX and NASDAQ have each submitted extensive proposals to the SEC, including audit committee requirements, none of which has yet received SEC approval.

This article is presented for informational purposes only and is not intended to constitute legal advice.