Securities Exchange Act of 1934 Reporting Readiness Considerations
April 4, 2017

Robert Suffoletta, Corporate
Bryan King, Corporate

The materials in this presentation, and the opinions expressed in this webinar, are those of the authors and speakers, respectively, and do not necessarily reflect the opinions of the companies or institutions with which such authors or speakers are affiliated. In addition, neither these materials nor the views expressed in this webinar are intended to constitute legal advice as to any particular situation.

What are internal controls and why do they matter?

- Post-IPO, an issuer becomes a reporting company and is subject to the reporting and disclosure regime of the Securities Exchange Act of 1934
- Reporting companies face potential administrative and civil liability for untrue statements of material fact or material omissions in publicly filed reports
  - An active plaintiffs' bar patrols public filings
- Reporting companies are required to develop and maintain internal controls over financial reporting ("ICFR") and disclosure controls and procedures ("DCP")
- If an issuer is required to restate its financial results (likely due to failures in ICFR/DCP), SEC can force disgorgement of compensation paid to CEO/CFO during relevant period
- Failure to maintain effective ICFR and DCP increases the likelihood that the company's public reports will be materially inaccurate

What is internal control over financial reporting ("ICFR")?

- ICFR is a process designed and supervised by the CEO and CFO to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP for external purposes
- ICFR includes those policies and procedures that:
  - Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the company's assets
  - Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management
  - Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements

What are disclosure controls and procedures ("DCP")?

- DCP means controls and other procedures designed to ensure that information required to be disclosed in public filings is recorded, processed, summarized and reported in a timely manner
- Include all controls and procedures designed to ensure that relevant information is accumulated and communicated to the issuer's management, including its CEO and CFO as appropriate, to allow timely decisions regarding required disclosure
- "The SEC's rules mandating DCP require the CEO and Board to make certain that procedures are in place to ensure that they hear bad news." (Former SEC Commissioner Cynthia Glassman)

What must the company disclose about ICFR in its periodic reports?

- On an annual basis (in the Form 10-K), management must disclose its assessment of the effectiveness of ICFR
  - New reporting companies are not required to make ICFR disclosure until the second Form 10-K
- On a quarterly basis (in the Form 10-Q/10-K), management must disclose any change that has materially affected or is reasonably likely to materially affect the issuer's ICFR
- The annual report on Form 10-K must:
  - State that management is responsible for establishing and maintaining adequate ICFR
  - Identify framework used to evaluate effectiveness of ICFR
  - State management's conclusion as to whether ICFR is effective
  - If any material weakness identified, must state that ICFR is not effective and describe material weakness

What must the company disclose about ICFR in its periodic reports? (cont'd)

- Framework used to evaluate ICFR must be based on a framework established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment
- Many reporting companies have adopted the framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which divides ICFR into five broad components:
  - Control Environment: The company's top-down values and culture that set the tone and provide discipline and structure
  - Risk Assessment: Mechanisms to identify and analyze risks relevant to company objectives
  - Control Activities: Policies and processes that ensure management's directives are carried out
  - Information and Communication: The company's ability to identify, capture and communicate pertinent information
  - Monitoring: Processes that assess ICFR effectiveness over time

What must the company disclose about DCP in its periodic reports?

- Management is required to evaluate effectiveness of DCP and to disclose its assessment each quarter in the Form 10-Q/10-K (begins with first periodic report filed post-IPO)
- Management is required to evaluate overall effectiveness, but may also focus on developments since the most recent evaluation, areas of weakness, continuing concerns or other aspects of DCP that merit attention

What are SOX certifications and why do they matter?

- Section 302 of the Sarbanes-Oxley Act of 2002 ("SOX") requires a reporting company's CEO and CFO to personally sign the following certifications in each periodic report on Form 10-K/10-Q:
  - They are personally responsible for establishing and maintaining effective DCP and ICFR
  - They have evaluated the effectiveness of DCP and ICFR
  - They have disclosed any deficiencies in and material changes to ICFR
- SEC and DOJ have brought numerous civil and criminal actions against CEO/CFOs on the basis of false 302 certifications
  - Actions taken against management of large and small issuers
  - Not necessarily preceded by restatement of financials or accompanied by allegations of materially misstated financials
  - Multiple actions brought solely on the basis of undisclosed deficiencies in ICFR ("broken window" enforcement)

What are SOX certifications and why do they matter? (cont'd)

- DOJ takes the position that knowingly filing a false 302 certification carries criminal penalties, including fines up to $5 million and up to 25 years in prison
- SEC imposes civil and administrative penalties, including injunctions and fines levied against individual officers
- SEC can also force CEOs and CFOs to reimburse their company for bonuses, incentive or equity-based compensation, and profits realized from the sale of company's securities when a company restates financials due to material noncompliance with financial reporting requirements, including 302 certifications
- Under Section 10(b) of the Act, reporting companies have civil liability for untrue statements of material fact or material omissions in their periodic reports, if plaintiffs can prove issuer knew its disclosure was untrue
  - False 302 certifications can create a strong inference of actual knowledge or of deliberate recklessness to support claims that the company knew its disclosure was false

What are SOX certifications and why do they matter? (cont'd)

- Bottom line: false 302 certifications may support charges of criminal securities fraud or wire fraud against CEO and CFO, and may subject individual officers and the company to civil and administrative penalties

What practical steps can issuers take to ensure accuracy of ICFR/DCP disclosure?

- Form a disclosure committee
  - Management committee tasked with assisting the CEO, CFO and audit committee by:
    - Collecting and evaluating information to be disclosed in public filings
    - Preparing required disclosures
    - Ensuring that the company's DCP are properly implemented
    - Ensuring that company filings are accurate, complete, timely and fair
  - Usually chaired by CFO, controller or chief legal officer and reporting directly to CFO or CEO
  - Typically includes principal accounting officer or controller, principal legal officer, principal risk management officer and chief investor relations officer, as well as senior managers knowledgeable about primary business units
  - Governed by a written committee charter

What practical steps can issuers take to ensure accuracy of ICFR/DCP disclosure? (cont'd)

- Adopt a disclosure policy
  - Adopt, distribute and regularly review a written disclosure policy
- Establish a process of upward certification
  - Develop a process for upward certification of internal control reports by field managers to upper management
- Be prepared to back up all public statements
  - Routinely create and preserve factual back-up materials that support all material public statements by company
  - Important from a liability perspective, but also helpful to support due diligence when company seeks financing

Key Takeaways

- Effective ICFR/DCP and related accurate disclosures will require new people, new processes and more time than you expect; start planning now
- Foster a culture of reporting, accountability and disclosure from the top down
- Engage early and often with your auditors and counsel to plan, prepare and refine ICFR and DCP

Thank you!

Robert Suffoletta
Wilson Sonsini Goodrich & Rosati
900 South Capital of Texas Highway
Las Cimas IV, Fifth Floor
Austin, TX 78746
rsuffoletta@wsgr.com
Office: (512) 338-5439

Bryan King
Wilson Sonsini Goodrich & Rosati
701 Fifth Avenue, Suite 5100
Seattle, WA 98104
bking@wsgr.com
Office: (206) 883-2535