NEWS ALERT

SARBANES-OXLEY UPDATE

Internal Control Over Financial Reporting and Certification of Disclosures

Executive Summary

On June 6, 2003, the SEC released in final form its rules (the "Rules") under Section 404 of the Sarbanes-Oxley Act of 2002 ("Sarbanes-Oxley") concerning management's report on internal control over financial reporting, and certification of disclosures in periodic reports filed under the Securities Exchange Act of 1934 (the "Exchange Act"). [1]

The Rules add new disclosure requirements for each annual report (Forms 10-K, 10-KSB, 20-F, and 40-F) of a company, other than a registered investment company. Each annual report must contain a statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting, as well as management's assessment, at the end of the company's most recent fiscal year, of the effectiveness of such internal control structures and procedures. The Rules also require the company's auditor to attest to, and report on, management's procedures for financial reporting in accordance with the standards established by the Public Company Accounting Oversight Board (the "PCAOB").

Additionally, the Rules require companies to perform quarterly evaluations of changes that have materially affected or are reasonably likely to materially affect the company's internal control over financial reporting. Finally, the Rules require a company to submit the CEO and CFO certifications mandated by Sections 302 and 906 of Sarbanes-Oxley as exhibits to periodic reports filed with the SEC.

Management's Report on Internal Control Over Financial Reporting

What exactly is "internal control over financial reporting"?
Internal control over financial reporting is a process designed by, or under the supervision of, the company's principal executive and principal financial officers, or persons performing similar functions, and effected by the company's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the generally accepted accounting principles ("GAAP") and includes those policies and procedures that:
- Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the company;
- Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP, and receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
- Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company's assets that could have a material effect on the financial statements.

June 2003, www.jenner.com

What must be included in the annual internal control report?
The annual report on internal control over financial reporting must contain the following:
- A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
- A statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company's control over financial reporting;
- Management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including a statement as to whether or not the company's internal control over financial reporting is effective (including disclosure of any "material weaknesses" [2] in the company's internal control over financial reporting identified by management, which would preclude management from concluding that the company's internal control over financial reporting is effective); and
- A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting.

The company must also file, as part of the company's annual report, the attestation report of the registered public accounting firm that audited the company's financial statements. The Rules do not specify the exact content of the report beyond these general requirements for fear that doing so would result in boilerplate responses of little value. As a result, management should tailor the report to the company's circumstances.

Are there any requirements for the framework used by management to evaluate effectiveness?
Yes. The framework must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.

A suitable framework must:
- Be free from bias;
- Permit reasonably consistent qualitative and quantitative measurements of a company's internal control;
- Be sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company's internal controls are not omitted; and
- Be relevant to an evaluation of internal control over financial reporting.

While the Rules do not mandate the use of a particular framework, the SEC has specifically authorized the use of the framework established by the Committee of Sponsoring Organizations of the Treadway Commission in its published reports regarding internal control. [3]

To what extent is documentation required with regard to properly evaluating internal control over financial reporting?
The Rules do not specify the procedures to be performed in an evaluation. However, a company must maintain documentation to provide reasonable support for management's assessment of the effectiveness of the company's internal control over financial reporting. The documentation must cover both the design of internal controls and the testing processes, and must provide reasonable support:
- For the evaluation of whether the control is designed to prevent or detect material misstatements or omissions;
- For the conclusion that the tests were appropriately planned and performed; and
- That the results of the tests were appropriately considered.

Additionally, the company's auditor that is required to attest to, and report on, management's assessment will require that the company develop and maintain such documentation to support management's assessment.

What are the auditor attestation requirements?
As mentioned above, a company must now file, as part of its annual report, a statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting, as well as the auditor's attestation report itself. The PCAOB is required to set standards for registered public accounting firms' attestations to, and reports on, management's assessment regarding its internal control over financial reporting. On April 16, 2003, the PCAOB designated Statements on Standards for Attestation Engagements No. 10 as the standard of management's assessment of the effectiveness of internal control over financial reporting pending further PCAOB standard setting in this area. The PCAOB will monitor the appropriateness of those standards and modify them as needed.

Must the quarterly evaluations of internal control be as extensive as the annual evaluations?
No. For purposes of the quarterly evaluations, the company's management, with the participation of the principal executive and financial officers, must evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting. The annual reports require an overall evaluation of internal controls, not just an evaluation of changes to the internal controls.

Do the Rules regarding auditor attestation affect the previously enacted rules regarding auditor independence?
No.
Management and independent auditors will need to coordinate their processes of documenting and testing the internal controls over financial reporting; however, auditors cannot provide non-audit services to an audit client. Auditors may assist in documenting internal controls; however, management must be actively involved in the process. The Rules do not change these circumstances.

Are there differences between "internal control over financial reporting" and "disclosure controls and procedures"?
Yes. Disclosure controls and procedures are designed to ensure that information required to be disclosed by the company in the reports that it submits or files under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the SEC's rules and forms. The SEC believes that while there is substantial overlap between a company's disclosure controls and procedures and its internal control over financial reporting, there are both some elements of disclosure controls and procedures that are not subsumed by internal control over financial reporting and some elements of internal control that are not subsumed by the definition of disclosure controls and procedures. However, the SEC also believes that many companies will design their disclosure controls and procedures so that they do not include all components of internal control over financial reporting.

Where should the internal control report appear in the company's annual report?
While no specific mandate has been given, the SEC recommends the internal control report appear near the corresponding attestation report issued by the company's auditor. The SEC expects the majority of companies to place the internal control report and attestation report near the MD&A disclosure, immediately preceding the companies' financial statements.

When must companies begin compliance with the new reporting requirements regarding internal control over financial reporting?
The SEC originally wished to require compliance with the Rules by September of this year. However, because the SEC realized that it may take a substantial amount of time for companies to implement procedures for the evaluation of internal controls, as well as for the PCAOB to take necessary action with regard to establishing standards for attestation engagements, the effective date for internal control reporting requirements has been delayed. Companies, other than foreign private issuers, meeting the definition of an "accelerated filer" in Rule 12b-2 of the Exchange Act will be required to comply with the internal control reporting requirements for fiscal years ending on or after June 15, 2004. Generally, these issuers are U.S. companies that have equity market capitalization over $75 million and have filed an annual report with the SEC. All other issuers will be required to comply for fiscal years ending on or after April 15, 2005.

CEO/CFO Certifications Under Sections 302 and 906 of Sarbanes-Oxley

What changes have been made with regard to certifications under Section 302?
The previous practice regarding certifications under Section 302 has been to include the certification immediately after the signature block at the end of the periodic report. The Rules now require companies to file CEO/CFO certifications as an exhibit to periodic reports. Specifically, Item 601 of Regulations S-B and S-K has been amended to add the Section 302 certifications to the list of required exhibits. The specific form and content of the required certifications are set forth in the applicable exhibit filing requirement.

Additionally, companies were previously required, in their quarterly and annual reports, to disclose the conclusions of the principal executive and financial officers about the effectiveness of the company's disclosure controls and procedures as of a date within 90 days of the filing date of the report. The Rules have amended the evaluation date to "as of the end of the period" covered by the report.

What changes have been made with regard to certifications under Section 906?
The Rules have amended Rules 13a-14 and 15d-14 of the Exchange Act to require the Section 906 certifications to be furnished with the periodic reports to which they relate. The Rules also amend Item 601 of Regulations S-B and S-K to add Section 906 certifications to the list of required exhibits. As a result of the Rules, Section 906 certifications will be publicly provided. A Section 906 certification must certify that:
- The report fully complies with Sections 13(a) or 15(d) of the Exchange Act; and
- The information contained in the report fairly represents, in all material respects, the financial condition and result of operations of the company.

Additionally, any CEO or CFO that knowingly or willfully provides a false certification under Section 906 will be subjected to criminal penalties.

Is there a difference between "furnishing" and "filing" a Section 906 certification?
Yes. The Rules permit companies to "furnish" rather than "file" the Section 906 certifications with the SEC. Section 906 certifications that are furnished will not be subject to liability under Section 18 of the Exchange Act. Additionally, Section 906 certifications will not be subject to automatic incorporation by reference into a company's registration statements, which are subject to liability under Section 11 of the Securities Act of 1933, unless the company takes steps to include the certifications in a registration statement.

What are the procedural differences between a Section 302 certification and a Section 906 certification?
The procedural differences between a Section 302 certification and a Section 906 certification are the following:
- Unlike Section 302 certifications, Section 906 certifications are required only in periodic reports that contain financial statements. Therefore, amendments to periodic reports that do not contain financial statements would not require a new Section 906 certification, but would require a new Section 302 certification to be filed with the amendment;
- Unlike Section 302 certifications, Section 906 certifications may take the form of a single statement signed by a company's chief executive and financial officers; and
- Unlike Section 302 certifications, which are included as part of the accompanying periodic report, Section 906 certifications are furnished with, and not made a part of, the accompanying periodic report.

What is the purpose of amending the certification requirements of Sections 302 and 906?
The principal reason that these certification requirements have been amended is to make it easier for the SEC, the Department of Justice and investors to access Section 302 and 906 certifications expeditiously.

When are the Rules regarding certifications under Sections 302 and 906 of Sarbanes-Oxley effective?
The Rules and form amendments concerning Sections 302 and 906 will become effective 60 days after their publication in the Federal Register. Given the differences between the compliance date of the rules relating to internal control over financial reporting and the effective date of changes to the language of the Section 302 certification, a company's certifying officers may temporarily modify the content of their Section 302 certifications to eliminate certain references to internal control over financial reporting until the compliance date.

Endnotes

[1] SEC Release Nos.
33-8238; 34-47986, available at http://www.sec.gov/rules/final/33-8238.htm

[2] A "material weakness" is a deficiency in the design and operation of internal control that could adversely affect a company's ability to record, process, summarize and report financial data consistent with the assertions of management in the company's financial statements. SEC Release No. 33-8238, fn. 73.

[3] See COSO Internal Control-Integrated Framework (1992), as well as the 1994 and 1996 supplements to this publication.

For more information, please contact any of the following Jenner & Block attorneys:
- Robert S. Osborne (rosborne@jenner.com)
- Jerry J. Burgdoerfer (jburgdoerfer@jenner.com)
- Charles J. McCarthy (cmccarthy@jenner.com)
- Robert Z. Slaughter (rslaughter@jenner.com)
- John E. Welch* (jwelch@jenner.com)
- Thomas A. Monson (tmonson@jenner.com)
- Thaddeus J. Malik (tmalik@jenner.com)
- Donald E. Batterson (dbatterson@jenner.com)
- David R. Bowman (dbowman@jenner.com)
- Bobby J. Hollis II* (bhollis@jenner.com)
- Tobias L. Knapp* (tknapp@jenner.com)
- David M. Neville (dneville@jenner.com)
- Edward G. Quinlisk (equinlisk@jenner.com)
- Jill R. Sheiman (jsheiman@jenner.com)
- Matthew B. Speiser (mspeiser@jenner.com)
- Michael D. Thompson (mthompson@jenner.com)

All attorneys may be contacted by phone at 312 222-9350, except * at 202 639-6000.

Additional Sarbanes-Oxley rule summaries can be found at: http://www.jenner.com/practice/practice_detail.asp?id=439&parentid=29&parentname=corporate

© 2003 Jenner & Block, LLC. Jenner & Block is an Illinois Limited Liability Company. Although no longer a partnership, we use the term "partners" to refer to the attorneys who directly or indirectly hold membership interests in the LLC. This publication is not intended to provide legal advice but to provide information on legal matters and Firm news of interest to our clients and colleagues. Readers should seek specific legal advice before taking any action with respect to matters mentioned in this publication.
Under professional rules, this news alert may be considered advertising material; the attorney responsible for this publication is Jerry J. Burgdoerfer.