Compliance, Risk Management And Internal Controls: A Checklist For Corporate Counsel - Part II

Sunday, August 1, 2004 - 00:00

Part I appeared in the July 2004 issue of The Metropolitan Corporate Counsel. Part II covers questions to be considered by corporate counsel with respect to the checklist included in Part I. It also covers the code of ethics requirements of Sarbanes-Oxley, the NYSE and NASDAQ, and questions pertaining to them. As the author points out, the requirements outlined in this article make the general counsel an even more significant player in corporate governance. General counsel can, if they have the necessary status, staff and other resources, make the scandals of the past significantly less likely to recur.

Part I of this article discussed the impact of the U.S. Sentencing Guidelines for Organizations, the Sarbanes-Oxley Act (Section 404), the NYSE and NASDAQ Listing Standards, the proposed draft COSO Framework for Enterprise-wide Risk Management and PCAOB Auditing Standard No. 2 (governing the outside auditor's review of internal control) on the evolving roles and responsibilities of Boards of Directors and, in particular, Audit Committees.

These increased responsibilities in the areas of risk management, compliance and internal controls should result in a much more proactive Audit Committee. Part II of this article suggests a number of questions that Audit Committees should be asking management. General counsel should be prepared to respond to these inquiries and, where possible, work with management and the Audit Committee to frame these questions in advance and prepare the responses.

General counsel should seek to educate and inform the Audit Committee and management about these new responsibilities and develop enterprise-wide risk management systems in response to them.

The following checklist suggests some, but certainly not all, of the kinds of inquiries that Audit Committees should be making, and therefore the questions that general counsel should be working proactively with management to anticipate and be in a position to answer.

Relevant Questions Pertaining To Part I

• Do risk managers or a risk management committee have the authority and backing of the Board?

• Has the CEO made compliance and risk management a strategic priority?

• Has a senior-level position been established with firm-wide risk oversight responsibilities?

• Has a compliance structure been established? Is there a senior, full-time compliance officer? Are appropriate compliance policies and procedures in place?

• Is there a direct reporting line from the senior risk officer and the compliance officer to the Audit Committee and the Board?

• Have the responsibilities of the company's executive management and organizational leadership for compliance been specified?

• Do the individuals within the company responsible for implementing the compliance and risk management programs have adequate resources and authority?

• Is the Board fully apprised of all risks faced by the company, including not only business and financial risks but also legal, regulatory, compliance, operating, treasury, vendor, customer, product, political, international, supply, reputational, human resources, technology, insurance and audit risks?

• Has the Board made an independent determination that management has implemented and maintains an effective enterprise-wide risk management process, including policies and procedures?

• Is there an effective training program and a process for disseminating training materials and information?

• Is there periodic evaluation of the effectiveness of the program, and a requirement for monitoring and auditing systems?

• Are ongoing risk assessments conducted?

• Has executive management demonstrated and communicated an effective "tone at the top" and created a culture of compliance?

• Has the Audit Committee allotted enough time and attention to discussions of internal control with management, the internal auditor and the external auditor?

• Has the Audit Committee obtained written representations from management, based on an appropriate and effective assessment, on the effectiveness of internal control over financial reporting?

• Do the above-mentioned written representations cover prevention and detection of fraud?

• Has the Audit Committee established specific expectations with management and the internal and external auditors about its information needs related to internal control, with particular attention to the control environment and controls in high-risk areas?

• Is the Audit Committee aware of the existence and adequacy of a compliance system, including policies, procedures, training and certification?

• Has the Audit Committee discussed the company's risk assessment and risk management policies?

Code Of Ethics For Senior Financial Officers - Sarbanes-Oxley

Section 406: A company must disclose in its 10-K whether it has adopted a written code of ethics that applies to the company's senior financial officers (e.g., CEO, CFO, CAO, controller).

• If the company has not adopted such a code of ethics (or has not amended its existing code of ethics to meet the SEC's criteria), it must state the reasons why.

• The code of ethics must be publicly available (as an exhibit to the 10-K, posted on the company's website, or by an undertaking in the 10-K to send a copy free of charge to anyone who requests it).

• Companies are required to disclose changes to, or waivers from, the code of ethics for senior financial officers on Form 8-K or on the company's website (under certain conditions) within 5 business days.

• The code of ethics must be reasonably designed to deter wrongdoing and promote:

¤ Honest and ethical conduct, including ethical handling of actual or apparent conflicts of interest between personal and professional relationships;

¤ Full, fair, accurate, timely and understandable disclosure in SEC filings and public communications;

¤ Compliance with applicable governmental rules and regulations;

¤ Prompt internal reporting of violations of the code to appropriate persons identified in the code;

¤ Accountability for adherence to the code.

Code Of Business Conduct And Ethics - NYSE

• The NYSE rules require a listed company to adopt and disclose a code of business conduct and ethics for all directors, officers and employees that addresses the following topics:

¤ Conflicts of interest and corporate opportunities;

¤ Fair dealing;

¤ Protection and use of company assets;

¤ Compliance with laws, rules and regulations;

¤ Reporting of illegal or unethical behavior.

• The company must post the code of business conduct and ethics on its website.

• The 10-K must state both that the code is available on the website and that it is available in print to any shareholder who requests it.

• Only the board or a board committee may waive code provisions for officers or directors, and any such waiver must be disclosed promptly.

Code Of Ethics And Business Conduct - Nasdaq

The Nasdaq rules require a company to have a publicly available code of conduct that complies with the SEC "Code of Ethics" and which is applicable to all directors, officers and employees. The code of conduct must include:

• An enforcement mechanism that ensures:

¤ Prompt and consistent enforcement of the code;

¤ Protection for persons reporting questionable behavior;

¤ Clear and objective standards for compliance;

¤ A fair process by which to determine violations.

Only the board may waive compliance with the code for officers or directors, and any such waiver (as well as the reason for the waiver) must be disclosed on a Form 8-K within 5 days.

Relevant Questions Pertaining To Codes Of Ethics And Business Conduct

• Has a code been adopted?

• Has a Chief Ethics Officer been named, or other appropriate senior management designated, to monitor compliance, communicate with all employees, and conduct appropriate employee training and certification?

• Does the CEO or another designated person report to the Board on activity related to his or her assigned sections of the code?

• How are compliance, communication, training, certification and reporting accomplished?

• How does this process interface with the CEO/CFO code of ethics requirement in Section 406 of Sarbanes-Oxley?

• Is there an appropriate system for responding to complaints, reports or questions? How does it interact with the "whistleblower" requirements?

• Who determines how to respond to a report of code violations? When is an internal investigation necessary?

• Does the Audit Committee have oversight responsibility for conduct relating to the code of ethics?

• Does the Audit Committee have oversight responsibility for complaints and reports?

• Is there an annual certification of compliance by the CEO and CFO?


Implementation of a proactive, preventative approach to risk management and compliance at both the Board and management levels is critical. It sends a clear message to the officers and employees of the company, and to the public, that these issues are not just legal requirements but ethical and cultural imperatives, and that they represent sound business practices that are part of the company's culture. The emphasis that the proposed Guidelines, the Exposure Draft and the Auditing Standard place on culture and "tone at the top" underscores the importance of this approach. In addition, the nature and intensity of regulatory and enforcement responses to problems have increased significantly, and all indications are that this will continue. A proactive, preventative approach to risk management will help to minimize problems and, when problems do occur, will help to minimize the regulatory and enforcement consequences.

Robert E. Bostrom is a Partner and Head of the Financial Institutions Practice of Winston & Strawn LLP. Much of the material included in this article was covered in a presentation made by Mr. Bostrom on May 18, 2004 to the American Conference Institute's seminar entitled "Corporate Counsel Guide to Internal and External Investigations" and is used with the permission of the Institute.

Please email the author at with questions about this article.