Corporate Governance Self-Audits: Policing Yourself Before You Get Policed

Wednesday, September 1, 2004 - 01:00

More than two years after it was enacted, directors and executive officers of
publicly traded companies, and their advisors, are still responding to the
dramatic changes to the rules of corporate governance wrought by the
Sarbanes-Oxley Act of 2002 and the new Securities and Exchange Commission (SEC)
and stock exchange rules that followed. Seeking to shore up U.S. capital markets
that had been overwhelmed by the so-called "dotcom" implosion, the Enron
debacle, and a series of high-profile corporate governance scandals, the United
States Congress adopted a series of directives that represent the most
significant changes in Federal securities law since the Depression.

Congress painted with a broad brush. Many of the most significant aspects of
the Sarbanes-Oxley Act consist of general statements combined with directions to
the SEC to develop implementing regulations over periods ranging from thirty
days to one year after enactment. In response, the SEC promulgated thousands of
pages of proposed and final rules. The SEC's interpretations of the
Sarbanes-Oxley Act have answered several questions, but also have raised
interpretational issues that leave the regulated community at some risk.

The Sarbanes-Oxley Act compels those who manage, advise or audit public
companies to pay added (if not new) attention to corporate governance issues.
Entities that evaluate public companies, such as rating agencies and shareholder
advisory services, have developed audit programs designed to determine whether
particular public companies have become good corporate citizens. Civil and
criminal regulators, as well as plaintiffs' lawyers, are surely developing their
own corporate governance score cards.

Public companies ought to perform their own self-assessments before they find
themselves under the scrutiny of unfriendly third-party corporate governance
audits. We offer below the broad outline of a corporate governance
self-assessment to assist company counsel in evaluating whether their company's
corporate governance protocols can withstand the outside scrutiny they may later
receive. It would be impossible to provide a complete self-assessment survey
(which would necessarily cover internal controls and other Rule 404 matters,
up-the-ladder reporting issues, loans to officers and directors and other
important Sarbanes-Oxely Act issues) in the space allotted, so we have focused
on specific sections of our outline.

Board Independence

The Sarbanes-Oxley Act has led the New York Stock Exchange, the American
Stock Exchange and NASDAQ to develop definitions of "independence" and then to
impose specific independence requirements with respect to the composition of
certain board committees as well as the composition of the board of directors.
While the definitions vary slightly, the self-assessment protocol should involve
analysis of the following issues, regardless of the exchange on which the
company's securities trade:

  • Has the board made affirmative determinations regarding each member's
    independence under the applicable definition?

  • In making independence determinations, has the board received sufficient
    data regarding each board member to assure that all aspects of the independence
    definitions are satisfied?

  • Has the board implemented procedures to assure that the applicable data is
    updated on a regular basis?
  • Subject to qualifications regarding so-called
    "controlled" corporations, the exchanges mandate that a majority of the board be
    independent and that various committees consist solely of independent
    directors. In certain circumstances, exceptions may be permitted for limited
    periods of time. A self-assessment audit should consider:

  • Do controls exist to assure that all applicable independence requirements
    are satisfied?

  • Do controls exist to assure that the applicable exchange is notified in the
    event that an independence requirement is no longer satisfied?

  • If the company is relying upon an exception permitted by the applicable
    exchange, have appropriate steps been taken to assure and document that a
    sufficient basis exists for relying upon the exception?

  • Do controls exist to assure that the board is notified when and if reliance
    on an exception is no longer permitted?
  • The exchanges require that independent directors meet
    periodically in "executive session" outside of the presence of management,
    although there is very little guidance about what should be discussed in those
    executive sessions. A self-assessment audit should examine the following:

  • Have procedures been implemented to assure that such executive sessions
    occur on a regular basis?

  • Are the executive sessions documented in the company's minutes?

  • If follow-up actions are required as a result of such executive sessions,
    are controls in place to assure that such actions are taken?
  • Board Committee Actions

    A substantial portion of the work of a typical public company board is
    performed by board committees. In light of applicable requirements, most public
    company boards can be expected to have, at a minimum, an audit committee, a
    compensation committee, a nominating committee and a committee (which could be
    the same as any of the foregoing committees) charged with the responsibility of
    monitoring related-party transactions. As corporate governance becomes a
    critical issue in corporate America, many boards have established corporate
    governance committees to assure proper focus on governance issues.

    As a matter of good corporate governance and, in certain circumstances, as
    required by applicable legal requirements, the functions of most committees are
    described in charters or resolutions adopted by the full board (and, in many
    cases, disclosed to the public). A self-assessment questionnaire would ask the
    following questions:

  • Does each board committee have a charter or other mission statement that
    articulates the functions of the committee?

  • Are each of the members of each committee aware of the charters applicable
    to their committees?

  • Does each committee report back to the full board after each of its

  • Are minutes of each committee meeting prepared, available to committee
    members and available to the full board?
  • The SEC's proxy rules demand that public companies
    disclose their audit committee charters no less frequently then once every three
    years. This obligation has led many companies to develop elaborate audit
    committee charters reflecting extensive responsibilities for audit committee
    members. Such elaborate charters can be fodder for plaintiffs' lawyers and
    conceivably for regulators. To avoid creating committee charters with which a
    committee cannot comply, a self-assessment guide would ask the following

  • Has each committee charter been reviewed to determine whether it is feasible
    for the committee to perform its designated functions?

  • Are steps taken to remind committee members of the functions to be

  • Is there follow-up to assure that the enumerated functions are being
  • Complaint Procedures

    Audit committees are required by the Sarbanes-Oxley Act to develop anonymous
    complaint procedures to assure that they receive, retain and respond to
    complaints regarding accounting, internal accounting controls, or auditing
    matters generally, and confidential anonymous submissions by employees of
    concerns regarding questionable accounting or auditing matters.
    While many public companies have hired outside consultants to develop
    and operate complaint mechanisms, other companies have implemented their own
    procedures. In any case, a self-assessment program should review the following

  • Does a complaint procedure exist?

  • Are employees aware that the complaint procedure exists?

  • If any complaints have been lodged through the complaint procedure, have
    they been resolved?

  • Has any retaliatory action been taken against any person who has submitted a

  • Has there been any pattern in the complaints that suggest that a pervasive
    problem exists?
  • Disclosure Controls

    Pursuant to the Sarbanes-Oxley Act the chief executive officer and chief
    financial officer of a public company must certify as to the adequacy of the
    company's disclosure controls. Disclosure controls are controls which assure
    that information which may be disclosable is funneled to those persons
    responsible for preparing disclosure documents filed with the SEC. While the SEC
    has not yet mandated that companies adopt so-called disclosure committees, the
    SEC has, in more then one release, strongly suggested that public companies
    establish disclosure committees to assure a proper flow of disclosable
    information. A self-audit should ask:

  • If the company has a disclosure committee, has it met regularly and kept

  • If the company has a disclosure committee, has that committee reached any
    conclusion other than that disclosure controls are adequate?

  • If the company has a disclosure committee which recommends that corrective
    action be taken, are procedures in place to monitor compliance steps?

  • If the company does not have a disclosure committee, what steps are being
    taken to assure that discloseable information is funneled to senior members of
  • Arranging for a confidential outside review of these
    and other corporate governance issues may save a company money, embarrassment
    and potential civil and criminal liability. We suggest that companies take the
    time to police themselves, before they are policed.

    Peter H. Ehrenberg is the Chairman of the Corporate
    Department and the Corporate Finance/M&A Practice Group of Lowenstein
    Sandlar PC, based in Roseland, New Jersey. He can be reached at (973) 597-2350.
    Anthony O. Pergola is Vice Chair of the firm's Tech Group and a
    member of the Corporate Finance/M&A Practice Group. He can be reached at
    (973) 597-2444.

    Please email the authors at
    with questions about this