More than two years after it was enacted, directors and executive officers of
publicly traded companies, and their advisors, are still responding to the
dramatic changes to the rules of corporate governance wrought by the
Sarbanes-Oxley Act of 2002 and the new Securities and Exchange Commission (SEC)
and stock exchange rules that followed. Seeking to shore up U.S. capital markets
that had been overwhelmed by the so-called "dotcom" implosion, the Enron
debacle, and a series of high-profile corporate governance scandals, the United
States Congress adopted a series of directives that represent the most
significant changes in Federal securities law since the Depression.
Congress painted with a broad brush. Many of the most significant aspects of
the Sarbanes-Oxley Act consist of general statements combined with directions to
the SEC to develop implementing regulations over periods ranging from thirty
days to one year after enactment. In response, the SEC promulgated thousands of
pages of proposed and final rules. The SEC's interpretations of the
Sarbanes-Oxley Act have answered several questions, but also have raised
interpretational issues that leave the regulated community at some risk.
The Sarbanes-Oxley Act compels those who manage, advise or audit public
companies to pay added (if not new) attention to corporate governance issues.
Entities that evaluate public companies, such as rating agencies and shareholder
advisory services, have developed audit programs designed to determine whether
particular public companies have become good corporate citizens. Civil and
criminal regulators, as well as plaintiffs' lawyers, are surely developing their
own corporate governance score cards.
Public companies ought to perform their own self-assessments before they find
themselves under the scrutiny of unfriendly third-party corporate governance
audits. We offer below the broad outline of a corporate governance
self-assessment to assist company counsel in evaluating whether their company's
corporate governance protocols can withstand the outside scrutiny they may later
receive. It would be impossible to provide a complete self-assessment survey
(which would necessarily cover internal controls and other Rule 404 matters,
up-the-ladder reporting issues, loans to officers and directors and other
important Sarbanes-Oxely Act issues) in the space allotted, so we have focused
on specific sections of our outline.
Board Independence
The Sarbanes-Oxley Act has led the New York Stock Exchange, the American
Stock Exchange and NASDAQ to develop definitions of "independence" and then to
impose specific independence requirements with respect to the composition of
certain board committees as well as the composition of the board of directors.
While the definitions vary slightly, the self-assessment protocol should involve
analysis of the following issues, regardless of the exchange on which the
company's securities trade:
Has the board made affirmative determinations regarding each member's
independence under the applicable definition?
In making independence determinations, has the board received sufficient
data regarding each board member to assure that all aspects of the independence
definitions are satisfied?
Has the board implemented procedures to assure that the applicable data is
updated on a regular basis?
Subject to qualifications regarding so-called
"controlled" corporations, the exchanges mandate that a majority of the board be
independent and that various committees consist solely of independent
directors. In certain circumstances, exceptions may be permitted for limited
periods of time. A self-assessment audit should consider:
Do controls exist to assure that all applicable independence requirements
are satisfied?
Do controls exist to assure that the applicable exchange is notified in the
event that an independence requirement is no longer satisfied?
If the company is relying upon an exception permitted by the applicable
exchange, have appropriate steps been taken to assure and document that a
sufficient basis exists for relying upon the exception?
Do controls exist to assure that the board is notified when and if reliance
on an exception is no longer permitted?
The exchanges require that independent directors meet
periodically in "executive session" outside of the presence of management,
although there is very little guidance about what should be discussed in those
executive sessions. A self-assessment audit should examine the following:
Have procedures been implemented to assure that such executive sessions
occur on a regular basis?
Are the executive sessions documented in the company's minutes?
If follow-up actions are required as a result of such executive sessions,
are controls in place to assure that such actions are taken?
Board Committee Actions
A substantial portion of the work of a typical public company board is
performed by board committees. In light of applicable requirements, most public
company boards can be expected to have, at a minimum, an audit committee, a
compensation committee, a nominating committee and a committee (which could be
the same as any of the foregoing committees) charged with the responsibility of
monitoring related-party transactions. As corporate governance becomes a
critical issue in corporate America, many boards have established corporate
governance committees to assure proper focus on governance issues.
As a matter of good corporate governance and, in certain circumstances, as
required by applicable legal requirements, the functions of most committees are
described in charters or resolutions adopted by the full board (and, in many
cases, disclosed to the public). A self-assessment questionnaire would ask the
following questions:
Does each board committee have a charter or other mission statement that
articulates the functions of the committee?
Are each of the members of each committee aware of the charters applicable
to their committees?
Does each committee report back to the full board after each of its
meetings?
Are minutes of each committee meeting prepared, available to committee
members and available to the full board?
The SEC's proxy rules demand that public companies
disclose their audit committee charters no less frequently then once every three
years. This obligation has led many companies to develop elaborate audit
committee charters reflecting extensive responsibilities for audit committee
members. Such elaborate charters can be fodder for plaintiffs' lawyers and
conceivably for regulators. To avoid creating committee charters with which a
committee cannot comply, a self-assessment guide would ask the following
questions:
Has each committee charter been reviewed to determine whether it is feasible
for the committee to perform its designated functions?
Are steps taken to remind committee members of the functions to be
performed?
Is there follow-up to assure that the enumerated functions are being
performed?
Complaint Procedures
Audit committees are required by the Sarbanes-Oxley Act to develop anonymous
complaint procedures to assure that they receive, retain and respond to
complaints regarding accounting, internal accounting controls, or auditing
matters generally, and confidential anonymous submissions by employees of
concerns regarding questionable accounting or auditing matters.
While many public companies have hired outside consultants to develop
and operate complaint mechanisms, other companies have implemented their own
procedures. In any case, a self-assessment program should review the following
questions:
Does a complaint procedure exist?
Are employees aware that the complaint procedure exists?
If any complaints have been lodged through the complaint procedure, have
they been resolved?
Has any retaliatory action been taken against any person who has submitted a
complaint?
Has there been any pattern in the complaints that suggest that a pervasive
problem exists?
Disclosure Controls
Pursuant to the Sarbanes-Oxley Act the chief executive officer and chief
financial officer of a public company must certify as to the adequacy of the
company's disclosure controls. Disclosure controls are controls which assure
that information which may be disclosable is funneled to those persons
responsible for preparing disclosure documents filed with the SEC. While the SEC
has not yet mandated that companies adopt so-called disclosure committees, the
SEC has, in more then one release, strongly suggested that public companies
establish disclosure committees to assure a proper flow of disclosable
information. A self-audit should ask:
If the company has a disclosure committee, has it met regularly and kept
minutes?
If the company has a disclosure committee, has that committee reached any
conclusion other than that disclosure controls are adequate?
If the company has a disclosure committee which recommends that corrective
action be taken, are procedures in place to monitor compliance steps?
If the company does not have a disclosure committee, what steps are being
taken to assure that discloseable information is funneled to senior members of
management?
Arranging for a confidential outside review of these
and other corporate governance issues may save a company money, embarrassment
and potential civil and criminal liability. We suggest that companies take the
time to police themselves, before they are policed.
Published September 1, 2004.