The US Sarbanes–Oxley Act of 2002: What Audit Committees of Non-US Issuers Need to Know

International Journal of Disclosure and Governance Volume 1 Number 4

The US Sarbanes–Oxley Act of 2002: What audit committees of non-US issuers need to know

Alexander F. Cohen* and David M. Brodsky** Received: 28th July, 2004

*Latham & Watkins, 99 Bishopsgate, London EC2M 3XF, UK; Tel: +44 (0)20 7710 1014; E-mail: [email protected] **Latham & Watkins LLP, Professional Liability Practice Group, 885 Third Avenue, New York, NY 10022-4802, USA; Tel: +1 212 906 1628; Fax: +1 212 751 4864; E-mail: [email protected]

Alexander F. Cohen is a partner in the London conclude that the full weight of the Act will only be felt office of Latham & Watkins. Latham & Watkins when the Act’s ‘internal control’ provisions come into operates as a limited liability partnership world- effect in 2005. wide with affiliates in the UK and Italy, where the practice is conducted through an affiliated multi- national partnership. INTRODUCTION When President George W. Bush signed the David M. Brodsky is a partner in the New York Sarbanes–Oxley Act of 2002 (the ‘Sarbanes– office of Latham & Watkins LLP. Oxley Act’, ‘Sarbanes–Oxley’, or the ‘Act’) into law, he called it ‘the most far-reaching ABSTRACT reforms of American business practice since KEYWORDS: audit committees, Sarbanes– the time of Franklin Delano Roosevelt’. Oxley Act, foreign private issuers, SEC Watching the passage of the Act was a bit registrants, non-US companies like watching a child do a ‘cannonball’ dive into a small pool: it drenched a few The US Sarbanes–Oxley Act of 2002 (‘the Act’) onlookers and triggered a wave of rule- introduced sweeping changes in the regulation of issuers making by the Securities and Exchange of public securities in the USA, including non-US Commission (SEC). issuers. Audit committees are a key area of corporate Foreign private issuers — a term that governance addressed by the Act, and the authors covers most non-US issuers, other than summarise how the Act applies to audit committees of foreign governments — were among the non-US issuers. First, the Act imposes certain most surprised (and in many cases unhappy) requirements directly on audit committees, relating to bystanders in this process. Unlike other areas such as independence and substantive duties. recent SEC initiatives (such as Regulation Secondly, it indirectly sets standards for audit FD), the Sarbanes–Oxley Act did not gen- committees, for example, through regulation of auditors. erally distinguish between US domestic and Finally, the Act introduces a far-reaching concept, foreign private issuers. internal control over ﬁnancial reporting. Audit commit- Audit committees are a key area of tee members need to understand the internal control rules corporate governance addressed by the Act. International Journal of Disclosure and Governance, in detail, because of the critical importance of internal Sarbanes–Oxley applies to audit committees Vol. 1, No. 4, 2004, pp. 313–323 Henry Stewart Publications, control to an issuer’s ﬁnancial reporting. The authors in three ways. First, it imposes certain 1741–3591

Page 313 The US Sarbanes^Oxley Act of 2002

requirements directly on audit committees, authors refer below to ‘issuers’ and ‘foreign relating to areas such as independence and private issuers’ they mean those companies substantive duties. Secondly, it indirectly sets that are subject to Sarbanes–Oxley. standards for audit committees, for example, through regulation of auditors. Finally, the STANDARDS RELATING DIRECTLY TO Act introduces a far-reaching concept, inter- AUDIT COMMITTEES nal control over financial reporting. Audit committee members need to understand the Listed company audit committees internal control rules in detail, because of the The Sarbanes–Oxley Act charged the SEC critical importance of internal control to an with creating rules to prohibit the listing of issuer’s financial reporting. any security in the USA of an issuer that is This paper summarises the key provisions not in compliance with certain substantive of the Act relevant to foreign private issuers. standards for audit committees. The SEC has It also discusses briefly the related audit accordingly adopted Rule 10A-3 under the committee requirements under the revised Exchange Act (‘Rule 10A-3’). Listed foreign corporate governance rules of the New York private issuers must be in compliance with Stock Exchange (NYSE) and NASDAQ. Rule 10A-3 by 31st July, 2005.2 Under Rule 10A-3, audit committee BACKGROUND: WHO IS SUBJECT TO members each have to be a member of the SARBANES–OXLEY? board of directors and be otherwise inde- The Sarbanes–Oxley Act applies to all pendent.3 To be ‘independent’, an audit issuers — including foreign private issuers committee member is barred from accepting — that: any compensatory fees other than in that member’s capacity as a member of the board4 . have registered securities under the US and may not be an ‘affiliated person’ of the Securities Exchange Act of 1934, as issuer.5 The definition of affiliated person amended (the ‘Exchange Act’ or the includes a person who, directly, or indirectly ‘1934 Act’); through one or more intermediaries, con- . are required to file reports under Section trols, or is controlled by, or is under common 15(d) of the Exchange Act; or control with the specified person.6 There is, . have filed a registration statement under however, a safe harbour for certain non- the US Securities Act of 1933, as amended executive officers and other persons who are (the ‘Securities Act’ or the ‘1933 Act’) that 10 per cent or less shareholders of the issuer.7 has not yet become effective.1 Foreign private issuers are entitled to certain exemptions from the independence This means, for example, that any foreign prong of Rule 10A-3. For example, the private issuer that has listed its securities in the inclusion of a non-management employee USA, or issued securities to the public in the representative,8 a non-management affiliated USA whether or not listed (such as in a person with only observer status,9 or a non- registered exchange offer for high-yield management governmental representative on bonds) is subject to the Sarbanes–Oxley the audit committee will not violate the Act. A foreign private issuer that has not affiliated person prong of the independence sold securities to the public in the USA, or test.10 that is exempt from Exchange Act registra- Rule 10A-3 also requires that: tion by virtue of Exchange Act Rule 12g3- 2(b) is not subject to the requirements of the . the audit committee must be ‘directly Sarbanes–Oxley Act. Accordingly, when the responsible’ for the appointment, com-

Page 314 Cohen and Brodsky

pensation, oversight and retention of the on the exemptions and an assessment of external auditors, who must report directly whether this reliance will materially to the audit committee;11 adversely affect the audit committee’s . the audit committee must establish pro- ability to act independently and to satisfy cedures for the receipt, retention and any of the other requirements of Rule treatment of complaints regarding 10A-3.19 accounting, internal controls or auditing matters, and for the confidential, anon- Audit committee financial expert ymous submission by employees of con- Under the Sarbanes–Oxley Act, the SEC has cerns regarding questionable accounting issued rules requiring a foreign private issuer or auditing matters;12 to disclose in its annual report on Form 20-F . the audit committee must have the that the issuer’s board of directors has authority to engage independent counsel determined whether or not it has one audit and other advisers as it deems necessary to committee financial expert serving on its carry out its duties;13 and audit committee, or if not, why not.20 If . the issuer must provide the audit commit- the issuer has a two-tier board of directors, tee with appropriate funding for payment the supervisory or non-management of external auditors, advisers employed by board would make this determination.21 the audit committee and ordinary admin- The issuer must also disclose the name of istrative expenses of the audit commit- the audit committee financial expert (if tee.14 any)22 and whether that person is ‘independent’ from management (note that for listed These requirements are not intended to issuers the audit committee financial expert conflict with local legal or listing provisions will need to satisfy the definition of ‘inde- (or requirements under the foreign private pendence’ as set forth in Rule 10A-3).23 An issuer’s organisational documents), and issuer’s board of directors must make an instead relate to the allocation of responsi- affirmative determination whether or not it bility between the audit committee and the has at least one audit committee financial issuer’s management.15 Accordingly, the expert, and may not simply fail to reach a audit committee may recommend or nomi- conclusion.24 nate the appointment or compensation of the In order to qualify as an audit committee external auditor to shareholders if these financial expert, the audit committee matters are within shareholder competence member must have the following ‘attri- under local law,16 and it must be granted butes’:25 those responsibilities that the board of directors can legally delegate.17 . an understanding of GAAP; Rule 10A-3 contains a general exemption . the ability to assess the general application for foreign private issuers that have a statutory of GAAP in connection with the account- board of auditors or statutory auditors ing for estimates, accruals and reserves; established pursuant to home country law . experience preparing, auditing or analys- or listing requirements, which in turn meet ing financial statements similar to those of various requirements.18 the issuer, or actively supervising others A foreign private issuer relying on Rule engaged in these activities; 10A-3’s exemption from independence, or . an understanding of internal controls and the general exemption noted above, will procedures for financial reporting; and need to disclose in its annual report on . an understanding of audit committee Form 20-F filed with the SEC its reliance functions.

Page 315 The US Sarbanes^Oxley Act of 2002

In addition, an audit committee financial STANDARDS RELATING INDIRECTLY expert must have gained those attributes TO AUDIT COMMITTEES through:26 Auditor independence The Sarbanes–Oxley Act creates a series of . education and experience as a principal requirements relating to the work of external financial officer, principal accounting auditors, grouped under the heading ‘auditor officer, controller, public accountant or independence’. The SEC’s rules generally auditor, or experience in similar took effect on 6th May, 2003 (although positions; many of the provisions of these rules have . experience actively supervising these varying transition periods), and also apply to functions; annual reports on Form 20-F in respect of . experience overseeing or assessing the fiscal years ending after 15th December, performance of companies or public 2003.31 accountants with respect to the prepara- Under these rules, it is unlawful for an tion, auditing or evaluation of financial auditor not to be independent. Among other statements; or things, this means that the audit committee . other relevant experience. must pre-approve the engagement of the auditor to provide audit and non-audit The term ‘GAAP’ in this context refers to services to the issuer or its subsidiaries, or the body of generally accepted accounting must only engage the auditor pursuant to principles used by the issuer in its primary pre-approval policies and procedures estab- 27 lished by the audit committee (subject to financial statements. Accordingly, the audit 32 committee financial expert of a foreign certain de minimis exceptions). An auditor private issuer need only be versed in local must also report to the audit committee on GAAP, and not in US GAAP or in (1) all critical accounting policies and prac- reconciliation to US GAAP (although tices to be used, (2) all alternative treatments that experience would, of course, be of financial information within GAAP that useful).28 have been discussed with the issuer’s manage- The SEC’s rules contain a liability ‘safe ment (as well as the implications of those harbour’ for the audit committee financial alternatives and the auditor’s preferred treat- expert, under which: ment), and (3) all other material written communications between the auditors and management.33 . a person who is determined to be an audit In addition, in its annual report on Form committee financial expert is not deemed 20-F an issuer must disclose the pre-approval to be an ‘expert’ for any purpose, such as policies and procedures of its audit commit- under Section 11 of the Securities Act; tee for audit and non-audit services.34 and29 . the designation of a person as an audit Improper influence on the conduct of committee financial expert does not an auditor; communication with audit impose greater duties, obligations or committee liabilities on the person than on other The Sarbanes–Oxley Act directs the SEC to audit committee and board members, and issue rules prohibiting any officer or director does not affect the duties, obligations or of an issuer from taking any action impro- liabilities of other audit committee and perly to influence an auditor for the purpose board members.30 of rendering the issuer’s financial statements

Page 316 Cohen and Brodsky

materially misleading. The SEC’s imple- ing and (2) containing an assessment, as of the menting rules took effect on 27th June, end of the issuer’s most recent fiscal year, of 2003.35 Among other things, the rules the effectiveness of the issuer’s internal prohibit an officer or director of an issuer, control structure and procedures for financial or any other person acting under the reporting. In addition, Section 404 requires direction of an officer or issuer, from taking an issuer’s independent auditor to attest to, any action to ‘coerce, manipulate, mislead or and report on, management’s assessment, in fraudulently influence’ an auditor engaged in accordance with standards adopted by the US the performance of an audit or review of Public Company Accounting Oversight financial statements of the issuer that are Board (PCAOB). (Section 404 provides, required to be filed with the SEC if that however, that the attestation cannot be a person knew or should have known that his separate engagement of the auditor.) or her actions, if successful, could result in The SEC has accordingly adopted new rendering the issuer’s financial statements implementing rules, and the PCAOB has materially misleading.36 adopted Auditing Standard No. 2.38 Under The rules identify certain types of actions the SEC’s rules, a foreign private issuer must: which could cause an issuer’s financial statements to be materially misleading. . maintain internal control over financial These include improperly influencing an reporting; auditor not to communicate matters to an . evaluate (with the participation of the issuer’s audit committee.37 CEO and CFO) the effectiveness of An audit committee can find itself in a internal control as of the end of each fiscal situation in which management and the year; and auditors do not agree about the accounting . evaluate (with the participation of the treatment of a transaction (or series of CEO and CFO) any change in its internal transactions). In that case, audit committee control that occurred during the fiscal year members should be mindful of these prohi- that has materially affected, or is reason- bitions to avoid opening themselves to claims ably likely to materially affect, the issuer’s that the auditors were coerced into accepting internal control over financial reporting. an inappropriate result, which in turn had a material impact on the financial statements. In addition, a foreign private issuer’s annual report on Form 20-F must contain an annual SECTION 404: INTERNAL CONTROL report from management on internal control, OVER FINANCIAL REPORTING an attestation report of the issuer’s independent auditor and disclosure of any changes in Background internal control. A foreign private issuer must Section 404 of Sarbanes–Oxley deals with comply with these rules in connection with internal control over financial reporting. It is its annual report on Form 20-F for the first one of the most far-reaching aspects of the fiscal year ending on or after 15th April, Act, and is proving to be one of the most 2005.39 complicated to implement in practice. Section 404 directs the SEC to issue rules Definition of internal control over requiring an issuer’s annual report to contain financial reporting an internal control report (1) stating manage- For these purposes, ‘internal control over ment’s responsibility for establishing and financial reporting’ is defined as a process maintaining an adequate internal control designed by, or under the supervision of, the structure and procedures for financial report- issuer’s CEO and CFO, and effected by the

Page 317 The US Sarbanes^Oxley Act of 2002

issuer’s board of directors, management and Accountants in England and Wales’ Turnbull other personnel, to provide reasonable assur- Report are all approved frameworks.43 ance regarding the reliability of financial The framework must:44 reporting and the preparation of financial statements for external purposes in accor- . be free from bias; dance with generally accepted accounting . permit reasonably consistent qualitative principles and includes those policies and and quantitative measures of an issuer’s procedures that: internal control; . be sufficiently complete so that those . pertain to the maintenance of records that relevant factors that would alter a conclu- in reasonable detail accurately and fairly sion about the effectiveness of an issuer’s reflect the transactions and dispositions of internal controls are not omitted; and the assets of the issuer; . be relevant to an evaluation of internal . provide reasonable assurance that transac- control over financial reporting. tions are recorded as necessary to permit preparation of financial statements in Management may not determine that an accordance with generally accepted issuer’s internal control over financial report- accounting principles, and that receipts ing is effective if it identifies one or more and expenditures of the issuer are being material weaknesses in the issuer’s internal made only in accordance with authorisa- control. The term ‘material weaknesses’ for tions of management and directors of the these purposes has the same meaning as under issuer; and the auditing standards of the PCAOB. . provide reasonable assurance regarding The SEC has not specified a method or prevention or timely detection of procedures to be followed in the evaluation. unauthorised acquisition, use or disposi- An issuer must, however, maintain ‘eviden- tion of the issuer’s assets that could have a tial matter, including documentation’ to material effect on the financial state- provide reasonable support for management’s ments.40 assessment of the issuer’s internal control over financial reporting.45 The assessment must be Management’s annual assessment of, based on procedures sufficient both to and report on, internal control evaluate design and to test operating effec- In an issuer’s annual report on Form 20-F, tiveness. The SEC has cautioned that inquiry management must provide a report on the alone generally will not provide an adequate issuer’s internal control over financial report- basis for management’s assessment. ing.41 The SEC has not required the use of a In June 2004, the SEC issued answers to particular framework. It has, however, spe- certain frequently asked questions regarding cified that management’s evaluation must be management’s report over internal control based on a recognised control framework (the ‘2004 FAQ’).46 Under the 2004 FAQ, established by a body or group that has among other things: followed due-process procedures, including a broad distribution of the framework for . Qualifications: Management may not qua- public comment.42 The Committee of lify its conclusion about the effectiveness Sponsoring Organizations of the Treadway of an issuer’s internal control, and may not Commission’s Internal Control — Integrated conclude that internal control is effective if Framework, the Canadian Institute of Char- a material weakness exists. Instead, man- tered Accountant’s Guidance on Assessing agement may state that controls are Control, and the Institute of Chartered ineffective for specific reasons.47

Page 318 Cohen and Brodsky

. Disclosure of significant deficiencies: An issuer directly to whether the auditor can agree must identify and publicly disclose all with management that internal control is material weaknesses. If management iden- effective.53 In this connection, the auditor tifies a significant deficiency, it is not needs to evaluate management’s assessment obligated to disclose publicly the existence process (to ensure that management has an or nature of the significant deficiency. If, appropriate basis for its conclusion) and to however, management identifies a signifi- test the effectiveness of internal control.54 cant deficiency that, when combined with other significant deficiencies, is determined to be a material weakness, manage- Significant deficiencies and material ment must disclose the material weakness weaknesses (and the significant deficiency to the Under Auditing Standard No. 2, both extent needed to understand the material management and the auditor may identify weakness). In addition, if a material deficiencies in internal control.55 A control change is made to either internal control deficiency exists ‘when the design or opera- or disclosure controls and procedures in tion of a control does not allow the response to a significant deficiency, the company’s management or employees, in issuer should disclose the change and the normal course of performing their consider whether a discussion of the assigned functions, to prevent or detect significant deficiency is needed.48 misstatements on a timely basis’.56 . Material business combinations: If an issuer Auditing Standard No. 2 provides that a consummates a material business combi- control deficiency should be classified as a nation during a fiscal year and is unable to ‘significant deficiency’ if, ‘by itself or in a conduct an assessment of the acquired combination with other control deficiencies, business’s internal control during the it results in more than a remote likelihood of period between the consummation date a misstatement of the company’s annual or and the date of management’s assessment, interim financial statements that is more than it may omit an assessment of the acquired inconsequential will not be prevented or business’s internal control for not more detected’.57 In addition, a ‘significant defi- than one year from the date of acquisition ciency should be classified as a material (and must make certain disclosure about weakness if, by itself or in combination the acquired business and the effect of with other control deficiencies, it results in the acquisition on the issuer’s internal more than a remote likelihood that a material control).49 misstatement in the company’s annual or interim financial statements will not be Internal control audits — Auditing prevented or detected’.58 Standard No. 250 Auditing Standard No. 2 mandates that an Auditing Standard No. 2 sets out the auditor must communicate in writing to the PCAOB’s rules for internal control audits audit committee all significant deficiencies (the PCAOB chose to refer to an ‘audit’ and material weaknesses of which the auditor rather than an ‘attestation’).51 The PCAOB is aware.59 In addition, the auditor must stated that the objective of the internal communicate to management, in writing, all control audit is to form an opinion as to control deficiencies of which the auditor is whether management’s assessment of the aware that have not previously been com- effectiveness of the issuer’s internal control municated in writing to management and is fairly stated in all material respects.52 The notify the audit committee of such a auditor’s conclusion will therefore relate communication.60

Page 319 The US Sarbanes^Oxley Act of 2002

Identifying significant deficiencies dard No. 2 does not permit a qualified Auditing Standard No. 2 identifies a number opinion on the effectiveness of internal of circumstances that, ‘because of their likely control in the event of a material weakness; significant negative effect on internal control instead, the auditor must express an ‘adverse are significant deficiencies as well as strong opinion’.68 The auditor may express an indicators that a material weakness exists’.61 unqualified opinion on management’s assess- These include:62 ment so long as management properly identifies the material weakness and con- . ineffective oversight by the audit com- cludes that internal control was not effec- mittee of the issuer’s external financial tive.69 If, however, the auditor and reporting and internal control. As part management disagree about the existence of of evaluating the control environment, the material weakness, then the auditor an auditor must assess the effectiveness would render an adverse opinion on man- of the audit committee’s oversight and agement’s assessment.70 must communicate to the board of directors if it concludes that oversight is NYSE AND NASDAQ REQUIREMENTS ineffective; FOR AUDIT COMMITTEES . material misstatement in the financial Both the NYSE and NASDAQ have passed statements not initially identified by the new corporate governance requirements, issuer’s internal control. Failure to detect including requirements relating to audit the misstatement is ‘a strong indicator that committees. The key aspects of these rules the company’s internal control’ is ineffec- are summarised below. tive; and . significant deficiencies that have been NYSE communicated to management and the The NYSE permits foreign private issuers to audit committee, but that remain un- follow home country practice in lieu of the corrected after reasonable periods of NYSE’s corporate governance standards, time. other than (with respect to audit committees) the NYSE’s requirement that it must have an Auditor’s report audit committee that meets the requirements An auditor may express an unqualified of Rule 10A-3.71 opinion if it has identified no material weaknesses.63 If the auditor cannot perform NASDAQ all of the necessary procedures, the auditor NASDAQ takes a different approach to may either qualify or disclaim an opinion.64 foreign private issuer compliance with its If an overall opinion cannot be expressed, corporate governance rules than does the Auditing Standard No. 2 requires the auditor NYSE. Under the NASDAQ rules, a listed to explain why.65 foreign private issuer may obtain exemptions Under Auditing Standard No. 2, the from NASDAQ corporate governance stan- auditor’s report includes two opinions: one dards if those rules would require the issuer on management’s assessment of internal to act contrary to applicable laws, rules, control and one on the effectiveness of regulations, or generally accepted business internal control.66 The auditor’s report may practices of the issuer’s home country, except disclose only material weaknesses, although if to the extent that exemption would be an aggregation of significant deficiencies contrary to the US federal securities laws constituted a material weakness, then dis- (including Rule 10A-3 relating to listed closure would be required.67 Auditing Stan- company audit committees).72

Page 320 Cohen and Brodsky

The NASDAQ rules require a quoted process, and the Act greatly expands the company’s audit committee to meet require- duties of audit committees. ments including: Prior to the Sarbanes–Oxley Act, the role of the audit committee — if any — was a . Sarbanes–Oxley:73 An issuer’s audit com- matter of the local corporate law under mittee must satisfy the independence and which a foreign private issuer was organised, other requirements of Rule 10A-3. and the listing rules of exchange on which . Charter:74 Each issuer must certify that it its securities were listed. The Act has thrust has a written charter and that the audit US federal securities regulation into that committee has reviewed and assessed the area, to the surprise of many foreign private adequacy of the audit committee charter issuers. on an annual basis. The charter must While the SEC has, in its implementing specify, among other things, the scope of rules, made various exceptions for the benefit the audit committee’s responsibilities, the of foreign private issuers, the Act continues to audit committee’s responsibility for ensur- have a profound impact on those companies’ ing its receipt from the outside auditors of audit committees. The full weight effect of a formal written statement delineating all Sarbanes–Oxley will only be felt when the relationships between the auditor and the internal control rules of Section 404 come issuer, and the committee’s purpose of completely into effect. overseeing the accounting and financial reporting processes of the issuer and the REFERENCES audits of the financial statements of the 1 Sarbanes–Oxley Act Section 2(a)(7). issuer. 2 1934 Act, Rule 10A-3(a)(5)(i)(A); see also . Composition:75 The issuer must have, and Standards Relating to Listed Company certify that it has and will continue to Audit Committees, Securities Act Release have, an audit committee of at least three No. 8220, Exchange Act Release No. members, each of whom must meet 47654, Investment Company Act Release certain requirements, including the ability No. 26001 (9th April, 2003). 3 1934 Act, Rule 10A-3(b)(1)(i). to read and understand fundamental 4 1934 Act, Rule 10A-3(b)(1)(ii)(A). financial statements. In addition, each 5 1934 Act, Rule 10A-3(b)(1)(ii)(B). issuer must certify that it has, and will 6 1934 Act, Rule 10A-3(e)(1)(i). continue to have, one member of the 7 1934 Act, Rule 10A-3(e)(1)(ii)(A). audit committee who has past employ- 8 1934 Act, Rule 10A-3(b)(1)(iv)(C). ment experience in finance or accounting 9 1934 Act, Rule 10A-3(b)(1)(iv)(D). or other comparable experience or back- 10 1934 Act, Rule 10A-3(b)(1)(iv)(E). ground which results in financial sophis- 11 1934 Act, Rule 10A-3(b)(2). tication. (A director who qualifies as an 12 1934 Act, Rule 10A-3(b)(3). ‘audit committee financial expert’ under 13 1934 Act, Rule 10A-3(b)(4). the SEC’s rules will be deemed to meet 14 1934 Act, Rule 10A-3(b)(5). this financial sophistication require- 15 Instruction 1 to 1934 Act, Rule 10A-3. 16 Ibid. ment.)76 17 Instruction 2 to 1934 Act, Rule 10A-3. 18 1934 Act, Rule 10A-3(c)(3). CONCLUSION 19 1934 Act, Rule 10A-3(d) and Form 20-F, One of the key policy goals of the Sarbanes– Item 16.D. Oxley Act was to increase oversight over 20 Form 20-F, Items 16A(a)(1) and (3). financial reporting and financial control. An 21 Ibid., Instruction 3 to Item 16A. issuer’s audit committee is at the heart of that 22 Ibid., Item 16A(a)(2).

Page 321 The US Sarbanes^Oxley Act of 2002

23 Ibid. 35 Improper Influence on Conduct of Audits, 24 Disclosure Required by Sections 406 and 407 of Exchange Act Release No. 47890, Invest- the Sarbanes–Oxley Act of 2002, Securities ment Company Act Release No. 26050, Act Release No. 8177, Exchange Act Financial Reporting Release No. 71 (20th Release No. 47234 (as corrected 24th May, 2003). January, 2003), Fed. Sec. L. Rep. 86,818 36 1934 Act, Rule 13b2-2(b)(1). at 86,885. 37 1934 Act, Rule 13b2-2(b)(2). 25 Ibid., Item 16A(b). 38 Public Company Accounting Oversight 26 Ibid., Item 16A(c). Board, An Audit of Internal Control over 27 Ibid., Instruction 3 to Item 16A. Financial Reporting Performed in Conjunction 28 Sections 406 and 407 Adopting Release, with an Audit of Financial Statements, Section II.A.4.d.i. PCAOB Release No. 2004-001, PCAOB 29 Form 20-F, Item 16A(d)(1). Rulemaking Docket Matter No. 008 (9th 30 Ibid., Items 16A(d)(2)-(3). March, 2004) [hereinafter Auditing Stan- 31 Strengthening the Commission’s Requirements dard No. 2 Release]. Regarding Auditor Independence, Securities 39 Management’s Reports on Internal Control over Act Release No. 8183, Exchange Act Financial Reporting and Certification of Dis- Release No. 47265, Investment Company closure in Exchange Act Periodic Reports, Act Release No. 25915, Investment Advi- Securities Act Release No. 8238, Exchange sers Act Release No. 2103 (28th January, Act Release No. 47986, Investment Com- 2003). pany Act Release No. 26068 (5th June, 32 S-X Rule 2-01(c)(7); see also 1934 Act, 2003), Section II.J [hereinafter Manage- Sections 10A(h)-(i) (all audit and permitted ment’s Reports on Internal Control Adopt- non-audit services must be pre-approved by ing Release]. the audit committee (subject to certain de 40 1934 Act, Rules 13a-15(f); 15d-15(f). minimis exceptions)). The SEC has stated 41 Form 20-F, Item 15(b). That report must that an issuer’s audit committee must follow contain, among other things: three requirements in its use of pre-approval . a statement of management’s responsi- through policies and procedures. First, the bility for establishing and maintaining policies and procedures must be detailed as adequate internal control over financial to the particular service to be provided. reporting; Secondly, the audit committee must be . a statement identifying the framework informed about each service. Thirdly, the used by management to evaluate the policies and procedures cannot result in the effectiveness of the issuer’s internal con- delegation of the audit committee’s author- trol over financial reporting; ity to management. Accordingly, monetary . management’s assessment of the effec- limits cannot be the only basis for the pre- tiveness of the issuer’s internal control approval policies and procedures. SEC over financial reporting as of the end of Office of the Chief Accountant, Application the most recent fiscal year, including a of the January 2003 Rules on Auditor statement as to whether or not the Independence — Frequently Asked Questions, issuer’s internal control over financial Question 22. Note that under Auditing reporting is effective; Standard No. 2 of the PCAOB, an issuer’s . a statement that the independent auditor audit committee cannot pre-approve inter- that audited the financial statements nal control services as a category, but must included in the annual report has issued instead approve each service. an attestation report on management’s 33 S-X Rule 2-07(a); see also 1934 Act, assessment of the issuer’s internal control Section 10A(k) (substantially identical over financial reporting; and requirements). . disclosure of any change in its internal 34 Ibid., Item 16C(e). control that occurred during the fiscal

Page 322 Cohen and Brodsky

year that has materially affected, or is assessing management’s report on internal reasonably likely to materially affect, the controls’. Ibid.,at6. issuer’s internal control over financial 52 Ibid.,at7. reporting. 53 Ibid. 42 Management’s Reports on Internal Control 54 Ibid. Adopting Release, Section II.B.3.a. 55 Ibid., at 19. 43 Ibid., at n. 67. 56 Ibid. 44 Ibid. 57 Ibid. 45 Form 20-F, Instruction 1 to Item 15. The 58 Ibid. SEC has stated that it believes it is important 59 Ibid., at 20. for the internal control report to be located 60 Ibid. near the auditor’s attestation report, and 61 Ibid. that it expects issuers will place the report 62 Ibid., at 20–21. and attestation near MD&A disclosure or 63 Ibid., at 22. immediately preceding the financial state- 64 Ibid. ments. Management’s Reports on Internal 65 Ibid. Control Adopting Release, Section 66 Ibid., at 23. II.B.3.e. 46 Office of the Chief Accountant, Division of 67 Ibid. Corporation Finance, Management’s Report 68 Ibid., at 24. on Internal Control over Financial Reporting and 69 Ibid. Disclosure in Exchange Act Periodic Reports: 70 Ibid. Frequently Asked Questions (22nd June, 71 NYSE Listed Company Manual, section 2004). 303A.00. 47 Ibid., Question 5. 72 National Association of Securities Dealers, 48 Ibid., Question 11. Inc., NASD Manual, Rule 4350(a)(1). 49 Ibid., Question 3. 73 Ibid., IM-4350(d). 50 Auditing Standard No. 2 Release, at 6. 74 Ibid., Rule 4350(d)(1). 51 The PCAOB believed that ‘attestation’ was 75 Ibid., Rule 4350(d)(2). ‘insufficient to describe the process of 76 Ibid., IM-4350-4.

ßLatham & Watkins 2004. All rights reserved. All or part of this document has been or may be used in other materials published by the authors or their colleagues at Latham & Watkins and may be updated or changed in other materials.

Page 323