Executive management has always been responsible for the quality and fairness of public reporting. However, under the Sarbanes-Oxley Act of 2002, the risks are higher and the consequences of failure more significant. In this environment, all companies should perform a rigorous review of their disclosure processes and implement needed changes in time for their first filing.
There are many questions regarding these new requirements. The SEC articulated the objectives but left the methods for achieving them to Corporate America. Following are a few of the important questions that management must address.
What are we really certifying?
Although there are several aspects to the executive certification, management is, in fact, certifying the effectiveness of the internal management processes that underlie the required disclosures. The days of an ad hoc approach to preparing public reports are over. Just as there are necessary processes for meeting key business objectives such as satisfying customers and paying bills, a process is required for generating accurate and timely material information for disclosure in public reports.
A process for generating disclosures and financial reports may mean formalizing and documenting the activities already in place. It may also mean rethinking how public reports have historically been prepared. In either case, certain considerations are imperative.
First among these is to define and communicate the key inputs to the process. This must include: a definition of “materiality” for purposes of preparing disclosures; guiding principles for complying with applicable rules and regulations; objective criteria for assessing the importance and significance of information requirements; and standards for evaluating design and operational effectiveness.
Management must then determine whether or not the activities for recording, accumulating and summarizing material information are designed and operating effectively. The organization’s overall control environment should support the execution of these activities. Next, management should identify assurance activities on which they can rely to evaluate disclosure controls and procedures, and should establish clear accountabilities to make disclosure controls and procedures more robust and highly repeatable. Finally, management must consider whether it will “do the right things” in keeping investors informed or just “do things right” and follow the letter of the rules when it comes to disclosures.
What are disclosure controls and procedures? How are they different from internal controls over financial reporting?
According to the SEC, disclosure controls and procedures are the activities in place to ensure material financial and nonfinancial information is “recorded, processed, summarized and reported within the time periods specified by the [SEC’s] rules and forms.” They may include ongoing processes for training personnel, monitoring change and keeping the inventory of reporting requirements up to date with current rules and regulations. They may also include processes that function only during the period in which a financial report is prepared, such as the use of a standard reporting package. Internal controls over financial reporting provide “reasonable assurance” that certain objectives are met. These objectives relate to the authorization and recording of transactions, the preparation of financial statements in conformity with generally accepted accounting principles, and the authorization of access to assets, among other things.
While the distinction between disclosure controls and procedures and internal controls over financial reporting is not completely clear, there is significant overlap between these activities. Disclosure controls and procedures are inclusive of internal controls that impact disclosure in public reports because the former apply to all material information included in these reports, both within and outside the financial statements. In introducing the concept of disclosure controls and procedures, the SEC intended to make it explicit that the controls contemplated by Sarbanes-Oxley should embody controls and procedures addressing the quality and timeliness of disclosure in public reports. Disclosure controls and procedures cover a broader range of information than is covered by internal controls over financial reporting.
The distinction between disclosure controls and procedures and internal controls over financial reporting is important for two reasons. First, management must specifically evaluate disclosure controls and procedures and report the results of that evaluation quarterly. Second, management must issue annually a report on internal controls over financial reporting. Once the SEC issues its rules on internal controls reporting, the external auditor will be required to attest to and report on the assessment made by management.
Most companies already have some disclosure controls and procedures in place. However, management should rigorously review these processes to ensure they are effective in capturing new developments, risks and other information germane to the business so that the required disclosures are included in public reports.
The following steps should be considered over the near term:
Form a disclosure controls committee to provide oversight.
In its August 29 release, the SEC recommended that companies form a committee responsible for considering the materiality of information and for determining disclosure requirements on a timely basis. This committee should report to senior management, specifically the certifying officers. The SEC suggests this committee consist of the principal accounting officer, the general counsel (or other senior legal official with responsibility for disclosure matters), the principal risk management officer and the chief investor communications officer. The committee should also include the chief information officer and appropriate representatives from the company’s operating units. To be effective, the committee should include an expert in SEC reporting and filing requirements.
Create a standard disclosure package or process to engage the appropriate people and funnel the required information upward.
Upward communication is vital to effective disclosure controls and procedures. A standard reporting package is a customary practice among many companies. If one is already in place, senior management (or the disclosure controls committee) should review it to evaluate whether the vital information necessary for the certifying officers to complete their evaluation is provided.
For example, a company might develop a standard monthly disclosure package for each operating unit that includes a representation letter, an analysis of variations and fluctuations in operations, an internal controls evaluation, a risk assessment relating to changes in operations (e.g., changes in personnel, changes in systems, changes in business practices, etc.), a summary of related party transactions, and the financial statements. The monthly package would also include a status report on the disposition of any open issues the operating unit might have with respect to financial reporting, as well as a summary of the unit’s compliance with any new GAAP or regulatory pronouncement that would affect the company’s financial reporting. A corporate disclosure committee would review each monthly package, follow up on questions and significant unresolved issues, and document the results of that follow-up.
Once the disclosure committee has signed off on all disclosure packages, it would forward them to the CEO and CFO, who would review the information as part of their ongoing evaluation process. The reporting packages would also be subject to routine review by internal audit and the external auditor.
Inventory the reporting requirements and keep that inventory current.
Regulation S-K, Regulation S-X, up-to-date GAAP checklists and other checklists provide a basis for determining the universe of disclosure requirements. Appropriate management (or the disclosure controls committee) should use these checklists to determine the company’s master list of applicable requirements.
Identify critical processes that require immediate evaluation.
At a minimum, financial reporting and disclosure processes should be reviewed as they are vital to the company’s compliance with the new requirements.
Create a checklist summarizing the key steps that must be carried out each quarter.
While reliance on people and on the processes of the organization is appropriate, certifying officers must be personally involved in the disclosure process. These individuals should participate directly in the review of the report and in the design, maintenance and evaluation of the company’s disclosure controls and procedures.
A checklist is a useful tool to identify the steps that need to be completed before the designated officers sign the certification. For example, have they:
- Carefully read the report and asked the necessary questions to understand its contents?
- Evaluated the internal controls over financial reporting to ensure financial disclosures are complete and accurate? (Note: Certifying officers should consider, among other things: effectiveness of the overall control environment; extent of documentation of the company’s processes; results of monitoring by key personnel; results of internal audit validation; turnover in personnel and management; volume and complexity of transactions; prior experience with the company’s financial reporting systems; and extent of operating changes during the reporting period.)
- Evaluated the internal processes used to prepare the report, including the related disclosure controls and procedures? (Note: Certifying officers should consider, among other things: results of the oversight and review by the disclosure controls committee; effectiveness of processes for funneling material information to management’s attention; extent of experts and advisors involved in the process; sufficiency of time taken to prepare the report; and adequacy of processes for maintaining a current master list of required disclosures.)
- Reviewed the results of process owner monitoring and internal audit testing of disclosure controls and procedures?
- Discussed with key personnel involved in the process whether there are any unresolved issues with respect to disclosures or financial reporting?
- Looked closely at areas where there is significant judgment applied or a possibility for significant errors or omissions? (For example, past problem areas, revenue recognition issues, significant accounting estimates, asset impairments, loss contingencies, related party issues, significant industry problem areas, and off-balance sheet items.)
- Discussed with the external auditor whether they have any concerns that could increase the company’s risks of non-compliance?
- Discussed the company’s disclosure controls and procedures with the audit committee?
- Evaluated the disclosure treatment given to new developments and emerging risks?
- Followed up on open areas? (For example, disagreements with the external auditor, prior SEC comments, concerns of the audit committee, violations of the code of conduct, significant audit or other adjustments, issues raised by employees, instances or allegations of fraud, questions from analysts, and unresolved issues and problems identified in internal audit reports.)
These are just a few of the questions to address. The checklist serves as a written record of the steps taken by the certifying officers before signing the certification.
What should we do over the long term?
Companies may choose to create a “chain of certifications” by requiring direct reports to certify results individually. Those direct reports may, in turn, require the same of their direct reports, and so on. This approach may engage unit managers and process owners, but it doesn’t necessarily provide assurance that better information will be furnished to management for timely action and disclosure. If it becomes a ritualistic exercise and lacks substance, it will not identify issues that may exist in critical processes.
To be effective in establishing accountability, disclosure controls and procedures require an infrastructure of policies, processes, people and reports. Once an interim solution is in place, additional steps should be taken to ensure the company’s disclosure controls and procedures will remain effective over time as operations and conditions change.
There is no “one-size-fits-all” approach to determining the appropriate long-term solution. Every company will have a different solution depending on the level of depth required in understanding and documenting its processes, risks and control points. The extent, nature and timing of a solution depend on the risks and complexities inherent in a company’s reporting and disclosure processes. For example, factors to consider when evaluating the appropriate longer-term solution would include key company characteristics (management turnover, volume and complexity of transactions, effectiveness of the overall control environment, etc.), known problem areas (revenue recognition, significant accounting estimates, significant industry problem areas, off-balance sheet issues, etc.), and issues and problems raised in the past (the nature of existing internal control weaknesses, the nature and amount of prior audit adjustments, the nature of prior management letter recommendations, the nature of SEC comments received on prior public filings, etc.). These are just a few of the factors management should consider when evaluating the level of depth required to address a longer-term solution.
Following are elements that can be key to a longer-term solution for management:
Source material information components in public reports back to upstream processes and points of origin, and identify the critical processes.
An interim solution might focus on evaluating the financial reporting process and the disclosure process. The critical upstream processes that feed the financial reporting and disclosure processes should be reviewed, with the appropriate process owners assuming responsibility for that review. Management can identify these critical processes by tracing the critical information in the public reports back to the relevant procedures that record, process, summarize and report that information. These procedures should be ranked using the appropriate criteria, such as importance to the company’s operations, impact on public reports, exposure to errors, susceptibility to change, potential for material events and the absence of appropriate documentation.
Once the processes are ranked by priority, document the critical ones, including their risks and control points.
Identify gaps and define an action plan to close them. The inputs, outputs, activities, policies, systems and metrics of the critical processes should be documented over, for example, a six- to 24-month period, depending on management’s assessment of their significance. As each process is documented, the risks and key control points are identified. These risks and control points provide the basis for conducting an evaluation of controls over vital disclosure processes, including significant transaction processes. Any deficiencies should be considered for disclosure and certification purposes, and should be resolved as soon as possible.
Align process owner monitoring and internal audit plans with evaluation requirements.
Control points provide the basis for developing appropriate metrics and focusing the monitoring activities of process owners. They also provide a business context for focusing internal audit plans. The results of process owner monitoring and internal audits should be reported to management (or the disclosure controls committee) for review. Companies should also consider implementing a self-assessment process by which personnel responsible for material information are required to address specific questions regarding the disclosure controls and procedures for which they are responsible. Through a self-assessment exercise, responsible personnel positively confirm that disclosure controls and procedures have operated effectively over the past quarter, and that there were no significant deficiencies or material changes in such controls and procedures. This practice is different from a “chain of certifications” because it focuses specific individuals on specific controls and procedures by which material information is recorded, processed, summarized and reported. In effect, this practice creates a “chain of accountability.”
Design a process to identify changes in environment as well as operating and other changes that impact disclosure and the adequacy of controls.
Change is inevitable. Changes in the environment and in the company’s operations require special emphasis because of their impact on the business, the financial statements and the required disclosures. Examples of changes requiring evaluation include mergers and acquisitions, divestitures, new innovative business practices, new systems, changes in personnel, significant market declines, and changes in laws and regulations. The disclosure controls committee – or an equivalent group of executives – should be responsible for monitoring change in order to identify material information requiring disclosure. Operational risks, new related party transactions, new litigation and other contingencies, strategic risks, regulatory developments, credit and market risks, and risks to reputation and brand image may require disclosure. Management (or the disclosure controls committee) should satisfy itself that the company’s disclosure controls and procedures are effective in addressing new issues and developments as they arise.
Keep the organization aligned with the objective of fair reporting and compliance with the code of conduct.
Disclosure controls and procedures should consider the organization’s internal communication, performance expectations, incentive compensation programs and other behavior-influencing practices that may impact fair reporting. Reporting needs to be an integral part of the job of every manager whose activities in some way impact public disclosures. These managers need to be actively engaged. For some organizations, this will require a mindset change because public reporting is often “someone else’s job.” Now it is everyone’s job. Management (or the disclosure controls committee) should periodically evaluate whether there are any aspects of the company’s culture that could compromise the goal of fair reporting and compliance with the code of conduct. This evaluation should be coordinated with the audit committee.
What else should we do before we certify?
Keep in mind there are actually two evaluations each quarter. The primary evaluation of design and operational effectiveness must be within 90 days of the date for filing the annual or quarterly report. The second assessment must be completed as of the filing date and determines whether there are significant changes in internal controls or in factors that affect the performance of internal controls after the date of their primary evaluation. The results of both evaluations are included in the report.
Some additional points certifying officers should keep in mind:
Identify the sources of assurance.
The certifying officers need not do their evaluation by themselves. There are many sources of assurance on which they can rely. For example, existing management processes – those that review and analyze results of operations, and those that monitor the control environment – provide input to their evaluation. Other sources of assurance include the results of internal audit validation activities, ongoing reviews by key employees and advice from outside experts. Board reviews also provide assurances. While the results of examinations by regulators and the work of external auditors also provide input, they are not primary sources of assurance because their work is intended to check management’s assertions regarding its internal processes. Notwithstanding all of these sources, the certifying officers have the final responsibility for the evaluation and should perform any additional procedures they deem necessary.
Make sure key managers involved in public reporting fully understand and are able to carry out their roles, responsibilities and authorities.
Individuals who are significantly involved in the disclosure process should be adequately trained in the legal and accounting requirements, and rely on appropriate legal, accounting and reporting experts who are knowledgeable of the requirements. There should also be adequate staffing to support the disclosure process and prepare the required reports. The time dedicated to preparing reports should be sufficient to ensure a quality product. Document retention policies should be approved by legal counsel and clearly articulated to and understood by all participants in the disclosure and reporting process.
Develop a protocol for resolving deficiencies in internal processes and controls.
In this demanding environment, significant deficiencies should be escalated promptly to senior management, including the certifying officers, and to the external auditors and the audit committee. Once identified, these deficiencies should be fixed as quickly as possible.
Use an authoritative framework for conducting management’s evaluation of disclosure controls and procedures and internal controls over financial reporting.
For example, the internal controls framework developed by the Committee of Sponsoring Organizations (COSO) includes the control environment, risk assessment, control activities, monitoring, and information and communication. While these components serve as a useful framework when evaluating internal controls, enhancements are needed to incorporate disclosure controls and procedures.
Certifying officers should design the certification process so that their activities are coordinated with business unit managers, process owners, internal auditors, the external auditor, legal counsel and other key parties. Companies that take a process view to compliance and put in place an appropriate oversight structure are more likely to be successful in complying with these requirements over the long term.