Brussels, 29.11.02 7273
Internal Market DG/GL D(2002) 460
Jonathan G. Katz
U.S. Securities and Exchange Commission
450 Fifth Street NW
Washington DC 20549-0609
United States of America
Dear Mr. Katz,
Subject : File No. S7-40-02
We thank you for the opportunity to comment on the proposed rules for disclosure under Sections 404, 406 and 407 of the Sarbanes-Oxley Act (SOA). We consider the following comments form part of a constructive regulatory dialogue between the United States and the European Union because the Act has also important effects on US-listed EU companies and EU auditors.
The adoption of the Sarbanes-Oxley Act is a US reaction to US financial reporting scandals. The Act aims at restoring investors' confidence in US capital markets. The European Commission and our 15 Member States share these concerns and could in principle support many measures of the Act. This is also to a large extent the case for Sections 404, 406 and 407 of the Sarbanes-Oxley Act that address disclosures concerning financial experts on audit committees, codes of ethics for senior financial officers and internal control reporting.
We understand that the SEC is faced with a great challenge in having to implement fundamental changes to US securities laws in a very short timeframe. We also acknowledge that the SOA requires the SEC to also set rules for corporate governance issues which are a new area of regulation. But these rules, if they are applicable to foreign companies, must take into account the specific legal corporate governance environments of other parts of the world, including the European Union.
The SEC's proposed rules are written in a way to accommodate mainly US companies and US auditors. But, EU companies and EU auditors require the same legal clarity as their US counterparts. To demonstrate our concerns from a European perspective we would like to comment on several aspects of the proposed rules which you will find in the attached annex.
We trust that our comments will help the definition of further SEC rules to be in the best interest of US and also EU companies and auditors with transatlantic business links.
p.o. D. J. WRIGHT
Section 407: Financial experts in Audit Committees
Independence requirements for financial experts
(1) General EU concern about audit committee requirements. In general, section 301 envisages that every registrant should have an audit committee but does not make audit committees directly mandatory for registrants. If the registrant does not have an audit committee, the independence requirements have to be fulfilled by all board members (Section 2(3)B). It remains unclear how this would work in the dual board and single board systems of EU Member States. The implementing rules should take account of the different EU corporate governance systems that vary between Member States. Furthermore, these different legal backgrounds should be considered in defining disclosure requirements for financial experts on audit committees.
(2) Disclosure of independence of financial experts. Section 301 of the SOA already contains a legal requirement for the independence of financial experts on audit committees. Market participants, including investors, are accordingly already expecting the independence of audit committee members in general. Specific disclosure of the independence of financial experts which is already required by the Act seems unnecessary. Requiring basically "grass is green" disclosures adds to an increase of disclosures to which the rule of diminishing returns of scale for investor protection applies. Moreover, an additional disclosure of independence would rather create the impression that audit committee members are not obliged to be independent. Accordingly, there should not be any specific disclosure.
(3) Definition of independence. Section 301 SOA introduced section 10A (m) 3, establishing the independence requirements. The criteria for independence of audit committee members seem conceptually insufficient and there would certainly be a merit in further defining the independence of audit committee members to deal with relationships of audit committee members that pose independence threats to them. For example, the independence definition does not cover relationships that audit committee members may have with the audit firm or its related entities. But also family relationships of audit committee members with the company's executive officers are not covered. A more systematic principles-based approach on the independence of audit committee members would certainly provide better investor protection. We would suggest using the present rule on auditor independence as a starting point for defining independence requirements for the audit committee members.
(4) Appointment. The appointment of independent audit committee members should not be left to the entire board including management. It should rather be a task for the independent directors of the company. In the EU context, such practice is also recommended by the recent Report of the High Level Group of Company Law Experts.
Definition/ competence of financial experts
(1) Addressing foreign private issuers. It is comprehensible that the SEC is first of all interested in requiring financial experts on foreign private issuers' audit committees to have a full understanding of the US environment and requirements. However, the European Union has a large number of highly qualified financial experts that lack direct US experience. The proposed financial expert definition limits the choice of independent financial experts for EU companies in an unacceptable way because it requires experience with a company filing reports pursuant to Section 13(a) or 15(d). This seems to exclude and is discriminatory against highly qualified people in the EU from being financial experts on EU companies' audit committees even if they have the right (local) profile.
To avoid such discriminatory effects, we suggest that the competence requirements for foreign private issuers' financial experts on audit committees should be rephrased to emphasise a requirement for profound knowledge of their home country's environment which should be complemented by adequate knowledge of the US environment including US securities laws. A knowledge of, and experience in the foreign issuer's home country auditing and financial reporting practices seems to be more vital in assuring proper oversight of auditing and financial reporting processes than the knowledge of the US securities laws. Furthermore, from a practical point of view foreign private issuers will certainly not find a sufficient number of highly qualified people to serve as financial experts on their audit committees that also have such specific experience in the US environment. This aspect is all the more important as we understand that even in the US it has become difficult to find qualified people willing to serve on boards of listed companies.
(2) Knowledge of the audit process. The attributes defining the financial expert do not per se require experience in auditing financial statements, whereas oversight of the audit process is a key objective of the audit committee as set out in section 301.
Section 406: Code of Ethics disclosure
From the EU perspective, Section 406 concerning a code of ethics for senior financial officers does not represent a major area of concern because it offers a flexible approach to such a disclosure - also for EU companies. However, it seems difficult to see the added value of such a disclosure to the investing public as due diligence requirements for directors should suffice to ensure ethical behaviour.
The proposed rules foresee that the CFO, other senior financial officers and the CEO should comply with the company's code of ethics as they are involved in the generation and certification of the financial statements. This is not in line with the European perspective on the certification of financial statements.
As stated in the recent Report of the High Level Group of EU Company Law Experts, under the company laws of EU Member States, the board is collectively responsible for the probity of financial statements of the company: in a one-tier structure, this is the collective responsibility of both executive and non-executive directors, and in a two-tier structure, this is the collective responsibility of both the managing directors and the supervisory directors. This is reflected in many Member States in the requirement that all executive, non-executive and supervisory directors sign the annual accounts of the company.
Taking this into account, the US regulatory perspective on the proposed rules does not match the corresponding EU corporate governance approach by only including the CFO and the CEO and not the responsibility of collective board(s).
Section 404: Internal Controls
(1) General EU concern about additional financial and administrative burdens for EU companies. Currently, EU Member States do not have requirements for a specific certification of internal control system by management and attestation by auditors. EU companies face significant additional burdens by having to introduce systems that fulfil the US requirements (hiring of new personnel, bureaucratic reporting systems) in addition to other safeguards at EU Member State level.
The new concept of certification of internal control systems by executive management as well as by auditors has already been extensively considered in a number of Member States for a long period of time, but has not been adopted as a legal requirement. Considerable time and thought has gone into how to deal with the complex matters of evaluative criteria, effectiveness, management reporting and auditor attestation. A similar development can be seen in the United States. The SEC proposed rules set out good reasons why it has not adopted rules on internal controls in the past. However, the SEC got a clear mandate from the Sarbanes-Oxley Act to set such rules on internal control reporting.
We generally support the idea of internal control reporting and believe that it is an interesting concept aimed at improving the quality of financial reporting and its infrastructure. Nevertheless, the workability of the US approach to this concept in practice, and whether its cost/benefit balance is justifiable, crucially depends on the implementing rules.
The SEC's proposed rules clearly show that there is a whole range of unresolved questions concerning internal control reporting. These include areas such as the framework of internal control, auditing standards, reporting and liability. The suggested transition period for compliance with the rules until 15 September 2003 indicates that there is still a lot of fundamental work to be done to implement the Sarbanes-Oxley Act. This also implies that there is still a degree of uncertainty as to whether the US approach to the concept of internal control reporting is workable in practice.
An area in which the proposed rule already suggests a concrete measure is the proposed definition of the internal control system. This definition refers to AICPA's Codification of Statements on Auditing Standards (AU) Section 319. As the SEC intends to regulate non-US companies and auditors the SEC could consider rather to refer to the respective definition provided by the International Standards on Auditing which form the basis for many national auditing standards around the world. This would help to avoid further diverging requirements for non-US companies and auditors.
Accordingly, implementing rules have to be carefully drafted. These rules should not have the practical consequence that companies' internal control systems are designed in a way to simply avoid the liability of the company's officers. Without carefully balanced rulemaking, internal control systems would primarily follow US legal considerations. This could hinder US and also EU companies from applying necessary economic considerations in running their businesses. To have effective and efficient rules, they should also be accustomed to the specific corporate governance environment in which these rules have to be applied and which may differ from the US corporate governance environment.
We strongly believe that the US SEC should grant a full exemption to EU companies. The longstanding discussion in Member States showed that transparency on the adequacy of a company's internal controls requires tailored solutions for the European Union's corporate governance environment to avoid unnecessary burdens and liability risks for EU companies.
(2) General EU concern about the increased liability exposure for EU auditors. Some EU Member States have discussed the role of the auditor in relation to the internal control system for several years without reaching the conclusion that there should be a requirement for an attestation by the auditor on the adequacy and proper functioning. Statutory audits virtually always analyse the adequacy and functioning of companies' internal control system as part of the risk-oriented audit methodology.
Under section 103(a)(2)(A)iii of the Act, the auditor is required to opine, as a part of the audit engagement, on the internal control system of the audit client in the audit report or a separate report. In general, auditing standards used in the EU (including ISAs) require the assessment of the reporting entity's internal control system. If serious deficiencies in internal control systems gave rise to material errors in the financial statements this would affect the audit opinion via a disclaimer of opinion, or a qualified audit opinion.
In this area, too, a large range of unresolved fundamental questions remains. The proposed implementing rule does not at this stage address the nature of the attestation service to be provided by the auditor. It is, for example, unclear whether it is a review or whether it is supposed to provide a level of assurance comparable to audit services.
In conclusion, EU audit firms should be exempted from attestation of the Internal Control systems on the basis of section 106 (c) of the Act.