BDO Seidman, LLP
Accountants and Consultants
330 Madison Avenue
New York, NY 10017
November 27, 2002
Mr. Jonathan G. Katz, Secretary
Securities and Exchange Commission
450 Fifth Street, N.W.
Washington, DC 20549-0609
Re: Release No. 33-8138
Disclosure Required by Sections 404, 406 and 407 of the Sarbanes-Oxley Act
File No. S7-40-02
Dear Mr. Katz:
This letter is the response of BDO Seidman, LLP to your request for comments regarding the above-captioned proposal.
We support the goals of the Sarbanes-Oxley Act to increase the focus on and quality of issuers' internal controls, encourage ethical conduct by corporate officers and ensure that audit committees have the necessary expertise. However, we have several concerns about and suggestions for improving the proposed approaches to achieving these goals.
Summary of Our Major Concerns
Given the number, breadth, and complexity of the Commission's recent proposals, we are concerned that issuers, auditors, and others have not had sufficient time to fully consider and comment on them. We recognize that the short comment periods for this and other Commission proposals are necessary to meet Congressionally mandated final rule adoption dates. Unfortunately, we feel that this creates a significant risk that the rules the Commission adopts could have unintended or inappropriate consequences. We urge the Commission and its staff to be sensitive to this concern in considering the possible need to modify these rules in the future if such consequences become evident.
We are most concerned about the proposed rules that would implement internal control reporting. In that regard:
- We think the Commission needs to clarify its definition of internal controls and procedures for financial reporting. We suggest that the Commission could make the disclosures easier for investors to understand by taking an alternative approach to defining disclosure controls and procedures. We ask the Commission to clarify whether auditor attestations to internal control reports pursuant to the proposed rules will be sufficient to meet the requirements of Section 103 of the Act.
- We think the Commission's approach requires a level of work in interim periods that is unnecessary. We suggest an alternate approach that would cost less and provide appropriate investor protection.
- We believe the proposed effective date is not practical or appropriate.
- It appears to us that management reports on and certifications of controls and auditor attestations would be incorporated by reference in certain Securities Act filings. We do not think this is appropriate.
- We do not think the proposed approach of requiring control evaluations as of the end of the period covered by a report is appropriate. We think the Commission should instead provide registrants with more flexibility in selecting evaluation dates.
- We do not think the proposed change to require companies to report significant changes in internal controls during the period covered by the report is appropriate. We think the Commission should instead retain the approach of requiring companies to disclose significant changes after the evaluation date.
- It is not clear to us where the Commission stands on reporting significant changes in other factors that could significantly affect internal controls. We support the approach of removing this requirement.
With respect to code of ethics disclosures, we do not support the proposed approach of allowing a company to post information about changes in, or waivers of, its code of ethics on its web site without a corresponding Form 8-K filing.
With respect to "financial experts" disclosures, we believe that the proposed definition and disclosure approach could create a potential resource problem, especially for smaller companies.
Our more specific comments about the proposed rules and our recommendations for alternative approaches are set forth below.
Internal Controls and Procedures for Financial Reporting (Section 404)
Many of our comments focus on "internal controls and procedures for financial reporting" as defined in proposed rules 13a-14(d) and 15d-14(d) and "disclosure controls and procedures" as defined in rules 13a-14(c) and 15d-14(c). To make this letter easier to read, we will refer to these terms, as defined in these rules, simply as "internal controls" and "disclosure controls" unless we state otherwise.
We ask the Commission to clarify the definition of internal controls. We also suggest that the Commission could make the disclosures easier for investors to understand by taking an alternative approach to defining disclosure controls and procedures. In addition, we ask the to Commission clarify whether auditor attestations to internal control reports pursuant to the proposed rules will be sufficient to meet the requirements of Section 103 of the Act.
We do not think the definitions of internal controls and disclosure controls are sufficiently clear, and we ask the Commission to clarify them. We are concerned that problems such as the following could result if the definitions are not clear to issuers, lawyers and accountants:
- Uncertainty could lead to inconsistent reporting of control weaknesses. For example, there may be confusion about whether a control weakness is (1) a weakness that might fall within some other definition of internal controls, but is outside the definition of internal controls in the proposed rules, (2) a weakness only in internal controls or (3) a weakness in both internal controls and disclosure controls.
- Uncertainty among management and auditors as to which controls they need to address in performing their work to support their reports on internal controls could cause them to do too much or too little work.
The key aspects of these definitions that are not clear to us are (1) whether internal controls are a subset of disclosure controls and (2) if they are not, which internal controls are not encompassed by the definition of disclosure controls. When we read these definitions, we reach the conclusion that all internal controls are a subset of disclosure controls. However, we are not confident that this conclusion is correct. Comments in the Release lead us to think the Commission believes that some internal controls are not part of a company's disclosure controls. In that regard:
- In the Paperwork Reduction Act section, the Release says, "We believe a significant portion of internal controls and procedures for financial reporting are included in disclosure controls and procedures" (emphasis added). This indicates to us that the Commission believes that not all internal controls are included in disclosure controls.
- In the transition period discussion, the Release indicates that the Commission believes that principal executive and financial officers should not be required to provide certifications relating to internal controls "until the company has had the opportunity to perform the comprehensive evaluation of internal controls and procedures for financial reporting contemplated by Section 404." This could mean that the Commission believes that these officers will be certifying a broader set of internal controls in the future, when they certify internal controls and procedures for financial reporting, than they indirectly certify today when they certify their disclosure controls.
In addition, informal discussions with the Commission staff lead us to think the staff may believe that some internal controls do not fall within the definition of disclosure controls.
The confusion may result from differing views regarding the extent to which internal controls designed to safeguard assets are covered by the definitions of disclosure controls and internal controls. It may also result from differing views regarding the extent to which internal controls as defined in the proposed rules include controls encompassed in broader definitions of internal controls that exist.
We believe that the definitions of internal controls in Section 13(b)(2)(B) of the Exchange Act and Section AU 319 of the Codification of Statements on Auditing Standards are broader than the definition of internal controls in the proposed rules because they encompass safeguarding and other controls that are designed to achieve objectives beyond reliable financial reporting. We think it is clear that controls designed to achieve those other objectives are not within the definition of disclosure controls. However, we do not think it is clear which of these controls are outside the definition of internal controls in proposed rules 13a-14(d) and 15d-14(d). We read the definition in the proposed rules to say that it encompasses only the following narrower group of controls: those controls that are necessary to ensure reliable financial reporting (or, in the Commission's words, "to permit the preparation of the registrant's financial statements in conformity with GAAP"). We believe it does not encompass controls designed to achieve other objectives. Also, it is our understanding that reliable financial reporting is a prerequisite to having adequate disclosure controls and procedures, so controls needed to ensure reliable financial reporting are also part of a company's disclosure controls.
Therefore, we read the definitions to say that if safeguarding controls are necessary to ensure reliable financial reporting, they are part of a company's internal controls and its disclosure controls. For example, a company with weak controls to detect and record the loss of assets on a timely basis would probably conclude that it needs strong safeguarding controls to prevent the unrecorded loss of those assets and produce reliable financial statements. In this situation, we read the definitions to say that safeguarding controls are part of the company's internal controls and its disclosure controls. However, we also read the definitions to say the opposite is true. A company with strong controls to detect and record the loss of assets might conclude that its safeguarding controls are not necessary to produce reliable financial statements. In this situation, we read the definitions to say that safeguarding controls are not part of the company's internal controls or its disclosure controls.
For these rules to operate effectively, we think it is very important for the Commission to clearly explain whether internal controls are subsumed in the term disclosure controls and if not, when and why they are not. We also suggest that it might help the legal community if the Commission provided a similarly clear explanation of how internal controls as defined in proposed Rules 13a-14(d) and 15d-14(d) differ from the definition used in Section 13(b)(2)(B) of the Exchange Act.
Redefine "Disclosure Controls and Procedures"
We suggest that the Commission could make the disclosures easier for investors to understand by taking an alternative approach to defining disclosure controls and procedures.
In that regard, we suggest that the Commission consider significantly narrowing the definition of disclosure controls so that there is no overlap between the definitions of disclosure controls and internal controls. It appears to us that if a company has a significant deficiency in its internal controls, it is likely that this will cause the company to also have a significant deficiency in its disclosure controls. Thus, one control deficiency will lead to modified reporting on both the company's internal controls and its disclosure controls. We think this would confuse a number of investors and perhaps lead them to think the company's controls are weaker than they are. We suggest that the Commission consider addressing this issue by narrowing the definition of disclosure controls so that there is no overlap with the definition of internal controls.
Differences Between Sections 103 and 404 of the Act
Section 103 of the Act requires the PCAOB to require registered public accounting firms to present in audit reports an evaluation of whether the issuer's internal control structure and procedures meet certain objectives, including objectives which do not necessarily relate to the preparation of the financial statements in conformity with GAAP. These objectives are different from and seem to go beyond those that will be accomplished by complying with proposed Rule 2-02(f) of Regulation S-X. The Commission indicates in the Release that its proposed definition of internal controls is consistent with Section 103 of the Act and integrates the various concepts of internal control into a unified concept that is widely understood by the accounting profession and issuers. We agree that the Commission's definition is more widely understood than the definition in Section 103 and is more closely attuned to the needs of investors since it directly relates to the preparation of external financial statements.
However, it is not clear as to whether the PCAOB will be able to incorporate the Commission's definition in its actions pursuant to Section 103 or whether it will have to require the internal control reports to refer specifically to the objectives set forth in Section 103. The Commission should clarify this matter promptly since the different objectives in these Sections will require a different level of understanding and training to be implemented by issuers and auditors.
Quarterly Evaluations, Reports, and Certifications
It appears to us that the existing and proposed rules envision that the process a company's principal executive and financial officers would perform during the first three quarters to evaluate, report on, and certify its disclosure controls and internal controls is substantially the same as the process they would perform at year end. The only significant difference appears to be obtaining an auditor attestation to management's internal control report at year-end. We believe that requiring this level of work each quarter is unnecessary. We suggest that the Commission instead adopt an alternate approach that requires a lesser amount of effort and assurance for purposes of quarterly reports. We envision an approach that would permit issuers to test compliance with controls relating to major applications on a rotating basis throughout the year. In addition to costing less, this alternate approach might provide greater benefits by increasing the likelihood that companies will review their controls in the appropriate level of detail at least once each year.
Generally accepted accounting principles and auditing standards and the Commission's interim reporting rules are based on the principle that the primary purpose of interim reports is to provide timely updates of the information provided in the most recent annual report. They recognize that preparing interim reports entails less rigor than preparing annual reports. In that regard:
- Paragraph 9 of APB Opinion 28 states, "Interim financial information is essential to provide investors and others with timely information as to the progress of the enterprise. The usefulness of such information rests on the relationship that it has to the annual results of operations. Accordingly, the Board has concluded that each interim period should be viewed primarily as an integral part of an annual period."
- Generally accepted accounting principles and auditing standards recognize limitations in the rigor with which interim financial statements are prepared in order to meet the objective of providing timely information. Paragraph 4 of Opinion 28 states, "In view of the limited time available to develop complete information, many costs and expenses are estimated in interim periods. For example, it may not be practical to perform extensive reviews of individual inventory items, costs on individual long-term contracts and precise income tax calculations for each interim period." The emphasis on timeliness at the expense of rigor is repeated in paragraph AU 722.08 of the Codification of Statements on Auditing Standards, which states, "Timeliness is an important element of interim financial reporting. Interim financial information customarily is made available to investors and others more promptly than is annual financial information. Timely reporting of interim financial information ordinarily precludes the development by management of information and documentation underlying interim financial information to the same extent as that underlying annual financial information. Therefore, a characteristic of interim financial information is that many revenues, costs, and expenses are estimated to a greater extent than for annual reporting purposes."
- The Commission's rules accept this lower level of rigor by accepting financial statements that management prepares in accordance with APB 28 and accepting reviews, rather than audits, of those financial statements. In addition, the rules emphasize timeliness over completeness. Quarterly reports on Forms 10-Q and 10-QSB are due sooner than annual reports. In view of this, Article 10 of Regulation S-X and Item 303(b) of Regulation S-K do not require the same level of disclosure in interim financial statements and MD&A as is required in annual reports. Instead, these rules require registrants to communicate material changes to the information provided in the most recent annual report.
We think the Commission should modify the rules to apply the principle articulated above to interim evaluation, reporting and certification of disclosure controls and internal controls. Accordingly, we believe issuers should be permitted to perform a less rigorous evaluation during the first three quarters than is required at year-end. We think the objective of the work the certifying officers perform each quarter should be to identify changes in controls during the quarter and evaluate whether they would change the certifying officers' conclusions about disclosure controls and internal controls as stated in the most recent annual report. We also recommend that the Commission change the quarterly reporting and certification requirements to make them consistent with this change in the objective of the quarterly evaluations. In our view, these changes are appropriate for the following reasons:
- We see no reason to apply a more rigorous approach to evaluating controls each quarter than is applied to other aspects of quarterly reporting.
- We do not think the incremental benefits resulting from more rigorous control evaluations each quarter outweigh the costs.
- We think the alternative approach we suggest is more practical in view of the fact that the Commission has accelerated the due dates by which many issuers will be required to file quarterly reports.
- We think the alternative approach is more likely to ensure that companies review all significant controls in the appropriate level of detail at least once each year. If companies are required to do too much each quarter, we fear that the reviews will be broad but not deep. Under the alternative approach, we would expect companies to evaluate each significant control less frequently, but we would expect the evaluations they perform to be more comprehensive. We think this approach is more likely to protect investors by ensuring that companies have the controls necessary to provide reliable information.
- The FDIC's rules covering certain depository institutions require only annual reporting by management and auditor attestation regarding internal control. This approach seems to have produced satisfactory results.
We agree with the Commission's approach of first requiring internal control reporting in an annual report. However, we believe the proposed approach of requiring this reporting in annual reports for years ending on or after September 15, 2003 is not practical or appropriate.
We believe the proposed effective date could result in requiring auditor attestation to management's evaluation of internal controls sooner than contemplated by the Sarbanes-Oxley Act. Section 404(b) of the Act requires that the attestations be provided by registered public accounting firms. It also indicates that the work to support the attestations shall be part of the audit - not the subject of a separate engagement. Section 101(d) of the Act requires the PCAOB to be organized to carry out its duties by April 26, 2003. Section 102(a) of the Act requires accounting firms to be registered by 180 days after the date the Commission determines the PCAOB is suitably organized. Thus, public accounting firms may not be registered until October 23, 2003. We believe that the Act did not contemplate accounting firms providing the attestations required by Section 404(b) as part of engagements that were planned and where most of the work was completed before the accounting firm became registered. We believe that the implementation timetables in the Act are already aggressive. We do not think it is appropriate for the Commission to exceed them in implementing Section 404.
Section 404(b) of the Act requires accounting firms to provide attestations in accordance with standards for attestation engagements issued or adopted by the PCAOB. We agree with the Commission that "Congress did not intend for the provisions of this section to take effect until the PCAOB has established the relevant attestation standards." At this point, no one knows whether or when the PCAOB will adopt existing standards for attestation engagements or issue new ones. We believe the Commission needs to provide for this uncertainty by making the effective date the later of a specified date or a specified number of months after the PCAOB issues or adopts attestation standards.
In our opinion, the Commission should provide a significantly greater amount of lead-time than proposed for the following additional reasons:
- Performing the management evaluations and obtaining the auditor attestations requires a substantial amount of work. We believe that Congress intended and that the rules require a substantive upgrade of most companies' focus on controls, including more robust documentation of controls. By providing so little time to implement the rules and estimating for Paperwork Reduction Act purposes that this will require only five hours of effort, the Commission is sending a message to issuers that this is a trivial matter that requires only a token effort. We do not think that was Congress' intent. We think the Commission would better achieve the Act's intent by acknowledging the level of effort required through (1) commentary to that effect in the release covering the final rules, (2) providing ample lead time, and (3) reflecting the significant effort that will be required in its Paperwork Reduction Act burden estimate.
- As the Commission acknowledges, companies and auditors will require substantial time to develop processes and train personnel to perform this work. This is particularly true with respect to information systems audit specialists. We believe there is a shortage of these people and that it will be difficult to train a sufficient number of them in time to meet the proposed effective date.
- Because of manpower limitations, it will be necessary to perform a substantial amount of the work to support the auditor attestations well before year-end, especially in the first year the auditors provide the attestations. This will be particularly true for companies that will need to begin filing their Exchange Act reports on an accelerated timetable. Given the uncertainties about the professional standards to be followed and the substantial training requirement discussed above, it will be extremely difficult, if not impossible, to have sufficient company and accounting firm people in the field performing this work by the spring/summer of 2003, as would likely be required to meet the proposed effective date.
- The resource issue is exacerbated by the potential effects of the recently announced Commission proposal on rotation of audit partners. It is our understanding that the forthcoming proposal would go well beyond the Act by applying rotation to partners involved with significant aspects of the audit as well as to partners handling significant subsidiaries. If this proposal is adopted, the entire leadership of an engagement team may be required to be replaced at the same time, resulting in a collective loss of knowledge about an issuer's internal controls which would be difficult to equal with the partners newly assigned to the audit. Consequently, the resource limitations, coupled with the proposed rotation rules, could provide for less reliable attestations on an issuer's internal controls during the early phase of implementing the Section 404 rules.
Therefore, we think a more appropriate transition approach would be to first require management reporting and auditor attestation on internal controls in annual reports for fiscal years ending on or after the later of (1) eighteen months after the PCAOB issues or adopts attestation standards or (2) December 15, 2004.
We also think it would be appropriate for the Commission to defer the effective date for small business issuers for an additional year beyond that outlined in the preceding paragraph. We believe that small business issuers' internal controls tend to be less formal and not as well documented as those of large issuers. We believe the task of documenting internal controls is a comparatively greater burden for small companies. Accordingly, we believe additional time is warranted.
Management Reports and Certifications and Auditor Attestations in Securities Act Filings
The Release does not specifically address management reports on and certifications of controls or auditor attestations of management reports on internal controls in Securities Act filings. It appears that the practical effect of this is that these items would not be required in registration statements that do not incorporate the most recent annual report by reference. However, many registration statement forms require the registrant to incorporate the most recent annual report by reference. It appears that the items referred to above would be required to be incorporated by reference in the registration statement when these forms are used.
We do not believe this is appropriate. We see nothing in the Sarbanes-Oxley Act calling for these items to be incorporated by reference in Securities Act registration statements. In addition, we see no reason why the information content for a Securities Act registration statement should vary so significantly depending on the form the issuer chooses to use (e.g., Form S-1 vs. Form S-3). Accordingly, we think the Commission should amend the Securities Act forms that require the registrant to incorporate the most recent annual report by reference to exclude these items from the information to be incorporated by reference.
If the Commission elects to require these items in some or all Securities Act filings, we ask the Commission to provide guidance, similar to the guidance it provided regarding review reports on interim financial statements, on whether an auditor attestation is considered a "report" or "part" of the registration statement under Sections 7 and 11 of the Securities Act. As indicated above, we do not think the Sarbanes-Oxley Act envisioned that to be the case. The Commission would also need to consider the evaluation date question discussed in the next section of this letter.
Evaluation Date Change
The Commission has proposed to change the evaluation date for disclosure controls to the end of the period covered by the report (vs. within 90 days of the filing date under the current rules) and to require companies to also perform internal controls evaluations as of that date. We do not believe this approach is appropriate. We think the Commission should instead modify the rules to provide registrants with more flexibility in selecting evaluation dates.
Providing flexibility is consistent with the Sarbanes-Oxley Act. The 90-day requirement in Section 302 of the Act (which does not even specify whether the 90 days should be measured based on the period end or the filing date) appears to provide for flexibility in selecting the evaluation date.
We also have the following practical reasons for recommending that the Commission provide more flexibility.
- The Commission recently adopted rules to accelerate the due date for many companies' quarterly reports. When those rules were proposed, many commenters expressed great concern about the difficulty of meeting the accelerated quarterly reporting dates without eroding the quality of the information reported. Requiring companies to perform the controls evaluations as of the last day of each quarter will increase the difficulty of meeting the accelerated due dates. The problem will be even worse if a significant event occurs near the end of a quarter (e.g., a company makes a significant acquisition). Giving a company the ability to choose an evaluation date that is within a reasonable period before quarter-end should reduce this problem.
- The factors discussed immediately above also support allowing a company to choose an evaluation date that is within a reasonable period before year-end (even if that results in an evaluation as of a date that is more than 90 days prior to the filing date).
- Allowing a company to elect to perform the evaluations as of the end of the period covered by the report is also appropriate. The current rules require the principal executive and financial officers to evaluate disclosure controls as of a date within 90 days of the filing date. However, what if a company has to file its annual report late (i.e., more than 90 days after year-end)? Rule 12b-25 provides for an extension of time when a registrant cannot file an annual report without unreasonable effort or expense. Yet the current rules would appear to require the officers to reevaluate the company's disclosure controls as of a later date to meet the 90-day requirement. We do not think this is the intent of the Sarbanes-Oxley Act. Allowing end of period evaluation dates, regardless of when the registrant files the report, would address this problem.
- There are circumstances in which it would be highly impractical or even impossible for a company to perform its evaluation of internal controls as of period-end. This problem would arise if a company changed its principal executive or financial officer after period-end but before it filed its periodic report. Also, consider the example of a company that changes auditors after year-end and makes a significant change in its internal control system after year-end. Because of the system change, it could be highly impractical or impossible for the new auditor to attest to a management evaluation of the internal control system that existed at year-end (before the auditor was engaged). The rules should provide a means for companies in situations such as these to comply with them.
- As discussed above, it is not clear what controls reporting will be required in Securities Act registration statements. But we note that some issuers (i.e., those that do not meet the tests in Item 310(g) of Regulation S-B or Rule 3-01(c) of Regulation S-X) must provide audited year-end financial statements in Securities Act filings beginning 46 days after year-end. If controls reporting will be required in Securities Act registration statements, it would be a significant burden on these issuers to provide an auditor attestation to management's evaluation of internal controls 46 days after the evaluation date. Giving these companies the ability to choose an evaluation date that is within a reasonable period before year-end should reduce this problem.
For these reasons, we think a more appropriate approach would be to permit a company to choose as the evaluation date any date in a period that begins a reasonable period before period-end and ends on the day before the filing date of the report. We suggest that the Commission start by allowing the earlier date to be within two months before period-end and at some point change that date to one month before period-end. We suggest that the appropriate time to change would be after a company has filed three auditor attestation reports on its internal controls. We note that this could result in many companies performing evaluations as of a date that is more than 90 days before the filing date of the report. As stated above, we think the Sarbanes-Oxley Act provides for this flexibility. It appears to us that the Commission shares this view. We note that the proposed requirement for a foreign private issuer filing Form 20-F to evaluate its controls as of year-end could result in such registrants using evaluation dates that are up to six months before the filing dates.
Reporting Changes in Internal Controls
The Commission has proposed to change the period for which companies must report significant changes in internal controls to the period covered by the report (vs. the period subsequent to the evaluation date under the current rules). We do not think this change is appropriate. Instead, we suggest that the Commission retain the approach of requiring companies to disclose significant changes after the evaluation date. In that regard:
- Reporting significant changes in the period after the evaluation date is consistent with the requirements of the Sarbanes-Oxley Act.
- We do not think investors are particularly interested in changes that occurred during the period. We think they are far more concerned about changes that occurred after period-end that would (1) correct significant deficiencies or (2) raise questions about whether internal controls that were adequate as of period-end continue to be adequate.
- It appears that companies that make significant systems changes in a competent and professional manner (i.e., they do so without sacrificing control during the transition period) would nevertheless be required to report those changes. We do not think investors are interested in reading disclosures about those types of changes.
- It appears that a company would be required to repeat in its quarterly and annual reports the disclosure of changes that occurred during previous quarters that it provided in previous quarterly reports. We do not believe repeating this information is necessary.
In summary, we do not think investors are interested in a detailed description of the changes in a company's internal control systems during a period as long as no significant deficiencies remain at the end of the period. Instead, we believe that they simply want to know whether the systems were adequate at period-end and whether that conclusion might have been different at the time the company filed the report. We think the Commission should retain the approach of requiring companies to disclose significant changes that occur after the evaluation date.
Reporting Changes in Other Factors
It is not clear to us where the Commission stands on reporting significant changes in other factors that could significantly affect internal controls. Under the current rules, a company must disclose changes in other factors that could significantly affect internal controls. In the proposed rules, the Commission has removed this requirement from Item 307(b) of Regulations S-B and S-K, Item 15(a)(2) of Form 20-F, and General Instruction B.(7)(b) of Form 40-F. However, the requirement to address changes in other factors has not been removed from the Exchange Act rules (i.e., Rules 13a-14(b)(4)(vi) and 15d-14(b)(4)(vi)) or the form of the certifications to be provided in Exchange Act periodic reports (i.e., Forms 10-Q, 10-QSB, 10-K, 10-KSB, 20-F, and 40-F). We suggest that the Commission address these inconsistencies in the final rules.
Our sense is that the requirement to report changes in other factors has caused much confusion among preparers and professionals. If the Commission retains this requirement, in the release covering the final rules it should provide guidance on meeting it, including examples of matters to be disclosed.
We have a number of technical suggestions regarding the proposed rules.
- Proposed Rule 2-02(f) of Regulation S-X - This rule could be read in unintended ways. It could be read to require an accountant to examine management's internal control report any time he or she audits financial statements for a registrant. Thus, it could be read to say an accountant must examine and report on management's internal control report when he or she audits the registrant's interim financial statements, even though accountants are not required to attest to interim internal control reports. It could also be read to say an accountant must examine and report on internal control reports in Securities Act registration statements on Forms S-1 and SB-2, even though those registration statements do not require internal control reports. Finally, it could be read to say an accountant must examine the internal controls of an equity method investee or an acquired business if the accountant audits those entities' financial statements "for a registrant." We suggest the Commission rewrite the proposed rule so it will clearly communicate accountants' responsibilities in these situations.
- Item 307(a) of Regulations S-B and S-K, Item 15(a)(1) of Form 20-F, and General Instruction B.(7)(a) of Form 40-F - These rules require disclosures "about the effectiveness" of the issuer's controls. It is our understanding that these disclosures are supposed to address both the design effectiveness and the operating effectiveness of these controls. We suggest that the Commission modify these rules to make this clear.
- Item 307(c)(3) of Regulations S-B and S-K, Item 15(a)(3)(iii) of Form 20-F, and General Instruction B.(7)(c)(3) of Form 40-F - These rules require a statement regarding the accounting firm that prepared or issued "the registrant's audit report." The audit report is the report of the accountant on the registrant's financial statements. We suggest that the Commission change this phrase to say, "the audit report on the registrant's most recent annual financial statements."
- Item 307(c)(4) of Regulations S-B and S-K, Item 15(a)(3) (iv) of Form 20-F, and General Instruction B.(7)(c)(4) of Form 40-F -
- These rules require the registrant to furnish the attestation report of the accounting firm that "audited or reviewed" the registrant's financial statements. We do not understand the reference to a review here and suggest the Commission delete it.
- Sometimes an auditor other than the principal auditor audits the financial statements of part of a registrant, and the principal auditor refers to the other auditor's work in his or her report on the registrant's financial statements. In this situation, Rule 2-05 of Regulation S-X requires the registrant to present the other auditor's report in its filings with the Commission. There does not appear to be a similar requirement when there is divided responsibility for the attestation to management's report on internal controls. We suggest that the Commission require registrants to provide both attestation reports in these situations. We suggest that the Commission modify the rules referred to above and a rule in Article 2 of Regulation S-X to provide for this.
- Exchange Act Rules 13a-14(b)(4)(v)(A) and (B) and 15d-14(b)(4)(v)(A) and (B) - The period for which these disclosures must be made are not clear. Must the officers disclose matters identified (1) during the period covered by the report (or controls evaluation), (2) during the period from the end of the period covered by the report (or evaluation date) to the filing date, or (3) both? We suggest the Commission clarify this in the final rules.
- Revised instruction to Form 12b-25 - The next to last sentence says the form shall be filed "no later than one business day after the periodic report in question." The form, as amended, would apply to current as well as periodic reports. Therefore, we suggest the Commission delete the word "periodic" from the instruction.
- Exchange Act Rules 13a-14 and 15d-14 and the Exchange Act forms appear to use the terms "issuer" and "registrant" inconsistently. We suggest that the Commission consider whether any of these words should be revised to more correctly reflect the requirements.
- As we understand it, the management reports on disclosure controls and internal controls and the auditor attestation report on internal controls will be presented in Part III of Forms 10-K and 10-KSB. Based on General Instruction G.(3) to Form 10-K, which parenthetically refers to items 10, 11, 12 and 13 but not Item 14, it appears to us that these items must be included in a Form 10-K filed within 90 days of year-end (i.e., a company cannot incorporate them by reference to a proxy statement filed within 120 days of year-end). However, based on General Instruction E.3. to Form 10-KSB, which refers broadly to Part III and does not enumerate specific items, it is not clear whether a small business issuer must file these items in a Form 10-KSB within 90 days of year-end. We think these items should be filed with the rest of the Form 10-K or 10-KSB. We also think a more logical place to present them is in Part II, i.e., in the same section as MD&A and the financial statements. We suggest that the Commission relocate the disclosure and make the due date clear when it adopts the final rules.
- Amendments - It is not clear to us which certifications need to be filed when a registrant amends a periodic report. Consider, for example, a registrant that files its Form 10-K on time but omits Items 10, 11, 12 and 13. The registrant does not file its definitive proxy statement within 120 days of year-end, so it amends its Form 10-K to provide the omitted information. It seems to us that in this fact pattern, the registrant should be required to provide only the first two paragraphs of the certification. However, we think the answer would be different in other fact patterns. We suggest the Commission amend the rules or provide guidance to clarify the certification requirements when a registrant amends a periodic report.
Code of Ethics Disclosure (Section 406)
We do not support the proposed approach of allowing a company to post information about changes in, or waivers of, its code of ethics on its web site without a corresponding Form 8-K filing. Filing this information on a Form 8-K provides a verifiable filing date. It also enables investors to (1) find information by looking in a consistent location, (2) confirm that no events have been reported, and (3) access information for a period of longer than 12 months. All of these benefits would be lost if companies are permitted to only post the information on their web sites. Also, it is not clear whether the proposed filing extension for late Form 8-K filings would extend to a company that posts this information on its web site, or whether such a company would need to file a notification on Form 12b-25.
For these reasons, we believe companies should be required to disclose information about changes in their codes of ethics on Form 8-K. We believe this would provide the benefits described above. We note that the Commission has not hesitated to adopt requirements that exceed those specified in the Sarbanes-Oxley Act when doing so would be in the interests of investors. We think that requiring filings on Form 8-K is warranted.
If the Commission does not require Form 8-K reporting, we think the rules should be clearer regarding the late filing issue discussed above. In addition, the Commission should consider the need to amend the Securities Act registration statement forms (e.g., Forms S-2, S-3, S-4, S-8, F-2, F-3, and F-4) and rules (e.g., Rule 3-01(c) of Regulation S-X and Item 310(g) of Regulation S-B) that require all Exchange Act reports to have been filed or filed in a timely manner, to address website reporting in lieu of Form 8-K filing. The Commission should also consider the need to amend Exchange Act Rule and Form 12b-25.
We also note that the proposed rule is unclear as to the adoption date of a company's code of ethics. The proposed rules require companies to disclose whether or not they have adopted a code of ethics, but they do not state as of what date or for what period the company must have adopted that code, or whether the adoption date should be disclosed. We think the final rules should be clear as to the date a company must have adopted a code of ethics, and whether or not the company should be required to disclose the adoption date.
Disclosure About Financial Experts
Serving on a Company's Audit Committee (Section 407)
We believe that the proposed definition of "financial expert" is too strict. It appears to us that the rule contemplates a high level of knowledge of the technical issues involved in preparing the registrant's financial statements. If that is the case, we believe that it will create a resource problem, especially for small business issuers. We believe that the number of people who have detailed knowledge of and ability to apply all of the accounting literature and SEC rules applicable to a company is limited. Smaller companies with fewer resources and less prestige than larger companies will likely have even more difficulties in recruiting such people. This problem is exacerbated if the company engages in transactions involving particularly specialized accounting (e.g., complex issues regarding accounting for derivatives, derecognizing financial instruments, consolidating SPEs). For foreign issuers, this problem is worse, because the person must have extensive knowledge of both local GAAP and U.S. GAAP.
Companies might also face resource problems due to audit committee members' concerns about personal liability, especially since the proposed rules would require companies to disclose the people's names and identify them as "financial experts." People qualified to fill this role might also be discouraged from doing so because of a perceived higher level of responsibility that this title would carry compared to other audit committee members. Therefore, we suggest not requiring disclosure of the names.
The Commission stated in the proposing release, "The mere designation of the financial expert should not impose a higher degree of individual responsibility or obligation on a member of the audit committee.... Furthermore, in order to avoid any confusion in the context of Section 11 of the Securities Act, we do not intend for such a person to be considered an expert for purposes of Section 11 solely as a result of his or her designation as a financial expert on the audit committee." We think that if the Commission reflected this intent more formally, it might ease people's concerns about serving. Perhaps this could be done through appropriate protective language in the rules. It might also help if the Commission were to deem these disclosures not "filed," i.e., the approach the Commission used in Item 306 of Regulations S-K and S-B.
We also believe that under the proposed rules companies could face a chronic problem of audit committee members not being able to maintain the necessary attributes, given the frequent changes in accounting standards. This problem is magnified for companies in Europe, who are in the process of converting to International Accounting Standards. When these standards are first adopted, how many people will have necessary experience?
In light of the potential resource and compliance problems noted above, we suggest that the Commission rewrite this rule to take a different approach.
We believe an approach that allows the board of directors to use greater judgment in determining what level and type of expertise is needed for their company would be appropriate. As previously stated, many people who legitimately are viewed as financial experts would probably have difficulty meeting the proposed definition. This alternative would allow companies to conclude that they have financial experts without sacrificing investor protection.
If the Commission retains the proposed approach, we suggest that it be modified to permit more flexibility. The Commission could mandate only certain of the attributes contained in the definition, while recommending but not mandating the others. Alternatively, the rules could be changed to require the audit committee as a whole, instead of one designated member, to have all the attributes. In other words, the rules could provide for one audit committee member to provide certain attributes (e.g., accounting and auditing knowledge), while another provides others (e.g., knowledge about the industry in which the company operates). We think the key is for the audit committee as a whole to have the breadth of experience and knowledge needed to effectively meet its responsibilities.
We also believe that the Commission should clarify the rules. The rules would require a company to disclose whether or not they have a financial expert on the audit committee. However, they do not state as of what date or for what period the company must have had the expert on the committee or whether the date/time period should be disclosed. We think the rules should be clear as to the date a company must have had the expert and whether or not the company should be required to disclose the date/time period.
Finally, it would strike us as more logical and useful for investors if the Commission placed these rules in expanded Items 306 of Regulations S-K and S-B. This would put all the rules regarding audit committee disclosures in one place and require reporting of all information regarding audit committees to be disclosed in one place in the proxy statement.
* * * * * * * *
We appreciate this opportunity to express our views to the Commission. We would be pleased to answer any questions the Commission or its staff might have about our comments. Please contact Wayne Kolins (at (212) 885-8595 or via electronic mail at firstname.lastname@example.org) or Lee Graul (at (312) 616-4667 or via electronic mail at email@example.com).
Very truly yours,
/s/ BDO Seidman, LLP