From: Scatena, Pat [pat.scatena@intel.com] Sent: Wednesday, November 27, 2002 12:08 AM To: 'rule-comments@sec.gov' Cc: Klafter, Cary Subject: Comment Letter - File No. S7-40-02; Disclosure Required by Sectio ns 404, 406 and 407 of the Sarbanes-Oxley Act of 2002 November 27, 2002 Jonathan G. Katz Secretary, U.S. Securities and Exchange Commission 450 Fifth Street, N.W. Washington, D.C. 20549-0609 rule-comments@sec.gov Re: File No. S7-40-02; Disclosure Required by Sections 404, 406 and 407 of the Sarbanes-Oxley Act of 2002 Dear Mr. Katz: Thank you for the opportunity to comment on proposed rules published in Exchange Act Release No. 34-46701. On behalf of Intel Corporation, we offer the following comments with regard to the rule proposals in that Release. Proposed Disclosure About "Financial Experts" on the Audit Committee We believe that both the statute and the proposed rules are inappropriately too restrictive and narrowly drafted in defining the term "financial expert". We understand that the SEC is constrained by the terms of the statute to a limited degree, but we recommend that where practicable the rule-making adopt a more expansive position in setting the definition. We will not be surprised to find that a majority of companies do not have a "financial expert" and will be unable or unwilling to recruit such a person to the Board and its Audit Committee. We think an unnecessarily narrow definition will undermine investor confidence whereas the goal here is to reassure investors that there are qualified and knowledgeable directors serving on the Audit Committee. Our specific recommendations and comments are as follows: Liability matters. The suggestion that a "financial expert" will not bear increased liability exposure will not be the position taken by many prospective candidates for the position, or the plaintiffs' bar. Some form of affirmative safe harbor defense should be afforded to these individuals that simply keeps their potential liability at the same level as other members of the Audit Committee. The Commission undercuts its own position in this regard by stating that an accountant serving as a "financial expert" would be deemed to be practicing before the SEC ( at fn. 51); this is simply not in line with other statements that the person is a resource to the Audit Committee and not the auditor of the company (at fns. 43-44). The Commission's statements with regard to practicing accountants might logically lead it to assume the same views with regard to practicing attorneys who serve on the boards of public companies. Term to be used. Such a person ought to be designated as an "accounting professional", "accounting expert" or other like term in lieu of "financial expert". The proposed list of job requirements is for an accountant/auditor rather than for an expert in finance. Independence requirement. Section 301 directly imposes a statutorily defined independence requirement on all members of the Audit Committee. The statute directs that this requirement will be imposed on listed companies through stock exchange rules. We suggest that any independence requirement adopted by the Commission be limited to affect only companies not listed on exchanges. Proposed attributes. Proposed attributes b. and c. relating to experience with "generally comparable" accounting matters must be the subject of detailed explanation by the SEC in the final rules and adopting Release. The current ambiguity of that phrase is manifest, and will create major difficulties for issuers in analysis of prospective candidates. Intel is a large, multinational manufacturer and seller of semiconductor and other products; the Commission's proposal does not afford us sufficient guidance to know if general comparability could include, e.g., a multinational auto or pharmaceuticals manufacturer, or a domestic telecommunications concern. General comparability should be focused at high level similarities, such as manufacturing vs. service industries and the like, and the Commission should contemplate diversified businesses in its rules. The Commission should keep in mind that if it defines "general" comparability too restrictively, it may leave affiliates of competitors as the only candidates. "Equivalent experience". The proposal suggests that it might be possible for someone other than a professional accountant or CFO to qualify for the status: "experience in one or more positions that involve the performance of similar functions (or that results, in the judgment of the company's board of directors, in the person's having similar expertise and experience)". However, there is no useful guidance from the lists of "factors" and "attributes" which would suggest that a person other than a professional accountant or CFO could ever reasonably expect to qualify. For example, the current NASDAQ rule which allows for CEO experience to count in this regard will clearly be obsolete when considered in relation to the SEC proposals. The Commission needs to be much more clear and forthcoming in both the rule and any related Release if it actually wants to offer the opportunity for the non-accountant/CFO to be acceptable. Determination of "financial expert" status. The Commission's proposal to make the Board responsible for status determinations is based on conclusive statements only. The Audit Committee members, who are responsible for interacting with management and internal and external auditors, are in the best position to make these determinations, and we do not understand why the Commission believes this would be "inappropriate." Perhaps instead of dictating whether the full Board or the Audit Committee must make the determination, the Commission could simply require disclosure of which one made it. Impracticability of a "bright line" test for status. This section of the Release actually raises the most interesting question of all: what is the "financial expert" supposed to do? Perhaps a bright line status test is perfectly appropriate for certain functions, but neither the statute nor the proposing Release offer any guidelines as to the job description. The Commission states that the "financial expert" should serve as "resource" to the Audit Committee, but that is nothing more than a function each of the Committee members should offer (not to mention management and the independent auditing firm). Perhaps the Commission should first consider the possible job descriptions for someone with the title of "financial expert", and then work from those positions to a determination of the appropriate factors and attributes that will support the relevant job descriptions. It appears at the moment that the Commission has relatively inflexible hiring requirements for an undefined job. Proposed Code of Ethics Disclosure Our general comment with regard to this proposal is that it seeks to expand beyond the statute in numerous respects, and does so without any particular logic or justification. We recommend the Commission look for other statutory authority if it wants to adopt broad code-of-ethics requirements similar to those being put into place by the stock exchanges. Our specific comments with regard to the proposed rules under section 406 of the Sarbanes-Oxley Act are as follows. Persons covered by the code. The proposed coverage of the code to the CEO is an arbitrary extension of the statute without particular logic. The statute is quite precise as to its intended coverage and both NASDAQ and NYSE are currently in the process of adopting listing standards requiring a code of ethics that will cover all employees of an issuer. What will constitute the code. Our company is one of many that already has a broad-based code of ethics in place that covers all employees. Our code (the "Corporate Business Principles" ("CBP")) covers numerous topic areas in addition to conflict-of-interest and legal compliance matters (e.g., workplace/employee relations policies; information security; use of intellectual property; press relations). If the CBP is used to satisfy the section 406 code requirements, it appears that we would have to file or otherwise disclose all CBP-related amendments and waivers, and our experience suggests that very few if any of such items would relate to the matters covered or underlying concerns addressed by section 406. For the purpose of avoiding these extraneous filings we are considering the establishment of a separate Finance Code of Ethics that will satisfy the relevant requirements. As an alternative to a separate Finance Code, we recommend that the Commission allow for a broad code such as our CBP to have a designated section or chapter to alone constitute the section 406 code. In such a case, amendments and waivers of other portions of the document would not trigger the disclosure requirement. Contents of the code. There are a very large number of "ethical principles" which have not been added to the proposed code requirements, but we once again note that both NASDAQ and NYSE will shortly adopt broad-based code requirements covering all employees of an issuer. We suggest the contents of this rule be guided by the terms of the statute. Quarterly disclosure. Quarterly boilerplate disclosure concerning a code will be of very marginal value to the readers of the document; we recommend the Commission consider the materiality of such disclosure before requiring its repetition in a document meant to afford a three-month update to investors. Website disclosure. The Commission's questions concerning website disclosure clearly reflect a bias in favor of 8-K filings. We note, for example, that users of the 8-K method would not be asked to notify stockholders of 8-K usage in annual filings or to send email notices to investors when another 8-K is filed. We recommend that the practical availability of website disclosure, as explicitly contemplated in the statute, not be undercut through the asymmetrical imposition of onerous and unnecessary requirements. Management's Internal Controls and Procedures for Financial Reporting We comment here on the combined effect of the proposing release and the rules adopted in the Commission's August 29, 2002 release, as they relate to the CEO/CFO certification and the quarterly and annual evaluations of disclosure controls and internal controls for financial reporting. Certification language. We request that the Commission reconsider the removal of the words "based on their most recent evaluation" from Rule 13a-14(b)(5) (now renumbered as 13a-14(b)(4)(v)). This change removes what we believe is a necessary and implied knowledge qualifier from the requirement for the CEO and CFO to certify that they have disclosed to the audit committee and auditors all significant deficiencies, material weaknesses and instances of fraud. It is inappropriate to impose an absolute personal liability standard on the CEO and CFO for failure to disclose instances of fraud and serious control deficiencies which have not come to their attention. Instead, the CEO and CFO should only be required personally to certify that based on their knowledge and their evaluation of the controls, they have disclosed such matters to the audit committee. This "knowledge" qualifier is entirely consistent with the scienter-based remedial sections of the Exchange Act. Current item (b)(4)(i) and new items (b)(4)(i) and (ii) speak to the design objectives of the controls. It is unclear whether the CEO and CFO could make their certifications if, at the time of signing, an issue had arisen, such as a disclosure issue where information was not reported in a timely manner to the CEO or CFO or a potential financial statement error, and the root cause of the issue was identified as a material weakness or significant deficiency in the design of the controls. We request that the Commission be very clear in the rules and the certification language that the CEO and CFO can still make the certification in this context, as long as the related disclosure of their conclusions on the effectiveness of the controls incorporates disclosure of the identified material weakness or significant deficiency in the control design, and they will not be liable for a false certification as long as this disclosure is complete and accurate. As indicated below, we are requesting a change addressing this point be made immediately. On a related point, we are presuming that the CEO and CFO would not be liable for having made prior certifications for the financial reporting periods that may have been affected by such a control design issue if they did not know about the issue at the time when those certifications were made. Consistent with these certifications being made under Sections 12, 13 and 15 of the Exchange Act, we request the Commission confirm there is no implied private right of action based on statements made in the certifications if they are subsequently determined not to have been accurate when made but without the requisite scienter for a fraud action. The Commission's revised certification wording will not become effective until, at the earliest, September 15, 2003. In the interim, we request that the Commission make effective immediately the following modifications to Rule 13a-14 and 15d-14: * Make the proposed wording change in (b)(4)(i) now, to comprehend that the CEO and CFO might not themselves design, and instead might direct the design of, the disclosure control system. * In (b)(5), revise the lead in sentence to clarify that the CEO and CFO are certifying that all matters that have come to their attention have been disclosed to the audit committee. * In (b)(4)(i), permit a proviso to be inserted stating that the CEO and CFO have, except as may be disclosed in the report, designed the disclosure controls to ensure that material information is made known to them. Standards for evaluation of effectiveness of controls. We request that the Commission make changes to the rules as necessary to clarify that evaluations of the effectiveness of both disclosure and internal controls are subject to a "reasonable assurance" standard, not a "designed to ensure" standard except to the limited extent required by the statute. There is a significant overlap between the definition of "disclosure controls and procedures" in Rule 13a-14(c), and the proposed definition of "internal controls for financial reporting", with disclosure controls having a specified objective, timely disclosure, whereas the financial reporting internal controls have various other objectives. However, by virtue of the definition used for disclosure controls, different standards are applied to the effectiveness of the same controls depending on the objective being served. Disclosure controls, under the current definition, must be "designed to ensure" that information required to be disclosed in Exchange Act reports is recorded, processed, summarized and reported in a timely manner. The subset of internal controls for financial reporting that is subsumed within this definition of disclosure controls must, at the same time, give "reasonable assurance" that the financial statements are fairly presented in accordance with GAAP. It is commonly understood in the accounting and auditing literature that control systems, because of their inherent limitations, can give only reasonable, not absolute assurance, that the objectives of the system will be met. Therefore, a "designed to ensure" standard with respect to any control system is problematic. This is more than a semantic issue to the officers required to make personal certifications regarding various aspects of the control system. The Commission may not have flexibility to change the certification language, as the statute requires the CEO and CFO to certify that internal controls are designed to ensure that material information is made known to the principal executive officer and principal financial officer, particularly during the periods when the periodic reports are being prepared. However, the Commission has unnecessarily broadened the application of the "designed to ensure" standard by incorporating it into the definition of disclosure controls. We strongly believe the Commission should remove this language from the definition, thereby permitting conclusions on effectiveness of controls to "record, process, summarize and report" in a timely manner (a much broader concept than ensuring material information is made known to the CEO and CFO in the right timeframes) to be made under a reasonable assurance standard. If the Commission views itself as having the flexibility to do so under the statute, it would be preferable to have the certification language revised so that it reads "designed with the intention to ensure" instead of "designed to ensure. This language is more consistent with the "reasonable assurance" standard generally applicable to control systems. Definition of internal controls for financial reporting. In lieu of referring to AICPA Codification of Statements on Auditing Standards, Section 319, and future pronouncements of the PCAOB, we believe it would be more helpful to issuers if the Commission defined internal controls for financial reporting now, using Section 319 as a guide, or directed the PCAOB to develop such a definition as a first order of business. Simply incorporating by reference a lengthy AICPA codification introduces unnecessary ambiguities as to the scope of the covered controls. Definition of significant deficiencies. There is no definition of "significant deficiency" in the auditing literature. As the Commission acknowledges in fn 122, the closest related definition is of the term "reportable condition" in AICPA Codification of Statements on Accounting Standards, Section 325. It would be helpful, to eliminate confusion on this point, if the Commission either replaced the term "significant deficiency" with the term "reportable condition" in the rules and certification language, or clarified in the rules that the two terms mean the same thing. Clarification of timing of controls evaluations and definition of "significant changes." The Commission's revision of Rules 13a-15(b) and 15d-15(b) to require that control evaluations must be made "as of the end of the period covered by the report" introduces unnecessary ambiguity, and confines the controls evaluation to what will be an increasingly short period of time between the end of the reporting period and the required filing date. We believe the concerns that are being addressed by this revision would be equally well-addressed by continuing to require that the controls evaluation be conducted within 90 days prior to the filing date of the report, and then requiring disclosure, in Item 307(b) of Regulation S-K, of all significant changes made during the reporting period and through the filing date. The Commission has given no guidance on what control changes would constitute a "significant change" beyond those changes necessary to correct significant deficiencies and material weaknesses. This guidance is critical to give certainty to issuers as to what needs to be disclosed. For larger, diversified companies, procedures and systems must be set up to detect and address the significance of control changes. Lack of guidance on what constitutes a significant change will result in inconsistency in application across companies and the unnecessary burden of reviewing and evaluating a large number of insignificant changes. On a related point, we note that the proposed revision to Item 307(b) eliminates problematic and overly vague language requiring disclosure of "other factors that could significantly affect" internal controls. We applaud this change, because it eliminates a significant ambiguity in the rule. However, the change has not been picked up in the certification language, resulting in a disconnect between what the CEO and CFO have to certify and what the company has to disclose. We are hopeful that the Commission views itself as having the flexibility under the statute to change the certification language by removing this wording, but if not, we request that the Commission give explicit guidance on what this terminology means and, most importantly, what it excludes. It could be read broadly to mean that companies are burdened with considering for possible significance a wide range of items such as internal reorganizations, changes in personnel, routine integration activities resulting from acquisitions, new industry standards, or the universe of new legislation or auditing/accounting pronouncements that could possibly impact the company. We request that the Commission make effective immediately the changes to Item 307 and the certification language addressing this point, rather than waiting until the remainder of the new rules becomes effective. Paperwork Reduction Act burden estimates. In the August 29 release, the Commission estimated that a company's evaluation of disclosure controls would add a burden of 5 hours per quarterly and annual report. The Commission is now estimating that a quarterly evaluation of the remainder of internal controls for financial reporting not subsumed within the definition of disclosure controls can be completed with an additional five hours of burden, and the annual internal controls report would add a further five hours. The Commission states in the current release that it has no basis for these numbers, and we believe the numbers in the August 29 release and in the current release grossly understate the actual time commitment and are totally misleading to anyone who would use them for any planning or other purpose. Prior to adoption of these rules, effective control systems simply did not comprehend a quarterly report up to the CEO or CFO of all control activities for certification purposes, and a significant amount of time by a large number of people will now be devoted to that internal reporting and then to the evaluation by the CEO and CFO. Based on our actual experience to date, we believe that the Commission has underestimated the time and effort involved in complying with these rules by at least a factor of 100, if not a greater order of magnitude. We can only hope that the Commission's burden estimates are not used for any substantive governmental purpose, since they are completely incorrect. Timing of effectiveness of proposed rules. The Commission should ensure that there is at least a three month period between the adoption by the Commission and the PCAOB of final rules addressing the annual internal control report and auditor attestation and the date by which issuers are required to comply. The work involved in developing procedures to complete the report and attestation will be quite substantial, and cannot be completed until the final rules are adopted. The Commission should not underestimate the tremendous amount of effort that will be required on the part of the issuers and auditors to meet these requirements. Please contact the undersigned at (408) 765-1215 or Patrice Scatena at (408) 765-9771 if you would like any additional information in connection with the above comments. Regards, Cary Klafter Director of Corporate Affairs Legal Department Intel Corporation