The ServiceMaster Company
November 20, 2002
Mr. Jonathan G. Katz
Dear Mr. Katz:
I have reviewed SEC Release No. 33-8138 entitled "Disclosure Required by Sections 404, 406 and 407 of the Sarbanes-Oxley Act of 2002." I will limit my comments only to the proposed changes to Item 307 of Regulation S-K entitled "Controls and Procedures" and the proposed revisions to Rule 13a-14 under the Securities Exchange Act of 1934.
With all due respect, the SEC's apparent need for symmetry between Sections 404 of the Sarbanes-Oxley Act and 302 of that Act may cause the SEC to miss a substantial part of the boat. Section 404 clearly speaks to internal controls and procedures for financial reporting. Section 302 does not. Section 302, clearly to me, but arguably not to others, addresses a broader definition of internal controls.
For purposes of the Sarbanes-Oxley Act, the definition of internal controls should reference the AICPA definition and include the three prongs of financial reporting, efficiency and effectiveness of operations and compliance with laws and regulations. It makes sense and is appropriate to require a certification that addresses all three prongs of the definition of internal controls. On the other hand, I understand and believe it is appropriate that the internal control report required by Section 404 be limited as required by the Sarbanes-Oxley Act. This is due in part to Congress' clear intent to require an attestation report by an auditor. Therefore, the auditor should only attest to internal controls as they relate to financial reporting.
To amend Rule 13a-14 to narrow its current application to internal controls and procedures for financial reporting would ignore that compliance with laws, not just financial reporting requirements, is a critical component of every company's operations. Moreover, the lack of focus on compliance with laws has been one of the great drivers of the corporate scandals that have resulted in actions such as the passage of the Sarbanes-Oxley Act.
There is apparently a debate at the SEC regarding whether internal controls should include compliance with laws and regulations. That debate does not include public accountants as I understand that they believe internal controls include more than financial reporting. To fail to include the broader definition of internal controls for purposes of the Sarbanes-Oxley Act and the 13a-14 certification would, in my view, give the green light to companies to divert resources from, or simply fail to staff, their compliance programs. In addition, compliance with laws (and compliance with a company's own policies) has an indirect and often direct effect on a company's financial statements. For example, the failure to comply with employment laws these days leads directly to lawsuits and reserve estimates. Ideally, a company's own compliance program will exceed the legal requirements and therefore its operations will by definition comply with the law.
The SEC's mission is to provide sunlight to a company's operations for the benefit of the current and prospective investor. A company's compliance program is a critical component in today's ever more regulated and increasingly litigious environment. Just ask the State's attorneys general. It is clearly for the benefit of the public investor that they know whether a company devotes sufficient resources to its compliance program. I fear that in a rushed effort to comply with the mandate of Section 404 of the Sarbanes-Oxley Act the SEC has knowingly or inadvertently recast Rule 13a-14 in order to satisfy some unfounded need for symmetry. Symmetry is not contained in the Sarbanes-Oxley Act and is not needed here. In fact, the simple fix is to make clear that internal controls refers to all of financial reporting, efficiency and effectiveness of operations and compliance with laws and that, for purposes of Section 404 only, the internal control report and auditor's attestation are limited to financial reporting.
By the way, an ethics code that contains a reference to compliance with laws and regulations is a poor stepchild to certification and acknowledged responsibility for compliance with laws. If the SEC does not fix the proposal now prior to the adoption of the final rules, I believe SEC staffers will find themselves wondering three years from now why the SEC did not do so at this time.
I would be happy to discuss my comments with any member of the staff. My telephone number is 630-271-2071.
/s/ Jim Kaput