Speech by SEC Commissioner:
Commissioner Cynthia A. Glassman
U.S. Securities and Exchange Commission
February 22, 2005
Thank you Gennie. I appreciate the opportunity to be with you here today in Tysons Corner. When my friend Rick Knop who, as many of you know, serves on the Board of Directors of this chapter of the Association for Corporate Growth, asked me to be the keynote for this conference, it was a pleasure to accept. Given your organization's focus on corporate growth, and concerns I have heard that the current regulatory environment is inhibiting corporate risk taking and growth, I thought I would give you my perspective on goals and expectations in the post-Sarbanes-Oxley environment. Before I go any further, however, I need to give our standard disclaimer which is that the views I express here today are my own and do not necessarily represent the views of the Commission or its staff.
I will begin my remarks today with a brief overview of the events leading up to Sarbanes-Oxley, or SOx as we call it. I will then give a general overview of the themes and goals of the Sarbanes-Oxley legislation, discussing certain of the provisions in more detail, and will wrap up with what this all means for you. As you are likely aware, SOx potentially touches upon virtually every player in the capital markets, including most, if not all, of the constituencies here in this audience.
To set the stage, I want to remind you briefly of the climate and events that produced one of the most sweeping corporate governance reforms in history. You know the background all too well. Starting in the mid-90s, we experienced the period Alan Greenspan referred to as "irrational exuberance", a period of unbridled investor optimism, albeit largely unsupportable in retrospect. We saw retail investors participating in the markets as never before, each trying to get a piece of that next hot IPO and putting -- and being encouraged by those who were not always disinterested to put -- their IRAs and pension money in high-flying and risky stocks. But, beginning in the second quarter of 2000, the bubble burst, IPOs dried up and a new round of class action suits began.
As the optimism gave way to realization of the extent of the losses, we also began to learn that some of the most supposedly successful companies were no more than a house of cards built upon a free-wheeling, "do whatever it takes" mentality to beat, or even just meet, the street's forecast for quarterly earnings per share. The names Enron, WorldCom, HealthSouth and others became synonymous with fraud. In the end, we were left with investors filled with distrust and anger, and deflated securities markets -- a state of affairs completely contrary to the SEC's mission and goal of protecting investors and maintaining the integrity of the markets.
It was in this environment that I joined the Commission in January 2002. I immediately became swept up in a flurry of initiatives and proposed reforms that culminated in the enactment of Sarbanes-Oxley in July 2002. SOx can be broken down into five major categories, and I will discuss certain of the adopted reforms under each category in turn.
The first category is restoring confidence in the accounting profession. SOx established the Public Company Accounting Oversight Board, pursuant to which any auditor of a public company must be registered. Inherent in the creation of the PCAOB was a recognition that certain deficiencies in the previously-existing system of oversight of auditors, including peer review, contributed to the decline in investor confidence in financial information and the integrity of audits. The PCAOB is overseen by the SEC -- we appoint the Board and review and approve its rules and budget. Further, in an effort to restore confidence in the integrity of audits, we amended our rules relating to auditor independence to clarify additional relationships that impair the independence of outside auditors.
A second category is improving the "tone at the top" of public companies. This category includes, among other reforms, our rules relating to the certification by CEOs and CFOs of the financial information included within their companies' periodic reports. I have heard repeatedly of the collective looks of disbelief that occurred when, during the Congressional investigation of Enron, Jeff Skilling stated that he was 'simply' the CEO and not responsible for Enron's financial statements. It was unfathomable to the members on the Hill, as well as to the SEC and the markets at large, that CEOs and CFOs were not actually reading the very financial statements that they were signing. In my view, the certification requirement has certainly focused management's attention in this respect, and I believe it is one of the more beneficial provisions of the Act. Another element in this category concerns our rules requiring disclosure of whether companies have adopted a code of ethics for CEOs, CFOs and other senior financial personnel, as well as when there are material changes to, or waivers from, the code.
A third category focuses on reforms designed to improve disclosure and financial reporting. These reforms include our rules relating to the use of non-GAAP financial measures and material off-balance sheet transactions, the point of which is to prevent issuers from providing misleading information. We also accelerated, to two business days, the disclosure of insider sales and purchases of a company's stock. Prior to the adoption of these rules, depending upon the nature of the transaction, insider transactions in company stock might not have been disclosed for more than a year.
SOx also required that companies disclose, on a "rapid and current basis", material changes in a company's financial condition or operations. Consistent with this provision, the SEC adopted amendments to Form 8-K to increase the number of 'presumptively material' events requiring the filing of the form, as well as to shorten the time period for filing the form from the existing five to fifteen day requirement, depending upon the nature of the event, to, generally, four business days. This reform category also includes the famous (or infamous) 404, the requirement that management annually report on, and auditors annually attest to, a company's internal controls over financial reporting. I will discuss this provision of SOx in more detail in a few moments.
The fourth category under SOx is improving the performance of gatekeepers. It was under this category that we adopted rules governing standards of conduct for attorneys appearing and practicing before the Commission, including a requirement to report "up the ladder" evidence of material violations of the securities laws or breaches of fiduciary duties. In addition, the Commission approved listing standards for audit committees, including requiring the audit committee to be directly responsible for appointing and overseeing the outside auditors, as well as requiring that it establish procedures to receive complaints regarding financial matters.
And finally, SOx gave the Commission new enforcement tools. We now have the ability to establish a "Fair Fund" in our enforcement actions so that civil penalties levied against wrongdoers can be returned to harmed investors, in addition to any disgorgement that is ordered. SOx also lowered the standard for imposing officer or director bars in fraud, manipulation or insider trading cases from that of "substantial unfitness" to simply "unfitness." The Commission has increasingly used these new tools -- since July 2002, we have authorized an aggregate of over $4 billion in disgorgement and penalties to be placed in Fair Funds for return to shareholders. In addition, during the period of 2002 through 2004, we sought an aggregate of 457 officer and director bars, up from an aggregate of 89 in 2000 and 2001.
So, here we are two-and-a-half years after enactment of SOx, and we are seeing numerous articles and editorials arguing that the benefits of SOx are not worth the costs, especially as we approach the deadline for many of the initial filings that will include the 404 internal controls reports and attestations. There is no question regarding the compliance burden, especially those resulting from the internal controls requirement. A recent survey put the cost of complying with the corporate governance reforms overall at $5.1 million for the average Fortune 1000 US company.1 However, in another recent survey taken of financial executives, 74% of the executives said their companies benefited from compliance with SOx and 57% felt that implementing the provisions of SOx was a good investment for stockholders.2
I would submit that it may be too early to be able to fully assess, with empirical data, the costs and benefits of SOx, especially when one of the final provisions has not been fully implemented, and the main intended benefit, restoring investor trust, will take time to be realized. To be very clear, given the environment at the time, the status quo was not an acceptable option and there was -- and is -- no question that the newly imposed rules have costs. At this point, my impression is that SOx has resulted in a necessary refocus and rebalance, although I am particularly sensitive to the concerns about the implementation of 404.
So now, let me turn to 404. With all the increased focus on internal controls, it would appear that this is a new requirement and responsibility for public companies. On the contrary, since the adoption of the Foreign Corrupt Practices Act in 1977, public companies have been required to institute and maintain an internal accounting control system to assure management's control, authority and responsibility over company assets. In addition, for years, auditors have relied on a company's internal controls to set the scope of the audit. Section 404 is a disclosure provision, and what has changed as a result is that now management must assess and publicly report on the effectiveness of the internal controls, and the auditors must publicly provide an opinion on management's assessment, as well as on the effectiveness of the internal controls themselves. This disclosure can be an important tool for investors in evaluating the reliability of a company's financial reporting. (As an aside, I would note that I do not understand how senior management could have been confident in the accuracy of the numbers included within the financial statements if they were not confident that they had effective controls to accurately record transactions and detect unauthorized transactions.)
As we moved towards the first 404 compliance date last November, I repeatedly heard, and I continue to hear, that the demands of 404 have caused companies and auditors to put business initiatives on hold and focus excessively on the details of financial systems -- missing the proverbial forest for the trees, so to speak. Product launches and hiring have been delayed, IT-system installations put off and, a subject near and dear to this audience, M&A activity has been put on hold. Basically, the criticism is that 404 compliance has taken management's attention away from running the business of the company to obsessing over completion of an internal controls checklist where each "i" is dotted and "t" is crossed, all of which is substantiated with reams of documentation. (I would note that if companies have poor controls or poor documentation, we expect them to expend serious time and effort to meet the rule requirements. On the other hand, when compliance concerns come from companies with good controls and documentation, we need to take them seriously.) A group of CEOs recently told me that, as a result of the time commitments relating to 404 compliance, their continual goal to create shareholder value has been shifted to simply preserving shareholder value.
And here we are. I have heard these messages loud and clear, and I can assure you that others at the Commission, including Don Nicolaisen, our Chief Accountant, and Alan Beller, the Director of our Division of Corporation Finance, have as well. We have already taken numerous steps to provide companies with more time to comply with the rules, and to start the process of determining how to improve them. Since we adopted the 404 rules in June 2003:
- we extended the compliance date for our accelerated, i.e. larger, filers from June 15, 2004 to November 15, 2004, and for our foreign issuers and non-accelerated filers from April 15, 2005 to July 15, 2005;
- we also deferred, for one year, the final implementation phase of the acceleration of the filing of periodic reports;
- we delayed, for up to 45 days, the reports on internal controls for certain of our smaller accelerated filers;
- we also established an Advisory Committee on Smaller Public Companies to study the effect of our rules, including those under Sarbanes-Oxley, on smaller companies, and, in particular, the framework for methods for management's assessment and standards for auditing internal controls for such companies. In this respect, we are seriously considering whether a delay in the current effective date of July 2005 is warranted for our non-accelerated filers, as well as for our foreign issuers.
We also recently announced that we will hold a public roundtable in April, which I strongly encouraged, to consider what's working and what's not and to determine if the process can be streamlined to ensure that investors are getting, in a cost-effective manner, useful and relevant information regarding internal controls. In other words, we ought to determine if there is a way to reduce the burden without reducing the effectiveness. We need to ensure that companies are improving and monitoring the internal controls that materially affect the financial statements and that auditors have the guidance they need to appropriately set the scope of the testing and audit of management's assessment and the internal controls themselves.
We also need to ensure that investors and other market participants put this first year of 404 reporting in proper context. Understandably, companies may be cautious and conservative in disclosing material weaknesses and significant deficiencies. While there have been reports of increasing disclosure in this regard,3 it is important to remember that significant deficiencies, or even material weaknesses, do not necessarily mean the financial statements are deficient -- mere disclosure should not necessarily result in an unwarranted regulatory, market or investor reaction. What is important is that management provides meaningful descriptions of the material weaknesses and their consequences, as well as the remedial actions that have, or will, occur to rectify the problem. Boilerplate disclosure that does not change from quarter to quarter or year to year is not sufficient.
And this brings me to my last point on 404 and then I promise I will move on, before you send out an SOS! Since our initial adoption of the internal control rules, I have been concerned that the reforms would be viewed as an expensive, check-the-box exercise, and I am troubled that my initial concerns may in fact be borne out. I am particularly concerned that management and Boards of Directors, due to the hurdles that have been put in front of them, may be missing an opportunity to incorporate the 404 requirements into a broader, enterprise-wide risk management system.4
So, for those of you already serving as executives or directors of, or as advisors to, public companies, you are likely very familiar with the Sarbanes-Oxley requirements and what it has meant for your company, practice or business. But, for those of you serving as an officer or director at a private company, or those of you exclusively advising private companies, what does Sarbanes-Oxley mean for you? After all, you are generally exempt from many of the required reforms I have discussed. I do believe, however, that SOx corporate governance and related reforms have, or will, become viewed as the "best practices" for corporate governance. I don't think that is a bad thing. I have certainly heard of and observed private companies putting in place audit and compensation committees, bringing on board more truly independent directors and taking a more critical look at director performance, among other reforms. If your company or client is considering adopting these reforms, however, I strongly encourage you to adopt the reforms in substance, and not just as a checklist for what constitutes good governance. In other words, follow the spirit of the law -- if you do that, this non-lawyer thinks that in most respects, the letter of the law will also be addressed.
In addition, if your company or client is considering going public, or being acquired by a public company, you must consider the requirements of Sarbanes-Oxley. With respect to going public, failure to actively plan and incorporate the SOx reforms into the company could result in delays in your ability to commence the offering, and will likely be a factor in a banker's decision as to whether to serve as an underwriter in the offering. The quality and extent of the adoption of the reforms will certainly also be a part of the underwriter's responsibility to conduct issuer due diligence in connection with the IPO.
If your company or client is considering alternatives that include being acquired, adopting SOx reforms could offer you a competitive advantage -- you could be viewed as more desirable by potential acquirers and their bankers. For example, CEOs and CFOs of public companies may feel more comfortable signing their certifications post-acquisition if a target company was already in compliance with the internal control requirements of SOx. As with IPOs, compliance with SOx could be a significant factor in due diligence prior to the acquiring company's signing on the dotted line of a merger agreement.
So, cutting through it all, what I am really saying? Let me step back from the rules and requirements and ask each of you to focus on what we are really trying to accomplish. Very simply, we want companies to be honest with investors -- to give them an accurate and timely picture of how their investment -- or potential investment -- is doing. All of this requires integrity -- people with integrity throughout the organizations and at their advisors -- and systems with integrity. As history has shown us many times over, laws on the books are not enough to stop corporate fraud or management excessiveness. What can, and I hope does, prevail is integrity embedded throughout the system, from top to bottom. Is that too much to expect?
Thank you, and I would be happy to answer any questions you may have.