Speech by SEC Commissioner:
Remarks before the European Corporate Governance Summit: An SEC Commissioner's View: The Post-Sarbanes-Oxley Environment for Foreign Issuers
Cynthia A. Glassman
U.S. Securities and Exchange Commission
March 2, 2005
Thank you. Having lived in England for three years, this is not the season in which I would have chosen to spend a week in London! Nevertheless, I appreciate the opportunity to be with you today for this very important dialogue on corporate governance between the members of the CFO Executive Board and other representatives of the business, investor and regulatory communities throughout Europe. Before going any further, I need to give the Commission's standard disclaimer that the views I express here today are my own and do not necessarily represent the views of the Commission or its staff.
When I was asked to speak at this Summit, my first thought was "a CFO conference in Europe in early March -- is it possible they might want to hear my views on 404, the internal control requirements mandated under Sarbanes-Oxley (in case anyone in this audience is not aware of 404)?" Of course, I knew the answer to that question. You may think I am rather courageous to be here today to discuss 404, and Sarbanes-Oxley, in general. Quite the contrary, I happily accepted the invitation as I hope to convey not only my understanding of the costs and concerns regarding 404, but also what I believe are the potential true benefits of the requirements.
Although I probably could, I do not want to spend my entire remarks on 404. What I would also like to provide is an overview of the general themes or goals of Sarbanes-Oxley, or SOx as we call it, and where I believe we are now, two-and-a-half years after it was enacted in July 2002. I would also like to remind you of certain accommodations we made for our foreign issuers as we worked to fulfill the Congressionally-mandated provisions of SOx. And finally, recognizing that the Commission has had not only a robust rulemaking agenda in the past two years, but also an increase in our enforcement actions -- both in the U.S. and abroad -- I would like to spend a few minutes talking about our enforcement process and offer my advice on things you may want to consider if your company is the subject of an SEC enforcement action -- advice I hope you never have to use!
As you are well aware, the corporate scandals specific to the U.S. -- Enron, WorldCom, HealthSouth and others -- prompted the enactment of Sarbanes-Oxley and the many corporate governance reforms I will discuss today. The U.S. securities laws and our corporate governance approach are based upon disclosure -- investors and the markets should have access to an appropriate body of information -- including transparent and accurate financial statements -- on which to judge and compare corporate investments. When that disclosure is false or misleading, or information is omitted so as to present a distorted picture of the truth, investors understandably will lose trust in the companies and the executives who manage them -- and that is the state in which we found ourselves upon the emergence of the corporate scandals.
However, we soon learned that corporate scandals were not specific to the U.S. With the revelation of fraud and corporate governance abuses at Parmalat, Hollinger, Royal Ahold and others, it became apparent that the issues and need for reform raised by the U.S. scandals were in fact confronting the markets and regulatory regimes globally. As a result, the Commission, and our counterparts around the world, all needed to take action to restore investor confidence and faith in companies, their management and the information, financial or otherwise, being distributed by them. While different regimes have responded, and will continue to respond, differently to these problems, I believe we share the same primary goal -- restoring investor trust.
The American response was Sarbanes-Oxley, which can generally be broken down into five major goals or themes, and I will discuss each in turn. The first is restoring confidence in the accounting profession. SOx created the Public Company Accounting Oversight Board. As you are aware, any audit firm that prepares, or participates in the preparation, of an audit report which is filed with the SEC must register with the Board. The Commission oversees the PCAOB -- we appoint the Board, consisting of five, full-time members, only two of which can be certified public accountants. We also review and approve its rules, and serve as an appellate body for appeals of final sanctions imposed by the Board. Another reform included within this theme is the amendment of our rules relating to auditor independence. We clarified additional relationships that impair the independence of outside auditors, as well as specified mandatory audit partner rotation requirements.
A second goal is improving the "tone at the top", that is, reforms meant to set the proper example and culture of management and other insiders at the company. This theme includes our rules requiring disclosure of whether companies have adopted a code of ethics for CEOs, CFOs and other senior financial personnel. These rules also require disclosure of material changes to, or waivers from, the code, and whether a "financial expert" serves on the company's audit committee. The "tone at the top" reforms also include the prohibition on loans by companies to insiders.
A third goal focuses on reforms designed to improve disclosure and financial reporting. These reforms include our rules relating to the conditions for use of non-GAAP financial measures, as well as the requirement that the SEC review the periodic reports of each public company registered with us at least once every three years. This theme also includes the internal control requirements under 404 that I will discuss in more detail in a few moments.
The fourth goal is improving the performance of "gatekeepers", or those who advise or analyze public companies. Under this goal, we adopted rules requiring our national securities exchanges and national securities associations, or Nasdaq, to prohibit the listing of any security of an issuer that is not in compliance with the audit committee requirements mandated by SOx, including the requirement that a completely independent audit committee be directly responsible for appointing and overseeing the outside auditors. We also adopted rules regarding the standards of conduct for attorneys practicing before the Commission, including a requirement to report "up the ladder" evidence of material violations of the securities laws or breaches of fiduciary duties.
The fifth and final goal of SOx is to enhance the Commission's enforcement tools. As a result of SOx, the SEC now has the ability to establish "Fair Funds" in our enforcement actions so that civil penalties levied against companies can be returned to harmed shareholders, in addition to any disgorgement that is ordered. The Commission has certainly made use of this new tool -- since July of 2002, we have authorized an aggregate of over $4 billion in disgorgement and penalties to be placed in Fair Funds for return to shareholders. In addition, SOx allowed the SEC to freeze temporarily certain extraordinary payments to be made to alleged securities law violators during the course of an investigation.
While Sarbanes-Oxley generally made no distinctions between U.S. and foreign issuers, we recognized that we had to accommodate the laws and regulatory regimes of our foreign counterparts in implementing the provisions of the Act -- one size would not fit all. Based in part upon the insightful comment letters we received from the foreign community, the public roundtable discussions we held and the continuing dialogue between U.S. financial regulatory agencies -- including the Treasury Department, the Federal Reserve Board and the SEC -- and foreign regulators and the European Commission, we worked very hard to make certain accommodations for our foreign issuers, while at the same time never losing sight of the purposes and goals of SOx.
For example, foreign audit firms were provided an additional six months -- that was ultimately extended another 90 days -- to register with the PCAOB. We also approved rules relating to the PCAOB's required inspection and investigation of foreign audit firms. These rules allow the PCAOB to rely, in varying degree, upon the inspection and investigative regimes of the firm's home country. With respect to the prohibition on loans to company insiders, we adopted rules providing an exemption for certain foreign banks that is comparable to the exemption provided under SOx to U.S. banks. In our final rules relating to audit committee financial experts, we clarified that an audit committee financial expert could gain his or her expertise by demonstrating an understanding of an issuer's home country GAAP, rather than an understanding based solely on U.S. GAAP.
With respect to our rules relating to non-GAAP measures, we provided a safe harbor for disclosures of non-GAAP financial measures made outside of the U.S. In addition, we approved final audit committee listing standards that allow non-management employees to serve as audit committee members, consistent with "co-determination" and similar requirements in some countries, such as Germany. We also permitted alternative structures -- such as statutory auditors or boards of auditors -- where these structures are provided for under local law. And finally, our rules regarding attorneys appearing or practicing before the Commission exclude "non-appearing foreign attorneys," defined generally as attorneys who do not hold themselves out as practicing or giving legal advice concerning U.S. securities laws.
Over the past six months or so, I have increasingly seen and heard commentary assessing the costs and benefits of SOx, both from a U.S. and foreign perspective. What I have heard overall is generally positive, except for 404. While it may be too early to know for sure, or to have the empirical data to support the view, I do perceive an increase in investor trust and confidence in company financial statements and management. There is no question regarding the overall compliance burden, but the alternative -- business as usual -- was not an option.
Nevertheless, I am deeply concerned when I hear that some foreign issuers may desire to forego registering with, or desire to de-register from, the SEC in order to avoid the compliance burdens associated with Sarbanes-Oxley, specifically the internal control burdens. As a free market economist, I believe issuers should be able to enter and exit markets as they deem appropriate, based upon efficiency and other competitive concerns. In this respect, we are considering revising our de-registration requirements, an initiative I strongly support, with the one caveat that the resulting standards must continue to support the SEC's mission of investor protection. Having said that, I do believe the internal control provisions, which appear to be driving the firms' de-registration concerns, are a well-intentioned means of restoring trust in financial reporting -- if, and this is an important if, they are implemented reasonably.
So, let me turn to 404. Since 1977, companies required to file reports with us, both U.S. and foreign, have been required to maintain an internal accounting control system in order to ensure management's control, authority and responsibility over company assets. Section 404 is a disclosure provision and what it changed is that now management must assess and publicly report on the effectiveness of the internal controls, and the auditors must publicly provide an opinion on management's assessment, as well as on the effectiveness of the internal controls. This disclosure can be an important tool for investors in evaluating the reliability of a company's financial reporting.
Quite frankly, I do not understand how management, prior to 404, could have been confident in the accuracy of their financial statements if they were not confident that they had effective controls to accurately record transactions or detect unauthorized transactions. In any event, 404 now ensures that management will perform the necessary evaluation on the effectiveness of the controls. I also encourage management and Boards to incorporate 404 into a broader, longer-term, enterprise-wide risk management program, and not view it as a short-term, check-the-box exercise.
In the U.S., we have already begun to receive company 404 reports and opinions, and roughly 13 days from today we will receive, from our calendar-year-end companies, the majority of the first 404 reports. I have repeatedly heard from our domestic issuers that the demands of 404 have caused companies and auditors to put business initiatives on hold -- product launches and hiring deferred, IT-system installations postponed, and strategic alliances delayed. Basically, the criticism is that 404 compliance has taken management's attention away from running the business of the company. A group of U.S. CEOs recently told me that, as a result of the time commitments relating to 404 compliance, their continual goal of creating shareholder value has been shifted to simply preserving shareholder value.
I have no doubt that your companies are facing similar concerns, all of which are compounded by the required adoption of International Financial Reporting Standards earlier this year. While we are very focused on the first round of reports in the U.S., I am here to assure you that we have not forgotten that you are actively planning, designing and implementing 404 to meet the current implementation deadline of July 15th of this year. As you know, since we adopted the 404 rules in June 2003, we extended the compliance date for our foreign issuers and smaller domestic issuers from April 15, 2005 to the current July 15, 2005. In addition to extending the time frame for implementation, we also allow foreign issuers to use foreign frameworks, such as the Turnbull Report published by the Institute of Chartered Accountants in England and Wales, for evaluating their internal controls. We are also seriously considering a meaningful further delay in the effective date for foreign issuers and I am hopeful that if we do delay, that we announce it soon -- that is only fair to you as you plan for the coming months ahead.
As we recently announced, we will be holding a roundtable on April 13th to closely review the experiences of issuers and audit firms in the U.S. and determine how the process can be improved to reduce the burden, without reducing the benefits. We need to ensure that companies are improving and monitoring the internal controls that materially affect the financial statements and that auditors have the guidance they need to appropriately set the scope of the testing and audit of management's assessment and the internal controls themselves.
I would now like to turn briefly to our enforcement program. After all, our rules requiring good corporate governance and transparent disclosure are even more effective when they are meaningfully -- but reasonably -- enforced. In the past two years, the Commission has brought approximately 1,200 civil actions, of which ten were against foreign issuers. In addition, since fiscal 2001, the SEC's budget has more than doubled to around $900 million, primarily to fund new staff and technology. Over the last three years, the enforcement staff has increased by approximately 360 individuals to an aggregate of 1,338 in fiscal 2005.
I have often been asked -- "how do we discover corporate frauds?" The answer is many different ways:
- Restatements can be a red flag (and I stress the word "can" -- you should not avoid necessary restatements out of concern regarding what the SEC may or may not do -- it may only be worse later).
- Inside whistleblowers are an additional source, especially with the added protections under SOx for employees reporting evidence of fraud.
- We may receive an outside tip -- for example, from a disgruntled former employee. In calendar-year 2004, our Division of Enforcement received approximately 314,000 tips, including those submitted through the electronic complaint center on our web site at www.sec.gov, or via email at firstname.lastname@example.org.
- Other sources include newspaper articles, our filing review process within the Division of Corporation Finance and, increasingly, self-reporting by companies of the results of internal investigations.
When I joined the Commission in January of 2002, one of my biggest surprises was the amount of time I would devote to reviewing our enforcement actions. January 28th marked my three-year anniversary at the Commission, and since most American lawyers earn their law degrees in three years, I certainly think I am entitled to an honorary law degree! During this time, I have voted on over 1,500 enforcement actions, so let me offer my personal advice as to what you might want to consider if your company becomes the subject of an SEC investigation.
First, get good outside counsel -- counsel that understands our rules and processes. I cannot emphasize that enough. Second, it is important that you are aware of and understand the relationship of cooperation to SEC enforcement decisions -- the so-called "Seaboard" factors that we may consider in determining sanctions. For a detailed explanation of these factors, please see the "Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions" on our web site under "Reports of Investigations." While on our web site, you can also review recent speeches by Steve Cutler, Director of our Division of Enforcement, on these topics.
The Statement puts forth criteria we may consider in determining whether, and how much, to credit self-policing, self-reporting, remediation and cooperation in pursuing enforcement actions and determining sanctions. A few caveats -- first, true cooperation may help in our determination of whether to pursue an action, or in determining appropriate sanctions, but it does not erase the bad conduct. Second, this is truly a facts and circumstances determination -- as we note in the Statement, no set of criteria can, or should, be strictly applied in every situation to which they may be applicable. However, we do recognize that self-policing, self-reporting, remediation and cooperation are factors that may help to conserve limited enforcement resources and possibly bring about a quicker resolution to the harm -- which is certainly beneficial to investors.
Finally, I would suggest that the company consider conducting an independent internal investigation -- and I stress the term "independent," in definition as well as spirit. There is much guidance available on how to conduct an appropriate internal investigation -- for example, in the U.S., the American Bar Association and the Securities Industry Association publicize information on the topic. In connection with any such investigation, it is important to consider the appropriate timing of informing our enforcement staff of the investigation, and keeping them apprised of the status.
Overall, in my view, it is important that we strike a balance in our enforcement program. Without question, we must punish and deter bad conduct. However, companies and management must take risks if they desire to grow and expand their business. I am sensitive to the concerns I hear that, given the current regulatory environment, when management is looking at potential risks, their first thought is not if the risk is worth taking for potential growth of the company, but whether they will be later held liable, in hindsight, if the risk does not prove successful or productive for the company. We must ensure that we enforce our laws, but do so in a way that does not chill appropriate business behavior and risk taking.
In conclusion, I believe the issues raised by our foreign issuers in connection with the implementation of Sarbanes-Oxley deserve serious consideration, and we are responding to those concerns. While my earlier disclaimer still stands, I believe I do speak for my fellow Commissioners when I say that we are committed to, and in fact we need to maintain, a continuing dialogue with you and your regulators regarding what works, and what does not, based upon the laws of your home country. We do not operate in a vacuum -- we are all part of a global marketplace. I hope we can all agree that the SEC's mission -- and ultimate goal -- of protecting investors and maintaining the integrity of the capital markets -- is one to which we all must strive. Thank you, and I am happy to answer any questions that you may have.