August 13, 2002
Via Electronic Mail
U.S. Securities and Exchange Commission
450 Fifth Street, N.W.
Washington, D.C. 20549
Re: SR 34-46300: Comment Letter regarding Section 302 of Sarbanes Oxley Act of 2002
To Whomever It May Concern:
I am an investor and an attorney at the law firm of Foley & Lardner with a background in securities law. I have not been retained by any individual or entity to prepare or submit this comment letter. I am submitting this letter in the hope that it will assist the Commission in promulgating rules that further the public interest. I have reviewed portions of the Sarbanes Oxley Act of 2002 and have identified a number of issues that I believe should be considered by the Commission in promulgating rules to implement Section 302. Most importantly, Section 302 contains many ambiguous provisions. The Commission will further the purposes of the Sarbanes-Oxley Act, and assist public companies as well as their CEOs and CFOs by promulgating regulations that clarify these ambiguities.
Section 302 requires, inter alia, that the CEO and CFO of each public company certify in each quarterly and annual report that they (1) are responsible for establishing and maintaining internal controls; (2) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which periodic reports are being prepared; and (3) have evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report. The Commission should address the following uncertainties raised by these requirements of Section 302:
(1) What if the company does not have an employee who is designated as the CEO or as the CFO? What are the functions that make an employee the equivalent of a CEO or a CFO?
(2) What does it mean to be responsible for establishing the internal controls of a company? What does it mean to "have designed the internal controls?" Must the CEO and CFO have personally designed the internal controls? Must they have personally approved each internal control? Is it sufficient that they have delegated that responsibility to another and have reasonably supervised the individual(s) to whom that responsibility has been delegated?
(3) Under state corporation law, a company's management and board of directors are responsible for establishing a company's system of internal controls. Does Section 302 require the CEO and CFO of a public company that owns subsidiaries that are consolidated into the financial statements of a public company to be responsible for establishing and to design the subsidiaries' internal controls? How should a company reconcile such a requirement with the general principles of corporate governance established by state corporation law? What if one or more of the subsidiaries of the public company is also a public company? Are the CEO and CFO of the subsidiary public company also responsible for designing such internal controls? What does it mean for two sets of CEOs and CFOs to be responsible for establishing and to have designed the subsidiaries' internal controls?
(4) In places, Sarbanes Oxley appears to use internal controls to mean internal accounting controls. For example, section 302(a)(5) requires that the CEO and CFO of each company certify that they have disclosed to the issuer's auditors and audit committee of the board of directors (or persons fulfilling the equivalent function) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer's ability to record, process, summarize, and report financial data and have identified for the issuer's auditors any material weaknesses in internal controls. In context it appears that the italicized internal controls are limited to internal controls which could adversely affect the issuer's ability to record, process, summarize, and report financial data. Is Section 302(a)(4) limited to the internal accounting controls or does it extend to other compliance controls (e.g., personnel controls, compliance with environmental laws or other regulations)? If not, does this mean that companies must change their job descriptions to make the CFO responsible for the internal compliance controls that are not internal accounting controls?
(5) What does it mean to have evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report? Must the CEO and CFO perform this evaluation personally? Must the evaluation be a comprehensive evaluation of all of the company's internal controls?
(6) Unlike other portions of Section 302(a)(4), Section 302(a)(4)(C) applies, by its terms, only to "the issuer's internal controls." Does the quarterly evaluation requirement apply only to the internal controls of the parent public company or does it also apply to the internal controls of all subsidiaries the financial condition and results of which are consolidated in the financial statements of the parent? Does it apply to companies the results of which are subject to equity pickup?
Section 302(a)(5) requires that the CEO and CFO of each company certify that they have disclosed to the issuer's auditors and audit committee of the board of directors (or persons fulfilling the equivalent function) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer's ability to record, process, summarize, and report financial data and have identified for the issuer's auditors any material weaknesses in internal controls and any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls.
(1) Is the disclosure requirement a quarterly requirement? Must the CEO and the CFO make the disclosure to the auditors and audit committee each quarter? Must the CEO and CFO personally make the disclosure or can that responsibility be delegated?
(2) What is meant by significant deficiency? How does this compare with material weaknesses in internal accounting controls? Congress apparently recognized that some deficiencies are insignificant. What are the criteria for distinguishing between significant and insignificant deficiencies? If a system of internal accounting controls provides reasonable assurance that the financial statements are fairly presented and in compliance with GAAP, can there still be significant deficiencies?
(3) Is the disclosure requirement limited to significant deficiencies that have been identified as a result of the quarterly evaluation referred to in section 302(a)(4)(C)? Does this provision indicate that the quarterly evaluation must be reasonably designed to identify all significant deficiencies?
(4) The phrase "which could adversely affect the issuer's ability to record, process, summarize, and report financial data" appears intended to limit the types of significant deficiencies that must be disclosed to the issuer's auditors and audit committee. What does "could" mean in this context? Read broadly, the term "could" could eviscerate the intended limitation.
(5) What employees should be viewed as having "a significant role in the issuer's internal controls?" Many, if not most, employees perform a role in the issuer's internal controls (e.g., completing accurate time records, completing requests for reimbursement that accurately and in reasonable detail describe the expenditure that is to be reimbursed). How should the CEO and the CFO distinguish between employees with a significant role and employees whose role is not significant?
Section 302(a)(6) requires that the CEO and CFO certify that they have indicated in the report whether or not there were significant changes in internal controls or other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weakness.
(1) What is a significant change in internal controls? Presumably there are constantly changes in internal controls as procedures are modified, new businesses are acquired, employees are assigned to new positions, vacancies occur, training is conducted, etc. How should the CEO and CFO distinguish between significant changes and insignificant changes?
(2) Is it sufficient for the CEO and CFO simply to indicate that there have been changes that could be viewed as significant or are they obligated to identify and discuss the changes?
The Commission rules should address the intersection between Sections 201 ("Services outside the scope of the audit"), 302 (Corporate responsibility for corporate reports), and 404 (Management assessment of internal controls). Section 201 prohibits the auditor from providing to the issuer any non-audit services including bookkeeping or other services related to the accounting records or financial statements of the audit client, financial information systems design and implementation, internal audit outsourcing services, management functions, and expert services unrelated to the audit. Section 404 requires that each annual report contain an internal control report that contains an assessment, as of the end of the most recent fiscal year of the issuer, of the internal control structure and procedures of the issuer for financial reporting and that the auditor attest to and report on the assessment. It therefore appears that Section 201 does not prohibit an annual evaluation by the auditors of management's annual assessment of internal controls. Consistent with Section 201, what role can the auditors perform in the quarterly evaluation referred to in Section 302?
I hope that this letter assists the Commission in identifying some of the many issues as to which CEOs and CFOs require guidance in attempting to comply with the certification requirements of Section 302. If you have any questions, the undersigned can be contacted at 202-672-5528.
Sincerely,
Kenneth B. Winer