Munger, Tolles & Olson LLP
355 South Grand Avenue
Los Angeles, California 90071-1560
Telephone (213) 683-9139
Facsimile (213) 687-3702
Simon M. Lorne
writer's direct dial:
November 29, 2002
Via e-mail: firstname.lastname@example.org
Securities and Exchange Commission
450 Fifth Street, N.W.
Washington, D.C. 20549
Attention: Jonathan G. Katz, Secretary
Re: File No. S7-40-02
Securities Act Release No. 8,138
Ladies and Gentlemen:
This letter is submitted in response to two specific aspects of the Commission's request for comments accompanying Securities Act Release No. 8,138, "Proposed Rule: Disclosure Required by Sections 404, 406 and 407 of the Sarbanes-Oxley Act of 2002" (Oct.22, 2002) (the "Release") and the proposed rules (the "Proposed Rules") described in the Release. While there are a number of significant detailed comments that can and will be suggested to the Commission, my overarching concern is that in two specific respects, namely the definition of "internal controls" necessary for the application of §404 of the Sarbanes-Oxley Act of 2002 ("S-O") and the definition of "financial expert" as required by S-O §407, the Proposed Rules are unduly and unnecessarily restrictive in their scope to a degree that will significantly disserve the investing public. S-O properly gives the Commission considerable leeway in interpreting and applying its hastily conceived provisions, both generally, in §3(a), and specifically in the provisions here under discussion. I urge the Commission to take advantage of that authority to create an environment that is more accommodating to the needs of investors, and less woodenly adherent to the specific suggestions (but not mandates) of the statutory language.
I should hasten to add that in writing this letter, I do so individually, and not on behalf of my law firm (whose letterhead I use for purposes of identification only), any of my or our clients, or any other organizations with which I am associated.
In the Release, Rule 13a-15(d) is proposed to be amended to provide that "[f]or purposes of this section and §240.15d-15, the term internal controls and procedures for financial reporting means controls that pertain to the preparation of financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles as addressed by the Codification of Statements on Auditing Standards §319 or any superseding definition or other literature that is issued or adopted by the Public Company Accounting Oversight Board."
It is of course true that the auditing literature (as opposed to some degree to the accounting literature) views internal controls through the prism of financial reporting. That is to be expected. Fundamentally, reviewing financial reporting what independent auditors do. That is not the principle source to which the Commission should look for these purposes, unless the Commission is determined to pre-judge the conclusion. (It is equally true that if one tries to divine some aggregate "intention" of Congress embodied in S-O §404, one might infer a financial reporting focus.)
The Release itself also notes, properly, the considerably broader view of internal controls contained in the 1992 Framework ("Internal Control-Integrated Framework") of the Committee of Sponsoring Organizations ("COSO") of the National Commission on Fraudulent Financial Reporting (the so-called "Treadway Commission") as "'a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives' in three categories-effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. COSO further stated that internal control over each of these objectives consisted of the control environment, risk assessment, control activities, information and communication, and monitoring."1
Steven Root's book, "Beyond COSO-Internal Control to Enhance Corporate Governance" (1998), has this useful observation (Preface at viii): "What is clear is that, despite the premise inherent in the opening statement of its Framework [quoted above], COSO failed to alter the accountants' fixation on financial reporting controls . . . . [T]he COSO Framework selectively extirpates from its internal control criteria such vital corporate governance activities as entity-level objective setting, strategic planning, and risk management."
The Commission has an opportunity to correct the deficiency Root notes. I urge the Commission to seize it.
The Commission has often been accused of focusing too much on the "rear view mirror" of historical financial information and too little on the "windshield" of future risks and opportunities. While present (balance sheet) and historical (statements of operations, equity and cash flows) financial information is a critically important part of financial analysis, the most important issue to almost any public investor must be anticipated future performance. Present and historical information is often critical to the evaluation of future performance but it cannot be alone sufficient. The Commission has tried to recognize this in the past several years with, for example, its increasing emphasis on management's discussion and analysis, which essentially requires that management provide some level of guidance to investors in their efforts to estimate future performance.
By essentially viewing internal controls as pertinent only to financial reporting, as the Proposed Rule would, the Commission forces a rear-view mirror framework on the concept of financial controls. The broader COSO "premise" (whether or not delivered upon) of "assurance regarding the achievement of objectives" is a "windshield" approach. The latter should be the concern of more relevance to investors.
Moreover, the Commission should recognize that of all aspects of a public reporting issuer's disclosure processes, the one area that already gets substantial attention from a recognized, independent group of experts is the financial reporting function. The proposed rule, forcing even greater focus on that function might be seen to add some level of redundancy, and might even improve to some degree financial reporting. But with limited available resources, it threatens to do so at the expense of attention to the more important-and currently less thoroughly examined-evaluation of internal control systems in the broader sense.
For all of the above reasons, I would strongly urge the Commission to reevaluate the proposed definition of internal controls and to move toward the broader interpretation of that term identified by the Commission's reference to COSO in the body of the Release, but thereafter ignored.
Having said that, however, it is vitally important that the Commission be sensitive to are two equally important implications of adopting a broader view of internal controls.
First, the management evaluation required by S-O §404 must recognize that in the broader view, the design and testing of internal controls is as much art as science. There will be risks that were not anticipated. Some of them will escape the risk management analysis, and will affect performance. The events of September 11, 2001 should be sufficient to make that abundantly clear. Not all risks that affect a business will be anticipated, even though, in retrospect, it will be apparent that they could have been.
In the words of Root, supra at 27, "internal control . . . is aimed at reducing the incidence or severity of bad things to innocuous levels. This is a continuous challenge that warrants continuous attentiveness from management." [Emphasis added.] We should not pretend, or encourage the investing public to expect, that any internal control system will eliminate risks to the enterprise. Root refers to the Institute of Internal Auditors ("IIA"), "Standards for the Professional Practice of Internal Auditing," §300.02.4 to the effect that "adequate control is present if management has planned and organized (designed) in a manner which provides reasonable assurance that the organization's objectives and goals will be achieved efficiently and economically." [Emphasis added.]
Thus, internal control systems are aimed at minimizing exposure to unintended risk to a degree that is evaluated as reasonable under the prevailing circumstances. They are inherently subject to a number of significant limitations, among them the ability to recognize and to appreciate sources of risk, the fundamental ability to avoid some of those risks, and economic restraints affecting every enterprise. As an obvious example, most organizations are to some degree exposed to the risk of natural disasters. They can acquire insurance, they can establish redundancy, etc., but all of those precautions entail expense and none are likely to be fully effective in the extreme case.
Accordingly, management evaluations regarding the efficacy of internal control systems, and related certifications, should not be couched in language of such a nature as to provide investors with a false sense of security or to increase the exposure of corporate entities or officers to litigation. Managements can be asked to make a good-faith effort to have in place an internal control system (broadly defined) to manage risks to the attainment of objectives, within the reasonable confines of economic (including operating) efficiency under the circumstances. More should not properly be asked.
If a broader definition of internal controls is accepted, as I would urge, these subsidiary implications must also be addressed.
Second, and for largely the same reasons, I believe that the attestation function provided by the issuer's independent auditors, also required by S-O §404, needs to be carefully addressed. The prevalence of convergence on controls over financial reporting when internal controls are discussed in the auditing literature, as noted in the Release, suggests that it is difficult, or perhaps even impossible, to develop satisfactory standards of broadly-defined internal controls as to which an independent attestation can properly be given. It seems to me that over time, an examination of that issue is entirely appropriate for the Public Company Accounting Oversight Board, as the Release and the proposed rules suggest. At least in the interim, I would propose that the attestation requirement (as opposed to the management reporting requirement) be specifically limited to those parts of the internal control system that relate to financial reporting, in much the same way that the currently Proposed Rule addresses the entirety of the internal control system.
As the Chairman properly noted at the open meeting of October 16 at which the Release, though not yet final, was approved, the definition of "financial expert" in the Proposed Rules would more properly apply to an "accounting" or even "auditing" expert than a "financial expert." Such a definition is neither mandated by S-O §407 nor beneficial to investors.
S-O §407 does identify these accounting or auditing criteria, but it does so only in stating what "the Commission shall consider" in defining the term. In using that verb, it seems to me that the Congress acknowledged that these were not the only relevant considerations, and might not even be the most critical considerations.
To recognize the infirmities of the proposed definition, it should take no more than a recognition the groups excluded by the proposed definition. Many-quite possibly most-of the most effective securities analysts in the country, who clearly can understand and evaluate financial statements, would not qualify as "financial experts" under the Proposed Rule. (Without regard to the current regulatory imbroglio affecting some sell-side analysts, it cannot be doubted that there are a large number of securities analysts who provide thorough and beneficial examinations of issuers and their financial statements.) Very few of the 26 people who have served as Chairman of the Securities and Exchange Commission would qualify. Some of the most successful and respected investors in the country would not qualify. This is not an approach that will add value for investors. Exclusion of these groups seems almost certainly not what the Congress would have desired had it considered the issue and is not an approach that is consistent with any degree of common sense.
I would therefore urge a considerably broader definition, to accommodate not only those who are or have been external or internal auditors, but also the broader array of potentially valuable directors who are truly financial experts, who are fully able to read and understand financial statements (as they are and as they should be) but who do not happen to have been internal or external auditors.
* * *
I appreciate the opportunity to provide these suggestions, and would urge the Commission to consider and accommodate the broader needs of the investment community in these respects.
Simon M. Lorne
cc: Hon. Harvey L. Pitt
Hon. Paul Atkins
Hon. Roel Campos
Hon. Cynthia A. Glassman
Hon. Harvey Goldschmid
Alan L. Beller
Senior Counsel to the Commission and
Director, Division of Corporation Finance
Giovanni P. Prezioso
Acting Chief Accountant
|1 ||Release at text accompanying n. 112.