Pulling their sox up?

At the sixth AIG Europe Corporate Governance Seminar in January, James Bartos of Shearman Sterling discussed the impact of the US Sarbanes-Oxley Act on European companies. Sue Copeman summarises his comments

As far as non-US companies are concerned, the Sarbanes-Oxley Act (SOX) applies to those that have securities listed for trading in the US and those that have undertaken a registered public offering in the US. Usually those two classes are congruent, but there are some companies which have made registered debt offerings, but have not listed securities. These will not be affected by those rules that apply through the stock exchanges, although they will have to comply with the rules adopted by the Securities and Exchange Commission (SEC). Basically, SOX affects companies that file an annual report with the SEC on Form 20-F.

Historically, SEC rules have made accommodations for foreign companies, based on the principles by which they have been distinguished from domestic companies. When SOX first came out, there was concern that there were no specific exemptions for foreign companies. However, the accommodations are continuing, and the SEC has not interpreted SOX as a mandate to start changing the regime for foreign companies.

A key principle is that non-US companies have always had a different reporting regime from US companies. US companies are required to file quarterly reports as well as an annual report and are also required to file current reports in certain circumstances. Foreign companies have only been required to file an annual report. This means that the certificates that SOX requires CEOs and CFOs to give on disclosure will only apply to the annual report, as far as foreign companies are concerned.

Another concession for foreign companies is that they have been allowed to issue disclosure abroad under a different disclosure regime. This allows them to use non-GAAP financial measures, without the kind of reconciliation that applies to US companies issuing disclosure both inside and outside the US.

There have also always been SEC accommodations made in respect of foreign law and foreign regulations. This kind of accommodation is continuing, specifically in respect of the recent audit committee rules and independence of board members. Some European companies were concerned that their domestic legislation required worker representatives on the board and board committees, and that this would contravene the requirement for an audit committee made up of fully independent directors. However, under the SEC rules, such companies can count employees as independent, so long as they are not executive officers.

Liabilities
One of the key concerns for CEOs and CFOs of European companies is that their liability may have increased as a result of the SOX provisions which require them to sign certificates in respect of their 20-F filing. However, CEOs and CFOs have always had some liability under 20-F, though they may not have realised it. Under 20-F, the company has primary liability for misleading statements that affect the share price. Both before and after SOX, the CEOs have liability, either because they caused the statement to be made under 20-F, or because they controlled disclosure. Before SOX, they would have had that liability under the Securities Exchange Act 1934, unless they acted in good faith and did not cause the violation.

What are CEOs and CFOs actually saying when they sign these certificates? They are confirming that, based on their knowledge, the report contains no material mis-statements, and that the financial information is fairly presented. They must also make some representations about disclosure procedures and internal controls.

In one sense, however, SOX has changed liability. It has changed penalties and enforcement – gaol terms are longer, and fines are heavier.

In essence, CEOs and CFOs who are acting in good faith and without knowledge that something is wrong should not consider that SOX has particularly increased their exposure. Both before and after SOX, they have had to have some knowledge of something wrong to establish an individual liability.

This raises another question – what is knowledge? It is certainly true that if the CEO and CFO spend all their time on the golf course, and afterwards say they had no knowledge of anything wrong, it is not going to be good enough. The knowledge standard implies some effort to find out. Therefore CEOs and CFOs need to consider the procedures that will give them the necessary knowledge, on which they are going to base certification .

Controls and procedures
Disclosure controls and procedures are a key area of SOX, and crucial for foreign companies. For the first time, there are rules for the process of preparing disclosure, and there is now an SEC rule requiring companies to have disclosure controls and procedures. This is intended to ensure timely, accurate and reliable reporting throughout the year.

In reality, public companies will already have disclosure controls and procedures. Issuing an annual report implies that there is some gathering of information and some decision making about what the report should contain. However, in the light of SOX, companies now are evaluating their existing disclosure controls and procedures and are also establishing written procedures.

These have a number of advantages.