At the sixth AIG Europe Corporate Governance Seminar in January, James Bartos of Shearman Sterling discussed the impact of the US Sarbanes-Oxley Act on European companies. Sue Copeman summarises his comments.

As far as non-US companies are concerned, the Sarbanes-Oxley Act (SOX) applies to those that have securities listed for trading in the US and those that have undertaken a registered public offering in the US. Usually those two classes are congruent, but there are some companies which have made registered debt offerings, but have not listed securities. These will not be affected by those rules that apply through the stock exchanges, although they will have to comply with the rules adopted by the Securities and Exchange Commission (SEC). Basically, SOX affects companies that file an annual report with the SEC on Form 20-F.

Historically, SEC rules have made accommodations for foreign companies, based on the principles by which they have been distinguished from domestic companies. When SOX first came out, there was concern that there were no specific exemptions for foreign companies. However, the accommodations are continuing, and the SEC has not interpreted SOX as a mandate to start changing the regime for foreign companies.

A key principle is that non-US companies have always had a different reporting regime from US companies. US companies are required to file quarterly reports as well as an annual report and are also required to file current reports in certain circumstances. Foreign companies have only been required to file an annual report. This means that the certificates that SOX requires CEOs and CFOs to give on disclosure will only apply to the annual report, as far as foreign companies are concerned.

Another concession for foreign companies is that they have been allowed to issue disclosure abroad under a different disclosure regime. This allows them to use non-GAAP financial measures, without the kind of reconciliation that applies to US companies issuing disclosure both inside and outside the US.

There have also always been SEC accommodations made in respect of foreign law and foreign regulations. This kind of accommodation is continuing, specifically in respect of the recent audit committee rules and independence of board members. Some European companies were concerned that their domestic legislation required worker representatives on the board and board committees, and that this would contravene the requirement for an audit committee made up of fully independent directors. However, under the SEC rules, such companies can count employees as independent, so long as they are not executive officers.

One of the key concerns for CEOs and CFOs of European companies is that their liability may have increased as a result of the SOX provisions which require them to sign certificates in respect of their 20-F filing. However, CEOs and CFOs have always had some liability under 20-F, though they may not have realised it. Under 20-F, the company has primary liability for misleading statements that affect the share price. Both before and after SOX, the CEOs have liability, either because they caused the statement to be made under 20-F, or because they controlled disclosure. Before SOX, they would have had that liability under the Securities Exchange Act 1934, unless they acted in good faith and did not cause the violation.

What are CEOs and CFOs actually saying when they sign these certificates? They are confirming that, based on their knowledge, the report contains no material mis-statements, and that the financial information is fairly presented. They must also make some representations about disclosure procedures and internal controls.

In one sense, however, SOX has changed liability. It has changed penalties and enforcement – gaol terms are longer, and fines are heavier.

In essence, CEOs and CFOs who are acting in good faith and without knowledge that something is wrong should not consider that SOX has particularly increased their exposure. Both before and after SOX, they have had to have some knowledge of something wrong to establish an individual liability.

This raises another question – what is knowledge? It is certainly true that if the CEO and CFO spend all their time on the golf course, and afterwards say they had no knowledge of anything wrong, it is not going to be good enough. The knowledge standard implies some effort to find out. Therefore CEOs and CFOs need to consider the procedures that will give them the necessary knowledge, on which they are going to base certification.

Controls and procedures

Disclosure controls and procedures are a key area of SOX, and crucial for foreign companies. For the first time, there are rules for the process of preparing disclosure, and there is now an SEC rule requiring companies to have disclosure controls and procedures. This is intended to ensure timely, accurate and reliable reporting throughout the year.

In reality, public companies will already have disclosure controls and procedures. Issuing an annual report implies that there is some gathering of information and some decision making about what the report should contain. However, in the light of SOX, companies now are evaluating their existing disclosure controls and procedures and are also establishing written procedures.

These have a number of advantages.

  • They are a tangible demonstration of compliance with the SEC requirements.
  • From the CEO's and CFO's point of view, they provide some comfort that information that is being issued is not misleading – which is what they have to certify. As they also need to certify that procedures are in place, written procedures are desirable.

    When it comes to disclosure controls and procedures, the SEC emphasises that one size does not fit all. Procedures grow out of a company's culture and organisation. Some companies may find they require very little change. Others may require a lot.

    The SEC has suggested that companies should consider whether they should have a disclosure committee. Most companies tend to have one, although it may not go by that name. Usually there are four or five people who talk together before something is issued. Designating them as a disclosure committee merely formalises the process.

    When adopting rules, the SEC has to analyse the burden that they are likely to place on companies. It estimates that there are five 'burden' hours, in which the CEO and CFO spend quality time discussing the annual report. The point is that the CEO and CFO must be seen to be involved.

    Foreign companies have a range of different views on the 20-F filing. For example, some UK companies meld the 20-F and their annual report, producing one document to fulfil both LSE and SEC requirements. Others view 20-F as simply a US compliance document. They produce their annual report first, giving it a lot of attention but without any involvement of US lawyers. Then they produce the 20-F, discuss it with US lawyers, file it a few months later – and no-one is very interested in it. It is these companies which are likely to re-evaluate how it gets produced and its relationship to the annual report.

    The other response to SOX is benchmarking. Companies need to go through all the areas of rule making and see how they stack up. For UK companies, little of this is new, difficult or unusual. But the response will vary. For example, many Scandinavian companies do not have audit committees and will be putting them into place.

    Then there are the various charters and codes that are required to be in place. The ones that everybody has been focusing on are the audit committee charter and the financial officer code of ethics, which is something new. Companies need to disclose in the next annual report whether or not they have one. Since they will not want to admit that they do not, it is a kind of back door way of requiring companies to adopt a code of ethics.

    Sue Copeman is Editor, StrategicRISK

    Following the failures of 2001/2, how do you communicate the substance of good corporate governance to the market?

    Ian Byrne, director, business development, governance services, Standard & Poor's

  • Impacts of 2001/2 failures on companies – executives, non-executives, share price, insurance
  • Significant regulatory changes following the 2001/2 governance failures
  • Is compliance enough?
  • Substance and form – twin pillars of good corporate governance

    Who would be a director?
    Neil Fagan, Lovells

  • Development of directors' duty of care
  • DTI enquiry into responsibilities of non-executive directors
  • Combined Code/Cadbury Code
  • Recent initiatives
  • D&O Cover

    Identifying and managing risk arising from employment legislation
    Elizabeth Adams, Beachcroft Wansbroughs

  • What are the main risks?
  • The current legal position on whistleblowing, discrimination and tribunal awards
  • Future risk areas in employment law
  • A strategy for minimising risk

    The attitude of the FSA as regulator: a review of its behaviour over the last year
    Iain Roxborough, Clifford Chance

  • Published decisions on disciplinary matters
  • Statements about its approach to market abuse and disciplinary issues
  • Tips and guidance on approaching an investigation

    Pro-active and post-event actions – what corporates can do when faced with fraud, corruption and black holes
    David Luijerink & Alex Plasvic, KPMG Forensic

  • Recent cases involving accounting black holes
  • Indicators to consider
  • Responding to suspected cases
  • Proactive measures

    Implications of the closure, or winding up, of final salary schemes
    Peter Hardy & Lesley Browning, Norton Rose

  • Key issue of funding
  • Mechanics of closure
  • Should the scheme be run on as a closed scheme?
  • Debt on the employer

    How to regulate the relationship with your auditors in the post-Enron era
    Joanna Page, Allen & Overy

  • How to examine the engagement letter to ensure a fair distribution of responsibility
  • Ensuring the necessary analysis of your auditor's other roles
  • How to regulate the relationship, given that a regular changeover of auditor may now be inevitable

    Corporate social responsibility
    Simon Jeffreys, CMS Cameron McKenna

  • What is corporate citizenship?
  • The OECD guidelines for multinational enterprises
  • Government strategy on CSR
  • Human rights and labour standards, corruption, supply chains and global sourcing and the environment