ADVISORY COMMITTEE
Marla Markowitz Bace, Executive Vice President, Financial Executives Research Foundation, Inc.
Rajeev Bhalla, Vice President and Controller, Lockheed Martin Corporation
Frank H. Brod, Vice President and Controller, The Dow Chemical Company
Keith G. Butler, Senior Vice President and Controller, Duke Energy Corporation
John P. Jessup, Vice President and Treasurer, E.I. du Pont de Nemours & Co.
Robert Laux, Director of External Reporting, Microsoft Corporation
Connie McDaniel, Vice President and Controller, The Coca-Cola Company
Billie K. Rawot, Vice President and Controller, Eaton Corp.
George Schleier, Deputy Controller, Citigroup
Kenneth R. Trammell, Vice President and Controller, Tenneco Automotive Inc.
Katharine Zirolli, Director of Accounting Policy, Aetna Inc.
the source for financial solutions 200 Campus Drive P.O. Box 674 Florham Park, New Jersey 07932-0674 www.ferf.org an affiliate of
financial executives international
Best Practices for Sarbanes-Oxley Implementation
Table of Contents
Purpose and Executive Summary
Financial Statement Certification
Disclosure Committees
Internal and Disclosure Controls
Audit Committees
External Auditors
Code of Ethics and Whistleblower Provisions
Conclusion
Appendix A – Financial Executive Checklist
About the author and Financial Executives Research Foundation, Inc.
Financial Executives Research Foundation, Inc.
Executive Report
January 2003
Best Practices for Sarbanes-Oxley Implementation
Purpose
This paper will summarize practices used for implementing the Sarbanes-Oxley Act of 2002 (the Act) based on guidance from and interviews with FEI’s Committee on Corporate Reporting (CCR), FEI member companies and from final or proposed Securities and Exchange Commission (SEC) rules.
Executive Summary
In a challenging business environment fraught with new rules, financial executives are clearly assuming a lead role to ensure that both existing and new practices comply with the Sarbanes-Oxley Act of 2002 (the Act). In recent months, companies have focused attention toward complying with proposed rules with particular attention in two areas: financial statement certification and internal controls. For sections of the Act where final rules have been adopted, this report will provide an overall background and review of the Act and summarize the related rulemaking as well as best practices, recommendations and alternatives for commonly used financial reporting and disclosure procedures from leading companies. The report will also attempt to answer questions related to and provide guidance in areas such as: financial statement certification, disclosure controls, disclosure committees and internal controls. For sections of the Act where final rules are still pending, specifically, internal control review and attestation, this report will provide an opportunity to explore issues through discussion and deliberation with an independent financial researcher.
Financial Statement Certification
The Chief Executive Officer (CEO) and Chief Financial Officer (CFO) certification process, determined by SEC final rule 33-8124 that was effective August 29, was the primary and immediate focus of every public company soon after Sarbanes-Oxley was enacted on July 30, 2002. This process, defined by Sections 302 (302) and 906 of the Act, calls for the principal executive and financial officers of each public company to include in each SEC periodic filing a certification that the officers have reviewed the filing and that it “does not contain any untrue statement of a material fact” and “fairly presents in all material respects the financial condition and results of operations of the issuer.” The CEO and CFO must confirm their responsibility for establishing and maintaining internal controls and evaluate their effectiveness within 90 days prior to the filing date of the quarterly or annual report (with proposed rules modifying the 90 day requirement to require that the evaluation be made as of the end of the period covered by the report). The officers must also disclose fraud and significant internal control deficiencies to the company’s audit committee and identify any material control weaknesses to their external auditors. Generally speaking, all companies participating in this project had existing robust business reporting or representation processes that simplified implementation of 302 certifications. The immediate and most significant changes were the formalization of existing processes and in some cases, an increase in the frequency of representation from an annual to a quarterly basis, as well as the depth to which this process reached within the organization. For the most part, companies used the first two quarters of certification to establish procedures throughout their organizations and ensure fine-tuned processes are ready in time for calendar year end. 
Companies use some form of internal documentation, or subcertification, to support the overall 302 certification. Most subcertifications are modelled after external auditor representation letters, and include elements from the 302 CEO/CFO letters. Some companies tailored letters to address operating management’s responsibility to identify business trends and developments, internal reporting and accounting issues specific to an area of business or events at a plant or location level. However, most companies found a standard certification letter the most efficient. Some companies use different forms for international affiliates or joint ventures. The most advanced companies warehouse these letters on their intranet and are exploring ways to certify financial statements electronically.
Depth of Subcertifications
Company executives interviewed noted varying levels of support for the overall CEO/CFO certification. At a minimum, certification processes involve representation from corporate functions (such as legal, treasury, tax, corporate controllers, communications, strategic/planning/development, internal audit), top leadership of each business unit and other direct reports to the CEO and CFO. In some cases representation also includes top finance leadership of each unit and representatives from regional legal entities and joint ventures, which in a few cases are SEC registrants themselves. Some companies give units discretion on subcertification within their levels, which typically results in some form of cascading certification, regardless of the minimum requirements determined by corporate. Subcertifications call for multiple levels of management to support the financial reports of their business units and/or functional areas, and, among the companies contacted, ranged along a continuum that included as many as 250 individual letters from three to 26 business units.
Each segment in turn determines the extent of formal procedures and documentation. For one company with 15 segments, about a third of those segments have decided to drill down the certification letters further. At another company, each business area has a key operating or business leader and a CFO, who each requested subcertifications coming up to them from lower level business controllers and other leaders. The lowest reaching certification process eventually cascaded down to middle management levels within the organization resulting in 240 subcertifications. Companies that opt not to use cascading certification have established formal, more robust disclosure committees, representing a number of areas, which individually sign a report to the CEO and CFO summarizing their duties and findings. Increased reliance is placed on the disclosure committee to ensure policies and procedures are being followed, particularly with regard to material information. Some companies require a subcertification letter directly from their disclosure committee, while others receive certification from a similar group of individuals through another established organizational hierarchy, such as a business unit chain of command.
Reporting Hierarchies
The reporting of each subcertification generally falls under organizational hierarchies with the corporate controller’s office acting as the primary gatekeeper typically receiving either hard or virtual copies of certifications from the individuals who are required to file them. When acting in this capacity the controller’s office then analyzes the subcertifications and prepares a report that highlights the information gleaned from that analysis for the disclosure committee, the CEO or the CFO. The corporate controller monitors all exceptions reported through this process. Typically, the CFO currently provides a full report to the audit committee regarding the certification process.
Companies that do not have disclosure committees are considering forming them. These committees generally consist of all direct CEO and CFO reports, including representatives from the corporate controllers, treasury, tax and investor relations departments along with the heads of major business units and their senior financial executives. In some cases, business units compile their own subcertifications through the financial control function while the legal department collects the remaining, higher-level subcertifications. A complete disclosure package is submitted to the audit committee for review, along with a chronology of the meetings and procedures that support the overall certification. The company’s external auditors attend all segment and audit committee meetings and briefings.
The most intense examples of 10-K and 10-Q certification begin with a signed representation letter from each business executive addressed to the CEO and CFO prior to the company’s earnings release. After the earnings release, another letter is signed prior to the final certification to confirm whether there have been any changes since the original representation letter. This additional documentation is used to address the time lag between the company’s earnings release and the SEC filing. This step involves the CEO, CFO and controller taking half a day to individually interview all business unit and key corporate executives (such as the CIO and other corporate function heads) either by phone or in person using a checklist that includes both general items based on a pre-prepared representation letter and more specific questions for each business unit. Legal counsel is also present during the interviews and is responsible for taking minutes. During these meetings, disclosures are reviewed with each executive, and questions are posed regarding fiscal year end matters and whether any issues are not fully reflected in the disclosures. These meetings occur one to two days before any SEC filing occurs and represent the culmination of the process immediately before the CEO and CFO sign the certifications.
Another interactive approach was formed following an independent third party audit. It relied upon “building blocks” and involves due diligence largely based on comfort level. The first building block involves quarterly calls with the CFOs of major business units that cover key projects as well as questions related directly to Act requirements. The second block involves business segment meetings with the CEOs and CFOs of each segment to discuss their subcertifications and the related Sarbanes-Oxley agenda that will be reviewed with the company’s disclosure committee.
Communication is Key
Proactive management communication with the board of directors through top executives to lower-ranking employees is an important tool for facilitating the compliance process. Electronic forms of communication, such as e-mail or the company intranet, are the primary means for communicating company wide efforts to employees. One company has adapted an existing system to store certification-related documentation electronically and plans to use it further to submit certifications electronically and prevent the supporting paperwork from becoming too cumbersome. In the interim, any electronically delivered certifications are currently transmitted as PDF file e-mail attachments incorporating executive signatures.
Via its accounting policy Web site, another company outlines the financial reporting processes and includes specifics such as production calendars, timelines, checklists to review controls and potential issues to be discussed with auditors. Additional communication includes a memo from the corporate controller that reiterates and refers to requirements communicated through the Web site. Training programs also appear to be an effective and common practice. The legal and accounting research and policy group of one company conducts live training in many locations, with efforts to expand training throughout the organization to levels of line management. Another example of enhanced training is the inclusion of changes related to the Act into existing finance staff training sessions on 10-K and 10-Q filings and public disclosure requirements. Companies expect that lower level finance employees will also receive a high level review of issues and changes in procedure and processes pertaining to the Act.
Communication of certification efforts is not without its challenges. Whether through strict policies, immediate documentation or through the CEO promoting the importance of the certifications at corporate office gatherings, companies need to be ready to aggressively enforce and maintain compliance and prevent a “check-the-box mentality” from developing within their companies and undermining the company’s commitment to the certification process. To gauge the robustness of representation responses, one company has implemented metrics that are monitored by its internal audit department.
In making the decision to use cascading certification, companies should ensure that managers and employees well below the senior executive level take the obligations seriously, perform duties appropriately and are properly informed about any responsibilities involved in signing a subcertification. One company told executives to have appropriate documentation of testing behind their units’ subcertifications. Thus, in the event that there are any questions about the certifications or the process that generated them, each unit executive will be able to demonstrate what was done to ensure his or her organization has complied with new regulations. In this regard the company’s corporate office has recommended education to the units, providing assistance as necessary.
Disclosure Committees
The SEC also recommended that companies create a committee responsible for timely disclosure that would report to senior management. This committee could include the controller, the general counsel, the principal risk management officer, and the chief investor relations officer, among others. Most of the companies’ executives interviewed have modelled their disclosure committees based on SEC recommendations, with a minimum of six members. Some other companies have larger committees of up to 16 members, adding representatives from human resources, treasury, internal audit, individual business units, SEC accounting and reporting, communications, compliance, external reporting, tax and investments. Companies with fewer disclosure committee members have established informal working groups with similar representation to support their efforts. For committees with a formal chairperson, this role is typically filled by the corporate controller.
Duties
Disclosure committees generally meet at least twice, if not several times, during a reporting cycle, to address and approve the earnings press release followed by the SEC filing. Other meetings occur close to segment leader, CFO or audit committee meetings. The disclosure committee typically reports directly to the CEO’s and CFO’s offices (at one company the committee also reports to the COO), and is required to read draft SEC filings through several rounds and manage the certification letter process. Another company’s committee spearheads the efforts in distributing internal memoranda that alert each general manager and controller of its eight business units as well as its more than 70 plant managers worldwide of the responsibility to establish the proper due diligence at each level to ensure all material events or internal control issues are reported. Committees often solicit input from each respective area on company filings, specifically as to the adequacy of disclosures.
Interview sessions or meetings are frequently scheduled with the CEO and CFO during which the committee, or the corporate controller acting on behalf of the committee, reports on the findings from reviews of subcertification letters and draft filings. Some meetings include segment management as well. Once executive management approval is obtained, the audit committee performs its review and provides the final approval. Companies with broadly represented and larger working-group type committees generally sign a separate certification report to the CEO and CFO summarizing their duties and findings, which directly supports the overall CEO and CFO certifications. In one case, the company’s disclosure committee neither delivers an individual representation letter nor makes an individual certification. However, the corporate controller, as chair of the committee and a key participant during the company’s business review sessions, provides a final supporting representation once the last representation letter is received. Many of the review processes also involve outside counsel and external auditors. One company’s disclosure committee is not only responsible for quarterly reporting documents, but is also charged with reviewing any public dissemination of information, such as analyst presentations made by investor relations.
Documentation
All disclosure committees have an agenda to review each Act requirement for distribution to participants and disclosure committee members. Documentation also includes the disclosure report or an outline of the full disclosure process and the related controls and procedures. One company compiled a disclosures control and procedures manual that details the steps in providing the proper disclosures and gives a timeline from the close of each quarter through the report filing date. Most companies have either adopted or are in the process of adopting formal charters for their disclosure committees, which outline committee members’ roles and responsibilities. For example, the controller is responsible for reporting any issues to the external auditors, whereas other members may be responsible for more specific regulations that are part of the company’s business. Those who have not adopted formal charters are waiting for additional SEC guidance. In some instances, documentation of disclosure committee meetings is kept on a high level and serves to provide a record of meeting dates. In other cases, roughly half of the executives interviewed report that their companies take formal minutes that are kept by the general counsel and recite the key events that took place during the meeting.
The form, in some cases, is similar to the method used for maintaining minutes of boards of directors’ meetings. Some companies provide additional documentation that addresses the adequacy of disclosures, the disclosures that were approved, and, for those not approved, the reasons why disclosure was not considered appropriate.
Internal and Disclosure Controls
As called for by the Act, final SEC rules established a new term, “disclosure controls and procedures” that “are designed to ensure that information required to be disclosed by the issuer is recorded, processed, summarized and reported, within the time periods specified.” Through procedures related to 302 certifications, many companies have already addressed the testing of disclosure controls, in particular, the CEO’s and CFO’s responsibility for establishing and maintaining internal controls and evaluating their effectiveness. Specific to disclosure control testing, companies have established similar types of tests and tools that have been integrated within the disclosure and certification process. Tools include detailed periodic checklists that evidence all disclosure procedures are performed. In many cases, lists include questions tailored to address points that may only be applicable for a certain period for a specific business unit. Employees providing subcertifications have also been asked to keep documentation that backs up internal representations to the overall CEO and CFO certification.
Such documentation is typically subject to review by internal audit, in accordance with both routine visits and the required quarterly review of disclosure controls within 90 days of each certification (or as of the end of the period covered by the quarterly or annual report if proposed rules are adopted). Reports of any issues, findings, suggestions and recommendations are provided to the CEO, the CFO and the disclosure committee, who then discuss the key documentation. At one company, the disclosure committee uses a separate list of questions to test whether all material information is received from the unit’s senior financial person. With most of the 302 procedures and testing already established, the recent focus has been shifting to keeping apprised of further rulemaking related to internal controls. However, since SEC rule proposals regarding Act section 404 (Management Assessment of Internal Controls) are still in the process of being finalized, companies are relying primarily on existing controls, with the internal control framework established in September 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as the standard for these procedures. Separate from disclosure controls processes, existing internal control procedures include specific representation about changes in control systems during the period via a control self-assessment process. This process involves completion of a questionnaire or form directed to a designated control person at each location. Forms of this type serve to interpret, clarify and define each internal control test, address specific control areas that affect financial reporting and call for an action plan if controls are not in place. The results are summarized and typically reported to each location and its supervisory levels. Future internal audit efforts are directed toward addressing any concerns. The processes will also serve to assist external auditors.
To ensure that all units will read and analyze requirements, rather than adopt a “check-the-box” mentality, companies may make some changes to both the internal and disclosure control documentation. Operating leaders are also asked to designate an “owner” for every component of internal control within a unit, such as a plant controller. This person’s duties may include documentation of internal control processes, integration of changes based on feedback within their units, preparation of flowcharts and development of awareness through group or regional meetings, the intranet, memoranda and training classes. Additional proactive steps include internal discussion based on proposed rules or the establishment of a new position, such as director of internal controls. This individual reports directly to the corporate controller and will be responsible for plans to increase the company’s control tracking in both business and corporate areas and implement various internal control and remediation plans. Companies also plan on increased internal audits to perform periodic spot checks and report any deficiencies to either the corporate or business unit management. Any testing or findings could then assist external auditors in their independent testing. Increased corporate accounting staffing is also a likely outcome as a result of increased internal audit efforts. Expectations with regard to internal controls include internal audit devoting more efforts and resources on testing financial controls versus previous years, thus shifting some focus from operating and compliance controls. Enterprise-wide risk management will also be a focus. Separate from processes established in direct response to the Act, one company intends to focus on definition, assessment and measurement of operating controls.
Audit Committees
Most companies would agree that their audit committees have been more active than ever during the past few months, particularly in anticipation of the first round of fiscal and calendar year ends under the Act. Current action includes drafting revisions of audit committee charters and related processes, based on final Act provisions, pending final SEC rulemaking and New York Stock Exchange (NYSE) and Nasdaq corporate governance proposals. As final rules are established, further changes to charters will be made. Plans include disclosure of fully adopted charters and agendas in 2003 proxy statements or on company Web sites. For some companies, audit committee meetings have increased to as many as 12 per year, with about four in-person meetings, often in conjunction with full board meetings. In addition to the time spent conducting the meeting, the hours required for the related documentation and preparation have clearly affected finance departments. For the most part, the length of each meeting has increased by at least one, if not two hours, to a total session lasting three to four hours. One company’s committee has also had discussions to potentially devote two half days to discuss the 10-K filing. Some companies have also found that the number of telephone calls and one-on-one conferences, particularly between executives and the audit committee chair, has increased. For these calls, the chair may determine if a topic warrants full audit committee involvement. Companies have also noted that audit committee members have been seeking and delving deeper into the items established for each meeting agenda, and this has lengthened the meetings. The agenda of each meeting follows requirements detailed in company audit committee charters and includes review and discussion of each quarterly filing. Earnings press releases are reviewed in detail and approved by audit committee chairs, if not the entire committees.
One company reports that board members not on its audit committee voluntarily attend formal sit-down meetings conducted to review any SEC 1934 Act filings. A few other companies have also included meeting sessions solely designated to brief members on the segment reviews and the certification process. Meetings not related to SEC 1934 Act filings are prompted by audit committees performing more proactive, rather than exception-based, reviews. Companies are making additional efforts to update members on key accounting principles or critical accounting policies that may have a significant impact on the financials or are subject to judgment or assumptions, such as reserve or pension accounting. Members are also seeking and receiving further education on industry-specific issues. The complexity of one company’s business has also resulted in the creation of audit subcommittees to address control-related issues and procedures, such as site visits. Other related issues include the required disclosure of financial fraud to audit committees, with no materiality threshold set by the Act. Primarily, companies intend to address this through whistleblower and code of conduct violation reports to the audit committee. With the recent adoption of new rules pursuant to Act Section 407, Disclosure of Audit Committee Financial Expert, companies will also be preparing for required annual report disclosures for fiscal years ending after July 15, 2003. Under the new SEC rules, a company will be required to annually disclose whether it has at least one audit committee financial expert, and if so, the name of the expert and whether the expert is independent of management. If a company does not have an expert, this must be disclosed, along with an explanation.
External Auditors
On January 22, 2003, the SEC voted to adopt rules to fulfill the mandate of Title II of the Act. Effective 90 days after publication in the Federal Register, the approved measures will address non-audit services, partner rotation, cooling off periods, compensation, communication with audit committees, and investor disclosures. Many companies had already taken steps to address these areas, particularly in the area of non-audit services and audit committee pre-approvals of services provided by the auditor. Though more guidance is being continually provided, the Act still calls for additional action and rulemaking from both the SEC and the Public Company Accounting Oversight Board (PCAOB). With final SEC rules on internal control still to be determined and PCAOB delays, such as the establishment of public accounting firm registration (public accountants that provide services to public companies must be registered with the PCAOB), the final impact on the relationships between companies and their external auditors is still to be determined.
Accounting Services Approvals
The delineation between audit and non-audit services is clearly an area that has resulted in some changes. Pre-approval processes established by companies and their audit committees dictate accounting firm services first and foremost. A list of audit versus non-audit services that the company intends to continue using is prepared. The pre-approval processes involve evaluation of the independence implication of any non-audit service and typically establish approval for 12 months from the date of audit committee resolution and, for some companies, a budgetary and scope limit per transaction or type of service. The corporate legal, controller and internal audit offices are among the departments named by companies to implement and monitor accounting firm services.
Any public accounting services that are not covered by the pre-approval process or that exceed the budgetary and scope limits are presented to the audit committee or to a designated audit committee member (who is not necessarily the audit committee chair) for additional approval. Policies are reinforced within companies, with one company noting during a finance conference that anyone engaging the external auditor prior to audit committee approval was subject to dismissal. In most companies, audit committees are periodically updated on the actual spending for each service category and given a comparison between the actual costs and the spending limits.

At one company, the approval and tracking of audit and non-audit services is facilitated through the procurement organization and purchase order process before work is even performed. To control costs and capture data, business unit CFOs get direct approval from the corporate controller. If approvals are not obtained, the procurement department will not issue a purchase order. As a means of verification, the controller receives a report from the company’s global supply chain procurement department, particularly in instances where spending exceeds the approved amount. The external auditors also provide a monthly report of the hours and dollars spent for each project they performed. Internal versus external figures are compared for review and proxy purposes. This reconciliation process is common across many companies, with one company using its internal audit department, instead of the corporate controller’s office, to perform the review.

Some companies have a very conservative approach, using external auditors only for the audit and financial reporting reviews directly related to the audit. For these companies, other firms provide non-audit services. Regardless of the respective decisions, challenges remain in monitoring services performed by accounting firms for global organizations with multinational units and subsidiaries, which in some cases may actually have different legal names.

Cost

As accounting firm services are redistributed, companies are increasingly concerned about rising audit costs. Though the Act specified that the costs of external audits should not be significantly affected, pending further rulemaking, many accounting firms have had preliminary discussions with companies about sizable increases in fees. In addition, the external auditors may shift their focus from audits relying primarily on balance sheet substantiation to audits relying more on disclosure and internal controls testing. In this regard, banking and financial institutions subject to the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA), and internal control reviews necessary for compliance, may encounter fewer changes in audit testing than their counterparts in manufacturing and other non-financial industries. However, some companies have noted that if they already comply with COSO guidelines and have the related internal evaluations of control systems, there should not be any changes to the external audit other than increased codification related to disclosure control testing. Furthermore, a company with a robust internal control system and an internal audit department where audits have a proper scope and are based on processes, not on period end substantiation, may have a basis to control substantial incremental fees.
One executive said the discussions with the company’s external auditors had been very frank: “The conversations we’ve had with our auditors are first ‘Let’s acknowledge that the business model is broken, [and] that the audit needs to be fixed. Now let’s have a thoughtful discussion about what you need to do, what the expectations are and the requirement of the audit committee. And then, when that’s resolved, let’s figure out what that costs.’”

The implications of current rule proposals on mandatory auditor rotation have also become a concern among many companies, particularly businesses that are highly technical and rely upon their accountant’s industry specialists.
Code of Ethics and Whistleblower Provisions
As required by Section 406, Code of Ethics for Senior Financial Officers (406), of the Act, companies have also begun implementing codes of ethics for senior financial officers using FEI’s code of ethics as a baseline. Commencing with fiscal years ending on or after July 15, 2003 (or December 15, 2003 for small business issuers), new SEC rules require annual reports to disclose whether a company has a code of ethics that applies to its principal executive, financial or accounting officers. Any changes to, or waivers of, the code applied to these individuals must also be disclosed within five business days.
Many companies have chosen to integrate the specific required elements into their overall business codes of conduct, while others have implemented a separate financial officer code. Those integrating changes into the overall company principles made some minor modifications that primarily involve broadening applicability to directors, employees and senior financial management. The general approach is to make adjustments from a principles-based approach, rather than dilute a code to address issues that may only be applicable to some employees. For example, a few companies have added to or broadened their codes’ sections on business standards. Other companies, however, felt it more appropriate to distinguish between financial and other employees, since financial personnel deal with more specific issues, as specified by 406. In these cases a separate finance code has been established for as few as 40 people within the top financial leadership to as many as every single finance person employed with a company. From a logistical standpoint, since additional regulator guidance could be provided, one company preferred to make changes to the finance staff code, rather than republish the business ethics section applicable to all employees.

Regardless of the choice, clear and constant communication is the best method to reinforce the ethical conduct. Using the infrastructures of existing programs and ombudsman offices, companies are promoting ethics and integrity via employee training that could include a discussion of case studies through multiple perspectives (i.e. supervisor, employee, co-worker, human resource or employee satisfaction surveys regarding the ethics process). Communication on what ethics initiatives are used at companies within industries is another useful promotional tool. Many codes require annual attestation via online intranet or through a hardcopy form that requires individual signatures.
Testing on business code components is also a commonly used tool, whereby additional training is required for those individuals who don’t pass the tests. No individual is exempted from the ethics process, and managers typically receive reports of delinquencies, which they must then act upon. In some cases, corporate compliance departments filter back any questions that are raised into the certification and financial reporting process. One company even performed an external audit to support its ethics program.

Companies generally use existing ombudsmen, compliance or security departments, third party security vendors, such as Kroll, or a combination of internal and external parties, to address any employee concerns or potential whistleblower issues. These infrastructures have been expanded to address accounting and audit related issues, thus providing employees with a confidential and anonymous vehicle for filing complaints via a helpline or hotline. Any accounting and finance complaints are then submitted to the head of the internal audit department, the audit committee chair, the audit committee, the board of directors, the company’s legal counsel, the company’s ethics department or some combination of these parties via a formal report or summary. However, whistleblowers do have the ability to contact audit committees directly. Since the Act has been enacted, companies estimate that about 90-95% of employee complaints still pertain to human resource issues.
Conclusion
Overall, most of the immediate and current actions as a result of the Act involved documentation and formalization of procedures that were already in place. Some minor differences were noted, but for the most part, certification, disclosure and control processes are consistent at leading companies. Clearly, final rules resulting from the Act have resulted in increased time commitment from financial executives and audit committee members alike. The Act has broadened the awareness of and involvement in financial management and reporting of senior corporate managers and directors who historically were not directly involved in these functions. Managing the expectations created by the Act and the response to them will continue to be a challenge as new rules continue to be implemented. One of the key areas still subject to new SEC and PCAOB rulemaking includes the testing of internal control by external auditors beginning with 2003 fiscal year audits.

In the interim, working with a variety of information sources and advisors has proven to be the best approach for implementation of the Act. By and large, companies have sought guidance from their in-house and outside legal counsel and external auditors. Sarbanes-Oxley, Nasdaq and NYSE checklists, such as the ones authored by the Financial Executives Research Foundation, and benchmarking against or comparing experiences with other companies have also proven to be helpful.
Appendix A – Financial Executive Checklist
Sarbanes-Oxley Act of 2002 – Enacted as Public Law on July 30, 2002 (Enactment date)
Revised January 28, 2003

Columns: Description | Applies to | Effective Date | Act Section/Other Reference | Company Practice/Action/Resolution

Description: Issuers should be aware that accounting firms performing any audit functions for their organizations register with the Public Company Accounting Oversight Board (PCAOB)
Applies to: External Auditors; Public Accounting Firms
Effective Date: Board to be established not later than 270 days after date of enactment; Registration required beginning 180 days after commencement of Board operations
Act Section/Other Reference: 102

Description: Issuers should be aware that accounting firms performing any audit functions for their organizations:
1. are subject to quality control and ethics standards adopted by the PCAOB
2. retain audit-related material for at least 7 years
3. perform concurring or second partner review of all audit reports
4. describe in the audit report the scope and procedures of internal control structure testing
5. are prohibited from providing audit services to an issuer if the lead audit partner has performed audit services in each of the 5 previous fiscal years of that issuer
6. report to the issuer’s audit committee the methods, practices, policies behind the audit work
7. are prohibited from providing audit services for an issuer if the CEO, Controller, CFO, CAO (or equivalent capacity) was employed in the accounting firm’s audit practice during the 1 year period prior to the audit
8. must report on issuer internal controls
Applies to: External Auditors; Public Accounting Firms
Effective Date: As established by PCAOB (103); 90 days after their publication in the Federal Register, with appropriate transition periods for various provisions (203, 204, 206); Compliance date October 31, 2003 (802); Subject to SEC rulemaking (404)
Act Section/Other Reference: 103, 203, 204, 206—SEC Final Rule: Strengthening Auditor Independence; 802—SEC Final Rule: Retention of Records relevant to Audits and Reviews, http://www.sec.gov/rules/final/338180.htm; 404—http://www.sec.gov/rules/proposed/338138.htm

Description: Issuers and audit committees should ensure that registered accounting firms performing any audit functions for their organizations do not provide non-audit services, which include:
1. Bookkeeping or other services related to the accounting records of financial statements of the audit client
2. Financial information system design and implementation
3. Appraisal or valuation services, fairness opinions, or contribution-in-kind reports
4. Actuarial services
5. Internal audit outsourcing services
6. Management functions or human resources
7. Broker or dealer, investment advisor, or investment banking services
8. Legal services and expert services unrelated to the audit
9. Any other service that the Board determines, by regulation, is impermissible
Applies to: External Auditors; Public Accounting Firms
Effective Date: 90 days after their publication in the Federal Register, with appropriate transition periods for various provisions
Act Section/Other Reference: 201—SEC Final Rule: Strengthening Auditor Independence, http://www.sec.gov/news/press/20039.htm

Description: Issuer audit committees must approve all auditing and non-auditing services provided to an issuer
Applies to: Audit Committees; External auditors
Effective Date: 90 days after their publication in the Federal Register, with appropriate transition periods for various provisions
Act Section/Other Reference: 202—SEC Final Rule: Strengthening Auditor Independence, http://www.sec.gov/news/press/20039.htm

Description: Issuer audit committees shall be responsible for appointment and oversight of any audit work performed by an accounting firm. The Securities and Exchange Commission (SEC) is allowed to direct the national securities exchanges/associations to de-list any issuer that is not in compliance with Title III of the Act. Issuer audit committees must establish procedures for receiving and treating complaints (including anonymous ones from issuer employees) regarding accounting, internal accounting controls and auditing.
Applies to: Audit Committees; External auditors
Effective Date: Subject to SEC adoption based on rule proposal required by 301
Act Section/Other Reference: 301—http://www.sec.gov/rules/proposed/3447137.htm; 806, 1107

Description: Issuers must provide audit committees with adequate funding for compensation to render an audit report and advisers employed by the committee
Applies to: Audit Committee
Effective Date: Subject to SEC adoption based on rule proposal required by 301
Act Section/Other Reference: 301, http://www.sec.gov/rules/proposed/3447137.htm

Description: Issuers must disclose whether or not, and if not, why, at least 1 financial expert serves on their audit committees.
Applies to: Audit Committee; Reporting
Effective Date: For fiscal years ending on or after July 15, 2003
Act Section/Other Reference: 407, http://www.sec.gov/rules/final/338177.htm

Description: Annual reports filed with the SEC shall state the responsibility of management for establishing and maintaining adequate internal control structure and procedures for financial reporting; and contain an assessment of internal control effectiveness.
Applies to: Reporting; External auditors
Effective Date: Subject to SEC adoption based on rule proposal required by 404
Act Section/Other Reference: 404, http://www.sec.gov/rules/proposed/338138.htm

Description: Issuers must publicly disclose whether or not, and if not, why, senior financial officers sign a code of ethics.
Applies to: Reporting
Effective Date: For fiscal years ending on or after July 15, 2003
Act Section/Other Reference: 406, http://www.sec.gov/rules/final/338177.htm

Description: Issuers must provide rapid and current disclosure in plain English regarding material changes in the financial condition or operations.
Applies to: Reporting
Effective Date: Phase-in period for accelerated deadlines of quarterly and annual reports will begin for reports filed by companies that meet the definition of "accelerated filer" as of the end of their first fiscal year ending on or after December 15, 2002
Act Section/Other Reference: 409, http://www.sec.gov/rules/final/338128.htm

Description: Requires that each periodic financial report to the SEC be accompanied by a written statement that is signed by the CEO and CFO of the issuer that certifies that the periodic report containing the financial statements fully complies with securities laws. Penalties for certifying a misleading or fraudulent statement/report, detailed in Section 906, provide for criminal penalties in addition to fines.
Applies to: Reporting
Effective Date: August 29, 2002
Act Section/Other Reference: 906, http://www.sec.gov/rules/final/338124.htm

Description: The principal executive officer(s) and financial officer(s) of each issuer must certify annual and quarterly reports to the SEC.
Applies to: Reporting
Effective Date: August 29, 2002
Act Section/Other Reference: 302, http://www.sec.gov/rules/final/338124.htm

Description: All financial reports filed with the SEC must disclose off-balance sheet transactions that may have a material current or future effect on the financial condition of the issuer
Applies to: Reporting
Effective Date: Fiscal years ending June 15, 2003
Act Section/Other Reference: 401, http://www.sec.gov/news/press/200310.htm

Description: Pro forma financial information included in any periodic report filed with the SEC must not contain an untrue statement of a material fact and must be reconciled with financial statements based on Generally Accepted Accounting Principles (GAAP).
Applies to: Reporting
Effective Date: March 28, 2003
Act Section/Other Reference: 401, http://www.sec.gov/rules/final/33-8176.htm

Description: Issuer loans to executives are prohibited. Section 402 refers to certain exclusions.
Applies to: Compensation
Effective Date: Upon enactment
Act Section/Other Reference: 402

Description: Issuer executives must forfeit any bonus or incentive-based pay or profits from the sale of stock, received in the 12 months prior to an earnings restatement due to material noncompliance, as a result of misconduct
Applies to: Compensation
Effective Date: Upon enactment
Act Section/Other Reference: 304

Description: Issuer directors and officers are prohibited from purchasing, selling or transferring any equity security of that issuer during any pension fund blackout. Additional requirements for plan administrators, such as reasons for and expected length of blackout periods and penalties are detailed in Section 306. Employers are also required to give a 30-day advance written or electronic notice of any pension fund blackout period.
Applies to: Insider Trades
Effective Date: Issuers must comply with §245.104(b)(3)(i) and (iii) of Regulation BTR beginning March 31, 2003
Act Section/Other Reference: 306, http://www.sec.gov/rules/final/3447225.htm

Description: Issuer directors, officers and principal stockholders must file a statement with the SEC when existing stock is sold or new stock is obtained from the issuer. Statements must be filed at the time of registration of such security on a national securities exchange or by the effective date of a registration statement; within 10 days after he or she becomes such beneficial owner, director or officer; if there has been a change in such ownership, within two days of the initial acquiring of such security. The electronic filing of such statements shall be available within 1 year of the date of enactment.
Applies to: Insider Trades
Effective Date: August 29, 2002
Act Section/Other Reference: 403, http://www.sec.gov/rules/final/3446421.htm
About the Author
Cheryl de Mesa Graziano, CPA, is Director of Research at Financial Executives Research Foundation. She began her career at Coopers & Lybrand and went on to several private-sector positions, including controller and CFO. She has also worked for CNBC, Perseus Books and Bi-Logix, Inc and is completing a master’s degree in journalism.
Financial Executives Research Foundation, Inc.

Copyright © 2002 by Financial Executives Research Foundation, Inc. All rights reserved. No part of this publication may be reproduced in any form or by any means without written permission from the publisher. International Standard Book Number x-xxxxxx-xx-x. Printed in the United States of America. First Printing.

Financial Executives Research Foundation, Inc. is the research affiliate of Financial Executives International. The purpose of the Foundation is to sponsor research and publish informative material in the field of business management, with particular emphasis on the practice of financial management and its evolving role in the management of business. The mission of the Research Foundation is to identify and develop timely, topical research to advance the financial management profession. The Foundation’s work is educational rather than editorial. The Foundation is an independent 501(c)(3) educational organization. The Foundation receives no portion of FEI Members dues; rather, it relies on voluntary tax-deductible contributions from corporations and individuals.

The views set forth in this publication are those of the author and do not necessarily represent those of the Financial Executives Research Foundation Board as a whole, individual trustees, or the members of the Advisory Committee.

This and more than 50 other Research Foundation publications can be ordered by logging onto www.fei.org/rf. Discounts available to FEI members and Foundation donors.
Upcoming and recent releases from Financial Executives Research Foundation…

• Integrity-Based Financial Leadership and Ethical Behavior (coming soon)
• A Comparison of Alternative Models for Valuing Employee Stock Options (coming soon)
• Benchmarking the Planning Process—World Class Companies vs. Average Companies
• Audit Committee Charter—For Privately-Held Companies (free download for FEI members)
• 2002 Year-End Tax Planning Strategies (free download for FEI members)
• Year End Issues Update for Benefit Plan Sponsors
• Sarbanes-Oxley Act of 2002—A Financial Executive Checklist (free download for FEI members)
• NASDAQ Corporate Governance Proposals—A Financial Executive Checklist (free download for FEI members)
• NYSE Corporate Governance Proposals—A Financial Executive Checklist (free download for FEI members)
• Corporate Reporting and the Internet—Understanding-and Using-XBRL (free download for FEI members)
• Information Security—Keeping Data Safe (free download for FEI members)
• Commercial Insurance—Strategies for Renewal (free download for FEI members)
• Self-Directed Brokerage Accounts in 401(k) Plans (free download for FEI members)
• Business Performance Intelligence Software—A Market Evaluation (free download for FEI members)
• Promoting Ethical Conduct—A Review of Corporate Practice (free download for FEI members)
• MD&A Trends and Techniques—How Leading Companies Promote Transparency (free download for FEI members)

To download selected free reports or to order publications, log on to http://www.fei.org/rfbookstore or call 973-765-1012.

*Shipping and handling charges are $4.75 per item. For overseas orders, add $10.00. For overnight delivery, add $20.00.