Under the mandates of the Sarbanes-Oxley Act, public companies are now required to establish and evaluate disclosure controls and procedures in addition to the accounting controls and procedures. Moreover, the principal executive and accounting officers are now required to certify these procedures with the filing of the company's periodic reports under the Securities Exchange Act of 1934. So what's a CEO to do?
The following is a brief summary of some steps that have been recommended that companies should implement. Importantly, all of the commentators strongly advise that close collaboration with the audit committee is critical to the success and proper operation of these measures.
- Establish a Disclosure Control Committee. To streamline the disclosure control process, a standing committee of select personnel should be on call to review all Exchange Act reports and press releases, including reports on Form 8-K and earnings releases, analyst guidance, investor presentations and similar public pronouncements. The committee might also be assigned the duty of monitoring the company's website to ensure that all required disclosures are properly made. The persons to be included in the committee should include the principal accounting officer, heads of major business functions, general counsel, and other similar functionaries.
- Review and Establish Disclosure Protocols. At the initial meeting, the committee should study the existing disclosure procedures. If no procedures are in place, the first task would be to establish appropriate protocols for ensuring full, fair and timely disclosure. In all events, the protocols should be documented.
- Reporting Procedures. The reporting procedures will need to include reporting requirements incumbent upon all heads of principal business units and major functions (such as accounting, finance, sales, etc.) to a central person or office all material developments in the business that may need to be reported, including problems, defects or breakdowns in the disclosure system. The procedures must include a timetable appropriate to ensure that the information is reported regularly on a timely basis as well as at scheduled times necessary to ensure that it is included in the periodic SEC filings.
- Information Gathering - Non-Financial Information. In addition, the protocols established by the committee must include a procedure that will permit the committee to ensure the gathering of all material information when needed on a timely basis. The protocols may implement a disclosure questionnaire designed to elicit hard data as well as "soft" facts that may require or impact disclosure, together with a narrative summary to be prepared by each principal unit.
- Information Gathering - Financial Information. When gathering financial information, it is critical that the committee focus, and elicit from the reporting units, information regarding critical accounting policies and estimates, judgments impacting financial statements, and other such items required to be disclosed in MD&A or otherwise. These disclosures include those issues at the forefront of SEC rules and disclosure guidelines, such as revenue recognition, derivatives disclosure, impairment determinations, adequacy or overstatement of reserves, use of non-GAAP financial measures, restructuring charges, off-balance sheet arrangements, and affiliated party transactions.
- Document Review. The protocols should require the committee to review key documents and other information prior to finalizing its review. This should include material contracts, financial changes, press releases, analyst and investor guidance and presentations, competitor information (such as their SEC reports, etc.), auditor communications, complaints by employees (including "whistleblower" complaints), and the company's website.
- Circulate Draft Disclosure. The committee should distribute the draft disclosure document or report to all persons involved in the disclosure process, which includes all principal unit heads. Distribution should be made with sufficient time for such persons to study and comment on it - that is, to report back even if the reviewer has no suggested changes. The standard for their review should be to determine if the report or document discloses the relevant information adequately and accurately, and the therefore "fairly presents" the disclosure required to be contained therein.
- Unit Head Certifications. The protocols should require that the unit heads, after reviewing the proposed disclosure, certify the disclosure to the best of his or her knowledge. The certification would be the same as that required of the CEO and principal financial officer and would be limited to the extent of the information within the knowledge of the unit head, the purview of his or her responsibilities, and what he or she should have known in the exercise of his duties and authority.
- Evaluations. The CEO and the principal accounting officer are required to evaluate the disclosure controls and to file a certification with the SEC as to the evaluation quarterly, and to report at least annually on the disclosure control system. The disclosure control committee should assist in the performance of these functions. On a quarterly basis, the committee should review the system and procedures generally. On an annual basis, the committee should actually interview persons in the chain of disclosure obligations, sample the system by following the route of some of the disclosures made - or not made, ask questions of unit heads and review past disclosures against an in depth review of operations and performance.
- Documentation. The committee should take pains to document its evaluations and conclusions, including the steps taken to reach those conclusions.
In conclusion, disclosure control committees will be held to a high standard. It will be most important that appropriate procedures be implemented to enable the committee, and the company, to live up to its obligations.