About 10 years ago, when Attorney General John Ashcroft was governor of Missouri and president of the National Governors Association, he was challenged by then-chairman of the Securities and Exchange Commission, Richard Breeden, with the fact that each year, states imposed millions of dollars in fees on mutual funds, although most didn't do much in the way of regulating them. Without skipping a beat, Governor Ashcroft responded by saying, “Why, Mr. Chairman, I do believe that in this country, honest people pay for prisons.”
In a similar vein, honest and upstanding corporations, lawyers, accountants, and executives are now faced with “paying” for the misdeeds of a few high-profile corporate malefactors in complying with the letter and spirit of the Sarbanes-Oxley Act of 2002 and all that comes and will come with it. Sarbanes-Oxley has been called the most sweeping securities legislation since 1933. Just as the Securities Act of 1933, the first federal securities law, was among the reforms enacted in the famous First 100 Days of Franklin D. Roosevelt's administration, it is ironic that Sarbanes-Oxley also was drafted and enacted at the congressional version of warp speed.
It is long and complex, affects many different areas of the law, empowers regulators to adopt expansive and more detailed rules, and creates a new regulatory body to oversee a yet-to-be-devised system of oversight for accountants. It also elevates the criminal penalties for white collar crime to among the most severe available under federal law, and makes criminal a number of wrongful acts that were not treated as crimes before. All these reforms-along with their imposing costs in dollars, time, and resources-come at a time when corporate America is trying to cope with a weak and nervous economy, layoffs and other cutbacks, elusive profits, and a public image stained by corruption and manifest distrust.
In the last piece I wrote here, I focused on some of the conflicts I see arising in the context of the public company boardroom, particularly with the concept of setting up and strengthening the watchdog roles of the audit committee, auditors, and in-house and outside counsel, and pledged to explore potential strategies and approaches in dealing with them. While I do not profess to have a crystal ball any clearer than anyone else's, I do approach the problem with the background of 20-plus years' experience as a securities regulator, with some idea of what works and what doesn't in trying to establish that you are doing what you are supposed to be doing under the law.
Form Over Substance Is a Very Bad Idea
To begin, public companies must learn what broker-dealers and investment advisers already know all too well regarding regulation. Laws empower regulators to make rules. Under those laws and rules, companies are required to adopt policies and procedures. When acts of those companies are called into question, the companies are examined to determine compliance not only with the laws and the rules, but also with their own policies and procedures. Even if the substantive law and regulations were not violated, if the company failed to follow its own policies and procedures, it can be subject to sanctions.
Under Sarbanes-Oxley, a new layer of liability is created. A broad array of new policies and procedures must be established and followed. They must be tailored to the company's particular circumstances. It will not suffice to use a set of generic procedures you copied from some seminar materials or from a buddy down the street. They must be an accurate reflection of the policies, responsibilities, and procedures for the operation involved. I recommend that the manual should be kept in a three-ring binder or the like, with each page dated and each section separated by starting a new page. This should be a living, breathing, working document, not some bound work some consultant drafted that everyone puts on the shelf and forgets.
Companies will be held to have and implement such policies and procedures. Failure to have them or departure from them could very well constitute grounds for liability without any more substantive wrongdoing. For example, even if the financials certified by the CEO and CFO are perfectly accurate, if it were discovered that there were no procedures in place to substantiate the CEO and CFO's certification, or that they are in place but the CEO and CFO did not follow them, the company could be in hot water nonetheless. Companies should resist adopting any policy or procedure it is not their intention to follow.
Lessons of History
George Santayana wrote that those who fail to learn the lessons of history are bound to repeat them. In large part, one year's regulatory emphasis can be defined as an organized effort to prevent and detect the problems encountered the year before. Corporations can be sure that the misdeeds and tricks that made headlines over the last two years will be the subjects of examination this year, the next, and for some time to come. Companies will be well served to analyze what happened at the corporations mired in scandal, indictments, restatements of earnings, and the like, and then identify the reasons why they couldn't happen here, devise ways to prevent them from happening here, and figure out approaches to oversight to make sure they don't. And finally, write it all down and make sure it's done.
Declarations of Independence
To truly fulfill both the letter and spirit of Sarbanes-Oxley, the ultimate power and authority figure at the corporation must surrender some real authority and control to independent parties, particularly the audit committee of the board of directors. That Sarbanes-Oxley calls for greater audit committee authority and involvement is no revelation. It is the nature of that delegation and empowerment that I suspect will entail a significant executive gulp and leap of faith into the unknown.
It is overly simplistic to say, “If you don't have anything to hide, there's nothing to worry about.” Even if there is nothing to hide, there is undoubtedly a mountain of information to understand, and in a competitive market, little time to understand it if you are not living and breathing it each day. The CEO and CFO are immersed in a corporation's affairs. It is unrealistic to believe that no matter how dedicated, the board of directors or even its audit committee members will have the time, skill, and experience to grasp all the information corporate executives had at their disposal in reaching a decision or developing financial information. They are, after all, serving on the board on a very limited, part-time basis.
There will be no perfection here; there is no way to score 100% on this test. But take note of the old French adage: “Let not the better be the enemy of the good.” There are a few easy steps that can be taken immediately to improve both the appearance and reality of board and audit committee independence and oversight. Sarbanes-Oxley requires that the audit committee must be composed of independent directors only. As many commentators have suggested, it should become standard policy that the audit committee, if not all of the independent members of the board, should meet separately and periodically with outside auditors and outside counsel.
It is usually suggested or assumed that such a meeting should take place at the time of the full board meeting. I think this idea is satisfactory, but not as useful as holding such a meeting a few weeks before the scheduled board meeting. If the audit committee meeting with the outside advisors is held in conjunction with the full board meeting, whatever questions or concerns that might arise must be dealt with by the audit committee on the fly, without much opportunity to request and consider additional information or otherwise deliberate on the matter. As useful as I believe such a separate meeting to be, I realize that constraints on board members' time may make this meeting in advance too burdensome.
Having served on a number of smaller boards of directors (of not-for-profit entities, admittedly) as board member and chair, and having served several other boards as counsel or in other capacities, it is my experience that "getting the board books out" is invariably a madcap race against time. Voluminous materials are received by the board members two or three days before the board meeting. The materials are often left to be read on the plane by the members on their way to the city in which the meeting will be held. Granted, in this manner the materials are as up-to-date as possible, but it is hardly conducive to careful consideration and study. Perhaps the process is more sophisticated in larger companies, but I suspect there is always some element of last-minute preparation.
A way to counter this all-but-inevitable obstacle to full-board understanding is to assign an independent board member, perhaps an audit committee member, to oversee a particularly controversial, sensitive, or complex subject. In a manner suitable to the particular task, those in the corporate ranks can feed information to the assigned member on a more consistent basis so that, come time for the board meeting, the assigned member is more up to speed given his or her focus on the subject over time. (Although the subject of e-mail is sensitive and complicated, it cannot be denied that the medium affords a very sleek means of communicating information easily and quickly.) These assigned board members might even contribute their insights to other members in a report prepared and distributed in anticipation of the next board meeting.
Under Sarbanes-Oxley, the audit committee is empowered to seek its own counsel and auditing assistance, at the corporation's expense. Obviously, this is not feasible at smaller enterprises. In the last article, I raised the question that at larger operations, if indeed independent counsel and accountants are hired to assist the audit committee, what motivation would these people have in concurring with the decisions and product of the corporation's people? Is it not possible that, given the liabilities imposed under the Act, they would be much better off as naysayers?
I hope it will never come to the point that a 10K is composed of a majority and minority report on financials and disclosure. No system can be developed to make certain that the financial information and disclosure provided by a corporation are absolute truth. There is no such thing. What has been lacking to at least some degree is any kind of adversarial process involving independent parties to give some assurance the information has been vetted, that critical questions have been asked and answered to an independent person's satisfaction. The majority/minority debacle I described is unlikely to develop if there has been an honest flow of accurate information and time to consider it, either by the audit committee itself or in conjunction with its professional consultants and staff.
What if some cutting-edge accounting treatment is being proposed for a novel transaction? Certainly, management will have sought and obtained input from advisors and consultants in support of the approach. Audit committee members should first be apprised of the plan, but might also inquire as to whether the SEC has been consulted, and if not, why not. Accounting standards are not immutable principles of physics. If the SEC and perhaps the PCAOB, the accounting oversight board, are going to hold people accountable for their financial product, the regulators themselves can be made responsible for providing guidance before the fact. If they elect not to provide such advice, at least the company will be on record as having sought the guidance before acting. A similar result can be achieved with public disclosure, such as an announcement regarding the manner in which the transactions are being reported and the impact it has on the financial portrait of the firm.
Finally, a lesson from reports about the HealthSouth case. From these printed reports, it appears that part of the scheme involved the doctoring of invoices to reflect much higher revenues than were actually received. Whether this actually happened at HealthSouth is unimportant for the point I am making. To be certain that the information being presented by management to the board and auditors is genuine and accurate, the simple rule is to get that information from an independent party, the counterparty. In other words, get copies from them directly.
Some Closing Thoughts
There have always been and will always be dishonesty and criminal behavior. A regulatory system is inherently disadvantaged by the fact that it is a “Maginot Line,” a fixed impediment that just sits there, waiting for someone to figure out a way around it. It is very difficult to prevent one or more miscreants from plotting and executing a fraud, at least for a while. That they are eventually caught and punished speaks to the effectiveness of the law as well as its weakness. In my 20 years of fraud investigation, I grew to believe that a long prison sentence is of very little deterrent effect to the true criminals, because each one who sets out to defraud believes he or she is smarter than the oafs who got caught before them.
The systems and controls developed in the wake of Sarbanes-Oxley should be well-reasoned, practical, and strong. The best companies will turn this negative into a positive. They will strive to be the most honest and reliable companies in the country. They will find new ways to show investors and shareholders exactly what's going on at all times, and still be competitive. They will also resist the temptation to take the safe path rather than innovate, for fear of being second-guessed down the road. Overall, Congress has mandated, “No more commercials; it's time for the news.” Let's get on with it.