6 Dodd-Frank and Sarbanes-Oxley Financial Regulation1
6.1 Background
The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 ("Dodd-Frank")2 and the Sarbanes-Oxley Act of 2002 (SOX)3 are comprehensive, lengthy statutes covering a variety of topics. This chapter focuses on the provisions of these Acts that relate to certain key compliance topics, namely:
• Internal controls over financial reporting and certification procedures
• Attorney "reporting up"
• The whistleblower award program
• The anti-retaliation provisions
• The clawback and hedging policies
SOX was enacted in the wake of Enron's collapse and the 2008 financial crisis, both of which resulted from financial fraud.4 This broad financial reform bill creates some of the greatest changes to financial regulation since the banking and financial reforms that followed the Great Depression. The Act seeks to stop the practices that led to the 2008 financial crisis, with a primary focus on corporate fraud. One of its key provisions establishes a whistleblower award program that creates financial incentives to report violations of federal securities laws, fraud, and other laws (and, on the other hand, offers substantially enhanced whistleblower anti-retaliation protections).
6.2 Internal Controls over Financial Reporting and Certification Procedures
"Focus on marketing. Market what [your compliance] program means, what it doesn't mean.... [M]ake your program more robust, more transparent, and make it clear that, when people come to the internal compliance function and identify wrongdoing, that wrongdoing is remediated and that individual is not punished for coming forward.... If you are setting the tone at the top, you want your employees to come to you first.... Make your compliance programs [as] up to speed and robust as possible [and] market, market, market, that would be my strongest advice."
—Sean McKessy, Chief of the U.S. Securities and Exchange Commission's (SEC) Office of the Whistleblower, June 15, 2011
Internal controls over financial reporting are policies and procedures whose purpose is to provide reasonable assurance that financial reporting and the preparation of financial statements have been properly conducted in accordance with generally accepted accounting principles. The Foreign Corrupt Practices Act of 1977 sets forth requirements for public companies to establish and maintain internal controls. To these requirements, SOX adds that the company's management and auditors must evaluate and affirmatively report on the effectiveness of the company's internal controls and must certify the financial reports filed with the SEC. These requirements are meant to establish more effective internal control programs, while concurrently offering investors greater transparency and confidence in the accuracy of the reporting.
6.3 Assessment by the Management
Under SOX § 404(a), the management of "issuers" (basically, public companies)5 must annually assess how effective their internal controls over financial reporting are at preventing misstatements that could be material to the financial statements. If management finds one or more "material weaknesses" in its internal controls over financial reporting, it must disclose those weaknesses and cannot state that its internal controls are effective. A material weakness, in turn, is one or more control deficiencies that create a "reasonable possibility" of a material misstatement in the company's annual or interim financial statements. A material weakness can include a deficiency in the design or operation of internal controls that could adversely affect the company's ability to record, process, summarize, or report financial information. Public companies must also disclose the results of that evaluation in their annual financial reports filed with the SEC; the reports must affirmatively state whether the internal controls were found to be effective.
The SEC rules, for their part, provide a noncomprehensive list of controls that management should consider in its assessment:
• Controls over initiating, recording, processing, and reconciling account balances, classes of transactions and disclosure, and related assertions included in the financial statements
• Controls related to the initiation and processing of nonroutine and nonsystematic transactions
• Controls related to the selection and application of appropriate accounting policies
• Controls related to the prevention, identification, and detection of fraud
Management must also evaluate and report, on a quarterly basis, any material changes in its internal controls program.
6.4 Certification
The chief executive officer (CEO) and chief financial officer (CFO) must, as required by SOX § 302, certify the company's annual and quarterly reports filed with the SEC. In doing so, they must certify that the reports fairly and accurately describe the company's financial condition. More specifically, the executives must affirm the following:
1. They have reviewed the report.
2. The financial information is fairly presented and does not contain a false statement of material fact or omit a material fact that would make the financial statement misleading.
3. They acknowledge their responsibility for the internal controls.
4. They have assessed the effectiveness of these controls, stated their conclusion as to the effectiveness, and disclosed any material changes in the internal controls.
The penalty for knowingly certifying false results is a fine of as much as $1 million or imprisonment of up to ten years, or both. The penalty for willfully certifying false results is a fine of as much as $5 million or imprisonment of up to twenty years, or both.
6.5 Report by the Auditor
SOX § 404(b) requires a company's independent, outside auditor to conduct a separate audit of the internal controls' effectiveness, and, thereafter, to attest to management's representations as to those controls. The Public Company Accounting Oversight Board (PCAOB), which was created by SOX, oversees the audit of public companies.
6.6 Attorney Reporting-Up
SOX § 307 contains attorney "up-the-ladder" reporting obligations for attorneys appearing and practicing before the SEC in the representation of a company that is required to file periodic reports with the SEC. The purpose of these reporting rules is to ensure that attorneys respond appropriately to evidence of a "material violation" by the issuer or by any officer, director, employee, or agent of the issuer. In turn, a material violation means a "material violation of an applicable United States federal or state securities law, a material breach of fiduciary duty arising under United States federal or state law, or a similar material violation of any United States federal or state law."6
Specifically, the rules require an attorney to report evidence of a company's material violation to the company's chief legal officer (CLO), or to both the CLO and the CEO.7 If the CLO does not appropriately respond within a reasonable time, the attorney must move up the ladder and report to the audit committee of the issuer's board of directors, another committee of the issuer's board composed entirely of independent directors, or the full board of directors.8 The reporting obligation is stated in mandatory terms: an attorney appearing before the SEC shall report up the ladder when the attorney becomes aware of evidence of a material violation, regardless of whether that violation is by the issuer or by an officer, director, employee, or agent of the issuer.9
6.7 Who Must Report?
Whether or not the attorney is formally engaged, SOX § 307 applies to an in-house or outside attorney who renders legal services to an issuer in the context of an attorney-client relationship in connection with SEC matters, as well as to attorneys representing the issuer, its officers, directors, or witnesses in SEC proceedings. These attorneys are referred to as "appearing and practicing before the SEC" and as such are subject to the up-the-ladder reporting obligations to the company. By contrast, up-the-ladder reporting obligations do not apply to attorneys at issuers who, although licensed to practice law, do not provide legal services within the context of an attorney-client relationship. Nor do the reporting obligations apply to attorneys representing an agent of the company (e.g., an underwriter, trustee, or clearing agent).
A subordinate attorney—meaning an attorney who is supervised by, or acts at the direction of, another attorney—complies with SOX § 307 reporting obligations by reporting evidence of a material violation to his or her supervising attorney.10 That said, the subordinate is also permitted to directly report up if the subordinate "reasonably believes" that the supervising attorney has failed to do so.11 By "reasonably believes," the rules mean that the attorney "believes the matter in question and that the circumstances are such that the belief is not unreasonable."12
When a subordinate reports a material violation to his or her supervisor, the supervisory attorney must, in turn, comply with SOX's reporting-up requirements.13
6.8 When Must the Attorney Report?
The reporting obligation is triggered when an attorney becomes aware of "evidence of a material violation," which means "credible evidence, based upon which it would be unreasonable, under the circumstances, for a prudent and competent attorney not to conclude that it is reasonably likely that a material violation has occurred, is ongoing, or is about to occur."14 Again, a material violation refers to the material violation of an applicable U.S. federal or state securities law, a material breach of fiduciary duty arising under U.S. federal or state law, or a similar material violation of any U.S. federal or state law. The SEC applies an objective standard when evaluating this issue.
6.9 Can the Attorney Report to the SEC?
The SEC rules allow, but do not require (i.e., "may"), an attorney practicing...