
Setting Up Disclosure Controls and Procedures

Corporate Securities
October 16, 2002
In its Release 33-8124 and 34-46427 (the "Release") addressing CEO/CFO certifications under Section 302 of the Sarbanes-Oxley Act, the SEC requires public companies to establish and maintain "disclosure controls and procedures." We believe that the design and operation of these controls and procedures represent some of the most troublesome requirements of the new rules, particularly because these disclosure systems must be in place prior to the November 14 filing date for third quarter Form 10-Qs. Several clients have also asked us about how to preserve the attorney-client and other legal privileges protecting sensitive information that may be gathered during this process.

In this E-Alert, we will deal exclusively with the subject of how to set up disclosure controls and procedures and the legal privilege issues that accompany it, which relate to our earlier analysis of CEO/CFO certifications.

Overview

The Release mandates that disclosure controls and procedures

  • must ensure "timely collection and evaluation of information potentially subject to disclosure,"
  • must "capture information that is relevant to the need to disclose developments and risks,"
  • should "evolve with the business" being reported on and
  • must be "capable of producing '34 Act reports that are timely, accurate and reliable."

Furthermore, the CEO and CFO are required to certify that

  • they are responsible for establishing and maintaining disclosure controls and procedures,
  • they have designed these disclosure controls and procedures to ensure that material information is made known to them,
  • they have evaluated the effectiveness of these controls and procedures within the last 90 days and
  • they have included in the applicable periodic report their conclusions about the effectiveness of these controls and procedures.

Thus, responsibility for "disclosure controls and procedures" resides squarely with top management, and this new system must bear the weight of a sweeping and formidable set of goals. The SEC did not describe in any way a system capable of achieving these goals. Clearly, however, the SEC is calling for the construction of a major management system virtually overnight.

Urgency

To enable the CEO and the CFO to make such a certification regarding the existence and effectiveness of these controls and procedures in the next Form 10-Q, this system has to be put in place immediately.

Definition of Disclosure Controls and Procedures

The SEC defines "disclosure controls and procedures" in new Rules 13a-14(c) and 15d-14(c) as follows:

"disclosure controls and procedures" means controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports that it files or submits under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the Commission's rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by any issuer in the reports that it files or submits under the Exchange Act is accumulated and communicated to the issuer's management, including its principal executive officer or officers and principal financial officer or officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure.

What Would Such a System Look Like?

We are in uncharted waters here. Nevertheless, from the new Rules and the SEC's commentary on them in the adopting Release, some conclusions can be drawn about the nature of "disclosure controls and procedures."

  • Formalized procedures. First, the SEC clearly envisions a formal system for generating material information within a public company. The SEC means for this system to cover non-financial information as well as financial information. The adopting Release notes that:

    "these procedures are intended to cover a broader range of information than is covered by an issuer's internal controls related to financial reporting" and "…should ensure timely collection and evaluation of information potentially subject to disclosure under … Regulation S-K" [which deals primarily with required information and disclosures about the issuer's business and properties]. Although the Release does not address mechanisms for accomplishing this result, the SEC appears to be thinking about formalized channels through which information is collected and funneled to persons having the duty, knowledge of the issuer, and expertise to evaluate and include the information, if appropriate, in the issuer's periodic reports.

  • Disclosure Committee of officers and employees. The SEC recommends, but does not require, the establishment of a special standing committee of officers and employees at each issuer to supervise the system and evaluate the data collected. Although some issuers may elect not to establish a formal committee, it is hard to see how the requirements of the Rules could be met except through the interaction of a group of persons acting together. The members of this committee will vary from issuer to issuer, depending on who is best situated and best able to discharge the function. 1
  • Subject to Audit. We also believe that the SEC envisions a system whose effectiveness can be audited -- by management, by special counsel if trouble arises and possibly by SEC investigators (perhaps even by underwriter's counsel in connection with due diligence exercises). A formal system will require written procedures for the collection, retention and handling of information.2 This system falls within the Board of Directors' oversight under its duty of care. We think it can be predicted with reasonable confidence that having in place an effective disclosure controls and procedures system will assist in any defense against charges of knowing or fraudulent misstatements or omissions in Exchange Act periodic reports. In other words, an issuer's disclosure controls and procedures system is likely to attract a lot of scrutiny from diverse groups.

How do you comply?

Because the new Rules require extensive changes to existing practices, we anticipate that our clients will find the need to create one of these systems from scratch, in a hurry, to be a problem. Our conclusion, however, is that these Rules do not contain many new concepts. After all, issuers have been preparing high-quality Form 10-Ks and Form 10-Qs for a long time now. There can be, however, no one-size-fits-all set of controls and procedures, because every issuer operates a different business, handles disclosure differently, and has its own staffing practices. If you believe your company needs assistance in coming up with a system of disclosure controls and procedures, we would be pleased to help. We are also available to advise on best practices for controls and procedures. Our recommendations are summarized below:

  • Description of your existing process. First, we suggest that the issuer designate a person or team of persons who are currently in charge of the process of producing Form 10-Ks and Form 10-Qs to write a detailed description of how the issuer has historically prepared such reports. This description should take the form of a set of procedures rather than a narrative. We recommend that you consider Regulation S-K early in the process and draft a procedure based on how the company produces the information required by each of the relevant items of Regulation S-K. Among other things, these procedures should construct a set of information channels designed to gather relevant information throughout the company that will funnel upward to the persons charged with the duty of evaluating and presenting this information in the Exchange Act report.
  • Personal interviews. We believe that information channels are best constructed through personal interviews between people with the relevant business and financial knowledge and other people who know the disclosure requirements and have the necessary interviewing skills. In contrast, relying on input such as written reports from operating personnel has two major deficiencies: first, we doubt that a form inquiry will elicit the kind and depth of information needed; second, forms create written records vulnerable to discovery.3 Finally, supplying operating people with a copy of last year's Form 10-K and asking "Has anything changed?" may not elicit much new information either. Interlining changes is difficult, and this method of drafting may perpetuate errors and deficiencies from the prior year's report.
  • Establish controls. The Rule requires not only procedures, however, but also controls. In using these two words in conjunction, we believe the SEC was emphasizing that they meant two different things. We believe the SEC used the word "controls" in the same sense in which the word is used in the term "internal controls"; that is, a mechanism to protect the integrity and accuracy of the information generated by the procedures. For example, the controls should ensure that supervisors cannot edit or suppress information from subordinates that, although material, is embarrassing or threatening to the superior. Controls ought to address the source of information; that is, ensure that the information is coming from the person with the best knowledge. As disclosure procedures are drafted, the company should also institute the controls necessary to protect the procedures.
  • Adequate time before filing. The timeline for the process should allow for the testing of information. When previously unknown problems or information come up through the information channels, sufficient time should be reserved to evaluate those problems or information before the filing deadline. Issuers should also consider whether additional time needs to be reserved for review by members of the Board of Directors before periodic reports are certified and filed.
  • Broad participation. Broad operational participation adds value to the process. At present, our experience is that financial concerns are sometimes overemphasized. Note that the SEC contemplated more than just accounting controls.
  • Minutes. The Disclosure Committee, or whatever body controls the process, should keep records, including minutes of its proceedings. We suggest that the secretary of the committee confine these minutes to lists of matters discussed without inclusion of narrative discussions of the concerns discussed and actions taken. Documents that are prepared or presented should be retained.

Evaluating the effectiveness of the design and operation of disclosure controls and procedures.

The CEO and the CFO must "evaluate the effectiveness" of the disclosure system within 90 days before the filing of each quarterly and annual report filed under the Exchange Act. Because those same officers are "responsible for establishing . . . disclosure controls and procedures . . . ", the evaluation of those controls and procedures insofar as the first reporting period is concerned is probably the same thing as their establishment. That said, we believe that the CEO and the CFO should be personally involved in the establishment of the system, and that both should review personally the final product before the periodic report is filed on or before November 14. Thereafter, the CEO and CFO must perform an evaluation of the system at least once a quarter.

  • Involvement of senior management. The new Rules place great emphasis on personal involvement by the issuer's top officers. The reason, undoubtedly, is to put an end to the "I didn't know (whatever), it's a big company and my subordinates failed to keep me informed" responses that emerged from current corporate scandals. That is why, in our view, the CEO and CFO certification includes a statement that those officers were "responsible" for establishing and maintaining the system. Furthermore, the certification requires not only a regular evaluation of the system but also a report, from the CEO and the CFO, of their conclusions regarding the effectiveness of the system. In other words, a serious effort was made in drafting the new rules to hold top management accountable for the company's disclosure.
  • Evaluation Process. It would be dangerous to conduct the evaluation process as a routine or perfunctory exercise. At a minimum, the evaluation should involve a conference among the CEO and CFO, on the one hand, and the personnel who constructed and operate the disclosure system on the other, at which the CEO and the CFO probe for weaknesses in the disclosure system in the same way they would if the subject under discussion were a potential acquisition or the introduction of a new product. The company should also adapt and incorporate its existing due diligence procedures to fit the needs of the disclosure controls. As time goes by, the evaluation process should include retrospective analyses of previous periodic reports to gauge whether descriptions of risks, for example, were adequate in light of subsequent circumstances, and whether the procedures in place at that time could be improved.

Attorney-client and other legal privileges.

We frankly do not see any new substantive issues here. There are substantial privilege problems inherent in the operation of any system by which comprehensive information is collected about a company's operations, of course, but we believe these problems existed before. What is different is the existence of a Disclosure Committee. The deliberations of this Committee are going to become a standard target of subpoenas in virtually any lawsuit to which the issuer is a party. Litigation and potential litigation are issues that must be considered by the Committee and litigants will want to know what was said about the evaluation of disputed facts, the magnitude of potential damages, and the likelihood of prevailing in the dispute, all of which should be subject to legal privilege if properly protected.

Practical issues.

We do not believe it is practical to try to enclose the entire workings of the Disclosure Controls and Procedures system in legal privilege. For one thing, the basic purpose of the system is to generate information that will be publicly disclosed. On the other hand, as is the case now, information will be swept up in the course of preparing periodic reports that deserves and should get the protection of legal privileges against discovery by adverse parties in litigation. The issue, then, is how to divert information generated by the system out of the public information channels and into a privileged channel, and how to shield the deliberations of the Committee about information that should be privileged from discovery.

Treatment of privileged information.

A smoothly functioning disclosure controls and procedures system should make counsel's job easier in some respects, because potential legal problems will be identified in a systematic way and may perhaps be identified earlier. The key is to recognize issues that could present problems at the earliest possible stage (just as it is today). That objective implies the participation of lawyers in the gathering of information as well as in the evaluation of it.

Protecting the privilege.

What steps should an issuer take to increase the chances the deliberations of the Disclosure Committee will be considered privileged where necessary?

  • Formation. The Disclosure Committee should be established by the Board of Directors. The resolution establishing the Committee should state, among other things:

    • that the purpose of the Disclosure Committee is to assist the issuer in complying with requirements of the Release and to gather relevant information for the purposes of rendering legal advice,
    • that the General Counsel is to be a permanent member of the Disclosure Committee,
    • that it is the intent of the Disclosure Committee to maintain all applicable privileges, including, but not limited to, the attorney-client privilege, and that the Disclosure Committee is authorized to meet for the purposes of obtaining legal advice, and
    • that the General Counsel shall be authorized to render legal advice with respect to the Committee's deliberations on all matters coming before the Committee.
  • Minutes of the Disclosure Committee meetings should be taken. Disclosure Committee meeting minutes should contain the date, who is present, the subject of the meeting, and the confidentiality of the proceedings. Disclosure Committee meeting minutes should not contain detailed information, but should be kept generally in the same manner as Board of Directors minutes typically are. Any report or advice that results from the deliberations of the Disclosure Committee should come from the Office of the General Counsel, be directed only to individuals who are members of the Disclosure Committee, and contain legal advice.
  • Restrictions on communications. Dissemination of privileged communications or documents should be highly restricted and recipients should be notified of the privileged nature of the information. Please note that company e-mails might not be considered confidential -- some courts have concluded that there is no expectation of privacy in such communications.
  • Engagement of counsel. If the results of the Disclosure Committee's deliberations indicate that a more thorough or extensive investigation of a particular matter is warranted, outside counsel should be engaged directly by the Office of the General Counsel. Typically, employing outside counsel and giving outside counsel authority over an investigation increases the chances that the results of the investigation will remain privileged and protected from discovery.

Caveat.

Keep in mind that one of the critical elements in determining whether the SEC finds that an issuer has "cooperated with an investigation" is whether the attorney-client privilege and related privileges have been waived. Of course, waiver of a privilege must be balanced against the need to protect privileged communications from private third party litigants, but we can foresee situations in which issuers may find it advantageous to waive such privileges. For example, it may be difficult in some cases to prove that the issuer and its CEO and CFO have met their obligations under the Rules if the relevant workings of the Disclosure Controls and Procedures and the deliberations of the Disclosure Committee are hidden from SEC view by privileges.

FOOTNOTES

1 Footnote 60 in the Release indicates that "the committee could include the principal accounting officer (or controller), the general counsel or other senior legal counsel with responsibility for disclosure matters who reports to the general counsel, the principal risk management officer, [and] the chief investor relations officer . . . " For the remainder of this E-Alert, the discussion will assume that the issuer has created a Disclosure Committee.
2 See "Formalized Procedures" above.
3 Probably the best way to conduct these interviews is by attorneys whose participation gives rise to the availability of the lawyer-client privilege.

This E-Alert is intended to be only a general discussion and summary of the matters discussed, based on laws and regulations and practices currently in effect. For more information on the topics in this E-Alert, please contact your attorney at Andrews & Kurth L.L.P.