Compliance, Risk Management And Internal Controls: A Checklist For Corporate Counsel - Part I

Thursday, July 1, 2004 - 01:00

Part II, which will appear in the August 2004 issue of The Metropolitan Corporate Counsel will include questions to be considered by corporate counsel with respect to the checklist included in Part I and will discuss other recent developments highighting the importance of risk management. It will also cover the codes of ethics of Sarbanes-Oxley, NYSE and NASDAQ and questions pertaining to them.The following list of requirements and relevant questions is designed to assist corporate counsel in advising the board, the audit committee and management about whether the corporation is meeting applicable requirements with respect to compliance, risk management and internal controls.

Where To Find The Requirements?

1.Traditional director duty of care jurisprudence -Caremark case

2. U.S. Department of Justice Sentencing Guidelines

3. Sarbanes-Oxley Act(Section 404)

4. NYSE Listing Standards

5. Proposed Draft COSO Framework for Enterprise-wide Risk Management

6. Public Company Accounting Oversight Board Audit Standard No. 2 regarding outside auditor review of internal controls

Traditional Director Duty Of Care JurisprudenceCaremark Case

The Traditional duty of care of directors and the business judgment rule is incorporated in the Caremark decision. In re Caremark International Inc. Derivative Litigation, 698 A.2dd 959 (Del. Ch. 1996). This case involved a shareholder derivative suit alleging that each of the directors had breached their fiduciary duty of care in connection with failing to adequately monitor Caremark officers and employees, who allegedly violated various laws and regulations in the course of their employment with Caremark.

The decision by the Delaware Chancery Court stated that a director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system exists to keep the board adequately informed of the actions of corporate officers and employees that could result in civil or criminal liability for illegal conduct and that "failure to do so may under some circumstances, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards". Such a system should be reasonably designed to provide "timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation's compliance with laws and its business performance" The court found that the directors' reliance upon compliance and information systems in place at Caremark appears to have represented a good faith attempt to be informed of relevant facts.

The DOJ Sentencing Guidelines

Understanding the DOJ Sentencing Guidelines requires a review of the original Guidelines, the Holder and Thompson Memoranda, and the changes to the original Guidelines based on the October 7, 2003 Advisory Group Report

The Original DOJ Sentencing Guidelines Compliance Program Requirements:

1. Establish written standards, policies and procedures

2. Assign overall responsibility to oversee compliance with the standards and policies to a senior officer

3. Effectively communicate standards and policies to all employees through training and dissemination of explanatory written materials

4. Utilize monitoring, testing and audit systems to assess and assure compliance with standards and policies

5. Establish and publicize a reporting system for employees to report violative conduct without fear of retaliation

6. Enforce the standards and policies consistently through appropriate disciplinary and enforcement mechanisms

7. Take reasonable steps after detection of violations of law to respond to the violation to prevent future occurrences, including modification of the compliance program

Revised Sentencing Guidelines

The U.S. Sentencing Commission promulgated revised sentencing guidelines for corporations in April. The Advisory Group Report concluded that although the United States Sentencing Guidelines have induced many corporations to focus on compliance programs, changes were necessary to provide additional guidance regarding effective compliance programs to prevent and detect violations of law. Accordingly, the Report recommended the revised Sentencing Guidelines (which will become effective on November 1, 2004 unless Congress acts sooner) include the following:

1. Emphasize the importance within the Guidelines of an organizational culture that encourages a commitment to the law

2. Provide a definition of "compliance standards and procedures"

3. Specify the responsibilities of an organization's governing authority and organizational leadership for compliance

4. Emphasize the importance of adequate resources and authority for individuals within organizations with the responsibility for the implementation of the program

5. Replace the current terminology of "propensity to engage in violations of law" with language that defines the nature of an organization's efforts to determine when an individual has a reason to know of, or history of engaging in, violations of law

6. Include training and the dissemination of training materials and information within the definition of an "effective program"

7. Add "periodic evaluation of the effectiveness of a program" to the requirement for monitoring and auditing systems

8. Require a mechanism for anonymous reporting

9. Include the phrase "seek guidance about potential or actual violations of law" within the criteria in order to more specifically encourage prevention and deterrence of violations of law as part of compliance programs

10. Provide for the conduct of ongoing risk assessments as part of the implementation of an "effective program"

Sarbanes-Oxley Act (Section 404) Management Assessment Of Internal Controls

•A company must include in its annual report a management report on the effectiveness of its internal controls over financial reporting as well as an independent accounting firms attestation report on management's assessment of the company's internal controls

•A company must also disclose in its quarterly reports any material changes to its internal controls that occurred during the period covered by the report

NYSE Listing Standards

•The audit committee must review major issues as to the adequacy of the company's internal controls and any special audit steps adopted in light of material control deficiencies.

•The audit committee has responsibility for confirming the company's compliance with legal and regulatory requirements

Draft COSO Framework On Enterprise Risk Management Standard For Evaluation Of Risk Management

COSO (popularly known as the "Treadway Commission") is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.

•The Exposure Draft defines ERM as a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise.

•ERM should be designed to identify and assess all potential events and risk that may affect the company, manage risk, and provide reasonable assurance regarding the achievement of company objectives.

•The Exposure Draft lists the following eight components of ERM:

1. Internal Environment

2. Objective Setting

3. Event Identification

4. Risk Assessment

5. Risk Response

6. Control Activities

7. Information and Communication

8. Monitoring

•The key to implementing ERM is process and the internal environment.

•The Exposure Draft identifies a company's internal environment as the foundation for all other components of enterprise risk management.

•The Internal Environment encompasses:

1. Risk management philosophy

2. Risk culture

3. Role of the Board of Directors

4. Integrity and ethical values

5. Commitment to competence

6. Integration of management's philosophy and operating strategy

7. Risk appetite

8. Organizational structure

9. Assignment of authority and responsibility

10.Human resources policies and practices

Public Company Accounting Oversight Board Audit Standard No. 2

•The Auditing Standard for Audits of Internal Control by the Public Company Accounting Oversight Board places responsibility on Management and the Audit Committee for effective internal controls and requires the external auditor to evaluate effective Audit Committee oversight of the internal control process.

•The Auditing Standard establishes requirements applicable to an auditor's audit of management attestation of the effectiveness of internal controls over financial reporting. In particular, the auditor is directed to evaluate all controls that address material risk of fraud. These controls include:

1.A company's risk assessment processes;

2.A company's code of ethics/conduct provisions, especially those related to conflicts of interest, related party transactions, illegal acts, and the monitoring of the code by management and the Audit Committee of Board;

3.The adequacy of the company's internal audit activity and whether the internal audit function reports directly to the Audit Committee as well as the extent of the Audit Committee's involvement and interaction with the internal audit; and,

4.The adequacy of the company's procedures for handling complaints and for accepting confidential submissions of concerns about questionable accounting or auditing matters.

•The Auditing Standard suggests that it may be appropriate for the auditor to test and evaluate the design effectiveness of company-level controls which include the following:

1. Controls within the control environment, including tone at the top, the assignment of authority and responsibility, consistent policies and procedures, and company-wide programs, such as codes of conduct and fraud prevention, that apply to all locations and business units

2. Monitoring components of internal control over financial reporting and that the existence of an effective Audit Committee helps to set a positive tone at the top. However, although the Audit Committee plays an important role, management is responsible for maintaining effective internal control over financial reporting. The Audit Standard does not suggest hat this responsibility has been transferred to the Audit Committee.

•The Auditing Standard goes on to state that while the company's board of directors is responsible for evaluating the performance and effectiveness of the Audit Committee, the auditor should assess the effectiveness of the Audit Committee as part of understanding and evaluating the monitoring of internal controls.

•In evaluating the effectiveness of the Audit Committee's oversight of the company's external financial reporting and internal control the company's external financial reporting and internal control over financial reporting, the auditor is directed to review the following factors:

1. The independence of the Audit Committee members from management;

2. The clarity with which the Audit Committee's responsibilities are articulated;

3. How well the Audit Committee and management understand those responsibilities;

4. The Audit Committee's involvement and interaction with the independent auditor and with internal auditors;

5. The Audit Committee's interaction with key members of the financial management, including the chief financial officer and chief accounting officer;

6. Whether the right questions are raised and pursued with management and the auditor; and,

7. The responsiveness by the Audit Committee to issues raised by the auditor.

•The Auditing Standard concludes in Paragraph 59 that "Ineffective oversight by the Audit Committee of the company's external financial reporting and internal control over financial reporting should be regarded as at least a significant deficiency and is a strong indicator that a material weakness in internal control over financial reporting exists."

Robert E. Bostrom is a Partner and Head of the Financial Institutions Practice of Winston & Strawn LLP. Much of material included in this article was covered in a presentation made by Mr. Bostrom on May 18, 2004 to the American Conference Institute's Seminar entitled "Corporate Counsel Guide to Internal and External Investigations."

Please email the author at with questions about this article.