United States: SEC Adopts Final Rules Implementing Sections 406 and 407 of the Sarbanes-Oxley Act of 2002, Relating to Codes of Ethics and Audit Committee Financial Experts

Co-authored by Stephen Glover, Michael J Scanlon, John Weathers and Ashley Wakefield

The Securities and Exchange Commission ("SEC") recently adopted final rules implementing Sections 406 and 407 of the Sarbanes-Oxley Act of 2002 (the "S-O Act"). The release containing the rules appears at http://www.sec.gov/rules/final/33-8177.htm. Section 406 of the S-O Act directed the SEC to issue rules requiring new disclosures relating to company codes of ethics. The final rules implementing Section 406 require public companies to:

• disclose whether they have adopted a "code of ethics" covering the principal executive officer and senior financial officers and if not, why not;
• make the code of ethics available to the public; and
• disclose amendments to or waivers of specified code of ethics provisions relating to the principal executive officer and senior financial officers.

Section 407 of the S-O Act directed the SEC to issue rules requiring additional disclosures relating to "financial experts" serving on corporate audit committees. The final rules implementing Section 407 require public companies to:

• disclose whether they have at least one audit committee financial expert and if not, why not; and
• disclose the name of the audit committee financial expert and whether he or she is independent of management.

The final rules raise a number of significant issues, many of which are highlighted in the discussion below.

The final rules require each company subject to the reporting requirements of Section 13(a) or 15(d) of the Exchange Act to disclose, in its annual report on Form 10-K or 10-KSB, whether or not it has adopted a code of ethics covering its principal executive officer, principal financial officer, principal accounting officer or controller, or persons performing similar functions. If the company has not adopted a code of ethics containing the provisions specified in the rules, it must explain why it has not done so. In addition, the rules require a company to make its code of ethics available to the public by: (1) filing a copy of the code as an exhibit to its annual report; (2) posting the code on its website; or (3) undertaking to provide a copy of the code upon request. Finally, the company must disclose, on Form 8-K or its Internet website, any amendments to or waivers of the specified code provisions, to the extent that such amendments or waivers relate to the principal executive officer or senior financial officers.

The final code of ethics rules are set forth in Items 406 and 601 of Regulations S-K and S-B, in Item 10 of Form 8-K, and in amendments to Part III of Forms 10-K and 10-KSB.

As noted above, the final rules require public companies to disclose whether they have a code of ethics covering certain senior officers. New Item 406(b) of Regulations S-K and S-B defines the term "code of ethics" for this purpose to mean "written standards that are reasonably designed to deter wrongdoing" and to promote:

• honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships;
• full, fair, accurate, timely and understandable disclosure in public communications and in reports and documents that are filed with or submitted to the SEC;
• compliance with applicable laws, rules and regulations;
• the prompt internal reporting of code violations to an "appropriate person or persons" identified in the code; and
• accountability for adherence to the code.

The rules do not prescribe specific procedures for internal reporting or specific sanctions to assure "accountability for adherence to the code." Instead, the adopting release indicates that code provisions may vary from company to company, and decisions as to compliance procedures and disciplinary measures will be left to each company's discretion. In addition, Instruction 1 to Item 406 provides that a company may have a separate code of ethics for the covered officers, or it may include the specified "code of ethics" standards in a broader code that addresses additional issues or that applies to additional persons.

Both the New York Stock Exchange ("NYSE") and the NASDAQ Stock Market ("NASDAQ") have proposed to amend their corporate governance listing standards to require listed companies to adopt and disclose codes of conduct for all officers, directors and employees. Commentary to the NYSE proposal indicates that every listed company's code of conduct should address:

• conflicts of interest;
• corporate opportunities;
• confidentiality;
• fair dealing;
• protection and proper use of company assets;
• compliance with laws, rules and regulations (including insider trading laws); and
• encouraging the reporting of any illegal or unethical behavior.

The NASDAQ proposal, as recently amended, would require listed companies to adopt a code of conduct satisfying the definition of "code of ethics" set out in Section 406 of the S-O Act and the SEC's final rules. The SEC is expected to publish the NYSE and NASDAQ proposals for comment shortly.

Item 406(c) of Regulations S-K and S-B requires a company to make its code of ethics available to the public in one of three ways:

• by filing a copy of the code as an exhibit to its annual report on Form 10-K or 10-KSB;
• by posting the text of the code on its website and disclosing, in its annual report, its website address and the fact that it has posted the code on its website; or
• by undertaking in its annual report to provide to any person without charge, upon request, a copy of the code, and explaining the manner in which the request may be made.

Finally, the rules require a company to disclose, on Form 8-K or the company's Internet website, any amendments to or waivers of the specified "code of ethics" provisions, but only to the extent that such amendments or waivers relate to the principal executive officer or a senior financial officer. In this respect, the final rules depart significantly from the proposed rules, which would have required disclosure of all amendments and waivers, regardless of whether they pertained to the specified code of ethics provisions or the covered officers.

Specifically, Item 10 of Form 8-K requires a company to "briefly describe" the nature of any amendment or waiver, including any implicit waiver, of the specified code of ethics provisions. In those instances where a waiver of a specified code of ethics provision relates to a covered officer, the company must disclose the name of the person to whom the waiver was granted and the date of the waiver. The term "waiver" is defined as the company's approval of a "material departure from a provision of the code of ethics," and the term "implicit waiver" is defined as the company's "failure to take action within a reasonable period of time regarding a material departure from a provision of the code of ethics that has been made known to an executive officer" of the company.

The required disclosures must be made on Form 8-K or the company's website within five business days after the amendment or waiver. If the company intends to satisfy this requirement by posting information on its website, the company must disclose this intention and the company's website address in its annual report on Form 10-K or 10-KSB. In addition, the information must remain available on the company's website for at least 12 months after posting. Following the 12-month posting period, the company must retain the information for at least five years and must furnish copies to the SEC upon request.

Companies must comply with the code of ethics disclosure requirements in their annual reports for fiscal years ending on or after July 15, 2003. They must comply with the requirements regarding code amendments and waivers on or after the date on which they file their first annual report in which the code of ethics disclosures are required.

The final rules require each company subject to the reporting requirements of Section 13(a) or 15(d) of the Exchange Act to disclose, in its annual report on Form 10-K or 10-KSB, whether or not it has at least one "audit committee financial expert," as defined by the rules. If the company does not have such an audit committee financial expert, it must explain why not. In addition, the rules require a company to disclose the name of its audit committee financial expert and whether that person is independent of management. If a company has determined that it has more than one audit committee financial expert, it may (but is not required to) identify such additional persons and disclose whether they are independent.

The final disclosure rules are set forth in Item 401(h) of Regulation S-K and Item 401(e) of Regulation S-B, and in amendments to Part III of Forms 10-K and 10-KSB.

The final rules introduce a new term, "audit committee financial expert," in lieu of the proposed term, "financial expert." Under the final rules, an "audit committee financial expert" is a person who has all of the following attributes:

• an understanding of financial statements and generally accepted accounting principles;
• the ability to assess the general application of such principles in connection with the accounting for estimates, accruals and reserves;
• experience preparing, auditing, analyzing or evaluating financial statements that present accounting issues that are "generally comparable" to the issues that can reasonably be expected to be raised by the company's financial statements – or experience "actively supervising" one or more persons engaged in such activities;
• an understanding of internal controls and procedures for financial reporting; and
• an understanding of audit committee functions.

Under the final rules, an audit committee financial expert can acquire the required attributes through:

• education and experience as a senior financial officer, accountant or auditor, or experience in similar positions;
• experience "actively supervising" a senior financial officer, accountant, auditor or person performing similar functions;
• experience overseeing or assessing the performance of companies or accountants with respect to the preparation, auditing or evaluation of financial statements; or
• other relevant experience.

If a person qualifies as an audit committee financial expert by virtue of "other relevant experience," Instruction 2 to Item 401 requires the company to briefly list that person's relevant experience.

Significantly, the final rules revise the proposed requirement that a financial expert have experience applying generally accepted accounting principles in connection with estimates, accruals and reserves that are "generally comparable" to the estimates, accruals and reserves used in the company's financial statements, by eliminating the reference to "generally comparable" estimates, accruals and reserves. In addition, the proposed requirement that a financial expert have experience "preparing or auditing" financial statements has been expanded to include persons who have experience "analyzing or evaluating" financial statements. This change should permit some financial analysts, investment bankers and venture capitalists to qualify as audit committee financial experts.

The final rules – unlike the proposed rules – also permit an audit committee financial expert to acquire the mandatory attributes through experience "actively supervising" others, and through other relevant experience. The final rules thus make it more likely that some, but not all, chief executive officers may qualify as audit committee financial experts. The adopting release emphasizes, however, that the term "active supervision" means more than a traditional hierarchical reporting relationship between the supervisor and the person being supervised. Rather, a person will be deemed to "actively supervise" others only if he or she participates in, and contributes to, the process of addressing the types of financial and accounting issues addressed by the person or persons being supervised. The release states that a chief executive officer with "considerable operations involvement, but little financial accounting involvement," likely would not qualify.

The final rules also drop the proposed requirement that an audit committee financial expert must have gained the relevant experience with publicly reporting companies. Finally, the rules eliminate the proposed list of factors to be considered in evaluating the education and experience of an audit committee financial expert candidate. The adopting release indicates, however, that the SEC believes companies should consider "all the available facts and circumstances" in evaluating a potential audit committee financial expert, including the types of factors cited in the proposed rules.

The final rules include a safe harbor, in Item 401 of Regulations S-K and S-B, clarifying that an audit committee financial expert will not be deemed an "expert" for any purpose. Furthermore, the designation or identification of a person as an audit committee financial expert will not impose upon that person any duties, obligations or liability beyond those imposed on audit committee members generally, nor will it affect the duties, obligations or liability of any other member of the audit committee or board.

Companies other than small business issuers must comply with the audit committee financial expert disclosure requirements in their annual reports for fiscal years ending on or after July 15, 2003. Small business issuers must comply with the requirements in their annual reports for fiscal years ending on or after December 15, 2003.

• Review Codes of Ethics/Conduct. Companies should approach the new code of ethics disclosure requirements by evaluating their existing codes of ethics or codes of conduct. In most cases, a company's code of ethics or code of conduct will have evolved over time and will be tailored to fit the company's business, culture and industry. Therefore, companies that already have codes of conduct should review them to determine what changes are necessary to meet the definition of "code of ethics," and then consider implementing these changes within the body of the existing code. Of course, companies that currently do not have a code of ethics or code of conduct should adopt one, with provisions addressing, at a minimum, the covered officers and specified standards.
• NYSE and NASDAQ proposals. In adopting or revising their codes of conduct, companies should consider the requirements in the proposed NYSE and NASDAQ listing standards to the extent applicable.
• Other S-O Act requirements. Companies also should consider other provisions of the S-O Act that are relevant to codes of conduct. For example, Section 301 of the S-O Act and related SEC proposals will require audit committees to establish procedures for handling complaints about accounting and auditing matters and for the "confidential, anonymous submission by employees" of concerns regarding such matters. In addition, Section 806 prohibits a company and its agents from retaliating against employee "whistleblowers" who provide information or assist in a government or supervisory investigation. Section 1107 imposes criminal sanctions for retaliation against whistleblowers.
• Relationship to other codes and policies. Whether a company chooses to adopt a stand-alone "code of ethics" or fold the requisite elements into an existing code, consideration should be given to how new codes or code provisions intersect with any additional policies or codes that the company may have. Many companies have separate policies addressing such issues as insider trading, confidentiality, health and safety, and conflicts of interest. New codes or code provisions should be evaluated in light of such policies for consistency, and input should be obtained from appropriate groups, including the human resources and legal departments.
• Waivers. Waivers of code provisions should be granted only in exigent circumstances, if at all. Accordingly, companies should evaluate whether the relevant provisions of their codes are flexible enough to accommodate normal and acceptable practices without requiring frequent waivers.
• Reporting mechanisms and other communications. Companies should examine their current procedures for addressing questions that arise under their codes and for internal reporting of potential violations. Because no code can anticipate every situation that may arise, codes should encourage employees and other covered persons to ask questions about particular circumstances. Companies should designate an "appropriate person or persons" to answer questions and receive reports about potential misconduct. Companies that elect to fold the provisions applicable to senior officers into a broader code should keep in mind that the appropriate contact person may differ for officers, employees and directors. Consideration also should be given to whether a company's code documents adequately, and explains clearly, whom employees and other covered persons should contact about questions and potential violations. A separate section addressing communications and reporting may be useful in this regard.
• Decide Whether to Designate an Audit Committee Financial Expert. Companies that do not designate an audit committee financial expert will be required to publicly disclose and explain that fact on an annual basis. This disclosure could have a negative impact on investor confidence. On the other hand, many directors may be reluctant to assume the perceived responsibility and risk of personal liability associated with identification as an audit committee financial expert – notwithstanding the safe harbor provisions in the final rules. Companies should keep these factors in mind when deciding whether to designate an audit committee financial expert.
• Examine Qualifications of Audit Committee Members. Companies should evaluate current audit committee and other board members to determine whether they meet the definition of an audit committee financial expert. Although the definition in the final rules is less stringent than the proposed rules, an audit committee financial expert still must have all of the required attributes, gained through the specified means or "other relevant experience." As noted above, a company whose audit committee financial expert gained the required attributes through "other relevant experience" must disclose that person's relevant experience. If a company does not have any current audit committee members who qualify as audit committee financial experts, it may wish to recruit a qualifying person during the transition period.