New COSO ERM Framework – Enterprise Risk Management – Integrating with Strategy and Performance; COSO 2013 Internal Control Framework; the Business Judgment Rule

You may have heard or seen that the new COSO ERM Framework is out as of a day or two ago – Enterprise Risk Management – Integrating with Strategy and Performance. This is a project that COSO announced on October 21, 2014, so it is a longtime in the works. The original (first) framework was issued in 2004. Below I have provided the bare bones outline for the new ERM Framework, in addition to the bare bones outline for the COSO 2013 Internal Control Framework, and a summary of the business judgment rule. Why did I provide all three? Because for boards and audit committees, and for business entities and their executive officers, and sometimes for the employees also, all three are, or should be, tied together.

I will be commenting about and outlining the ERM Framework in detail in later posts (after I have had time to evaluate the detailed materials, and discuss them with colleagues). For now, all I can give you is the outline below. I do note – and I’m not being negative about this – that I have some concern that the five concepts and twenty principles, with the detail added, might be a lot for some small and mid-sized business entities, nonprofits and governmental entities to handle. But it is what it is. And as you may know, although it is now recognized that boards are responsible for oversight of risk management, many audit committees are responsible for risk management oversight pursuant to statute, regulation, or exchange requirements, and a typical audit committee charter lists oversight of risk management as an area of responsibility, generally there is no legally required or mandated risk management framework or process, although some industries (such as banks, for example) are heavily regulated for risk management purposes. It is possible that the new COSO ERM Framework will become the accepted framework to follow, although other frameworks do exist.

COSO (the Committee of Sponsoring Organizations of the Treadway Commission) is a private sector initiative, jointly sponsored and funded by the American Accounting Association, American Institute of Certified Public Accountants, Financial Executives International, Institute of Management Accountants, and The Institute of Internal Auditors.

The new COSO ERM Framework is organized into five interrelated primary or core components, which are supported by a set of twenty principles. The following is a broad outline of the five components and twenty principles. And as I stated above, in later posts I will be adding considerable detail. Below I have also provided an outline for the COSO 2013 Internal Control Framework, and a discussion about the business judgment rule.

Thanks for reading. David Tate, Esq., Royse Law Firm, Menlo Park office, with offices in the San Francisco Bay Area and Los Angeles

 

COSO ERM Framework – Enterprise Risk Management – Integrating with Strategy and Performance (five components, and twenty principles)

I.  Governance and Culture Component:

Supporting Principles:

  1. Exercises Board Risk Oversight
  2. Establishes Operating Structures
  3. Defines Desired Culture
  4. Demonstrates Commitment to Core Values
  5. Attracts, Develops, and Retains Capable Individuals

II.  Strategy and Objective-Setting Component:

  1. Analyzes Business Context
  2. Defines Risk Appetite
  3. Evaluates Alternative Strategies
  4. Formulates Business Objectives

III.  Performance Component:

  1. Identifies Risk
  2. Assesses Severity of Risk
  3. Prioritizes Risks
  4. Implements Risk Responses
  5. Develops Portfolio View

IV.  Review and Revision Component:

  1. Assesses Substantial Change
  2. Reviews Risk and Performance
  3. Pursues Improvement in Enterprise Risk Management

V.  Information, Communication, and Reporting Component:

  1. Leverages Information and Technology
  2. Communicates Risk Information
  3. Reports on Risk, Culture, and Performance

 

Enterprise Risk Management (ERM) and internal controls work together and should complement each other. The following is the broad outline of the COSO 2013 Internal Control Framework.

Sarbanes-Oxley section 404 requires public company management and its external auditors to attest to the design and operating effectiveness of a company’s internal control over external financial reporting. Internal controls should also be designed and implemented for private company, nonprofit and governmental entities.

COSO 2013 Internal Control Framework – 5 Components, and 17 Principles

1.  Control Environment Component:

Mandatory Principles

  1. Demonstrate commitment to integrity and ethical values.
  2. Board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  3. Management establishes, with board oversight, structures and reporting lines and appropriate authorities and responsibilities in the pursuit of objectives.
  4. Demonstrate commitment to attract, develop and retain competent individuals in alignment with objectives.
  5. Hold individuals accountable for their internal control responsibilities in the pursuit of objectives.

2.  Risk Assessment Component:

Mandatory Principles

  1. Specify objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  2. Identify risks to the achievement of its objectives across the entity and analyze risks as a basis for determining how the risks should be managed.
  3. Consider the potential for fraud in assessing risks to the achievement of objectives.
  4. Identify and assess changes that could significantly impact the system of internal control.

3.  Control Activities Component:

Mandatory Principles

  1. Select and develop control activities that contribute to the mitigation of risks to the achievement of objectives and acceptable levels.
  2. Select and develop general control activities over technology to support the achievement of objectives.
  3. Deploy control activities through policies that establish what is expected and procedures that put policies into action.

4.  Information & Communication Component:

Mandatory Principles

  1. Obtain or generate and use relevant, quality information to support the functioning of internal control.
  2. Internally communicate information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  3. Communicate with external parties regarding matters affecting the functioning of internal control.

5.  Monitoring Activities Component:

Mandatory Principles

  1. Select, develop and perform ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
  2. Evaluate and communicate internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

 

The Business Judgment Rule

The business judgment rule also is relevant on these topics (from Tate’s Excellent Audit Committee Guide). The business judgment rule provides a director with a defense to personal liability, holding that as a general principle of law, a director, including a director who serves as a member of a board committee, who satisfies the business judgment rule has satisfied his or her duties. Thus, the business judgment rule provides one standard of care, although other standards may very well also apply to specific tasks and responsibilities. The business judgment rule provides a very good overall approach for directors and audit committee members to follow, although the rule itself is lacking in specific detail. In some states the business judgment rule is codified by statute while in other states the rule is established by case law (see, i.e., Cal. Corp. Code §309 for California corporations, Del. Gen. Corp. Law §141 for Delaware corporations, in addition to relevant case law). The rule also applies to directors as board committee members.

The Business Judgment Rule

In summary, as a general principle the business judgment rule provides that a director should undertake his or her duties:

-In good faith, with honesty and without self-dealing, conflict or improper personal benefit;

-In a manner that the director reasonably believes to be in the best interests of the corporation and its shareholders; and

-With the care, including reasonable inquiry, that an ordinarily prudent person in a like position with like expertise would use under similar circumstances. The rule itself doesn’t require a particular level of expertise, knowledge or understanding; however, as you might be aware, public company audit committee members do have such a requirement, and you can at least argue that, depending on the facts and circumstances, a board or committee member should have or should obtain a certain unspecified level of knowledge or understanding to be sufficiently prepared to ask questions, evaluate information provided, and make decisions.

Reliance Upon Other People Under the Business Judgment Rule

In the course and scope of performing his or her duties, a director must necessarily obtain information from and rely upon other people. An independent director is not involved in the day-to-day operations of the business. The director provides an oversight function. Pursuant to the business judgment rule, a director is entitled to rely on information, opinions, reports or statements, including financial statements and other financial data, prepared or presented by any of the following:

-Officers or employees of the corporation whom the director reasonably believes to be reliable and competent in the relevant matters;

-Legal counsel, independent accountants or other persons as to matters that the director reasonably believes are within the person’s professional or expert competence; or

-A committee of the board on which the director does not serve, as to matters within that committee’s designated authority, so long as the director acts in good faith, after reasonable inquiry as warranted by the circumstances, and without knowledge that would cause reliance to be unwarranted.

That’s it for now. Thanks for reading. Much, much more to come on these topics. David Tate, Esq., Royse Law Firm, Menlo Park office, with offices in the San Francisco Bay Area and Los Angeles

* * * * *

Advertisements

Comments re post by Norman Marks – internal audit and ERM accused of failing to hit the mark – discussion about management, boards and audit committees – David Tate, Esq., Royse Law Firm

I have provided below a link to a post by Norman Marks, in which Norman discusses and in part compares or contrasts internal audit and ERM. Norman’s post is a good, worthwhile read.

There are many good writers on these topics – you will also note that there are disagreements between knowledgeable professionals. Just for example, as Norman notes, ERM or enterprise risk management is a management function (I would say a management, board and audit committee function) whereas internal audit is independent; however, there has been for sometime considerable discussion about the role of internal audit and whether it can be or should be or has been expanded in ways that could make it less independent or less of an audit function and more of an advisory function in some circumstances – internal audit endeavors to make itself more valuable and needed as a function and department.

I don’t get into the discussions about whether internal audit should or should not be less independent or more advisory – instead, if internal audit is not being sufficiently utilized I primarily attribute that to one or both of two reasons which can be interrelated: (1) either internal audit needs to do a better job selling to management, the board and the audit committee how internal audit can help, or (2) particularly the board and the audit committee need to be more educated or convinced about how internal audit can help them to satisfy their oversight duties and responsibilities (I can help you with reason (2)).

If you are interested in risk management and enterprise risk management you are aware that COSO is still updating its ERM framework. If you aren’t interested in risk management or ERM but you are a board and/or audit committee member you definitely should be interested as it or parts of it are part of your oversight duties and responsibilities.

COSO has said that its updated ERM function should be out mid-2017, in other words, soon. This is a big deal. Whereas risk management professionals will extensively evaluate and comment about the new framework from an ERM perspective, and although I am also a CPA, I will primarily evaluate the framework from a legal perspective and what the new framework will or may require of management, the board and the audit committee in satisfaction of their duties and responsibilities. Add to this the COSO 2013 updated internal control framework, and the changes that are being made to audit procedures and the audit report, in addition to increasing disclosures about events, practices and procedures not just numbers, and you have a significantly changing environment in terms of management, board and audit committee duties and responsibilities.

That’s all for now. Below is the link to Norman Marks’ new blog post – read his post – it covers more about internal audit and ERM than the title indicates. David Tate, Esq., Royse Law Firm (see below for firm practice areas), Menlo Park, California office, with offices in northern and southern California. The following is a link to my other blog, about trust, estate, and elder, etc., disputes, litigation and difficult or contentious administrations: http://californiaestatetrust.com.

Here is the link to Norman’s post:  https://normanmarks.wordpress.com/2017/07/15/internal-audit-and-erm-accused-of-failing-to-hit-the-mark/

David Tate, Esq. (and CPA, California inactive). Royse Law Firm, Menlo Park Office, California (with offices in both northern and southern California).

Royse Law Firm – Practice Area Overview – San Francisco Bay Area and Los Angeles Basin, http://rroyselaw.com/

  • Corporate and Securities, Financing and Formation
  • Corporate Governance, D&O, Boards and Committees, Audit Committees, Etc.
  • Intellectual Property – Patents, Trademarks, Copyrights, Trade Secrets
  • International
  • Immigration
  • Mergers & Acquisitions
  • Labor and Employment
  • Disputes and Litigation (I broke out these areas because they are my primary areas of practice)
  •             Business
  •             Intellectual Property – Patents, Trademarks, Copyrights, Trade Secrets
  •             Trade Secrets, NDA, Financial & Accounting Issues, Fraud, Lost Income, Royalties, Etc.
  •             Privacy, Internet, Hacking, Speech, Etc.
  •             Labor and Employment
  •             Mergers & Acquisitions
  •             Real Estate
  •             Owner, Founder, Investor, Board & Committee, Shareholder, D&O, Lender/Debtor, Etc.
  •             Insurance Coverage and Bad Faith
  •             Investigations
  •             Trust, Estate, Conservatorship, Elder Abuse, Etc., and Contentious Administrations
  •             Dispute Resolution and Mediation
  • Real Estate
  • Tax (US and International) and Tax Litigation
  • Technology Companies and Transactions Including AgTech, HealthTech, etc.
  • Wealth and Estate Planning, Trust and Estate Administration, and Disputes and Litigation

Court holds that a whistleblower need only have a reasonable belief that the defendant’s conduct was unlawful

The United States District Court, S.D. New York, on a FRCP 56 motion for summary judgment, recently held in Murray v. UBS Securities, LLC that a whistleblower under section 806 need only show reasonable belief that the defendant’s conduct violated federal law. In relevant part see the summary snapshot below. This is important for potential defendants and their decision makers to know when evaluating potential whistleblower situations and how to proceed.

David Tate, Esq. (and CPA, California inactive), Royse Law Firm (Menlo Park office, California, San Francisco Bay Area and the Los Angeles Basin)

PCAOB Adopts New Audit Report-Should Be Interesting-Still Has To Be Adopted By The SEC

The following is a link to the PCAOB website page discussing the PCAOB’s June 2017 adoption of a new audit report which in part requires the disclosure of critical audit matters (CAM) for certain audits conducted under PCAOB standards. Here’s the link to the PCAOB page CLICK HERE

The new report standard still must be adopted by the SEC. If adopted, some of the new report standards will first apply to annual audits for years ending on or after December 15, 2017; however, the critical audit matter reporting would not apply until 2019 at the earliest for certain entities.

As the PCAOB notes, there is a need to make the audit report more relevant. In fact, there is a need to make both external and internal audit and auditors more relevant.

More will follow on this; however, I usually don’t spend signification time on new laws, statutes, regulations, rules and standards until (1) they are in fact enacted or adopted, and (2) it is near the time of actual use or requirement.

I do note, however, that this new report and the CAM provision is an interesting development, which perhaps should have occurred years ago. If you click on the above link, and then on the actual standard itself, you will also see that the standard contains worthwhile discussions about critical audit matters, materiality and other topics that are relevant to the standard.

Best, David Tate, Esq. (and CPA, California inactive). Royse Law Firm, Menlo Park Office, California.

Royse Law Firm – Practice Area Overview – San Francisco Bay Area and Los Angeles Basin

  • Corporate and Securities, Financing and Formation
  • Corporate Governance, D&O, Boards and Committees, Audit Committees, Etc.
  • Intellectual Property – Patents, Trademarks, Copyrights, Trade Secrets
  • International
  • Immigration
  • Mergers & Acquisitions
  • Labor and Employment
  • Litigation (I broke out the litigation because this is my primary area of practice)
  •             Business
  •             Intellectual Property – Patents, Trademarks, Copyrights, Trade Secrets
  •             Trade Secrets, NDA, Financial & Accounting Issues, Fraud, Lost Income, Royalties, Etc.
  •             Privacy, Internet, Hacking, Speech, Etc.
  •             Labor and Employment
  •             Mergers & Acquisitions
  •             Real Estate
  •             Owner, Founder, Investor, Board & Committee, Shareholder, D&O, Lender/Debtor, Etc.
  •             Insurance Coverage and Bad Faith
  •             Investigations
  •             Trust, Estate, Conservatorship, Elder Abuse, Etc., and Contentious Administrations
  • Real Estate
  • Tax (US and International) and Tax Litigation
  • Technology Companies and Transactions Including AgTech, HealthTech, etc.
  • Wealth and Estate Planning, Trust and Estate Administration, and Disputes and Litigation

 

New COSO Updated ERM Framework – Coming Soon – End of June, Perhaps – Could Be Very Important

Just a heads up, a source has suggested that the new long-anticipated COSO (Committee of Sponsoring Organizations of the Treadway Commission) ERM update might finally be out at the end of June. COSO is spending a very long time (since October 2014) preparing and vetting this “update” of the 2004 Enterprise Risk Management — Integrated Framework. COSO’s sponsoring organizations are the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]), and the Commission includes representatives from industry, public accounting, investment firms, and SROs (exchanges).

We’ll have to wait and see what we get with this “update,” which will either simply be a relatively unimpressive or vague tweak, or a useful, modernized, sufficiently detailed guide which might become the standard to achieve, or somewhere in between. I’m hopeful for the useful version – ERM needs a big boost – this “update” is important. I find that there really are only three ways to provide this type of boost: sponsorship and push by large or influential organizations and people, mandatory (i.e., by law, regulation or rule) adoption, or, sometimes, push and expectancy by the public.

Here is the link to the COSO website https://www.coso.org/Pages/default.aspx

Best to you, David Tate, Esq., Litigation, D&O, audit committees, etc., Royse Law Firm http://rroyselaw.com/

Evaluating Director Independence – Zynga Shareholder Derivative Suit

Thomas Sandys Derivatively on Behalf of Zynga, Inc. v. Pincus, et al., Delaware Supreme Court, Case No. 157,2016, December 5, 2016, highlights the sometimes difficulty, and the importance of evaluating director independence in the circumstance of a shareholder derivative suit.

In Zynga the plaintiff filed his shareholder derivative suit without first making a demand upon the board that the Company sue Company insiders that were alleged to have improperly sold Company stock. Instead of first making the demand upon the board, plaintiff argued that such a demand would have been futile because a majority of the nine person board members lacked independence.

In summary, the plaintiff alleged two derivative claims based on allegations that certain top managers and directors at Zynga were given an exemption to the Company’s standing rule preventing sales of stock by insiders until three days after an earnings announcement, and that the insiders who participated in the sale breached their fiduciary duties by misusing confidential information when they sold their shares while in possession of adverse, material non-public information. And plaintiff also asserted a duty of loyalty claim against the directors who approved the sale.

The holding in Zynga is that at the pleading stage there was sufficient evidence to suggest that a majority of the board did lack independence so as to excuse not making the demand upon the board. The holding is primarily interesting for the Court’s discussion about three particular board members, and the reasons why the Court determined that there was evidence to sufficiently suggest that those three directors did in fact lack independence to impartially consider a demand that the Company bring suit against the selling insiders, which resulted in a majority of the board also lacking independence, so as to excuse making the pre-suit demand upon the board.

To plead demand excusal the plaintiff must plead particularized factual allegations that create a reasonable doubt that, as of the time the complaint was filed, the board of directors could have properly exercised its independent and disinterested business judgment in responding to a demand. At the pleading stage, a lack of independence turns on whether the plaintiff has pleaded facts from which the director‘s ability to act impartially on a matter important to the interested party can be doubted because that director may feel subject to the interested party‘s dominion or beholden to that interested party.
With respect to one of the directors in question, the Court found troubling for the purpose of independence or lack thereof that the particular board member and her husband co-owned an unusual asset, an airplane, with Zynga’s former CEO and controlling stockholder, which the Court found was suggestive of an “extremely intimate personal friendship between their families.”

And with respect to the other two directors, the Court found troubling for the purpose of independence or lack thereof that the directors are partners at a prominent venture capital firm and that they and their firm not only controlled 9.2% of Zynga‘s equity as a result of being early-stage investors, but have other interlocking relationships with the controller and another selling stockholder outside of Zynga. More specifically the Court stated “Although it is true that entrepreneurs like the controller need access to venture capital, it is also true that venture capitalists compete to fund the best entrepreneurs and that these relationships can generate ongoing economic opportunities. There is nothing wrong with that, as that is how commerce often proceeds, but these relationships can give rise to human motivations compromising the participants’ ability to act impartially toward each other on a matter of material importance. Perhaps for that reason, the Zynga board itself determined that these two directors did not qualify as independent under the NASDAQ rules, which have a bottom line standard that a director is not independent if she has ―a relationship which, in the opinion of the Company‘s board of directors, would interfere with the exercise of independent judgment . . . .[Footnote #1: NASDAQ Marketplace Rule 5605(a)(2)] Although the plaintiff’s lack of diligence made the determination as to these directors perhaps closer than necessary, in our view, the combination of these facts creates a pleading stage reasonable doubt as to the ability of these directors to act independently on a demand adverse to the controller‘s interests. When these three directors are considered incapable of impartially considering a demand, a majority of the nine member Zynga board is compromised for Rule 23.1 purposes and demand is excused. Thus, the dismissal of the complaint is reversed.”

As you might correctly assume, board member independence can arise as an issue in several different corporate and governance related circumstances.

* * * * *

NEW NINTH CIRCUIT CASE – PLAINTIFF CANNOT BRING A SECURITIES CASE FOR BREACH OF THE CORPORATE CODE OF ETHICS . . . WELL, NOT SO FAST . . . .

On January 19, 2017, the Ninth Circuit dismissed a securities fraud case holding that the claim could not legally be brought where shareholders of Hewlett-Packard Company (“HP”) alleged that the Company CEO and Chairman violated Hewlett-Packard’s Corporate Code of Ethics after publicly touting the Company’s high standards for ethics and compliance while at the same time himself violating the provisions in the Code of Ethics. The case is Retail Wholesale & Department Store Union Local 338 Retirement Fund v. Hewlett-Packard Co. and Mark A. Hurd, Ninth Circuit Case No. 14-16433 and District Court Case No. 3:12-cv-04115-JST (Northern District of California) and you can view the case at http://cdn.ca9.uscourts.gov/datastore/opinions/2017/01/19/14-16433.pdf.

Plaintiffs’ claim was brought under §10 and Rule 10–b of the Securities Exchange Act of 1934. The Court’s decision is helpful from a defense viewpoint, but the decision shouldn’t be viewed too broadly. In summary, the Court held as follows (note: the below quotes from the case are not necessarily in the exact order in which they appeared in the Court’s decision):

“Retail Wholesale argues that the SBC [HP’s Standards of Business Conduct], bolstered by Defendants’ express promotion of corporate ethics, gives rise to a finding of material misrepresentation. Its claim is based in three factual allegations: (1) HP and Hurd actively promoted the SBC and stated that HP had zero tolerance for SBC violations; (2) Hurd’s SBC violations led to his resignation; and (3) Hurd’s resignation caused HP’s stock price to drop. The Court cannot agree that, under the facts alleged in the complaint, Defendants’ representations about ethics were materially misleading.”

“Defendants made no objectively verifiable statements during the Class Period. As one court has aptly written, a code of conduct is “inherently aspirational.” Andropolis, 505 F. Supp. 2d at 686. Such a code expresses opinions as to what actions are preferable, as opposed to implying that all staff, directors, and officers always adhere to its aspirations. See id.”

“Similarly, Hurd’s comments prefacing the SBC are not objectively verifiable. In the 2008 preface to the SBC, Hurd stated, in part,

We want to be a company known for its ethical leadership . . . .

We know actions speak louder than words. We must make decisions and behave in ways that we can be proud of, that reflect our commitment to doing the right thing . . . .

. . . . Let us commit together, as individuals and as a company, to build trust in everything we do by living our values and conducting business consistent with the high ethical standards within our SBC.”

“The aspirational nature of these statements is evident. They emphasize a desire to commit to certain “shared values” outlined in the SBC and provide a “vague statement[] of optimism,” not capable of objective verification. See Or. Pub. Emps., 774 F.3d at 606. A contrary interpretation—that statements such as, for example, the SBC’s “we make ethical decisions,” or Hurd’s prefatory statements, can be measured for compliance—is simply untenable, as it could turn all corporate wrongdoing into securities fraud.”

However, and equally important, the Court also stated:

“We note that the case may have been closer had Hurd’s sexual harassment and false expenses scandal involved facts remotely similar to those presented by the 2006 scandal [i.e., an earlier unrelated ethics problem at HP in which “A few years earlier, in 2006, a major scandal erupted when a whistleblower informed several government agencies that HP had hired detectives to monitor the phone records and email accounts of HP directors, HP employees, and journalists to find the sources of leaks of company information to the press”], as the ethical code could then have been understood as at least promising specifically not to do what had been done in 2006. Here, however, the context does not make HP’s promotion of business ethics any less subjective or vague. Further, Retail Wholesale cites to no case law suggesting that context may operate to allow a plaintiff to import an out-of-Class-Period statement into the Class Period. The strongest statement alleged in the complaint—the suggestion of a zero tolerance policy for SBC violations—was made outside of the Class Period.”

“In sum, we conclude that as there was no statement during the Class Period that was capable of being objectively false, there was no affirmative misrepresentation.”

It could be easy to read the case too broadly, and to conclude that a securities fraud claim cannot be brought for violation of the company’s code of ethics. Whether such a claim can be brought really depends on the facts and circumstances of the case. Further, and depending on the facts of each case, it might be possible that such a claim could be brought under a different legal theory such as, for example, the Foreign Corrupt Practices Act.

Thus, companies, and their officers, managing agents and directors still must be advised to know the company’s Code of Ethics, to follow the Code, and to be careful about making specific representations about following, satisfying or complying with the Code.

* * * * *