New COSO Updated ERM Framework – Coming Soon – End of June, Perhaps – Could Be Very Important

Just a heads up, a source has suggested that the new long-anticipated COSO (Committee of Sponsoring Organizations of the Treadway Commission) ERM update might finally be out at the end of June. COSO is spending a very long time (since October 2014) preparing and vetting this “update” of the 2004 Enterprise Risk Management — Integrated Framework. COSO’s sponsoring organizations are the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]), and the Commission includes representatives from industry, public accounting, investment firms, and SROs (exchanges).

We’ll have to wait and see what we get with this “update,” which will either simply be a relatively unimpressive or vague tweak, or a useful, modernized, sufficiently detailed guide which might become the standard to achieve, or somewhere in between. I’m hopeful for the useful version – ERM needs a big boost – this “update” is important. I find that there really are only three ways to provide this type of boost: sponsorship and push by large or influential organizations and people, mandatory (i.e., by law, regulation or rule) adoption, or, sometimes, push and expectancy by the public.

Here is the link to the COSO website https://www.coso.org/Pages/default.aspx

Best to you, David Tate, Esq., Litigation, D&O, audit committees, etc., Royse Law Firm http://rroyselaw.com/

NEW NINTH CIRCUIT CASE – PLAINTIFF CANNOT BRING A SECURITIES CASE FOR BREACH OF THE CORPORATE CODE OF ETHICS . . . WELL, NOT SO FAST . . . .

On January 19, 2017, the Ninth Circuit dismissed a securities fraud case holding that the claim could not legally be brought where shareholders of Hewlett-Packard Company (“HP”) alleged that the Company CEO and Chairman violated Hewlett-Packard’s Corporate Code of Ethics after publicly touting the Company’s high standards for ethics and compliance while at the same time himself violating the provisions in the Code of Ethics. The case is Retail Wholesale & Department Store Union Local 338 Retirement Fund v. Hewlett-Packard Co. and Mark A. Hurd, Ninth Circuit Case No. 14-16433 and District Court Case No. 3:12-cv-04115-JST (Northern District of California) and you can view the case at http://cdn.ca9.uscourts.gov/datastore/opinions/2017/01/19/14-16433.pdf.

Plaintiffs’ claim was brought under §10 and Rule 10–b of the Securities Exchange Act of 1934. The Court’s decision is helpful from a defense viewpoint, but the decision shouldn’t be viewed too broadly. In summary, the Court held as follows (note: the below quotes from the case are not necessarily in the exact order in which they appeared in the Court’s decision):

“Retail Wholesale argues that the SBC [HP’s Standards of Business Conduct], bolstered by Defendants’ express promotion of corporate ethics, gives rise to a finding of material misrepresentation. Its claim is based in three factual allegations: (1) HP and Hurd actively promoted the SBC and stated that HP had zero tolerance for SBC violations; (2) Hurd’s SBC violations led to his resignation; and (3) Hurd’s resignation caused HP’s stock price to drop. The Court cannot agree that, under the facts alleged in the complaint, Defendants’ representations about ethics were materially misleading.”

“Defendants made no objectively verifiable statements during the Class Period. As one court has aptly written, a code of conduct is “inherently aspirational.” Andropolis, 505 F. Supp. 2d at 686. Such a code expresses opinions as to what actions are preferable, as opposed to implying that all staff, directors, and officers always adhere to its aspirations. See id.”

“Similarly, Hurd’s comments prefacing the SBC are not objectively verifiable. In the 2008 preface to the SBC, Hurd stated, in part,

We want to be a company known for its ethical leadership . . . .

We know actions speak louder than words. We must make decisions and behave in ways that we can be proud of, that reflect our commitment to doing the right thing . . . .

. . . . Let us commit together, as individuals and as a company, to build trust in everything we do by living our values and conducting business consistent with the high ethical standards within our SBC.”

“The aspirational nature of these statements is evident. They emphasize a desire to commit to certain “shared values” outlined in the SBC and provide a “vague statement[] of optimism,” not capable of objective verification. See Or. Pub. Emps., 774 F.3d at 606. A contrary interpretation—that statements such as, for example, the SBC’s “we make ethical decisions,” or Hurd’s prefatory statements, can be measured for compliance—is simply untenable, as it could turn all corporate wrongdoing into securities fraud.”

However, and equally important, the Court also stated:

“We note that the case may have been closer had Hurd’s sexual harassment and false expenses scandal involved facts remotely similar to those presented by the 2006 scandal [i.e., an earlier unrelated ethics problem at HP in which “A few years earlier, in 2006, a major scandal erupted when a whistleblower informed several government agencies that HP had hired detectives to monitor the phone records and email accounts of HP directors, HP employees, and journalists to find the sources of leaks of company information to the press”], as the ethical code could then have been understood as at least promising specifically not to do what had been done in 2006. Here, however, the context does not make HP’s promotion of business ethics any less subjective or vague. Further, Retail Wholesale cites to no case law suggesting that context may operate to allow a plaintiff to import an out-of-Class-Period statement into the Class Period. The strongest statement alleged in the complaint—the suggestion of a zero tolerance policy for SBC violations—was made outside of the Class Period.”

“In sum, we conclude that as there was no statement during the Class Period that was capable of being objectively false, there was no affirmative misrepresentation.”

It could be easy to read the case too broadly, and to conclude that a securities fraud claim cannot be brought for violation of the company’s code of ethics. Whether such a claim can be brought really depends on the facts and circumstances of the case. Further, and depending on the facts of each case, it might be possible that such a claim could be brought under a different legal theory such as, for example, the Foreign Corrupt Practices Act.

Thus, companies, and their officers, managing agents and directors still must be advised to know the company’s Code of Ethics, to follow the Code, and to be careful about making specific representations about following, satisfying or complying with the Code.

* * * * *

Really Massive Changes in Accounting, Auditing, Reporting and Communicating – The End Of Accounting?

Although I practice as an attorney, I previously practiced as a CPA and I have experienced several times over the years when there were significant changes occurring in the accounting practice and profession. But right now, I believe that I am witnessing multiple massive changes that have been long in the making. The following is a link to an Accounting Today article which does a pretty good job of discussing some of the changes, and also includes a question whether this is the end of accounting (click on the following link: CLICK HERE).

It’s not like these changes are screaming at you in the headlines, but the cumulative effect is significant, new changes are continuing and will continue, and perhaps more important, the reasons for the changes are permanent.

For a long, long time the value of the audit and of the audit report have been questioned.

For a long, long time, the value of the information provided by an accounting that is prepared in conformity with generally accepted accounting principles has been questioned.

Different stakeholders also have different needs, and the speed at which the flow of information is needed and expected is ever-increasing. Audited financial statements, for example, don’t tell you very much about the future investment or business-generating value of the entity or of the transactions reported, or of the risks that are associated with them.

So now, for example, in addition to GAAP accounting we have non-GAAP accounting and reporting; we are seeing an increased ability to audit all transactions by computer software; GAAP is moving from the more detailed and specific rules-based approach back to the more principles-based approach that was in place when I first became a CPA; and non-GAAP measurements or criteria are becoming, or should become, more important, such as some of the governance criteria (integrity, tone-at-the-top, culture, etc.), sustainability, transparency, risk management, and more emphasis on internal controls such as COSO.

However, I don’t agree with the suggestion or question in the title to the above linked article – it’s not the end of accounting. Traditional accounting serves a useful purpose – can you imagine what a free-for-all it would be without traditional accounting? There would be absolutely no checks or balances. There would be a “zero” reliability factor, and no comparability between different entities or industries.

But there is no question that the changes that have occurred and that continue to occur in accounting and auditing create both opportunities and risks for investors, financial institutions and other stakeholders, executive, financial, accounting and audit officers and professionals, boards, and audit and risk committees. The people who will excel are the people who will embrace and become expert in these changes. It’s a lifetime of learning to stay ahead and relevant.

Best to you. Dave Tate, Esq.

The following is a link to my Tate’s Excellent Audit Committee Guide, updated January 2016: CLICK HERE.

Does Your Audit Committee Charter List Risk Management?

If you are an audit committee member of a public company, your audit committee charter might, and in some cases must, in some manner list risk management oversight as a responsibility.

If you are a nonprofit, private business or company, or governmental entity, and if you have an audit committee charter, your charter also might list risk management oversight, and if it doesn’t, then that oversight is the sole responsibility of the entire board.

For example, in relevant part, the NYSE Listed Company Manual states, under Audit Committee Additional Requirements, that the audit committee’s purpose at a minimum must be, in part, to:

  1. Assist board oversight of (1) the integrity of the listed company’s financial statements, (2) the listed company’s compliance with legal and regulatory requirements, (3) the independent auditor’s qualifications and independence, and (4) the performance of the listed company’s internal audit function and independent auditors (if the listed company does not yet have an internal audit function because it is availing itself of a transition period pursuant to Section 303A.00, the charter must provide that the committee will assist board oversight of the design and implementation of the internal audit function); and
  2. Discuss policies with respect to risk assessment and risk management.

And under related Commentary with respect to risk assessment and management: While it is the job of the CEO and senior management to assess and manage the listed company’s exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the listed company’s major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken. Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee.

The Listed Company Manual also states that each listed company must have an internal audit function.

And under related Commentary with respect to the internal audit function: Listed companies must maintain an internal audit function to provide management and the audit committee with ongoing assessments of the listed company’s risk management processes and system of internal control. A listed company may choose to outsource this function to a third party service provider other than its independent auditor. While Section 303A.00 permits certain categories of newly-listed companies to avail themselves of a transition period to comply with the internal audit function requirement, all listed companies must have an internal audit function in place no later than the first anniversary of the company’s listing date.

Further, General Commentary to Section 303A.07 states: To avoid any confusion, note that the audit committee functions specified in Section 303A.07 are the sole responsibility of the audit committee and may not be allocated to a different committee.

From an audit committee member’s perspective, here is the issue that I have with risk management oversight: have the audit committee and the board primarily, and possibly other necessary stakeholders or people involved, really reached an understanding about what that “risk management” oversight means, both in terms of the substantive risk oversight areas that are (and therefore also that aren’t) included in your oversight responsibilities, and exactly what you are expected to do to satisfy that oversight? And then, how are those areas and responsibilities described in the charter? Without clarification the term “risk management” is, or can be, vague and potentially extremely broad.

As risk management oversight has grown, or you might say, exploded, in importance for the board and its committees, over the past several years I have regularly received materials from risk management professionals discussing and disagreeing about exactly what risk management is, what terms and criteria to use, and how to go about performing risk management. I’m not trying to duplicate their efforts. But risk management can be a complicated area requiring a substantial investment of oversight effort and time. Obviously it’s an important area for the board, and for an audit committee or risk committee to which that oversight has been delegated. Even with delegation to a committee, the board should still maintain risk management oversight.

And risk management also is an area that relates to other areas of oversight such as internal controls (COSO 2013), personal safety, anonymous reporting processes and investigations, compliance with laws, and other areas.

You, as an audit committee member, and other stakeholders need to understand what is involved and what is expected of you, so that, hopefully and to the extent possible (because it isn’t possible to avoid all surprises or unexpected situations), the important possible risks or surprises and the related processes that are under your oversight have been and are being evaluated, addressed (designed and implemented), monitored and updated as necessary, including what to do and how to act to mitigate and remedy the situation if a surprise or unexpected situation does occur.

You can find additional discussions on this blog and on Tate’s Excellent Audit Committee Guide, the January 3, 2016, version of which can be found at http://wp.me/p75iWX-q

Wishing you the best.

Dave Tate, Esq. and CPA licensed in California (inactive), San Francisco and California
