CHAPTER 3 FINANCIAL STATEMENT RISK AND CORPORATE GOVERNANCE

Jurisdiction: United States
Strategic Risk Management for Natural Resources Companies
(May 2008)

Bill Evert
Hein & Associates LLP
Denver, Colorado
Dan Edwards
Hein & Associates LLP
Denver, Colorado
George Curtis
Securities and Exchange Commission
Denver, Colorado


FINANCIAL STATEMENT RISK

Financial statement risk is the risk that the financial statements, including the related notes to the financial statements, are materially misstated. Financial statements are materially misstated when the misstatement could be reasonably expected to influence the economic decisions of the users. (See also the meaning of the word material as defined under the federal securities law in Basic, Inc. v. Levinson, 485 U.S. 224, 231-36 (1988) and TSC Indus. v. Northway, Inc., 426 U.S. 438 (1976).) Embedded in the financial statements are certain assertions made by companies to those relying on their financial statements. Assertions of (1) completeness, (2) existence or occurrence, (3) rights and obligations, (4) valuation and allocation, and (5) presentation and disclosure underlie the information presented in the financial statements, and it is these embedded assertions that investors and others rely on, in part, when making economic decisions.

Misstatements are the result of errors or fraud. Errors are unintentional misstatements of amounts or disclosures in financial statements. Fraud is an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage. Misstatements resulting from errors or fraud can consist of one, or more, of the following:1

• An inaccuracy in gathering or processing data from which financial statements are prepared
• A difference between the amount, classification, or presentation of a reported financial statement element, account, or item and the amount, classification, or presentation that would have been reported under generally accepted accounting principles
• The omission of a financial statement element, account, or item
• A financial statement disclosure that is not presented in conformity with generally accepted accounting principles
• The omission of information required to be disclosed in conformity with generally accepted accounting principles
• An incorrect accounting estimate arising, for example, from an oversight or misinterpretation of facts; or
• Management's judgments concerning an accounting estimate or the selection or application of accounting policies that the auditor may consider unreasonable or inappropriate.

CORPORATE GOVERNANCE

Progression of Corporate Accountability

Prior to the Sarbanes-Oxley Act of 2002 (the "Act"), investors and others reasonably believed that the financial statement risk described above was offset, in part, by the fiduciary duty corporate officials and their auditors had to their investors and others.

The fiduciary duty is a legal relationship between two or more parties. A fiduciary is expected to be extremely loyal to the person to whom they owe the duty (the "principal"): they must not put their personal interests before the duty, and must not profit from their position as a fiduciary, unless the principal consents.2

However, the fraudulent activities committed by corporate officials at companies like Enron, WorldCom, HealthSouth, and Tyco raised serious questions about the effectiveness of the fiduciary duty. Unfortunately, these corporate executives completely ignored their fiduciary duty and abused the trust imputed to them by investors and others as they sought to achieve their own personal goals (which typically included attempting to exceed analysts' expectations and, thereby, lining their own pockets).

Because of this apparent abdication of duty and abuse of trust by corporate officials, and others, Congress stepped in and provided a framework that, in essence, regulated the fiduciary duty. In July of 2002, Congress enacted the Sarbanes-Oxley Act and gave additional strength to corporate governance.

Corporate governance is the set of processes, customs, policies, laws and institutions affecting the way a corporation is directed, administered or controlled. An important theme of corporate governance is to ensure the accountability of certain individuals in an organization through mechanisms that try to reduce or eliminate the principal-agent problem.3

The Sarbanes-Oxley Act of 2002 (the "Act") (Public Law 107-204; 116 STAT. 745) contains 11 Titles and 68 Sections. The Sections of the Act that primarily relate to corporate governance over financial reporting and to attorneys with publicly-traded clients are:

• Section 302 - Addresses the requirement for the Principal Executive Officer (typically the CEO) and Principal Financial Officer (typically the CFO) to certify the financial statements and defines the responsibilities assumed by those signing the certifications.
• Section 906 - Defines the criminal penalties for those who certify, or willfully certify, the financial statements knowing that the financial statements do not comport with all of the requirements set forth in Section 906.
• Section 404 - Commonly referred to as "SOX 404", this Section provides the foundation upon which management's assessment of internal controls is built, and it also serves as the preamble to the responsibilities of the Securities and Exchange Commission (the "SEC"), Public Company Accounting Oversight Board (the "PCAOB"), and external auditors for reporting thereon.
• Section 307 - Grants the SEC the authority to issue minimum standards of professional conduct for attorneys who appear and practice before the SEC.

Impact of Sarbanes-Oxley to Attorneys

Before discussing the rules related to internal controls over financial reporting, it is important to briefly discuss the rules related to attorneys promulgated by the Act. As mentioned above, Section 307 deals with the professional conduct for attorneys who appear and practice before the SEC. Item (1) of Section 307 requires, "... an attorney to report evidence of a material violation of securities law or breach of fiduciary duty or similar violation by the company or any agent thereof ..."4 The term "breach of fiduciary duty" is defined by paragraph 205.2(d) of the SEC's final rule on, "Implementation of Standards of Professional Conduct for Attorneys," as, "... any breach of fiduciary or similar duty to the issuer recognized under an applicable federal or state statute or at common law, including but not limited to misfeasance, nonfeasance, abdication of duty, abuse of trust, and approval of unlawful transactions."5 Although this paper does not purport to define the meaning of, or to identify acts that would constitute, a material violation of securities law, a breach of fiduciary duty, or similar violations, it is intended to provide attorneys with tools that will help them know if their companies have adequate systems for designing, implementing, and monitoring internal controls over financial reporting to comply with the requirements of SOX 404.

Compliance with SOX 404

Pursuant to Section 404, annual reports required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 need to contain an internal control report which will (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.6

In June of 2007, the SEC issued its guidance on SOX 404 in its release titled, "Amendments to Rules Regarding Management's Report on Internal Controls Over Financial Reporting". Page two of the release states that the SEC is, "... issuing interpretive guidance to assist companies of all sizes in completing a top-down, risk-based evaluation of internal controls over financial reporting".7 In order to perform its evaluation, management must use, "... a suitable, recognized control framework that is established by a body or group that has followed due-process procedures ..."8 Pursuant to the third paragraph of section 3(a) of the SEC's Final Rule on, "Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports" issued in June 2003, the SEC stated that the Committee of Sponsoring Organizations of the Treadway Commission ("COSO") Framework satisfies its criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements.9

It should be noted, however, that the SEC does not mandate the use of the COSO Framework and recognizes that other evaluation standards exist outside of the United States and that frameworks other than COSO may be developed within the United States in the future that satisfy the intent of the statute without diminishing the benefits to investors. The Guidance on Assessing Control published by the Canadian Institute of Chartered Accountants, the Turnbull Report published by the Institute of Chartered Accountants in England and Wales,10 and the Internal Control Over Financial Reporting - Guidance for Smaller Public Companies, which is a modified version of the COSO Framework aimed at issuers who have "characteristics of smaller companies", are all examples of other suitable frameworks recognized by the SEC. Additionally, when designing control objectives and controls over information technology, the Control Objectives for Information and Related Technology ("CobiT") 4.1 issued by the IT Governance Institute is widely accepted by public companies and their auditors, although it is not mentioned in...
