Professor Bainbridge...on law, politics, religion, culture & food

Stoneridge and SOX Section 404: Conference Remarks

Next Tuesday Monday, 10/9, the Supreme Court will hear oral argument in Stoneridge Investment Partners v. Scientific-Atlanta, arguably the most important securities law case to reach the Court in a decade. It requires the Court to decide whether third-parties, such as financial advisors, auditors, attorneys, or vendors, who engage in allegedly fraudulent transactions with a public corporation, but who do not speak or provide financial statements or other disclosures to investors can be held liable under SEC Rule 10b-5.

I’m off to a conference on Stoneridge to be held at Case law school. The conference will be webcast (details here).

My remarks will focus on the interaction of scheme liability and internal controls under Sarbanes-Oxley section 404.

Remarks on Stoneridge and Sarbanes-Oxley
Symposium on Scheme Liability, Section 10(b), and Stoneridge Investment Partners v. Scientific Atlanta
October 5, 2007

Let’s assume for the sake of argument that the Supreme Court upholds some form of scheme liability in the Stoneridge case. I’m not saying it will or that it should; I’m just playing the “what if” game.

As we all know, Sarbanes-Oxley Section 404 requires inclusion of internal control disclosures in each public corporation’s annual report. This disclosure statement must include: (1) a written confirmation by which firm management acknowledges its responsibility for establishing and maintaining a system of internal controls and procedures for financial reporting; (2) an assessment, as of the end of the most recent fiscal year, of the effectiveness of the firm’s internal controls; and (3) a written attestation by the firm’s outside auditor confirming the adequacy and accuracy of those controls and procedures.

It is not the disclosure itself that makes § 404 significant, of course; instead, it is the need to assess and test the company’s internal controls in order to be able to make the required disclosures.

Also relevant to the questions at hand are SOX sections 302 and 906. In particular, among other things, Section 302 requires both the CEO and CFO individually to acknowledge in writing that they are responsible for establishing and maintaining the corporation’s systems of internal controls and to certify that such internal controls are designed to ensure that material information properly flows from the corporation’s business units to the CEO and CFO. They also must certify that they have evaluated the effectiveness of those internal controls within the 90-day period prior to the filing of the report. To ensure that the certification is not mere boilerplate, the CEO and CFO are required to include in the quarterly or annual report, as the case may be, an assessment of the effectiveness of the company’s internal controls.

Imagine a publicly held vendor like Motorola or a publicly held financial advisor like some of those charged in the Enron litigation. A Supreme Court decision validating scheme liability will place renewed emphasis on the internal controls within such firms dealing with major contracts.

We know that developing effective controls to deal with vendor relations has been a real problem. Firms seldom include clear provisions relating to internal control performance in contracts with customers or suppliers. In particular, even when dealing with core services that have been outsourced, firms often fail to insist on something so basic as a contractual right to perform internal control audits. Indeed, many even fail to insist on the right to request a SAS 70 report. The resulting lack of transparency into contracting partners internal control environments has seriously hampered many corporation’s section 404 compliance efforts. They are often unable to identify or document, let alone evaluate, the internal control processes partner firms.

If scheme liability is imposed, however, the risks associated with these practices will escalate significantly. To be sure, there are already some risk that the SEC or Justice Department will pursue these roundtrip transactions, but it seems safe to assume that private party liability exposure would raise the stakes significantly.

The net effect will be to bring significant pressure to bear on the Motorola’s of the world to subject these sort of contracts to effective internal audits. In turn, because nobody will want to sign off on the accounting treatment for transactions that might push the edge of the envelope without clearing it with their auditors, there will be even greater involvement of external auditors in the contracting process.

You might say, well, so what? After all, aren’t internal controls supposed to crack down on wrongdoing? Well, yes, but. Remember Motorola didn’t issue the misleading financial statements. It didn’t help prepare them. We’re not talking about Charter’s 404 duties. We’re talking about imposing more extensive and demanding 404 requirements on firms in connection with somebody else’s disclosures.

There’s a reason, after all, that firms seldom put internal control performance provisions in contracts with customers or suppliers. It’s bad enough trying to monitor your own internal controls. Trying to monitor somebody else’s can be orders of magnitude more difficult and expensive.

See also my earlier post laying out the Stoneridge facts and issues in detail.