Corporate Governance Update SOX 404 and Internal Controls Speakers Barbara Borden bborden@cooley.com 858.550.6243 Brad Peck bpeck@cooley.com 858.550.6012 Steven Spector (858) 453-7200 x229 sspector@arenapharm.com 1
An internal control over financial reporting is a process designed by or under the supervision of the principal executive and financial officers and effected by the board of directors, management and other personnel to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP Internal controls over financial reporting include policies and procedures that: pertain to the maintenance of records that accurately and fairly reflect transactions and dispositions of assets provide reasonable assurance that transactions are recorded as necessary to permit preparation of GAAP financial statements and receipts and expenditures are being made only in accordance with authorizations of management and directors provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of assets that could have a material effect on the financial statements 2
A significant deficiency is a control deficiency or combination of control deficiencies that adversely affects the ability to initiate, authorize, record, process or report external financial data reliably in accordance with GAAP such that there is more than a remote likelihood that a misstatement of the annual or interim financial statements that is more than inconsequential will not be prevented or detected A material weakness is a significant deficiency or combination of significant deficiencies that results in more than a remote likelihood that a material misstatement in the annual or interim financial statements will not be prevented or detected 3
Significant deficiencies and material weaknesses Internal discussions before audit committee involvement Discussions with audit committee Reporting issues Management s annual internal control report contains: A statement of management s responsibility for establishing and maintaining adequate internal control over financial reporting. A statement identifying the framework used by management to evaluate the effectiveness of internal control over financial reporting. Management s assessment of the effectiveness of internal control over financial reporting as of fiscal year end: a statement as to whether or not internal control over financial reporting is effective and disclosure of any material weakness in internal control over financial reporting A statement that the auditor has issued an attestation report on management s assessment. 4
Before the SOX 404 compliance deadline: A company is not required to disclose changes to internal control over financial reporting made in preparation for its first annual management report. If a company identifies a material weakness prior to the first annual management report, the company should consider disclosing that fact as well as changes made in response to the material weakness. Trends in disclosure (as reported by Compliance Week) Problems with financial systems and procedures, including financial close processes, account reconciliations and inventory weaknesses (more than 50% of disclosed issues) Problems with personnel, including poor segregation of duties, inadequate staffing and inadequate supervision (32% of disclosed issues) Detailed disclosure of remediation efforts Added disclosure regarding risk factors related to internal control over financial reporting 5
Quarterly evaluations of internal control over financial reporting The company must disclose in its quarterly report any material change in internal control over financial reporting. Disclosure of changes made to internal controls may need to include a discussion of the nature of any significant deficiency being addressed. The company must maintain evidence, including documentation, reasonably supporting management s quarterly evaluation of internal controls. SOX 302 certification will cover internal controls. SOX 302 New quarterly certification of internal controls Beginning with the annual report, certifying officers must certify that: They are responsible for establishing and maintaining internal controls over financial reporting. They designed such internal control over financial reporting or caused such internal control over financial reporting to be designed under our supervision to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP. 6
Process Issues Preparation of financial statements Disclosure Committee review Audit Committee review Public announcement of operating results Filing of 34 Act report When do you interact with the auditors in the process? 7