During the last two weeks of 2019, the US Securities and Exchange Commission (SEC) offered guidance and reminders relating to:
- The Role of Audit Committees;
- International Intellectual Property and Technology Risks; and
- Confidential Treatment
Public companies should take these pronouncements into account as the new year begins.
Role of Audit Committees
On December 30, 2019, the SEC's chairman, chief accountant and director of the division of corporation finance (Division) issued a joint public statement (Audit Committee Statement) on the role of audit committees in financial reporting, including key reminders regarding oversight responsibilities.1 The Audit Committee Statement included five general observations regarding the audit committee's role in financial reporting and auditing, followed by three more specific observations.
The Audit Committee Statement's five general observations related to:
- Tone at the Top. The Audit Committee Statement emphasized that it is important for the audit committee to "set an expectation for clear and candid communications to and from the auditor" and to "proactively communicate with the independent auditor to understand the audit strategy and status, and ask questions regarding issues identified by the auditor and understand their ultimate resolution."
- Auditor Independence. The Audit Committee Statement encouraged audit committees to "consider periodically the sufficiency of the auditor's and the issuer's monitoring processes," which, among other matters, "should address corporate changes or other events that could affect auditor independence (e.g., changes or events that may result in new affiliates or business relationships) and facilitate the timely communication of these events and changes to the audit firm."
- Generally Accepted Accounting Principles (GAAP). The Audit Committee Statement focused on the implementation of new GAAP standards, encouraging audit committees to "engage proactively with management and auditors in the implementation process of new standards to understand management's implementation plan, including whether the plan provides sufficient time and resources to develop well-reasoned judgments and accounting " The Audit Committee Statement also emphasized that it is important for an audit committee to "understand management's processes to establish and monitor controls and procedures over adoption and transition."
- Internal Control Over Financial Reporting (ICFR). The Audit Committee Statement expressed the belief that audit committees are most effective in carrying out their oversight responsibilities for ICFR "when they have a detailed understanding of identified ICFR issues and engage proactively to aid in their " According to the Audit Committee Statement, if there is a material weakness, it is important for audit committees to "understand and monitor management's remediation plans and set an appropriate tone that prompt, effective remediation is a high priority."
- Communications to Audit Committee from Independent Auditor. The Audit Committee Statement reminded audit committees of the PCAOB AS 1301 requirements for the auditor to communicate with the audit committee as part of the year-end financial reporting process, including with respect to certain accounting processes and practices, estimates and significant unusual transactions. The statement encouraged audit committees to "incorporate this dialogue in carrying out their responsibilities."
The three more specific observations contained in the Audit Committee Statement related to:
- Non-GAAP Measures. The Audit Committee Statement encouraged audit committees to "be actively engaged in the review and presentation of non-GAAP measures and metrics to understand how management uses them to evaluate performance, whether they are consistently prepared and presented from period to period and the company's related policies and disclosure controls and procedures."
- Reference Rate Reform. In light of the expected discontinuation of LIBOR, the Audit Committee Statement also encouraged audit committees to "understand management's plan to identify and address the risks associated with reference rate reform, and specifically, the impact on accounting and financial reporting and any related issues associated with financial products and contracts that reference LIBOR."
- Critical Audit Matters (CAMs). Noting certain public companies' auditors are now required to communicate critical audit matters in the auditor's report, the Audit Committee Statement encouraged audit committees to "engage in a substantive dialogue with the auditor regarding the audit and expected CAMs to understand the nature of each CAM, the auditor's basis for the determination of each CAM and how each CAM is expected to be described in the auditor's report."
International Intellectual Property and Technology Risks
On December 19, 2019, the Division issued CF Disclosure Guidance Topic No. 82 (IP/Technology Guidance), which discussed disclosure obligations that companies should consider relating to intellectual property and technology risks associated with international business operations, particularly in jurisdictions that do not have levels of protection comparable to US protections for corporate proprietary information and assets.
The IP/Technology Guidance identified sources of international intellectual property and technology risk, such as direct intrusions by private parties and foreign actors, including those affiliated with or controlled by state actors, through both cyber intrusions and physical theft. In addition, the IP/Technology Guidance discussed sources of indirect risks—such as reverse engineering by joint venture partners or other parties, as well as requirements to compromise protections or yield rights to technology, data or intellectual property—that companies may face in order to conduct business or access markets in foreign jurisdictions, examples of which include:
- Patent license agreements in which a foreign licensee retains rights to improvements on the relevant technology;
- Foreign ownership restrictions;
- Terms favoring foreign persons, such as access and license provisions as conditions to conducting business in foreign jurisdictions; and
- Regulatory requirements restricting the ability of companies to conduct business unless they agree to store data locally, use local services or technology, or agree to terms that could involve sharing of intellectual property.
The IP/Technology Guidance also encouraged companies to assess their risks and disclosure obligations relating to potential theft or compromise of technology and intellectual property arising from their international operations and how these risks may impact their business, including financial condition and results of operations, reputation, stock price and long-term value. In that regard, the IP/Technology Guidance suggested various questions that companies should consider, including:
- Is there a heightened technology or intellectual property risk to the company from maintaining significant assets, or earning material revenue, abroad?
- Does the company operate in an industry or foreign jurisdiction where its technology or intellectual property is particularly susceptible to theft or to forced transfer?
- Has the company entered a license agreement with a foreign entity or government that provides such entity with rights to improvements on the underlying technology and/or rights to continued use of the technology after the licensing term expires?
- Is the company subject to requirements that foreign parties must be controlling shareholders or hold a majority of shares in a joint venture or that a foreign party retain certain ownership rights?
- Has the company been required to yield rights to technology or intellectual property as a condition to conducting business in or accessing markets located in a foreign jurisdiction?
- Is the company operating in foreign jurisdictions where the ability to enforce intellectual property rights is limited, either as a statutory or practical matter?
- Have conditions in a foreign jurisdiction caused the company to relocate, or consider relocating, operations to a different host nation, and, if so, has the company considered related material costs?
- Does the company have controls and procedures in place to adequately protect technology and intellectual property from potential compromise or theft, including those designed to detect malfeasance by insiders, corporate espionage events, unauthorized intrusions into commercial computer networks, and other forms of theft and cyber-theft?
- What level of risk oversight and management do the board of directors and executive officers have with regard to the company's data, technology and intellectual property and how may these assets be impacted by operations in foreign jurisdictions where they may be subject to additional risks?
The IP/Technology Guidance reminded companies that risks that are material to investment and voting decisions should be disclosed and that disclosure about such risks should be specifically tailored to a company's unique facts and circumstances. It also noted that where a company's technology, data or intellectual property is being or previously was materially compromised, stolen or otherwise illicitly accessed, hypothetical disclosure of potential risks is not sufficient to satisfy a company's reporting obligations. Moreover, the IP/Technology Guidance reminded companies to consider whether disclosure may be necessary in its management's discussion and analysis, business section, legal proceedings, disclosure controls and procedures, and/or financial statements in light of existing rules and regulations and the SEC's statements regarding cybersecurity and evolving business risks in general.
Confidential Treatment Applications
On December 19, 2019, the Division also issued CF Disclosure Guidance: Topic No. 73 (Confidential Treatment Guidance), which addressed how and what to submit when filing an application objecting to release of information otherwise required to be filed under the Securities Act of 1933, as amended, (Securities Act) or the Securities Exchange Act of 1934, as amended, (Exchange Act). The Confidential Treatment Guidance replaces and supersedes the guidance previously provided in Staff Legal Bulletins 1 and 1A.
Applications for confidential treatment generally arise in the context of material contracts required to be filed as exhibits. The Confidential Treatment Guidance explained that in order to apply for confidential treatment under Securities Act Rule 406 or Exchange Act Rule 24b-2, an applicant must file the required exhibit with the associated filing, omitting the confidential information and marking the exhibit to indicate where information has been omitted. The filing must indicate that the confidential information has been filed separately with the SEC.
An applicant must also send a paper application for confidential treatment to the office of the secretary of the SEC, including an unredacted copy of the contract with the confidential portions identified. The applicant must identify the applicable Freedom of Information Act exemption it is relying on, justify the time period for which confidential treatment is sought and explain in detail why, based on its specific facts and circumstances, disclosure is unnecessary for the protection of investors. In addition, the applicant must provide written consent to furnishing the confidential information to other government agencies, offices or bodies and to Congress; identify each exchange with which the material is filed; and provide the name, address and telephone number of the person the Division should contact regarding the application.
If when reviewing an application for confidential treatment, the Division requires additional information, it will convey its comments by telephone and request a written response. If an applicant omits information beyond what it customarily and actually treats as confidential, the Division will request an amendment with more circumscribed omissions, as well as an amended application. Upon resolution of any comments, the Division will either issue an order granting the application or allow the applicant to withdraw the application. If the applicant does not respond to the Division's comments, or if the comments are not resolved, the Division may deny the application, in which case the applicant may petition the SEC for review. If the Division issues an order granting or denying the application, it will post the order with the company's filing history on the SEC's website.
Public companies should make their audit committees aware of the Audit Committee Statement. Companies and their audit committees should consider whether any changes should be made to their audit committee charters or to their ICFR processes following a review of the observations made in the Audit Committee Statement and their existing internal processes.
The specific topics singled out in the Audit Committee Statement—non-GAAP measures, LIBOR risks and CAMs—are topics that have previously garnered attention at the SEC and clearly remain a concern taken seriously at the SEC. Therefore, companies should pay careful attention to how they are addressing these key areas.
The timing of the IP/Technology Guidance, coming out just as many calendar year companies are focusing on preparation of their annual reports on Form 10-K, signals that the SEC will be looking for disclosure in this area by companies in appropriate circumstances. Although some of the considerations relate to general cybersecurity concerns that have been discussed in other contexts, the IP/Technology Guidance has elaborated on aspects of intellectual property and technology issues specifically arising from international operations. Companies that do business in non-US jurisdictions should review the IP/Technology Guidance carefully and assess whether they are affected by any of the risks discussed. If they are, they should evaluate how they are overseeing and managing such risks and whether they need to add or expand their risk factor disclosures.
In March 2019, the SEC adopted amendments to Item 601(b) of Regulation S-K that allow companies to omit confidential information that is commercially sensitive and the disclosure of which would result in competitive harm (determined on the basis of the same standard always used in connection with confidential treatment requests) from most exhibits without filing confidential treatment applications. As a result, most companies have since chosen to rely on the amended provisions and have not submitted a confidential treatment application. However, companies that are considering submitting a formal confidential treatment request should carefully review the Confidential Treatment Guidance to be sure they follow the current procedures established by the SEC, both in terms of the scope of their requests and the manner in which they file the relevant documents on EDGAR, as well as submit the paper application materials directly to the SEC.
If a company previously obtained a confidential treatment order that is about to expire, it must file an application under Rules 406 or 24b-2 to continue to protect the confidential information from public release. (The SEC has a streamlined, short-form application for this purpose, but it can only be used before the order expires.) In this circumstance, it is not sufficient to file the redacted exhibit on EDGAR using the procedures specified in the March 2019 amendments to Item 601(b) of Regulation S-K.
Originally published in Harvard Law School Forum on Corporate Governance
Visit us at mayerbrown.com
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2019. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.