J-SOX
April 12, 2008 | Leave a Comment
Japan recently enacted the Financial Instruments Exchange Law which includes a regulation entitled Management Assessment and Audit of Internal Control over Financial Reporting (”ICFR”). ICFR requires management to provide an assessment of its internal control over its financial reporting. The regulation also requires that the registrant obtain an auditor’s opinion on management’s assessment. The regulation, commonly referred to as “J-SOX” named after Sarbanes-Oxley, is applicable to companies that are publicly registered on Japanese stock exchanges and is effective for registrants’ fiscal years beginning on or after April 1, 2008.
The new law is complex and confusing. ICFR will impact the 3,800 companies listed on Japanese stock exchanges and will also affect the subsidiaries of the listed companies, even if they operate in other parts of the world.
The implementation guidance (published by the FSA) recommending a risk-based, top-down approach to J-SOX implementation twhcih means that that the parent company will begin by evaluating entity level controls (e.g., overall control environment, oversight by the board of directors, etc.) and will work down to specific processes and financial statement accounts.
The Section 1 guidance, which covers the basic framework for internal control, requires a control framework that includes the common COSO elements of:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
In addition to those five COSO elements, J-SOX also incorporates “Response to IT” as it relates to ICFR as a new component. The Section 2 guidance covers management assessment and reporting of ICFR and includes the following five areas:
- Definition of Financial Reporting
- Scoping of Management Assessment
- Structure for Internal Control Assessment Method and Use of Specialists
- Evaluation of Company Level Controls
- Process Level Controls – Assessment of Operating Effectiveness
The Section 3 guidance covers the audit of ICFR and includes the following four areas:
- The meaning of auditor’s “Indirect Reporting”
- Sample size for testing operating effectiveness
- Use of the work of internal audit and/or others
- Reporting on material weaknesses and other reportable conditions.
Japan’s electronic data regulations and their potential interplay with J-SOX will be the subject of a later post.
Individual Liability for SOX Whistleblower Retaliation
April 9, 2008 | Leave a Comment
Individual Liability for SOX Whistleblower Retaliation. The Sarbanes-Oxley Act of 2002 specifically applies to all officers, employees, contractors, subcontractors, or agents of a covered company. At least one Adminitrative Law Judge has ruled that individuals may be properly named as respondents in SOX whistleblower protection claims under Section 806 of the Act. Granada Entertainment, 2004-SOX-74 (ALJ Oct. 19, 2004).
French Subsidiary May Have Exposure for Retaliation Under Sarbanes-Oxley
April 7, 2008 | Leave a Comment
O’Mahony v. Accenture
Earlier this year, a New York Federal Judge found that a former senior employee of a global consulting firm who was stationed in Paris can sue for damages under the whistleblower protection provision of Sarbanes-Oxley. Rosemary O’Mahony, a British citizen who worked for Accenture in France for 14 years, claimed the company demoted her after she accused it of withholding more than $3 million it owed in French social security payments. The Southern District of New York Judge rejected a motion to dismiss by co-defendants Accenture, which is based in Bermuda, and itsU.S. subsidiary. The co-defendants argued that the provision of Sarbanes-Oxley did not cover employees outside theUnited States. The Court determined that because the alleged “wrongful conduct and other material acts occurred in the United States … the exercise of jurisdiction by this Court to resolve the dispute before it would not implicate extraterritorial application of American law.” This appears to be the first case that applies Sarbanes-Oxley whistleblower protections to an employee working overseas.
The Plaintiff in the case, O’Mahony, was a partner at Accenture’s U.S. subsidiary from 1984 through Aug. 31, 2004, and a partner and employee of its French subsidiary from Sept. 1, 2004, to Oct. 31, 2006. Around September 1992, she left the United States to establish and head a new office for Accenture in France. She worked in France part time for a year, but in September 1993 her assignment was made full time.Accenture’s U.S. subsidiary received a certificate of coverage exempting it from making contributions to the French social security system for five years. But since she worked in Paris for more than five years, O’Mahony claimed that Accenture was obligated to make payments to the system. O’Mahony alleged in her complaint that her former employer owed the French government “in an amount equal to approximately 36 percent of Ms. O’Mahony’s total compensation for the period September 1997 through September 1, 2004. She said that she earned $10.4 million during that period, making the amount owed to the French $3.7 million. O’Mahony said that she notified American executives about the problem, but in September 2004 Accenture’s global financial controller in New York told her that the company had decided that its “‘interests’ would be better served by not making any of the French social security contributions and continuing to affirmatively conceal from the French authorities the fact that [O’Mahony] had been working in France since 1992. O’Mahony responded that she could not violate the law, and brought the matter to the attention to the French authorities. She claimed that Accenture responded by demoting her in November 2004 and reducing her salary by $670,000.
Criminal Exposure of Sarbanes-Oxley
April 4, 2008 | Leave a Comment
Section 1107 of SOX imposes several criminal penalties. The penalties include a fine and/or imprisonment for up to 10 years. Section 1107 does NOT create a private cause of action. See In Re Compact Disc Minimum Advertised Antitrust Litigation, MDL No. 1361 (D.Me.Oct. 2, 2006).
Section 1107 provides that:
“whoever knowingly, with the intent to retaliate, takes any action harmful to any person including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any Federal offense.”
This section of SOX is not limited to publicly traded employers. It appears to apply broadly to both individuals and corporations. The Section prohibits retaliation against persons who provide to a law enforcement officer “any truthful information” relating to the commission or possible commission of “any Federal offense.” Thus the information is not limited to matters involving corporate fraud or accounting abuses but can involve “any Federal crime“.
Section 1107 could create “land mines” for employers. For example, a report to a law enforcement official that a co-worker or supervisor engaged in any of the following activities would appear to be protected under this Section: (1) willfully creating dangerous working conditions in violation of OSHA laws; (2) violating one of the multitude of environmental laws; (3) copying or using software with out permission; (4) storing and/or transmitting indecent material via a company computer; or (5) the destruction of documents in response to notice of a governmental investigation.
Another concern for employers should be the risk of defending both a civil proceeding and a criminal proceeding under the Act, with a potential early communication to OSHA being the employer’s first required statement on the matter. The substantial resources required to defend against both proceedings simultaneously could result be a drain on the employer’s assets.
The final concern resulting from Section 1107 is the location of its codification at 18 U.S.C. § 1513(e). This section is specifically listed within the definition “racketeering activity” under the Racketeer Influenced and Corrupt Organizations Act (“RICO”). The result of this is that Section 1107 will likely be a basis for asserting civil RICO claims in a whistleblower case.
Data Privacy Laws: Dual Compliance Issues for Multi-National Companies
April 3, 2008 | Leave a Comment
European Union And United States Data Privacy Laws
In a very well reasoned and comprehensive article published this month in the Metropolitan Corporate Counsel, the differing approaches taken by the United States and the European Union towards data privacy issues was discussed. The article cautions Multi-National companies based in the United States may be subject to both.
The article points out the fundamental differences in the two regulatory approaches to data privacy. The United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of data bases with those agencies, and in some instances prior approval before personal data processing may begin.”
Potential For Conflict
The article explains that Sarbanes-Oxley law and regulations may conflict with both the requirements of the EU Directive and the law of individual nations. Sarbanes-Oxley, for example, requires public companies to establish a method for employees to report anonymously on possible financial improprieties and to develop a company code of ethical conduct. International application of the resulting policies has created conflicts with the law of various EU nations. Recent decisions in France and Germany have invalidated anonymous reporting hotlines.
The hotlines may also be problematic for the EU Directive to the extent a European employee’s personal data is transferred back to the home office back in the States. Other areas where compliance with U.S. law may create conflicts with EU law is: outsourcing; and efforts to investigate terrorist activities.
Options For Multinational Companies
The Metropolitan Corporate Counsel article discusses several options for companies that must comply with the requirements of several jurisdictions.
One option recommends that companies comply with the U.S. Department of Commerce’s Safe Harbor Privacy Principles. Doing so should provide companies with a presumption of “adequacy” of privacy protection. This presumption should allow them to transfer data from their EU offices to their U.S. offices without violating the EU Directive.
Another option suggested: (1) limiting the reporting requirement to only those employees required to report by Sarbanes-Oxley, including senior financial officers (§ 406) and attorneys (§ 307); (2) limiting the reporting requirement to subjects such as fraud and financial wrongdoing; and (3) promptly notifying any accused employee of the details of any ethics complaint.
One word of caution must be given about the final option suggested in the article, however. This option discussed the implementation of different legal entities, one for European operations, and one for operations in the United States. Before considering this, the company should examine the recent New York federal opinion in O’Mahony v. Accenture Ltd, ___ F.Supp.2d ___, 2008 WL 344710 (S.D.N.Y. 2008), which finds that a foreign subsidiary of a U.S. Company may be subject to SOX regulations in certain situations. The Accenture case will be discussed in greater detail in a subsequent post.
AN EMPLOYEE’S ASSISTANCE IN RESPONDING TO A SUBPOENA BY A GRAND JURY WAS POTENTIALLY “ASSISTING” A PROCEEDING AND THEREFORE POTENTIALLY A PROTECTED ACTIVITY
April 2, 2008 | Leave a Comment
In Miles v. Wal-Mart Stores, Inc.,No. 5:06-CV-05162 (W.D.Ark. Jan. 25, 2008), the court found that the Plaintiff had created a geniune issue of material fact as to whether she engaged in protected activity under SOX because she had provided assistance to the FBI and an Assistant U.S. Attorney in connection with Wal-Mart’s response to a grand jury subpoena calling for production of documents concerning union-related labor relations and the investigation of a former executive for suspected fraud. The Plaintiff had objected to an instruction to shred certain documents being digitized in her labor relations department which she believed might have been subject to the subpoena. Wal-Mart argued that the Plaintiff had only aided an “investigation” as opposed to a “proceeding.” The court found that under the circumstances, a genuine issue of material fact existed as to whether the Plaintiff engaged in protected activity.
The section of the Sarbane-Oxley Act that potentially applied was the second prong of the protected activity provision of Sarbanes-Oxley which prohibits publicy traded companies from discrimination against an employr or other covered person that: files, causes to be filed, testifies, participates in, or otherwise assists in a proceeding filed or about to be filed (with any knowledge of the employer) relating to an alleged violation of section 1341, 1343, 1344, or 1348, any rule or regulation of the Securities and Exchange Commission, or any provision of Federal law relating to fraud against shareholders. 18 U.S.C. 1514A(a) (2004).
SOX Investigations: Isilon Systems, Inc.
April 1, 2008 | Leave a Comment
An example of a recent investigation is reflected in the recent press release of Isilon Systems, Inc. (NASDAQ: ISLN). The release stated that the Company’s Board of Directors, based upon the recommendation of the Audit Committee, determined that the Company should restate its financial statements for fiscal year ended December 31, 2006, and for the first and second quarters of fiscal 2007, ended April 1, 2007 and July 1, 2007 respectively.
The release reported that the Audit Committee, assisted by independent forensic accounting and legal advisors, conducted an independent review of certain sales to resellers and other customers to determine whether commitments were made that have an impact on the timing and treatment of revenue recognition and whether the Company’s internal controls relating to revenue recognition are sufficient. The Audit Committee identified errors in the Company’s previous recognition of revenue.
The release stated that the Audit Committee concluded that none of the Company’s current senior executives engaged in improper practices or are otherwise responsible for the errors in revenue recognition.
One of the transactions restated was a sale directly to an end-user customer for which the terms and conditions were not fixed or determinable. The release states that revenue from this sale will be recognized in a subsequent period when the terms become fixed or determinable and all other criteria for the recognition of revenue are met.
The press release also contained forward-looking statements regarding future events, including statements regarding an ongoing review by the Company’s Audit Committee.