Chapter 6: The US Sarbanes-Oxley Act of 2002

BACKGROUND

On July 30 2002, US President George W Bush signed into law the Sarbanes-Oxley Act, which he called the "most far-reaching reforms of American business practice since the time of Franklin Delano Roosevelt." The Sarbanes-Oxley Act significantly modified the US federal securities laws and has led to an unprecedented wave of rulemaking by the SEC.

We summarize below the key provisions of the Sarbanes-Oxley Act and the SEC's rules under the Act that are relevant to foreign private issuers.

(i) Who is subject to Sarbanes-Oxley?

The Sarbanes-Oxley Act applies to all issuers - including foreign private issuers - that:

• have registered securities under the Exchange Act;
• are required to file reports under Section 15(d) of the Exchange Act; or
• have filed a registration statement under the Securities Act that has not yet become effective.²⁹⁵

This means, for example, that any foreign private issuer that has listed its securities in the United States, or issued securities to the public in the United States whether or not listed (such as in a registered exchange offer for high-yield bonds) is subject to the Sarbanes-Oxley Act. A foreign private issuer that has not sold securities to the public in the United States, or that is exempt from Exchange Act registration by virtue of Exchange Act Rule 12g3-2(b) is not subject to the requirements of the Sarbanes-Oxley Act. Accordingly, in this section of the Overview when we refer below to "issuers" and "foreign private issuers" we mean those companies that are subject to Sarbanes-Oxley.

Although the Sarbanes-Oxley Act does not generally distinguish between US domestic and foreign private issuers, the SEC has, in its implementing rules, made various exceptions for the benefit of foreign private issuers.

(ii) When does Sarbanes-Oxley take effect?

The Sarbanes-Oxley Act's provisions have taken effect at different times, ranging from immediately upon enactment to later dates specified in the Act or on which the required SEC implementing regulations come into force. Annex C lists the effective dates for certain key provisions of Sarbanes-Oxley and the related SEC rules.

KEY PROVISIONS OF SARBANES-OXLEY, AND RELATED SEC RULEMAKING

(i) Certification requirements

Sarbanes-Oxley contains two overlapping certifications that must be provided by an issuer's principal executive officer and principal financial officer, or persons performing similar functions (respectively, the CEO and the CFO): the Section 302 certification, and the Section 906 certification. Section 302 amends the Exchange Act, whereas Section 906 amends the US federal criminal code.

(a) Section 302

Section 302(a) of the Sarbanes-Oxley Act directs the SEC to adopt rules requiring CEO and CFO certification of each annual or quarterly report filed by issuers. In response, the SEC has adopted new Exchange Act Rules 13a-14, 15d-14, 13a-15 and 15d-15; new Item 15 of Form 20-F; and the text of a certification for Form 20-F.²⁹⁶ The certification rules, Item 15 and the certification text took effect on August 29 2002.²⁹⁷

However, the certification rules, Item 15 and the certification text have been further modified by the rules adopted under Section 404 of the Sarbanes-Oxley Act.²⁹⁸ As a result, we have summarized below the revised versions of the certification rules, Item 15 and the certification text. The revised versions generally took effect August 14 2003 (with certain exceptions that we note below).²⁹⁹

(1) Exchange Act Rules 13a-14, 15d-14; Form 20-F
Rules 13a-14 and 15d-14 require a foreign private issuer's annual report on Form 20-F (but not its current reports on Form 6-K)³⁰⁰ to include separate certifications by the issuer's CEO and CFO.³⁰¹ The certifications must state that:³⁰²

• the officer has reviewed the annual report;
• based on the officer's knowledge, the annual report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading;
• based on the officer's knowledge, the financial statements, and other financial information included in the annual report, fairly present in all material respects the financial condition, results of operations and cash flows of the issuer;
• the CEO and CFO are responsible for establishing and maintaining "disclosure controls and procedures"³⁰³ [and "internal control over financial reporting"³⁰⁴]³⁰⁵ for the issuer and have:
  - designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under their supervision, to ensure that material information relating to the issuer, including its consolidated subsidiaries, is made known to them by others within those entities;
  - [designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under their supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;]³⁰⁶
  - evaluated the effectiveness of the issuer's disclosure controls and presented in the annual report their conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by the report based on such evaluation;³⁰⁷ and
  - disclosed in the report any change in the issuer's internal control over financial reporting that occurred during the period covered by the report that has materially affected, or is reasonably likely to materially affect, the issuer's internal control over financial reporting; and
• the CEO and CFO have disclosed, based on their most recent evaluation of internal control over financial reporting, to the issuer's auditors and the audit committee:
  - all significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the issuer's ability to record, process, summarize and report financial information; and
  - any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal control over financial reporting.

The certifications must be included as an exhibit to the issuer's annual report on Form 20-F.³⁰⁸ Except for the portions of the certifications appearing above in square brackets (which do not come into effect until April 15 2005), the wording of the certification may not be changed in any respect, even if the changes would appear to be inconsequential.³⁰⁹

(2) Disclosure controls and procedures - Exchange Act Rules 13a-15 and 15d-15; Item 15 of Form 20-F
Under Rules 13a-15 and 15d-15, a foreign private issuer must maintain disclosure controls and procedures.³¹⁰ In addition, as of the end of each fiscal year, the issuer's management, with the participation of the CEO and CFO, must make an evaluation of the effectiveness of the issuer's disclosure controls and procedures.³¹¹ Finally, under Item 15 of Form 20-F, the issuer must disclose the conclusions of its CEO and CFO regarding the effectiveness of the disclosure controls and procedures based on their review as of the end of the period to which the report relates.³¹²

For the purposes of Rules 13a-15 and 15d-15, and Item 15 of Form 20-F (as well as the required certifications of Rules 13a-14 and 15d-14), "disclosure controls and procedures" means controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports that it files or submits under the Exchange Act is (i) recorded, processed, summarized and reported in a timely fashion, and (ii) accumulated and communicated to the issuer's management, to allow for timely decisions about disclosure.³¹³

(3) Violations of Section 302
While Section 302 carries no specific criminal sanctions, false certifications are subject to SEC enforcement action for violating the Exchange Act and also possibly to both SEC and private litigation alleging violations of the anti-fraud provisions of the Exchange Act (for example, Section 10(b) of the Exchange Act and Exchange Act Rule 10b-5). A false certification also may have liability consequences under Sections 11 and 12(a)(2) of the Securities Act if the accompanying report is incorporated by reference into a registration statement (for example, on Form F-3) or into a prospectus.

(b) Section 906

Section 906, which added new Section 1350 to the US federal criminal code, took effect immediately upon enactment of the Sarbanes-Oxley Act on July 30 2002. Section 906 requires that each periodic report containing financial statements filed by an issuer must be accompanied by a certification by the issuer's CEO and CFO that:

• the periodic report fully complies with the requirements of Section 13(a) or Section 15(d) of the Exchange Act; and
• the information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer.

Although Section 906 is self-implementing, the SEC has adopted Exchange Act Rules 13a-14(b) and 15d-14(b) to require that the Section 906 certification (which may be a joint certification of the CEO and CFO) must be provided, and must be furnished as an exhibit to the relevant periodic report.³¹⁴ Because the Section 906 certification is not considered "filed" as a technical matter, it would not attract liability under Section 18 of the Exchange Act or be incorporated by reference into the issuer's subsequent Securities Act registration statements (unless specifically incorporated by the issuer).³¹⁵

(1) Violations of Section 906
Under Section 906, an officer who certifies a statement "knowing that the periodic report accompanying the statement" does not meet the certification can be fined not more than $1 million or imprisoned for not more than 10 years, or both. By contrast, an officer who willfully certifies his or her written statement while knowing that the annual report does not "comport with all the requirements" of Section 906 can be fined not more than $5 million or imprisoned not more than 20 years, or both. The distinction between "knowing" and "willful" certification is not set out in the Sarbanes-Oxley Act, but in other contexts "willfully" normally requires a showing that the person had specific knowledge of the law he or she was violating, whereas "knowingly" does not.³¹⁶

(c) Differences between Section 906 and Section 302 certifications

Although the text of the two required certifications overlap, there are some important differences between them. First, unlike Section 302, the SEC has not issued specific guidance on whether Section 906 applies to current reports on Form 6-K. We believe the Section 906 certification is not required for Form 6-K current reports (in view, among other things, of the fact that the SEC's rules implementing Section 302 only apply to annual reports on Form 20-F). In April 2003, however, US Senator Joseph R Biden inserted comments into the US Congressional Record to the effect that the Section 906 certification was intended to apply to Form 6-K submissions containing financial statements.³¹⁷ The SEC has taken note of Senator Biden's comments, and although it stated that it was "concerned that extending Section 906 certifications to Forms 6-K or 8-K could potentially chill the disclosure of information by companies," it went on to comment that it was "considering, in consultation with the US Department of Justice, the application of Section 906 to current reports on Forms 6-K and 8-K and annual reports on Form 11-K and the possibility of taking additional action."³¹⁸

Second, in contrast to the Section 302 certification, the text of the Section 906 certification does not explicitly provide for the officer to certify as to his or her knowledge. However, the US Department of Justice has confirmed that an officer may qualify a Section 906 certification to his or her knowledge because knowledge would, in any event, be a necessary element of criminal prosecution.³¹⁹

Third, whereas the Section 302 certification is required for any amendment to an annual report on Form 20-F, the SEC has stated that Form 20-F amendments do not require a new Section 906 certification.³²⁰

(ii) Management's reports on internal control over financial reporting

Section 404 of Sarbanes-Oxley directs the SEC to issue rules requiring an issuer's annual report to contain (i) an internal control report from management and (ii) an attestation report of the issuer's independent auditor. The SEC has accordingly adopted new Rules 13a-15 and 15d-15 under the Exchange Act, and new Item 15 of Form 20-F. A foreign private issuer must comply with these rules in connection with its annual report on Form 20-F for the first fiscal year ending on or after April 15 2005.³²¹

For the purposes of Rules 13a-15 and 15d-15, and Item 15 of Form 20-F (as well as the required certifications of Rules 13a-14 and 15d-14), "internal control over financial reporting" is defined as a process designed by, or under the supervision of, the issuer's CEO and CFO, and effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles, and includes those policies and procedures that:

• pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
• provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and
• provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.³²²

(a) Exchange Act Rules 13a-15 and 15d-15

In addition to requiring the maintenance of disclosure controls and procedures, Rules 13a-15 and 15d-15 require a foreign private issuer to maintain internal control over financial reporting.³²³ As with disclosure controls and procedures, management (with the participation of the CEO and CFO) must evaluate the effectiveness of the issuer's internal control over financial reporting as of the end of each fiscal year.³²⁴ The SEC has, however, specified that management's evaluation must be based on a recognized control framework established by a body or group that has followed due-process procedures, including a broad distribution of the framework for public comment.³²⁵ Furthermore, the issuer's management must also evaluate whether during the fiscal year any change in the issuer's internal control over financial reporting occurred which materially affected, or is reasonably likely to materially affect, the issuer's internal control over financial reporting.³²⁶

(b) Item 15 of Form 20-F

In an issuer's annual report on Form 20-F, management must provide a report on the issuer's internal control over financial reporting that contains, among other things:³²⁷

• a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting;
• a statement identifying the framework used by management to evaluate the effectiveness of the issuer's internal control over financial reporting;
• management's assessment of the effectiveness of the issuer's internal control over financial reporting as of the end of the most recent fiscal year, including a statement as to whether or not the issuer's internal control over financial reporting is effective (including the disclosure of any material weakness in the issuer's internal control over financial reporting discovered by management);³²⁸ and
• a statement that the independent auditor that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the issuer's internal control over financial reporting (the independent auditor's attestation report must also be provided in the annual report).³²⁹

An issuer must maintain "evidential matter, including documentation" to provide reasonable support for management's assessment of the issuer's internal control over financial reporting.³³⁰

In addition, the issuer must also disclose any change in its internal control over financial reporting, identified in connection with the CEO and CFO's evaluation as of the end of the fiscal year, that occurred during the period covered by the annual report that has materially affected, or is reasonably likely to materially affect, the issuer's internal control over financial reporting.³³¹ The SEC has cautioned that while there is no explicit requirement in the rules under Section 404 to disclose the reasons for any such change, an issuer must consider whether the anti-fraud provisions of the US federal securities laws would require that disclosure, together with other information about the circumstances surrounding the change.³³²

(iii) Non-Gaap financial measures

Section 401(b) of the Sarbanes-Oxley Act requires the SEC to issue rules limiting the use of pro forma financial information in various ways. In response, the SEC has adopted both a new disclosure regulation, Regulation G, and new rules applicable to disclosure in filings with the SEC under Item 10 of Regulation S-K.³³³ The SEC has chosen to refer in the rules to "non-Gaap financial measures" rather than pro forma financial information, to avoid confusion with existing SEC rules on pro forma financial information (such as Article 11 of Regulation S-X).³³⁴

(a) Regulation G

Regulation G applies whenever an issuer, or a person acting on its behalf, publicly discloses material information that includes a non-Gaap financial measure.³³⁵ A "non-Gaap financial measure" is broadly defined as a numerical measure of financial performance that excludes (or includes) amounts that are otherwise included (or excluded) in the comparable measure calculated and presented in the financial statements under Gaap.³³⁶ For a foreign private issuer, "Gaap" means the local Gaap under which the financial statements were prepared, unless the measure in question is derived from US Gaap, in which case Gaap means US Gaap for purposes of applying the requirements of Regulation G to the disclosure of the measure.³³⁷

Regulation G requires that disclosure of this sort be accompanied by the most directly comparable financial measure calculated in accordance with Gaap, and a reconciliation of the differences between the two.³³⁸ In addition, Regulation G prohibits an issuer from making any non-Gaap financial measure public if it contains a material misstatement or omits to include information needed to make the included measure not misleading.³³⁹ Regulation G took effect on March 28 2003.³⁴⁰

A foreign private issuer is exempt from Regulation G if:³⁴¹

• its securities are listed or quoted outside the United States;
• the non-Gaap financial measure being used is not derived from or based on a measure calculated and presented in accordance with US Gaap; and
• the disclosure is made outside the United States.

(b) Regulation S-K Item 10(e)

Distinct from Regulation G, the SEC has adopted limitations on the use of non-Gaap financial measures in filings (whether annual reports on Form 20-F, or registration statements in connection with offerings in the United States or US listings) as new Item 10(e) of Regulation S-K. Item 10(e) applies to any SEC filings made in respect of financial years ended after March 28 2003.³⁴²

Item 10(e) requires that whenever an issuer includes a non-Gaap financial measure in an SEC filing it must also include:³⁴³

• a presentation, with equal or greater prominence, of the most directly comparable Gaap financial measure;
• a reconciliation of the differences between the non-Gaap financial measure and the most directly comparable Gaap financial measure;
• a statement why management believes the non-Gaap financial measure provides useful information for investors; and
• to the extent material, a statement of the additional purposes for which management uses the non-Gaap financial measure.

Furthermore, Item 10(e) prohibits in SEC filings, among other things:³⁴⁴

• non-Gaap measures of liquidity that exclude items requiring cash settlement, other than EBIT and EBITDA;
• the adjustment of non-Gaap measures of performance to eliminate or smooth items characterized as non-recurring, unusual or infrequent when the nature of the charge or gain is such that it is reasonably likely to recur within two years or there was a similar charge or gain within the prior two years; and
• the use of titles or descriptions for non-Gaap financial measures that are the same as, or confusingly similar to, titles or descriptions used for Gaap financial measures.

Item 10(e) contains an exemption from these prohibitions for a foreign private issuer if the non-Gaap financial measure relates to the local Gaap used in the issuer's primary financial statements, is required or expressly permitted by the standard-setter that establishes the local Gaap, and is included in the issuer's annual report for its home jurisdiction.³⁴⁵

(iv) Off-balance sheet and other MD&A disclosure

Section 401(a) of the Sarbanes-Oxley Act requires the SEC to implement rules requiring issuers to disclose material off-balance sheet transactions. The SEC's rules go beyond off-balance sheet transactions, however, and also address certain topics covered in its prior MD&A initiatives.³⁴⁶ The rules take the form of amendments to Item 5 of Form 20-F, and accordingly apply to all registration statements filed by foreign private issuers (whether under the Securities Act or Exchange Act), as well as annual reports.

(a) Off-balance sheet arrangements

Effective for SEC filings for fiscal years ending on or after June 15 2003,³⁴⁷ an issuer must disclose, in a separately captioned section of MD&A, off-balance sheet arrangements that either have, or are reasonably likely to have, a current or future material effect on the issuer's financial condition, results of operations, or liquidity.³⁴⁸ To the extent necessary to understand these arrangements, the disclosure must include:³⁴⁹

• the nature and business purpose of the off-balance sheet arrangements;
• the importance to the issuer of the off-balance sheet arrangements in respect of liquidity, capital resources, market risk support, credit support or other benefits;
• the amount of revenues, expenses and cash flows arising from these arrangements;
• the nature and amounts of any interests retained, securities issued or amounts incurred by the issuer under these arrangements;
• the nature and amounts of any other obligations or liabilities (contingent or otherwise) arising from these arrangements that are reasonably likely to become material and the triggering events that could cause them to arise; and
• any known events or trends that will, or are reasonably likely to, result in the termination or reduction in availability to the issuer of these arrangements and the course of action the issuer proposes to take in response.

An "off-balance sheet arrangement" is defined to include any transaction, agreement or contractual arrangement to which an entity unconsolidated with the issuer is a party under which the issuer has certain obligations or interests.³⁵⁰ Because the definition of "off-balance sheet arrangement" incorporates concepts from US Gaap, foreign private issuers will need to refer to US Gaap for some of the disclosure items.³⁵¹ However, the MD&A disclosure should focus on the primary financial statements in the document (while taking reconciliation to US Gaap into account).³⁵²

(b) Table of contractual obligations

For fiscal years ending on or after December 15 2003,³⁵³ an issuer must also include in its SEC filings a table of contractual obligations as of the end of the latest balance sheet date showing the following items:³⁵⁴

The term "purchase obligations" means an enforceable agreement to purchase goods or services that is binding on the issuer and that specifies key commercial terms (such as quantity and price).³⁵⁵ With the exception of purchase obligations, the classifications of categories shown in the table are defined by reference to US Gaap. However, an issuer that prepares financial statements in accordance with non-US Gaap should include those items of contractual obligations in the table that are consistent with the classifications used in the Gaap under which its primary financial statements are prepared.³⁵⁶

(c) Contingent liabilities and commitments

Although it has issued proposed rules with respect to disclosure requirements for contingent liabilities and commitments, the SEC has declined to adopt final rules. In the meantime, the SEC's existing guidance on the subject - which suggests a tabular format of specified categories³⁵⁷ - is controlling.³⁵⁸

(v) Standards relating to listed company audit committees

Section 301 of the Sarbanes-Oxley Act adds new Section 10A(m) of the Exchange Act. Section 10A(m) charges the SEC with creating rules to prohibit the listing of any security in the United States of an issuer that is not in compliance with certain substantive standards for audit committees. The SEC has adopted final rules under Section 301 as Exchange Act Rule 10A-3. Listed foreign private issuers must be in compliance with Rule 10A-3 by July 31 2005.³⁵⁹

Under Rule 10A-3, audit committee members each have to be a member of the board of directors and otherwise independent.³⁶⁰ To be independent, an audit committee member is barred from accepting any compensatory fees other than in that member's capacity as a member of the board³⁶¹ and may not be an affiliated person of the issuer.³⁶² The definition of "affiliated person" includes a person that, directly, or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with the specified person.³⁶³ There is, however, a safe harbour for certain non-executive officers and other persons that are 10% or less shareholders of the issuer.³⁶⁴

Foreign private issuers are entitled to certain exemptions from the independence prong of Rule 10A-3. For example, the inclusion of a non-management employee representative,³⁶⁵ a non-management affiliated person with only observer status,³⁶⁶ or a non-management governmental representative on the audit committee will not violate the affiliated person prong of the independence test.³⁶⁷ In addition, issuers involved in an IPO are entitled to certain exemptions during a transitional period following their public offering.³⁶⁸

Rule 10A-3 also requires that:

• the audit committee must be "directly responsible" for the appointment, compensation, oversight and retention of the external auditors, who must report directly to the audit committee;³⁶⁹
• the audit committee must establish procedures for the receipt, retention and treatment of complaints regarding accounting, internal controls or auditing matters, and for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters;³⁷⁰
• the audit committee must have the authority to engage independent counsel and other advisers as it deems necessary to carry out its duties;³⁷¹ and
• the issuer must provide the audit committee with appropriate funding for payment of external auditors, advisors employed by the audit committee and ordinary administrative expenses of the audit committee.³⁷²

These requirements are not intended to conflict with local legal or listing provisions (or requirements under the foreign private issuer's organizational documents), and instead relate to the allocation of responsibility between the audit committee and the issuer's management.³⁷³ Accordingly, the audit committee may recommend or nominate the appointment or compensation of the external auditor to shareholders if these matters are within shareholder competence under local law,³⁷⁴ and it must be granted those responsibilities that the board of directors can legally delegate.³⁷⁵

Rule 10A-3 contains a general exemption for foreign private issuers that have a statutory board of auditors or statutory auditors established pursuant to home country law or listing requirements, which in turn meet various requirements.³⁷⁶

A foreign private issuer relying on Rule 10A-3's exemption from independence, or the general exemption noted above, will need to disclose in its annual report its reliance on the exemptions and an assessment of whether this reliance will materially adversely affect the audit committee's ability to act independently and to satisfy any of the other requirements of Rule 10A-3.³⁷⁷

(vi) Audit committee financial expert

Section 407(a) of the Sarbanes-Oxley Act directs the SEC to issue rules requiring an issuer to disclose in its periodic reports whether its audit committee has at least one financial expert, or if not, why not.

The SEC's final rules implementing Section 407(a) use the term "audit committee financial expert" instead of "financial expert." The SEC has implemented these rules as new Item 16A of Form 20-F. Item 16A applies to annual reports of foreign private issuers for fiscal years ending on or after July 15 2003.³⁷⁸

Under Item 16A, a foreign private issuer must disclose in its annual report that the issuer's board of directors has determined whether or not it has one audit committee financial expert serving on its audit committee, or if not, why not.³⁷⁹ If the issuer has a two-tier board of directors, the supervisory or non-management board would make this determination.³⁸⁰ The issuer must also disclose the name of the audit committee financial expert (if any)³⁸¹ and whether that person is independent from management.³⁸²

In order to qualify as an audit committee financial expert, the audit committee member must have the following attributes:³⁸³

• an understanding of Gaap;
• the ability to assess the general application of Gaap in connection with the accounting for estimates, accruals and reserves;
• experience preparing, auditing or analyzing financial statements similar to those of the issuer, or actively supervising others engaged in these activities;
• an understanding of internal controls and procedures for financial reporting; and
• an understanding of audit committee functions.

In addition, an audit committee financial expert must have gained those attributes through:³⁸⁴

• education and experience as a principal financial officer, principal accounting officer, controller, public accountant or auditor, or experience in similar positions;
• experience actively supervising these functions;
• experience overseeing or assessing the performance of companies or public accountants with respect to the preparation, auditing or evaluation of financial statements; or
• other relevant experience.

The term "Gaap" as used in Item 16A refers to the body of Gaap used by the issuer in its primary financial statements.³⁸⁵ Accordingly, the audit committee financial expert of a foreign private issuer need only be versed in local Gaap, and not in US Gaap or in reconciliation to US Gaap (although that experience would, of course, be useful).³⁸⁶

Item 16A also contains a liability safe harbour for the audit committee financial expert, under which:

• a person who is determined to be an audit committee financial expert is not deemed to be an expert for any purpose, such as Section 11 of the Securities Act; and³⁸⁷
• the designation of a person as an audit committee financial expert does not impose greater duties, obligations or liabilities on the person than on other audit committee and board members, and does not affect the duties, obligations or liabilities of other audit committee and board members.³⁸⁸

(vii) Auditor independence

Title II of the Sarbanes-Oxley Act creates a series of requirements relating to the work of external auditors, grouped under the heading "auditor independence." Title II establishes new Sections 10A(g) through (l) of the Exchange Act. The SEC has implemented Title II by the adoption of amendments to S-X Rule 2-01, new S-X Rule 2-07, new Exchange Act Rule 10A-2, and new Item 16C of Form 20-F. S-X Rules 2-01 and 2-07, and Rule 10A-2, generally took effect on May 6 2003 (although many of the provisions of these rules have varying transition periods), while Item 16C takes effect for annual reports in respect of fiscal years ending after December 15 2003.³⁸⁹

Rule 10A-2 provides generally that it is unlawful for an auditor not to be independent under certain provisions of S-X Rules 2-01 and 2-07. S-X Rules 2-01 and 2-07, in turn, track - and in some cases expand upon - the requirements of Sections 10A(g)-(l), and provide (among other things):

• certain restrictions on the ability of an issuer to employ a former partner, principal, shareholder or professional employee of an accounting firm;³⁹⁰
• limitations on the non-audit services that an independent auditor may provide;³⁹¹
• that an audit partner must not act as the lead audit partner or concurring partner for more than five consecutive years, and must not provide certain other services for more than seven consecutive years;³⁹²
• that the audit committee must pre-approve the engagement of the auditor to provide audit and non-audit services to the issuer or its subsidiaries, or for policies or procedures for pre-approval of audit and non-audit services (subject to certain de minimis exceptions);³⁹³
• that no audit partner may earn compensation based on the partner's procuring engagements with the issuer to provide any services other than audit, review or attest services;³⁹⁴ and
• that an auditor must report to the audit committee on (i) all critical accounting policies and practices to be used; (ii) all alternative treatments of financial information within Gaap that have been discussed with the issuer's management (as well as the implications of those alternatives and the auditor's preferred treatment); and (iii) all other material written communications between the auditors and management.³⁹⁵

Under new Item 16C of Form 20-F, a foreign private issuer must disclose in its annual report:

• under the caption "audit fees," aggregate fees billed by the auditor for each of the last two fiscal years for audit services (and services in connection with statutory and regulatory filings);³⁹⁶
• under the caption "audit-related fees," aggregate fees billed by the auditor for each of the last two fiscal years for certain services "reasonably related" to the audit and review of financial statements, as well as a description of these services;³⁹⁷
• under the caption "tax fees," aggregate fees billed by the auditor for each of the last two fiscal years for tax services, as well as a description of these services;³⁹⁸
• under the caption "all other fees," aggregate fees billed by the auditor for each of the last two fiscal years for all other products and services, as well as a description of these services;³⁹⁹
• the pre-approval policies and procedures of its audit committee for audit and non-audit services;⁴⁰⁰ and
• if greater than 50%, the percentage of hours expended on the audit by persons other than full-time permanent employees of the auditor.⁴⁰¹

(viii) Improper influence on the conduct of audits

Section 303 of the Sarbanes-Oxley Act directs the SEC to issue rules prohibiting any officer or director of an issuer from taking any action to improperly influence an auditor for the purpose of rendering the issuer's financial statements materially misleading.

The SEC has adopted Exchange Act Rules 13b2-2(a) through (c), largely tracking the text of Section 303. Rules 13b2-2(a) through (c) took effect on June 27 2003.⁴⁰² Among other things, the rules prohibit an officer or director of an issuer, or any other person acting under the direction of an officer or issuer, from taking any action to coerce, manipulate, mislead or fraudulently influence an auditor engaged in the performance of an audit or review of financial statements of the issuer that are required to be filed with the SEC if that person knew or should have known that his or her actions, if successful, could result in rendering the issuer's financial statements materially misleading.⁴⁰³

The reach of the new rules is quite broad. The phrase "persons acting under the direction" of an officer or director includes the issuer's employees (even if they are not under the supervision or control of that officer or director), customers, vendors, and even lawyers or other outside advisors who might be in a position to give out false or misleading information to the auditor. ⁴⁰⁴

In addition, the period during which an auditor can be said to be "engaged in the performance of an audit" has been given a wide interpretation by the SEC. It accordingly could encompass not only the professional engagement period but any other time the auditor is called upon to make decisions or judgments regarding the issuer's financial statements, including, in certain situations, periods prior to and after the retention of the auditor.⁴⁰⁵

Rule 13b2-2 also identifies certain types of actions which could cause an issuer's financial statements to be materially misleading, including improperly influencing an auditor:

• to issue or reissue a report on an issuer's financial statements that is not warranted in the circumstances (due to material violations of Gaap, Gaas, or other professional or regulatory standards);
• not to perform audit, review or other procedures required by Gaas or other professional standards;
• not to withdraw an issued report; or
• not to communicate matters to an issuer's audit committee.⁴⁰⁶

(ix) Auditor record retention

Section 802 of the Sarbanes-Oxley Act (which amends the US federal criminal code) requires any accountant who conducts an audit of an issuer to maintain all audit or review workpapers for a period of five years from the end of the fiscal period in which the audit or review was concluded. Section 802 also requires the SEC to issue rules relating to the retention of relevant records such as workpapers and other documents that form the basis of the review. In response, the SEC has added new Rule 2-06 to Regulation S-X. Rule 2-06 took effect on March 3 2003.⁴⁰⁷

Rule 2-06 requires that, for a period of seven years after an accountant concludes an audit or review of an issuer's financial statements, the accountant must retain records relevant to the audit or review, including workpapers, which:⁴⁰⁸

• are created, sent or received in connection with the audit or review; and
• contain conclusions, opinions, analyses or financial data related to the audit or review.

"Workpapers" for these purposes means documentation of auditing or review procedures applied, evidence obtained, and conclusions reached by the accountant in the audit or review engagement.⁴⁰⁹

Rule 2-06 also provides that memoranda, correspondence, communications, and other documents and records (including electronic records) must be retained whether they support the auditor's final conclusions about the audit or review, or contain information that is inconsistent with those conclusions.⁴¹⁰

(x) Material correcting adjustments

Section 401(a) of the Sarbanes-Oxley Act adds new Section 13(i) to the Exchange Act. Under Section 13(i), each financial report containing financial statements that is prepared in accordance with (or reconciled to) US Gaap and filed with the SEC must reflect all material correcting adjustments that have been identified by an issuer's auditors. This provision took effect on July 30 2002, and does not require implementing regulations by the SEC.

The SEC has not provided guidance on the question whether Section 13(i) applies to interim financial statements submitted on Form 6-K. We believe the better view of Section 13(i) is that it applies only to a foreign private issuer's annual report on Form 20-F, and not to any interim financial statements furnished to the SEC under Form 6-K. Submissions on Form 6-K are not considered "filed" as a technical matter with the SEC, and are not required to be reconciled to US Gaap. In addition, the SEC has interpreted the Section 302 certification requirement - which also refers to reports filed with the SEC - as not applying to Form 6-K submissions.⁴¹¹ As a practical matter, however, an issuer would likely face concerns under the anti-fraud provisions of the US federal securities laws if it failed to reflect a material correcting adjustment in an interim financial statement furnished on Form 6-K.

(xi) Attorney conduct rules

Section 307 of the Sarbanes-Oxley Act requires the SEC to issue rules setting forth "minimum standards of professional conduct for attorneys appearing and practicing before the SEC in any way in the representation of issuers." Section 307 also directs the SEC to implement rules requiring an attorney to report "evidence of a material violation of securities law or breach of fiduciary duty or similar violation" by an issuer or its agent to the issuer's CEO or chief legal counsel, and to report the evidence to the audit committee, another independent board committee, or the board of directors as a whole, if the CEO or chief legal counsel "does not appropriately respond to the evidence." The SEC adopted final rules under Section 307 as new Part 205 Standards of Professional Conduct for Attorneys Appearing and Practicing Before the Commission in the Representation of an Issuer (the Attorney Conduct Rules).⁴¹² The Attorney Conduct Rules took effect on August 5 2003.

The term "appearing and practicing" before the SEC is broader than it might first appear. It potentially covers any lawyer who transacts business with the SEC, represents an issuer in SEC proceedings, provides advice on the US securities laws regarding any document the attorney "has notice" will be provided to the SEC (including in the context of preparing documents to be filed), or advises an issuer whether information must be included in or filed with any SEC document.⁴¹³ However, the Attorney Conduct Rules contain an exemption for "non-appearing foreign attorneys,"⁴¹⁴ which is defined as a lawyer who (i) is himself or herself admitted to practice law in a jurisdiction outside of the United States and does not hold himself or herself out as practicing US federal or state securities or other laws, and (ii) either:

• conducts activities that would constitute appearing and practicing before the SEC only incidentally to, and in the ordinary course of, the practice of law in a jurisdiction outside the United States; or
• is appearing and practicing before the SEC only in consultation with counsel, other than a non-appearing foreign attorney, admitted or licensed to practice in a state or other United States jurisdiction.⁴¹⁵

If a covered lawyer becomes aware of evidence of a "material violation" - which is defined to include a material violation of US securities law or a breach of fiduciary duty or a similar material violation of any US federal or state law⁴¹⁶ - the Attorney Conduct Rules create a duty to report the matter to the issuer's chief legal officer (CLO) or to both the CLO and the CEO.⁴¹⁷ The CLO must then open an inquiry into the matter and take all reasonable steps to cause the issuer to adopt an appropriate response.⁴¹⁸ Unless the lawyer reasonably believes that the CLO's response was adequate, he or she must report the matter up-the-ladder to the audit committee, to another independent board committee (if the issuer does not have an audit committee), or to the board of directors as a whole (if there is no independent board committee).⁴¹⁹

As an alternative to reporting to the CLO or CEO, the lawyer may refer the matter to the issuer's qualified legal compliance committee (QLCC), if one has been set up.⁴²⁰ A QLCC - which may also be the audit committee - is any committee of the issuer that includes at least one member of the audit committee and two or more non-employee members of the board of directors, and that has been duly established by the board of directors with certain requirements.⁴²¹ If the lawyer reports the matter to the QLCC, he or she has no further obligations under the Attorney Conduct Rules.⁴²² In addition, the CLO may refer a reported matter to the QLCC in lieu of conducting the required investigation, in which case the QLCC will be responsible for responding.⁴²³

The SEC has also proposed, but not yet adopted, a noisy withdrawal provision, under which a covered lawyer would be required to withdraw from representing an issuer under certain circumstances if there is not an appropriate response to the up-the-ladder reporting.⁴²⁴ The 60-day comment period for the noisy withdrawal proposal has expired, and the proposal has been the subject of extensive comment by US lawyers.

(xii) Code of ethics

Section 406 of the Sarbanes-Oxley Act directs the SEC to issue rules requiring issuers to disclose whether they have adopted a code of ethics for senior financial officers, or if not, why not. The SEC has accordingly adopted new Item 16B of Form 20-F, which takes effect for annual reports for fiscal years ending on or after July 15 2003.⁴²⁵

Item 16B requires the issuer to disclose whether it has adopted a code of ethics that applies to its principal executive officers, principal financial officers, and principal accounting officer or controller (or persons performing similar functions), and if not, it must explain why it has not done so.⁴²⁶ The term "code of ethics" means written standards that are reasonably designed to deter wrongdoing and to promote a specified set of principles, such as honest and ethical conduct and full, accurate and timely disclosure.⁴²⁷ The code must be filed as an exhibit to the issuer's annual report on Form 20-F or posted on the issuer's website, or the issuer must undertake to provide to any person upon request, free of charge, a copy of the code.⁴²⁸ An issuer must report any amendment to the code relating to its covered executive officers, as well as the nature and date, and name of the person involved, of any waivers (whether explicit or implicit) of the code for its covered executive officers.⁴²⁹

(xiii) Blackout trading restrictions

Section 306 of the Sarbanes-Oxley Act prohibits directors and executive officers from acquiring or transferring company equity securities during pension fund blackout periods. The SEC has adopted new Regulation Blackout Trading Restrictions (Regulation BTR) to implement Section 306. Regulation BTR took effect on January 26 2003.⁴³⁰

For a foreign private issuer, a blackout period generally means any period of more than three consecutive business days during which the ability to purchase or sell an interest in the issuer's equity securities held in an individual account plan (such as a 401(k) plan)⁴³¹ is temporarily suspended with respect to not less than 50% of participants or beneficiaries located in the United States and:

• the number of participants and beneficiaries located in the United States subject to the temporary suspension exceeds 15% of the total number of employees of the issuer and its consolidated subsidiaries; or
• more than 50,000 participants or beneficiaries located in the United States are subject to the temporary suspension.⁴³²

Regulation BTR prohibits, subject to certain exceptions, any director or executive officer of an issuer from purchasing, selling or otherwise transferring the issuer's equity securities during any blackout period applicable to the securities, if the officer acquires or previously acquired the securities in connection with his or her service or employment as a director or officer.⁴³³ Under Regulation BTR, in any case where a director or officer is subject to a blackout trading restriction under Section 306 of Sarbanes-Oxley, the issuer must notify in a timely fashion each director or officer and the SEC of the blackout period and provide certain additional information (including the reasons for the blackout period).⁴³⁴ The issuer must file any notice of this type as an exhibit to its annual report on Form 20-F.⁴³⁵

Subject to a two-year statute of limitations,⁴³⁶ profits realized by an insider in violation of Section 306 (regardless of the insider's intention upon entering into the transaction) will be recoverable by the issuer.⁴³⁷ In addition, if the issuer fails to institute an action to recover such profits within 60 days after being requested to do so by a shareholder, the shareholder can then initiate the action to recover on behalf of the issuer.⁴³⁸

(xiv) Loans to executives

Section 402(a) of the Sarbanes-Oxley Act adds new Section 13(k) to the Exchange Act. Under Section 13(k), it is illegal for an issuer to "extend or maintain credit, to arrange for the extension of credit, or to renew an extension of credit, in the form of a personal loan to or for any director or executive officer (or equivalent thereof)" of that issuer.⁴³⁹ Section 13(k) covers both direct extensions and indirect extensions of credit, including through subsidiaries.⁴⁴⁰ Section 13(k) took effect on July 30 2002, and does not require implementing SEC regulations.

Section 13(k) contains certain exemptions, including:

• any loan existing on July 30 2003, unless its terms are materially modified or the loan is renewed;⁴⁴¹
• consumer credit and extensions of credit under a charge card;⁴⁴² and
• certain bank loans.⁴⁴³

The broad sweep of Section 13(k), coupled with the absence of SEC guidance, has raised a number of thorny questions for issuers. In response, a group of 25 law firms (including Latham & Watkins) has issued a paper attempting to interpret Section 13(k) (the Interpretive Paper).⁴⁴⁴ The Interpretive Paper contends that the following should generally be regarded as permissible under Section 13(k):

• cash advances to reimburse travel and similar expenses while performing executive duties;⁴⁴⁵
• personal usage of a company credit card and company car, and relocation expenses required to be reimbursed;⁴⁴⁶
• stay and retention bonuses subject to repayment if an employee terminates employment before a designated date;⁴⁴⁷
• indemnification advances for litigation;⁴⁴⁸
• tax indemnity payments to overseas-based executive officers;⁴⁴⁹
• loans by a parent or shareholder that is a foreign private issuer but not subject to Sarbanes-Oxley to the executive officer of a wholly-owned subsidiary that is subject to Sarbanes-Oxley, if the subsidiary has not "arranged" the loan and the loan is made by reason of service to the parent, not the subsidiary;⁴⁵⁰ and
• most cashless option exercises.⁴⁵¹

(xv) Forfeiture of bonuses

Section 304 of the Sarbanes-Oxley Act provides that if an issuer is required to "prepare an accounting restatement due to the material noncompliance of the issuer, as a result of misconduct" with any financial reporting requirements under the securities laws, the CEO and CFO must reimburse the issuer for:

• all bonuses or other incentive-based or equity-based compensation received from the issuer during the 12-month period following the first public issuance or filing with the SEC (whichever is first) of the financial document embodying the financial reporting requirement; and
• any profits received from the sale of the issuer's securities during that 12-month period.

Section 304 took effect on July 30 2002 and does not require SEC implementing rules. It remains unclear whether, among other things, the definition of "misconduct" applies to mistakes as opposed to knowing or reckless conduct.⁴⁵² In the case of foreign private issuers, it is also not certain how Section 304 will work if the required repayment is in conflict with the CEO's or CFO's rights under local employment laws.⁴⁵³

(xvi) Research analysts

Section 501 of the Sarbanes-Oxley Act added new Section 15D to the Exchange Act. Section 15D directs the SEC to adopt rules "reasonably designed to address conflicts of interest" involving securities analysts. The SEC has implemented Section 15D by enacting Regulation Analyst Certification (Regulation AC).⁴⁵⁴ In addition, as discussed below, the NYSE and NASD have issued new rules regarding research analysts that are designed to meet the requirements of Section 15D. Regulation AC took effect on April 14 2003.

Regulation AC requires that any broker or dealer, or certain persons associated with brokers or dealers, must include in any research reports that they publish or circulate to a US person in the United States, a clear and prominent statement from the research analyst:⁴⁵⁵

• attesting that all of the views expressed in the research report accurately reflect the research analyst's personal views about the securities or issuers covered in the report; and
• either that no part of the analyst's compensation is related to specific recommendations expressed in the report, or if it is related, details of the source, amount and purpose of the compensation and how the compensation could influence the recommendations expressed in the report.

A research analyst is the person primarily responsible for the preparation of the content of the research report.⁴⁵⁶ If more than one analyst is primarily responsible, all must certify.⁴⁵⁷ Certifications should either appear on the front page of the research report or the front page should disclose where the certification is to be found.⁴⁵⁸ The first certification (as to accuracy) applies both to the rating as well as to the analysis in the research report, and the SEC has warned that a rating that contradicts the analysis could both render the certification false, as well as potentially violate the anti-fraud provisions of the US federal securities laws.⁴⁵⁹

In addition, Regulation AC mandates that brokers or dealers that provide research reports to US persons in the United States prepared by an analyst employed by them must keep certain quarterly records of public appearances of the analyst containing:⁴⁶⁰

• a statement by the analyst attesting that the views expressed in the public appearances accurately reflected his or her personal views about the securities or issuers covered in the report; and
• a statement that no part of the analyst's compensation is related to specific recommendations or views expressed in the public appearances.

However, the record-keeping requirement only applies to public appearances when the research analyst is physically present in the United States.⁴⁶¹

Regulation AC contains an exclusion to cover foreign research. In particular, foreign persons located outside the United States who are not associated with a US registered broker-dealer are exempt from Regulation AC if they:⁴⁶²

• prepare a research report concerning a foreign security; and
• provide the research report to a US person in the United States in accordance with the exemption under Exchange Act Rule 15a-6(a)(2) for non-US broker-dealers providing research reports to major US institutional investors.

A "foreign person" for these purposes means any non-US person, and a "foreign security" means a security issued by a foreign issuer for which the US market is not the principal trading market.⁴⁶³

(xvii) Liability issues

The Sarbanes-Oxley Act has a sweeping impact on liability under the US federal securities laws. For a discussion of this, see "Liability Under the US Federal Securities Laws - Sarbanes-Oxley Act," below.