Category: Corporate Governance

Audit committee oversight of non-GAAP financial measures

According to audit firm PwC, non-GAAP financial measures play an important role in financial reporting, “showing a view of the company’s financial or operational results to supplement what is captured in the financial statements,” and help to tell the company’s financial story, as the SEC has advocated in connection with MD&A, “through the eyes of management.” Yet, they also have the potential to open the proverbial can of worms, subjecting the company to serious SEC scrutiny and possible SEC enforcement if misused. Just a couple of weeks ago, the SEC announced settled charges against DXC Technology Company, a multi-national information technology company, for making misleading disclosures about its non-GAAP financial performance. According to the Order, DXC materially increased its reported non-GAAP net income “by negligently misclassifying tens of millions of dollars of expenses” and improperly excluding them from its reported non-GAAP earnings. In addition to misclassification, DXC allegedly provided a misleading description of the scope of the expenses included in the company’s non-GAAP adjustment and failed to adopt a non-GAAP policy or to have adequate disclosure controls and procedures in place specific to its non-GAAP financial measures. Consequently, DXC “negligently failed to evaluate the company’s non-GAAP disclosures adequately.” DXC agreed to pay a civil penalty of $8 million. (See this PubCo post.) So what can a company’s audit committee do to help prevent the types of problems that have arisen at DXC and elsewhere? Audit committees may find helpful this recent article from PwC providing guidance for committees tasked with oversight of the use of non-GAAP financial measures.

COSO introduces “internal control over sustainability reporting”

Under the pressure of institutional investors, environmental groups, employees, consumers and other stakeholders, many companies have sought to demonstrate their bona fides when it comes to ESG through disclosure about their sustainability efforts, goals and achievements, whether in periodic reports or in separate sustainability reports. But, as reporting increases, so do concerns by some about potential greenwashing. How can companies assure the quality of their sustainability reporting and create more trust and confidence among stakeholders? One way might be through effective internal controls. So far, however, according to a new report from the Committee of Sponsoring Organizations of the Treadway Commission, known as COSO, “[f]ew best practices have been established. While some larger institutions have progressed in building controls around environmental, social, and governance (ESG) reporting, many organizations have designed ad hoc controls around certain key sustainable business metrics. Many also perform internal verification and assurance procedures to ensure management comfort with this information. Yet few of them seem to have developed effective, integrated systems of internal control over their material or decision-useful sustainable business information.” Now, leveraging insights gleaned from development of the most widely used internal control framework—the COSO Internal Control-Integrated Framework—COSO has developed the concept of “internal control over sustainability reporting” (ICSR). In its new report, which weighs in at 114 pages, COSO provides supplemental guidance that explains and interprets how each of the 17 principles in the 2013 version of the COSO ICIF applies to sustainable business activities and sustainable business information. According to the authors, “[i]nternal controls have value beyond compliance and external financial reporting. Effective internal controls can help an organization articulate its purpose, set its objectives and strategy, and grow on a sustained basis with confidence and integrity in all types of information.” As companies seek to “generate sustained value—ethically and responsibly—over the longer term,” with an emphasis on sustainability and ESG, both companies and their stakeholders need effective controls and oversight to provide the reliable and high-quality data needed for “decision making in this changing world.”

Cooley Alert: DOJ amps up antitrust enforcement against interlocking directorates

The Department of Justice has stepped up its enforcement of antitrust rules against interlocking directorates. Subject to de minimis exceptions, Section 8 of the Clayton Antitrust Act prohibits the same person from serving on the boards of two competitors. But recently, the DOJ has interpreted the statute more broadly, leading to director resignations where different individuals—who were associated with the same private equity or venture capital firm—served on the boards of competing companies. Companies should take care to assess their Section 8 exposure, as discussed in this excellent Alert from the Cooley Antitrust group, Biden Justice Department Continues Focus on Interlocking Directorates. Be sure to check it out!

Sustainability reports—not a liability-free zone

In April of last year, as described in this press release, the SEC filed a complaint against Vale S.A., a publicly traded (NYSE) Brazilian mining company and one of the world’s largest iron ore producers, charging that it made “false and misleading claims about the safety of its dams prior to the January 2019 collapse of its Brumadinho dam. The collapse killed 270 people, caused immeasurable environmental and social harm, and led to a loss of more than $4 billion in Vale’s market capitalization.” The SEC alleged that Vale “fraudulently assured investors that the company adhered to the ‘strictest international practices’ in evaluating dam safety and that 100 percent of its dams were certified to be in stable condition.” Significantly, these statements were contained, not just in Vale’s SEC filings, but also, in large part, in its sustainability reports. In discussing the charges, the press release made reference to the SEC’s Climate and ESG Task Force formed in 2021 in the Division of Enforcement “with a mandate to identify material gaps or misstatements in issuers’ ESG disclosures, like the false and misleading claims made by Vale.” On Tuesday, the SEC announced that Vale had agreed to pay $55.9 million to settle the SEC charges. According to the Associate Director of Enforcement, the SEC’s “action against Vale illustrates the interplay between the company’s sustainability reports and its obligations under the federal securities law….The terms of today’s settlement, if approved by the court, will levy a significant financial penalty against Vale and demonstrate that public companies can and should be held accountable for material misrepresentations in their ESG-related disclosures, just as they would for any other material misrepresentations.”

Workplace sexual harassment has a cost—to the company, to employees, and even to shareholders

Workplace sexual harassment and related misconduct—a toxic boys’-club atmosphere—led to three recent cases against McDonald’s, its management and board. And studies have shown that workplace sexual harassment can have substantial adverse “psychological, health, and job-related consequences” for employees, often resulting in “higher employee turnover, lower employee productivity, increased absenteeism, and increased sick leave costs.” But what is the impact for shareholders? A study in the Journal of Business Ethics, “How Much Does Workplace Sexual Harassment Hurt Firm Value?”, looked at just this question. Earlier studies of the impact of workplace sexual harassment looked at the short-term impact on the market, but this study analyzed the “longer-term effect on firm value starting from the date when harassment risk affects employee morale.” The study found that sexual harassment led to much greater damage—manifested in significant reductions in stock performance and profitability—than previously realized: the stock prices of the group of companies with the highest levels of pervasive harassment underperformed those of an equivalent group with low levels of harassment by about 17%. The study also showed that these “high-SH” companies experienced a decline in operating profitability and an increase in labor costs. One of the paper’s co-authors told Corporate Secretary, “[f]inancial analysts and investors often undervalue intangibles such as the effect of a toxic work environment…But [workplace safety] is indicative of all sorts of other underlying issues, including poor control systems and overall bad governance, which can directly impact employee performance, company performance and stock market value.”

What have studies shown so far about PvP disclosure?

In August last year—12 years after the Dodd-Frank mandate—the SEC finally adopted a new rule that requires disclosure of information reflecting the relationship between executive compensation actually paid by a company and the company’s financial performance: the pay-versus-performance rules. To a significant extent, the approach taken by the SEC in this rulemaking was prescriptive and some of the prescriptive aspects of the rules were quite complex; the SEC opted not to take a “wholly principles-based approach because, among other reasons, such a route would limit comparability across issuers and within issuers’ filings over time, as well as increasing the possibility that some issuers would choose to report only the most favorable information.” But there was some flexibility built into the new rules. How would companies implement the more flexible disclosure requirements? That was the question considered by Compensation Advisory Partners, which published a report on the versions of pay-versus-performance disclosure from the earliest filers among the S&P 500. A similar study of a slightly larger group was conducted by equitymethods. The goal in each case was to try to get a sense of how companies were responding to the new disclosure requirements. What choices were companies making on peer groups, financial measures or “Company-Selected Measures”? How were companies describing the relationship between pay and performance? Just what did the new disclosure look like?

SEC Chief Accountant has advice for audit committees on lead auditors’ use of other auditors

In this new statement, SEC Chief Accountant Paul Munter—no longer “acting” Chief, he got the job—discusses some of the issues arising out of the increased use by lead auditors of other accounting firms and individual accountants (referred to as “other auditors”) on many issuer audit engagements. While, in this context, much of the responsibility falls on the lead auditors, audit committees also have an important oversight role, and Munter has some useful advice for audit committee members.

McDonald’s court dismisses Caremark claims against directors

Here we have another in a string of McDonald’s cases—all of them arising out of workplace misconduct at McDonald’s, none even dipping its toe into employment law. First, you’ll remember, there were settled charges brought by the SEC against McDonald’s and its former CEO, Stephen Easterbrook, arising out of disclosure about the termination of Easterbrook on account of workplace misconduct. Then there was the derivative Caremark litigation for breach of fiduciary duty against David Fairhurst, who formerly served as Executive Vice President and Global Chief People Officer of McDonald’s, for consciously ignoring red flags about workplace misconduct and engaging in some pretty extensive workplace misconduct himself. Now, we have a new decision out of Delaware regarding the derivative Caremark litigation against the company’s directors alleging that they ignored red flags about the company’s culture that condoned workplace misconduct. But this case turned out to be different—VC Laster of the Delaware Chancery Court dismissed the complaint against the directors. The Court held that, in this case, the directors did not ignore the numerous red flags: the facts cited in the pleadings did “not support a reasonably conceivable claim against them for breach of the duty of oversight.” Once again, the case reinforces that high bar described by former Chief Justice Leo Strine for Caremark claims: “Caremark claims are difficult to plead and ultimately to prove out,” and constitute “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.” (See this PubCo post.)

SEC charges DXC with misleading non-GAAP disclosures and absence of non-GAAP disclosure controls

The SEC has announced settled charges against DXC Technology Company, a multi-national information technology company, for making misleading disclosures about its non-GAAP financial performance in multiple reporting periods from 2018 until early 2020. According to the Order, DXC materially increased its reported non-GAAP net income “by negligently misclassifying tens of millions of dollars of expenses” as non-GAAP adjustments related to strategic transactions and integration and improperly excluding them from its reported non-GAAP earnings. In addition to misclassification, DXC allegedly failed to accurately describe the scope of the expenses included in the company’s non-GAAP adjustment, with the result that “its non-GAAP net income and non-GAAP diluted EPS in periodic reports and earnings releases were materially misleading.” What’s more, the SEC alleged, DXC’s disclosure committee “negligently failed to evaluate the company’s non-GAAP disclosures adequately,…and failed to implement an appropriate non-GAAP policy” or adequate disclosure controls and procedures specific to its non-GAAP financial measures. Consequently, DXC “negligently failed to evaluate the company’s non-GAAP disclosures adequately.” DXC agreed to pay a civil penalty of $8 million. According to the SEC’s Associate Director of Enforcement, “[i]ssuers that choose to report non-GAAP financial metrics must accurately describe those metrics in their public disclosures….As the order finds, DXC’s informal procedures and controls were not up to the task, and, as a result, investors were repeatedly misled about its non-GAAP financial performance.”

Ransomware attack—SEC charges misleading disclosures and disclosure control failure—again!

Last week, the SEC announced settled charges against Blackbaud, Inc., a provider of donor data management software to non-profit organizations, for misleading disclosures and disclosure control failures. According to the SEC, in May 2020, employees at the company discovered evidence of a ransomware attack. After an investigation, the company announced the incident and advised affected customers—specifying that sensitive donor data was not involved. But just a couple of weeks later, the SEC alleged, company personnel learned that the attacker had, in fact, accessed sensitive donor data for a number of customers—including bank account and social security numbers. But—you guessed it—it’s disclosure controls again! The personnel with knowledge of the scope of the breach “did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so.” As a result, the SEC claimed, the company filed a Form 10-Q that still omitted mention of the exfiltration of sensitive donor data and framed its cybersecurity risk factor disclosure as purely hypothetical. The SEC viewed Blackbaud’s disclosure as misleading and its disclosure controls as inadequate and imposed a civil penalty of $3 million. According to the Chief of SEC Enforcement’s Crypto Assets and Cyber Unit, “Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous….Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”