The SEC introduced “disclosure controls and procedures” as a new term in its initial August 29, 2002, release following the enactment of Sarbanes-Oxley. Disclosure controls and procedures are designed to ensure that information required to be disclosed by the company in its Exchange Act reports is recorded, processed, summarized and reported within the time periods specified in the SEC’s rules and forms. They are also designed to ensure that information required to be disclosed by the company in its Exchange Act reports is accumulated and communicated to the company’s management (including its principal executive and financial officers) for timely assessment and disclosure pursuant to the SEC’s rules and regulations. The SEC intended to make it explicit that the controls contemplated by Sarbanes-Oxley should embody controls and procedures addressing the quality and timeliness of disclosures in public reports.
In summary, disclosure controls and procedures are the activities in place that ensure material financial and nonfinancial information required to be disclosed is identified and communicated in a timely manner to appropriate management, including the certifying officers, so that decisions regarding disclosure can be made.
Disclosure controls and procedures that generate required disclosures include:
- Form a disclosure committee to organize and oversee the disclosure process.
- Use a standard reporting package or process to engage the appropriate unit managers and process owners, and funnel the required information upward.
- Perform inventory on the reporting requirements and maintain a current inventory.
- Design and implement a process to address each required disclosure.
- Conduct a financial reporting risk profile.
- Establish a tracking system for routine disclosures.
- Source material information components in public reports back to upstream processes and points of origin, and identify the critical processes that generate them.
- Decide how the company’s collective knowledge will be captured and summarized for certifying officers to ensure timely action and disclosure.
It’s important that management design the disclosure controls and procedures so that the disclosure process will not become simply a ritual. During the initial filings, the disclosure process is likely to receive significant attention from everyone involved. However, over time, priorities change. The business undergoes change and, the managers and key employees involved in these disclosure processes change.
Processes are needed to monitor change and assess risk to continuously improve the disclosure process and keep it fresh. The disclosure committee should determine that such processes are in place and are operating effectively. The following are examples of steps management should take:
- Monitor change (both externally and internally). Changes in the environment and in the company’s operations require special emphasis to evaluate their impact on the business, the financial statements and required disclosures.
- Identify the primary business risks associated with company operations and the critical information essential for measuring, monitoring and reporting on each risk; in view of such risks, evaluate current disclosures to determine whether additional information is needed. Senior management and the board should concur as to the company’s primary business risks, the appetite or tolerant level for such risks, and the plans for managing and monitoring the company’s exposure to losses and potential for profits from such risks.
- Design a process to identify operating and other changes that impact the effectiveness of established controls. Changes in the external environment can affect the determination of estimates and assumptions inherent in the financial statements.
Learn more about disclosure control procedures in the Guide to the Sarbanes-Oxley Act: Internal Control Requirements - Frequently Asked Questions Regarding Section 404 and by exploring these helpful tools on KnowledgeLeader: