MD&A

SEC Comment Letters

The Financial Times ran a piece on Monday noting that the Securities and Exchange Commission’s Division of Corporation Finance has been increasingly focusing on disclosure regarding the tax implications of overseas earnings and offshore cash holdings in accounting and regulatory reviews of company filings.

Below are some of the recurring comments that the Commission has been issuing*:

  1. Please disclose the amount of cash, cash equivalents and investments held outside the U.S. Please also describe any potential income tax consequences or other limitations that may impact your ability to repatriate cash, cash equivalents and investments held outside of the U.S.
  2. Please tell us what consideration you gave to providing a discussion of the need to repatriate undistributed earnings of foreign subsidiaries and the associated potential tax impact.
  3. Please tell us how you considered providing disclosures that explain how having earnings in countries where you have different statutory tax rates impacts your effective income tax rates and obligations. In this regard, you should consider explaining the relationship between the foreign and domestic effective tax rates in greater detail as it appears as though separately discussing the foreign effective income tax rates may be important information necessary to understanding your results of operations. To the extent that certain countries have had a more significant impact on your effective tax rate, then tell us how you considered disclosing this information and including a discussion regarding how potential changes in such countries’ operations may impact your results of operations.

Most of the above also refer back to Item 303(a)(1) of Regulation S-K, addressing liquidity in MD&A disclosure, and Sections III.B and IV of Interpretive Release 33-8350, addressing the Commission’s guidance on MD&A content and focus, and on liquidity and capital resources disclosure, both of which you may want to revisit as we approach the quarter’s end.

________________________

*Remember, comment letters are released no earlier than 20 business days after the Commission has completed its review.

Should Companies be Required to Disclose Cyber Attacks?

by Vanessa Schoenthaler on June 8, 2011

With more and more of our data moving to the cloud, network security is becoming an increasingly mainstream issue. But, for all of the media attention that material network breaches have garnered as of late, there hasn’t been much in the way of disclosure. That may be about to change.

A Little Legislative Background

According to the National Conference of State Legislatures, 46 states as well as the District of Columbia, Puerto Rico and the Virgin Islands have legislation in place requiring that companies notify affected individuals of security breaches involving their personal data.

In May the White House introduced a legislative proposal which, if enacted, would largely displace these state law requirements with a federal cybersecurity act.

As proposed the federal legislation would require a company that participates in interstate commerce and “uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period” to notify affected individuals following a security breach. The proposed legislation contains a safe harbor which would exempt a company from this notification requirement if, following a risk assessment, it concludes that there is no reasonable risk that the security breach has or will result in harm to the affected individuals and if it notifies the Federal Trade Commission of its risk assessment and safe harbor election.

A Request for Interpretive Guidance

Just prior to the White House’s release of its proposed cyber security legislation Senator Jay Rockefeller, Chairman of the Senate Committee on Commerce, Science and Transportation, who has previously introduced his own cybersecurity legislation, penned a letter to Chairman Schapiro requesting that the Securities and Exchange Commission issue interpretive guidance addressing when companies need to make information security disclosures regarding:

  • material information security risks and actions taken to reduce those risks; and
  • material network breaches.

Disclosure Regarding Material Information Security Risks

When does a company need to make disclosures regarding material information security risks?

While there are no disclosure obligations that specifically address information security risks, disclosure may still be appropriate under one or all of the following existing disclosure requirements:

  • Risk Factors – Item 503(c) of Regulation S-K requires disclosure of the most significant factors that make an investment in a company speculative or risky. Risk factor disclosure should clearly state the risk and specify how the particular risk affects the company. The following are a sample of risk factors related to information security that have been culled from recent annual report filings:

If we experience significant service interruptions, which could require significant resources to resolve, it could result in a loss of customers or impair our ability to attract new customers, which in turn could have a material adverse effect on our business, results of operations and financial condition.

In addition, with the growth of wireless data services, enterprise data interfaces and Internet-based or Internet Protocol-enabled applications, wireless networks and devices are exposed to a greater degree to third-party data or applications over which we have less direct control. As a result, the network infrastructure and information systems on which we rely, as well as our customers’ wireless devices, may be subject to a wider array of potential security risks, including viruses and other types of computer-based attacks, which could cause lapses in our service or adversely affect the ability of our customers to access our service. Such lapses could have a material adverse effect on our business and our results of operations.

We may experience outages and disruptions of our online services if we fail to maintain adequate operational services and supporting infrastructure.

As we increase our online products and services, we expect to continue to invest in technology services, hardware and software — including data centers, network services, storage and database technologies — to support existing services and to introduce new products and services including websites, e-commerce capabilities and online communities. Creating the appropriate support for online business initiatives is expensive and complex, and could result in inefficiencies or operational failures, and increased vulnerability to cyber attacks, which could diminish the quality of our products, services, and user experience. Such failures could result in damage to our reputation and loss of current and potential users, subscribers and advertisers which could harm our business. In addition, we could be adversely impacted by outages and disruptions in the online platforms of our key business partners, who offer our products and services.

If we are unable to protect our information systems against data corruption, cyber-based attacks or network security breaches, or if we are unable to provide adequate security in the electronic transmission of sensitive data, it could have a material adverse effect on our business, financial condition and results of operations.

We are highly dependent on information technology networks and systems, including the Internet, to securely process, transmit and store electronic information. In particular, we depend on our information technology infrastructure for business-to-business and business-to-consumer electronic commerce. Security breaches of this infrastructure, including physical or electronic break-ins, computer viruses, attacks by hackers and similar breaches, can create system disruptions, shutdowns or unauthorized disclosure of confidential information. If we are unable to prevent such security or privacy breaches, our operations could be disrupted, or we may suffer loss of reputation, financial loss and other regulatory penalties because of lost or misappropriated information, including sensitive consumer data.

  • Management’s Discussion and Analysis – Item 303 of Regulation S-K requires a broad range of disclosures necessary for an understanding of a company’s financial condition, changes in financial condition and results of operations.

Are there any known trends, events, demands, commitments or uncertainties related to network security that are reasonably likely to have a material effect on your liquidity, capital resources or financial condition? How might a network security breach impact your business? What are the costs associated with protecting personally identifiable information about your customers? What actions have you taken to mitigate the risks associated with a network breach? Do you have adequate network security in place? Do you carry insurance against cyber attacks? As the Commission has noted in its guidance on MD&A, disclosure of a trend, event, demand, commitment or uncertainty is required unless a company is able to conclude that it is not reasonably likely to come to fruition or that a material effect on the company’s liquidity, capital resources or results of operations is not reasonably likely to occur.

  • Legal Proceedings – Item 103 of Regulation S-K requires disclosure of any material legal proceeding, other than ordinary routine litigation incidental to a company’s business.

Disclosures Regarding Material Network Breaches

One of the more prominent media examples of a material network breach is that of Sony Corporation, which has fallen victim to at least three different breaches in recent months, the first in late April, the second shortly thereafter in early May, and the most recent just last week. At least twenty-five lawsuits have been filed against Sony since its second network breach, one of which alleges that the company was aware of the possibility of a security breach, but failed to adequately warn consumers.

Sony is a foreign private issuer, however, and not the best example for purposes of our disclosure discussion because its reporting obligations are primarily governed by Japanese law. Some notable examples of domestic companies that have made headlines for material network breaches include:

  • Lockheed Martin – which disclosed a May 21, 2011 network breach in a press release issued on May 28th and available on the company’s website. The release states, in relevant part, that “no customer, program or employee personal data” had been compromised in the attack.
  • Google – which disclosed a mid-December 2010 network breach in a post on its official blog and in a Form 8-K, on January 12, 2010 (there are estimates that over 200 companies were similarly targeted in the Google cyber attack). The most recent cyber attack concerning Google Gmail users did not involve a network breach but rather, as disclosed in a post on Google’s official blog on June 1, 2011, targeted users in a campaign to collect passwords through scams such as phishing.
  • Nasdaq OMX Group – which confirmed its discovery of a network breach in October 2010 following a February 2011 Wall Street Journal report.

While both EMC and Google voluntarily disclosed their material network breaches on a Form 8-K filed in conjunction with their public response, most other companies don’t make such disclosures. But should they be required to? And what would trigger such an obligation? Perhaps, along the lines of the proposed federal cybersecurity legislation, a company should only be required to disclose a material network breach to the extent it is required to notify affected consumers?

Updated: June 9, 2011

Chairman Schapiro’s response letter to Senator Jay Rockefeller was made available yesterday.

Number of Foreign Private Issuers Registered and Reporting with the Securities and Exchange Commission

Today the Securities and Exchange Commission released its updated list of registered and reporting foreign private issuers for the year ended December 31, 2010. Of the 970 issuers accounted for, approximately:

  • 35.8%, or 347 issuers, were organized in Canada;
  • 12.9%, or 125 issuers, were organized in the Cayman Islands;
  • 7.6%, or 74 issuers, were organized in Israel; and
  • 5.0%, or 49 issuers, were organized in the British Virgin Islands.

The remaining 38.7% of issuers were organized in 47 different countries.

Most foreign private issuers, 46.5% of them, were listed on the NYSE/Amex/Arca markets, 27.1% were listed on the Nasdaq markets and the remaining 26.4% were quoted in the over-the-counter markets.

A few other odds and ends that I didn’t have a chance to get to last week:

Regulatory Review and Comment

On January 18, 2011 President Obama issued Executive Order 13563 – Improving Regulation and Regulatory Review to supplement and reaffirm Executive Order 12866 – Regulatory Planning and Review, which was issued by President Clinton on September 30, 1993, and which generally requires regulatory agencies to:

  • only propose or adopt regulations where the benefits would justify the costs;
  • tailor regulations so that they impose the smallest burden on society, while remaining consistent with regulatory objectives;
  • select regulatory approaches that maximize net benefits;
  • specify, to the extent possible, performance objectives rather than behaviors or manners of compliance that regulated entities must adopt; and
  • identify and assess available alternatives to direct regulation.

Neither of the Executive Orders applies to independent regulatory agencies, like the Securities and Exchange Commission; however, the Commission, given that it subscribes to many of the practices and principles outlined in the Executive Orders, has established a website to seek public comment “on modifying, streamlining, expanding or repealing … existing rules to better promote economic growth, innovation, competitiveness and job creation while still achieving … mandates to protect investors and maintain fair, orderly and efficient markets.” The Commission is particularly interested in comments that pertain to smaller reporting companies and non-Exchange Act reporting companies that raise capital in the private markets.

Thus far there are three categories to comment on:

  • regulations and exemptions related to the offer and sale of securities;
  • disclosure and reporting requirements; and
  • other suggestions for updating rules to promote economic growth.

Only half a dozen comments have been submitted, four of which in some way address the effects of XBRL compliance on smaller reporting companies.

On the Accounting Front

On Monday the Financial Reporting Executive Committee (FinREC) of the American Institute of CPAs (AICPA) released a working draft of the latest version of its practice guide: Valuation of Privately Held Company Equity Securities Issued as Compensation, which was first published in 2004. The Journal of Accountancy has a nice summary of some of the more significant changes, which include revisions to FinREC’s guidance on, and illustrative examples of, MD&A disclosure in an IPO registration statement.

And on Friday the Securities and Exchange Commission, Division of Corporation Finance, updated its Financial Reporting Manual to address issues related to combined periodic reporting, income averaging, accountant changes and foreign private issuer financial statements, among other things. As Broc Romanek notes over at the Corporate Counsel, lately the Commission has been making incremental updates to the Manual on a more frequent basis.

Auditing the SEC

Finally, the Office of Inspector General within the Securities and Exchange Commission released two audit reports last week, one addressing the Commission’s Budget Execution Cycle and the other its Implementation of and Compliance with Homeland Security Presidential Directive 12.


Financial Statement Red Flags

by Vanessa Schoenthaler on December 3, 2010

Yesterday the Securities and Exchange Commission made available a slide presentation from the Public Company Accounting Oversight Board’s 2010 Forum on Auditing in the Small Business Environment. The slides include detailed notes on some of the more common issues encountered by the Commission in reviewing company financial statements. A number of topics are addressed, from reverse mergers and business combinations to MD&A and disclosure controls and procedures, with some of the more universally applicable take-aways being:

  • Management’s Discussion and Analysis – Make sure that you are providing a sufficient level of detail in discussing factors that may contribute to fluctuations in your operating results from period to period and when discussing your liquidity and capital resources. Also, make sure that you are disclosing known and predictable uncertainties that may have a material impact on your income from continuing operations. In its presentation the Commission notes that it may issue comments in a situation where an event that triggers an impairment or other charge appears to have been predictable but was not addressed in an earlier period.
  • Revenue Recognition – Avoid using overly vague or boilerplate language in your accounting policy disclosure and make sure that you clearly state the timing and method you use for recognizing each material stream of revenue.
  • Disclosure Controls and Procedures – Disclosure controls and procedures encompass internal controls over financial reporting and even though disclosure controls and procedures may be found effective at the same time internal controls over financial reporting are found ineffective, if you reach that conclusion you should be prepared to support it.
  • Internal Control Over Financial Reporting – Make sure that you are explicitly stating, without the use of any qualifying language or limitations in scope, whether or not your internal controls over financial reporting are effective. If you find a material weakness in your internal controls over financial reporting, you should focus on more than just its impact on the particular line item in which it was discovered; instead, in both your disclosure of the weakness itself and your remediation disclosure, you should consider and discuss its impact on other items in your financial statements. And, again, avoid using overly vague or boilerplate language that remains static from period to period.
  • Changing a Certifying Accountant – If you dismiss your independent accountant because it has been involuntarily deregistered by the PCAOB, disclose that fact in your Forms 8-K, and if your former independent accountant’s audit report contained a going concern opinion it should also be disclosed in the Form 8-K as a modification as to uncertainty.

There are a number of other useful bits of disclosure guidance throughout the slide presentation, and it’s probably worth a flip through as you prepare for your next periodic filing.

Earlier today, in an open meeting, the Securities and Exchange Commission proposed a new set of rule amendments designed to expand and enhance company disclosure of short-term borrowings. If adopted the amendments would require reporting companies to include detailed quantitative and qualitative information about short-term borrowings in their filings with the Commission.

In her opening statement at the meeting Chairman Schapiro commented that:

The proposed rules we are considering today, if adopted, would shed greater light on a company’s short-term borrowings, including a practice some refer to as balance sheet ‘window-dressing.’ Under these proposals, investors would have better information about a company’s financing activities during the course of a reporting period — not just a period-end snapshot. With this information, investors would be better able to evaluate the company’s ongoing liquidity and leverage risks.

The Commission also approved additional interpretive guidance relating to discussions of liquidity and capital resources in Management’s Discussion and Analysis of Financial Condition and Results of Operations.

Comments on the proposed short-term borrowing rule amendments can be made here and are due 60 days after the amendments’ publication in the Federal Register. The MD&A guidance is effective as soon as it’s published in the Federal Register.
