Sarbanes norms guiding Clause 49 implementation

Indian corporates see Sarbanes Oxley Act (SOX Act) of the US as guidline for the implementation of Clause 49, ignoring the fact that there's a huge difference in the key provision.

The focus of SOX Act is purely on controls over financial processes, Clause 49 says CEOs and CFOs have to certify they have control over all internal processes, not just financial.

"In our view, Clause 49 is more akin to SOX, although the business risks and related controls envisaged by Clause 49 go well beyond the financial reporting process which seems to be the main focus of SOX. This question is open to different interpretations because Clause 49 does not clarify whether the internal controls mean controls over the financial reporting process or controls which extend to the whole gamut of how companies manage their business risks," said Pradip Kanakia, executive director at consulting firm, KPMG.

Most corporates are adopting the SOX models for Clause 49 adherence, even though the focal point of the US Act is internal controls over financial reporting, said Ameet Parikh, managing director, Axis Risk Consultancy Services.

The Securities and Exchange Board of India (Sebi) has set December 31, 2005 as the deadline for implementation of Clause 49.

"We believe this question (of whether to certify just controls over financial processes or go beyond it) should be addressed by the boards and audit committees of individual companies entrusted with the task of overseeing the control environment," said KPMG's Kanakia.

The CEOs and CFOs are required to certify they have internal controls in place, but there is no guidance from the regulator beyond what is stated in the regulation as to what it means by internal controls.

"Clause 49 does not specify the areas it intends managements to have internal controls in place unlike the SOX Act," said Parikh.

If Clause 49 is considered all inclusive and not restricted to financial reporting, the board of a BPO firm could also seek controls in the recruitment process to ensure that people with fake educational certificates or criminal records are not recruited.

This may entail mandatory background checks of all employees recruited, which may be as or more important than the controls over financial reporting.

Similarly, directors could insist on strong compliance controls in the areas of health, safety and environment in a manufacturing company which goes well beyond the controls over financial reporting.

"In our view each company should evaluate key business risks applicable to their individual situations and put in place controls to address such risks. In the spirit of Clause 49, therefore, the controls should be beyond just financial reporting, said Kanakia.

Axis' Parikh said Clause 49 is more in line with the regulations in force in the United Kingdom and South Africa, where the controls are restricted to just financial reporting as in the US.

For example, The US regulation is more concerned that the purchase and payment functions in a company are segregated and vested in one oficial. It does not require CEOs and CFOs to certify that the quality of goods. A number of companies believe that they have sufficient internal controls in place and that they have sounding boards in internal and external auditors.

"Based on discussions internally and with certain prominent independent directors of companies' audit committees, we believe the corporates have been slow to react so far," Kanakia said.

In contrast, preparations at Indian companies listed in the US are in full swing or well planned to meet the deadlines for implementing section 404 of the SOX Act, that deals with processes for internal controls.

"This difference could be the result of a perception that the penalties for non-compliance could be far more severe for US listed companies. For example, there is a criminal liability implication for non-compliance with SOX, but there is no such criminal liability implied by Sebi," said Kanakia.

Clause 49 requires managements of companies to have in place a proper risk management framework, to identify risks and measure them, to ensure adequate internal controls and review them periodically and put the responsibility of guiding the management on the audit committees of listed companies.

Unlike Clause 49, SOX Act has done away with "to the best of my knowledge" sign-offs. SOX makes boards responsible for reviewing processes annually and assuring that adequate internal controls are in place. Clause 49 makes CEOs and CFOs to certify "to the best of their knowledge and belief".

---

THE FINE PRINT

CEOs and CFOs shall certify that, to the best of their knowledge and belief that:

They have reviewed the balance sheet and profit and loss account and all its schedules and notes on accounts, as well as the cash flow statements and the directors' report

These statements together present a true and fair view of the company, and are in compliance with the existing accounting standards and / or applicable laws / regulations

They are responsible for establishing and maintaining internal controls and have evaluated the effectiveness of internal control systems of the company