Corporate Governance Under Sarbanes-Oxley
New Realities and Their Effect on Public Markets — an interview with Cary Klafter of Intel Corporation
Diana A. Jeschke
Sharon A. Rose
Posted Sunday, May 1, 2005
5 U.C. Davis Bus. L.J. 18 (2005)

Cary Klafter is the Vice President of Legal and Government Affairs, Director of Corporate Affairs, and Corporate Secretary at Intel Corporation, Santa Clara, California. The Corporate Affairs Group is responsible for the company's corporate-level legal activities, including SEC matters, finance and treasury, mergers & acquisitions, investor relations, Board of Directors and other corporate governance matters. Intel is the world's largest computer chip maker, as well as a leading manufacturer of computer, networking, and communications products.

Prior to joining Intel in 1996, Mr. Klafter was a partner in the San Francisco firm office of Morrison & Foerster. Mr. Klafter was also a Director of the Society of Corporate Secretaries and Governance Professionals. He is a speaker at various legal and business programs. Mr. Klafter holds a JD degree from the University of Chicago Law School in 1972. He earned his BA and MS degrees from Michigan State University in 1968 and 1971, respectively.

Q: Sarbanes-Oxley and a host of other SEC regulations require additional disclosures for corporations. What are some of the specific disclosures corporations are now or will soon be required to provide? What do you see coming down the road from here?

A: Sections 302 and 404 (302 and 404) are two of the provisions of Sarbanes-Oxley with the greatest impact. Each of these sections has required major in-house activity related to quarterly and annual disclosures as part of the 10K/10Q reports. These provisions require that the company CEO and the CFO sign a statement that then gets published in the 10K or the 10Q, stating that the document in question doesn't have any untrue statement of material fact, and that the financials fairly present the financial condition of the company. The Section 302 certification introduced a concept which was just created out of whole cloth by the SEC and its regulations under the statute, relating to "disclosure controls and procedures." These provisions effectively mandate that the issuer had to have a formal set of disclosure controls and procedures described as intending to ensure that all material information is known to the CEO and CFO at the time they're signing the document. Then nested within disclosure controls are internal controls over financial reporting which is the heart of the 404 requirement. Section 404 requires a really elaborate procedure concerning the various controls over the bookkeeping and financial reporting process in the company to better ensure the numbers that are generated are as close to accurate as practicable. The Public Company Accounting Oversight Board (PCAOB), which was invented by Sarbanes-Oxley, adopted 404 auditing standards as one of its major acts to date. It created an auditing standard which is imposed upon the external auditing firms, in our case Ernst and Young, to audit management's assertions concerning internal control over financial reporting. Then the internal auditors also have to do their own report with respect to the internal control over financial reporting. The company actually has three separate reports generated on an annual basis under 404. We're a large company and the 404 work costs us more than $25 million for 2004, so it's an extraordinary state of affairs.

All of these 302 and 404 reports are gigantic efforts and require a tremendous number of people. They put a lot of stress and workload on the finance and legal staff to get this work done and to do it right. The quarterly 302 cycle culminates in a series of meetings that demand the personal attention of the most senior officers, specifically the CEO, the president, and the CFO. Their involvement was explicitly intended by these statutes. As you may recall, in the hearing involving Enron, you had a bunch of Enron guys up in front of Congress, effectively saying, "Well, we don't know anything about these partnerships," or "we're not familiar with this line of business." In effect, the CEO was saying, "I'm just not familiar with the way we earned 80% of our profits." One can very easily track the various recent episodes and scandals to very specific provisions in Sarbanes-Oxley, directly related to those guys getting up and saying "I never looked at the financials. I don't know anything about this."

The new reporting regulations also affect the time-frame corporations have to submit reports, requiring closer oversight sooner and more often in the process. What you have, separately from Sarbanes-Oxley, is the SEC moving to shorten the time to produce both the 10Q and 10K reports. The 10K used to be filed within ninety days after the end of the fiscal year, but they've been dropping it in stages. They actually delayed it this year. It would have been sixty days this year; it'll be sixty days next year. Out on "the street," the difference between sixty and ninety days may not sound particularly meaningful, but it's effectively a dramatic difference in terms of who has to do what and when. That intersects with the 302 and 404 provisions because the 302 and 404 reports for the annual period are part of the 10K, and they have to be done for a calendar year company by the end of February. For a practitioner at a large company, what it means is that documents like the 10K, or even the proxy statement, are getting to be like the basketball season - they seem to run about ten months out of the year. You finish up one, you take a deep breath, and do your post-mortems and a couple of months later, off you go again.

Q: You mentioned that the CEO, CFO and other senior officers are now involved in a number of oversight meetings. Can you comment further on specific accountability issues for senior management and boards now required by the new regulations?

A: What you have in something like 302 and 404 is the necessity of reaching out on a worldwide basis to gather the data and make sure you have it in hand and analyzed on a quick, timely basis. The location where events occur, where contracts are signed, or financials are rolled up, can be anywhere in a large organization. You can visualize the tentacles reaching out to all the finance controllers and all of the general managers and the compliance review committees for each business unit at various times during the course of the year when you are working on this kind of process. When we were taking a fresh look at our disclosure activities as we built and documented our disclosure controls and procedures, one of the new things we put in place was a very formal reportable events process. For example, we go out formally through emails four times a quarter in advance of the earnings release, in advance of the 10Q, in advance of the certification meeting, on a worldwide basis, to pre-selected contact people. We're effectively asking them, "What's new? What don't we know? What hasn't been reported up through normal legal or finance channels? What excursion might have occurred that we are unaware of?" This better ensures that we have that data in hand. Then we created a disclosure committee to review and consider that data and to determine what to do with it. This touches on a large number of people. At some companies, but not our own, various sub certifications have been created and involve controllers and business unit managers signing up to their own miniature certifications, all of which get rolled up to the top.

Q: In a situation where a company has numerous business units around the world, how are the field managers held accountable? What if these managers run their operations fraudulently, but report positive results to upper management. If upper management learns that something was different two or three years later, who, in the end, is ultimately accountable?

A: This plays into accountability down the line, as well. The import of the 302 and 404 requirements is that it demands "reasonable assurance," reasonable assurance is the term of art, with respect to all of these requirements on an enterprise-wide basis. Therefore, part of the function of creating, for example, the internal control over financial reporting is that it has to get down to an immaterial level of detail. You have to make sure your systems have sufficient controls in them, and that might entail increasing control over regional managers or managers of sub units. In some cases where you can't otherwise deal with risk, you put in some sort of control which helps to mitigate or compensate for the potential risk. There are all sorts of ways that you have to reach out to the end of the line, to make sure that everybody is part of the relevant system so that the financials can be documented, tested, and audited.

Q: How have these requirements impacted the ability of corporations to effectively respond to market changes in pursuit of their business plans and corporate goals?

A: In our case, we can absorb twenty-five million ($25M), although that's not chicken feed. As a practical matter, we're not skimping elsewhere because of this, but its still $25M that could have gone elsewhere, to the treasury or to the stockholders. I've read a number of articles in the newspaper about smaller companies that have said, in effect, "that they couldn't afford to remain publicly traded and were going to go private." They had gone public at a time when they thought there was value to that because it allowed them to tap into publicly available capital, but now they're in a circumstance where the compliance overhead related to being public, and their own financial situation is such that it's simply uneconomic. If it's $25M for us, we can write that check, but an extra million for a much smaller company might be simply more than they're able to bear.

Q: What effects will the increased oversight have on institutional investors' evaluation of the securities they purchase for their portfolios?

A: It obviously gives them more data points. One of the things that is going on right now is the rollout of the 404 reports for the first time. This is the first season that they're coming out, and I've seen data suggesting that so far approximately 8% of the companies that have reported, have reported what's known as a "material weakness." A material weakness is one of the key defined terms in this whole procedure because if you have a material weakness in your internal control, then management and auditors are unable to deliver a clean report. That doesn't mean you can't file your annual report, your 10K, and it doesn't mean you can't have audited financial statements. It does mean you'll get the scarlet letter with respect to the internal control, and there was a lot of concern early on, and there still is, as to the market reaction. Will the market overreact? I haven't seen any data as to price fluctuations with respect to that sort of thing. In fact, there were a series of major groups coming together, both securities analysts and auditor firms, in effect trying to allay the fears of the investing public by pointing out that all material weaknesses need to be fixed, but that some are more material than others. The analysts are trying to put reported material weaknesses into context.

In a slightly related context, this creates a lot of interesting issues with respect to mergers and acquisitions, which is another way to tap the capital market. It has always been the case that major concerns of the acquiring company include hidden and unknown problems that will be acquired but won't be known until you actually take the company and integrate it into your own. Maybe even the management of the other company doesn't know about the problem until you discover it once you have already bought it, and it comes to you unknowingly broken. Tremendously elaborate sets of representations, warranties, and the responsibilities of doing due diligence are used to try to deal with this concern. The fact is that not every company knows everything about itself, and not every acquirer can know everything about the company that it is acquiring, even putting fraud aside. Then a year after you acquire a company, its financial systems are now subsumed into your 404 report. This raises the ante with respect to acquisition of companies. This creates a concern that you may be purchasing something that may turn out to create a major flaw within your larger system.

So you need a lot more due diligence up front and a lot more oversight early on to ensure that everything is known that can be known -- you really have to get into the details. As an acquiring company, you hopefully were always doing this sort of research, but now you do it even more. It's not just a function of figuring out how might we get our money back, because if you're buying a public company, you can hardly ever get your money back, but how can we avoid damage to our own enterprise if we bring some sort of broken or diseased organism into our system.

Q: Will the new rules change the process by which corporate boards are selected?

A: There are many effects relating to boards and their various responsibilities. The new rules will have a direct impact with respect to how boards are chosen. You may have seen a number of commentators talking about whether, at the margin, there will be a number of people who simply won't want to sit on a board because of the potential danger of personal liability. As a potential candidate, if you get over the personal liability issue, then there's the time commitment. You can expect the time commitment to be much greater than it has been in the past. You have to figure out how much time you're spending on your day job and whether you're willing to go along with this system. If you're a board candidate and you read about what's going on with respect to institutional investors and their interests in changing the system of how boards are being elected, you may think twice since you might be facing, in effect, a contested election every year. Do you have sufficient motivation to step into that kind of process?

Q: What impact will the regulations have on the current proxy voting process of retail investors? What concerns emerge from an often ill-informed group of people making decisions about board members, and does their ratio of votes compared to institutional investors impact the ultimate decision?

A: There's a tremendous amount of activity which is going on, on that side of the world. As you know, there has been a lot of commentary relating to institutional investors, basically chiding them and saying, "You're an owner of these companies. You're a key player and need to become more active." A lot of proxy voting advisory services are springing up which are being very active in terms of effectively setting non-governmental standards with respect to boards and voting on account of their power and authority, and over voting on behalf of numerous clients. Retail investors tend not to vote as much as institutional investors. Institutional investors are compelled to vote for a number of reasons. If you're an ERISA pension plan, the Department of Labor, a number of years ago indicated that the vote is an asset of the pension plan and implicitly stated that it shouldn't be wasted. Theoretically, you might decide not to vote because it doesn't deliver value to do so, but as a practical matter, pension plans in particular have become extremely active in the voting process because they feel impelled by law to do so. In the same way, they might hire an investment manager to manage the buy and sell decisions; they hire organizations like Institutional Shareholder Services (ISS) to manage the voting decisions. They pay a lot of money to have a theoretical professional handle the process and they may or may not feel happy about it, but that means that all of those shares get voted.

Just starting this year, there are new rules under the Investment Company Act of 1940 which require that mutual funds actually publish their voting policies and voting records so all stock holders are able to see them. This means that mutual funds and mutual fund managers are automatically under pressure from various interest groups with respect to the ways they vote. Union pension funds in particular have announced that they look at this very closely, and they will withdraw their assets under management from these managers if they aren't voting the right way. So you have a politicization of the voting process, and more scrutiny. All of which means institutional investors are going to vote 100% of the time, and retail investors are not. There are a number of rule proposals, for example, proposed changes to New York Stock Exchange (NYSE) Rule 452 which would effectively strip a large amount of the retail vote out of the system, so proportionately the institutional voters will have even more sway.

As to the impact on the retail market and the investment practices of retail investors, I don't know if it will necessarily change their investment practices if they're not focused on voting. They still want to buy and sell stocks on an individual basis. I don't know that the rule change will directly affect them. They can always vote if they want to. From an issuer's perspective though, this creates a big issue because much more voting power now is being delivered to a small group of institutions. Every company regardless of its size is going to have a top ten or top one hundred list of investors who will, except in rare circumstances, tend to be unaffiliated institutional investors of various types.

Q: What effects will the new regulatory environment have on the relationship between federal and state laws governing corporations?

A: There is a tremendous amount of that is going on. A couple of years ago, the SEC, as it does every five or ten years, took a look at the proxy process relative to its regulations. It ultimately came out with what were known as the Shareholder Access Rule Proposals which effectively, for the very first time, would have allowed investors to place their own director nominees into a company proxy statement. A company proxy statement is the proxy statement of the entity. It's the board of directors reporting to the stockholders on the board of directors' slate of nominees who are in the proxy statement. As you know, you or I could create a competing slate to run against a directors' slate of nominees, but as a practical matter that's hardly ever done in the absence of a group willing to spend a lot of money to go through that proxy solicitation process. Also, in such a case, they typically want to take over the control of the company. Short of wanting to take over control of a company, you rarely have competing nominees because no one wants to spend the money to do so. Our solicitation costs in a routine year, for a proxy voting, are five to six million. We have over four million stockholders and you have to print proxy statements and mail them to everybody, and it just takes lots of money. That intersects with state law, of course, because it is state law which sets up a corporation, controls its internal governance, and has traditionally controlled the fundamentals of the voting and nomination process with respect to directors. So there was a lot of debate over whether the SEC had the authority to establish the Shareholder Access Rule. There was a case about fifteen years ago where the SEC also tried to change a rule with respect to the voting rights of particular classes of shares; they were sued, and they lost. It was held that the SEC did not have the authority, and it was a matter of state law, so this was a matter of concern to the SEC and a big topic of debate.

The controversy over the Shareholder Access Rule also intersects generally with all that's been going on in the corporate governance arena because states like Delaware have been concerned that, on account of Sarbanes-Oxley and new stock exchange rules, the states were effectively losing relevance with respect to a lot of their core corporate code provisions. Under Delaware law, you have the business judgment rule, which is basically a procedural standard, but behind it are these core responsibilities of loyalty, care, and good faith by directors. Now you have all of these new federal-law standards, all of these prescriptive and proscriptive responsibilities under Sarbanes-Oxley. The question is does the business judgment rule mean anything anymore? Is it too lax? Are these guys at Enron, WorldCom, and Tyco able to get away with bad acts and still be covered by the business judgment rule? A very specific subset of the discussion on this topic has been related to executive compensation. You're probably familiar with the Disney case, which is a Delaware case. Then you have the Dick Grasso case (the NYSE president), which is not under Delaware law. Here was an analogous circumstance in considering whether the compensation committee of the board of that enterprise engaged in the proper level of oversight, due diligence, care, and loyalty when it was setting the compensation of Dick Grasso.

Q: How have the new regulations played a part in changing the roles of these compensation committees and the methods used to establish an executive's compensation package?

A: There have been some very specific changes. Committees have to determine the compensation of the senior executives, basically the Section 16 officers of the issuers. Counsels are looking to lessons from the Disney case and the Grasso case and other similar circumstances. Plus you have the Delaware judiciary giving speeches saying, "We're still relevant, and the business judgment rule is not changed," and specifically talking about executive compensation practices. The bar gets raised by matters of common practice and best-known methods over the years, though. I think all compensation committees are well advised to spend more time to be more conscientious about considering what data they should receive and what data do they really need to understand and determining what are the compensation tools that are going to be utilized in determining the compensation of the senior executives. The fundamental point is that they shouldn't be captured by the CEO or others, but should make an independent determination. Effectively, the subliminal message is "do not overpay these guys." Link their pay to the performance of the company or to generated value for the stockholders. That's not the easiest thing to do in a lot of circumstances, but there are places to do it better than it has been done in the past. All of that means more time, more effort, more stress, and more potential liability. What you also find is those compensation committees, and all committees, have the official authority now, though they should have had it in the past as a matter of practice, to go out and hire independent consultants and have their own counsel. There are more circumstances at the margin where the board or the committees are going to have their own consultants and their own counsel as opposed to the corporation's counsel. Notwithstanding the addition of these separate counsels for the various committees, Section 307 of the Sarbanes-Oxley makes clear that in-house counsel is counsel to the board of directors - to the corporation as a whole. You may spend a lot of time with the CEO, the CFO, or head of business unit number 7, but that's just because that's one of your jobs. Your ethical responsibility is to the enterprise as a whole. As a practical matter, this always increases the stress and tension level when you have dueling counsels.

Without a doubt, institutional investors will impact the compensation committees, as well, by directly entering into the compensation debate and forcefully making their voting views known. A prominent local circumstance is the CALPERS shareowner's forum website. You will see a very elaborate set of guidelines and standards which they have developed basically saying to the thousands of portfolio companies, "this is how we want you to establish executive compensation." They've also recently announced a three-year program of engagement with regard to (a) companies and compensation consultants that just aren't getting it on executive compensation and (b) engagement with the SEC to try and increase disclosure relating to executive compensation and with the executive compensation consultant industry. They're operating under the belief that the consultants are often times as much of the problem as the companies themselves. CALPERS has been, for many years, very active with respect to corporate governance, but this a good example of the sort of thing that you see coming out of institutional investors.

Q: Do you see special interest groups playing into an individual corporation's decisions rather than the board making decisions wholly on their own?

A: Clearly that's the case now. It is always an appropriate practice to listen to your stockholders and understand that someone else might have a better or different idea than you do. It's always useful to engage with your investors and to hear other views. One of the underlying messages of so many of these regulations is to try and make sure that there's an appropriate level of communication and that companies aren't simply stonewalling interested parties with respect to these areas. Ultimately, most companies have more sense of the internal company detail than do any outsiders so there is always the issue of trying to figure out the right balance between what interesting ideas you can take from other folks. At a bare minimum, what this really means is maybe you won't adopt the views of the third parties, but by engagement with them, they're able to better understand exactly what it is that you're doing. One of the methods to do this is in the report to the compensation committee in the proxy statement, plus all of the other supplemental data in the proxy statement concerning executive compensation. As a general matter, reports of compensation committees are getting bigger, more detailed, and better at dealing with a large number of topics that had previously not been dealt with because they were seen as immaterial from a dollar point of view. The "perks" area is a classic example. The SEC has all but said that they're going to revamp the disclosure rules on executive compensation sometime this year, so all issuers can expect that next year's proxy season will have more mandated disclosure. The bar will be raised for everybody with regard to what it is that you need to disclose on executive compensation.

Q: What are the long-term consequences of Sarbanes-Oxley and these other regulations for corporate legal departments? Will they increase litigation? Will they divert critical corporate resources to legal departments instead of to research & development departments? What effect will the regulations have on the competitiveness of American corporations with respect to foreign companies?

A: There's no doubt that this generates the requirement of greater compliance related activity. Compliance in its broadest sense means internal control, disclosure, and oversight by the board of directors. By definition, lawyers will have a piece of that action because lawyers are the proper and trained people with respect to much of this. All of this costs money. This all has to be taken into account by companies in their development or venture capital stage. Will we be in a position to afford this going forward? Are we able to do this in such as way as to meet those responsibilities and at the same time have enough money for normal business operations and be able to deliver a return to our stockholders? Foreign companies are looking at the US market and saying at the margin, "it would be great to tap into the US public capital markets, but do we want to put ourselves into the system which might be quite different from systems in other countries?" There are very few provisions in Sarbanes-Oxley and the PCAOB rules that allow for different arrangements for non-US issuers. That is a non-traditional way of doing things. Traditionally, the SEC has created a large number of regulations to take into account the fact that a German company will have a different board of directors' structure, a different kind of audit committee, and different financial statements. Sarbanes-Oxley didn't take any of that into account, and the PCAOB is taking it into account on a very modest basis.

With respect to companies generally, these new regulations will create more opportunities for more litigation. There are simply more things that can go wrong and more opportunity to create other causes of action when plaintiffs file suit. In the long run, you can expect more litigation to take place and more opportunities for litigators. At the margin, it will have an impact with respect to competitiveness because you'll have more of senior management's time being spent with regard to compliance as opposed to strategic activities. Similarly, at the board level, you'll have some companies that won't go public, but could have really done well as a public company. This is impossible to quantify. My $25M figure can be, to some reliable extent, extrapolated on a US-wide basis. The more overhead costs, the less goes into anything else. Overall, you hope that the increased costs still deliver value. Take the Enron situation, for example, where the lack of additional overhead destroyed the entire value of the company. These new regulations want to reduce the future likelihood of cases such as that where all of the investors lost all of their money, all of the Enron employees who lost jobs, and all the other fraud related to Enron, including all of the dramatic increases in California's electricity rates. There shouldn't be a corporate counsel in the US who doesn't feel some degree of animus to the Enrons of the world, just on account of the fact that it increases our workload.

It's impossible to come to a definitive conclusion on the cost-benefit analysis of the new laws and whether the balance was properly struck. To some level, this has all been good stuff, but it is always important to do a post-mortem and take a second and third look at the operation and value of a system. Right now, the SEC is doing a roundtable, soliciting comments concerning the whole 404 process, and asking for the first time, if 404 is doing its job. They're asking thirty to forty questions and hopefully they'll take all of that into account, as will the PCAOB, and there will be adjustments going forward. As you might imagine, nothing that the SEC or PCAOB adopts will be perfect because very few things are perfect for everyone, so there's always the possibility for adjustment. I'm already reading news articles about how the SEC has "caved into evil corporate interests" in holding this roundtable, but that's just silliness to believe that someone has got it exactly right the first time. There's obviously no political appetite to repeal Sarbanes-Oxley. Who wants to be the one decried as the guy who decided to let the bad guys run rampant in the streets again? The structure of securities laws has traditionally given a lot of authority to the primary regulator. The SEC, and now the PCAOB, adopt rules so it is appropriate public policy that they should use their rulemaking authority to make adjustments to the process so that they can get closer to the proper balance.