Special Issue: A Roundtable Discussion on Leading Compliance Issues in the U.S. and EU

By ALM Staff | Law Journal Newsletters |
May 09, 2005

Throughout the world, Sarbanes-Oxley (SOX) legislation might well have had the biggest impact on corporate governance since the introduction of limited liability. To that end, jurisdictions outside the U.S. have not been idle. A recent Eversheds survey found more than 100 studies on the topic in 29 European countries within and outside the EU. Clearly, proper compliance with corporate governance guidelines is at the top of the list for in-house counsel across the EU, as well as the U.S.

To avoid civil and criminal penalties, multinational companies have to comply with laws and principles of good governance in all of the countries where they operate. U.S. legislation attempts extra-territorial reach. That legislation is in most cases in addition to, rather than in substitution for, local law, even for NYSE-listed entities. For multinationals, then, even if SOX is the beginning of the story, it is not the end.

Coupled with the changing face of regulation is an increased challenge for in-house resources. Many corporations are under pressure to reduce head count, and in-house legal teams are often not immune. At the same time, boards have a greater appetite for corporate governance and are likely to rely more on the General Counsel for advice, with at least anecdotal evidence that the number of independent legally qualified directors is in decline.

This roundtable sought to road-test some of these issues and look to some of the U.S.'s best governed corporations to see if there is a map for the journey ahead.

The Participants

Jonathan Armstrong is a solicitor with Eversheds LLP in the UK. The 2005 Legal Experts Report again featured him as one of the UK's leading experts in his field. Armstrong's practice includes counseling multinational companies on electronic corporate governance and on their online reputations. His practice is international and he has been a Member of the Faculty for the Georgetown University Advanced Institute on Electronic Commerce, Washington, DC, since 2001. He has contributed to the European privacy section in the Law of Europe at www.lawofeurope.info.

Steven D. O'Brien is General Counsel and Corporation Secretary for The Gallup Organization and a member of its Executive Committee. O'Brien, who joined Gallup in 1990, responds to legal issues affecting the company, including overseeing risk management and strategic legal issues. He is also responsible for government relations. Gallup employs many of the world's leading scientists in management, economics, psychology, and sociology.

Scott Green, CPA, MBA, is the author of The Manager's Guide to the Sarbanes-Oxley Act: Improving Internal Controls to Prevent Fraud and the soon-to-be-released Sarbanes-Oxley and the Board of Directors: Techniques and Best Practices for Corporate Governance. He is also the Director of Compliance at Weil, Gotshal & Manges, one of the largest law firms in the world.

Joe Ryan is Executive Vice President and General Counsel for Marriott International, Inc., headquartered in Washington, DC. He is responsible for the 80-attorney law department, the office of the corporate secretary, government affairs, and corporate communications. In addition, Ryan serves as the Chairman of the Board of Avendra, a joint venture among Marriott, Hyatt, InterContinental, Fairmont and ClubCorp. He is also Senior Vice President and General Counsel of the Ritz-Carlton Hotel Company, LLC.

The Roundtable

Armstrong: Joe, would you say the General Counsel's role in your organization has changed in the last 3 years? If so, how?

Ryan: The last 3 years have been quite different. More attention has been paid at all levels to compliance matters; a much more active audit committee; much higher third-party costs. From a lawyer's point of view, it makes it easier to be taken seriously. From the point of view of the American economy, one wonders.

Armstrong: Steve, is it the same for you?

O'Brien: Absolutely, even as a private company, the new compliance issues are all on the front burner. Our third-party costs are up somewhat due to the effort our outside auditors have to place on public companies, and I think private companies are being bounced down the ladder a bit.

Ryan: We estimate an additional 100,000 hours spent internally in finance, accounting and law to make sure we were in section 404 compliance. Our added costs to Ernst & Young were right at 50%.

Green: You are not alone. The costs for complying with 404 were greater than anyone imagined when the legislation was passed. There are numerous studies, all showing millions spent by our largest companies on 404.

O'Brien: I saw a study that showed year-over-year external audit fees up 53%. Sarbanes-Oxley has become the “Accountant Full Employment Act.”

Armstrong: Absolutely. Over here, we have been a little amused by the [advertisement] placed in defense of Sarbanes-Oxley by one of the large firms. I saw reports that one firm hired more than 1600 new auditors and 400 extra temps.

Green: And it is likely to get even tougher for smaller companies. It is not clear what they need to do to comply, but if it is the same standard as what has been expected of larger companies, small companies will be faced with difficult decisions whether to stay public or take the company private. One study shows de-listings are up 30% over the last year.

Armstrong: This is certainly a trend we are seeing in Europe. Even before Enron there had been a trend in Europe to take companies private with leading entrepreneurs, Sir Richard Branson being an example, saying that stock market listing of non-conventional companies was too volatile for them to operate. Increased regulation has in my view seen an acceleration of the take-private trend. In addition, a number of European companies are looking very critically at their NYSE listing where they have dual or triple listings. One UK company, BT, put the cost of compliance with Sarbanes-Oxley at $18.5 million. Another, BP, has published a figure of $125 million for their compliance costs as a whole. Other European companies, including Siemens, mmO2, lastminute.com, Cadbury Schweppes and BASF have also been reported as being prepared to look at resigning their U.S. listings.

O'Brien: Even as a private company we have to look at implementing Sarbanes-Oxley initiatives. For private companies, this is all “coming to a theater near you.”

Ryan: Will it deny the initial public offering or at least make that most traditional vehicle much less attractive?

O'Brien: If you are planning to go public, or be acquired at some point, being Sarbanes-Oxley compliant is critical and can affect the valuation of the company. Then there are outside factors that push this legislation down on private companies, from bank covenants, insurance companies, state overlays, etc. Private companies can't just sit back and say, “we're exempt.”

Armstrong: I think the difficulty of selling non-compliant companies is a good point to make. In Europe, as you know, the regulations dealing with data privacy compliance have some parallels with Sarbanes-Oxley. My firm acted for the purchasers of a travel business back in 2001. We asked the vendors some tough questions about their compliance. They took some time to answer — clearly because they had not invested to get their compliance up to scratch. They replied to our questions on Sept. 10 that year, but as you'll imagine given what happened to travel business values at that time, nobody ever got to read their answers and the deal went away. A colleague of mine also recently acted for a U.S. multinational acquiring a rival. They have put the cost of compliance at around $750,000 for the target business and have reduced their offer for the business by exactly this amount.

Green: It is clear to me that bank lenders are requiring private and not-for-profits to meet many of the same standards as required by 404.

Ryan: Our economic history is one of extreme tolerance, then crisis, then over-reaction, but I do not think this genie is going back in the bottle.

Armstrong: Has the recent WorldCom directors' settlement had an impact on your board? If so, how?

O'Brien: Well, there certainly is more interest in knowing the parameters of our director and officer coverage. And our outside directors are becoming more active in our internal audit functions. I think it was a wake-up call for many outside directors who now see liability rather than opportunity in many board appointments.

Armstrong: Joe, your thoughts?

Ryan: Our directors did not say much, but our audit committee is quite good and has been quite active, so that is not unexpected. One would need a brain scan, however, to sit on the audit committee of a public company about which there were any questions, and that even happens to the big ones, like Pfizer.

Green: I recently spoke with a leading recruiter in charge of her firm's national board practice, and she complained that it is increasingly hard to find people to sit on boards. Candidates are very choosy and ask a lot of questions [about] interview management, counsel, other directors, etc.

Armstrong: Joe, do you participate more or less often in board meetings than 3 years ago?

Ryan: My participation is about the same, but the audit committee and full board meetings are much longer.

O'Brien: I would agree. The board involvement isn't changing that much, but the audit committee meetings are much more extensive.

Armstrong: That's interesting. I heard a tale from a General Counsel recently of audit committee meetings going from 1-hour duration to 6, and having to start at 6 a.m. to be accommodated. Why are board meetings longer or more extensive?

Ryan: Because all the directors are more probing and demanding.

O'Brien: In our case, the scope of responsibility is greater than ever before. It is the expanding issue of compliance and data security, as well as internal audit issues.

Green: Smart audit committees are taking the time to understand their significant accounting policies, the aggressiveness of those policies, and assess alternatives. They are also providing oversight to the internal control process. They understand that risks can migrate deep from within an organization, so they want to ensure that the process is valid and that issues are addressed. Their personal liability is on the line.

Ryan: For sure, but audit committees are placing much keener interest in issues. For instance, they will ask: “please give us, in order, the risks facing the business.” They will ask for a much sharper view on any balance sheet related item and focus hugely on internal control.

Armstrong: The Marriott business is famous for the way in which it has systemized its procedures in various areas of operation. I'm thinking for example of the manual on how to make a bed, which I understand works globally right across the business. Have you tried a similar systemized approach to corporate governance and if so can it work?

Ryan: We do as much as we can through company-mandated policies.

Armstrong: Steve, who counsels the directors of your organization on compliance? If they have separate representation, please give some details.

O'Brien: I provide counsel on compliance issues. Our outside directors sit on numerous boards, so they are well-versed in many of these issues. I am not aware if they have representation independently. Most of our conversations deal with how issues affect our specific company and our industry. More pointed issues than general compliance, I guess.

Armstrong: Joe, same question to you. Who counsels the directors of your organization on compliance?

Ryan: In almost all instances, they call me, but, as Steve notes, they are sophisticated with lots of contacts and resources, so I assume they forum shop like everyone else. To the best of my knowledge, they are not independently represented, or, if they are, they are paying for it themselves.

Armstrong: That's a good segue into the next question: In money terms, how much do you think you have spent on Sarbanes-Oxley (and local equivalents) and similar compliance programs?

Ryan: We are afraid to find the answer. Just kidding. We estimate somewhere in the [area of] U.S. $15-$20 million.

Armstrong: How does that compare [with] previous years?

Ryan: I am not certain, because 404 was a 2004 issue, and we do not have an apples-to-apples comparison, but I would state with great confidence it is materially more than in prior years. A huge part of the increase is in internal costs. Basically, people with day jobs simply getting it done, and a lot of other things not getting done.

Armstrong: Steve, how about you? Sarbanes-Oxley costs?

O'Brien: I was afraid you were going to ask me that … Realize [that] we are a smaller company, but our costs were in the $1.5 million range. Most of that is internal costs, folks like Joe mentioned. The external audit figure is up about 15% and internal up in the 60% to 70% range. Also, realize that we are approximating Sarbanes-Oxley compliance as a private company. We have the “luxury” of being able to implement over time.

Green: Both examples are representative. Just to put some perspective around the issue, AMR Research Inc. reports that companies spent $5.5 billion on compliance in 2004, and the spending continued into 2005. Section 404 has obviously been the big story, but there were other sections of the Act that also impacted public companies. Whistleblower protections, statements of ethics, officer certifications: How have these impacted your organizations?

Ryan: It has added much formality and drama to our proceedings, but the guts of what we are doing are still pretty much intact.

Armstrong: You talked of a total somewhere over $15 million. How did you and will you allocate resources for compliance work or budget specifically for it?

Ryan: Both specific additional resources given and postponement of other projects.

O'Brien: Since we are a private company, we do have the luxury of implementing over time and not on the SEC schedule. As a result, we are largely taking a wait-and-see approach. We did increase the number of people on our internal audit committee and devoted more time to compliance issues.

Armstrong: Has your in-house legal department staff increased to deal with extra work around compliance responsibilities?

Ryan: No.

O'Brien: We haven't added legal staff, but responsibilities of internal legal staff and reporting responsibilities have increased.

Armstrong: How much of your personal time is now spent on compliance as compared with 2 years ago?

Ryan: More, but I've never measured it. Maybe 20%?

O'Brien: The time I spend on compliance issues has increased, largely in advising the board and internal audit and working with our executive committee to implement programs. I do not think it will continue at that level over time as much of this is a process of triage and upgrade.

O'Brien: Many of these are what I call “plug-ins,” such as anonymous phone lines and codes of conduct. They are easy to implement; the question is whether they are effective. I understand Enron had a stellar Code of Conduct.

Green: Enron did have a stellar code, but as we know, insincerity can be identified all the way from the mailroom. What do companies need to do to make it work?

O'Brien: It has to start from the top and be reinforced every day. And you need to get input from the general workforce on whether they feel the ethics of the company. We are in the survey business, so this is second nature to us.

Green: What types of comments, if any, have you fielded from your European operations or regulators regarding Sarbanes-Oxley?

Ryan: To date, we have had relatively few international inquiries. The Enron point, incidentally, is huge. If the culture is not open, no number of codes, policies, procedures etc. will make a difference.

Armstrong: How do others feel about this?

Green: This importance of culture cannot be overstated. We also performed an internal survey and found it useful. Our employees knew we had a code, but did not know where to find it or how to report a problem. This feedback helped us focus our efforts on answering these questions for them.

O'Brien: Exactly. Employees need a way to communicate. Without that, people go the way of the whistleblower and an intervention on a regular basis can be helpful to avoid that. Some people are afraid of what they will find in a survey, but you can't fix it if you can't identify it.

Green: How big an expense were these “plug-ins” and have they proved helpful? Does your firm help companies perform these surveys?

O'Brien: Yes, we work with companies and also with some audit firms that want to measure the effectiveness of controls on a local level. It is critical if you are going to do a survey that you get feedback to the participants, otherwise it is perceived as a “Big Brother” concept and you won't get buy-in from those you need.

Green: Well said. What are some of the larger issues that companies have had to deal with as a result of these surveys?

O'Brien: The big one is training. Who do I report a problem to and what is “my responsibility” in all of this. The biggest benefit in this first round is identifying where you need to provide more training and structure around reporting. I don't mean to minimize the “plug ins” I referred to, but in haste I think some companies just plugged things in and didn't communicate well to the workforce about why this is mission critical and the role they play in it.

Armstrong: I think we have the same issues in play in Europe too. The whole process needs careful thought. From some of the projects I have seen, there is perhaps a more pronounced cultural play in Europe too — some countries just do not have a culture of telling someone else that they are not satisfied where they are; others will complain much more readily. I recently spoke at a conference for some of the new EU countries and Bulgaria and Romania in Sofia, and given their history under former Communist times, there's an understandable discomfort with telling 'the management' how co-workers are performing.

Green: The newspapers are filled with examples that prove Steve's point. Employees often do not know how they fit into the overall compliance picture, or that they have a responsibility to report behaviors that breach accepted boundaries. How can management best communicate these responsibilities to their employees?

O'Brien: I think it has to start at the top, but it has to go to the work group level immediately. The local manager has more control than most give him or her credit for. And unless the relationship between the local manager and his or her reports is open and honest, you will have problems. There are good whistleblowers and bad whistleblowers. Bad ones are just people looking for a payoff. Good ones are people who are frustrated because the company doesn't listen to them. If local managers aren't listening, you are in for big problems.

Armstrong: Are calls to your hotline predominantly HR-based? Many of our clients tell us that the real incidents of abuse picked up by hotlines are small, but people want to complain about their own managers when they feel that the existing system is failing them and their complaints are not being heard.

Ryan: Yes.

O'Brien: I would agree. If someone's message isn't being picked up and voiced through the local manager, it will find a way out in other ways and that is ultimately bad for the company.

Green: What is important is that issues are captured and vetted. Do either of you have recommendations regarding how to best capture and vet this information either at the manager or employee level? Who should do the vetting? The last thing you want is for this to be played out in the press.

Armstrong: From my point of view, I think that it's important that a business uses a hotline, but also looks at what's out there about the company itself. I've looked at employee discontent through blogs and chat rooms. Organizations on both sides of the Atlantic need to watch what is being said about them. The important thing is to deal with what is out in the open before it affects stock price.

O'Brien: Again, talking about “good” whistleblowers, in large part, they just want to be heard. They feel like their opinions don't count. Many times the local manager is the problem, not the person raising the complaint. You need an environment where these issues can be raised and managed internally. The local manager does some vetting, has to, but broader participation is needed in many cases to help the person be heard.

Armstrong: Good point. If you look at the blog-type communication, for example, quite often the employee will start off with a minor complaint to see if anyone is listening. If no one is listening, it escalates and gets to the real “nub” of his issue. Oftentimes the allegations will get more and more serious and then acquire a life of their own.

Green: Agreed. Sometimes the local manager is the problem, and will silence critical communication. That is where these alternative methods of communications become key.

Armstrong: What do you do to monitor what associates or others are saying about you online? For example do you monitor chat rooms and blogs?

Ryan: Someone else does this.

Green: Steve, can you use surveys to identify these types of issues? Should they be performed regularly?

O'Brien: Yes, the surveys won't get to specific issues, but they create a conversation if done correctly. For example, low ratings on control features should be discussed at the work-group level and people should be asked what their specific issues are. In these feedback sessions, issues can come out and usually the answer is already in the room, someone just needs to activate it. But without the feedback, you just see levels of distrust and don't get to the actual issues.

Armstrong: There is a particular European issue here. A lot of U.S. multinationals are keen on doing employee surveys in enough detail to identify specific issues within the organization. Frequently, that brings them into conflict with data privacy laws in Europe because when you get down to the level where you can identify specific issues, often you can identify an individual or individuals affected by that issue and that is usually a breach of local law.

Green: That is a great segue into the European vs. U.S. space. What other major differences are you finding between the ways we regulate versus the EU?

O'Brien: Data Protection issues are huge with a company like ours. We require consent from employees to manage their data and implement reporting. You have to develop a level of trust that their data will be managed with the highest integrity. But in order to do the work effectively, you have to get the employee's consent.

Armstrong: I think the major issue is the multiplicity of rules. So, for example, we already know that there are more than 100 studies on corporate governance in Europe. Some of them are well known such as the Cadbury code in the UK. But others are relatively obscure, particularly, with the distance with the Atlantic in between. To keep track of them, we have, internally, run a computer database, but even that is a job for four to five permanent people to update it. In the U.S., it is relatively easy to look at SEC requirements and map a compliance program on the back of them.

Green: Both great points. On data security, how do you obtain that trust?

O'Brien: Well again, it is the feedback mechanism where they can see that their involvement has an impact on their work life.

Armstrong: On the data security point, trust is certainly an issue. But in addition, for some employee surveys, even the employee consenting to the survey might not be enough. The only workaround is to make the survey more general than specific and then of course there is the downstream issue of not being able to identify what is behind the dissatisfaction.

Green: I understand the EU has adopted a roadmap to harmonize their regulations.

Armstrong: Scott — to your point — the EU is really only part of the picture. For example, Switzerland has no real plans to join the EU. It currently has two primary legal authorities, three codes of conduct, and 23 different secondary legal authorities, all, of course, in three official languages. Using just that one country as an example shows that the EU, even if it can codify corporate governance for EU members, will still not solve the problem. The other point: Switzerland is of course of critical importance in this piece because of the preference of many U.S.-based multinationals to conduct their European business via a Swiss subsidiary.

O'Brien: Let me pose a question. I have seen arguments about the Data Protection laws being in conflict with Sarbanes-Oxley. How do you see that issue?

Armstrong: Steve, I definitely do agree with you. Sarbanes-Oxley encourages the organization to reach out from headquarters and gather information from European subsidiaries, for example. Some European legislation specifically prohibits that information being seen by anyone in the U.S. The conflict just isn't easy to resolve.

Green: We will always have to deal with rules in the independent jurisdictions. You're right that the Swiss are not currently joining, but they seem to be in constant consideration of joining the EU. But more to your point, while the U.S. took a fast track, the Europeans are taking a more measured approach spanning implementation to the end of the decade. That leaves a lot of wiggle room until these questions are addressed with each country in effect bringing its own practices to the table and forcing companies to comply with the highest worldwide standard.

O'Brien: It would be an interesting point under the Federal Sentencing Guidelines if a company refused to provide information because it violated an EU data protection provision.

Armstrong: I continue to have doubts as to whether the EU has the ability or the willingness to bring the whole of Europe to one table. As someone who works in Switzerland most every month I see no signs of them joining the EU any time soon. To pick up both points at once, I have already seen instances where, for example, in an antitrust investigation, data is asked for, by the U.S. authorities; the provision of which would breach European law. For many organizations, the call would be: which law did they breach? And clearly for many, because of the Federal Sentencing Guidelines, they will want to be seen to be co-operating fully with the U.S. authorities, even if that does expose the business to criminal penalties outside the U.S.

In Europe, an example of where rules can be in direct conflict might be in looking at the remuneration of specific individuals, say, for example, in a European entity being acquired. Clearly, stakeholders in the U.S. would feel entitled to that information to enable good governance, but it is likely that the type of data would not be allowed to go back to the U.S. parent without the consent of the individuals involved in a takeover, which could affect individual employees. Most organizations will not want to go and ask for that consent and even if they ask, they are likely not to get it. Joe, have you had any corporate governance compliance issues yourself in Europe as yet?

Ryan: No.

Armstrong: Steve, I see you have operations in Europe in Belgium, Croatia, the Czech Republic, Germany, Hungary, Lithuania, The Netherlands, Poland, Romania, Spain and the UK. Have you had any specific issues with corporate governance in these countries as yet and if so can you share some detail?

O'Brien: We have not experienced any specific corporate governance issues in Europe. The most significant issues are around data protection. Europe has been the leader in this regard globally, and we are very diligent to ensure that we comply with all data protection laws. This has a governance component as we implement our own standards for maintenance and transfer of data. A failure of controls with data integrity can be as dangerous as a failure of financial controls. Both are governance issues and both could lead to significant damage to the enterprise from a risk assessment standpoint.

Armstrong: Scott, what do you make of the fact that certain studies show that reporting a material deficiency does not negatively impact a company's stock price?

Green: So far, there have been over 400, or roughly 4%, of all companies reporting material weaknesses. There was a preliminary study of over 200 companies in January that determined that companies reporting such deficiencies did not experience a negative market impact. For those that were surprised, I view this as the pundits not giving the market enough credit. The market always looks forward. When companies report big write-offs, the stock often goes up. The market knows that, going forward, the company is better positioned having put the problem behind it. Likewise, the fact that a company has disclosed a weakness, and has either corrected it or is in the process of correcting it effectively makes it a non-factor going forward.

Armstrong: Joe, please feel free not to answer, but on a personal note as an officer of the organization, your own remuneration package has been in the public domain much more than before. How do you feel about publications like Forbes broadcasting what you earn?

Ryan: You don't worry about what you can't control.

Armstrong: Steve, would the new regulatory regime make you less likely to seek a public listing?

O'Brien: We don't have any plans to seek a public offering. The additional costs of Sarbanes-Oxley compliance would be a factor in “preparing” for an offering. And the regulatory regime would be a factor in whether or not management wanted to operate a public company. There would be opportunity for ramping up prior to filing an S-1, but an operating company that wants to go from zero Sarbanes-Oxley compliance to public company would be in for some surprises.

Armstrong: Scott, a few questions for you. Looking at this from the U.S. perspective, can you expand on what you think are some of the differences between the U.S. and European approach to corporate governance?

Green: The primary difference is timing. The U.S. took a fast-track approach to reform, quickly implementing financial certification requirements for executives, creating a regulatory body to provide oversight of the accounting profession, and creating structural changes that increased the authority of independent directors. The EU has taken a more measured approach, which envisions a lengthy implementation period stretching, for some reforms, to the end of the decade. Until the reforms are complete, there will be many differences in the practices of EU member states.

Another primary difference between European and U.S. practices concerns the method of enforcement. While the U.S. has mandated certain practices, such as the legal requirement for an independent audit committee, while leaving others voluntary, many European countries follow the UK approach, which is the voluntary comply-or-explain methodology. If a company chooses not to follow a governance standard, a company will disclose why they have not. This system relies on the market to enforce governance discipline.

There are also some structural differences. European companies usually have two separate individuals holding the offices of CEO and Chairman, while the U.S. has generally supported the imperial CEO, who holds both positions. There are some clear conflicts of interest with the U.S. approach, and many boards are voluntarily separating the positions or identifying “lead directors” to guide the independent directors through the issues of CEO evaluation, compensation and other conflicted matters. Many European companies also have employee or government representatives on their boards. That is rarely the case in the U.S.

Armstrong: This latter point is interesting. Some colleagues of mine are currently working on pan-European corporate governance policies. The CEO/Chairman point crops up regularly across Europe and the terminology can be hard to track. In the UK, for example, we recognize a distinction between non-executive (i.e., non-employee) directors and executive directors in much the same way as you might distinguish between independent/external directors and those within the company. Many countries across Europe do not have similar concepts in their law. Some terms such as “Company Secretary” or “President” are used on both sides of the Atlantic, but with different meanings. For example, in company terms, a French President is closest to the U.S. Chairman of the Board, but a U.S. President is closest to the French Directeur General. The term exists in both countries, but describes a different position with different roles and responsibilities in corporate governance terms. What accommodations, if any, were made for foreign companies in recent U.S. governance reforms?

Green: Initially, very few. Foreign companies that are listed in the U.S. were given longer to comply with certain aspects of the Sarbanes-Oxley Act, but that was about it. The EU strongly disagreed with what they perceived as an over-reaching approach by the U.S., particularly as it related to certification of financial statements and internal control systems, direct U.S. access to EU audit working papers, U.S. auditor independence requirements and audit committee requirements. The SEC and PCAOB have begun to address some of these issues. For example, the SEC has provided an exemption from the audit committee requirements if foreign jurisdictions require an independent board of auditors or similar body to provide oversight of financial statement preparation. The PCAOB, while requiring foreign accounting firms to register, will rely “to an appropriate degree” on the oversight of the accounting firms by regulators in foreign jurisdictions. Nevertheless, the more onerous provisions of the Act, such as Section 404 requiring the certification of the internal control structure, have many companies assessing whether access to the U.S. financial markets warrants the increased costs of compliance.

Armstrong: What issues still remain for implementation of the Sarbanes-Oxley Act?

Green: One of the most significant outstanding questions is how Section 404 will be implemented for small companies. Documenting and certifying internal controls is an expensive proposition. As noisy as the complaints have been for large corporations, they do have the resources to accomplish the task. Small companies, however, generally do not have the resources to hire legions of consultants, implement compliant information systems and carry the headcount needed to maintain an elaborate internal control structure. They generally rely on manual controls such as managerial oversight and payment approval controls. This has been a concern of mine since its enactment, and the SEC is beginning to take notice of its potential impact on small companies. They have created a smaller company advisory committee to address Sarbanes-Oxley issues related to small public companies.

Armstrong: Thank you all for your participation today. This has certainly been a fascinating discussion. It seems to me that the authorities on both sides of the Atlantic do have a determination to fix the system, but all four of us have our doubts as to whether their arrows are properly hitting the target. In their willingness to “do something,” regulators may well have got the balance wrong, and certainly Joe's figure for Sarbanes-Oxley compliance in Marriott should make many think about whether that response has been proportionate. It is clear, though, that the burden of compliance is likely to be heavy both in the U.S. and Europe in the years to come.


Another primary difference between European and U.S. practices concerns the method of enforcement. While the U.S. has mandated certain practices, such as the legal requirement for an independent audit committee, while leaving others voluntary, many European countries follow the UK approach, which is the voluntary comply-or-explain methodology. If a company chooses not to follow a governance standard, a company will disclose why they have not. This system relies on the market to enforce governance discipline.

There are also some structural differences. European companies usually have two separate individuals holding the offices of CEO and Chairman, while the U.S. has generally supported the imperial CEO, who holds both positions. There are some clear conflicts of interest with the U.S. approach, and many boards are voluntarily separating the positions or identifying “lead directors” to guide the independent directors through the issues of CEO evaluation, compensation and other conflicted matters. Many European companies also have employee or government representatives on their boards. That is rarely the case in the U.S.

Armstrong: This latter point is interesting. Some colleagues of mine are currently working on pan-European corporate governance policies. The CEO/Chairman point crops up regularly across Europe and the terminology can be hard to track. In the UK, for example, we recognize a distinction between non-executive (i.e., non-employee) directors and executive directors in much the same way as you might distinguish between independent/external directors and those within the company. Many countries across Europe do not have similar concepts in their law. Some terms such as “Company Secretary” or “President” are used on both sides of the Atlantic, but with different meanings. For example, in company terms, a French President is closest to the U.S. Chairman of the Board, but a U.S. President is closest to the French Directeur General. The term exists in both countries, but describes a different position with different roles and responsibilities in corporate governance terms. What accommodations, if any, were made for foreign companies in recent U.S. governance reforms?

Green: Initially, very few. Foreign companies that are listed in the U.S. were given longer to comply with certain aspects of the Sarbanes-Oxley Act, but that was about it. The EU strongly disagreed with what they perceived as an over-reaching approach by the U.S., particularly as it related to certification of financial statements and internal control systems, direct U.S. access to EU audit working papers, U.S. auditor independence requirements and audit committee requirements. The SEC and PCAOB have begun to address some of these issues. For example, the SEC has provided an exemption from the audit committee requirements if foreign jurisdictions require an independent board of auditors or similar body to provide oversight of financial statement preparation. The PCAOB, while requiring foreign accounting firms to register, will rely “to an appropriate degree” on the oversight of the accounting firms by regulators in foreign jurisdictions. Nevertheless, the more onerous provisions of the Act, such as Section 404 requiring the certification of the internal control structure, have many companies assessing whether access to the U.S. financial markets warrants the increased costs of compliance.

Armstrong: What issues still remain for implementation of the Sarbanes-Oxley Act?

Green: One of the most significant outstanding questions is how Section 404 will be implemented for small companies. Documenting and certifying internal controls is an expensive proposition. As noisy as the complaints have been for large corporations, they do have the resources to accomplish the task. Small companies, however, generally do not have the resources to hire legions of consultants, implement compliant information systems and carry the headcount needed to maintain an elaborate internal control structure. They generally rely on manual controls such as managerial oversight and payment approval controls. This has been a concern of mine since its enactment, and the SEC is beginning to take notice of its potential impact on small companies. They have created a smaller company advisory committee to address Sarbanes-Oxley issues related to small public companies.

Armstrong: Thank you all for your participation today. This has certainly been a fascinating discussion. It seems to me that the authorities on both sides of the Atlantic do have a determination to fix the system, but all four of us have our doubts as to whether their arrows are properly hitting the target. In their willingness to “do something,” regulators may well have got the balance wrong, and certainly Joe's figure for Sarbanes-Oxley compliance in Marriott should make many think about whether that response has been proportionate. It is clear, though, that the burden of compliance is likely to be heavy both in the U.S. and Europe in the years to come.
