A critical look at the Securities Act, 2016 (Zambia) - (Also appeared in the Daily Nation - 14 March 2017)

By Kelvin Chungu

A few weeks ago I wrote an article titled redefined regulatory landscape and I pointed out some of the current changes in the regulatory space. The Securities Act, 2016 (the ‘Act’) is one such legislative initiative sponsored by the Security and Exchange Commission (SEC) which will bring forth transformative regulatory imperatives for public traded companies, however the Act has also left it to the SEC to provide many of the rules by regulation. This legislation has been developed to help foster international best practice, ensure increased investor protection and financial reporting transparency.

The Act most profound change is well captured in Section 147 of the Act, which now requires that the board of directors ensure the integrity of the public traded company’s systems and to report on the effectiveness of the public traded company’s internal control system in its annual report. Note that it does not specify whether these system be financial or not.

The Act goes further to provide a broad definition and defines internal control as policies, procedures and practices put in place by the management or the board of a listed company or company whose securities are registered with the Commission to ensure the safety of assets, accuracy of financial records and reports, achievement of corporate objectives and compliance with laws and regulations. In this Act, it appears that the auditors are being taxed to report on internal control above and beyond those related to the integrity of financial reporting and this change could have significant cost implications.

As we grapple with what the rules underpinning this Act will be, a lot can be learned from the implementation experiences of Sarbanes Oxley Act (SOX), a statute that parallels the Act in the United States. There were a number of implementation issues, however the one that stands was in regard to management and auditors alike responding by testing every process and control, even at the transactional routine level, however after 17 years in the offing, Companies have now realized that they need to be efficient and are now more agile at disregarding routine transactions, considered low-risk.

So what is the most significant change the Act brings along? The Act in its previous form did not place considerable emphasis on correcting the possible negligent corporate governance practices, including for shortfalls in the reliability or accuracy of financial reporting. The Act, now introduces that requirement by obligating the chief executive officer and the chief financial officer or any other officers or persons performing similar functions in a public traded company to report and certify under threats of sanctions the accuracy of reported financial statements, that they have designed, have established and maintained internal control in their reporting on the adequacy of the internal controls in their filed report and introduces another requirements that the signing officers must disclose all significant deficiencies and material weaknesses in the design or operation of internal controls, which would adversely affect the company’s ability to record, process, summarizes and report financial data and have identified for the public traded company’s auditors. This requirement is strengthened by an introduction of penalties threat for those signing the report and indeed the Auditors under certain conditions.

The importance of introducing sanction is best exemplified with an analogue, the ‘fact that the most famous sections other than Section 404 in the SOX has been section 302’, which section requires that both the management of publicly held companies and their external auditor take personal responsible of financial reports requiring their signature on the documents respectively under threat of sanctions. Section 209.6 provides further in respect of directors that the SEC could recommend to a public regulated company for their removal from office. There are no other sanctions available to the directors except perhaps the humiliation that may accompany the public removal of a director from the board of a public company.

10 years after the Sarbanes Oxley Act had been in place in 2012, Alison Frankel (2012) ‘Sarbanes-Oxley’s lost promise: Why CEOs haven’t been prosecuted’ asked the question “Why aren’t SOX’s false certification provisions producing the sort of quick, easy cases that prosecutors envisioned when the law was first passed?” and it was noted according to the surveyed federal prosecutors that the answer lay partly in the specifics of the certification provisions and how corporations had responded to SOX.  In terms of how the corporations had responded, Alison Frankel (2012) noted that “companies began to implement internal compliance systems that made it very difficult to show that the CEO or CFO knowingly signed a false certification and as a consequence, when prosecutors had enough evidence to show that those internal systems failed and top executives knowingly engaged in wrongdoing, they preferred, for strategic reasons, to charge crimes that were other than false certification. Additionally most large corporations put in place multiple layers of sub-certification, requiring lower-level officials to attest to the accuracy of financial reports all the way up the chain to the CEO and CFO”.

Alison Frankel (2012) further noted that “It was a natural reaction for the CEOs and CFOs to ask ‘How can I possibly sign this without sub-certifications and so it was noted that sub-certification process had two effects. First, it forced corporations to be more vigilant about financial reporting at all levels, which is likely one of the reasons there have been few accounting scandals at major public corporations since SOX took effect. In that regard, the law was doing what it’s supposed to do, encouraging accountability and deterring fraud, however it also insulated CEOs and CFOs from false certification charges because to prove the SOX charges, prosecutors had to show that top officials signed off on financial reports they knew to be false. A charge which is much harder to prove given the sub-certifications received from lower-rung executives”.  This is perhaps one key lesson that the Zambian executives in public companies can learn.

There are also advantages that have been noted following the 15 years of the SOX that could bear resemblance with the Act depending on implementation. In 2004, 2 years after the enactment of the SOX, the Accountancy Journal wrote of the following developments, among others:

• “The stepped up internal audit documentation and mandatory rotation requirements placed significant demands on partners and staff to meet the requirement to rotate the lead audit partner and audit review partner every five years, as such small and midsize firms had to carefully coordinate their growth plans.
• Audit firms began to their vet prospective audit clients more carefully to ensure that a prospect’s industry aligned with the firm’s experience, whether the prospective client had a strong financial position and a good reputation.
•  The law also forced auditing firms out of many of the ancillary services they previously had provided public-company clients.

There are other pros that have been written about in other publications such as Companies becoming more risk-intelligent and are thus more likely to have better competitive advantage.  

Having noted the above, an issue that tend to arise when new legislation emerges is that Companies focus on the rigid implementation of the legislative requirements instead of realigning themselves to see the benefit of an increased focus on their business. The Act’s requirements that a public company have strong financial controls as part of a normal operating process brings with it a benefit of increased focus on the business of the company. So what should the Regulators, Directors and External Auditors do? There is advice for all:

1. Regulators - Regulators must firmly administer the legislation to ensure that the stakeholders are clear about the consequences of non-compliance. However the need to continuously supervise and take necessary action as early as possible can assist the Regulator in ensuring that there are no unintended matters arising. The Regulators also need to provide guidance regarding how it the current involuntary non-compliance in the reports it will receive given the lack of guidance.
2.  As the Regulator begin to structure the regulations to follow the Act, International norms would dictate that those should enable the shareholder have the ability to understand how the board of directors is structured, how it operates and how it is performing including how that performance is assessed. Additionally, the adoption of strict governance listing rules that also requires Companies to state and explain any departures from those rules can help to provide for an effective monitoring mechanism for the shareholder.
3.  External Auditor - External Auditor are a huge stakeholder in this and they must, foster the appearance of independence, build a culture of responsibility rather than one designed to get and keep clients at any cost.
4.  Board of Director - The Boards of directors increased responsibilities as a consequence of the Act means that there will be need to relook at the structure of the board and its committee to effectively prosecute the new responsibilities assigned by the Act. There must also be a re-educating process for board members in terms of those increased responsibilities and what needs to be in place to ensure compliance. Those increased responsibilities means that the directors must insist on widened representation letter from management, but that alone will not absorb them from the new potential sanctions.

As I wrote in the previous article, this new regulatory environment means that compliance must be a top agenda of the Chief Executive Officer and perhaps for the board.