SOX, FSG’s, and FAR

What are the Relevant Components of The Sarbanes-Oxley Act of 2002 (SOX)?

• Section 406 of SOX requires disclosure of whether a code of ethics has been adopted.

Section 406 of SOX directed the Securities and Exchange Commission (SEC) to issue rules requiring each public company to disclose whether or not it has adopted a code of ethics (business code of conduct or employee code of conduct) that applies to the organization's key officers. The SEC adopted final rules implementing Section 406 of SOX in January 2003.

The final SEC rules define "code of ethics" as written standards that are reasonably designed to deter wrongdoing and to promote:

• Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships.
• Full, fair, accurate, timely and understandable disclosure in reports and documents that a company files with or submits to the SEC and in other public communications made by the company.
• Compliance with applicable governmental laws, rules and regulations.
• The prompt internal reporting of any violations of the code of ethics to an appropriate person or persons identified in the code of ethics.
• Accountability for adherence to the code of ethics.

SOX does not actually mandate business ethics training or adopting a Code of Ethics / Code of Conduct, but it requires that a company disclose whether or not it has adopted a Code that satisfies the definition above. If the company has not adopted such a Code, it must disclose why. This approach is often described as a "law of shame."

• NYSE and NASDAQ Governance Standards require a Code.

Expanding upon the Section 406 concept, the SEC approved new NYSE and NASDAQ Governance Standards. Both exchanges require a "Code of Business Conduct and Ethics" covering all employees, officers and directors. Each listed company must make its Code available to the public.

The NYSE requires CEO's to certify compliance with these listing standards on an annual basis. (Final NYSE Corporate Governance Rules, Section 10.) The NYSE requires more than a Code. It mandates "compliance standards and procedures that will facilitate effective operation of the Code." These "procedures" are largely interpreted to include training and education.

• Section 301 of SOX requires clear communication of reporting channels and protocols.

It's important to consider the importance of training when addressing general compliance with SOX. SOX requires each Audit Committee to establish a procedure for the confidential, anonymous reporting of complaints about audit and financial matters. (Section 301(4)). Such "procedures" naturally involve training and education about reporting channels and protocols.

(2) Federal Sentencing Guidelines (FSG's)

What are the Federal Sentencing Guidelines (FSG's)?

The Federal Sentencing Guidelines are rules that set out a uniform sentencing policy for convicted defendants. They were amended in November of 2004 to include critical training requirements.

The FSG's now require employers to adopt comprehensive ethics and compliance programs, and to train everyone on the fundamental components of those programs. Practically speaking, this means having a Code of Conduct or Code of Ethics and training on that Code.

How Do the Federal Sentencing Guidelines Work?

The FSG's make clear that employers can be held liable for their employees' illegal conduct. If employers take proactive steps to prevent unethical and illegal conduct through an effective ethics and compliance program (which includes training), employers can substantially mitigate potential fines and punishment for criminal violations:

The potential fine range for a criminal conviction can be significantly reduced -- in some cases up to 95 percent -- if an organization can demonstrate that it had put in place an effective compliance and ethics program and that the criminal violation represented an aberration within an otherwise law-abiding community.(1)

The opposite side of this equation is that an absence of effective ethics and compliance programs can be used to increase fines and punishment.

Why Are the FSG's Relevant to Civil Proceedings?

There is a long and extensive history of courts and regulatory agencies using the Federal Sentencing Guidelines to establish expected standards of conduct for employers, and to determine associated fines and penalties for not meeting those standards. The Commentary to the FSG's emphasizes that effective ethics and compliance programs go beyond the deterrence of criminal conduct to "facilitate compliance with all applicable laws." (2)

Who Needs to Be Trained?

Everyone.

Sections 8B2.1(b)(4)(A) & (B) of the Federal Sentencing Guidelines reference the need to train the entire workforce with a sweeping definition of "individuals" who must be trained:

The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to [members of the governing authority, high-level personnel, substantial authority personnel, the organization's employees, and, as appropriate, the organization's agents] by conducting effective training programs and otherwise disseminating information appropriate to such individuals' respective roles and responsibilities.

This requirement is further underscored in the Commentary to the Amendments:

Section 8B2.1(b)(4) makes compliance and ethics training a requirement, and specifically extends the training requirement to the upper levels of an organization, including the governing authority and high-level personnel, in addition to all the organization's employees.

How Often Does Training Have to Occur?

"Periodically."

As detailed above, Section 8B2.1(b)(4)(A) of the Federal Sentencing Guidelines refers to a periodic training requirement.

While "periodic" is not defined officially by the FSG's, employers can be guided by how that term has been interpreted in the employment law arena. The US Supreme Court and the EEOC require "periodic" harassment and discrimination prevention training for all employees and managers. A thorough review of employment law training case law shows that "periodic" is generally interpreted as every 12 - 24 months. (3)

California's recently passed harassment training law (AB 1825; new Government Code section 12950.1 ) (4) also references periodic training, and officially sets the time frame at every two years.

Based on this legislative context and a thorough review of state and federal case law from the past 5 years, ELT recommends training every year, and at least every other year.

Also, it is essential that new employees be trained as soon as possible. Under California's new harassment training statute, mandated training must occur within six months after a new manager is hired.

Can Distributing a Code of Conduct Meet the Training Requirements?

No.

The Federal Sentencing Guidelines specifically reference the need to proactively communicate the organization's ethics and compliance program by "conducting effective training programs." Clearly, distributing a Code of Conduct, whether electronically or in hard copy, does not amount to an effective education program.

Once again, given the relative infancy of the FSG requirements, employers can be informed and guided by the historical data and information regarding employment law training requirements. Following landmark decisions by the US Supreme Court in 1998 (5), and specific training guidelines from the EEOC in 1999 (6), there is a mountain of case law showing that distribution and even tracking of policies is not enough to meet a training requirement.

Employers with more than 200 employees should be particularly aware of the formality of the FSG's training requirement. While small employers (<200 employees) may provide training through more informal means ( i.e. staff meetings) as long as the training is effective and comprehensive, larger employers (200 employees or more) must provide more formally planned and implemented training programs. (7)

Does the Quality of Training Really Matter?

Yes!

The FSG's make continual reference to an "effective" training program. The new California training statute uses the same term, "effective."

Most importantly, quality training means that more is accomplished than just "checking the box." ELT's solution is engaging, exciting and entertaining. While this is done in a totally professional manner, lessons are imbedded within compelling stories that are based on actual events. The learner identifies with the experience and gains an intuitive understanding of the conduct expected by his or her employer. Behavior actually changes!

Finally, the introduction of the organization's Code of Conduct is a message of high importance transmitted from the Board of Directors through the CEO. The more powerful the delivery of this message, the better its acceptance and durability. Employees experiencing this course will not only remember the message, but also the experience. They actually look forward to the next opportunity to learn from the increasingly familiar characters of Working People TM -- the fictional workplace featured in each ELT production. Without qualification, "quality" matters when the integrity and future of your organization is being presented!

What are the Federal Acquisition Regulations (FAR)?

The Federal Acquisition Regulations govern how organizations do business with the government and define what the government requires of its contractors.

What Must Organizations Doing Business with the Government Do to Comply with the New FAR Amendments?

Within 30 days* of entering into a government contract, contractors must:

• Adopt a written code of business ethics and conduct;
• Provide a copy of the Code to employees; and
• Promote compliance with the adopted Code.

*This time may be extended by the contacting officer and the requirement does not apply to existing contracts that were awarded before amendments became effective, or to task orders awarded under those contracts.

Within 90 days of entering into a government contract, contractors must:

• Establish an "ongoing business ethics and business conduct awareness program"; and
• Establish an internal control program aimed at:
• The timely discovery of improper conduct; and
• Ensuring corrective measures are taken.

What Organizations Are Subject to the New FAR Requirements?

Under FAR, any organization is subject to these requirements if it is awarded a government contractor that:

• Is worth at least $5 million; and
• Requires more than 120 days to perform;

The requirements apply regardless of which government contracting agency is involved in the contract and apply with minor exceptions to subcontractors providing services under the affected contracts.

What Kind of Employee Training and Audit Programs Are Required?

In general, the regulations provide that government contractors must adopt (1) employee business ethics and compliance training, and (2) internal audit programs:

• That are suitable to the size of the company and extent of its involvement in Government contracting.
• That facilitate the timely discovery and disclosure of improper conduct in connection with Government contracts
• That ensure corrective measures are taken.

What Happens If You Don't Comply with the New FAR Requirements?

The new FAR requirements represent a condition for doing business with the government. An organization that fails to satisfy could face withheld payments, loss of fee award, or even debarment, suspension or other disciplinary action.

Are There Any Exceptions to the New FAR Requirements?

Yes.

There is a partial exception for contractors that have represented themselves as small business concerns during the contracting process are excluded from the formal training program and internal control requirements.

Amendments in December 2007 originally provided exceptions for contracts awarded under the FAR Part 12 commercial item contracts clause and for contracts to be outside of the United States, the District of Columbia, and outlying areas. These exceptions were rescinded by statute and are no longer available.

When Were the FAR Regulations on These Issues Last Amended?

Contractor obligations with respect to Code of Conduct training and internal audit programs were originally created by amendments to FAR which became effective in December 2007. However, the FAR regulations were again amended in December 2008. These latest amendments specifically define elements of the mandated compliance programs, and require contractors to disclose suspected criminal conduct in connection with government contracts. They supplement the December 2007 regulations, and provide contractors with more detailed guidance on how to meet their training and compliance obligations.

• With respect to Code of Conduct training, the new amendments seek to bring the FAR requirements into closer alignment with the requirements of the Federal Sentencing Guidelines and provide that contractors must take reasonable steps to periodically provide Code of Conduct training to all principals and employees, agents and subcontractors.
  
  They also provide that the training must be appropriate to each individual's duties expressly provide that the training must go to all "principals and employees" and, where appropriate, to all "agents and subcontractors."
• With respect to Internal Control Systems, the new amendments identify additional, mandatory elements of an effective program.

The December 2008 amendments also create a new "self-reporting" obligation for contractors that would require contractors to disclose in writing to the government whenever they have reasonable grounds to believe that a principal, employee, agent or subcontractor has violated the False Claims Act or other provisions of federal law relating to the award or performance of a government contract.

Do Ethics & Code of Conduct Training Requirements Apply to All Employers - Both Public and Private?

Yes. Unlike SOX, the FSG's and FAR apply to both public and private employers.

The Federal Sentencing Guidelines apply to "all organizations, whether publicly or privately held, and of whatever nature, such as corporations, partnerships, labor unions, pension funds, trusts, nonprofit entities, and government units." (8)

Similarly, the Federal Acquisition Regulations apply to all organizations doing business with the government regardless of whether the organization is publicly traded.

While the Sarbanes-Oxley Act applies to publicly traded companies, the rules and guidelines that it established are being widely adopted by privately held companies for two reasons: (1) Sarbanes-Oxley standards make for good business practice, adding value beyond simple "check the box" compliance. Many of the Sarbanes-Oxley requirements, like training, can help to substantially mitigate risk and liability for privately held organizations; and (2) Sarbanes-Oxley type legislation is expected in the near future for privately held organizations. Leading employers are recognizing the opportunity to stay ahead of the compliance curve.