While much of the focus over the years has been on the robustness of audit committee disclosures in SEC filings, the topic of direct engagement between investors and audit committees has not been discussed as often. Investors have sought out engagement on compensation issues with compensation committee chairs for many years now after the advent of say-on-pay, but investor engagement with audit committee chairs seems to be less common.
Earlier this year, the UK’s Financial Reporting Council (FRC) announced the launch of a new web page that provides a series of conversation starters for engagement between investors and audit committees. The FRC indicates in the announcement that direct engagement with investors can provide insight into “the company’s approach to regulatory focus and areas of interest to market participants.”
While these conversation starters are UK-oriented, they are still useful for audit committees of US companies as a way of understanding the particular areas that investors may be focused on, which could aid in expanding disclosures or direct engagement efforts.
I have been on the road again after the long pandemic hiatus from business travel and it hit me that these trips are much less enjoyable without my friend and collaborator Marty Dunn. Marty passed away three years ago this month and his absence is strongly felt at the events that I have recently attended. To sum it up, during his life Marty had found a way to make what we do and what we talk about every day somehow fun and interesting, and that was indeed a special gift. What we do on a day-to-day basis can seem like drudgery at times, so finding that spark which makes the job fun and interesting is perhaps the most important part of having a long and successful career. Marty’s inspiration to find that spark is one of the many gifts from my friend that I am grateful for, and I hope you feel the same way.
If you are looking for a refresher on Marty’s many gifts, you can read my tribute to Marty in this blog, as well as The Fond Farewell episodes of The Dave and Marty Radio Show in the 2020 section of our podcasts archive. You can also check out my tribute to Marty in this Deep Dive with Dave podcast.
Earlier this week, Vanguard published a statement on its approach to board responsiveness to shareholders & other stakeholders. After a couple of pages devoted to the usual platitudes about the importance of engagement and the general need for directors to be responsive to shareholder input, Vanguard lowered the boom by laying out its policy on board responses to majority-supported shareholder proposals:
When a board fails to respond to a proposal supported by a majority of its voting shareholders and the Vanguard-advised funds supported the proposal, the funds will generally vote against relevant members of the board. For example, concerns with compensation matters would likely impact votes on members of the compensation committee, while governance concerns would generally impact votes on members of the nominating/governance committee. A pattern of unresponsiveness to shareholder feedback (e.g., a failure to act, or slow action, on shareholder votes) may be an indicator of poor governance practices and may result in increasing levels of opposition to board members’ election.
Not surprisingly, Vanguard doesn’t specify what an appropriate “response” would be to a majority-supported shareholder proposal, which is probably impossible to do in the abstract. Nevertheless, companies need to know that their responsiveness to these proposals will be graded at the ballot box by one of their largest shareholders.
Vanguard’s policy may not have a significant impact on most companies, at least for now. That’s because, as SEC Commissioner Mark Uyeda pointed out in his speech at the Society for Corporate Governance’s conference earlier this week, the percentage of shareholder proposals receiving majority support has fallen precipitously in recent years. Only 5% of proposals received majority support this proxy season, compared to 19% just two years ago.
The May-June issue of the Deal Lawyers newsletter was just posted and sent to the printer. This month’s issue includes the following articles:
– Anatomy of a CVR: A Primer on the Key Components and Trends of CVRs in Life Sciences Public M&A Deals
– Chancery Ruling Highlights Important Role of Special Litigation Committees in Maintaining Board Control Over Derivative Litigation
The Deal Lawyers newsletter is always timely & topical – and something you can’t afford to be without in order to keep up with the rapid-fire developments in the world of M&A. If you don’t subscribe to Deal Lawyers, please email us at sales@ccrcorp.com or call us at 800-737-1271.
Liz and Broc met up at the Society Conference in Salt Lake City this week and I just couldn’t resist sharing this picture of two of TheCorporateCounsel.net’s all-time greats with our readers. It feels like a Beatles reunion – minus Ringo, of course, but nobody misses him anyway!
Yesterday, the SEC announced settled enforcement proceedings against Marcum LLP, for what it contends were systemic quality control failures & audit standards violations in connection with audit work for hundreds of SPAC clients. This excerpt from the SEC’s press release provides additional details on the proceeding:
Over a three-year period, Marcum more than tripled its number of public company clients, the majority of which were SPACs, including auditing more than 400 SPAC initial public offerings in 2020 and 2021. The strain of this growth, however, exposed substantial, widespread, and pre-existing deficiencies in the firm’s underlying quality control policies, procedures, and monitoring. These deficiencies permeated nearly all stages of the audit process and were exacerbated as Marcum took on more SPAC clients.
Moreover, in hundreds of SPAC audits, Marcum failed to comply with audit standards related to audit documentation, engagement quality reviews, risk assessments, audit committee communications, engagement partner supervision and review, and due professional care. Depending on the audit standard at issue, violations were found in 25-50 percent of audits reviewed, with even more frequent, nearly wholesale violations found as to certain audit standards across Marcum’s SPAC practice.
The SEC’s order alleges that “Marcum’s quality control and audit standard failures permeated most stages of engagement work—from client acceptance to risk assessments, audit committee communications, audit documentation, assembly and retention of audit documentation, engagement quality reviews, technical consultations, due professional care, and engagement partner supervision and review. At nearly every stage, Marcum lacked sufficient policies and procedures to provide reasonable assurance that engagements were conducted in accordance with professional standards.”
Without admitting or denying the SEC’s allegations, Marcum agreed to an order finding that the firm engaged in improper professional conduct within the meaning of Rule 102(e), violated multiple audit standards across numerous engagements, and violated Rule 2-02(b)(1) of Regulation S-X. Marcum also agreed to pay a $10 million penalty & to undertake remedial actions, including retaining an independent consultant and abiding by certain restrictions on accepting new audit clients.
The Association of Corporate Counsel recently released the results of its 2023 Law Department Benchmarking Survey, which covered 449 legal departments in companies of all sizes across 24 industries and 20 countries. Here are some of the key takeaways:
– Privacy is now the most common business function directly overseen by Legal (57% and six points more than reported in 2022) overtaking compliance, which traditionally tops the list (56%). An additional 19% of departments, however, indicated that compliance is a separate department that reports to legal. Therefore, in total, 77% of legal departments reported that the CLO ultimately oversees compliance compared to 70% that have oversight over privacy.
– The median total legal spend for all participating companies increased from $2.4 million last year to $3.1 million this year and although this increase occurred across companies of all sizes, the largest increases were driven by companies with greater than $20 billion in revenue, with a median total legal spend of $80 million this year compared to $50 million last year.
– The median total legal spend as a percentage of company revenue (a key measure of Legal’s overall cost to the business) also increased to 0.63% compared to 0.56% last year. However, the total inside/outside spend distribution has remained roughly the same with 53% of total spend going to internal costs and 47% of total spend going to outside costs.
– About three in ten departments track internal diversity metrics related to the legal department’s composition, and 21% report tracking diversity metrics with respect to their outside counsel. There has been little movement in these numbers over the past three years despite the increased attention and desire to establish a more inclusive and equitable environment within the legal profession.
The increases in total legal spend are pretty eye-popping, particularly for large companies. A recent LegalDive.com article on the survey notes that although law firms increased their rates by an average of 5.5% in the first quarter of 2023, other factors, such as increased litigation and regulation, are more significant contributors to the jump in overall spending.
The members of the House of Representatives managed to pry themselves away from the cable news networks’ microphones long enough to pass a bunch of bipartisan legislation aimed at facilitating capital formation. Here’s the intro to this Mayer Brown blog:
In early June, the US House of Representatives passed two sets of bills focused on promoting capital formation. The bipartisan effort included bills that amend the accredited investor definition in order to increase the diversity of investors participating in the private markets. In addition, as the IPO market continues to suffer, the packages include bills that would enact legislation formalizing measures that already are permitted by SEC staff, such as, for example, expanding “testing-the-waters” accommodations to all issuers. Also, the package includes a bill directing the SEC to investigate the costs associated with going public for middle market companies.
The blog includes brief summaries of each piece of legislation as well as links to the text of the bills. It says that the next stop for this package is the Senate Committee on Banking, Housing, and Urban Affairs.
Artificial Intelligence is a topic that’s really exploded into public consciousness this year, so it isn’t surprising that AI risks are also beginning to feature prominently in some corporate risk factor disclosures. This Bryan Cave blog notes that companies are addressing AI risks either through standalone risk factors or as part of broader risk factor disclosures. The blog highlights the topical areas of these broader risk factors in which AI disclosures appear and provides several examples of standalone risk factors, including this one from DoorDash’s most recent Form 10-Q:
We may use artificial intelligence in our business, and challenges with properly managing its use could result in reputational harm, competitive harm, and legal liability, and adversely affect our results of operations.
We may incorporate artificial intelligence (“AI”) solutions into our platform, offerings, services and features, and these applications may become important in our operations over time. Our competitors or other third parties may incorporate AI into their products more quickly or more successfully than us, which could impair our ability to compete effectively and adversely affect our results of operations. Additionally, if the content, analyses, or recommendations that AI applications assist in producing are or are alleged to be deficient, inaccurate, or biased, our business, financial condition, and results of operations may be adversely affected.
The use of AI applications has resulted in, and may in the future result in, cybersecurity incidents that implicate the personal data of end users of such applications. Any such cybersecurity incidents related to our use of AI applications could adversely affect our reputation and results of operations. AI also presents emerging ethical issues and if our use of AI becomes controversial, we may experience brand or reputational harm, competitive harm, or legal liability. The rapid evolution of AI, including potential government regulation of AI, will require significant resources to develop, test and maintain our platform, offerings, services, and features to help us implement AI ethically in order to minimize unintended, harmful impact.
The blog says that only about 10% of companies in the major indices (S&P 500 and Russell 3000) are currently including a discussion of AI in their risk factor disclosures, but it also points out that companies addressing AI in their risk factors represent a broad range of industries tech & software.
Verizon recently published its 2023 Data Breach Investigations Report, and one of its more interesting findings is that, when it comes to cybersecurity, a company’s senior leaders are often its weakest link – particularly when it comes to the burgeoning category of “social engineering” attacks. Here’s an excerpt from Verizon’s press release:
The human element still makes up the overwhelming majority of incidents, and is a factor in 74% of total breaches, even as enterprises continue to safeguard critical infrastructure and increase training on cybersecurity protocols. One of the most common ways to exploit human nature is social engineering, which refers to manipulating an organization’s sensitive information through tactics like phishing, in which a hacker convinces the user into clicking on a malicious link or attachment.
“Senior leadership represents a growing cybersecurity threat for many organizations,” said Chris Novak, Managing Director of Cybersecurity Consulting at Verizon Business. “Not only do they possess an organization’s most sensitive information, they are often among the least protected, as many organizations make security protocol exceptions for them. With the growth and increasing sophistication of social engineering, organizations must enhance the protection of their senior leadership now to avoid expensive system intrusions.”
Like ransomware, social engineering is a lucrative tactic for cybercriminals, especially given the rise of those techniques being used to impersonate enterprise employees for financial gain, an attack known as Business Email Compromise (BEC). The median amount stolen in BECs has increased over the last couple of years to $50,000 USD, based on Internet Crime Complaint Center (IC3) data, which might have contributed to pretexting nearly doubling this past year.