USA Law and Practice Contributed by: Matt Hurd, Melissa Sawyer and Scott Crofton, Sullivan & Cromwell LLP
7.2 Requirements for Directors Concerning Management Risk and Internal Controls The federal securities laws require a public company to maintain adequate internal controls over financial reporting (ICFR) in order to provide reasonable assurance regarding the reliability of the company's financial reporting and the preparation of its financial statements in accordance with GAAP. A company's principal executive and financial officers are responsible for the design and implementation of the ICFR regime and must report control deficiencies and related findings to the audit committee and the company's independent auditor. Subject to certain exceptions, companies are required to include a management-drafted internal control report with their annual report, together with a related attestation by the company's independent auditor.
The NYSE requires a company's audit committee to discuss policies with respect to risk assessment and risk management, but states that the audit committee is not required to be the sole body responsible for risk oversight. The federal securities laws require disclosure of the board's role in the company's risk oversight process, including with respect to cybersecurity risks. However, in response to investor, proxy adviser and stakeholder pressure, many companies go beyond these requirements to provide more detailed risk oversight disclosures, particularly in proxy statements, often describing their oversight processes for other critical risks facing the company and/or the number of directors with risk oversight experience.