The 2002 Sarbanes-Oxley Act (SOX) greatly increased the obligations of public companies to establish auditable business processes and strong internal controls for purposes of financial reporting. SOX places responsibility for those processes and controls squarely on the shoulders of senior management by requiring the CEO and CFO to certify the company's annual and quarterly reports.
As with all complex legislation, SOX's full ramifications are still emerging nearly a decade later. Prominent among the areas in which compliance has lagged is intellectual property. While pioneering work in the valuation of IP assets and liabilities has been done in recent years, too many companies do not yet account systematically for their IP portfolios in their public reporting.
CEOs and CFOs must focus on the adequacy on internal controls for the company's financial reporting and on procedures for certifying periodic reports required by both SOX and the Securities and Exchange Act of 1934. SOX also incorporates strong civil and criminal penalties for violations. While SOX has had a tremendous ripple effect on traditional accounting for tangible assets, the next swell will result from dealing with intangible assets, as the value and importance of IP continues to increase.
In a knowledge-based economy, intellectual property accounts for a significant proportion of corporate assets. Although there is no explicit SOX provision requiring publicly traded companies to treat intellectual property differently from the way they did pre-SOX, the provisions dealing with "certifications" and "internal controls" have led most commentators and auditors to conclude that SOX requires major changes in the way publicly traded companies manage their intellectual property. (See, e.g., Russ Banham,Valuing IP Post-Sarbanes-Oxley. Journal of Accountancy, vol. 200, no. 5, pp. 72–78 [January 2006].) Thus, SOX implicitly mandates that these intangible assets be valued accurately.
Taking full account of the value of your intellectual property means valuing, among other things, all of your firm's innovations in procedures and products. Let's say, for example, that you are charged with assessing the value of the IP portfolio of a financial services firm. That entails evaluating your firm's innovation in areas that might include transactions processing, debt evaluation, risk management, financial models and software. Innovations in functions like these give your firm its competitive advantage in fields such as capital markets, trading, underwriting, asset management and financial products creation. In every industry, competition drives companies to develop analogous intangible assets.
SOX §404 mandates certification of control procedures by a company's officers. The purpose is to ensure that companies have indeed taken all steps to identify and value all of their assets, including IP assets. Without engaging in proper IP management procedures, an executive cannot truthfully certify that the financial statements fairly and accurately represent the health of the company. Moreover, although SOX does not impose certification obligations on the board of directors, the board does have an implicit fiduciary obligation to make sure that the company properly protects its assets.
SOX also should impel companies to also account for IP liabilities. Section 409 requires disclosure "to the public" on a "rapid and current basis" of all material changes in a company's financial condition or operations. Therefore, there should be prescribed channels for seasonably communicating any impairment in the value of an IP asset (including perceived or threatened third-party claims) to those charged with the responsibility for reporting. Additionally, a company should lay out and follow a comprehensive enforcement program for the protection of its own IP assets.
IP Imperatives of SOX
To make certain that the management and reporting of IP assets meets with SOX requirements, a company must:
- ensure that the management understands the importance of IP asset management and the obligations cast upon them by SOX;
- set up a system to identify and manage the company's IP portfolio;
- evaluate the importance of the identified IP assets to the company, including the wealth-generation of each of those assets;
- undertake periodic IP valuations, making IP valuations and IP asset controls visible;
- communicate the results of IP valuations stakeholders and governmental authorities;
- develop a comprehensive enforcement program for the company's IP rights that alerts persons vested with the authority to take decisions regarding potential infringement and act upon confirmed infringements, and;
- watch for infringement of the IP rights of third parties, including taking steps to resolve potential disputes with the least expenditure of corporate resources.
Relevant SOX Disclosure Requirements
Within the 11 titles that form SOX, the disclosure requirements are codified in five sections:
- Section §302 requires CEO/CFO certification of annual (10-K) and quarterly (10-Q) reports. These reports must be a fair representation of the value of the company and must not contain untrue statements or omissions of material facts. The CEO/CFO must certify responsibility for establishing, maintaining and evaluating internal controls for the disclosure of financial information.
- Section §401 requires that the annual and quarterly reports must include all material off-balance-sheet liabilities, obligations and transactions.
- Section §404 states that the annual reports must contain an internal control report that provides an assessment of the internal controls for auditing and reporting disclosure information, including commentary on the effectiveness of such controls.
- Section §409 mandates real-time public disclosures on a "rapid and current basis" for any material changes to the financial condition or business operations of the company.
- Section §906 prescribes criminal penalties for violations of the certification requirements.
The Three Components of Compliance
SOX compliance with regard to IP assets can be subdivided into three main categories of activity: inventory, valuation and protection/internal controls. The mechanism is that the result of an IP audit is communicated to those with responsibility for valuing and protecting those assets and, ultimately, to the officers charged with the responsibility for certifying that financial reports fairly represent the financial condition of the company.
Inventory — The IP Audit
Before a company can properly value its intellectual property, it must first identify those assets. While this is easier in some companies, and with respect to some types of IP than with others, every public company should perform an IP audit, which should be updated at least annually. Without the depth of knowledge of the IP portfolio that only a formal IP audit can provide, the company's officers likely cannot comply with the certification requirements of SOX.
IP audits, generally, consist of the following steps:
- Appoint a team to conduct the audit, including in-house counsel, outside IP counsel, representatives from corporate IT, R&D and HR, and, sometimes, third-party consultants.
- During the inventory process, ensure that data that helps in the valuation process is collected alongside that which helps to identify the scope of the IP. This would include data pertaining to cost, current revenue and projected revenue streams attributable to each IP asset.
- Data that would assist in comparing the strengths and weaknesses of a company's IP relative to IP owned by competitors also should be collected.
- Identify trademarks, trade names, patents, copyrights and the like.
- Identify IP grants, such as written agreements relating to copyrights, trademarks, patents and know-how.
- Identify all software applications in use by the company. For software developed by or for the company, include documents that serve to calculate the cost to the company.
- Identify customer lists.
- Identify restrictive covenants with employees.
- Identify trade secrets and other confidential information of value to the company.
One of the collateral benefits of conducting an IP audit and managing these assets for the purposes of SOX compliance is that the company can improve its ability to extract value from the assets, e.g., by increased "harvesting" of employee innovations, employee training and so forth. Thus, a company may identify additional opportunities for licensing its IP, enhance the market power or prestige of its IP portfolio, create barriers to entry by competitors, etc. Clear policies and best practices for each category of its IP assets will be more easily established. Finally, the audit process may identify loopholes in document retention, which can then be remedied.
The higher echelon of a company's management is responsible for assuring that proper valuation methods are used. There are many acceptable methods to measure value, and as to which method is to be used will depend upon a variety of factors. In general, IP assets are valued using one of the following methods: the cost approach, income approach or market approach.
The cost approach focuses on the development cost of the assets to the company. Cost to the company if the assets were to be replaced is another way in which the value is calculated using this approach.
The income approach analyzes the income streams generated by an IP asset. It takes into account the present value of expected future cash flows. In other words, if there were enough historical data to measure the cash flows from the IP asset or related product, the measurement would project those cash flows into the future (for example, through the life of a patent) and use an appropriate discount rate to calculate the present value of a future income stream.
The market approach measures what a third party would be willing to pay to use the asset, including licensing of the asset. This approach also utilizes knowledge of similar assets sold in the marketplace, either by the company itself or by its competitor.
Further suggestions related to measurement of IP asset value:
- All data should come from existing data sources within the company whenever possible.
- External data should come from sources deemed reliable by company management.
- Technology use in-house should be tracked to the extent possible.
- The value of an IP asset should be linked to the products or services that rely upon or are supported by it.
- Measurements should, to the extent possible, be subjected to statistical processing such as normalization.
- Measurements should be done on an individual year and historically indexed basis.
- When appropriate, measurement should be indexed against peer companies. Performance goals of an IP asset should be set using internal or external indices as a basis for comparison.
- The value of an IP asset normally does not remain constant over time. Therefore, periodic updates to the audit are necessary.
Protection and Internal Controls
SOX deals with a company's internal controls over its financial reporting process, laying emphasis on the responsibility of the reporting officer to ensure that what is being reported has not been the subject of fraud or manipulation. In the IP context, this translates to the establishment of proper internal controls for monitoring and reporting changes in IP asset values. Commentators have referred, in this context, to IP-related risks (potential infringement actions, failure to pay renewal or license fees, etc.). They argue that for an officer to truthfully make the representations mandated by SOX about IP asset value, he or she must have assurance that the IP assets are adequately protected and not unreasonably impaired. Certain controls are necessary in order to provide that assurance. Such internal controls imply the regular performance of self-assessment of risks to business processes that affect financial reporting, in addition to the assessment of risks that affect the value of the asset itself. A well-performing IP asset management system, once set up, will go a long way to satisfying SOX requirements.