New SEC Rules Detail Executive Certification of Periodic Reports Required Under Sarbanes-Oxley Act
September 2002
On August 27, 2002, the U.S. Securities and Exchange Commission (SEC) adopted final rules requiring the certification by public company executives of the disclosures in their companies’ quarterly and annual reports, (SEC Release Nos. 33-8124, 34-46427, IC-25722, dated August 28, 2002 [the Release]). Subject to a limited transition provision, the rules became effective August 29, 2002, as required by Section 302 of the Sarbanes-Oxley Act of 2002.
The Release promulgates new rules 13a-14, 13a-15, 15d-14 and 15d-15 under the U.S. Securities and Exchange Act of 1934 (the Exchange Act). The new rules incorporate the requirements of Section 302 of the Sarbanes-Oxley Act as well as adopting some of the executive certification proposals contained in the SEC’s June 14, 2002 Release No. 34-46079 (the June Proposals).
The new rules also create a new concept of "disclosure controls and procedures" that is separate from the existing federal securities law concept of "internal controls." The new rules require that "disclosure controls and procedures" be maintained by reporting companies and covered by the required executive certifications. The Release includes a transition provision discussed below that defers the application of the new requirements for certifications regarding disclosure controls and procedures until the first periodic report filed for a period ending after August 29, 2002.
We recently published an On the Subject… dealing with the various certifications required by Sections 302 and 906 of the Sarbanes-Oxley Act and the SEC’s order of June 27, 2002, (the June Order), which applied to the largest 947 U.S.-based public companies. That publication is available by clicking here^ and is updated by this memorandum in many respects.
Certification Content and Mechanics
With respect to each quarterly and annual report of all issuers required to file reports under Section 13(a) or 15(d) of the Exchange Act, the new rules require the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, to certify verbatim a series of six statements about the report and include the certifications in the report. The required certification language for an annual report on Form 10-K is reproduced on Exhibit A to this memorandum and follows closely the language of Section 302 of the Sarbanes-Oxley Act but deviates in a few noteworthy respects.
In the certification that the report does not contain material untrue statements or omissions, the new rules add the phrase "with respect to the period covered by the report." The Release says this change addresses the fact that issuers can satisfy the requirements of Part III of annual reports by incorporating by reference certain information from their definitive proxy or information statement filed not more than 120 days after the end of the fiscal year. Therefore, the certification that accompanies the 10-K is considered to cover the later filed material. While a practical solution, this does result in the anomaly that the executives are certifying information that probably does not yet exist.
In the certification dealing with the financial information included in the report, the new rules specifically cover cash flows as well as financial condition and results of operations. In our earlier On The Subject… we noted with curiosity that Section 302 of the Sarbanes-Oxley Act did not mention cash flows so we are not surprised at this change.Section 302 of the Sarbanes-Oxley Act requires certain certifications with respect to "internal controls." The new rules introduce the new concept of "disclosure controls and procedures" and require that they be certified as well. (See "Disclosure Controls and Procedures" below.)
As was the SEC’s position on the June Order certifications, the Release and new rules make it clear that the new certifications must be in the exact form specified and may not be changed in any respect, even if the change appears inconsequential. In addition, the certifications must appear "in" the report and the SEC has amended the annual and quarterly report forms to include the certifications immediately after the signature page. As with the June Order certifications, a separate certification is required for each certifying person, rather than multiple signature lines on the same certification. The certification requirements do not alter the current signature requirements for reports. Certifying persons may not have the certification signed on their behalf under a power of attorney or other form of confirming authority.
Affected Issuers and Reports
The certification requirements apply to all issuers that file reports pursuant to Section 13(a) or 15(d) of the Exchange Act, including foreign private issuers, banks and savings associations, asset-backed securities issuers (with some exceptions), small business issuers and issuers that voluntarily file. Separate and effectively parallel certification requirements are imposed on registered investment companies through the Release’s adoption of new Investment Company Act Rule 30a-2.
The certification requirements apply to annual reports on Form 10-K, 10-KSB, 20-F and 40-F as well as to quarterly reports on 10-Q and 10-QSB and amendments to and transition reports on any of the foregoing. The requirements do not apply to "current" reports on Forms 6-K and 8-K, although the Release makes clear that disclosure controls and procedures are required to be maintained to ensure the integrity of these reports. (See "Disclosure Controls and Procedures" below.)
The SEC is continuing to consider whether to extend the certification requirements to other Exchange Act documents, such as registration statements on Forms 10 and 10-SB and definitive proxy and information statements.
Disclosure Controls and Procedures
As discussed in the June Proposals, Rules 13a-15 and 15d-15 require reporting companies (not just the certifying persons) to establish and maintain "disclosure controls and procedures," which are defined as those "designed to ensure that information required to be disclosed by the issuer in the reports that it files or submits under the [Exchange Act] is recorded, processed, summarized and reported, within the time periods specified in the [SEC’s] rules and forms." These new rules also require the issuer to evaluate the effectiveness of the design and operation of the issuer’s disclosure controls and procedures.
The Release distinguishes these types of controls from "internal controls," which are applicable to financial information. Disclosure controls and procedures are intended to cover a broader range of information than internal controls and the requirements for disclosure controls and procedures are intended to complement and not alter the existing requirements for reporting companies to maintain internal controls regarding financial information.
The new rules also require the certifying persons to make separate statements about the maintenance and adequacy of disclosure controls and procedures on the one hand and internal controls on the other hand. With respect to disclosure controls and procedures, they must each certify that they and the other certifying officers:
- are responsible for establishing and maintaining disclosure controls and procedures for the issuer;
- have designed them to ensure that material information is made known to them, particularly during the period of report preparation;
- have evaluated the effectiveness of them as of a date within 90 days prior to the filing of the report; and
- have presented in the report their conclusions about the effectiveness of the disclosure controls and procedures.
With respect to internal controls, they must each certify that they and the other certifying officers:
- have disclosed to the issuer’s auditors and audit committee, all significant deficiencies in the design or operation of internal controls that could adversely affect the issuer’s ability to record, process, summarize and report financial data and have identified for the auditors any material weaknesses in internal controls, and any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls; and
- have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses. Unless internal controls are completely subsumed within disclosure controls and procedures, this last point is somewhat confusing because there is no specific requirement of a periodic evaluation of internal controls, only disclosure controls and procedures.
Other noteworthy items on this topic include the requirement to maintain disclosure controls and procedures are separate from the requirement to provide adequate disclosure in reports. Footnote 74 states that "a company that failed to maintain adequate [disclosure controls and] procedures, review them and otherwise comply with the rule could be subject to [SEC] action … even where the failure did not lead to flawed disclosure." Neither the new rules nor the Release provide specifics for the maintenance or evaluation of disclosure controls and procedures but the Release indicates that "the evaluation must, at a minimum, address the matters specified by the rules." Presumably this means the items mentioned in the definition of the phrase in paragraph (c) of Rule 13a-14. The SEC also recommends that issuers that have not already done so create a committee with responsibility for considering the materiality of information and determining disclosure obligations on a timely basis.
Beyond GAAP
The SEC’s position is that the certification as to fair presentation of financial statements and information is not limited to a representation that they comply with "generally accepted accounting principles" (GAAP). Rather, the SEC believes that Congress intended to require "assurances that the financial information disclosed in a report, viewed in its entirety, meets a standard of overall material accuracy and completeness that is broader than financial reporting requirements under [GAAP]." In the SEC’s view, a fair presentation encompasses "the selection of appropriate accounting policies, proper application of appropriate accounting policies, disclosure of financial information that is informative and reasonably reflects the underlying transactions and events and the inclusion of any additional disclosure necessary to provide investors with a materially accurate and complete picture."
Transition Provisions
In something of a surprise move, the SEC bifurcated the required certifications. Certifications (1), (2) and (3) dealing with the person having reviewed the report, the absence of material untrue statements or omissions and the fair presentation of financial information, are effective immediately for any reports filed after the effective date of August 29, 2002. However, certifications (4), (5) and (6), because they deal with the design, implementation and assessment of internal controls and disclosure controls and procedures, are effective only with respect to reports covering periods ending after the effective date. For calendar year companies this means that the third quarter 10-Q, due to be filed on November 14 (or November 19 if a Form 12b-25 is timely filed), will be the first to require certifications concerning controls and procedures.
Section 906 Certification
Disappointing but not surprising, the SEC did not even mention in the Release the certifications required by Section 906 of the Sarbanes-Oxley Act. Accordingly, Section 906 certifications will still need to accompany future reports. In fact, issuers subject to the June Order that also have a June fiscal year will need to file three separate sets of certifications in three different formats and by three different methods on or before the deadline for filing of their Form 10-K.
There was one piece of good news in this area. The SEC’s conclusions and comments in the Release with respect to Forms 6-K and 8-K strongly suggest that those reports should not be subject to Section 906, which is confined to periodic reports. In discussing Section 302, the SEC noted "[r]eports that are current reports, such as reports on Forms 6-K and 8-K, rather than periodic (quarterly and annual) reports are not covered by the certification requirement." At footnote 50 the SEC also indicated: "We do not believe that a Form 6-K constitutes a ‘periodic’ report analogous to a quarterly report on Form 10-Q or 10-QSB for which certification is required." This logic seems to apply irrespective of whether the report contains financial statements. Our previous advice with respect to June Order and Section 906 certifications remains unchanged.
Specific Changes to Future Reports
Putting aside the transition period, the new rules will require at least the following new items and procedures for future quarterly and annual reports:
- The new certifications will need to be included verbatim in the body of the report, immediately following the signature page.
- Pursuant to new Item 307 of Regulation S-K the report will need to include the conclusions of the certifying persons regarding the effectiveness of the issuer’s disclosure controls and procedures, based on an evaluation that they have conducted within the prior 90 days.
- Also pursuant to new Item 307, the report will need to include a statement by the certifying persons as to whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
Recommended Actions
Each reporting company should consider taking the following steps to ensure that its disclosure controls and procedures are in proper order and that its CEO and CFO are sufficiently involved in the establishment, maintenance and evaluation of such controls and procedures and the review and determination of the sufficiency of disclosure in the company’s reports:
- Companies should establish a disclosure committee responsible for the establishment of and compliance with the company’s disclosure controls and procedures, the evaluation of relevant information and the determination of the sufficiency of the disclosure included in the company’s reports. The committee should include the general counsel or senior legal officer responsible for disclosure, the principal accounting officer, the chief investor relations officer, the principal risk management officer and other officers and employees involved in the preparation of the company’s reports. The committee should report to the CEO and the CFO. Companies may want to consider whether an existing compliance committee structure can be utilized to serve in this function.
- The disclosure committee should direct that all existing company disclosure controls and procedures, including internal controls, be documented. Most of our clients have extensive disclosure controls and procedures already in place, particularly internal controls designed for the preparation of financial statements. These controls and procedures, however, may not have been documented or may have been reflected in ad hoc policies adopted over many years. Before an informed evaluation can be conducted, it is important to take this survey of existing controls and procedures.
- The disclosure committee should immediately commence a review of the existing disclosure controls and procedures in light of recent legislation and propose revisions and additions to such controls and procedures. Legal counsel and outside accountants can be brought in at this time to review specific areas of concern and advise on better practices. The goal of this process should not be to create a whole new set of policies and procedures, but rather to build upon the existing disclosure compliance platform and make changes where necessary.
- The disclosure controls and procedures should provide for the active, substantive and timely participation of the CEO and the CFO in the preparation and review of the company’s reports. Although back-up certificates as to the sufficiency of disclosure from the members of the disclosure committee and others may be appropriate, such certificates cannot substitute for the active participation of the CEO and the CFO in the review and approval of the company’s reports.
- The disclosure committee should present to the CEO and the CFO a full description of the existing disclosure controls and procedures and the changes that the disclosure committee deems appropriate. In order for reporting companies to comply with this legislation, it is crucial that the CEO and the CFO be substantively involved in the review, adoption and evaluation of appropriate disclosure controls and procedures. Sufficient information must be presented to the CEO and CFO so that they understand the existing and proposed disclosure controls and procedures. We suggest that the disclosure committee conduct a series of due diligence type sessions in which the CEO and CFO are full participants and at which the existing and proposed disclosure controls and procedures are fully explained and evaluated. Minutes of these meetings should be prepared.
- At the completion of these sessions the CEO and the CFO should approve a written and well-documented disclosure controls and procedures policy. The policy should include a determination as to those members of management who are responsible for the implementation of and compliance with the policy, distribution of the policy to all such individuals and required certification by such individuals on a quarterly basis that they have complied with the policy.
