The Sarbanes-Oxley Act of 2002 (the Act), which was signed into law by President Bush on July 30, 2002, made sweeping changes in the rules applicable to corporate America and its executives, auditors and advisers. It is likely to have greater impact on how public companies are governed than any other piece of legislation since the Depression. For management some of the most crucial aspects of the Act, and the ones with the most urgency, are the provisions requiring executive certification of periodic reports.
Two sections of the Act (Sections 302 and 906) require the chief executive officer and the chief financial officer of public companies to certify certain of their issuer’s periodic reports, including but not limited to financial information, filed with the Securities and Exchange Commission (SEC). These two Sections apply to all public companies and are in addition to the one-time certifications required of the 947 largest public companies by the SEC’s controversial June 27, 2002 Order (the "June Order"). Perhaps reflecting the hasty and reactive nature of Congressional action on the Act, the provisions of Sections 302 and 906 are different (both one from the other and from the June Order) with respect to the scope of the certifications, applicable standards, documents covered, penalties for non-compliance, and time of effectiveness.
Section 302 directs the SEC to adopt rules within 30 days of enactment of the Act (by August 29, 2002) to require that the CEOs and CFOs of all issuers "filing" periodic reports under Sections 13(a) or 15(d) of the Securities Exchange Act of 1934 (Exchange Act) certify in annual and quarterly reports filed with or "submitted" to the SEC that:
- they have reviewed the report;
- based on their knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
- based on their knowledge, the financial statements and other financial information included in the report fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report;
- they are responsible for establishing and maintaining the issuer’s internal controls; have designed such internal controls to ensure that material information relating to the issuer is made known to them and others within the organization; have evaluated the effectiveness of the internal controls as of a date within 90 days prior to the report; and have presented in the report their conclusions about the effectiveness of the internal controls;
- they have indicated to the issuer’s auditors and audit committee that all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report financial data and have identified for the issuer’s auditors any material weaknesses in internal controls; and any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls; and;
- they have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including corrective actions taken.
Section 906 of the Act amends Title 18 of the U.S. Code, effectively immediately, to require that:
- each "periodic report" containing financial statements "filed" by an issuer with the SEC pursuant to Section 13(a) or 15(d) of the Exchange Act must be "accompanied by" a written statement of the CEO and CFO (or equivalent thereof); and
- the statement must certify that the report "fully complies" with the requirements of Section 13(a) or 15(d) of the Exchange Act, and the information contained in the report fairly presents, in all material respects, the financial condition and results of operations of the issuer.
Section 906 provides for criminal penalties for anyone who certifies any statement required by that section "knowing" that the periodic report accompanying the statement does not comport with all the requirements of the Section. The basic penalties in (c)(1) are fines of not more than $1 million and imprisonment for not more than 10 years, or both. Penalties for "willful" certification of a statement "knowing" it does not comport with the Section are provided in (c)(2) and consist of fines of not more than $5 million or imprisonment for not more than 20 years, or both.
It is difficult to understand the difference between a "willful" and "non-willful" certification when, in both instances, the Act requires "knowing" of the report’s deficiencies. "Willful" certification in this context might only mean that when one signed the certification he or she indeed intended to put their name to the document (as opposed to, for example, being intoxicated or tricked into signing). For purposes of assessing exposure, we believe every executive should view their certifications with the possibility of a fine of $5 million and a prison term of 20 years in mind. Unless the Act is amended or clarified, we believe it will be a very unusual case to which (c)(1) applies but (c)(2) does not. Interestingly, no specific penalty is provided in Section 906 for failure to certify, although a failure would presumably result in the issuer having a deficient Exchange Act report.
Highlights and Issues
- Sections 302 and 906 apply to all companies reporting under Sections 13(a) or 15(d) of the Exchange Act and not just the 947 affected by the SEC’s June Order.
- Barring some immediate relief or clarification from the Justice Department, the SEC or Congress, the certifications mandated by Section 906 are required for all Form 10-Qs and Form 10-Ks filed on or after July 30, 2002, including the Form 10-Qs of calendar year companies that are due to be filed no later than August 14, 2002.
- At first blush, because Section 302 is found in Title III under "Corporate Responsibility" and Section 906 is found in Title IX under "White-Collar Crime Penalty Enhancements," one might conclude that Section 302 provides the substantive certification requirements and Section 906 contains the penalty provisions to enforce Section 302. Some Congressional staffers have also indicated that this was the intent. However, this is clearly not what the Act says. Section 906 is effective immediately (rather than depending upon SEC rulemaking like Section 302) and has its own certification requirements.
- The certifications required by Section 906 are unusual in that they provide an audit opinion type standard, i.e. "fairly presents the financial condition and results of operations" (though interestingly not cash flows), even though it is not being signed by auditors or even, in many cases, an accounting professional. This audit opinion type standard also applies to the entire report as opposed to the financial statements only. This contrasts to Section 302 where a Rule 10b-5 type standard is applied to the periodic report as a whole and a separate audit opinion type standard is applied to the financial statements.
- The Section 906 standard is also unusual in that it calls for certification that the report "fully" complies rather than "materially" complies and does not expressly permit the "knowledge" qualification that is contained in Section 302 and the June Order. However, the criminal penalties in Section 906 are based on "knowing" of a report’s deficiency. Until applicable government authority indicates otherwise, we recommend adding a "knowledge" qualification to the certification in light of the Act’s silence on this point.
- The reference in Section 906 to a report being "accompanied" by a certification is also unclear. Presumably there are at least the following four possible methods of accompanying the report with a certification: 1) including the certification in the body of the report, 2) filing it as an exhibit, 3) including it in the cover letter that transmits the report and is tagged as correspondence and therefore not available on EDGAR, and 4) filing the certification in hard copy, as in the case of the certifications required by the June Order, and referencing the report that the certification "accompanies." Our review of reports on Form 10-K or 10-Q filed on July 31 and August 1,2002 with the SEC indicates that of the 105 filed, 21 contained the certification as an exhibit and five contained the certification in the body of the report. The balance were either not accompanied by a certification or were accompanied by a certification using some other method, such as 3) or 4) above. Attached as Exhibit A is a sample of a Section 906 certification that could be filed as an exhibit to the report. Attached as Exhibit B are the results of our survey.
- Until Congress or the SEC provides clarification on how the Section 906 certifications are to be filed, we believe that how one chooses to file them will depend on whether one wants the public to be able to view them. There is probably some positive impression conveyed by putting them forth for all to see but also, presumably, some additional exposure due to investors’ possible reliance on them.
- Because Section 906 stands alone and provides for substantive criminal penalties, it seems that CEOs and CFOs should make clear in the Section 906 certifications that they are being submitted only under Section 906 and apply only for purposes of Section 906. See Exhibit A for sample language.
- The June Order specified clearly the language to be used in the executive’s certification by attaching an exhibit. Through subsequent FAQ releases the SEC re-emphasized that the language must be verbatim and that each officer must sign a separate certification. By contrast, Section 906 of the Act is not nearly so specific. It is unclear whether CEOs and CFOs could, for example, insert "knowledge" or "materially" (as opposed to "fully" complies) qualifiers into the certifications. Interestingly, it is also not clear what effect such qualifiers would have since the criminal penalties are predicated on certifying a statement knowing the report "does not comply with all the requirements set forth in [Section 906]" as opposed to being predicated on an inaccurate certification. In other words, watering down the certification so that it is accurate might not avoid liability.
- The June Order still applies separately and is not superceded or replaced in any respect by Sections 302 or 906. The executives of the 947 companies affected by the June Order should still file separate certifications required by that order separately by the due date (August 14, 2002 for calendar year companies) or earlier, if they have not already done so.
- For non-U.S. companies that file annual reports with the SEC, the certifications under both Sections 302 and 906 will be required in Form 20-F and 40-F annual reports. Moreover, for these issuers it appears that the Section 302 certification requirements (but not the Section 906 requirements) will be applicable to some Form 6-K reports, which are "submitted" to the SEC but not "filed."
- The certification requirements do not appear to apply to non-U.S. companies that are exempt from SEC filing requirements under Exchange Act Rule 12(g) 3-2(b) because those issuers only "furnish" reports to the SEC (as opposed to "file" or "submit").
- Section 302(b) provides that foreign re-incorporations will have no effect on an issuer’s obligation to file certifications under Section 302. However, this same concept is not included in the Act with respect to Section 906 certifications.
- Section 906 does not define a "periodic report." For example, it is not clear whether a Form 8-K that includes financial statements constitutes a periodic report. We believe it does not, based on Section 13 of the Exchange Act and the fact that 8-Ks are not filed at regular intervals, but the term is not defined in the Act.
- Section 302 does not define "knowledge" and Section 906 does not define "knowing." All of the issues normally associated with defining and determining knowledge are unanswered questions. For example, will knowledge be implied if an executive should have known of a problem but negligently failed to investigate and is knowledge or investigative work of a subordinate attributable to the certifying executive?
- Many executives will probably take comfort in making their certifications that they have some combination of directors and officers liability insurance coverage and indemnification from the issuer through bylaw provisions or agreements. Since the only penalties under Section 906 are criminal penalties, anyone relying on these protections would be wise to read the policies and other documents carefully and, in the case of indemnification, to consider the possibility that it might prove unenforceable as contrary to public policy.
CEOs and CFOs of companies subject to the June Order have decisions to make, for example, regarding the level of due diligence necessary to back up their certifications and whether or not to file early so that a particular filing would not be covered. However, most executives would not be meaningfully increasing their exposure by signing the certifications required by the June Order because they already are exposed, as a practical matter, to most of the same civil liability by virtue of having initially signed the applicable report (typically only the CFO for a 10-Q), by being a controlling person (the CEO and the CFO), or otherwise under the securities laws. In addition, it is possible under the June Order to further limit exposure by correcting any problems with old reports by amendment and certifying the corrected reports "as amended or supplemented," which is language provided for in the required statement. On the other hand, failing to sign the certification required by the June Order forces one to make the electronic "perp walk" provided by the SEC website, which distinguishes between fully complying certifications and "all others." Failure of an executive to fully certify under the June Order will likely put the issuer and the executive under immediate SEC scrutiny and could cause a catastrophic reaction by investors. For all these reasons it seems unlikely that executives would decide not to make the standard certifications under the June Order.
The decisions regarding certifications under Section 906 are dramatically different. The individual penalties are staggering; but there is no specified consequence for failure to provide the certifications, either for the executive or the issuer. In fact, the Act and the SEC have not even indicated any focused public attention that will occur from failing to certify and, as noted above with respect to our research, it is not clear whether anyone but the SEC will be able to tell with certainty whether the certifications have been filed and what they say. Executives with any doubt about the integrity of their issuer’s accounting, financial statements or periodic reports will probably think hard about their willingness to make the Section 906 certifications, particularly with only two weeks to prepare. There will almost certainly be some substantial tensions between the issuers' interests and the interests of the individual executives being asked to put their names and necks on the line.