Certifications, Disclosure Controls and the
Duties of Professionals in the Sarbanes-Oxley Era
www.morganlewis.com
Presented by:
Linda L. Griggs
Christian J. Mixter
Washington Office
CEO and CFO Certifications
SEC release dated August 28, 2002 announced adoption
of rules to implement Section 302 of Sarbanes-Oxley Act of
2002
Three interrelated rules
– 13a-14 requiring CEO and CFO certifications
– 13a-15 requiring the maintenance and quarterly evaluation of
disclosure controls and procedures
– Item 307 of Regulation S-K requiring disclosures about
effectiveness of disclosure controls and procedures and changes in
internal controls
2
CEO and CFO Certifications (continued)
Effective dates
– Certifications required in quarterly and annual reports filed after
August 29, 2002
• Only content-related statements required for periods ended
before August 29, 2002
– Disclosure controls and procedures required after August 29, 2002
– Disclosure of changes in internal controls required after August 29,
2002 and disclosure about evaluation of disclosure controls and
procedures required in reports for periods ended after August 29,
2002
3
Certifications (continued)
Three parts to the certifications required by 13a-14
– Content
– Disclosure controls and procedures
– Internal controls
SEC proposals to implement Section 404 of Sarbanes-
Oxley issued on October 22, 2002 (“404 Proposal”)
– 404 Proposal would amend the certifications and the other rules
adopted in August 2002
4
Content Certification
Content
– Review of the report, no material omission or material inaccuracy
and fair presentation
– Overlap with Section 906 certification
• Required with same filings
• Fair presentation
– Differences from Section 906 certification
• Fully complies vs. material omission and material inaccuracy
• Knowledge qualifier
• Location
– Fair presentation requires the:
• proper selection and application of accounting policies;
• disclosure of financial information that is informative and reasonably
reflects the underlying transactions and events; and
• inclusion of any additional disclosure necessary to provide
investors with a materially accurate and complete picture of the
company’s financial condition, results of operations and
cash flows.
5
Disclosure Controls Certification
Current required statement 404 Proposal would revise
by certifying officers: statement by certifying officers:
– are responsible for establishing – are responsible for establishing and
and maintaining disclosure maintaining DCPs and internal
controls and procedures (“DCPs”) controls and procedures for
and have: financial reporting (“ICPs”) and
– designed such DCPs to ensure have:
that material information is made – designed such DCPs, or caused
known to them, such DCPs to be designed under
– evaluated the effectiveness of the their supervision, to ensure that
DCPs as of a date within 90 days material information is made known
of the filing of the report and to them,
– presented in the report their – evaluated the effectiveness of the
conclusions of their evaluation DCPs and the ICPs as of the end
of the period covered by the
report and
– presented in the report their
conclusions of their
evaluation
6
Internal Control Certification
Current required statement 404 Proposal would revise
by certifying officers: statement by certifying
– disclosed to the audit officers:
committee and the outside – disclosed to the audit
auditors, based on their committee and the outside
evaluation, auditors
• all significant deficiencies in • all significant deficiencies
the design or operation of and material weaknesses
internal controls which could in the design or operation of
adversely affect the issuer’s ICPs which could adversely
ability to record, process, affect the issuer’s ability to
summarize and report record, process, summarize
financial data and have and report financial data
identified for the auditors any within the required time
material weaknesses in periods and
internal controls and
• any fraud; and
• any fraud; and
7
Internal Control Certification (continued)
Current required statement 404 Proposal would revise
by certifying officers statement by certifying
(cont’d): officers (cont’d):
– indicated in the report – indicated in the report any
whether or not there were significant changes in ICPs
significant changes in or in other factors that could
internal controls or in other significantly affect ICPs
factors that could made during the period
significantly affect internal covered by the report,
controls subsequent to the including any corrective
date of their most recent actions with regard to
evaluation, including any significant deficiencies and
corrective actions with material weaknesses.
regard to significant
deficiencies and material
weaknesses.
8
Certifications
Issues
– Who signs?
– How can a new officer sign? How can the certification cover a
recent acquisition?
– Can you qualify the certification?
– Any other change in the certification?
– How do you certify to Part III of Form 10-K?
9
Disclosure Controls and Procedures
Rule 13a-15(a) requires companies to maintain DCPs
Rule 13a-15(b) requires companies to:
– have an evaluation of the effectiveness of the design and operation
of their DCPs conducted as of date within 90 days prior to the filing
date of the report under the supervision and with the participation of
management, including the CEO and CFO
404 Proposal would amend Rule 13a-15(b) to require
companies to:
– have an evaluation of the effectiveness of the design and operation
of the DCPs and the ICPs conducted, as of the end of the period
covered by the report, by management, with the participation of
the CEO and CFO
10
Disclosure Controls (continued)
Rule 13a-14(c) provides that DCPs are controls and
procedures:
– that are designed to ensure that information required to be
disclosed by the issuer in the reports that it files or submits under
the Exchange Act is recorded, processed, summarized and
reported within the time periods specified in the SEC’s rules and
forms; and
– that include, without limitation, controls and procedures designed to
ensure that information required to be disclosed by an issuer in the
reports that it files or submits under the Act is accumulated and
communicated to the issuer’s management, including the CEO and
CFO, as appropriate to allow timely decisions regarding required
disclosure.
DCPs must cover disclosure required by Regulations
S-X and S-K or S-B and Forms 20-F and 40-F
11
Disclosure Controls (continued)
What is the difference between DCPs and ICPs?
– August 29, 2002 release defined internal controls by reference to
Section 13(b)(2)
– 404 Proposal would define ICPs as controls that pertain to the
preparation of financial statements for external purposes that are
fairly presented in conformity with GAAP as addressed by the
Codification of Statements on Auditing Standards Section 319
– SEC Corp. Fin. FAQs issued on November 14, 2002 state that
“some elements of internal controls are included in the definition of
disclosure controls and procedures.”
12
Disclosure About DCPs and
Internal Controls
Item 307(a) currently requires 404 Proposal would amend:
disclosure of – Item 307(a) to require
– conclusions of the CEO and CFO disclosure of
as to the effectiveness of the • conclusions of the CEO and
design and operation of the DCPs CFO as to the effectiveness
– based upon their evaluation as of of DCPs and ICPs based
a date within 90 days prior to the upon their evaluation as of
filings date. the end of the period
Item 307(b) currently requires – Item 307(b) to require
disclosure disclosure of
– As to whether or not there were • Any significant changes in
any significant changes in the the company’s internal
company’s internal controls or in controls made during the
other factors that could period covered
significantly affect those controls
subsequent to the date of the
evaluation.
13
307 Disclosures (continued)
Sample disclosures of conclusions
– Based on their evaluation of the company’s DCPs as of a date
within 90 days of the filing of the report, the CEO and CFO have
concluded that such controls and procedures are effective.
– Based on their evaluation, the CEO and CFO have concluded that
the DCPs are effective to ensure that material information required
to be filed in this quarterly report has been made known to them in
a timely fashion.
– Based on their evaluation, the CEO and CFO have concluded that
the DCPs are effective in causing material information to be
recorded, processed, summarized and reported by management on
a timely basis and in ensuring that the quality and timeliness of the
Company’s disclosures complies with its SEC disclosure
obligations.
14
307 Disclosures (continued)
– Based on their evaluation within 90 days of the filing, the CEO and
CFO have concluded the that DCPs are functioning effectively to
provide reasonable assurance that the Company can meet its
disclosure obligations.
– No controls and procedures can provide absolute assurance that
the information required to be disclosed is recorded, processed,
summarized and reported within the required time periods.
Disclosure about changes in internal controls
– There were no significant changes in the Company’s internal
controls or in other factors that could significantly affect such
controls subsequent to the date of their evaluation.
– For the quarter ended August 31, 2002, there were no significant
changes in the Company’s internal controls or in other factors
that could significantly affect the Company’s
internal controls.
15
Management Report on Internal Controls and
Procedures for Financial Reporting
Proposed Item 307(c) would implement Section 404 of
SOA and require management to include in a Form 10-K or
20-F a report that includes:
– A statement of management’s responsibilities for establishing and
maintaining adequate ICPs;
– Conclusions about the effectiveness of the ICPs as of the end of
the most recent fiscal year;
– A statement that the company’s outside auditors have attested to,
and reported on, management’s evaluation of the ICPs; and
– The attestation report of the outside auditors.
Expected effective date of amendments in 404 Proposal:
– Item 307(c): fiscal years that end on or after September 15, 2003
– Amended certifications: at the time that management must
report under Item 307(c)
16
Problems with the Proposals
Proposed definition of ICPs
Absence of clarity as to relationship between ICPs and
DCPs
Proposals imply that the nature of the quarterly evaluation
of ICPs is the same as the annual evaluation of ICPs to be
required
Need to disclose to the audit committee and outside
auditors all significant deficiencies and material
weaknesses, not just those identified in the evaluation
Need to disclose all significant changes in ICPs during
the period
Incomplete transition guidance
17
Documentation of Disclosure Controls
Documentation of DCPs is necessary:
– For the CEO and CFO to sign the required certifications and
– To prove that the disclosure controls have been established and
are maintained.
• See footnote 74 of the August 28 release
Documentation of ICPs will be critical
– In order for management to issue its report on ICPs under
proposed Item 307(c) of Regulation S-K and S-B; and
– For the outside auditors to opine on management’s assessment
of the effectiveness of ICPs under proposed
Rule 2-02(f) of Regulation S-X.
18
How to Set Up Disclosure
Controls & Procedures
No “one-size-fits-all” approach
Process by which a company records, gathers, processes,
summarizes and reports information must fit the size,
culture, structure and industry of the company
Reasonableness standard
Risks and rewards
Incorporate within DCPs:
– ICPs
– Code of conduct
– Insider trading policy
19
How to Set Up DCPs (continued)
Meet with audit committee to determine role
Form a Disclosure Committee
• Membership
• Traffic cop or corporate responsibility officer
• Disclosure control monitor
• Ombudsman to consider complaints
Tone at the top:
• Commitment of CEO, CFO and audit committee
• Environment that encourages upstream disclosure
• Code of conduct that requires, among other things, full, fair, accurate,
timely and understandable disclosure
• Personnel evaluation that takes into account ethical conduct
• Appropriate education
20
How to Set Up DCPs (continued)
Analyze existing process and create time and
responsibilities calendar
– Identify specific dates, deadlines and responsibilities for gathering,
processing, summarizing and reporting required information
– Provide for the on-going and final evaluation of the effectiveness of
the design and operation of DCPs
Develop “early warning system” for press releases and
expected new 8-K rules
Consider use of questionnaires or interviews to gather
information
Develop checklist of necessary information and
documents and other sources of information to review
Consider use of sub-certifications
21
How to Set Up DCPs (continued)
Evaluation process
– Real-time, ongoing evaluation
• Business and personnel changes
• Complaints or problems with controls and procedures
– Evaluation in connection with the filing
• Feedback mechanism (subcerts, interviews, questionnaires)
• Adequacy of time and responsibilities calendar
• Address any disclosure gaps
• Look back at prior report
• Document evaluation process
22
Regulation of Professionals
“Practicing Before the SEC”
Section 602 eliminates the SEC’s Checkosky problem
– Provides the first-ever statutory support for Rule 102(e)
– Codifies the culpability standards for accountants in the 1998 Rule
102(e) Amendments
• Intentional or knowing conduct, including recklessness
• Negligent conduct in the form of
– (A) A single instance of highly unreasonable conduct
– (B) Repeated instances of unreasonable conduct, each resulting in a
violation of applicable professional standards, that indicate a lack of
competence to practice before the Commission.
23
Regulation of Professionals
“Practicing Before the SEC” (continued)
While awaiting the Public Company Accounting Oversight
Board, the SEC’s Rule 102(e) program against
accountants continues unabated
– Proceedings against auditors
• In the Matter of Michael Sullivan (Nov. 26, 2002)
• In the Matter of Michael G. Horsey, Michael D. Watson, and Sallie D.
Feldman (Nov. 18, 2002)
– Proceedings against in-house CPAs
• In the Matter of Betty L. Vinson (Dec. 6, 2002)
• In the Matter of Stephen R. Becker (Nov. 12, 2002)
• In the Matter of Frederick W. Kolling III (Nov. 6, 2002)
24
Regulation of Professionals
“Practicing Before the SEC” (continued)
Section 307 - It’s not just about accountants anymore
– SEC is directed to issue rules setting minimum standards of
conduct for attorneys appearing and practicing before the
Commission “in any way in the representation of issuers”
– SEC is specifically directed to issue a rule requiring “Reporting Up”
within the issuer’s organization (up to the Board) of “evidence of a
material violation of securities law or breach of fiduciary duty or
similar violation by the company or any agent thereof”
25
Regulation of Professionals
“Practicing Before the SEC” (continued)
Nov. 21, 2002 Section 307 Rule Proposal: The SEC runs
with the ball
– Proposed Rule mandates not just “Reporting Up,” but “Reporting
Out” via a “noisy withdrawal” that includes notifying the SEC if a
lawyer doesn’t (or shouldn’t) believe the client has done the right
thing
– Would apply to non-practicing attorneys
– Sec. 205.2(a) of the Proposed Rule uses the broadest possible
definition of attorneys “appearing and practicing before the
Commission”
26
Regulation of Professionals
“Practicing Before the SEC” (continued)
Nov. 21, 2002 Section 307 Rule Proposal: The SEC runs
with the ball (continued)
– (a) Appearing and practicing before the Commission includes, but
is not limited to, an attorney’s:
• (1) Transacting any business with the Commission, including
communication with Commissioners, the Commission, or its staff;
• (2) Representing any party to, or the subject of, or a witness in a
Commission administrative proceeding;
• (3) Representing any person in connection with any Commission
investigation, inquiry, information request or subpoena;
• (4) Preparing, or participating in the process of preparing, any
statement, opinion or other writing which the attorney has reason to
believe will be filed with or incorporated into any registration
statement, notification, application, report, communication or
other document filed with or submitted to the Commissioners,
the Commission or its staff; or
27
Regulation of Professionals
“Practicing Before the SEC” (continued)
• (5) Advising any party that:
• (i) A statement, opinion or other writing need not or should not be filed
with or incorporated into any registration statement, notification,
application, report, communication or other document filed with or
submitted to the Commissioners, the Commission or its staff; or
• (ii) The party is not obligated to submit or file a registration statement,
notification, application, report, communication or other document with
the Commission or its staff.
Violations would be punishable through:
– Routine Exchange Act sanctions
– Rule 102(e), under culpability standards for attorneys just like the
standards for accountants now codified in Section 602
28
Section 303 - Prohibits exercising “improper
influence” over an audit, in violation
of rules to be promulgated by the SEC
SEC’s October 22, 2002 Rule Proposal would expand
existing Rule 13b2-2 to prohibit officers and directors of an
issuer (as well as any other person acting under the
direction thereof) from taking “any action to fraudulently
influence, coerce, manipulate, or mislead any independent
public or certified public accountant engaged in the
performance of an audit or review of the financial
statements of that issuer if that person knew or was
unreasonable in not knowing that such action could, if
successful, result in rendering such financial statements
materially misleading.”
29
Section 303 - Prohibits exercising “improper
influence” over an audit, in violation
of rules to be promulgated by the SEC (continued)
Prohibited goals include trying to cause an auditor:
• (i) To issue a report on the issuer’s financial statements that is “not
warranted in the circumstances”;
• (ii) Not to perform audit, review or other procedures required by GAAS
or other professional standards;
• (iii) Not to withdraw an issued report; or
• (iv) Not to communicate matters to the audit committee.
– A person “acting under the direction” of an issuer’s officer or
director could be anyone at all – a lawyer, a corporate employee, a
vendor, a customer, or even someone within the auditing firm
itself.
30
Section 802 – Criminal penalties for “knowing
and willful” destruction of audit records in violation of
record retention rules to be promulgated by SEC
SEC’s November 22, 2002 Rule Proposal requires auditors
to maintain for five years:
– Workpapers and other documents that form the basis of the audit or
review, and memoranda, correspondence, communications, other
documents and records (including electronic records) which
– are created, sent or received in connection with the audit or review
and
– contain conclusions, opinions, analyses or financial data related to
the audit or review.
31
Section 802 – Criminal penalties for “knowing
and willful” destruction of audit records in violation of
record retention rules to be promulgated by SEC (cont ’d)
Materials are to be retained “whether the conclusions,
opinions, analyses, or financial data in the materials
support or cast doubt on the final conclusions reached by
the auditor. For example, such materials shall include
documentation of differences of opinion concerning
accounting and auditing issues.”
32
Section 304 – A Right Without
a Remedy?
If an issuer must restate its financials due to “misconduct,”
the CEO and the CFO must reimburse the issuer for
bonuses, incentive- or equity-based compensation
received during the 12-month period following the issuance
of the incorrect financials.
33