CEO's and CFO's of public companies have recently become subject to new Federal requirements that they certify the accuracy of their SEC filings. Several of the certification requirements have already taken effect; others are on the way. The objective of these requirements is to restore investor confidence in light of recent accounting scandals. The certification provisions substantially enhance the personal exposure -- civil and criminal, private and governmental -- of senior executives. This FAQ addresses questions from CEO's and CFO's about how they should comply with the various certification requirements.
Three certification requirements are now in effect. The first was contained in an emergency order issued by the Securities & Exchange Commission in June. Order 4-460 (Order Requiring the Filing of Sworn Statements Pursuant to Section 21(a)(1) of the Securities Exchange Act of 1934) (June 27, 2002) (www.sec.gov/rules/other/4-460.htm). Order 4-460 imposes a one-time certification requirement, limited to public companies with 2001 revenue of $1.2 billion or more. This covers 947 companies. See www.sec.gov/rules/other/4-460list.htm. Most of the affected companies have already complied with this order. Others will do so when they file their next Form 10-Q or Form 10-K. Once a company has filed the 4-460 certification, it will not need to deal with the order again.
The second requirement is contained in Section 906 of the Sarbanes-Oxley Act, which President Bush signed into law on July 30. Effective immediately, Section 906 requires CEO's and CFO's of all public companies -- not just the largest ones -- to certify the accuracy of all periodic reports (on Form 10-Q or Form 10-K) that they file after that date.
The third requirement is based on Section 302 of Sarbanes-Oxley. That provision requires the SEC to promulgate, by August 29, 2002, regulations that will impose a certification requirement that addresses internal controls, as well as the accuracy of periodic reports. The SEC has recently adopted the final rules implementing Section 302. These are Exchange Act Rules 13a-14 and 15d-14 (www.sec.gov/rules/final/33-8124.htm).
In addition, the New York Stock Exchange and NASDAQ have each proposed certification requirements for companies listed on those exchanges. See www.nyse.com/abouthome.html?query=/about/report.html; www.nasdaqnews.com/about/corpgov/corp_gov_filings_061301.html. It remains to be seen whether the exchanges will modify their requirements in light of the new SEC rules.
Order 4-460 applies to the company's most recent annual filing on Form 10-K and its quarterly reports on Form 10-Q since the last 10-K (including the first filing on or after August 14, 2002). In addition, the certification covers filings on Form 8-K since the last Form 10-K, as well as the company's proxy statement since the last Form 10-K.
Section 906 applies to the company's periodic reports filed with the SEC on or after July 30, 2002. The officer must certify not just the accuracy of the information in the report, but also that the report complies with the SEC's various reporting requirements.
These certifications are not limited to the financial statements in the filings. The certifications apply to all disclosures in those documents, regardless of where they are found. As a result, even if a certifying officer concludes that the financial statements are accurate, she must still review the other disclosures in the filings (particularly the Management's Discussion & Analysis section) for accuracy and completeness.
Rules 13a-14 and 15d-14 apply to the company's quarterly and annual reports. The SEC is also considering applying them to proxy statements. Like the other two certification requirements, the SEC regulations require certification of the accuracy and completeness of the company's disclosures, both in MD&A and in the financial statements. The regulations go beyond those requirements, however, by requiring certification as to the adequacy of a company's internal controls and disclosure controls. This new requirement is discussed below.
The certification is made "to the best of my knowledge" (Order 4-460) or "based on my knowledge" (Rules 13a-14 and 15d-14). Some have suggested that, so long as they are not aware of any inaccuracies in the SEC filings, they should simply sign the certification without undertaking any additional inquiry. A cynic might call this the "Sergeant Schultz" approach ("I know nothing"). In my opinion, this is not a prudent approach to the Order, although it might be justified by the literal terms of the certification. If subsequent events at the company lead to revelation of a significant accounting or disclosure problem -- especially one that would have been revealed by reasonable inquiry -- then a "see no evil" approach will lead to a loss of public confidence in the executive. Such a scenario might also trigger an SEC enforcement action against the executive. Moreover, when the CEO or CFO discusses the certification with the Audit Committee (discussed below), many Audit Committees will be disturbed if the executive says that she did nothing to confirm the accuracy of the certification.
In my opinion, a responsible CEO or CFO will undertake some degree of diligence before certifying the SEC filings. The steps taken need not amount to an audit or to a full-blown internal investigation. There is no one-size-fits-all checklist; the inquiry must be tailored to the circumstances and controls in place at a particular company. Nevertheless, in the following questions, I review some potential inquiries with respect to the financial statements, the disclosure sections, and internal controls, respectively. Note that, regardless of the scope of the inquiry, the certifying executive should have reviewed the filings in question in their entirety.
The SEC rules require that the executive certify that the financial statements "fairly present in all material respects the financial condition and results of operations of the issuer." This goes beyond a mere statement that the financials comply with GAAP.
An important part of an inquiry into the accuracy of the company's financial statements is process-oriented, focused on three sets of controls. The first is internal audit. How has the internal audit function performed? Is it staffed in a meaningful manner or barebones? Has the internal auditor had unrestricted access to the company's operations? Has the internal auditor met regularly with the Audit Committee? The executive should meet with the head of the internal audit function to confirm that the process has worked as designed and to determine whether the internal auditor believes that the SEC filings are accurate and complete.
The second focus is the outside auditors. Have they manifested a probing, independent attitude? Have they demonstrated a willingness to push back on aggressive accounting treatments? Have they been candid and detailed with the Audit Committee?
The third focus is the Audit Committee of the Board. Has it complied with its charter? Has it conducted interactive discussions with finance executives and the outside auditors, or has it been more passive? Has it drilled down into non-standard accounting treatments to be sure that they are appropriate?
If the CEO or CFO reviews these processes and concludes that they have worked well, she should have a substantial degree of protection in signing the certification, even if an accounting problem subsequently emerges.
In addition to reviewing those processes, the certifying executive should also ask key participants in the process whether they believe that the financial statements for the periods in question are accurate and complete. This would include the groups just discussed (internal auditor, external auditors, and Audit Committee). The question should also be asked of key accounting personnel: the CFO; the corporate Controller; the head of credit & collections; and controllers and CFO's in particular divisions and geographies. If they consistently answer "yes," then the certification is far lower-risk. If they answer "no," then further steps must be taken, as discussed below.
The executive's review is not limited to the financial statements. Of the other portions of the SEC filings, the key one is MD&A. Again, an important part of the executive's inquiry should be process-oriented. Has the company followed its internal procedures in drafting the MD&A? Have outside counsel been involved in that process? Were they overruled with respect to any recommended disclosures? Did the drafters of MD&A consult with the key business unit heads in analyzing the condition of the company?
In addition to process, the executive should also probe any disagreements. Did any executives express concerns that particular disclosures were inaccurate or complete? Did executives propose additional disclosures that were rejected? Would any of the executives be unwilling to sign a certification similar to that being required of the CEO and CFO?
In the same rulemaking that implemented Section 302, the SEC imposed a new substantive requirement on public companies. Exchange Act Rules 13a-15 and 15d-15 require a company to establish and maintain a system of "disclosure controls and procedures" adequate to satisfy the company's disclosure obligations under the federal securities laws.
This new requirement is linked to the certification requirement in Rules 13a-14 and 15d-14, in three respects. First, the executive must certify: that she is responsible for establishing and maintaining disclosure controls and procedures; that the disclosure controls are designed to ensure that material information is made known to the executives during the period covered by the filing; and that the executives have evaluated the effectiveness of the disclosure controls within 90 days of the date of the report.
Second, the periodic filing must present management's conclusions about the effectiveness of the disclosure controls, and state whether significant changes occurred since the internal evaluation of controls (including corrective actions) that could significantly affect internal controls.
Third, the executive must certify that management has disclosed to the outside auditors and to the Audit Committee all significant deficiencies or material weaknesses in internal controls, as well as any fraud (whether or not material) involving management or employees involved in the internal controls.
In my opinion, the responsibilities imposed on an executive in connection with disclosure controls and internal controls exceed the other requirements with respect to the disclosures and financial statements themselves. The new rules will require companies to build (often from the ground up) a new apparatus for reviewing the adequacy of disclosures. The rules will also require much greater attention to internal financial controls, by the Audit Committee as well as by management. Management now has a responsibility for personal evaluation of the adequacy of the controls. The good news is that, if an executive has discharged that responsibility conscientiously and in good faith, it will be appropriate for her to rely on the disclosures and financials produced as a result of that process. But the excuse that "I was not involved in the internal controls process" is no longer acceptable for a CEO or CFO.
If the CEO or CFO uncovers any potential material errors or omissions in the course of her inquiry, she must stop and pursue them. Whether or not one agrees that some affirmative inquiry is required by the certification requirements, there is no question that, having undertaken an inquiry, the executive cannot ignore any signs of a material accounting error or disclosure defect. At the first indication of a problem, the executive should involve the general counsel, as well as outside disclosure counsel. Promptly thereafter, the executive should inform the Audit Committee. Depending on what you find, you may need to launch an internal investigation. For more details, see What to Do When You Find the Side Letter.
In the event that a potential problem emerges, determining whether it is real or illusory, material or trivial, can take time. For that reason, a prudent executive will not wait until the deadline for filing a certification before undertaking the inquiry described in this article. If the investigation has not reached conclusions about the appropriateness of the accounting treatment by the date the certification is due, then the company will need to disclose why the executive is not able to sign the certification at that time.
Order 4-460 requires that the CEO or CFO state whether or not she has reviewed the contents of her certification with the Audit Committee. Checking "not" is an unrealistic option, in my opinion. The market will react very negatively to such a statement. Moreover, the new SEC regulations explicitly require discussion with the Audit Committee of various control issues, as well as instances of fraud.
As a result, nearly all certifying executives will choose to discuss the certification with their Audit Committees. In my opinion, the executive should review with the Audit Committee the process she followed in inquiring into the accuracy of the SEC filings. If she has come across any red flags, she should identify them for the Audit Committee and discuss their investigation and the outcome of that investigation. This is also a good opportunity to review with the Audit Committee any concerns it has about the accuracy of the filings. As set forth above, the executive should also review with the Audit Committee the design and implementation of the company's disclosure controls and internal controls.
The certification requirements do not require the CEO or CFO to maintain a record of what she reviewed or considered before signing the certification. Nevertheless, I think that it is prudent to maintain a summary of the steps the executive took: whom she spoke with, and topics they discussed. This does not need to be the equivalent of a witness memorandum. It can be prepared in the form of a memorandum to the general counsel. In the event of subsequent scrutiny of the executive's certification, such a summary record could provide a useful basis for justifying what the executive did before concluding that the certification could be signed.
Public companies might consider three other actions to ensure the accuracy of their SEC filings. First, if a company does not have a robust internal audit group, it should establish one. This will go part of the way toward satisfying the internal-controls provisions addressed by Section 302 and the implementing SEC regulation. Moreover, the internal auditor can be an important source on which the CEO and CFO can rely in signing their certifications. Companies that have declined to create an internal audit function because of its cost need to reprioritize in light of the new governmental requirements. Companies that formally have an internal audit group, but have not staffed or funded it at meaningful levels, need to do so now.
Second, companies should consider having an audit performed of their internal control mechanisms. The normal quarterly review or annual audit by the outside accountants typically does not include a detailed review of control mechanisms. Such a controls audit can lead to changes that enhance the integrity of the company's financial statements. Moreover, a clean bill of health from such an audit can provide a basis for certification of the integrity of the internal controls.
Third, if companies intend to rely on outside corporate counsel to confirm the adequacy of their disclosures in periodic reports, they must involve those counsel in a meaningful way in the review of the quarter and in the drafting of those disclosures. The common practice of preparing the reports internally, and then shipping them out for cursory review on the eve of hitting the "send" button, will provide little comfort for the certifying executive.
In my opinion, the operative watchword for the new certifications will be "good faith." Although CEO's and CFO's are understandably nervous about having to sign the certifications -- particularly in the current anti-corporate climate -- I do not believe that a CEO or CFO who has pursued the certification process responsibly, and in good faith, will be subject to an enforcement action, even if facts subsequently emerge that lead to amendment of covered filings.
*Copyright 2002. Boris Feldman is a member of Wilson Sonsini Goodrich & Rosati, in Palo Alto. This article reflects his views, not his firm's. Revised, August 29, 2002.