CEOs and CFOs Required to Certify SEC Reports

There are now three separate requirements for certifications by CEOs and CFOs of public companies of periodic reports. The first certification requirement was a one-time SEC requirement for CEOs and CFOs of approximately 1000 large companies. The second certification requirement was established by the Sarbanes-Oxley Act of 2002. The third certification requirement, which also has its origins in Sarbanes-Oxley, has not yet taken effect. Following a description of the three certifications are some practical considerations for CEOs and CFOs to consider when completing the internal due diligence necessary to make the certifications.

What Are the Three Different Certification Requirements?

SEC Order. The SEC, on June 27, 2002, issued an order requiring the CEOs and CFOs of 947 U.S. public companies with annual revenue over $1.2 billion to file notarized statements certifying the accuracy of their most recent annual reports. These statements are a one-time requirement and are to be filed by the due date of the company's first periodic report due on or after August 14, 2002, which for calendar year-end companies is the Form 10-Q due on August 14, 2002. The SEC recommends that companies file a Form 8-K announcing the submission of the sworn statements and provide public access to the contents of the certification.

Section 302 of Sarbanes. Section 302 of Sarbanes-Oxley does not establish immediate certification requirements, but instead requires the SEC to establish rules for a comprehensive certification process by August 29, 2002. It will apply to all companies, U.S. or foreign, that file SEC reports. The SEC had published its own proposed certification rules on June 17, 2002. Following the passage of Sarbanes-Oxley on July 30, 2002, the Commission published a supplement to its proposed rules on August 2, 2002, stating that it intended to change its final rules to comply with Section 302. The SEC's final rules are due on August 29. You can view the SEC's proposed rules and related supplement on the agency's web site.

Section 906 of Sarbanes. Section 906 of Sarbanes-Oxley is a continuing requirement applicable to all companies, U.S. or foreign, that file SEC reports. Unlike Section 302, which requires the SEC to establish rules before any certification is required, Section 906 was effective immediately upon enactment of Sarbanes-Oxley. Because Section 906 is effective immediately, the CEO and CFO of any company that files a periodic report after July 30, 2002 must certify to that report. There is some speculation that when the SEC publishes its rules requiring Section 302 certifications, it may harmonize Section 906 and Section 302 into one certification requirement.

SECTION 906 CERTIFICATIONS

What Must 906 Certifications Include?

Section 906 requires that each periodic report containing financial statements be accompanied by a written statement of the company's CEO and CFO, or equivalent officers, certifying that: (1) the report fully complies with the requirements of Sections 13(a) or 15(d) of the Securities Exchange Act of 1934; and (2) the information contained in the report fairly presents, in all material respects, the financial condition and results of operations of the company.

Although the language in Section 906 certification does not contain a "knowledge" qualifier, Section 906 states that penalties will be imposed only when an officer "knowing[ly]" submits a false certification.

What Form Should a Certification Take?

The Act states that certifications must accompany periodic reports but does not define the term "accompany". The three different methods of certifying a report implemented to this point are:

• placing the certification in the report, usually at the end of the signature page;
• attaching the certification with the report as an exhibit; and
• sending the certification as correspondence on the EDGAR system.

If the certification is sent as correspondence, it will not be made public. Because the existence and content of the certification is likely to be deemed material, non-public information, companies choosing to send a certification as correspondence should file a Form 8-K to file the certification under Item 5 or "furnish" it under Item 9, thereby making the certification and its contents public. Filing the certification as correspondence and then furnishing it under Item 9 of Form 8-K will prevent the certification from being incorporated into a registration statement, which may prevent attachment of certain civil liabilities related to registration statements.

What Reports Must be Certified?

Section 906 requires each periodic report containing financial statements filed by a company with the SEC after July 30, 2002 to be certified. Clearly a Form 10-K and Form 10-Q must be certified. Less clear is whether a Form 8-K must be certified if it contains financial statements, although it is certainly arguable that Form 8-Ks do not constitute "periodic" reports for purposes of requiring a certification.

What Penalties Can Be Imposed for a Section 906 Violation?

Any person who certifies a report knowing that it does not comport with the requirements of Section 906 is subject to fines of up to $1,000,000 and/or imprisonment of up to 10 years. Any person who willfully certifies a report knowing that it does not comport with the requirements of Section 906 is subject to fines of up to $5,000,000 and/or imprisonment of up to 20 years. There may be situations when a CFO or CEO cannot certify a report, such as when a company is under SEC investigation. The Act does not explicitly allow an officer not to certify, but the Act also does not set out criminal penalties for failing to do so. There will likely be significant market ramifications for failing to certify a report.

SECTION 302 CERTIFICATIONS

What Must 302 Certifications Include?

Although the SEC is charged with establishing rules governing Section 302 certifications, the Act itself specifies the content of the certification. CEOs and CFOs will be required to certify in each annual or quarterly report filed with or submitted to the SEC with respect to the following matters:

• he or she has reviewed the report;
• based on the officer's knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made not misleading;
• based on the officer's knowledge, the financial statements and other financial information included in the report fairly present in all material respects the company's financial condition and results of operations for the periods presented;
• the signing officers are responsible for establishing and maintaining internal controls that are designed to ensure that material information about the company and its subsidiaries is made known to them;
• the signing officers have evaluated the internal controls within 90 days prior to the report and have presented in the report their conclusions about the effectiveness of the internal controls based on that evaluation;
• the signing officers have disclosed to the company's auditors and the audit committee of the board of directors (i) all significant internal control deficiencies, (ii) that they have identified to the company's auditors any material weaknesses in internal controls, and (iii) any fraud involving management or other employees who have a significant role in the company's internal controls; and
• the signing officers have indicated in the report whether there were any significant changes in internal controls or factors that could significantly affect internal controls since the last evaluation.

What Form Should a Certification Take?

Section 302 requires that officers "certify in each annual or quarterly report…." The SEC's final rule will likely provide additional guidance on the specific procedure for making the certification.

What Reports Must be Certified?

Section 302 will require the certification of annual and quarterly reports filed with or submitted to the SEC.

How Will Section 302 Affect a CEO's or CFO's Potential Liability?

Based on statements made by the SEC in connection with its original proposed rules requiring certification, the SEC did not believe that the proposed certification requirement would create an unacceptable risk of increased liability for a company's principal executive officer and principal financial officer. The SEC stated that senior officers already are responsible as signatories for their company's disclosure under the Exchange Act liability provisions, and can be liable for material misstatements or omissions both under general antifraud standards and under the SEC's authority to seek redress against those who cause or aid or abet securities law violations. The SEC believes that the proposed certification requirement will only reinforce the responsibility of these corporate officers.

CERTIFICATION DUE DILIGENCE

What Process Should I Use to Review Reports?

When developing or enhancing the procedures necessary to support the required certifications, CEOs and CFOs should ensure that the process will be comprehensive enough to allow for both Section 302 and Section 906 certifications. Procedures to consider implementing in a review process are:

• Read the report carefully to assess its accuracy and completeness, and require all members of the senior management team to do the same.
• Consider setting up a disclosure team that reports to the CFO and CEO. This idea was first recommended by the SEC in their one-time emergency certification proposal in June 2002. This team should include employees such as the principal accounting officer, the general counsel, the principal risk management officer, the chief investor relations officer, and senior financial managers of specific business units. Responsibilities of the team would include analysis of the company's internal controls and financial reporting structures.
• The signing officer should interview those responsible for creating the report and monitoring and maintaining the company's internal controls and reporting systems, as well as the engagement partner of the company's outside auditors. Include questions such as: What were the key issues faced in preparing the documents? Do you have any concerns with the financial statements, reported results, internal controls or reporting systems? Have any such concerns been expressed to you by others? Have there been any changes in accounting policies or methods or in estimates that are important to accounting judgments?
• Consult the audit committee to brief them on the composition of the disclosure assessment team and the assessment process itself. This will also give the audit committee a chance to identify areas of special concern.
• Establish a schedule for quarterly evaluation of the company's procedures intended to assure the reliability of the company's periodic reports.
• Consider requiring internal certifications to confirm that no one who played a significant part in creating the reports knows of any reasons why the reports should not be certified. This idea might meet resistance from some employees. To minimize this resistance ensure that an employee is asked only to certify information that is within his or her personal knowledge.
• Create a record of the certification process. This will serve as tangible evidence as to what steps were taken before certifying the report.

***

This update is intended solely to alert readers to the certain provisions of Sarbanes-Oxley and is not intended as legal advice. Further details may be necessary for a complete understanding of the information in this update and more information will be made available as additional guidance is provided on complying with the provisions of the Sarbanes-Oxley Act.