Section 302 of the Sarbanes-Oxley Act of 2002: Disclosure Controls and Procedures and the Related CEO and CFO Certification – Analysis and Recommendations

Introduction

On August 29, 2002, the Securities and Exchange Commission ("SEC") adopted rules implementing Section 302 of the Sarbanes-Oxley Act of 2002 (the "S-O Act").1 Pursuant to these new rules, public companies that file periodic reports and other information with the SEC pursuant to the Securities Exchange Act of 1934 (the "Exchange Act") are required to establish and maintain so-called "disclosure controls and procedures" that are designed to ensure the filing of compliant disclosure documents. The new rules also require the principal executive officer (CEO) and principal financial officer (CFO) to undertake an evaluation of the effectiveness of the design and operation of such controls and procedures within 90 days of the date of filing of each quarterly and annual report and disclose their conclusions as to the effectiveness of the controls and procedures in each such report. In addition, the new SEC rules require the CEO and CFO to file with each quarterly and annual report a personal certification, addressing, among other things, the accuracy of the report and their responsibility for and evaluation of the disclosure controls and procedures established and maintained by the company. In its rulemaking release, the SEC observed that the term "disclosure controls and procedures" was a newly-defined term reflecting a concept of controls and procedures related to disclosure embodied in Section 302(a)(4) of the S-O Act. In this respect, disclosure controls and procedures are distinguishable from traditional internal accounting controls relating to financial reporting that are embodied in the Exchange Act and existing accounting literature and have been part of the compliance landscape for decades. In view of the new requirements, public companies are well-advised to undertake a fresh look at, and as necessary, revise their existing practices with respect to the preparation of SEC periodic reports and other filings.
By undertaking such review and making any necessary revisions, a public company will be able to demonstrate that it has in place compliant disclosure controls and procedures and will position the CEO and CFO to comply with their obligations to evaluate and report on the effectiveness of such controls and procedures. An important message to be taken from the new legal requirements is that appropriate and compliant disclosure should be a central element of a public company’s compliance program.

In Part I of this client alert, we examine the SEC’s new rules relating to disclosure controls and procedures and the related CEO and CFO certification adopted under Section 302 of the S-O Act. In Part II, we set forth recommendations for establishing and maintaining disclosure controls and procedures and undertaking an inquiry in support of the related CEO and CFO certification.

Part I: SEC Rules Relating to Disclosure Controls and Procedures and CEO and CFO Certification Under Section 302 of the S-O Act
Disclosure Controls and Procedures
Pursuant to Rule 13a-15, every public company must maintain disclosure controls and procedures. The term "disclosure controls and procedures" is defined in new Exchange Act Rule 13a-14(c) as:

controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports that it files or submits under the [Exchange Act] is recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in the reports that it files or submits under the [Exchange Act] is accumulated and communicated to the issuer’s management, including its principal executive officer or officers and principal financial officer or officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure.

While, as noted above, disclosure controls and procedures are a new regulatory concept, we believe that traditional internal accounting controls relating to financial reporting are properly viewed as a subcategory of such controls and procedures. Under Section 13(b)(2) of the Exchange Act, a public company is required to maintain a system of internal accounting controls sufficient to produce reasonable assurances that (i) transactions are executed in accordance with management’s general and specific authorization, (ii) transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles and to maintain accountability for assets, (iii) access to assets is permitted only in accordance with management’s general and specific authorization and (iv) the recorded accountability for assets is compared with existing assets at reasonable intervals and appropriate action is taken with respect to any differences. The accounting literature contains similar definitions of internal controls.2

Insofar as a public company’s financial statements and financial data are already subject to traditional internal accounting controls, such information is already subject to and produced under so-called disclosure controls and procedures within the meaning of Rule 13a-14. No additional controls and procedures are necessary with respect to financial information if such internal accounting controls have been recently judged adequate by internal and independent auditors. However, a review of such internal accounting controls should be undertaken in connection with the establishment of formal written compliance procedures discussed below.

While the new CEO/CFO certification is only required to be filed with Form 10-Q quarterly reports and Form 10-K annual reports (Form 20-F annual reports in the case of foreign private issuers), the company’s disclosure controls and procedures must be established and maintained to produce compliant disclosure in all SEC filings made pursuant to the Exchange Act, including proxy statements and Form 8-K current reports. The SEC has stated that the failure to maintain adequate disclosure controls and procedures could result in an SEC enforcement action for violating the Exchange Act even where the failure did not lead to non-compliant disclosure. In addition, any serious deficiencies in the disclosure controls and procedures would provide factual support to an allegation of recklessness, the state-of-mind required to support a securities fraud claim under the SEC’s general anti-fraud Rule 10b-5.

Section 302 CEO/CFO Certification
Pursuant to new Rules 13a-14 and 15d-14, the CEO and CFO must certify in each Form 10-Q quarterly report and Form 10-K annual report that:

  • he or she has reviewed the report;
  • based on his or her knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by the report;
  • based on his or her knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition, results of operations and cash flows of the issuer as of, and for, the periods presented in the report;
  • he or she and the other certifying officers:
    – are responsible for establishing and maintaining "disclosure controls and procedures" for the issuer;
    – have designed such disclosure controls and procedures to ensure that material information is made known to them, particularly during the period in which the periodic report is being prepared;
    – have evaluated the effectiveness of the issuer’s disclosure controls and procedures as of a date within 90 days prior to the filing date of the report; and
    – have presented in the report their conclusions about the effectiveness of the disclosure controls and procedures based on the required evaluation as of that date;
  • he or she and the other certifying officers have disclosed to the issuer’s auditors and to the audit committee of the board of directors (or persons fulfilling the equivalent function):
    – all significant deficiencies in the design or operation of internal controls relating to financial reporting which could adversely affect the issuer’s ability to record, process, summarize and report financial data and have identified for the issuer’s auditors any material weaknesses in internal controls; and
    – any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls; and
  • he or she and the other certifying officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.

The Section 302 certification requirement applies to any Form 10-Q and Form 10-K and amendments thereto filed after August 29, 2002, including amendments to an original report filed prior to August 29, 2002. However, the SEC’s transitional rules provide that the certification need only address the first three items when it is included in a report, or amendment thereto, covering a period ending before August 29, 2002. The certification would cover information incorporated by reference into a report, such as a Form 10-K which incorporates later filed information from the annual shareholder meeting proxy statement.

The SEC did not further define or elaborate on the term "evaluate" as it relates to the requirement that the CEO and CFO evaluate within 90 days of the filing date of each Form 10-Q and Form 10-K report and present in each such report their conclusions regarding (as discussed below) the effectiveness of disclosure controls and procedures. Section 404 of the S-O Act requires the SEC to adopt rules that will require public companies to include in their annual reports an internal accounting control report by management that addresses its responsibility for establishing and maintaining adequate internal accounting controls and its "assessment" as of the end of the fiscal year of the effectiveness of such controls. The distinction between the terms "evaluate" and "assessment" remains to be clarified in connection with the rules adopted pursuant to Section 404 of the S-O Act. We understand that the International Auditing and Assurance Standards Board ("IAASB") is considering the distinction between the meaning of the terms "evaluation" and "assessment." It has been suggested an assessment follows an evaluation. The public company’s management evaluates (obtains and considers information to make an assessment) and then provides their assessment (conclusion) of the effectiveness of the controls.

The SEC did elaborate on the certification requirement relating to the fair presentation of the financial statements and other financial information contained in the report. The SEC noted that such certification requirement is not limited to a representation that the financial statements and other financial information have been presented in accordance with generally accepted accounting principles ("GAAP") and is not otherwise limited by reference to GAAP. The SEC believes that the certification is intended "to provide assurances that the financial information disclosed in a report, viewed in its entirety, meets a standard of overall material accuracy and completeness that is broader than financial reporting requirements under [GAAP]." According to the SEC, a fair presentation encompasses "the selection of appropriate accounting policies, proper application of appropriate accounting policies, disclosure of financial information that is informative and reasonably reflects the underlying transactions and events and the inclusion of any additional disclosure necessary to provide investors with a materially accurate and complete picture of an issuer’s financial condition, results of operations and cash flows."

The certification required under Section 302 of the S-O Act is required to be made separate and apart from the certification required under Section 906 of the S-O Act.3 While one SEC commissioner has questioned the SEC staff as to whether one integrated certification requirement can be adopted to satisfy both Sections 302 and 906 of the S-O Act, to date the SEC’s general counsel has not concluded whether it has the rulemaking authority to integrate the two certification requirements. We believe that there is clear rulemaking authority contained in Section 3(a) of the S-O Act to adopt a single integrated certification requirement.

New Disclosure Requirements
The SEC amended Form 10-Q to include a new Item 4 and Form 10-K to include a new Item 14. These new disclosure items require the company to include the disclosure required by new Item 307 of Regulation S-K. Item 307(a) requires each company to disclose in its Form 10-Q and Form 10-K reports the CEO’s and CFO’s conclusions regarding effectiveness of the company’s disclosure controls and procedures based on the certifying officers’ evaluation made within 90 days of the filing dates as required by the new certification requirement. The Item 307(a) disclosure requirement applies with respect to Form 10-Q or Form 10-K reports covering periods ending after August 29, 2002. Item 307(b) requires the company to disclose whether there were significant changes in internal accounting controls or in other factors that could significantly affect such internal controls subsequent to the date of the certifying officers’ evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses. This requirement is effective for Form 10-Q and Form 10-K reports and amendments thereto filed after August 29, 2002, although where the underlying evaluation of disclosure controls and procedures was not required, the disclosure requirement would not be applicable.

Part II: Recommended Compliance Procedures to Establish and Maintain Disclosure Controls and Procedures and Undertake an Inquiry in Support of the Related CEO and CFO Certification
Establishing and Maintaining Disclosure Controls and Procedures
Excluding financial statements and related data that are subject to and produced under established internal accounting controls, many public companies have relied on an informal system for preparing SEC filings that is not documented in comprehensive written compliance procedures. A public company that continues with this approach to comply with its disclosure obligations, if subject to SEC scrutiny, will risk a finding of noncompliance with the new disclosure controls and procedures requirements. We believe public companies will be better positioned to demonstrate that they have adequate disclosure controls and procedures within the meaning of Rule 13a-14(c) if they are formally embodied in comprehensive written compliance procedures. While the form and content will vary from company to company, such controls and procedures should incorporate the following principles:

  • Organization and Responsibility. Disclosure controls and procedures should be formally organized and the persons responsible for developing and verifying required disclosure should be identified and their responsibilities should be clearly delineated.
  • Education. Persons who participate in the preparation of the company’s disclosure documents should have sufficient knowledge of the SEC’s reporting requirements (through continuing education, training or otherwise) so that they can competently fulfill their responsibilities.
  • Verification and Analysis. Disclosure controls and procedures should ensure that information included in disclosure documents is appropriately verified and substantiated (recognizing that the financial statements are already subject to such verification and substantiation through existing internal accounting controls) and that opinions and conclusions included in disclosure documents represent a reasonable interpretation or analysis of the facts.
  • Communication. Disclosure controls and procedures should contain clear lines of communication pursuant to which information necessary to produce compliant disclosure documents is identified to the appropriate persons with knowledge of or direct or indirect access to such information and once obtained is reported to the persons responsible for the preparation of the company’s disclosure documents.

To that end, while recognizing that no single solution is appropriate for all public companies, we recommend each public company review and build upon its current procedures relating to the preparation of SEC filings with a view towards implementing the following or similar procedures:

  • Create a Disclosure Committee. The company should create a disclosure committee (a recommendation of the SEC) with the mandate of designing and implementing the company’s disclosure controls and procedures and overseeing the company’s compliance with its disclosure obligations on a timely basis.
    – The disclosure committee should report to (if it does not otherwise include) the CEO and CFO and include other senior officers selected by them who collectively have an overall knowledge and understanding of the company’s business and strategic plan, financial results and condition, and operational, competitive and financial risk profile. Such officers would include the senior legal officer, controller or principal accounting officer, principal risk management officer, heads of key operating units, divisions or segments or heads of geographic regions, the investor relations officer or other officers with the stature and professional background that will enable the committee to meet its mandate.
    – A subcommittee comprised of the senior legal officer, investor relations officer and other financial or accounting officers should be created to address disclosure issues that require immediate attention or that relate to sensitive developments not otherwise known throughout the company.
    – The disclosure committee should operate under a charter which delineates its purpose and responsibility. The committee should designate an administrative secretary to coordinate and document the work of the committee.
  • Written Compliance Procedures. The disclosure committee should develop comprehensive written compliance policies and procedures that underscore that the company’s disclosure controls and procedures are a central component of the company’s compliance program and that participants in the disclosure process who fail to comply with their obligations will be subject to discipline in accordance with the company’s code of conduct. The compliance procedures should be reasonably designed to ensure that information required to be disclosed is recorded, processed, summarized and reported on a timely basis.
    – Specific drafting responsibilities should be assigned with respect to each Form 10-Q and Form 10-K report and the annual proxy statement. A checklist which identifies each section of the filing and the person(s) responsible for drafting the required information should be created.
    – The committee should meet prior to the commencement of the preparation of each filing and establish a timetable for the preparation of each filing. The committee should also review new developments, key risks and business challenges or areas of concern for special attention during the drafting process.
    – Draftsmen should be provided copies of Form 8-K, Form 10-Q, Form 10-K and Schedule 14A and Regulation S-K and Regulation S-X.
    – The draftsmen (to the extent they are not committee members) should be provided standard instructions which underscore the importance of compliant and accurate disclosure and address standards of materiality (on an operating division, segment, business unit basis). The instructions should require each draftsman to assemble or produce the information or data (other than the financial statements which would be subject to internal accounting controls) that serves to verify or substantiate the information contained in the section of the filing to be drafted by such draftsman.
    – Requests for information by draftsmen should be made under the cover of memoranda that emphasize the importance of compliant and accurate disclosure.
    – Each section of the filing should be subject to separate review by one or more committee members.
    – Each member of the disclosure committee should read the completed draft of each report in its entirety.
    – The committee should meet to discuss the completed draft and review and address comments and concerns by members with in-house and outside counsel and the independent auditors.
    – Committee members should obtain copies of current research analyst reports on the company and the industries in which it operates.
    – Committee members should have access to and obtain ongoing continuing education with respect to the SEC’s reporting and disclosure rules and policies. Committee members should be designated to review and report to the committee with regard to new regulatory developments relating to the SEC’s disclosure rules.
    – The reports should be referred to in-house or outside counsel for a compliance check against the requirements of the SEC form and applicable Exchange Act rules and regulations, including Regulation S-K and Regulation S-X.
  • Review of Information. The disclosure committee should periodically review all other information publicly disseminated by the company that is intended to inform or influence the trading market in the company’s securities, including without limitation:
    – All press releases reporting earnings or earnings guidance or announcing significant developments such as acquisitions or dispositions or other material developments or events;
    – All presentations delivered at analyst or industry conferences or to individual analysts and rating agencies; and
    – All information publicly disseminated to investors and shareholders, including information contained on the company’s website.
  • Internal certifications. To the extent that it serves as an additional record of the procedures employed and sensitizes others as to the importance of accurate and reliable information in the company’s SEC filings, the company’s compliance procedures may require that backup certificates be obtained from other members of management and employees. However, such backup certificates should be related to the individual’s division, department or unit in the company, and obtaining such backup certificates should not be viewed as a substitute for appropriate inquiry by the two certifying officers.
  • Recordkeeping. A written record of the procedures followed in the preparation of the reports should be maintained under the direction of the disclosure committee. The record should reflect the drafting checklist and timetable, the assignment of drafting responsibilities, reviews of drafts, disclosure committee meetings and other meetings with the CEO and CFO and the audit committee.

CEO/CFO Certification and Related Inquiry
Insofar as new Rules 13a-14 and 15d-14 require the CEO and CFO to make a certification that addresses, among other things, the accuracy of the Form 10-Q and Form 10-K reports and the fairness of the financial information contained therein and their evaluation of the company’s disclosure controls and procedures, the two certifying officers must undertake an inquiry sufficient to position them to make the required certification. With regard to the foregoing, the CEO and CFO should meet with senior management in charge of key divisions and business units, internal financial staff and in-house counsel, the independent auditors and as appropriate outside counsel to discuss the content and the procedures employed in the preparation of the Form 10-K or Form 10-Q report. Once a disclosure committee has been formed, the certifying officers should meet with the committee to discuss such matters. The officers should inquire, among other things, as to:

  • Who was involved in the drafting of the report;
  • How information was recorded, processed, and summarized for inclusion in the report;
  • Whether the participants are comfortable that the procedures employed are sufficient to ensure accurate disclosures;
  • Whether there are other employees who should be consulted to discuss the preparation of the report or the content thereof;
  • What material or significant disclosure or financial reporting issues arose during the preparation of the report;
  • How key risks, trends and uncertainties were identified and addressed in the report;
  • Whether there are complex disclosure issues that merit a second look;
  • Whether the financial statements are consistent with GAAP;
  • Whether there are any weaknesses in internal controls identified in the past three years, and if so, how they were addressed;
  • Whether there have been any material year adjustments in the past three years, and if so, whether there is a potential for a similar adjustment in the current fiscal year;
  • Whether the company has taken any aggressive accounting positions;
  • Whether there are any "hot-button" accounting issues (such as critical accounting estimates, revenue recognition, off balance sheet liabilities, related party transactions, etc.) relevant to the disclosure contained in the report;
  • Whether there have been any questions or criticisms about the company’s accounting practices raised by research analysts or other third parties;
  • Whether there are any disagreements with outside auditors;
  • Whether the participants are uncomfortable with any disclosures in the report;
  • Whether the participants are aware of any material misstatement or omission in the disclosure contained in the reports; and
  • Whether the participants believe the financial statements fairly present, in all material respects, the financial condition, results of operations and cash flows of the company.

The subjects for inquiry relating to financial and accounting matters should be addressed to the financial staff and independent auditors, and can be made in conjunction with the audit committee’s review of the financial statements with the independent auditors. The foregoing subjects for inquiry are general suggestions and should not be viewed as an exhaustive list of the subjects for which inquiry by the certifying officers should be made. Each public company should consider its unique circumstances in supplementing or modifying our suggested subjects for inquiry. With respect to the evaluation of internal accounting controls (a subcategory of disclosure controls and procedures), the CEO and CFO should obtain guidance from the independent auditors as to the kind of inquiry necessary for an effective evaluation of such controls.

As discussed above, the SEC must adopt regulations pursuant to Section 404 of the S-O Act which will require that a report of management’s assessment of internal accounting controls be included in the Form 10-K annual report. In connection with the rulemaking, the SEC should shed additional light on the nature of the required "evaluation" of disclosure controls and procedures and how it relates to the "assessment" of internal accounting controls. We continue to monitor and report to our clients regarding these developments.

Client Alert is published solely for informational purposes and should in no way be relied upon or construed as legal advice. For specific information on recent developments or particular factual situations, the opinion of legal counsel should be sought. Paul, Hastings, Janofsky & Walker LLP is a limited liability partnership.

© 2002 Paul, Hastings, Janofsky & Walker LLP

1 See SEC Release No. 34-46427 (August 28, 2002).

2 See AICPA Professional Standards, Section AU 319, (.06 - .07) (Internal control is a process – effected by an entity’s board of directors, management, and other personnel – designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (a) reliability of financial reporting, (b) effectiveness and efficiency of operations, and (c) compliance with applicable laws and regulations).

3 Section 906 requires each periodic report containing financial statements be accompanied by a written statement by the CEO and CFO that the report fully complies with the requirements of Section 13(a) or 15(d) of the Exchange Act and that the financial statements fairly present, in all material respects, the financial condition and results of operation of the issuer.