May 20, 2022

One More Anniversary: The Sarbanes-Oxley Act!

When I was recounting all of the significant anniversaries in 2022 earlier this week, I definitely forgot a big one – the Sarbanes-Oxley Act! I hope all of the Sarbanes-Oxley fans out there will forgive me for that oversight.

The law was enacted July 30, 2002 in response to the major corporate scandals of the early 2000s, and it changed everything about the way public companies comply with their reporting obligations and govern themselves, as well as the way auditors conduct their audits and interact with the companies they audit (under the supervision of the PCAOB). I was actually not at the SEC at the time when Sarbanes-Oxley was enacted – I was on the “dark side,” working on a number of the above-referenced scandals. I rejoined the SEC in 2003 when implementation of Sarbanes-Oxley was in full swing, which was definitely a very interesting time to work at the agency.

There is one aspect of the Sarbanes-Oxley Act legacy that I think is worth revisiting now that we are going on 20 years into living with the Act, and that is the certification process. As we all know, the Sarbanes-Oxley Act imposed certification requirements on CEOs and CFOs in Sections 302 and 906 of the Act. The legislative purpose behind Sections 302 and 906 of the Sarbanes-Oxley Act was to enhance investor confidence in the quality and reliability of periodic reports by compelling CEOs and CFOs to take a more active role in the disclosure processes of public companies through individual responsibility for the accuracy and completeness of periodic report disclosures.

What many companies have done to support their Sarbanes-Oxley certifications is to implement a process of sub-certifications that compel responsible individuals throughout the organization to provide certifications that the CEO and CFO can rely on to provide their own certifications with the periodic report. Neither the statutory provisions of the Sarbanes-Oxley Act, nor the SEC’s implementing rules, specify any requirement that sub-certifications be executed by responsible individuals within a public company as a means to support the certifications signed by the CEO and the CFO. Further, the SEC has not provided any substantive guidance on the use of sub-certifications as part of a public company’s overall disclosure controls and procedures.

Sub-certifications can serve as important evidence supporting the executive’s state of mind. This evidence would be particularly important if the government were to pursue a criminal case based on the executive’s certification, which would require the DOJ to prove the executive “willfully” signed a certification “knowing” that the report did not comply with the SEC’s requirements. It is more difficult for the government to prove such an allegation if the executive was told that the report did in fact comply with the applicable requirements through the sub-certification process. The more specific the sub-certifications are, the more helpful they are for this purpose.

Remember that sub-certifications are not a substitute for implementing, utilizing and periodically evaluating effective disclosure controls and procedures and internal control over financial reporting. If used properly as part of a disciplined disclosure process, sub-certifications can serve the purpose of reinforcing effective disclosure controls and procedures and internal control over financial reporting, while promoting a corporate culture of compliance. Sub-certifications can sometimes be perceived negatively as a means for the CEO and CFO to transfer responsibility for the company’s SEC filings to subordinate employees, rather than taking responsibility themselves.

I think the 20th anniversary is a good opportunity to take another look at your sub-certification process. Some questions you could ask are as follows:

1. Are the appropriate individuals within the organization providing sub-certifications?

2. Are the individuals taking the steps necessary to appropriately provide the sub-certification, or are they treating it as a pro forma process?

3. Can the sub-certification process be streamlined in any way to increase its effectiveness and enhance the protections that are sought through the process?

4. Is the sub-certification process appropriately integrated with the company’s overall disclosure controls and procedures and internal control over financial reporting?

5. Does the disclosure committee, or another appropriate governance body, periodically review the sub-certification process?

6. Do you have a plan in place for when an individual refuses to provide a sub-certification?

For more about Sarbanes-Oxley Act certifications and sub-certifications, check out our “CEO/CFO Certifications” Practice Area.

– Dave Lynn