SEC Requires CEO and CFO Certification of Quarterly and Annual Reports

9/4/2002
Client Alert
Section 302 of the Sarbanes-Oxley Act of 2002 (the "Act") directed the Securities and Exchange Commission ("SEC") to adopt rules to require the principal executive and financial officers of a public company to certify in their company's annual and quarterly reports that such reports are accurate and complete and that they have established and maintained adequate internal controls for public disclosure. The legislative purpose behind Section 302 is to ensure that a company's CEO and CFO take a proactive role in their company's public disclosure and to give investors more confidence in the accuracy, quality and reliability of a company's SEC periodic reports. On August 27, 2002, the SEC adopted a rule that requires such a CEO and CFO certification (see the SEC website for Section 302 Certification Release). Certain parts of Section 302's certification requirement are effective immediately. A CEO and CFO of a public company filing a quarterly or annual report, or an amendment to such a report, must consider the requirements of the Section 302 Certification Release prior to the filing of the report. In addition, the Section 302 Certification Release requires a public company to begin developing and implementing internal disclosure controls and procedures designed to guarantee that its quarterly and annual reports are accurate and complete in preparation for having to disclose its CEO's and CFO's evaluation of such controls in its quarterly and annual reports.

Substance of Section 302 Certification

Typically, a company's principal executive officer and principal financial officer will be the company's CEO and CFO, respectively (therefore, we refer to a company's principal executive officer and principal financial officer as its CEO and CFO for purposes of summarizing the Section 302 Certification Release). Currently, the CEO and CFO are required to sign their company's annual report, and only the CFO is required to sign quarterly reports. The Section 302 Certification Release does not change existing signature requirements, but rather requires that every public company's CEO and CFO provide new a certification in their company's quarterly and annual reports ("Section 302 Certification"). The Section 302 Certification is not required in a Form 8-K or 11-K because the Section 302 Certification is expressly limited to a company's quarterly and annual reports. The Section 302 Certification Release also indicates that the SEC may in the future require a Section 302 Certification in initial registration statements on Forms 10 and 10SB or to definitive proxy and information statements.

The Section 302 Certification can be broken down into three distinct parts: (1) accuracy and fair presentation of the report's disclosure, (2) establishment and maintenance of disclosure controls and procedures, and (3) reporting of deficiencies in, and changes to, internal accounting controls.

Accuracy and fair presentation of the report's disclosure

A CEO and CFO must certify in any quarterly or annual report, including amendments to such reports, filed after August 29, 2002, covering financial periods ending both before and after August 29, 2002, that:

  • he or she has reviewed the report;
  • based on his or her knowledge, the report does not contain any untrue statement of fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by the report; and
  • based on his or her knowledge, the financial statements, and other financial information included in the report (including, financial statements, footnotes to the financial statements, selected financial data, management's discussion and analysis of operations and financial condition and other financial information in the report), fairly present in all material respects the financial condition, results of operations and cash flows of the company as of, and for, the periods presented in the report.

Establishment and maintenance of disclosure controls and procedures

A CEO and CFO must also certify in any quarterly or annual report covering a financial period ending after August 29, 2002, including amendments to such reports, that:

  • he or she and the other certifying officer:
    • are responsible for establishing and maintaining "disclosure controls and procedures" (a newly-defined term reflecting the concept of controls and other procedures of the company that are designed to ensure that information required in quarterly and annual reports is recorded, processed, summarized and reported in a timely manner) for the company;
    • have designed such disclosure controls and procedures to ensure that material information is made known to them, particularly during the period in which the periodic report is being prepared;
    • have evaluated the effectiveness of the company's disclosure controls and procedures within 90 days of the date of the report; and
    • have presented in the report their conclusions about the effectiveness of the disclosure controls and procedures based on the required evaluation.

Reporting of deficiencies in, and changes to, internal accounting controls

A CEO and CFO must further certify in any quarterly or annual report covering a financial period ending after August 29, 2002, including amendments to such reports, that:

  • he or she and the other certifying officer have disclosed to the company's auditors and the audit committee (or persons fulfilling the equivalent function):
    • all significant deficiencies in the design or operation of "internal controls" (a pre-existing term relating solely to financial reporting) which could adversely affect the company's ability to record, process, summarize and report financial data and have identified for the company's auditors any material weaknesses in internal controls; and
    • any fraud, whether or not material, that involves management or other employees who have a significant role in the company's internal controls; and
  • he or she and the other certifying officer have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
The first part of the Section 302 Certification (accuracy and fair presentation) provides a CEO's and CFO's assurances that the disclosure, including financial information, in the quarterly or annual report is accurate and complete, consistent with the anti-fraud prohibitions of the federal securities laws. The first part also contains a statement that the financial presentation in the report "fairly presents" in all material respects the financial condition, results of operation and cash flows of the company. In order to satisfy this "fairly presents" requirement, it is not enough that the financial presentation is in accordance with generally accepted accounting principles. The Section 302 Certification Release indicates that, in the SEC's opinion, a "fair presentation" of a company's financial condition, results of operations and cash flows encompasses the selection and application of appropriate accounting policies, and the disclosure of financial information that is informative and reasonably reflects the company's material transactions and events.

The second part of the Section 302 Certification (disclosure controls and procedures) provides a CEO's and CFO's assurances that their company has internal disclosure controls and procedures that ensure that information required to be disclosed in the quarterly or annual report is collected, processed, organized and communicated to the company's management facilitating timely disclosure.

While the Section 302 Certification is the responsibility of the CEO and CFO, the Section 302 Certification Release also contains new rules that impose a complementary obligation on the company to maintain adequate disclosure controls and procedures, so that its CEO and CFO can provide the second part of his or her Section 302 Certification. The Section 302 Certification does not mandate any specific internal disclosure controls or procedures. Each public company is given the flexibility to adopt procedures that best suit its corporate infrastructure. However, the Section 302 Certification Release indicates that a company's internal disclosure controls and procedures should cover a broader range of information than is covered by a company's internal controls related to financial reporting (see the third part of the Section 302 Certification below). A company's disclosure controls and procedures should be broad enough to capture all information required to be disclosed in quarterly and annual reports and relevant to an assessment of developments and risks that pertain to the company's business. For example, a company that operates in a highly regulated industry should adopt disclosure controls and procedures that ensure that an assessment and evaluation of operational and regulatory risks is undertaken.

The third part of the Section 302 Certification (reporting of deficiencies in, and changes to, internal accounting controls) relates to the company's internal accounting controls, which are the company's system for gathering, reconciling and presenting the financial information of the company. Unlike internal disclosure controls and procedures, public companies have been required to devise and maintain adequate internal accounting controls since the enactment of the Foreign Corrupt Practices Act in 1977. The independent outside auditor, with the oversight of the audit committee, reviews the adequacy of the company's internal accounting controls and identifies any deficiencies or material weaknesses in such controls. The Section 302 Certification directs the CEO and CFO to certify that they have done the same.

The CEOs and CFOs of all public companies, including small business issuers and foreign private issuers, must comply

The Section 302 Certification Release requires Section 302 Certifications in the quarterly and annual reports that are filed by public companies, including small business issuers. Therefore, the CEO and CFO of a small business issuer must provide a Section 302 Certification in their company's Forms 10-QSB and 10-KSB.

The CEO and CFO of a foreign private issuer must provide a Section 302 Certification in their company's annual report on Form 20-F or 40-F. Section 302 Certifications are not required for Forms 6-K. The Section 302 Certification also does not apply to reports that are not deemed to be "filed" with the SEC, such as materials furnished to the SEC by foreign private issuers pursuant to Rule 12g3-2(b).

Foreign private issuers, like domestic companies, will have to ensure that they have internal disclosure controls and procedures that permit their CEOs and CFOs to give the required Section 302 Certifications. For some foreign private issuers, these new requirements go beyond, and may even conflict with the laws and practices of the foreign private issuer's home jurisdiction and foreign stock exchange requirements. Historically, the SEC has recognized that there may be fundamental differences between the securities laws of foreign nations and the United States by affording foreign private issuers different treatment than domestic companies when the circumstances have merited. However, the Section 302 Certification Release indicates that Congress clearly intended for the Section 302 Certification to apply to foreign private issuers, and it is unclear whether the SEC would be amendable to granting exemptive relief from any of the requirements of the Section 302 Certification. A foreign private issuer that anticipates compliance problems should seek the advice of counsel as soon as possible to explore the possibility of approaching the SEC for relief or guidance.

Form and location of Section 302 Certification

The SEC has mandated a specific form of Section 302 Certification. The Section 302 Certification Release specifically sets forth the language of the Section 302 Certification and expressly prohibits a CEO and CFO from altering the language of the prescribed certification in any manner. The CEO and CFO must each give the Section 302 Certification, and each must sign his or her Section 302 Certification (powers of attorney are not permitted). As discussed earlier, a CEO and CFO, initially, does not have to give a complete Section 302 Certification (covering disclosure and internal controls) until a Section 302 Certification is given in connection with a quarterly or annual report covering a financial period ending after August 29, 2002. The Section 302 Certification must appear directly after the signature page of the quarterly or annual report. The SEC did not adopt any public notice requirement for companies whose CEOs or CFOs do not certify or provide non-conforming Section 302 Certifications. The SEC indicated at its open meeting where the Section 302 Certification Release was adopted that the staff of the SEC's Division of Corporation Finance will be conducting "spot checks" of quarterly and annual reports to determine whether the Section 302 Certifications are compliant.

What steps must a CEO, CFO and a public company take to comply?

The Section 302 Certification Release does not mandate any specific due diligence procedures for a CEO or CFO to follow in preparing to give his or her Section 302 Certification. In anticipation of the adoption of the Section 302 Certification and in response to the Section 906 certification and SEC Order 4-460 (see our discussion about these other CEO and CFO certifications later in this memorandum), a series of "best practices" steps for a CEO and CFO preparing to certify have begun to evolve. We recommend that a CEO and CFO consult counsel to ensure that all necessary precautions and inquiries are made.

The Section 302 Certification does not require either a CEO or CFO to separately inquire as to information not known to him or her as a prerequisite for giving the Section 302 Certification. However, the Section 302 Certification Release does recognize that a CEO's and CFO's review of an annual or quarterly report must be a critical one. Such a critical review would necessarily include certain inquiries where appropriate, such as questioning disclosure that they do not understand, or questioning the materiality of information known to them. A CEO and CFO will have to rely on the information being provided to them from other members of management and their subordinates. In that regard, the Section 302 Certification Release recommends that a company create a committee with responsibility for considering materiality of information and determining disclosure obligations on a timely basis. The Section 302 Certification Release suggests that the committee include the principal accounting officer or controller, the general counsel or other senior legal official with responsibility for disclosure matters who reports to the general counsel, the principal risk management officer, the chief investor relations officer (or an officer with equivalent responsibilities), and such other officers or employees, including individuals associated with the company's business units, as the company deems appropriate. This committee would report to senior management, including the CEO and CFO, who bear express responsibility for designing and establishing and maintaining and reviewing the company's disclosure controls and procedures.

One potential problem that a CEO and CFO may face when deciding whether he or she can certify as to the accuracy and completeness of the disclosure in a Form 10-K or 10-KSB is that certain of the information required in the report may not be disclosed until after the report is filed. Many domestic public companies incorporate by reference into their Forms 10-K and 10-KSB executive compensation disclosure from their proxy statements for their annual meetings of shareholders. In order to do so, a company must file its proxy statement within 120 days of its fiscal year-end. Annual reports on Forms 10-K and 10-KSB must be filed at least 30 days earlier than the due date for filing definitive proxy materials; therefore, in most cases, the Section 302 Certification will be filed prior to the public filing of the annual meeting proxy statement. The Section 302 Certification Release indicates that a CEO's and CFO's Section 302 Certification is deemed to cover all executive compensation disclosure and other information incorporated by reference from the company's proxy statement for the annual meeting of shareholders, even if the proxy statement is filed after the Form 10-K or 10-KSB. Once the proxy statement is filed, there is no requirement in the Section 302 Certification Release that a CEO or CFO reaffirm his or her previous Section 302 Certification. However, a CEO and CFO should continue to review all information to be incorporated by reference from the proxy statement into the annual report as soon as it becomes available. Any concerns with such disclosure should be immediately discussed with counsel.

The Section 302 Certification Release also requires a public company, under the supervision of the CEO and CFO, to conduct an evaluation of the company's internal disclosure controls and procedures within 90 days of the filing date of every quarterly and annual report. Therefore, internal disclosure controls and procedures to address the requirements of the Section 302 Certification must be adopted immediately by a public company. As mentioned earlier, a company is already required to have in place internal accounting controls, although a CEO and CFO will want to critically evaluate those controls in light of the Section 302 Certification.

For any financial period ending after August 29, 2002, a public company must report in every quarterly and annual report the CEO's and CFO's conclusions as to the evaluations of the company's internal disclosure controls and procedures. It must also disclose any changes in internal controls occurring subsequent to the CEO's and CFO's evaluation of such internal controls that could significantly affect the CEO's and CFO's evaluation.

Liability for a false Section 302 Certification

A CEO or CFO signing a false Section 302 Certification potentially could be subject to an SEC enforcement action for violating Section 13(a) of the Securities Exchange Act of 1934 (the "Exchange Act") and private actions under Section 10(b) of the Exchange Act and Rule 10b-5. A false Section 302 Certification also may have liability consequences under Sections 11 and 12(a)(2) of the Securities Act of 1933 where a quarterly or annual report is incorporated by reference into a registration statement. Penalties in SEC enforcement actions could include civil money penalties and/or injunctive actions. Relief in private actions could include monetary damages. In egregious cases, where a false Section 302 Certification was "willfully" provided, the SEC may refer the matter to the Department of Justice for possible criminal prosecution under criminal statutes that existed prior to enactment of the Act. The Act increases the criminal penalties (fines up to five million dollars and imprisonment up to 20 years) for a "willfully" false Section 302 Certification.

Though there may be an increase in actions against CEOs and CFOs based on the Section 302 Certification requirement, any such action brought against a CEO or CFO based upon his or her Section 302 Certification will not be successful if brought solely on the basis that material information was incorrect or missing from an annual or quarterly report. Any cause of action would also have to allege that the officer believed, knew, or should have known that the information was material and incorrect or absent from the report.1 How effectively a CEO and CFO document their actions taken in connection with the preparation of an annual or quarterly report may be critical to avoiding liability.

The Section 302 Certification does not eliminate need to submit Section 906 certifications and SEC Order sworn statements

In addition to the Section 302 Certification, Section 906 of the Act requires a CEO and CFO to certify that a periodic report containing financial statements:

  • fully complies with the requirements Sections 13(a) or 15(d) of the Exchange Act, as applicable; and
  • the information contained in the report fairly presents, in all material respects, the financial condition and results of operations of the company for the periods being presented. (See our update CEO and CFO Certification Under Sarbanes-Oxley, August 2002.
Although it is unclear whether Congress intended Section 906 to create an additional certification, practitioners and the SEC have both recognized the need to submit separate certifications pursuant to Sections 302 and 906 of the Act until Congress or the Department of Justice provide further guidance. The language of Section 906 is ambiguous as to what reports must include the Section 906 certification. As a result, there are conflicting opinions as to when and where the Section 906 certification is required. For example, there is no consensus among practitioners as to whether the Section 906 certification is required in Forms 8-K and 6-K that include financial statements. The Section 302 Certification Release is very clear that the Section 302 Certification is not required in Forms 8-K or 6-K. The SEC has publicly stated that it will not provide guidance as to the certification required by Section 906 of the Act. Although we believe it is possible for a CEO and a CFO to each file a single certification that satisfies the requirements of Sections 302 and 906 of the Act, we would advise against a CEO or CFO submitting a joint Section 302/Section 906 certification until further guidance is provided by Congress or the Department of Justice.

On June 27, 2002, the SEC issued Order No. 4-460 requiring the CEOs and CFOs of 947 of the nation's largest publicly-traded companies to submit one-time sworn statements attesting to the accuracy of their companies' recent SEC filings (see our update SEC Orders Senior Officers of Large Public Companies to Attest to the Accuracy of Their Company's Financial Statements, July 2002). Most of the 947 companies were required to submit their sworn statements on August 14, 2002 when they filed their Forms 10-Q for the second quarter ended June 30, 2002. Those remaining companies that did not have to file a quarterly or annual report by that date must submit their sworn statements no later than the date their next quarterly or annual report is due. The Section 302 Certification Release does not affect the need to submit these sworn statements.

Conclusion

The SEC staff has indicated that the purpose of the Section 302 Certification is to ensure greater participation by CEOs and CFOs in the creation of the company's quarterly and annual reports and to restore investor confidence in the periodic disclosure of public companies; however, a legitimate concern is that, regardless of how involved a CEO and a CFO become in the creation of these reports, the Section 302 Certification could lead to a spate of plaintiff's lawsuits against CEOs and CFOs and may create de facto new liability standards for CEOs and CFOs in civil litigation. CEOs and CFOs could end up in the unenviable position of having to demonstrate in court that they were not aware of undisclosed material information at the time of filing of a quarterly or annual report in order to escape liability. In addition, it is clear that a CEO and CFO cannot avoid liability in all cases by arguing that they did not know about a material omission or misstatement. Because they must be involved in the creation of a company's quarterly and annual reports, some level of critical inquiry will be required. The level of inquiry required may ultimately be a matter for the courts to decide.

Greater focus may also be placed on what information is "material." The Section 302 Certification Release does not provide any bright line test of materiality, so CEOs and CFOs will have to continue to apply existing judicially-created standards of materiality, including whether a reasonable investor would consider the information important in making an investment decision. Unfortunately under this test, information omitted from a filing might not seem material until after a CEO and CFO must make the disclosure decision. The Section 302 Certification Release does provide guidance on how a CEO, CFO and their company can best prepare for the Section 302 Certification and the disclosure that must accompany the Section 302 Certification in the quarterly or annual report. What actions a CEO, CFO and the company immediately take to comply will be critical in minimizing potential liability in the future.


1: The Section 302 Certification proposing release (SEC Release No. 34-46079) pointed out that even without the Section 302 Certification, private litigants may seek to hold officers that sign an annual or quarterly report liable under Section 18(a) of the Exchange Act, if such officers cannot prove that they acted in good faith and had no knowledge that the report contained false or misleading statements.

Email Disclaimer

Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.

©1996-2019 Morrison & Foerster LLP. All rights reserved.