A new front opens in the SOX battle

One of the issues that I address in my SOX Master Classes (the next one is in February) has come of age.

I am talking about the certification signed by the CEO and CFO and included in the quarterly filing with the SEC – the one required by Section 302 of the Sarbanes-Oxley Act.

The issue is this:

• The CEO and CFO are required by law to assess the state of internal control over financial reporting (and disclosure control) every quarter and report whether or not it is effective as of the date of the quarterly filing.
• For their own as well as the company’s protection, they need to have a reasonable basis for that assessment.
• Tests of internal control over financial reporting are typically spread over the year. Some perform tests in every quarter; some during at least a couple of quarters; and few limit their testing to the fourth quarter.
• Deficiencies in the controls are identified during that testing.
• Those deficiencies may be assessed as potential material weaknesses if not corrected and retested prior to the end of the year.
• As a result, potential material weakness frequently not only exist but are known to exist at the time that the CEO and CFO are required to assess and certify internal control over financial reporting.
• But, for whatever reason, these potential material weaknesses either are not reported to the CEO and CFO (which fails one of the Section 302 requirements: they have to certify that they know about control issues) or are ignored.
• The CEO and CFO may certify that the systems of internal control and disclosure controls are adequate when they are not.

This is what I have to say in Management’s Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization:

In the past, most CEOs and chief financial officers (CFOs) have signed their annual and quarterly certifications—which are included in the financial statements filed with the SEC on Form 10-Q and required by Section 302 of Sarbanes-Oxley—without a rigorous examination of internal controls. Ideally, management has integrated the quarterly and annual assessment processes. Although management is not required to test all its key controls every quarter, it should perform some degree of testing each quarter to support the quarterly Section 302 certification. At a minimum, the Section 302 certification process should include a consideration of the status of the Sarbanes-Oxley project, the results of testing, the severity of any identified control deficiencies, and management’s corrective action plans.

When I was writing the book, I talked to the SEC about this issue. They said that they understood it but it was not a priority at that time.

Well “the times, they are a-changing”.

This recently appeared on the CFO magazine web site in an article on SEC Focuses on Internal Control by a former chief accountant of the SEC’s Division of Enforcement. In the middle of the article is this section:

Specific issues that investigators have been addressing include whether a material weakness: (1) existed in a reporting period before a restatement; (2) was adequately described as to scope; (3) existed, even if there was no material error; and (4) existed in connection with controls and procedures for disclosure, or in connection with 302 certification processes.

In the book and in the class, I recommend that management and the SOX PMO consider how the results of testing during earlier quarters are incorporated into the Section 302 certification process.

For example, is the SOX PMO (or equivalent) included in the disclosure review process?

When potential material weaknesses are discovered during SOX or internal audit testing, my suggestion is to review the issue with the legal function. They can advise the CEO and CFO whether this should be disclosed as part of the Section 302 certification.

This new front is clearly starting to open.

Don’t let it pull you under.

I welcome your comments.