The Sarbanes-Oxley Act requires chief executive and financial officers to put their liberty on the line when they attest to their companies’ financial statements. The safest way to do that: back up those attestations all the way down the line.

Such “sub-certifications” from lower-level employees are not required by Sarbanes; only chief executive and financial officers must certify results, as prescribed by the law’s Section 302. Still, a large number of companies are crafting sub-certification processes anyway, to ingrain the often-touted “culture of compliance”—and to let CEOs and CFOs breathe a little easier.

“Some CEOs and CFOs think that, as long as they have a stack of subcertifications, they can go ahead and sign their own certifications,” says Stephen Poss, a lawyer with Goodwin Procter in Boston. “That’s not a recommended practice. CEOs and CFOs need to be active participants in the process. Subcertifications are not a substitute for diligence and knowledge.”

Jim DeLoach, a risk consultant with Protiviti, says the majority of companies are not doing subcertification effectively.

“Most of the self-certification activity is not sufficiently process-based to create a chain of responsibility,” DeLoach says. “A chain of certification does not provide a substantive source of evidence for Section 404. However, if you organized a chain of certifications where you created in effect a chain of accountability—where the process owners within the organization were providing self-assessment that the controls for which they are responsible are operating effectively—that’s different.”

David Richards, president of the Institute of Internal Auditors, says subcertifications are “a best practice; they formalize responsibility within the organization and fix it with a specific individual for a defined process … They also demonstrate that there is in fact someone who is stepping up to the plate, making a specific statement that they are satisfied to whatever means have been used to determine that the controls are in place.”

Richards acknowledges that many companies struggle with how to use subcertifications effectively, and look to see how other companies are handling them. “There should be best-practice sharing that would drive some of the organizations struggling with this process to raise the bar of their internal documentation,” he says.

Donald Meiers, a partner with Steptoe & Johnson in Washington, says the bar definitely needs to be raised. “I’m not overwhelmed or impressed by the degree to which companies have really thought this through and, in essence, realized that the backup certifications should be an integral part of disclosure controls and procedures,” he says.

Don’t Mimic 302 Certifications

Subcertification processes vary widely from company to company, notes Urton Anderson, an associate dean and accounting professor at McCombs School of Business in Texas.

“I’ve seen some extremely sophisticated certification systems developed as a way of really getting responsibility down where it belongs, to the managers,” Anderson says. “But I don’t see any problem with variation. People should look at what kind of company they have and what kind of management style and culture they have, and fit [the subcertification] process into their company.”

Chris Hall, a lawyer with Perkins Coie in Portland, Ore., says a common tactic, and not a good one, is to copy Section 302 certifications down the chain of command. “They don’t do that little bit of extra work to make [subcertifications] more tailored,” he says. “You can start with the 302 certification and add more detail, be more specific about the questions that they expect people to go into or respond to.”

Poss notes that subcertifications should be “tailored to the individual’s area of personal knowledge. That can be broken up geographically, by product line, by function or some other way. You want people closer to a particular aspect of a company’s disclosure controls and procedures to certify that they’ve examined them and that they’re working well.”

Simply handing out sub-certification forms to employees with terse orders to sign and return them “is not an ideal way to proceed,” Poss quips. “Ideally the personnel asked to make the subcertification should understand how the subcertification fits into the company’s 302 or 404 process. They should have some kind of training or seminar that explains to them how this works, why it’s important and why they’re going to be relied upon.”

‘Raise Your Hand’

Who should provide sub-certifications? Meiers says too often companies demand the attestations from “people in positions who don’t have the responsibility or expertise to be making statements and representations.”

What doesn’t make sense, he adds, is to require sub-certifications beyond the group of employees generally responsible for helping to make periodic filings with the Securities and Exchange Commission. “I generally go with the five or six people beyond the CEO and CFO as a starting point, and try to determine who are the critical players,” he says. “I try to find the one or two people who see themselves as ‘tell it like it is, good or bad.’ ”

Employees who sign subcertifications falsely could, in addition to losing their jobs, face liability from regulators or perhaps even shareholders.

The authorities have always had the choice to pursue lower-level employees, but those employees also always had the argument that they were only following orders from senior executives, says John Carney, former securities fraud chief at the Justice Department and now a partner with Baker and Hostetler. Now, “if a lower-level person signs a [false] certification that gets relied upon, it’s more likely someone will go after them.”

Poss says people who sign subcertifications should consider themselves liable if they sign falsely or in bad faith. “They could be charged with aiding and abetting a violation of the securities laws, or with causing a books and records violation,” he says. “One could imagine various provisions that SEC enforcement might utilize in attempting to take action against someone who falsely signed a subcertification.”

Anderson says people who sign subcertifications should not do so lightly. “I would hope they would be concerned,” he says. “This is what you’re hired for. If you don’t have controls in place, you should fix it.”

DeLoach, of Protiviti, notes that “the whole objective of SOX is not shooting somebody; it’s about transparency. If something’s going wrong, raise your hand. If a control is not operating effectively, steps need to be taken to fix it—or make sure that the right people are made aware of it so that other compensating controls can be looked at.”