PrintShare


Publications

What you Need to Know About the Certification Requirements of The Sarbanes Oxley Act of 2002

Client Advisory

June 2003
Introduction

This advisory addresses the question of what senior management should now be doing to comply with the certification requirements under Sections 302, 404 and 906 of the Sarbanes-Oxley Act of 2002 (the “Act”). It updates our previous advisory on the same subject of September 2002 by incorporating a description of the new rules recently adopted by the SEC which implement Section 404 of the Act with respect to management’s assessment of internal controls and the revisions to the Act’s Section 302 certification requirements.

U.S. and non-U.S. public companies have been subject to the disclosure controls and procedures and the internal accounting controls certification requirements of Section 302 of the Act since August 29, 2002, when the SEC published its final rules regarding Certification of Disclosure in Companies’ Quarterly and Annual Reports (the “August 29th Final Rules”). U.S and non-U.S. Public Companies have also been subject to the certification requirements of Section 906 of the Act since July 30, 2002.

Section 404 of the Act required the SEC to prescribe rules obliging each annual report to contain an internal control report stating that it is the responsibility of management to establish and maintain an adequate internal control structure and procedures for financial reporting and an assessment, as of the end of the most recent fiscal year of the company, of the effectiveness of these internal control structures and procedures. Section 404 of the Act also requires the public accounting firm that issues an audit report on the company’s annual financial statements to attest to, and report on, the assessment made by management.

In response to the Act’s mandate, on June 5, 2003, the SEC adopted Final Rules regarding Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports (the “June 5th Final Rules”).

The June 5th Final Rules require annual reports to contain (i) management’s report on the company’s internal controls including management’s assessment of their effectiveness as of the end of the fiscal year (ii) a statement identifying the framework used by management to evaluate internal controls and (iii) an independent auditor’s attestation report on management’s assessment. They also require management to evaluate, on a quarterly basis, material changes in the company’s internal controls.

In addition, the June 5th Final Rules also make certain revisions to the Section 302 certification requirements and forms of certification.

It is important to note at the outset, that in the June 5th Final Rules, the SEC changed the term “internal controls and procedures for financial reporting” previously used to describe the internal controls required by Section 404 of the Act to “Internal Control Over Financial Reporting.”

As part of Carter Ledyard & Milburn LLP’s commitment to assist you in the interpretation and implementation of the complex layers of SEC, NYSE and Nasdaq rules triggered by the Act, we shall continue to keep you abreast of corporate governance rules and regulations as they unfold.

What is the Difference Between Disclosure Controls and Procedures and Internal Control Over Financial Reporting?

Because both the August 29th Final Rules and the June 5th Final Rules deal with “Disclosure Controls And Procedures” and “Internal Control Over Financial Reporting,” it is important to understand the basic difference between them.

Disclosure Controls And Procedures are meant to ensure, as far as possible, that all the information required by law to be included in the periodic reports filed with the SEC is made available to those responsible for preparing them in a complete and timely fashion. The urgency of putting such procedures into place arose out of the loose reporting systems at Enron which resulted in many significant transactions either not making it into the periodic reports at all or not making it in a timely fashion.

Internal Control Over Financial Reporting is meant to ensure the integrity of the financial statements and guard the assets of the company. At the bookkeeping level, these procedures are designed to enforce the proper recording of income and expenditure so that revenues are deposited into the company’s bank account and unauthorized expenditures do not leave the company’s bank account. At the executive level, these procedures are designed to prevent manipulation of revenues and expenses, such as illegal transfers from expense accounts to capital accounts, in which management may to tempted to engage in order to hit the end of the period “whispered numbers”.

Because most periodic reports contain financial statements, there is some inevitable overlap between the two sets of controls. But given the recent gaps through which large numbers fell, overlap is not a bad thing.

The Disclosure Controls and Procedures and The Internal Control Over Financial Reporting are sometimes collectively referred to in this advisory as “the Controls And Procedures.”

By What Date Must a Company Comply with the June 5th Final Rules?

There are two different compliance dates relevant to June 5th Final Rules. The first compliance date, is August 14, 2003, (the “First Compliance Date”). This is the date, when companies must comply with the revised Section 302 Disclosure Controls and Procedures certification language. The second compliance date (the “Second Compliance Date”) is the date on which companies must (i) comply with the revised Section 302 Internal Control Over Financial Reporting certification language, (ii) include an internal control report in their annual reports, (iii) evaluate and disclose in quarterly reports, beginning with the filing of the first quarterly report due after the Second Compliance Date, any change in the internal control that occurred during a fiscal quarter (or fiscal year in the case of a non-U.S. public company) that has a material effect on the internal control. For smaller companies that are not Accelerated Filers, (as this term is explained below), the Second Compliance Date is the date they file their first annual report for fiscal years ending on or after April 15, 2005. For larger companies that are Accelerated Filers, the Second Compliance Date is the date they file their first annual report for fiscal years ending on or after June 15, 2004. The term Accelerated Filer means a company, (including a non-U.S. Public Company) with an aggregate market value of common equity held by non-affiliates of $75 million or more and subject to the Exchange Act reporting requirements for at least one year.

What is the Second Compliance Date for Non-U.S. Public Companies that are Accelerated Filers?

There is an apparent inconsistency regarding the Second Compliance Date for non-U.S public companies between the SEC press release issued on May 27, 2003 announcing the June 5th Final Rules and the SEC’s adopting release for the June 5th Final Rules. Whereas the press release unambiguously makes all non-U.S public companies, even those that are Accelerated Filers, subject to the April 15, 2005 later Second Compliance Date, the Adopting Release could be interpreted to make non-U.S. public companies which are Accelerated Filers subject to the June 15, 2004 earlier Second Compliance Date, like all other Accelerated Filers.

In view of this ambiguity, Carter Ledyard & Milburn LLP sought further clarification from the SEC Staff. The Staff has advised that non-U.S public companies that are Accelerated Filers must indeed begin to comply with the management report on internal control requirements and the revised Section 302 or Internal Control Over Financial Reporting certification language beginning with their fiscal year ending on or after June 15, 2004.

What will the Required Section 302 Certification Language be after the First Compliance Date?


The revised language required to be inserted in the Section 302 certification on and after August 14, 2003 is set forth below and includes (i) the clarification that Disclosure Controls and Procedures may be designed under the supervision of the principal executive and financial officers, (ii) the replacement of the term “Internal Controls” previously used in the August 29th Final Rules with the term “Internal Control Over Financial Reporting,” (iii) a revision to the effect that officers must evaluate the effectiveness of the disclosure controls “as of the end of the period covered by the report” rather than “as of a date within 90 days prior to the filing date” of the report as required by the old Section 302 certification, (although the revised certification is silent as to the date on which the evaluation must be conducted), (iv) other revisions which are highlighted in the comparison version of the new certification with the old certification set forth below.

Aside from these modifications, the Section 302 certification will, as before, continue to require the CEO and CFO of a public company to certify in the periodic reports that (i) the company’s periodic reports are not misleading within the meaning of Rule 10b-5 of the Securities Exchange Act of 1934 (the “Exchange Act”) (ii) that the financial information included in such reports fairly present, in all material respects, the financial condition of the company and that (iii) appropriate “Disclosure Controls and Procedures” have been put in place to ensure the quality and timeliness of the information contained in the report. The words “fairly present” require more than mere compliance with GAAP. They require disclosure of overall material accuracy and completeness.

The revised Section 302 certification language required to be used on or after August 14th 2003 is set forth immediately below. It is marked to show changes from the certification language previously required by the August 29th Final Rules .

“I [identify the certifying individual] certify that:

1. I have reviewed this [specify report] of

[Identify registrant].

2. Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report.

3. Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report.

4. The registrant’s other certifying officer(s) and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-14 and 15d-1415(e) and 15d- 15(e)) for the registrant and have:

(a)Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated Subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;

b) evaluated the effectiveness of the registrant's disclosure controls and procedures as of a date within 90 days prior to the filing date of this annual report (the "Evaluation Date"); and

(b) Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures based on our evaluation as of the Evaluation Date;, as of the end of the period covered by this report based on such evaluation; and

(c) Disclosed in this report any change in the registrant’s internal control over financial reporting that occurred during the registrant’s most recent fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting; and

5. The registrant’s other certifying officer(s) and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant’s auditors and the audit committee of the registrant’s board of directors (or persons performing the equivalent function):

(a) All significant deficiencies and material weaknesses in the design or operation of internal controls control over financial reporting which could are reasonably likely to adversely affect the registrant’s ability to record, process, summarize and report financial data and have identified for the registrant's auditors any material weaknesses in internal controls information; and

(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal controls; and 6. The registrant's other certifying officers and I have indicated in this annual report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of our most recent evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses’s internal control over financial reporting.

Date:

__________________

Signature

Title”

A clean unmarked copy of this certification is attached as Exhibit A to this Advisory.

The Section 302 certification language may not be altered, must be signed by both the CEO and CFO or persons with equivalent functions on separate certificates, and cannot be made by power of attorney.

In addition to the Section 302 certification, the CEO and the CFO will be required, as before, to give the separate Section 902 certification.

One of the revisions introduced by the June 5th Final Rules relates to the location of the Section 302 certifications. Beginning August 14, 2003, the Section 302 certifications will be required to be “filed” as exhibits to the periodic reports to which they relate rather than being included in the reports following the signature page as was the case prior to the June 5th Final Rules. Because the Section 302 Certification is required to be “filed,” rather than “furnished,” it will subject the company to liability for misleading statements under Section 18 of the Exchange Act and it will it be automatically incorporated by reference into a company’s registration statements under the Securities Act of 1933, as amended (the “Securities Act”).

How Should The CEO and the CFO Evaluate the Controls and Procedures Prior to Filing a Periodic Report?

The June 5th Final Rules did not change the previously existing requirement that the CEO and CFO certifying the periodic report, perform a quarterly evaluation of the Disclosure Controls and Procedures as of the end of the quarter or year covered by the report and that they present the conclusions of such evaluation in the quarterly or annual report itself. Whereas the August 29th Final Rules required officers to certify that they had evaluated the effectiveness of the company’s Disclosure Controls and Procedures “as of a date within 90 days prior to the filing date” of the report, the June 5th Final Rules require that the officers must evaluate the effectiveness of the Disclosure Controls and Procedures “as of the end of the period covered by the report.”

In addition, the CEO and CFO must certify that they have disclosed to the company’s auditors and audit committee, prior to the date of the filing of the periodic report, any significant deficiencies and material weaknesses in the design or operation of Internal Control Over Financial Reporting which are reasonably likely to adversely affect the company’s ability to record and report its financial data and any fraud, whether or not material, that involves management or other employees with a significant role in the company’s internal control over financial reporting.

The conclusions of the CEO and CFO concerning their evaluations of the Controls and Procedures must be disclosed in the periodic reports. For this purpose, the August 29th Final Rules added a new Item 4, entitled “Controls and Procedures,” to the quarterly reports on the Forms 10-Q and 10-QSB and a new Item 14, entitled “Controls and Procedures,” to the annual reports on Forms 10-K and 10-KSB.

How Should a Company Implement Disclosure Controls and Procedures

All companies, to a greater or lesser extent, already have procedures in place for gathering and evaluating information to be included in their Exchange Act filings. The new SEC rules do not require companies to do anything that they were not previously supposed to do. The new rules however, compel companies to take a second look at their procedures, fix any deficiencies, and enhance them, as appropriate.

In contemplating the implementation of these procedures, companies should focus on the purpose of the Disclosure and Control Procedures rather than on their form. Each company has a different business and there is no “one size fits all” solution. Thus for example, it may not be appropriate for all companies to establish a disclosure committee. Each company should consider which methods of gathering information would be best for acquiring the necessary information.

The Disclosure Controls and Procedures should be crafted in such a way that they are easy to follow and practical to implement. They should be in writing and should be customized to reflect the operations of the company and its particular risk profile. What follows is a list of suggestions, some recommended by the SEC and others that we believe are good practice, for the implementation of Disclosure Controls and Procedures designed to give the certifying officers the comfort level they need to sign the certifications.

Disclosure Committees


  • Consider establishing a disclosure committee charged with assisting the CEO and CFO in developing, writing and overseeing Disclosure Controls and Procedures. The disclosure committee should be made up of the general counsel, the principal accounting officer, the chief investor relations officer, the principal risk manager or persons with different titles but with similar responsibilities, heads of major business units and the head of the human resources department.

Take Inventory of Current Procedures


  • A good starting point for the disclosure committee in developing Disclosure Controls and Procedures is to take an inventory of the company’s existing practices and weaknesses with regard to:
    •  preparing annual reports on Forms 10-K, 10-KSB, 20-F or 40-F, quarterly reports on Form 10-Q, 10-QSB, current reports on Form 8-K, foreign issuer reports on Form 6-K, proxy and information statements, earnings press releases, rating agency reports, schedules 13D and 13G, reports on Forms 3, 4 and 5 to the extent that the company prepares them for their executive officers and directors, and website disclosure;
    • the handling of whistle blower complaints with respect to the company’s disclosure; 
    • the review of any matters raised by the company’s independent auditors in their management letter or in connection with any information included in the reports and 
    • the retention of relevant documents.

Who Should Be Involved in Gathering Disclosure Information


· The disclosure committee should identify persons both inside and outside the company whose input is critical to the disclosure process and set deadlines for the time they have to gather, verify and report the information to those preparing the disclosure.

Prepare a Controls and Procedure Timetable and Check List

· The disclosure committee should disseminate internally a Controls and Procedures check list which fills in any gaps and fixes any weaknesses discovered by the inventory. The check list should state that it has been adopted as part of the Disclosure Controls and Procedures required by the Act. The check list should be prepared in consultation with the company’s internal and independent auditors and outside counsel with a view to blending, as far as possible, the Disclosure Controls and Procedures with the company’s Internal Control Over Financial Reporting.

What Should the Check List Include?

· The check list should assign responsibility to designated individuals with deadlines
  • for gathering the documentation and information needed by each section of the relevant report under the relevant SEC rules and regulations, (i.e. Regulation S-X, S-K etc.);
  • for providing responses to any follow up questions arising out of the gathered information;
  • for assessing risks the company may be facing in its business or in its operational, technology, or financial areas;
  • for taking a closer look at areas of disclosure that have raised questions in the past and for reviewing other hot button issues such as related party and off balance sheet transactions, revenue recognition policies, reserves or asset impairment; 
  • for reviewing any alternative accounting treatments and why the company chose the one it did and whether it provides a fair presentation of the company’s financial condition;
  • for communicating and meeting with the outside auditors and outside counsel in connection with their audit or review of the reports;
  • for reviewing any employee complaints regarding disclosure and bringing them to the attention of the audit committee;
  • for convening due diligence meetings with the participation of the disclosure committee and outside advisors to discuss the comprehensiveness of the material gathered and any disclosure issues;
  • for convening management meetings to evaluate any management letters received by the company from their independent accountants and to consider the adequacy of operating and information technology systems;
  • for preparation and revision of draft reports and the conducting of compliance checks of the pertinent SEC, exchange and Nasdaq regulations;
  • for gathering of back-up certifications for the Sections 302 and 906 certifications if the company decides to implement back-up certifications ;
  • for convening meetings with the CFO and CEO, the board and the audit committee at which the reports can be carefully reviewed and any disclosure issues discussed; and
  • for signing off on drafts and final versions of the reports.

Back-up Certifications

Companies may wish to consider obtaining “back-up” support certifications from certain officers that confirm the certifications of the CEO and CFO. Back-up certifications may not be appropriate for all companies. One consideration, among others, is whether asking for back-up certificates will cascade down through the company and create an unmanageable bureaucratic structure.

Evaluation of Disclosure Controls and Procedures

The disclosure committee should review and evaluate the check list at least quarterly in the case of U.S. companies and annually in the case of non-U.S. companies for the following:

o staffing inadequacies in the disclosure process;

o the level of experience of those drafting the reports;

o the reliability of the information systems used;

o whether those preparing the reports have access to the persons that have the information required and whether such persons are responsive to requests for information;

o whether sufficient time was allowed for review, comment and Q&A on drafts; whether transaction files were complete or were missing documents;

o whether material transactions and issues were included in early drafts and how long did it take for issues to surface;

o whether disclosures were accurate; whether form checks revealed any problems and if so whether they were corrected;

o whether there are adequate controls over related party transactions; and

o Whether there was sufficient time to discuss issues and maintain a sufficient dialog between the gatekeepers of the information. The results of this periodic evaluation should be discussed with the CEO, CFO, the board of directors and the audit committee.

Other Functions of the Disclosure Committee

Other functions of the disclosure committee would include overseeing and coordinating the collection of information, resolving questions about the materiality of a development, reviewing and advising on the content of disclosure, drafting of disclosure and communication with the investing public, and recommending to the board, the audit committee, the CFO and the CEO, the filing of the report.

The Importance of Company-wide Training Sessions For Controls and Procedures


Periodic staff education programs should be held to ensure that employees in the organization are aware of the company’s reporting obligations and what must be reported to management. Companies should consider whether they should offer training sessions customized for specific departments. Of course, Carter Ledyard & Milburn LLP will be happy to assist at such training sessions.

Such sessions should be used as an opportunity to drive home the message that the Controls and Procedures come from the top and that integrity of disclosure is a question of company survival.

Using Technology to Capture All Potential, Relevant Information

Consider adding software to rationalize the information-gathering process including extranet systems, if not in place, that allow people at different locations to conference, review and make collectively agreed upon changes to documents in real time.

What Should Each CEO and CFO Ask Before Signing the Certifications

Assuming that the steps described above in connection with the implementation of the Controls and Procedures have been taken, the CEO and CFO should ask themselves the following questions before signing the certification.

· Did you participate in the design, maintenance and evaluation of your company’s Controls and Procedures as they apply to all of the company’s public disclosures and reports?

· Did you make it clear to employees that adherence to the Controls and Procedures is on top of your list of priorities and should be taken very seriously?

· Did you read the report and does it provide an accurate picture of the company’s financial condition as you know it?

· Have you asked for explanations of anything you did not understand and were you satisfied with the answers?

· Did you evaluate the Controls and Procedures and are you satisfied that they are adequate to ensure that they capture all potential matters for disclosure in a timely manner?

· Did the Disclosure Controls and Procedures leave enough time to prepare a good first draft and give sufficient time to you, the board and the audit committee to review it and discuss any issues?

· Does the disclosure of the evaluation of the Controls and Procedures in the periodic report you are signing conform with your own evaluation of the Controls and Procedures?

· Did you talk to the critical people preparing the report? Did you ask them how comfortable they are with the contents of the disclosure and if they would sign the certification under oath, if the law were to require them to?

· Did you take a second critical look at those areas most likely to raise issues with the SEC?

· Did you talk with the independent auditors about the report? Did you ask them whether they was anything in the report they would have recorded differently than the internal auditors recorded it?

· Did you ask the independent auditors if they are satisfied with the Controls and Procedures and with their communication with the inside auditors?

· Did you ask the independent auditors whether they had any disagreements with the internal auditors or senior management regarding the contents of the financial statements or the report?

· Did you ask the independent accountants if the company’s accounting was aggressive?

· Did you discuss with the audit committee the certifications and the Controls and Procedures evaluation made?

· Did you keep a record of all steps taken to give you the comfort necessary to sign the certification?

What Will the Required Section 302 Certification Language Be After the Second Compliance Date?

Below, for your convenience, we recite the Section 302 certification language that will be required (i) beginning with the first annual report for fiscal years ending on or after April 15, 2005 for a company that is not an Accelerated Filer and (ii) beginning with the first annual report for fiscal years ending on or after June 15, 2004 for a company that is an Accelerated Filer. It is marked to show changes from the certification language required after the First Compliance Date shown above.

“I [identify the certifying individual] certify that:

“1. I have reviewed this [specify report] of [identify company].

2. Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;.

3. Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;

4. The registrant's other certifying officers and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e) and internal control over financial reporting (as defined in the Exchange Act Rules 13a-15(f) and 15d-15(f)) for the registrant and have:

a) designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;

b) designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;

(c)
evaluated the effectiveness of the registrant's disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and

d) disclosed in this report any change in the registrant’s internal control over financial reporting that occurred during the registrant’s most recent fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting.

5. The registrant's other certifying officers and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant's auditors and the audit committee of registrant's board of directors (or persons performing the equivalent function):

a) all significant deficiencies and material weaknesses in the design or operation of internal control over financing reporting which are reasonably likely to adversely affect the registrant's ability to record, process, summarize and report financial information and;

b) any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal controls over financial reporting.

Date:

__________________

Signature

Title”

What is the Purpose of Internal Control Over Financial Reporting?


The establishment, maintenance and periodic evaluation of Internal Control Over Financial Reporting required by Section 404 of the Act is important in view of the fact that in auditing financial statements, outside accountants conduct and rely upon samplings and random checks rather than upon an exhaustive review of each transaction. This method of sampling and spot checking is justified if a reliable system of Internal Controls Over Financial Reporting is in place because it provides a level of comfort that there are checks and balances which monitor the day to day financial operations of the company. If on the other hand, no reliable Internal Control Over Financial Reporting exists, the accountant would have to conduct tests of transactions and perform additional analyses in order to accumulate sufficient evidence to support its opinion on the financial statements.

What Procedures Should Be Included In the Internal Control Over Financial Reporting?


Internal Control Over Financial Reporting should include policies and procedures that provide reasonable assurance that (i) records are maintained that fairly reflect purchase and sales of the company’s assets,(ii) that transactions are properly recorded so as to permit the preparation of GAAP financial statements, (iii) receipts and expenditures are being made in an authorized fashion and (iv) unauthorized use of company assets that could have a material effect on the financial statements will be timely detected.

What is the Extent of Management’s Duty to Assess and Report on the Company’s Internal Control Over Financial Reporting?

In order to ensure the reliability of the Internal Control Over Financial Reporting at all times, management is required to evaluate the effectiveness of those controls on a periodic basis and to include a report of such evaluation in the annual report, which evaluation must be attested to by the company’s outside accountants. Under the Section 404 proposed rules, management would have been required to evaluate the effectiveness of the internal controls quarterly. Recognizing that this would be too burdensome, the June 5th Final Rules only require quarterly evaluation of changes that have materially affected, or are reasonably likely to materially affect, the Company’s Internal Control Over Financial Reporting. Whereas a U.S. public company would have to report these changes quarterly, a non-U.S public company would only have to report them in its annual report.

If, in the course of the evaluation, management discovers any deficiency in the design or operation of Internal Control Over Financial Reporting that could adversely affect a company’s ability to record, process, summarize and report financial data consistent with the assertions of management in the company’s financial statements, then management must disclose this material weakness in the report.

What Procedures Should Management Follow in Preparing the Report of the Effectiveness of Internal Control Over Financial Reporting?

The June 5th Final Rules do not specify the method or procedures to be performed in an evaluation and such method will vary from company to company. They do, however, require management to maintain the documentation that supports its assessment of the effectiveness of the company’s Internal Control Over Financial Reporting. The documentation regarding the design of internal controls and the testing process should provide reasonable support (i) for the evaluation of whether the control is designed to prevent or detect material misstatement or omissions, (ii) for the conclusion that the tests were appropriately planned and performed and (iv) that the results of the tests were appropriately considered. In performing their evaluation of the design and effectiveness of the Internal Control Over Financial Reporting, management should review (i) the company’s controls over initiating, recording, processing and reconciling account balances, classes of transactions and disclosures and related assertions included in the financial statements; controls related to the initiation and processing of non-routine and non-systematic transactions; controls relating to the selection and application of appropriate accounting policies and controls relating to the prevention, identification and detection of fraud.

Where, in the Annual Report Will Management’s Report on the Effectiveness of Internal Control Over Financial Reporting be Located?


Form 10-K for annual reports of U.S. public companies has been amended by adding Item 9A entitled “Controls and Procedures” to the annual report on Form 10-K. Form 20-F for annual reports for non-U.S. public companies has been amended by revising Item 15 of Part II. After the Second Compliance Date, these amendments will require a company’s annual report to include an internal control report of management that contains (i) a statement of managements responsibility for establishing and maintaining internal controls over financial reporting for the company, (ii) a statement identifying the framework used by management to conduct the required evaluation (iii) managements assessment of the effectiveness of the company’s Internal Control Over Financial Reporting as of the end of the company’s most recent fiscal year, which assessment must include disclosure of any material weakness in the company’s Internal Control Over Financial Reporting identified by management and (iv) a statement that the accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting, which report must be filed as part of the company’s annual report with the SEC. For public companies that are Accelerated Filers, including non-U.S. public companies that are Accelerated Filers, the Second Compliance Date by which they must comply with the internal control report requirement is the date that the company files its first annual report for fiscal years ending on or after June 15, 2004. For public companies that are not Accelerated Filers, the Second Compliance Date by which they must comply with the internal control report requirement is the date that the company files its first annual report for fiscal years ending on or after April 15 2005.

What Framework Should Management Adopt in Evaluating the Internal Control Over Financial Reporting?

Although the SEC has not mandated any particular framework for the evaluation of the effectiveness of the Internal Control Over Financial Reporting, the framework used must be free of bias, permit qualitative and quantitative measurements, be sufficiently complete to include factors that would alter a conclusion about the effectiveness, and be relevant to an evaluation of internal control.

What Must the Outside Accountant’s Attestation on Management’s Internal Control Report Include and What Accounting Standards Will Be Used For Such Attestation?

As previously noted, the June 5th Final Rules require each annual report to include an attestation by the company’s outside accountants in which the accounting firm expresses an opinion, or states that an opinion cannot be expressed and if not, why not, about management’s assessment of the effectiveness of the company’s Internal Control Over Financial Reporting in accordance with standards on attestation engagements. The Act requires the new Public Company Accounting Oversight Board to establish standards for these attestation reports.

Can Management Delegate the Evaluation of the Internal Control over Financial Reporting to the Company’s Outside Accountants?

Management cannot delegate the evaluation of the Internal Control Over Financial Reporting to the company’s outside accountants because under the SEC’s rules of auditor independence (see Carter Ledyard & Milburn’s LLP client advisory dated May 2003 on Audit Committee and Financial Reporting for U.S. and non-U.S companies under the Sarbanes Oxley Act), one of the prohibited non-audit services that an outside accountant may not provide to its audit client is the monitoring of internal controls. Nevertheless, because under Section 404 of the Act, the outside accountant must attest to the effectiveness of management’s evaluation of the internal controls, the outside accountant must be involved in the assessment. Accordingly, management must be actively involved in the evaluation of the internal controls by the outside accountants and coordinate the process with them.

Do the Periodic Report Certification Requirements and the Controls and Procedures Apply to Non U.S Public Companies and to Current Reports on Form 8-K, Proxy Materials and Information Statements?

It should be noted that the certification and Controls and Procedures apply to annual reports filed by Foreign Private issuers on Forms 20-F and 40-F. Although the certification is not required for reports of Foreign Private Issuers on Form 6-K, the Disclosure Controls and Procedures for generating a 6-K, especially those incorporating financial data, must be in place. These Controls and Procedures should be designed to ensure timely filing of Form 6-K reports via EDGAR (required since November 4, 2002) and to ensure that all information included in a Form 6-K is complete and accurate in all material respects.

Current reports such as reports on Forms 8-K, 6-K, proxy materials and information statements are not covered by the Section 302 certification requirement. Disclosure Controls and Procedures for these reports however, are required to be designed, maintained and evaluated to ensure full and timely disclosure even though there is no certification requirement. In this connection, companies should build in to their Disclosure Controls and Procedures the mechanisms necessary to allow them to comply with a proposed amendment of the SEC which would require them to report on Form 8-K, 22 categories of events within two days of their occurrence.

What is the Required Section 906 Certification Language Under the June 5th Final Rules?

The Section 902 certification language has not been amended by the June 5th Final Rules. However, as of the First Compliance Date, it must be “furnished” as an exhibit to the periodic report containing financial statements to which it relates rather than included in the report following the signature page as was the case prior to the June 5th Final Rules. A manually signed copy of the Section 906 certification must be maintained for a prescribed period of time. Because the Section 906 certification is “furnished” rather than “filed,” it will not subject the Company to liability under Section 18 of the Exchange Act for misleading statements nor will it be automatically incorporated by reference into a company’s registration statements under the Securities Act. The CEO and the CFO may sign a single Section 906 certification.

Pursuant to SEC interim guidelines on Section 906 Certifications and in advance of the June 5th Final Rules, the SEC encouraged companies to submit the Section 906 certifications as an Additional Exhibit to the periodic reports under Item 99 of Item 601(b) of Regulation S-K. Companies will be able to continue the use of Exhibit 99 for this purpose until the SEC announces that the EDGAR system allows registrants to file or furnish Section 302 and Section 906 certifications as Exhibits 31 and 32.

Are There Any Practical Differences Between the Section 302 Certification and the Section 906 Certification Requirements?

Unlike the Section 302 certification, the Section 906 certification is required in periodic reports that contain financial statements. Therefore amendments to periodic reports that do not contain financial statements would not require a new Section 906 certification but would require a new Section 302 certification to be filed with the Amendment. Moreover, unlike the Section 302 certification which require a separate certification for each of the chief executive officer and the chief financial officer, the Section 906 certification may take the form of a single statement signed by the Chief Executive and the Chief Financial Officer.

Do the Section 906 Certification Requirements Apply to Current Reports on Forms 8-K and 6-K?

In the SEC’s proposing release relating to certification amendments, the SEC stated that the Section 906 certification does not apply to Forms 8-K and 6-K because these reports are not periodic reports. However, in the June 5th Final Rules, the SEC noted the statement regarding Section 906 certifications introduced by Senator Joseph Biden into the Congressional Record on April 11th, 2003 which takes the position that Section 906 was intended to apply to any financial statement filed by a public company, not only to reports on Forms 10-K and 10-Q, but also financial statements in current reports on Forms 6-K and Form 8-K (in connection with significant acquisitions) and annual reports of certain benefit plans on Forms 11-K. The SEC stated that it is concerned about subjecting reports on Forms 8-K, 6-K and 11k to the Section 906 certification requirements and is considering the issue together with the Justice Department. Pending such clarification, the SEC Staff has informally advised law firms requesting telephone clarification that Forms 11-K should be accompanied by Section 906 certifications. Pending such clarification, law firms are taking the position that until the SEC advises to the contrary, the Section 906 certification requirements do not apply to reports on Forms 6-K and 8-K.



Exhibit A

(Bold Language may be omitted from the certification until the Second Compliance Date)


I [identify the Certifying individuals]

“1. I have reviewed this [specify report] of [identify company].

2. Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;

3. Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;

4. The registrant's other certifying officers and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the registrant and we have:

a) designed such disclosure controls and procedures or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;

b) designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;

c) evaluated the effectiveness of the registrant's disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and

d) disclosed in this report any change in the registrant’s internal control over financial reporting that occurred during the registrant’s most recent fiscal quarter (or the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the company’s internal control over financial reporting

5. The registrant's other certifying officers and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant's auditors and the audit committee of registrant's board of directors (or persons performing the equivalent functions):

a) all significant deficiencies and material weaknesses in the design or operation of internal control over financing reporting which are reasonably likely to adversely affect the registrant's ability to record, process, summarize and report financial information and;

b) any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control over financial reporting.

Date:

__________________

Signature

Title”

Carter Ledyard & Milburn LLP uses Client Advisories to inform clients and other interested parties of noteworthy issues, decisions and legislation which may affect them or their businesses. A Client Advisory does not constitute legal advice or an opinion. This document was not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. © 2017 Carter Ledyard & Milburn LLP.
© Copyright 2003

Related practice areas:


© Copyright 2017 Carter Ledyard & Milburn LLP