The Sarbanes-Oxley Certification Requirement: Analyzing the Comments
By Aamer Sheikh and Wanda A. Wallace
NOVEMBER 2005, SPECIAL ISSUE
The provision of the Sarbanes-Oxley Act (SOA) that chief
executive officers (CEO) and chief financial officers (CFO)
make certain certifications regarding financial and other
information in their companies’ annual and quarterly
reports has changed the management of both public companies
and their auditors. On August 30, 2002, the SEC issued the
Final Rule implementing the provisions of SOA section 302,
adding Rule 13a-14 and Rule 15d-14. The SEC’s summary
explains as follows:
As
directed by Section 302(a) of the Sarbanes-Oxley Act of
2002, we are adopting rules to require an issuer’s
principal executive and financial officers each to certify
the financial and other information contained in the issuer’s
quarterly and annual reports. …[W]e are adopting
previously proposed rules to require issuers to maintain,
and regularly evaluate the effectiveness of, disclosure
controls and procedures designed to ensure that the information
required in reports filed under the Securities Exchange
Act of 1934 is recorded, processed, summarized and reported
on a timely basis.
The
SEC invited comments to these new requirements. The authors
examined the contents of 91 electronic comment letters the
SEC received, in order to provide a broad perspective on
how market participants view the new certification requirements.
(For comparison, a total of 167 comment letters were posted
for S74002; the number of comments received for other proposals
can be found at www.sec.gov.)
Over
46% of the letters received by the SEC were written by individual
investors. Somewhat surprisingly, only 1% of the letters
were written by CEOs. Lawyers and bar associations represented
23%; general counsel likely represent preparers, while outside
securities lawyers and bar associations could focus on either
preparers’ or investors’ perspectives. Another
15% of the comments came from financial entities such as
exchanges, insurers, analysts, and bankers, while 4% were
from other diverse firms, including a corporate governance
consultancy in Europe. CFOs and controllers represented
6% of respondents, while comments from the Big Four and
the Institute of Internal Auditors represented 5%.
Certain
general themes were evident from the letters. The most popular
themes were “supportive,” “duplicative”
(because signatures already appear in SEC filings), “clarification
needed on certification,” “practicality challenged,”
and “transition period needed.”
Respondents
pointed out that because the new signatures were to connote
a certification, some clarification of the purpose of prior
signatures (and their possible elimination) would be preferred.
Whether a CEO and a CFO would practically be able to provide
the assurance implied by the certification was challenged,
as was the ability for “instantaneous” compliance
of a meaningful nature. Commentators noted that other information
is often furnished and is not a part of management’s
information base. (This includes interim reports by foreign
issuers, and respondents indicated that these should not
be subject to CEO and CFO certifications any more than would
benchmarks regarding general market movements.) Commentators
asked that certification be required only for items under
the direct or indirect control of the certifying officers
or of the disclosure committees that they supervise.
Questions
were raised as to the duties of inquiry and whether the
operative standard is actual knowledge. As an example, one
commentator stated that confusion exists and that Congressional
intent was not to change existing law in the area to require
the principal executive officer and financial officer of
every public company to review, investigate, and concur
with all disclosure decisions made by their company. The
commentator asserted that this would be practically impossible
at larger companies, requiring such an inordinate amount
of time as to take officers away from other pressing matters.
Interpretive Analysis
Too
many certifications. One general theme found
in the comment letters was the question of what the distinction
between previously signed filings and the new certifications
required by the CEO and the CFO was intended to be. For
example, if numerous officers’ signatures appear within
filings and mean different things, will that not be confusing
and potentially misleading to users of those filings? To
clarify what is to be signed and for what purpose, could
filings begin with a header clearly describing the setting
and requirements? If a company judged others to be integrally
involved in the design and implementation of its control
structure, could other voluntary certifications be offered?
Would the language of the certification be flexible and
permit adaptation to special circumstances and other involved
parties? When decentralized or shared authority exists,
should the certifications reflect this concept through different
signatories, in line with their respective responsibilities?
Does
the signatory have responsibility? Commentators
questioned what can reasonably be expected of the CEO and
the CFO. Attention was directed toward the normal involvement
of many individuals in the design, implementation, monitoring,
enhancement, and oversight of controls. Moreover, such structures
have evolved over time and often reflect extended historical
decision making about effective and efficient operations
and controls of economic activity. A current CEO or CFO
could not certify that he had personally designed the existing
controls, suggesting concern over precisely what the language
of the certification adjustment was to represent.
Acquisitions,
hostile takeovers, and changing relationships with subsidiary
companies can lead to big changes during a reporting period.
What due diligence would be necessary to place a CEO and
a CFO in a position that both could reasonably claim responsibility?
What if an officer changed companies? What due diligence
would be required for that individual to be in a position
of certifying the new employer’s filing? Or can it
be presumed that the new executive’s responsibility
begins only upon hiring?
Comment
letters mentioned the role of bankruptcy courts, particularly
when fraud has been alleged. Are there certain circumstances
in which an alternative certification should be sought,
such as through these courts? In a related vein, commentators
called for certifications by general counsel, and possibly
outside counsel, in light of their involvement in drafting
and approving securities filings. A commentator who had
previously served as in-house counsel for four public companies
asserted that Enron and other debacles would not have happened
without attorneys’ participation in structuring off–balance
sheet mechanisms that elevated form over substance.
Where
is the line drawn? A related issue noted by
commentators was whether a CEO or a CFO of certain types
of entities could reasonably opine about the entire control
structure associated with its transactions. For example,
if unaffiliated service providers were used, how could controls
over such outsourced activities be “certified”
by the customer of those services? Would reliance on auditors
of third-party service bureaus be a sufficient basis for
such certification? Or could the addition of a certification
that relied on no more than an auditor’s report appear
misleading, as though the oversight were similar to that
exercised over internal operations?
This
problem is more challenging for special-purpose entity (SPE)
financial instruments, as well as for the investment management
industry. The former often isolate certain cash-flow streams
with fiduciaries with contractual specification of controls
and property rights. In such cases, the scope of reporting
and control, as well as of management discretion, is intrinsically
narrowed by the special-purpose nature of the entity. Similarly,
the investment management industry contended that the decentralized
nature of funds, including their boards and managements,
often results in the use of third-party entities for numerous
operating responsibilities. The comment letters pointed
out that a CEO or CFO of a holding company could have 100
funds that, if subject to certification, would raise questions
of whether these individuals’ representations were
either suitable or feasible in relation to the objectives
of the certification.
Foreign
registrants. Just as some lobbyists called
for special-purpose entities, insurance annuity contracts,
and investment management companies to be excluded from
the certification requirement, many asked that foreign registrants
be excluded. Comment letters noted that precedent between
the International Organization of Securities Commissions
(IOSCO) and the SEC would suggest the usual recognition
of sovereignty and home country priority over U.S. requirements.
It was pointed out that because filings are in home-country
accounting and then reconciled to U.S. GAAP on an annual
basis, any other interim filings are incomplete, not reconciled,
and not even subject to signing as filings or submissions.
An
inattention to home rule creates threats of double jeopardy
(“ne bis in idem”; no one should be prosecuted
twice for the same offense) and of conflicting laws (Does
the registrant obey the home country guidance or U.S. guidance?),
and presumes a “one-size-fits-all” approach
to governance, reporting, and disclosure practices. Letters
expressed concern that information commonly filed in Form
6-Ks that are neither complete in reporting financial information
nor signed by the registrant might disappear. The uncertainty
of what to do with non-GAAP-reconciled filings when evaluating
their fairness of presentation was seen as a particular
challenge.
Some
lobbyists recognized that annual filings by foreign companies
that are reconciled to GAAP fall within the certification
provisions, and they objected only to extension beyond such
filings. Nonetheless, even in such cases, the SEC encourages
a substantial-equivalence test of home countries’
practices compared to U.S. promulgations, while providing
flexibility that accords attention to the trade-off between
costs and benefits and differing legal settings.
SOA
directly addressed a concern that U.S. companies are shifting
their home country abroad as a way to circumvent regulation.
The result was a two-pronged message: that U.S. regulators
sought a level playing field to deter a “rush to the
floor” of effective disclosure; and that companies
that have never been home-based in the United States were
not the intended audience. Letters observed that, had foreign
registrants imagined this kind of post-SOA regulatory move,
they might not have entered the U.S. markets; furthermore,
the proposed changes could be expected to deter future registration
by foreign companies. On October 16, 2002, Porsche announced
it had decided not to go forward on its intended listing
on the New York Stock Exchange due to SOA, and it explained
how, in particular, the certification provisions do not
match the legal requirements in Germany.
Some
observed that precedent merely discloses to U.S. investors
what is different in the home country compared to the U.S.,
including reconciliation to GAAP, and hence they argue that
a mere disclosure of what is or is not done in the home
country is sufficient to ensure informed markets. Lobbyists
went to some effort to describe the practices of Japan,
Germany, Switzerland, and the United Kingdom, in particular,
to illustrate how they approach similar concerns in diverse
ways that could lead to superior results. An interesting
point of divergence occurs in the definition of independence
and boards of directors: Certain countries require employee
representation on the board, and others have tiered boards
with one largely internal and the other external.
One
proposal was that independence should not be challenged
if one happened to be an employee of a company, as long
as the employee is not an executive. Both the United States
and other countries have struggled with the definition of
independence, the pros and cons of financial interests by
directors, the distinction between external and internal
as well as independent and nonindependent, and the definition
of so-called gray directors. The form of corporate governance
using audit committees, and the idea that all board members
are equally accountable from a legal perspective, both diverge
in corporate settings as one moves around the globe (detailed
in the Cadbury Report in 1987, and the attention to internal
control and bribery-associated legislation and guidance,
such as that involving the OECD in 1976 and United Nations’
General Assembly in 1978).
Too
little, too late. The comments above were
part of the call for more guidance and for the postponement
of requirements, enforcement, and formalization of final
regulations until certain definitions and protocols could
be well delineated. The blur across sections of the proposals;
the desirability of alignment of requirements aside from
whether they tie to criminal or civil sanctions; and the
clarification of fair, material, significant, and knowledge
criteria are examples of the guidance sought. Choices of
internal control definitions; the term to which reports
relate; questions of what are significant deficiencies;
and the ability to treat such problems confidentially with
the auditor and the audit committee were also cited. Whether
a CEO or a CFO could delegate communication responsibilities
with the board, rather than personally make such communication,
is another example of the queries raised by commentators.
The
lobbyists raised cost–benefit concerns about internal
control reporting, particularly as it related to interim
periods. It was suggested that annual reporting be required,
with interim updates on known significant changes, similar
to a note disclosure of a subsequent event. The potential
effects on small businesses were cited, along with a request
that requirements be deferred until larger companies had
established best practices. Yet another commentator argued
that all public companies should be required to certify,
lest investors only have comfort placing their money in
the entities so regulated.
Generally,
while increased guidance was sought by commentators, they
also held an attitude that prescription of a single approach
to designing or monitoring controls, without flexibility
to adapt to a particular setting, would be a mistake. A
genuine controversy also appears to exist as to the wisdom
or folly of certifying to fairness in the absence of a referent
such as generally accepted accounting principles. One point
of view was that the language would not fit, because both
financial and nonfinancial representations are of relevance.
Another point of view was that the proposed verbiage was
meaningless without some consistent basis for evaluation.
One respondent posed the question of what certification
means if it is merely fairness in the mind of the party
signing the statement, without any touchstone. The foreign
issuers noted that any language of fairness tied to accounting
principles should permit explicit mention of their home
country’s framework as distinct from GAAP—especially
for any sort of interim disclosures, which do not need to
be reconciled to GAAP.
Suggestions
for increased requirements. Some lobbyists
took the opportunity to suggest other requirements to be
imposed by the SEC. Examples include: requiring the signature
of general counsel and primary outside counsel; requiring
the signature of all audit committee members on the filings;
requiring that corporate officers and directors provide
30-day public notice in advance of the sale of stock or
the exercise of options; proscribing all corporate loans
to corporate officers; proscribing stock option compensation
and replacing it with restricted stock that cannot be sold
until six months after an executive leaves a corporation;
rescinding all stock sales by officers and directors that
occur in an earnings restatement period; requiring the compensation
committee of the board to retain independent outside counsel
to negotiate employees’ employment agreements; mandating
an internal audit department; and providing access to investors
to corporate tax filings with the IRS.
Some Consensus Among Auditors
Three
types of comments were shared by all of the Big
Four public accounting firms. The first was a recognition
that duplicate or overlapping legal requirements would result
from the proposal. Specifically, the CEO and the CFO were
viewed as already accountable, and sections 302 and 404
would need to be sorted out. The second was a call for clarification,
citing how section 302 signature and section 906 certification
labels needed to be set forth in the instructions. In particular,
respondents requested clarification with regard to application
to mutual funds and investment companies. The third called
for a clarification of the internal control time frame for
an effectiveness certification. A definition would be required,
with clarity as to what “within 90 days” meant;
for example, how it related to the 10-Q filed 45 days after
the quarter-end filing date. The first and third of these
comments were likewise expressed by the IIA.
A total
of 11 comments were identified from three of the Big Four
firms. They called for certifying only that which is in
direct or indirect control of certifying officers or of
the disclosure committee those officers supervise. There
was a concern that the purpose of other disclosures, such
as the fairness opinions of financial advisors, would be
undercut if the “ability to influence” criterion
was not invoked. The avoidance of double certifications
that could confuse users was another area of concern, as
were Rules 13a-14 and 15d-14. The burden derived from certification—considering
that over 100 reports must be filed with the SEC—was
cited, along with other impracticality considerations. The
effect of SOA sections 302 and 906 on executives was described
as likely to be devalued if a proliferation of certifications
were to result. The practical limits to verifying other
issuers’ data and meeting extremely short filing deadlines—particularly
with regard to Form 8-K—were highlighted. Commentators
requested transition periods to adopt those changes related
to corporate structure. Both phase-in and grandfathering
approaches were suggested, alongside time for definitions
of internal control intended to underlie certifications
and audits. A focus on substance rather than form when the
composition of an audit committee is evaluated was also
a concern.
Further
elaboration on information not provided by companies’
management was offered, such as shareholders’ proposals,
committee reports, and proxy contest–related information
of a personal nature. Commentators expressed concern as
to the form of non-GAAP disclosures and associated control
concepts, particularly as related to nonfinancial information.
Support was expressed for certification by both the CFO
and the CEO, if flexible and alternative wording was considered.
A call for certification by general counsel and by outside
counsel was likewise expressed. The comment letters asked
that “fairly presented” be defined relative
to GAAP rather than the judgment of the CEO or CFO, in order
to have a consistent standard with context. The letters
called for clarification of the concepts of both significant
deficiencies and material weaknesses, including whether
they were related to definitions under GAAS and what the
role of confidentiality would be.
Compared
to users’ views. The comments received
from the Association for Investment Management and Research
(AIMR; since renamed the CFA Institute) have little in common
with those received from the Big Four and the IIA, with
the exception of support for the certification process.
After providing a disclaimer that the letter solely described
the views of its standing committee, the AIMR letter expressed
support for an extension to “persons performing similar
functions.” It explained that, given multidivisional
companies with subsidiaries, a problem may arise when there
is neither a CEO nor a CFO who can sign and determine equivalence.
The AIMR urged that exemptions not be made, in particular
not for foreign companies. In a similar vein, the letter
expressed concern over U.S. corporations that have incorporated
overseas in an attempt to evade regulation, leading to a
race to the bottom. The message was that those benefiting
from investment markets should be required to adhere to
the rules of those markets.
Effective Date and Comment Letters
On
January 22, 2003, the SEC approved the adoption
of rule and form amendments that implemented the SOA section
302 certification requirement with respect to registered
management investment companies. The amendments require
mutual funds and other registered management investment
companies to file shareholder reports on Form N-CSR, and
they require each registered management investment company’s
principal executive and financial officers to certify the
information contained in these reports in the manner specified
by section 302. This addressed some scope-related concerns
found in the original comment letters. This is a circumstance
where users’ views appear to have been elevated over
preparers’ concerns.
In
March 2003, the SEC issued for comment another document
associated with certifications. The provisions are summarized
in the Exhibit.
The SEC responded to the comments relating to the duplicative
and clarification themes in the earlier comment letters,
as well as the filed-versus-furnished distinction. Generally,
the scope of the certification was described as broad, encompassing
foreign private issuers, small entities, asset-backed issuers,
and investment companies. Some flexibility was permitted
by allowing more than two individuals to sign the certification,
but the content of the certification itself remained unchanged.
The exemption sought by some preparers was generally set
aside in favor of users’ call for inclusion.
On
May 27, 2003, the SEC adopted rules requiring public companies
(other than investment companies) to include in their Form
10-K a report of management on the company’s internal
controls over financial reporting and an attestation report
of the independent auditor on management’s assessment
of the company’s internal controls. The SEC extended
the transition period from September 15, 2003, to fiscal
years ending on or after June 15, 2004, for accelerated
filers as defined under Exchange Act Rule 12-B2 (foreign
private issuers have rules effective for fiscal years ending
on or after April 15, 2005).
The
SEC has stated that the definition of “internal controls
and procedures for financial reporting” would be established
by the Public Company Accounting Oversight Board (PCAOB).
Management’s evaluation of the company’s internal
control is to be based on a uniform framework. CEOs and
CFOs will have to certify on a quarterly basis that they
have evaluated, as of the end of each fiscal quarter, whether
any change in the company’s internal control over
financial reporting occurred during such quarter that has
materially affected, or is reasonably likely to materially
affect, the company’s internal controls over financial
reporting. These developments suggest attention to commentators’
requests for extensions, clarification, and reduced scope
within quarterly reporting to a “change focus”
regarding controls. Most of these comments stemmed from
preparers and auditors rather than user groups. On March
9, 2004, Auditing Standard 2, An Audit of Internal Control
Over Financial Reporting Performed in Conjunction With an
Audit of Financial Statements, was approved by the
PCAOB. The approach is objectives-based rather than prescriptive,
and allows reliance on others where appropriate. Registered
investment companies, issuers of asset-backed securities,
and nonpublic companies are not subject to the reporting
requirements.
The
Sidebar
lists a number of open questions that could be addressed
by future experience and possible further revision to the
rules.
Observations
Participation
in standards-setting processes increasingly involves
individuals with an interest in the standards, and the legal
community. Many professional associations lobby on behalf
of their constituencies. The content of such letters varies
broadly, ranging from off-the-cuff e-mails to carefully
documented treatises. Often, the scope of a comment is limited
to particular facets of a proposal. The substantive input
received by the SEC regarding the new certification requirements
is impressive in posing questions on advisability, implementation,
and consequences.
Filers
continued to seek flexibility. The interpretive analyses
and open research questions point out mixed perceptions
as to the objectives of the regulations; whether they might
be achievable; their relative merit and feasibility; and
their intended and unintended consequences. Because standards
setters describe their attention to the merit of issues
raised by commentators, rather than either the incidence
or the source of such input, the relationship of individual
comment letters to regulatory revisions is not transparent
unless regulators themselves cite a particular letter.
Diversity
of opinion within and across groups of users, preparers,
and auditors is the norm. The authors have described here
only those broad patterns which suggest a revision that
addressed a prevalent concern or perspective of a preparer
or a user group. Commentators’ insights suggest a
plethora of unanswered questions and future research opportunities.
Some
of the commentators’ fears have been realized and
have been noted in media coverage. On March 21, 2005, Bloomberg
reported that 356 U.S. companies were late in filing annual
reports—three times as many as the prior year—with
at least half of the companies attributing the delay to
the SOA and the new certification requirements. An FEI survey
quantified the average cost of meeting Sarbanes-Oxley rules
in 2004 as $4.3 million. Respondents with over $5 billion
in sales spent an average of $10.5 million.
One
explanation for the SEC’s attention to mutual funds
in its revisions can be found in a speech by SEC Chairman
William H. Donaldson on March 4, 2005. He said that 61 mutual
fund–related cases had been brought by the SEC in
the past 18 months, with $1.4 billion in disgorgement and
$1 billion in penalties. He likewise discussed attorney
conduct as a high-profile consideration, an area of concern
also raised in some comment letters.
The
Wall Street Journal (January 30, 2005), in an article
by Peter Loftus titled “Davos: Heat of Sarbanes-Oxley
Is Felt in Cold Resort,” reported that non-U.S. executives
felt discouraged from selling shares on U.S. stock exchanges
and considered delisting, while noting that additional delays
in implementation were under consideration by the SEC. In
the June 24, 2004, testimony of Chairman William J. McDonough,
the PCAOB reported that securities of about 1,400 non-U.S.
public companies trade in U.S. securities markets. They
reported that 164 non-U.S. accounting firms have registered
with the PCAOB. IPOs numbered 406 in 2000, 68 in 2003, and
216 in 2004 (“New Stocks, Same Old Problems,”
by Gretchen Morgenson, New York Times, January
23, 2005). Entities going private have been observed anecdotally.
Delistings in 2003 were reported to be triple those in 2002
(“Corporations Protest Cost to Comply With Law, Sarbanes-Oxley,”
by Laura Smitherman, Baltimore Sun, March 15, 2005).
Rating
agencies, such as Fitch, have issued special reports on
how SOA affects credit policy. There were a reported 414
restatements in 2004, up from 323 in 2003, in part attributable
to SOA (“Restatements Up 28 Percent in 2004,”
by Carrie Johnson, Washingtonpost.com, January 20, 2005).
Corporate
boardrooms have been following the litigation and resulting
settlements in Enron and other corporate cases, especially
with regard to directors’ personal assets (“Ex-Enron
Directors Settle Suit for $168M,” by Carolyn Pritchard,
CBS MarketWatch.com, January 7, 2005). The Financial Services
Roundtable is seeking amendments to SOA, citing reports
that the law has cost $60 billion to implement. The group
cites anecdotes of “unhealthy” changes in corporate
behavior, including reduced risk-taking, product offerings,
and expansion (“Finance: Group Aims To Change Sarbanes-Oxley
Governance Law,” by Molly M. Peterson, Congress
Daily, February 2, 2005). A survey reported in BusinessWeek
(March 14, 2005) posed the question “Who wants to
be a CEO?” and noted that in 2001 only 27% replied
“not interested,” while in 2004 that number
had grown to 60%.
Aamer
Sheikh, PhD, CPA, CBM, ABA, is an assistant professor
of business administration in accounting, and Wanda
A. Wallace, PhD, CPA, CMA, CIA, is the John N. Dalton
Professor of Business, Emerita (author of Internal Control
Guide, 3rd Ed., CCH, 2005), both at the school of business
administration, the College of William and Mary, Williamsburg,
Va. The authors would like to acknowledge the research assistance
of Yindong Chen, a graduate student at the College of William
and Mary.