In a nutshell, SOX 302 requires that your CEO and CFO attest to the accuracy and completeness of your financial statements. To execute that responsibility, companies often form a Disclosure Committee to assist in gathering information, reviewing reports, and ensuring internal controls are in place.
Keep reading below for more information on what SOX 302 requires and how Disclosure Committees operate.
What is Section 302 CEO, CFO certification?
SOX Section 302 requires management to evaluate quarterly the design and operational effectiveness of disclosure controls (including internal controls) and procedures. The CEO and CFO sign a certification in the 10Q or 10K related to internal controls.
Who owns the SOX 302 certification process?
Typically Legal or Finance owns the SOX 302 certification process, including setting it up and running it. We suggest that Legal lead, with strong support or administration from Finance, so that you have attorney-client privilege in case the certification responses include a slimy mess that requires legal protection.
If Legal runs the process, someone from Finance should read the responses for accounting implications (e.g. revenue commitments or accruals). If Finance runs the process, someone from Legal should read through the responses for legal implications and potential disclosures.
What are the responsibilities of the Disclosure Committee?
Now that you are a public company, SOX compliance becomes relevant for you immediately, starting with Section 302. Forming a Disclosure Committee will be important to ensure these requirements are met.
The SEC recommends putting a Disclosure Committee in place (it is not required, but we highly recommend it).
The key responsibilities of the Disclosure Committee are to:
1. Collect information for financial disclosure completeness
2. Review draft financial statements (10K and 10Q)
3. Review draft press release for accuracy and completeness, specifically noting if anything is omitted that might be of interest to an investor, e.g. potential lawsuits, complexities, risk factors, cyber-security breaches, or other types of developments.
4. Ensure that disclosure controls are designed and executed
How often should the Disclosure Committee meet?
A Disclosure Committee will meet at least once a quarter (before filing a 10K or 10Q).
Typically, the Disclosure Committee will meet between 30-40 days after the end of the quarter. Since you have 45 days after the end of the quarter to file your 10Q or 10K, this gives the committee time to meet before your statements are filed. Some committees meet a second time, or coordinate after the first meeting, to review and finalize any changes just before the statements are filed.
What are Disclosure Committee best practices?
1. Include the right people
2. Implement the right process – be consistent
Right process includes:
1. Govern by formal charter – define the committee's purpose and responsibilities
2. Establish meeting timeline – consistency aids in coordination
3. Establish agenda – ensure you address what is required at each meeting
4. Prepare before meeting – do your homework
5. Hold the meeting and have robust discussion – consider topics you might want to disclose to a potential investor (risk factors, potential liabilities, potential lawsuits, etc.)
6. Validate and review financial disclosures for completeness and accuracy
When should I start the sub-certification process?
At least one quarter before you are public. It gives you time to communicate and educate the whole company about the process. Remember that many of your employees have not been through this process and will have questions. We recommend you do a practice run to work out the kinks.
Immediately after you are public with so many first-time deadlines, do you really need another task that could go wrong?
Here is a suggested timeline for implementing the sub-certification process:
Who should I include in the certification process?
The short answer is everyone who is necessary for your CEO and CFO to feel comfortable signing their quarterly certification, especially Sales and Finance. How deep down the organization you certify depends on employee roles and responsibilities in your company. Some employees have innocent-sounding roles like “Sales Operations” and run an empire because they are a communication hub.
Depending on the organization and your business, certifications could include Facilities and IT (e.g. major data center or real estate construction commitments).
Look at your organization chart and build a rationale for the roles or responsibilities to include/exclude. You will want to document this rationale so that as the company quickly grows, you can re-visit it.
Who should be on the Disclosure Committee?
Members will come from management, not the Board of Directors or Audit Committee. Include at least one member from Legal and one from Finance on the Disclosure Committee. Depending on your business, you may include the COO or CTO.
Typically, the Disclosure Committee includes:
• CEO (optional)
• CFO
• General Counsel or Chief Legal Officer
• Controller
• VP Finance
• External or Technical Reporting Lead (the accounting manager who is drafting the 10K and 10Q reports, a.k.a. "SEC Reporting" observer)
• Investor Relations (IR) – an observer of the messaging is important
• Chief Security Officer (CSO) or Chief Information Security Officer (CISO) - now that so many people are working remotely there is heightened interest in disclosures that address cyber-security (hacks, data breaches, etc.). The SEC has issued guidance on this as to what needs to be disclosed pertaining to cyber-security, specifically related to how it affects vendors, customers, the company, and employees.
How do I build a scalable sub-certification process?
Use an electronic signature tool like DocuSign. We have come out of the Dark Ages into the Mobile Age. Emailing Word documents for employees to print, sign, scan and email/fax back is so inefficient.
As the company grows, the number of employees certifying will increase and email will not scale. For $20-$50 per month, DocuSign is cheap, easy, and mobile-device enabled which will increase your response rate. In three or four easy clicks you can have a PDF copy of the certification for your files and for the employee.
DocuSign has “widgets” so that you can customize your response forms for employees to add comments. Tracking responses (or non-response) also is easier with a tool.
Here are the steps to set up a 302 process:
• Identify key stakeholders to involve
• Identify certifiers by function, role, or location
• Define annual and quarterly schedule
• Assign roles and responsibilities

• Certification process overview
• Project timeline

• Draft Disclosure Committee Charter
• Draft Disclosure Committee meeting agenda
• Draft related party questionnaire
• Set up eSignature account
• Prepare certification letters
• Collect certifier distribution list
• Set up tracking spreadsheet
• Set up reminder notifications
• Prepare training session with certifiers
• Prepare reporting template

• Disclosure Committee Charter
• Disclosure Committee Agenda
• Related party questionnaire
• Certification letters
• Tracking log template
• Training presentation
Why is the Disclosure Committee important in a de-SPAC?
As an operating company, when you merge with a public company (your SPAC), you are now the public company and SOX compliance becomes relevant for you immediately, starting with Section 302. Forming a Disclosure Committee is important to ensure these requirements are met.
Section 302 has requirements for effective disclosure controls to ensure accurate, complete, and timely disclosure of your financial information in your 10K and 10Q as filed with the SEC.
The SEC recommends putting a Disclosure Committee in place (it is not required, but we highly recommend it).
Section 906 of the law provides for criminal and civil penalties if you knowingly have false information in your 10K or 10Q report (you could go to jail).
When should you set up the Disclosure Committee in a de-SPAC?
1. Right after the merger is approved, or, even better,
2. After the de-SPAC occurred
You will need to be ready for your first 10Q or 10K filing. The sooner you set up the Disclosure Committee the sooner you can begin to build the muscle memory of the sequence of events that needs to happen. You only have 45 days after a quarter-end to file your 10Q and only a certain number of days to file your 10K at year-end.
After a de-SPAC, who is on the Disclosure Committee?
The membership of the Disclosure Committee after a de-SPAC will be much the same as any other Disclosure Committee; however, you will want to include a member of management from the SPAC (sponsor organization). After the de-SPAC process, this person can be helpful during the first several quarters to address any complexities or potential liabilities.
SOX 302 – as stated in the Sarbanes-Oxley Act
Sometimes there is no substitute for reading the original language of a law/act. Here is the official language for SOX 302.
a. Regulations Required. The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934, that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that--
1. the signing officer has reviewed the report;
2. based on the officer's knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
3. based on such officer's knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report;
4. the signing officers--
A. are responsible for establishing and maintaining internal controls;
B. have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
C. have evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report; and
D. have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
5. the signing officers have disclosed to the issuer's auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function)--
A. all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer's ability to record, process, summarize, and report financial data and have identified for the issuer's auditors any material weaknesses in internal controls; and
B. any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls; and
6. the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
b. Foreign Reincorporations Have No Effect. Nothing in this section 302 shall be interpreted or applied in any way to allow any issuer to lessen the legal force of the statement required under this section 302, by an issuer having reincorporated or having engaged in any other transaction that resulted in the transfer of the corporate domicile or offices of the issuer from inside the United States to outside of the United States.