#31 | Part 1 SOX 302 Certification Set-up

Today, we are going to talk about the SOX 302 certification process and how to set it up. Once we have an overview of the SOX requirements, we can focus on building a scalable 302 certification process. In this series, we go through the 4 steps for doing it in practice. We'll also cover some tips on how to automate parts of the process.

In part 1, we answer the following questions:

I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.

What are the SOX 302 requirements?

One requirement is that the CEO and CFO evaluate the design and operational effectiveness of disclosure controls over financial reporting on a quarterly basis. Disclosure controls include internal controls over financial statements. Once they've assessed disclosure controls over financial reporting and have found that they operate effectively, they sign a certification letter in the 10Q or the 10K. This happens like clockwork every quarter.

Below is an example of a certification of the chief executive officer, which is available to the public. Everything in the certification letter can be found on the web. In any 10K or 10Q that you open, you should be able to find it among the various exhibits. None of the sentences in the certification should be changed. It is a standard form that the SEC requires.

Fig. 1 – example of Sarbanes Oxley 302 signed certificate

What does the SOX 302 certification set-up process look like?

If you are implementing a 302 certification process for the first time, we suggest that you break it down into 4 basic steps. Step 1 is to define and plan.  Step 2 is design and train. Step 3 is delivering the certifications. Step 4 is documenting the results.

Fig. 2 – Sarbanes Oxley 302 certification

Step 1: Define and Plan

Fig. 3 – SOX 302 Step 1 Define and Plan

In Step 1, we've laid out the specific tasks, the output and even the time that is required. Note that the time required is the minimum. We could actually do a lot of this in a day if we were focused and had all the right people in place. Usually, it takes about a week because we have to talk to certain people and think through certain consequences.

The first step is to identify the key stakeholders to involve. The key stakeholders are a combination of the people who are going to be signing the certifications, the people who are going to be administering the process, and the disclosure committee that you have to report to.

Next up is identifying the certifiers. Remember, the requirement is for the CEO and the CFO to be involved in this process. Usually, what they want is to make sure that the people who are supporting them are telling them everything they need to know in order to disclose. This means that you have to identify these people during the planning process.

You also want to build out an annual and a quarterly schedule of when to do the various tasks. Next is to assign roles and responsibilities. Who's going to do certain things, and when? This will ensure that you have clean handoffs and things don't fall through the cracks. This will be based on the roles and responsibilities of each person. You should also create a timeline for the project.

As a result of each of the activities in Step 1, you will have:

  1. certification process overview
  2. project timeline
  3. list of the certifiers and
  4. a memo explaining the rationale for selecting certifiers

Who owns the 302 certification process?

The answer is the Finance or Legal department. We suggest that Legal lead, with strong support or administration by the Finance team. This is so that we have attorney-client privilege in case a messy issue comes up in the certification process or in the responses. If Legal leads this process and runs it, someone from Finance should read the responses for accounting implications like revenue commitments or accruals and disclosures. If Finance runs the process, someone from Legal should read through the responses for the legal implications and regulatory requirements.


To recap, in Part 1, we answer the following questions:
