• Section 404 Internal Controls and Section 302/906 Certifications: SEC Adopts Final Rules
  • June 10, 2003
  • Law Firm: Perkins Coie LLP - Seattle Office
  • The Securities and Exchange Commission (SEC) voted at its open meeting on Tuesday to adopt final "internal control" rules implementing Section 404 of the Sarbanes-Oxley Act. The SEC also voted to adopt final rules regarding Section 302 and 906 certification of disclosures in periodic reports.

    The SEC's latest word on these issues comes from its May 27, 2003 open meeting (http://www.sec.gov/news/openmeetings.shtml) and its related press release (http://www.sec.gov/news/press/2003-66.htm). Please watch for our more detailed Update after the SEC has published its adopting release.

    Internal Controls: Key Elements of the Final Rules

    We take away the following five key elements from the SEC's final rules regarding internal controls:

    1. Extended Compliance Deadline. The SEC has extended the compliance deadline for management's report on internal control over financial reporting. Accelerated filers will be required to comply with these requirements for fiscal years ending on or after June 15, 2004, and all other issuers (including small business issuers and foreign private issuers) will be required to comply for fiscal years ending on or after April 15, 2005. For calendar-year accelerated filers, this effectively represents a one-year extension. The first filing that will be required to include management's internal control report will be the Form 10-K filed in 2005 for a calendar-year accelerated filer and the Form 10-K filed in 2006 for all other calendar-year issuers.

    2. Contents of Management's Internal Control Report. Management's internal control report included in annual reports will be required to contain:

    • a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting;

    • a statement identifying the framework management used to evaluate the effectiveness of this internal control;

    • management's assessment of the effectiveness of this internal control as of the end of the most recent fiscal year; and

    • a statement that its independent auditor has issued an attestation report on management's assessment.

    3. COSO as Evaluation Framework Standard. The evaluation "framework" required to be identified in management's internal control report must be a suitable, recognized control framework established by a body that has followed due-process procedures, including the broad distribution of the framework for public comment. The SEC stated in its open meeting that the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an example of a framework that would comply with this requirement. COSO may represent the only realistic standard currently available, and many companies are already using COSO as their framework. For additional information regarding the COSO standard, please see http://www.coso.org/Publications/NCFFR_Part_1.htm.

    4. One "Material Weakness" May Prevent "Effectiveness" Conclusion. Management's report will be required to disclose any material weakness and management may not conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses in the internal control. We expect the SEC's adopting release to provide that in certain circumstances a series of weaknesses that are individually immaterial may, in the aggregate, be deemed a material weakness.

    5. Quarterly Evaluation Only of Material Changes. Companies will be required to perform quarterly evaluations of changes that have materially affected or are reasonably likely to materially affect the company's internal control over financial reporting. This represents a departure from the SEC's proposed rules, which required a quarterly evaluation of internal controls.

    Section 302 and Section 906 Certifications: Key Elements of the Final Rules

    The three key elements of the SEC's final rules regarding Section 302 and Section 906 certifications are:

    1. Section 302/906 Certifications as Exhibits. The final rules will amend the exhibit requirements for periodic reports to add the certifications required by Sections 302 and 906 of the Sarbanes-Oxley Act, and generally will become effective 60 days after their publication in the Federal Register. This new requirement is most significant for Section 302 certifications, which were previously required to appear immediately after the signature blocks of the periodic report.

    2. Section 906 Certifications Can Be "Furnished" Rather Than "Filed". Companies will be permitted to "furnish" rather than "file" Section 906 certifications with the SEC (as a result, the certifications will not be subject to liability under Section 18 of the Exchange Act and will not be incorporated by reference in Securities Act registration statements).

    3. Form 11-K Likely Requires a Section 906 Certification. The open meeting revealed that the SEC and U.S. Department of Justice (DOJ) are currently discussing whether Section 906 certifications should extend beyond quarterly and annual reports. The SEC stated that the SEC and DOJ are "tending to a conclusion that [Form 11-K] may/should be properly covered [by the Section 906 certification requirement]." We believe it is unlikely that the SEC and DOJ will reach a different conclusion before the Form 11-K filing deadline at the end of June for calendar-year plans (for those unfamiliar with Form 11-K, it is the annual report for employee benefits plans where interests in the plans are required to be registered on Form S-8). Therefore, we believe it would be prudent for companies to plan to provide Section 906 certifications in connection with filing Form 11-K. The question then becomes: who should make the Section 906 certifications? Section 906 certifications must be made by the CEO and CFO of the issuer, but the "issuer" for purposes of Form 11-K is the plan and, of course, plans have no CEO or CFO. Since the boards of many companies have delegated the authority and fiduciary responsibility to oversee plans to an employee benefits committee composed of officers, an argument can be made that the chair of this committee should make the certification. Some companies are in fact doing this. Many companies, however, are having the CEO and CFO make the certifications. We currently believe that the latter approach, perhaps with subcertification by the appropriate officer, is the better one.

    Additional Information on the Final Rules

    This Update is intended only as a summary of the final rules the SEC voted to adopt. You can find the full text of the final rules on the SEC's Web site (http://www.sec.gov/rules/final.shtml) once they become available.