Regulatory SOX sign-offs - Sub-Certifications Sign-Offs



  • The sub-certifications also help to reinforce the control ownership mentality at the lower levels of the organization. Too often, people look to someone else as the responsible party when something goes wrong. Having process owners certify that the controls that they are responsible for are working effectively brings the onus of responsibility back to them.



  • Absolutely Kymike.
    Sub certification by Control Owners (apt because a process may have any control owners) can pin them for performance of the control.
    It is a pity that one of the Big Four Managers, just the day before yesterday in our SOX 2006 planning meeting, emphatically stated that sub certification is not a 302 requirement. I had to justify my stand in front of 10 people who initially accepted this manager’s contention as sacrosanct and eventually, he had to toe my line.
    Sub certification and CSA are emerging tools ensuring achievement of SOX compliance.



  • Sub-certification is not a requirement of section 302. It is one of many ways for management to get comfortable that controls have not changed and are still effective at quarter end.



  • I thought Milan has done his research (as he mentioned in his reply) to come to a conclusion that sub certification is a 302 requirement. I think that I have to research PCAOB material to get a confirmation whether sub certification is a 302 requirement. I think I have read sub certification being of 302 implication in one of Peekaboo’s publications. Well, I had explained the reason of sub certification being very pivotal for 302 compliance.



  • Chhaava,
    The PCAOB sets the rules for the independent auditors. The SEC sets the rules for management reporting. You will not find anything in the PCAOB rules that govern management’s efforts, though you may find some items where the PCAOB is setting expectations of management for purposes of guiding the auditors.
    I do not believe that there are any rules related to quarterly certification other than those included in the original act. This only requires the certification of the CEO and CFO (or those acting in that capacity) to certify the controls each quarter.
    When you search for ‘302’ and ‘sub-certification’ on the web, you will find several SOX solution-providers who have designed their software to have workflow allowing for the sub-certification of controls on a quarterly basis as one way of assisting management in getting comfortable with the controls for their certification.
    If you find anything that formally requires any sub-certifications, please let us know.



  • Kymike
    I will unless Milan finds the answer.
    Best regards



  • Or maybe another way of looking at this is that SOX 302 requires CEO/CFO certifications and they describe the specifics of what’s needed for signoff without the specific methodologies to get there.
    The PCAOB approach of using sub-certifications is just one of many approaches in the toolset to achieve SOX 302 compliancy. Still it’s a very good tool and best practice for creating ownership, accountability, and responsibilities in key areas of the company, as the experts here have shared 🙂



  • Thank you. The information provided was very useful.



  • I understand that while the CEO and CFO are the top level sign-offs, there are sub-certification positions that are required to sign-off as well.
    The questions I have:

    1. what are sub-certifiers signing for?
    2. what are the sub-certifiers’ accountabilities?
    3. what are the sub-certifiers’ responsibilities?
    4. Are the sub-certifiers at the VP and Director levels?



  • All,
    The source of information in my reply was obtained from a document that was developed by Microsoft in response to SOX and the need for 302 certification and sub-certification functionality in Microsoft Office Solutions Accelerator for Sarbanes Oxley. Specifically, the document was intended to address 302 Quarterly Review Configuration Practices in the product.
    When the document was published, 6/1/04, SOX compliance requirements were not yet clearly defined or accepted through industry practices…not that they are now, but that’s another issue altogether.
    In short, the quick reply to the individual who posted the question on this Forum was made for the purpose of providing early feedback and directly answering his four questions (see above). Each of the questions was addressed in the reply.
    As with all feedback, it is always a good idea to corroborate compliance initiatives with actual industry practices and guidance from the appropriate regulatory bodies for greater assurance.
    Kind Regards,
    Milan
    The following is an extract from the document referenced above:
    Microsoft Solution Accelerator for Sarbanes Oxley
    302 Quarterly Review Configuration Practices
    This document is provided in response to various requests around how the accelerator might be used to automate various Sarbanes Oxley related scenarios. The following example is provided for consideration but should not be considered as guidance or a recommendation. XYZ Inc. and the author do not provide compliance guidance or interpretation of Sarbanes Oxley regulations.
    Guidance of this nature is available from the SEC, PCAOB, various audit firms and other resources. Please consult with proper authorities in order to ensure proper compliance.


  • As I mentioned earlier, sub certification can be safely considered an industry practice, as I have been hearing from many peers about the implementation of sub certification.

