Regulatory SOX sign-offs - Sub-Certifications Sign-Offs 1468

  • I understand that while the CEO and CFO are the top level sign-offs , there are sub-certification positions that are required to sign-off as well.
    The questions I have:

    1. what are sub-certifiers signing for?
    2. what are the sub-certiofiers’ accountabilities?
    3. what are the sub-cerifiers’ responsibilities?
    4. Are the sub-certifiers at the VP and Director levels?

  • Hi and welcome to the forums 🙂 I did a quick Internet search on ‘SOX subcertifications’ and found numerous articles, so that might also help you find more related items in your research.
    Subcertifications are signoffs many senior executives have asked their VPs or line managers for confirmations of financial accuracy and adherence to SOX guidelines for their specific areas.
    The following is an excerpt from one the links found in the search:
    A survey by the Association for Financial Professionals which reports that ‘approximately a third of corporate financial professionals are now being asked to subcertify data used in Securities and Exchange Commission (SEC) reports, as senior financial executives look for added Sarbanes-Oxley reporting assurances.’
    AFP survey reveals widespread practice of ‘subcertification.’’ The survey found the following areas were the most common areas where financial professionals were being asked to subcertify:

    • specific disclosures in Management’s Discussion and Analysis or footnotes
    • specific account balances
    • compliance with company policies and procedures
    • adequacy of internal controls in their department/area
    • compliance with company code of conduct

  • The Management Sub-certification process enables financial professionals within the organization other than the CEO and CFO to vouch for the ‘appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer.’
    Section 302 of the Sarbanes-Oxley Act of 2002 requires individual process owners to provide a quarterly sub-certification for their functional areas. Sub-certifications are then rolled-up throughout the organization and approved by managers at each business level.
    This could be performed in the following manner:
    Each process owner reviews the control evidence and evaluations which was documented as part of the 404 process. Upon completing a review, the process owner would add his or her signature to each individual control, process and/or sub process depending on the clients of standards requirements.
    IT and Sub-Certification
    The Chief Information Officer (CIO) is responsible for Sarbanes-Oxley compliance for the IT function. He or she prepares Section 302 and Section 404 sub-certifications for IT and reviews them with the Disclosure Committee.
    The Disclosure Committee includes the Senior Vice President and Controller, the Vice President and Assistant Controller, the Vice President of Audit Services, the Vice President of Investor Relations, and two representatives of the Corporate Legal Department.
    The Disclosure Committee then presents these sub-certifications to the CFO and the CEO.
    Internal controls to be assessed included:
    Company (entity) level controls,
    IT Database and operating systems,
    Application control, and
    General controls.
    Hope this further helps,

  • The sub-certifications also help to reinforce the control ownership mentality at the lower levels of the organization. Too often, people look to someone else as the responsible party when something goes wrong. Having process owners certify that the controls that they are responsible for are working effectively brings the onus of responsibility back to them.

  • Absolutely Kymike.
    Sub certification by Control Owners(apt because a process may have any control owners) can pin them for performance of the control.
    It is a pity that one of the Big Four Managers, just day before yesterday in our SOX 2006 planning meeting emphatically stated that sub certification is not a 302 requirement. I had to justify my stand in front of 10 people who initially accepted this manager’s contention as sacrosanct and eventually, he had to toe my line.
    Sub certification and CSA are emerging tools ensuring achievement of SOX compliance.

  • Sub-certification is not a requirement of section 302. It is one of many ways for management to get comfortable that controls have not changed and are still effective at quarter end.

  • I thought Milan has done his research (as he mentioned in his reply) to come to a conclusion that sub certification is a 302 requirement. I think that I have to research PCAOB material to get a confirmation whether sub certification is a 302 requirment. I think I have read sub certification being of 302 implication in one of Peekaboo’s publication. Well, I had explained the reason of sub certification being very pivotal for 302 compliance.

  • Chhaava,
    The PCAOB sets the rules for the independent auditors. The SEC sets the rules for management reporting. You will not find anything in the PCAOB rules that govern management’s efforts, though you may find some items where the PCAOB is setting expectations of management for purposes of guiding the auditors.
    I do not believe that there are any rules related to quarterly certification other than those included in the original act. This only requires the certification of the CEO and CFO (or those acting in that capacity) to certify the controls each quarter.
    When you search for ‘302’ and ‘sub-certification’ on the web, you will find several SOX solution-providers who have designed their software to have workflow allowing for the sub-certification of controls on a quarterly basis as one way of assisting management in getting comfortable with the controls for their certification.
    If you find anything that formally requires any sub-certifications, please let us know.

  • Kymike
    I will unless Milan finds the answer.
    Best regards

  • Or maybe another way of looking at this is that SOX 302 requires CEO/CFO certifications and they decribe the specifics of what’s needed for signoff without the specific methodologies to get there.
    The PSAOB approach of using sub-certifications is just one of many approaches in the toolset to achieve SOX 302 compliancy. Still it’s a very good tool and best practice for creating ownership, accountability, and responsibilities in key areas of the company, as the experts here have shared 🙂

  • Thank you. The information provided was very useful.

  • I understand that while the CEO and CFO are the top level sign-offs , there are sub-certification positions that are required to sign-off as well.
    The questions I have:

    1. what are sub-certifiers signing for?
    2. what are the sub-certiofiers’ accountabilities?
    3. what are the sub-cerifiers’ responsibilities?
    4. Are the sub-certifiers at the VP and Director levels?
      The source of information in my reply was obtained from a document that was developed by Microsoft in response to SOX and the need for 302 certification and sub-certification functionality in Microsoft Office Solutions Accelerator for Sarbanes Oxley. Specifically, the document was intended to address 302 Quarterly Review Configuration Practices in the product.
      When the document was published, 6/1/04, SOX compliance requirements were not yet clearly defined or accepted through industry practices…not that they are now, but that’s another issue altogether.
      In short, the quick reply to the individual who posted the question on this Forum was made for the purpose of providing early feedback and directly answering his four questions (see above). Each of the questions was addressed in the reply.
      As with all feedback, it is always a good idea to corraborate compliance initiatives with actual industry practices and guidance from the appropriate regulatory bodies for greater assurance.
      Kind Regards,
      The following is an extract from the document referenced above:
      Microsoft Solution Accelerator for Sarbanes Oxley
      302 Quarterly Review Configuration Practices
      This document is provided in response to various requests around how the accelerator might be used to automate various Sarbanes Oxley related scenarios. The following example is provided for consideration but should not be considered as guidance or a recommendation. XYZ Inc. and the author do not provide compliance guidance or interpretation of Sarbanes Oxley regulations.
      Guidance of this nature is available from the SEC, PCAOB, various audit firms and other resources. Please consult with proper authorities in order to ensure proper compliance.

  • As I mentioned earlier sub certification can be safely considered an industry practice. As I have been hearing from many peers about the implementation of sub certification.

Log in to reply