On August 28, 2002, the Securities and Exchange Commission released its final rules implementing the civil certification requirements mandated by Section 302 of the Sarbanes-Oxley Act of 2002. The rules are in effect now, and generally apply to all annual reports, quarterly reports and amendments to such reports filed with the SEC on or after August 29, 2002. (See SEC Release No. 33-8124, which you can access at http://www.sec.gov/rules/final/33-8124.htm.) The SEC’s rules go beyond the Sarbanes-Oxley Act’s requirements and include a new concept of “disclosure controls and procedures” that a company’s CEO and CFO must establish and oversee, and to which they must certify on a quarterly and annual basis.

These Section 302 civil certifications are in addition to the criminal certification requirements of Section 906 of the Sarbanes-Oxley Act, which we addressed in a prior memorandum entitled “Sarbanes-Oxley Act of 2002: What You Need to Know Now.” (For an electronic copy of this memorandum, visit our website at http://www.dorseylaw.com/, click on the link to “Firm News” and scroll down to “Corporate Advice Memos”).

The Section 302 Certifications

Required Language

The SEC’s Section 302 certification requirements are embodied in new rules 13a-14 and 15d-14 under the Securities Exchange Act of 1934. The rules require a company’s principal executive and financial officers to provide a certificate in the specific form designated by the SEC. (Attached as Exhibit A is a copy of the required language.) Each certification must be made separately by each principal executive and financial officer exactly as set forth in the Form for the report being filed. According to the SEC, “the wording of the required certification may not be changed in any respect (even if the change would appear to be inconsequential in nature).” In addition, each person required to give the Section 302 certification must personally sign the report. Signatures under a power of attorney are expressly prohibited.

Companies Subject to the Section 302 Certification Requirements

The Section 302 certification requirements apply to all companies that file quarterly and annual reports with the SEC under either Section 13(a) or 15(d) of the Exchange Act, including foreign private issuers, banks and savings associations and small business issuers. Issuers of asset-backed securities are also covered, although the SEC has provided separate guidance to these issuers based on their modified reporting obligations under the Exchange Act. (See Statement by the Staff of the Division of Corporation Finance of the Securities and Exchange Commission Regarding Compliance by Asset-Backed Issuers with Exchange Act Rules 13a-14 and 15d-14, dated August 27, 2002, which you can access at http://www.sec.gov/divisions/corpfin/8124cert.htm.)

Reports Subject to the Section 302 Certification Requirements

The certifications must be included in all annual reports on Forms 10-K, 10-KSB, 20-F and 40-F, in all quarterly reports on Forms 10-Q and 10-QSB and in all amendments to, and transition reports on, these forms. The SEC expressly stated that the certifications need not be included in any current reports, such as reports on Forms 6-K and 8-K. Therefore, foreign private issuers that report on Form 20-F or Form 40-F only need to include the Section 302 certifications in their annual reports on those forms. The SEC has requested comment on whether to extend the certification requirements to other documents filed under the Exchange Act, such as Forms 10 and 10-SB and definitive proxy and information statements.

Location of Section 302 Certifications

The SEC has amended its forms to provide for a designated “Certification” section underneath the “Signatures” section of each covered report.

The “Fair Presentation” Certification

As emphasized in the SEC’s release, the “fair presentation” certification covers more than just a company’s financial statements and footnote disclosure—it also covers “the other financial information included in the report,” including MD&A and selected financial data. In addition, the certification is not limited to compliance with generally accepted accounting principles. As the SEC stated in its release:

We believe that Congress intended this statement to provide assurances that the financial information disclosed in a report, viewed in its entirety, meets a standard of overall material accuracy and completeness that is broader than financial reporting requirements under generally accepted accounting principles. In our view, a “fair presentation” of an issuer’s financial condition, results of operations and cash flows encompasses the selection of appropriate accounting policies, disclosure of financial information that is informative and reasonably reflects the underlying transactions and events and the inclusion of any additional disclosure necessary to provide investors with a materially accurate and complete picture of an issuer’s financial condition, results of operations and cash flows.

Interaction With the Section 906 Certification

As previously noted, the Section 302 certifications are in addition to, and not in lieu of, the certifications required by Section 906 of the Sarbanes-Oxley Act which carry criminal sanctions for an officer who knowingly certifies a report that does not meet statutory standards. Therefore, each annual and quarterly report will include both the Section 302 and the Section 906 certifications. It has been reported that the SEC and the Department of Justice are discussing whether the Section 302 and the Section 906 certifications can be revised or combined in some way so as to eliminate the duplicative certifications. To date, however, no such action has been announced.

Disclosure Controls and Procedures

Establishment of Disclosure Controls and Procedures

Although not expressly mandated by the Sarbanes-Oxley Act, new rules 13a-15 and 15d-15 require reporting companies (including foreign private issuers, but excluding issuers of asset-backed securities) to establish and maintain “disclosure controls and procedures” designed to ensure that information which is required to be disclosed in annual and quarterly reports filed with the SEC is recorded, processed, summarized and reported within the time periods specified in the SEC’s rules and forms. As stated in the definition of “disclosure controls and procedures” in paragraph (c) of new rule 13a-14, disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed in annual and quarterly reports is accumulated and communicated to the company’s management, including its CEO and CFO, as appropriate to allow timely decisions regarding required disclosure.

The new rules do not require companies to implement any particular disclosure controls and procedures. Instead, each company must develop its own controls and procedures, consistent with its business and organizational structure, to support the certifications. The SEC recommends that each company form a disclosure committee with responsibility for evaluating the materiality of information and determining disclosure obligations on a timely basis. The committee would report to senior management, including those persons who will be making the certifications, and generally would be comprised of officers and employees with appropriate interest and expertise in the issues (such as the principal accounting officer, general counsel, principal risk management officer and chief investor relations officer).

Distinguished From “Internal Controls”

The SEC’s release stresses the distinction between “disclosure controls and procedures” and “internal controls.” The disclosure controls and procedures mandated by paragraph (a) of new rule 13a-15 relate to the company’s process for developing the non-financial portions of its disclosure documents. The term “internal controls” focuses on a company’s financial reporting mechanisms and refers to the internal accounting controls which all SEC reporting companies are currently required to maintain under Section 13(b)(2) of the Exchange Act. Although both terms are used in the certifications as adopted by the SEC, Section 302 of the Sarbanes-Oxley Act only used the term “internal controls.” Nevertheless, the SEC concluded, based on the context in which the term “internal controls” was used in the fourth certification, that Congress intended to create a system of disclosure controls and procedures to complement the existing internal controls already in place at reporting companies.

Periodic Evaluation of Disclosure Controls and Procedures

Paragraph (b) of new rule 13a-15 requires a company, under the supervision of its CEO and CFO, to evaluate the effectiveness of both the design and operation of the company’s disclosure controls and procedures as of a date within 90 days prior to the filing of each quarterly or annual report under the Exchange Act. This evaluation would then be part of the basis for the fourth certification included that report. Although a similar obligation to evaluate the company’s internal controls does not currently exist, Section 404 of the Sarbanes-Oxley Act requires the SEC to adopt rules requiring each annual report to include an internal control report assessing as of the end of the fiscal year the effectiveness of the company’s internal control structures and procedures for financial reporting. The Sarbanes-Oxley Act is silent as to when these rules must be adopted.

New Disclosure Requirements

Under new Item 307(a) of Regulations S-K and S-B, reporting companies (other than issuers of asset-backed securities) are now required to disclose in their annual and quarterly reports the conclusions of their principal executive and financial officers regarding the effectiveness of the company’s disclosure controls and procedures. The conclusions would be based on the evaluation mandated by new rule 13a-15 of the company’s disclosure controls and procedures as of a date within 90 days prior to the filing of the report at issue.

In addition, with respect to a company’s internal controls, Item 307(b) requires the company to disclose whether, since the date of its last evaluation, there were significant changes in the company’s internal controls or in other factors that could significantly affect internal controls subsequent to the evaluation date, including any corrective actions taken with respect to significant deficiencies and material weaknesses. Although paragraph (b) of new rules 13a-15 and 15d-15 requires the company’s management to evaluate the effectiveness of the company’s disclosure controls in connection with each report, there is no similar requirement with respect to the company’s internal controls. Section 404 of the Sarbanes-Oxley Act instructs the SEC to adopt rules that will require companies to do an annual assessment of the effectiveness of their internal controls, but there is no deadline under the Sarbanes-Oxley Act for the adoption of those rules. Thus, the only evaluation of the company’s internal controls that is currently required is the annual review conducted by the company’s independent auditors in connection with the annual audit. If no other review is conducted, then this would appear to be the evaluation that is referred to in Item 307(b). Nevertheless, we believe it would be prudent for the CEO and CFO to at least update this review of the company’s internal controls as part of their procedures to support their Section 302 certifications.

Although Forms 20-F and 40-F do not incorporate the provisions of Regulation S-K, the SEC has imposed these new disclosure requirements on foreign private issuers by amending Forms 20-F and 40-F to include the text of Item 307.

Transition Provisions

The first three certifications must be included in all annual and quarterly reports filed after August 29, 2002. However, recognizing the difficulties inherent in the backup required to support the remaining certifications, the SEC is requiring that certifications four through six be included in annual and quarterly reports covering periods ending after August 29, 2002. With respect to the new disclosure requirements pursuant to Item 307 of Regulations S-K and S-B, the release states that the disclosure under paragraph (a) of the results of the company’s evaluation of its disclosure controls and procedures will only be required in annual and quarterly reports covering periods ending after August 29, 2002. The release is silent with respect to the disclosure of changes in internal controls pursuant to paragraph (b) of Item 307, which appears to mean that disclosure is required in all annual and quarterly reports filed after August 29, 2002.

Establishing Disclosure Controls and Procedures

Unlike the internal financial controls mandated by Section 12(b) of the Exchange Act, which already exist at reporting companies and are evaluated at least on annual basis by the company’s independent accountants, a formal system of disclosure controls and procedures has not previously been mandated for reporting companies. Nevertheless, formal and informal controls and processes have naturally developed at reporting companies to enable management to compile and produce periodic reports. The first step in establishing a formal set of disclosure controls and procedures will be to review and document the company’s existing practices and procedures. These practices and procedures then need to be reviewed for effectiveness and revised as necessary to satisfy SEC requirements and management’s expectations.

Other than recommending that each company establish a disclosure committee, the SEC did not specify what disclosure controls and procedures reporting companies should adopt. Instead, the SEC stated that it expects “each issuer to develop a process that is consistent with its business and internal management and supervisory practices.” Although each company is different and will need to develop its own practices and procedures, we have outlined below a few points of general applicability.

Two Things to Keep in Mind

Accelerating Filing Deadlines. The SEC has adopted final rules which will shorten the time to file Forms 10-Q and 10-K to 35 days and 60 days, respectively, after the end of the related fiscal period. In addition, the SEC has proposed to increase substantially the events that require current reporting on Form 8-K. Accordingly, disclosure controls and procedures should be designed with flexibility to accommodate these changes.

Cover All SEC Filings. Although the Section 302 certification requirements do not apply to current reports on Form 8-K and 6-K, the SEC’s commentary makes it clear that a company’s disclosure controls and procedures are to be applied to the preparation of these and other filed documents:

Reports that are current reports, such as reports on Form 6-K and 8-K, rather than periodic (quarterly and annual) reports are not covered by the certification requirement. Disclosure controls and procedures, however, are required to be designed, maintained and evaluated to ensure full and timely disclosure in current reports, as well as definitive proxy statements and definitive information statements.

Form a Disclosure Committee

Although not required, the SEC recommends that each company form a disclosure committee with responsibility for evaluating the materiality of information and determining disclosure obligations on a timely basis. The committee would report to senior management, including those persons who will be making the certifications, and generally would be comprised of officers and employees with appropriate interest and expertise in the issues (such as the principal accounting officer, general counsel, principal risk management officer and chief investor relations officer). As its first task, this committee could perform the review and documentation of the company’s existing practices and procedures discussed above. This committee should also perform a review and evaluation of the company’s disclosure controls and procedures in connection with each periodic report filed by the company.

Prepare a Disclosure Timetable

The disclosure committee or persons to whom it delegates this responsibility should prepare a timetable for preparation of the company’s periodic reports. This timetable would need to include time for an evaluation of the effectiveness of the company’s disclosure controls and procedures by the committee, collection of information regarding potential disclosure items in the periodic report, a review and discussion by the committee of the draft disclosure document, input from outside accounting and legal advisors on the draft document and a meeting with the company’s outside auditors and audit committee of the board to review any financial reporting issues.

Documentation of Disclosure Controls and Procedures

In order to provide evidence of the company’s compliance with the mandate to establish disclosure controls and to facilitate the quarterly evaluation of the company’s disclosure controls, we recommend documenting the company’s disclosure controls and processes. As with the description of any compliance process, written procedures compound the risk of liability if those procedures are not followed. The disclosure committee should be responsible for maintaining the accuracy of this documentation, either through its insistence on adherence to the processes as described or by updating the documentation when disclosure practices at the company change.

Supporting the Section 302 Certifications

All companies are different, and there is no “one size fits all” set of procedures that can be prescribed to support the certifications by the CEO and CFO of every company. Nonetheless, best practices will be emerging in the coming weeks and months as companies address the Section 302 certification process. Set forth below are procedures that we believe companies should consider adopting in connection with the certification process.

Two Things to Keep in Mind

Section 906 Certifications. Although there is substantial overlap between the language of the Section 302 certifications and the Section 906 certifications to be made by the principal executive and financial officers, they are not identical (e.g., the Section 906 certifications appear to include compliance of the report with the requirements of the applicable form). In designing procedures to support the ability of the CEO and CFO to make the certifications, companies must be aware that there are six Section 302 certifications and two Section 906 certifications that need to be supported.

Forward Certification. The certifications made with respect to an issuer’s annual report on Form 10-K will cover portions of documents that have not been filed (or perhaps even drafted) if the issuer takes advantage of the common practice of incorporating the disclosure for Part III of Form 10-K from its definitive proxy statement. The CEO and CFO will need to apply the same level of review to these incorporated documents even though no certification will be signed at the time of their filing.

Careful Review of the Report

The CEO and CFO should thoroughly review the company’s report, including the financial statements, with the employees charged with preparing each section of the report. The CEO and CFO should ask questions with respect to any discretionary decisions, including determinations of materiality, underlying assumptions, choices of accounting polices and critical accounting estimates made by the employees in preparing the information. The CEO and CFO should understand how these choices and estimates impact the results reflected in the report. In addition, the CEO and CFO should independently identify any issues that may be worth further consideration or be a possible source of errors, including past issues raised by the SEC in comment letters to the company or with respect to other companies in the industry, issues identified by the company’s auditors, issues raised internally involving the disclosure process, judgments or discretion, issues raised by analysts or others outside the company and issues currently being addressed by companies in the same or related industries.

Confirm Compliance with Form of Report

The CEO and CFO should review the requirements of the SEC form applicable to the report with the company’s general counsel or securities counsel. The purpose of this review would be to inquire as to any issues that counsel has identified in the report and to confirm that the report meets the requirements of the form.

Review Disclosure Controls and Procedures

No more than 90 days prior to the filing date of the report, the CEO and CFO should meet with the disclosure committee to confirm that established procedures were carefully followed in generating the data underlying the report and to discuss the results of the committee’s evaluation of the effectiveness of the disclosure controls and procedures.

Review Internal Controls

The CEO and CFO should meet with senior managers working in the accounting and financial reporting areas at the company to discuss any problems or issues that have arisen with the company’s internal financial controls, to discuss any changes that have been made in the internal controls since the last review and to review the most recent management letter received from the company’s independent accountants to see if any matters cited in that letter require additional attention. The CEO and CFO should also confirm that procedures are in place that would allow employees in the accounting and financial reporting area to report any irregularities, including any indication of fraudulent behavior, without fear of reprisals.

Meet with Independent Auditor

The CEO and CFO should meet with the lead audit partner of the company’s independent accountants so that the auditors can communicate the results of their SAS 71 review of the report and any additional views or thoughts which they may have. The CEO should consider holding a portion of this meeting with the audit partner without the CFO present. The CEO, in particular, should inquire with respect to changes in the financial statements that the accountants have recommended and any alternative treatments that the company should consider in preparing its financial statements. The CEO and CFO should discuss with the auditor any deficiencies detected in the company’s internal controls, any changes made in response to these deficiencies or otherwise, and any occurrence of fraud that has become known involving an employee with a significant role in the company’s internal controls. The auditors should be asked to identify any weaknesses they observed in the company’s internal controls.

Review Report with Audit Committee

The CEO, CFO and the company’s audit partner should meet with the audit committee, and with the full board if necessary, to discuss the report’s contents, the results of the discussions outlined above and to understand any questions or concerns that they may have identified concerning the company’s financial and reporting systems, internal controls, risk assessment and risk management policies, auditor independence and effectiveness, financial statements and other public disclosure, or any related matters. The CEO and CFO should also report to and discuss with the audit committee any deficiencies detected in the company’s internal controls, any changes made in response to these deficiencies or otherwise, and any occurrence of fraud that has become known involving an employee with a significant role in the company’s internal controls.

Consider Obtaining Back-Up Certificates

Although back-up certificates from senior managers similar to the forms the CEO and CFO will be required to sign are not a substitute for the processes described above, and arguably add little additional protection if the foregoing procedures are followed and adequately documented, the CEO and CFO may want to consider obtaining back-up certificates from the principal internal management personnel who participated in the preparation and review of the report. Whether or not back-up certificates are obtained, at a minimum, the personnel who prepared and reviewed the report should be polled during the meetings described above to confirm that they are comfortable with the contents of the report, the processes used to obtain and verify the information and the steps they have taken to ensure the accuracy of the information.

Documentation of Review Process

The CEO and CFO should ensure that all the above steps are documented by the general counsel, corporate secretary or someone else charged with maintaining the back-up materials for any certification. The records should include notes describing the time and date of meetings, including, where appropriate, general descriptions of the topics discussed, a list of all people who were involved in the preparation and review of the report and any back-up certificates obtained from employees involved in the information gathering process. These records should be retained in the company’s records along with the report to which the records relate.

September 5, 2002

EXHIBIT A

FORM OF SECTION 302 CERTIFICATIONS

I, [identify certifying individual], certify that:

  1. I have reviewed this [quarterly][annual] report of [identify registrant];
  2. Based on my knowledge, this [quarterly][annual] report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this [quarterly][annual] report;
  3. Based on my knowledge, the financial statements, and other financial information included in this [quarterly][annual] report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this [quarterly][annual] report;
  4. The registrant’s other certifying officers and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-14 and 15d-14) for the registrant and we have:
    • designed such disclosure controls and procedures to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which the [quarterly][annual] report is being prepared;
    • evaluated the effectiveness of the issuer’s disclosure controls and procedures as of a date within 90 days prior to the filing date of this [quarterly][annual] report (the “Evaluation Date”); and
    • presented in this [quarterly][annual] report our conclusions about the effectiveness of the disclosure controls and procedures based on our evaluation as of the Evaluation Date;
  5. The registrant’s other certifying officers and I have disclosed, based on our most recent evaluation, to the registrant's auditors and the audit committee of registrant’s board of directors (or persons performing the equivalent function):
    • all significant deficiencies in the design or operation of