In Part 1, we summarized the SOX 302 requirements, the certification set-up overview and who owns the SOX 302 process.

Today in Part 2, we answer the following questions:

I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.

SOX 302 certification A2Q2
Fig. 1 – Sarbanex Oxley 302 certification

 

Who to include in the 302 certifications?

The short answer is everyone who is necessary for the CEO and CFO to feel comfortable before they sign their quarterly certifications. We definitely want to include sales and finance. How deep we go in the organization when we’re asking for the certification depends on the employee roles and the responsibilities in the organization.

If you are fairly flat organization, maybe go down to the manager level. Maybe all sales VPs and Directors need to sign.  Or you can include all sales managers.  On the other hand, if you have a more structured company, you can pick all regional heads or all division heads. The bottom line is that it depends on your organizational chart.

Depending on your organization, some employees have very innocent sounding roles like sales ops or facilitator and it turns out that they run all of the commitments for your real estate leases and you lease 500 stores across the country. In that case, that’s a big disclosure area that you may want to have this person pulled in too.

You want to consider people outside of finance and in the business because they have business information to share. You may want to consider IT if you have major data centers or IT infrastructure because it has a huge impact on the financial statements.

If you have a large physical footprint, you’re going to want to make sure that you reach people in facilities and real estate. You may be constructing brand new wind farms or large construction projects that need disclosures that have financial implications. Again, we suggest you look at your organization chart and build a rationale around the roles.

You should document this rationale so that as the company grows, you can revisit it and make sure that your process still makes sense quarter after quarter.

 

Who to include in the Disclosure Committee?

The next question we usually get is who should be included in the disclosure committee itself. You definitely need someone from legal and someone from finance. Typically, you would want a COO or a CTO if you are a tech company with heavy reliance on systems.

The COO is needed because the Disclosure Committee is broader than just financial statements. The technical side of the business should be considered..  You want someone from legal because they’re thinking of liabilities and protection for the company and other regulatory perspectives.

On the finance side, you want your CFO, the person who is going to sign it.We want to include the controller and the SEC reporting person who is writing the disclosures. Investor relations should also be included in the Disclosure Committee meetings just so that the investor relations person knows what to put out for press releases.  Or if they’re preparing a lot of the materials to be discussed on conference calls with investors, you want them to be in the loop.

When the Disclosure Committee has been put together, it should have a charter that will talk about how often they would review the results of the certifications. The Disclosure Committee is the organization that recommends or reports the results to the Audit Committee.

 

When should I set-up the 302 process?

There are actually two calendars that should be created. The first is for the set up phase of the 302 process and then second calendar is for the ongoing and recurring activities.

To demonstrate when to start the process, take a look at the example below.

when to start SOX 302 process
Fig. 2 – When should I start the SOX 302 process

In this example, let’s assume that we are going to go public on September 1st.We suggest that at least one quarter before you go public, you start to planning, set up the process and do a practice run.

Start planning the activities that we’ve discussed in Step 1 and Step 2 or even Step 3. Then, you take the time at the end of the June 30 quarter to do a practice run. If you have a younger organization, many of your employees may not have gone through this process and will have a lot of questions.

If you do a practice run beforehand you can work out the kinks.  Keep in mind that when you do go public, there are so many other deadlines to stay on top of.  It’s best to practice and work out all of the questions and make sure that you get this certification nailed.  Once you’re public, the clock just keeps going. It doesn’t matter whether you’re ready for it or not.

You’ll also notice on this calendar the ongoing quarterly certification are marked. Once you’re public, every quarter, it just repeats itself, so you don’t have that set up and planning time anymore.  This makes building a really strong process upfront very important as it will make it so much easier for you to administer the process.

Below is a more detailed calendar view to give you a sense of how a typical calendar would look like.

SOX 302 process calendar
Fig. 3 – Typical SOX 302 calendar

In this calendar, let’s assume a September-October time frame. Basically, if you’re going to sign a certification on September 30, you should start reviewing some of the stuff at the beginning of September.

Do you have the latest org chart to make sure that you have the right people to send it to? Do you have all of the right templates and the letters that you need and when do you need to stage some of this stuff to be sent out? Have you done the training for new people?

Even though you’re already public, you have new employees on board who may have never gone through this before. Maybe you provide some training to them and then you plan when you are going to send the certifications out. When do you need the certifications back? Because you also need time to review the certifications, follow up, and you’re going to need your Disclosure Committee meeting.  These are just some of the things you have to consider to plan out what to do before the big day and how you can build some cushion into your timeline.
Summary

To recap, today we learned:

 
watch video in youtube

 

If you found this post helpful and
want to receive the next segment
sign up for blog