In Part 2, we learned who to include in the 302 certifications, who to include in the Disclosure Committee and when to start the 302 certification process.

Today in Part 3, we answer the following questions:

I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.


What tools can we use to automate the certification process?

Now that we know roles and responsibilities and who should be doing what and how to build a timeline, it’s time to move on to the second step.

Step 2: Design and Train

SOX 302 process step 2

To start it off, we recommend using an electronic signature tool like Adobe’s EchoSign or DocuSign. In the “old days”, companies were emailing word documents to employees who then have to print them to sign them, scan them and then email them or fax it back into the legal team or the paralegal who is administering all of these.  That whole process is very inefficient and makes the whole process not scalable. The using electronic signature tools will make the whole process smoother and more efficient.

One great thing about these various electronic signature tools is that they have widgets where you can customize your response forms for employees to add comments.  You can then track the responses and non-responses much easier.


What should be included in the certification letters?

After you set up your electronic signature account, you have to prepare your certification letters. Now you may find it necessary tailor certification letters for different teams or functions. You may have a certification letter tailored specifically for the sales team and another one for the finance organization.  Below is an example of a certifying letter.

SOX 302 certifying letter

This is an example of a letter sent to all the sub-certifiers. Basically, you would be the person signing it and confirming that you have reported any fraudulent activity involving the company and that you’ve done things according to the policies.

Step 3: Deliver Certifications

SOX 302 process step 3

Once you have the certifiers and certification letters, and you have designed the process, the next step to deliver the certifications. Remember that you also want to plan training sessions for certifiers. It could be a refresher course or training for new employees.


How can we track the results?

Unless you have a built-in process that can be repeated quarter after quarter, it becomes very time consuming. It’s about a 2-week process but it can stretch out depending on the situation.  In a perfect world, you will get the responses back on time but sometimes you will get no response and you have to spend more time to follow up.  To avoid confusion and to make life easier for you, we recommend a tracking spreadsheet.

Even if you are using a tool to send out the certifications, it is still nice to have the information in one place. You can build a spreadsheet to keep track of all the certifications.  Below is an example of a spreadsheet used to track certifications.

Sample SOX 302 certifier tracking spreadsheet

In this example, the data used includes the name of the certifying employee as well as their department and their title.  There are columns for the date when the certifications were sent out and when they responded.

Keeping everything in one spreadsheet makes presenting to the Disclosure Committee easy.

Step 4: Document Results and Disclose

SOX 302 process step 4

Step four is documenting results and disclosing them. Throughout the whole process, you may be setting up and conducting exception interviews and you are also evaluating your exceptions. For all exceptions, you have to document the conclusions.  Finally, you have to prepare a certification summary memo for presentation to the Disclosure Committee.

The tracking sheet sample above is one way to make documentation easier.  For presentation though, we recommend a summary instead of the whole excel sheet.  Using the data from the tracking sheet, you can create graphs like those below.

SOX 302 certification metrics

To recap, today we learned about:

watch video in youtube


If you found this post helpful and
want to receive the next segment
sign up for blog