Sarbanes-Oxley Section 302 requires that the Chief Executive Officer and Chief Financial Officer (or those in equivalent positions) of all companies publicly traded in the US certify the accuracy of all annual and quarterly financial reports. The actual text of the act itself is, of course, far more detailed – but the nutshell version that we’ve all come to know is that the CEO and CFO have to sign off on the financial reports and thereby take on personal responsibility for any inaccuracies or misrepresentation of the company’s financial status. Technically, it is the signatures of those two individuals that make up the 302 Certification.
Unless your entire company has fewer than 10 employees – in which case you probably aren’t subject to SOX requirements anyway – it is unlikely that your CEO or CFO is going to be comfortable simply signing off on the financial statements without something more to go on. They could go through and double-check every audit result, document and calculation. They could if they cloned themselves several times over and focused on nothing else all year. It’s not even in the ballpark of practical. So what do they do?
They take it down a level. Enter the 302 Sub-Certification Process.
I would venture to guess that almost every company subject to SOX requirements has some sort of 302 sub-certification process in place. At what level those sub-certifications are made varies across companies. Even more varied is the efficiency and effectiveness of those sub-certifications.
I’m not going to pretend to provide advice on how deep your organization might want to go with sub-certification processes. That’s a decision to be made based on how you do business, how many levels of management are between the top and the bottom, and how much risk you think there is that something can go wrong in between. What I can do is help you to make that process more effective and more efficient with policyIQ.
Roll up the sub-certifications.
Setting up your 302 Certifications in policyIQ is a matter of creating forms to push out to Standard Users. (I won’t go into the boring details of setup in this blog post, but you can check out our help guide – or our training on April 21st – for more information.)
If you want to build in several levels to your 302 sub-certifications, you may copy those Form Templates for each level in the process.
- Level 1 certifies, and their answers roll up to Managers A – F.
- Managers A – F certify, and their answers roll up to Directors G – J.
- Directors G – J certify, with their answers rolling up to the VPs K – N.
- And finally those VPs certify with their responses rolling up to the CEO and CFO.
Your process might not be quite so complicated – but at each level, you can have those answers sent on to the appropriate Manager, Director or VP. A few things you may want to consider when rolling out this type of sub-certification process:
a.) The more levels you have, the more time you’ll need to allow for responses to come in. Consider sending all of the certifications out at once – even if you expect that each level will wait for the one below to submit first. If your Directors have a deadline looming, they will be more motivated to remind their managers that they need responses.
b.) Assign an Administrator who will have oversight into the whole process – at all levels. That individual should be checking in to make sure that responses are being submitted and sending reminders as necessary. (Even if a VP has a deadline looming, the task of submitting a certification is likely to get lost in the daily list of meetings and tasks.)
c.) Balance the time frame that you want to have available for easy reporting with archiving off older answers. policyIQ will retain all of the responses until you decide to delete them. After a couple of years, your site may seem too busy with so many forms and reports. Consider keeping just two years’ worth of responses in your active site, and use the snapshot functionality to keep a backup if you need to go back further.
Implement for 302 Certifications and Sub-Certifications today!
If you aren’t already using policyIQ for SOX 302 sub-certifications, what is stopping you? The setup is simple and the cost is low. Most importantly, the result is a process that is efficient and easy to manage – with answers stored period over period in one central place for quick reporting. (Reminder: Check out our training session on April 21 at noon ET if you want to learn more about implementing policyIQ for SOX 302 Certifications!)
If you are thinking that the process sounds great, but you just don’t have the time or resources to spare to get it implemented, contact us. We can help you to implement your 302 Certifications – we even have some sample forms and questions.