Certifications and Sub-Certifications – Building confidence from below

Sarbanes-Oxley Section 302 requires that the Chief Executive Officer and Chief Financial Officer (or those in equivalent positions) of all companies publicly traded in the US certify the accuracy of all annual and quarterly financial reports.  The actual text of the act itself is, of course, far more detailed – but the nutshell that we’ve all come to know is that the CEO and CFO have to sign off on the financial reports and thereby take on personal responsibility for any inaccuracies or misrepresentation of the company’s financial status.  Technically, it is the signatures of those two individuals that make up the 302 Certification.

Unless your entire company has fewer than 10 employees – in which case you probably aren’t subject to SOX requirements anyway – it is unlikely that your CEO or CFO is going to be comfortable simply signing off on the financial statements without something more to go on.  They could go through and double-check every audit result, document and calculation.  They could if they cloned themselves several times over and focused on nothing else all year.  It’s not even in the ballpark of practical.  So what do they do?

They take it down a level.  Enter the 302 Sub-Certification Process.

I would venture to guess that almost every company subject to SOX requirements has some sort of 302 sub-certification process in place.  At what level those sub-certifications are made varies across companies.  Even more varied is the efficiency and effectiveness of those sub-certifications.

I’m not going to pretend to provide advice on how deep your organization might want to go with sub-certification processes.  That’s a decision to be made based on how you do business, how many levels of management are between the top and the bottom, and how much risk you think there is that something can go wrong in between.  What I can do is help you to make that process more effective and more efficient with policyIQ.

Roll-up the sub-certifications.

Setting up your 302 Certifications in policyIQ is a matter of creating forms to push out to Standard Users.  (I won’t go into the boring details of setup in this blog post, but you can check out our help guide – or our training on April 21st – for more information.)

If you want to build in several levels to your 302 sub-certifications, you may copy those Form Templates for each level in the process.

    • Level 1 certifies, and their answers roll-up to Managers A – F.
    • Managers A – F certify, and their answers roll-up to Directors G – J.
    • Directors G – J certify, with their answers rolling up to the VPs K – N.
    • And finally those VPs certify with their responses rolling up to the CEO and CFO.

Your process might not be quite so complicated – but at each level, you can have those answers sent on to the appropriate Manager, Director or VP.  A few things you may want to consider when rolling out this type of sub-certification process:

a.) The more levels you have, the more time you’ll need to allow for responses to come in. Consider sending all of the certifications out at once – even if you expect that each level will wait for the one below to submit first. If your Directors have a deadline looming, they will be more motivated to remind their managers that they need responses.

b.) Assign an Administrator who will have oversight into the whole process – at all levels. That individual should be checking in to make sure that responses are being submitted and sending reminders as necessary. (Even if a VP has a deadline looming, the task of submitting a certification is likely to get lost in the daily list of meetings and tasks.)

c.) Balance the time frame that you want to have available for easy reporting with archiving off older answers. policyIQ will retain all of the responses until you decide to delete them. After a couple of years, your site may seem too busy with so many forms and reports. Consider keeping just two years’ worth of responses in your active site, and use the snapshot functionality to keep a backup if you need to go back further.

Implement for 302 Certifications and Sub-Certifications today!

If you aren’t already using policyIQ for SOX 302 sub-certifications, what is stopping you?  The setup is simple and the cost is low.  Most importantly, the result is a process that is efficient and easy to manage – with answers stored period over period in one central place for quick reporting.  (Reminder: Check out our training session on April 21 at noon ET if you want to learn more about implementing policyIQ for SOX 302 Certifications!)

If you are thinking that the process sounds great, but you just don’t have the time or resources to spare to get it implemented, contact us.  We can help you to implement your 302 Certifications – we even have some sample forms and questions.

This entry was posted in Solutions by Chris Burd.

About Chris Burd

Chris is the Vice President of the policyIQ group at RGP. She gets geeky about compliance and technology, and gets to spend every day working at the crossroads of the two. With policyIQ since 2005, Chris has worked with hundreds of policyIQ clients to implement technology and enhance their internal compliance environment. In past lives, Chris worked as a system implementation consultant, an e-commerce specialist, a customer service call center manager, and - for one short but memorable summer during high school - a machine operator on midnight shift in a plastics factory. In her free time, she spoils her nieces, reads too many books, and spends more time than she should taking photos of her cats. She's on a mission to visit the hometown of every US President - so far managing to get to 14. She would like to be a rock star when she grows up.

5 thoughts on “Certifications and Sub-Certifications – Building confidence from below”

  1. Hi, I randomly found this blog and was hoping you have some documentation to assist in building the sub-certification process, mainly around what kind of questions should be included in the sub-certifications. I obviously was not able to attend the training session in 2011 but hoping some information can be provided. Thanks! -Alexandra

  2. Hi Chris – wondering if you could share any policies, communication/training and certification templates (by levels within the org – Manager, Director, VP, etc or function – Finance, Controller, HR, IT, Legal etc). Thanks and appreciate your help with this.


    • Hi Abe – I apologize for the delay on responding to your comment. This is a great question. I am going to send you, via email, one example of 302 certification questions that are broken down by high level area. The truth is, though, that the actual questions that are asked are unique for every organization – depending on size, geographic spread, and the actual activities that are performed within the organization.

      Our RGP consultants have been known to help companies create a unique certification process, if you need that level of assistance. However, we can get you started with an example that can help!

      Thanks, Abe!
