Section 302, also known as “302 certification,” is a portion of the Sarbanes-Oxley Act that requires the principal executive officer or officers and principal financial officer or officers, or persons performing similar functions, to personally attest to the accuracy, documentation, and submission of all financial reports and internal control structure. The design of a 302 program will vary across organizations, depending on their size, structure, global footprint, culture, and technology capabilities. While the Section 302 requirements can seem like a check-the-box exercise, companies that embrace this quarterly exercise can gain more efficient information-gathering, which may have a broader impact on their systems of internal control.
SOXHUB elevates SOX compliance awareness and accountability.
Responsibility for Section 302 generally falls under the principal executive officer or officers and principal financial officer or officers, or persons performing similar functions. Certifiers range from CEOs and CFOs down to control owners. It’s important that certification ownership, authority, and accountability are embraced by the organization, and that there is clear accountability and ownership for certifications, along with a strong tone set at the top regarding their importance.
Section 302 attestation is submitted to the SEC and helps ensure corporate responsibility for accurate and truthful financial reports. 302 programs can help facilitate the identification, summary, and evaluation of information that formal disclosure controls and procedure change committees are tasked with overseeing. A leading practice consideration is to drive accountability through 302 sub-certifications, which support the 302 programs. Criteria evaluated as part of the quarterly certification and sub-certification program can vary by company based on the complexity of the company’s structure. Criteria can include changes to financial statements and disclosures, governance structure, people, processes, and technology.
One of the most common challenges for organizations is that their 302 programs are highly manual, which increases the time and effort spent on dissemination, completion, and compilation of results. Without technology, it's also difficult to efficiently tie the effectiveness of controls to the certification process. Therefore, organizations are turning to technology like AuditBoard that can help facilitate, streamline, and automate 302 certification programs. AuditBoard expedites the dissemination and aggregation of responses; automates workflows to route assignment of 302 sub-certifications to individuals based on their roles and responsibilities and tracks responses; automates reporting of results; provides real-time dashboard reporting and trend analysis; and links operating effectiveness to sub-certification questionnaires.
Section 404 is an important component of SOX compliance that mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test, and maintain those controls and procedures to ensure their effectiveness. Section 404 essentially requires an auditor to attest and report on a company’s assessment of its internal controls. It also increases transparency, specifically around financial reporting and the likelihood of material misstatements. Although SOX 404 increases auditing costs, experts believe the information and insights the audit provides for investors are well worth the extra expense.
Section 404 applies to all publicly traded companies in the United States as well as wholly owned subsidiaries and foreign companies that are publicly traded and do business in the United States. SOX also regulates accounting firms that audit companies that must comply with SOX.
Section 404(a) requires all companies, regardless of filing status, that file an annual report pursuant to Section 13(a) or 15(d) of the Securities and Exchange Act of 1934 (Exchange Act) to include a report on internal controls.
Section 404(b) specifically requires a public company’s external auditor to attest to management’s assessment of its internal controls. However, not all companies must comply with Section 404(b).
Section 404(c) creates an exemption for small issuers, stating that any company that does not meet the qualifications of an accelerated filer or large accelerated filer does not need to comply with Section 404(b).
Section 404 is one of the main provisions in the Sarbanes-Oxley Act and helps increase financial transparency by requiring public companies' annual reports to include the company's own assessment of internal control over financial reporting and an external auditor's attestation. One direct effect of the Sarbanes-Oxley Act on corporate governance is the strengthening of public companies’ audit committees.
SOX compliance is still one of the most important concerns for companies that fall under its requirements. When complying with SOX, it is certainly useful to have an engaged internal audit function: such a function may assist management in its assessment of internal controls, and external auditors are more likely to rely on internal audit’s work in their attestation. Internal audit activity must be independent and internal auditors must be objective in performing their work, in accordance with The IIA’s Attribute Standard 1100.
AuditBoard allows organizations to tackle all SOX requirements with ease and precision by centralizing and streamlining SOX documentation, testing, and reporting. To maintain compliance with Section 404, AuditBoard helps eliminate version control issues to maintain a single source of truth for your risk and control information across process documents, RCMs, and issue logs. Additionally, AuditBoard allows you to simplify and organize the entire testing process, manage PBC requests, test evidence, document workpapers, and share results with your external auditors. Finally, AuditBoard allows you to centralize enterprise-wide issue identification and automate remediation workflows to ensure timely resolution of identified control deficiencies.
Utilize the quarterly 302 sub-certification process as an effective monitoring control to identify changes in the effectiveness of the design and operation of relevant controls, which can serve to reduce the extent of rollforward testing.
An effective sub-certification process may enable an organization to help assess the steady state of processes to potentially eliminate the need for annual walkthroughs to inform the risk assessment process, both annual and ongoing.
Design specific sub-certifications for those who have roles and responsibilities or access to sensitive information such as personnel, customer, or vendor data. Upon identification of cybersecurity risks and incidents through the 302 program.
SOX mandates that all listed companies have an audit committee whose members are independent of management and that includes at least one financial expert. As a result, audit committees today are better equipped to provide accurate and truthful financial reports.
SOX compliance makes executives more accountable and protects investors. Executives are required to personally certify financial reports, with significant penalties in place for fraudulent activities.
SOX compliance enhances auditor independence by prohibiting audit firms from providing bookkeeping, actuarial, or management functions to the companies they audit.