Skip to main content
Find a Lawyer

Sarbanes-Oxley Act of 2002: What You Need to Know Now

This article was edited and reviewed by FindLaw Attorney Writers | Last reviewed March 26, 2008

This article has been written and reviewed for legal accuracy, clarity, and style by FindLaw’s team of legal writers and attorneys and in accordance with our editorial standards.

The last updated date refers to the last time this article was reviewed by FindLaw or one of our contributing authors. We make every effort to keep our articles updated. For information regarding a specific legal issue affecting you, please contact an attorney in your area.



SARBANES-OXLEY ACT OF 2002 WHAT YOU NEED TO KNOW NOW

On Tuesday, July 30, 2002, President Bush signed into law the Sarbanes-Oxley Act of 2002, one of the most sweeping revisions of the federal securities laws in the last 60 years. Sarbanes-Oxley creates a significant, new oversight and regulatory regime over the public accounting industry and imposes many important and potentially far-reaching reforms in public company governance and disclosure requirements. It also dramatically increases criminal penalties for federal mail, wire and securities fraud, creates new criminal penalties for document and record destruction in connection with federal investigations and lengthens the statute of limitations for private securities claims.

Many of the provisions in the Act will go into effect only after rulemaking by the Securities and Exchange Commission or after other delays. Some crucial provisions, however, go into effect immediately and may require quick action by U.S. companies and foreign private issuers subject to the reporting requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934.

Key reforms taking effect immediately (or within the next 30 days) that may require quick action include:

  • New CEO and CFO certification requirement. U.S. and foreign reporting companies must now provide CEO and CFO certifications with their next SEC filing containing financial statements under Section 906 of the Act (the "906 Certificate"). This new certification requirement is different from, and in addition to, the one-time certification requirement pursuant to the SEC's June 27 order applicable to the 947 U.S. public companies with revenues over $1.2 billion (the "June 27 Order"). It is also different from, and in addition to, the new, ongoing CEO and CFO certification of quarterly and annual reports that Section 302 of the Act directs the SEC to adopt by rulemaking within 30 days (the "302 Certificate").
  • Prohibition on new loans to directors and executive officers. U.S. and foreign reporting companies are now prohibited from extending most types of personal loans to their directors and executive officers (and their "equivalents"). Existing loans are "grandfathered" under the Act, but may not be materially modified or renewed.
  • Acceleration of Section 16 reports. Effective August 30, 2002, directors, officers and 10% shareholders of U.S. public companies must file their Form 4 reports of transactions in company securities by the second business day after execution.

This memorandum discusses these and other important provisions of Sarbanes-Oxley that merit immediate attention.

CEO and CFO Certification Requirements

The Act includes two provisions relating to CEO and CFO certifications of periodic reports filed with the SEC. One, the 906 Certificate, is effective immediately; the other, the 302 Certificate, will become effective upon adoption of rules by the SEC, which must occur no later than August 30, 2002.

Section 906 of the Act creates a new CEO/CFO certification requirement in connection with all periodic reports that contain financial statements. This section is effective immediately and so applies to the filing of any such report (I, Form 10-Q, Form 10-K, Form 20-F, Form 40-F) on or after July 30, 2002. Under this section, CEOs and CFOs are obligated to certify that the periodic report "fully complies" with SEC requirements, and that the information contained in the periodic report "fairly presents, in all material respects, the financial condition and results of operations of the issuer." Section 906 also provides for criminal penalties ranging from up to $1 million in fines and up to 10 years in prison for filing a 906 Certificate "knowing" that the subject report does not comport with all the requirements of Section 906, to up to $5 million and up to 20 years if the officer "willfully certifies" a report "knowing" that the subject report does not comport with all the requirements of Section 906.

The 302 Certificate will only become effective after SEC rulemaking, which is mandated to occur by August 30, 2002. These rules will require the CEO and CFO of U.S. and foreign reporting companies to certify, in connection with each quarterly and annual filing, that: (1) the signing officer has reviewed the report; (2) based on the officer's knowledge, the report does not contain an untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which the statements were made, not misleading; (3) based on the officer's knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer; (4) the signing officers are responsible for establishing and maintaining internal controls and have designed them to ensure discovery of material information; (5) the signing officers have evaluated the internal controls within the 90 days prior to the report and have presented their conclusions about the effectiveness of the internal controls in the report; (6) the signing officers have disclosed to the company's auditors and audit committee all significant deficiencies in the internal control system and any fraud (whether or not material) by management or other employees with a significant role in the internal controls; and (7) the signing officers have indicated in the report whether or not there were significant changes in the internal controls or other factors that could significantly affect the controls since the date of their evaluation.

Although similar in some ways to the one-time certification requirement imposed by the June 27 Order (see our client advice memorandum, dated July 2, 2002, available at www.dorseylaw.com), these two new certification requirements are separate obligations applicable to all companies filing periodic reports under Section 13(a) or 15(d) of the Exchange Act. Thus, companies covered by the June 27 Order that have not yet filed their one-time certification will be providing two certifications: one pursuant to the June 27 Order (which is retrospective in its coverage), and a 906 Certificate (covering the most recently filed report which it accompanies), with a third form, the 302 Certificate (also covering the report with which it will be filed), to be required in connection with reports filed after the SEC rulemaking in late August.

Both Sections 302 and 906 apply to all companies filing periodic reports under Sections 13(a) or 15(d) of the Exchange Act. There is no exception made for non-U.S. issuers; therefore, foreign reporting companies now will also be required to submit 906 Certificates and 302 Certificates.

The Act is silent on the mechanics for compliance with the certification requirements. Section 906 states that a company's reports shall be "accompanied" by the required certification. There is no further guidance on the means by which the Section 906 certification is to be provided. Form 10-Qs filed on July 31, 2002 (the first day after enactment of the Act) used two methods to comply with the requirement—either including the certification language on the signature page of the Form, or filing one page certifications as exhibits 99 to the Form.

We believe that there is another approach, which differs from either of the above methods, that reporting companies should consider: file two certifications (one each for the CEO and CFO) in EDGAR, tagged as "correspondence," accompanying the Form, together with a simultaneous filing of a Form 8-K (or Form 6-K in the case of foreign reporting companies), attaching the two 906 Certificates as exhibits filed under Item 9 (the Regulation FD Item). By this means, the certifications will not be made part of the company's filing and do not become a separate basis for company liability under the Exchange Act while, at the same time, companies can avoid the risk of negative investor reaction to making the certifications in a non-public manner.

Loans to Directors and Executive Officers

Effective immediately, Section 402 of the Act prohibits any U.S. or foreign reporting company, as well as any private company that is in SEC registration for an IPO, from extending, maintaining, renewing or arranging for credit, directly or indirectly, in the form of personal loans to or for its directors and executive officers (or the "equivalent thereof"). Although existing arrangements are grandfathered under the Act, there can be no material modification or any renewal of such arrangements after July 30, 2002. There are limited exceptions under the Act for certain consumer and housing loans and loans made in the ordinary course of business and at market rates by U.S. banks and broker-dealers to their own employees. While no guidance is set forth on the subject, it appears that standard forms of employee relocation loans are not exempted from the Act.

Acceleration of Section 16 Reports

Effective as of August 30, 2002, directors, officers and 10% shareholders of U.S. public companies will be required to file their Form 4 reports under Section 16 of the Exchange Act by the second business day after execution of a transaction, instead of by the tenth day of the month following the month in which the transaction occurs. U.S. public companies should revise their internal procedures now to capture transaction information more quickly in order to enable their directors and officers to comply with this new timeline. Section 403 of the Act also mandates that, within one year of its enactment, all Form 4s must be filed electronically and made publicly available on the SEC's and the issuer's website.

Potential Forfeiture of Incentive Compensation by CEOs and CFOs

In addition to heightened personal certification requirements, CEOs and CFOs will now also face the possibility of a statutory "clawback" of all bonus and stock option exercise profits received in the 12 months following the first publication or filing with the SEC of financials subject to a restatement.

Section 304 of the Act applies to any U.S. or foreign reporting company and to any private company that is in SEC registration for an IPO. If any such company is required to prepare an accounting restatement due to "the material noncompliance of the issuer, as a result of misconduct, with any financial reporting requirement," then the CEO and CFO will be required to forfeit any incentive or equity-based compensation received from the company, and the profit on any sales of issuer securities, during the 12-month period following release of the financial statements to be restated.

This provision is effective immediately. It appears to apply retroactively to income and profits received by CEOs and CFOs during periods prior to July 30, 2002 if restatements meeting the standards of Section 304 subsequently occur.

Whistleblower Protection

Effective immediately, the Act prohibits U.S. and foreign reporting companies (and their officers, employees, contractors, subcontractors and agents) from taking any retaliatory action against an employee for commencing or participating in a legal proceeding based on, or providing information or assistance to supervisors, federal agencies or Congress with respect to an investigation of, conduct the employee reasonable believes violates U.S. securities or antifraud laws. Companies should review and update their personnel policies in light of the broad scope of this protection to ensure compliance with the Act.

Pre-Approval of Non-Audit Services

Although the Act includes independence requirements applicable to auditors which will become effective only after the newly mandated "Public Company Accounting Oversight Board" is in operation (which is to commence no later than the end of March 2003), the Act requires that, effective immediately, audit committees approve all audit and non-audit services provided by the company's outside auditors (subject to certain de minimus exceptions). Non-audit services include, for this purpose, the provision of tax services by the auditor. These approvals may be obtained at the time of engagement of the auditor for an annual audit, if the services are set forth as part of the annual audit plan. Any such approvals of non-audit services must also be disclosed in the company's periodic SEC reports.

Enhanced SEC Review of Periodic Filings

Section 408 of the Act requires the SEC to review periodic disclosures (including financial statements) made by U.S. and foreign reporting companies on a regular and systematic basis, with each issuer being reviewed no less frequently than once every three years. Prior to Sarbanes-Oxley, foreign reporting company filings were not regularly reviewed by the staff, so this new requirement constitutes an especially important development for foreign private issuers.

Officer and Director Bars

Section 1105 of the Act gives the SEC explicit authority in administrative cease and desist proceedings to bar an individual who has violated the antifraud provisions of the federal securities laws from acting as an officer or director of a reporting company if the person's conduct demonstrated unfitness to serve as an officer or director of a public company. In addition, Section 305 modifies the standard governing imposition of officer and director bars by a court (in actions brought by the SEC) by modifying the previous "substantial unfitness" standard to simple "unfitness."

Other Provisions of Sarbanes-Oxley Effective at Later Dates

Other significant provisions of the Act become effective after SEC rulemaking to be completed during the next year. These provisions of the Act, which are generally applicable to U.S. and foreign reporting companies, include:

  • Enhanced, real-time disclosure requirements. Section 409 of the Act will require disclosure of material changes in financial condition or operations on "a rapid and current basis." Section 401 of the Act will require disclosure of material off-balance sheet arrangements and will govern the use of pro forma financial information in SEC reports and press releases.
  • Annual report on internal controls. Section 404 of the Act will require issuers to provide an annual report assessing the effectiveness of the company's internal controls, together with a report by the company's auditors on this assessment.
  • Code of ethics and financial expert. Sections 406 and 407, respectively, of the Act will require disclosure of whether the company has a code of ethics for its senior financial officers and whether the audit committee has at least one member who is a "financial expert" (as defined by the SEC).
  • Auditors and audit committees. Titles I and II of the Act mandate the establishment of a new independent auditor oversight board with broad powers to investigate and sanction public accounting firms, require retention of audit records for a least seven years, limit non-audit services that may be provided by auditors and define director "independence" for purposes of audit committee participation.
  • Insider trades during retirement plan blackouts. Section 306 of the Act will, subject to certain exceptions, make it unlawful for any director or executive officer of a company to trade in equity securities of the issuer during any blackout periods for an issuer 401(k) or other retirement plan in which participants are not allowed to trade.
  • Lawyer professional conduct rules. Section 307 of the Act will require the SEC to adopt ethics rules obligating all counsel "appearing and practicing before the [SEC] in any way" to report evidence of material violations of securities law or breach of fiduciary duty "up the ladder" to more senior management or the board of directors.

We will address these and other Sarbanes-Oxley provisions more specifically in future memoranda as the SEC rulemaking process progresses and other developments and clarifications emerge. In the meantime, however, all U.S. and foreign reporting companies should be taking action in response to the immediately effective provisions of the Act.

August 1, 2002

Disclaimer

©2003 Dorsey & Whitney LLP. This Corporate Update is intended for general information purposes only and should not be construed as legal advice or legal opinions on any specific facts or circumstances. Members of the Dorsey & Whitney LLP Corporate Group will be pleased to provide further information regarding the matters discussed in this Corporate Update.

Was this helpful?

Copied to clipboard