With the twelfth anniversary of the implementation of the Sarbanes Oxley Act of 2002 ("SOX") swiftly approaching, it may or may not be coincidental that the SEC has been involved in several SOX-related enforcement actions recently, including (i) bringing charges against the CEO and former CFO of a Florida-based computer equipment company for misrepresenting the state of its internal controls over financial reporting and (ii) awarding more than $400,000 to a whistleblower who reported fraudulent activity to the SEC after the whistleblower's company repeatedly failed to address the issue internally. This Bulletin, however, should serve as a clear reminder that, even with the passage of time and additional mandates to implement other regulatory frameworks such as the Dodd-Frank Act and the JOBS Act, the SEC continues to actively and aggressively monitor reporting companies' compliance with the disclosure, internal control and certification practices and procedures mandated by SOX.

What Are the Certifications Related to Disclosure Controls and Procedures Required by Section 302 and Section 906 of SOX?

Section 302 and Section 906 of SOX generally require CEOs and CFOs of reporting companies to certify to the truth, accuracy and completeness of their company's disclosures in 10-Qs and 10-Ks and to their responsibilities and duties as officers related to ensuring such truth, accuracy and completeness.

What Is the Management Report Related to Internal Control over Financial Reporting Required by Section 404 of SOX?

Section 404 of SOX generally requires reporting companies to include in their 10-Ks a report of management that reiterates that management is ultimately responsible for establishing and maintaining adequate internal control over financial reporting, assesses the effectiveness of the company's internal control over financial reporting and identifies the framework used by management for that assessment and cites the attestation report issued by the company's registered public accounting firm related to its audit of internal control over financial reporting.

If CEOs and/or CFOs Fail to Fulfill Their Responsibilities under Section 302, Section 906 and Section 404 of SOX, Are There Ramifications?

Yes, and two recent enforcement actions illustrate certain potential consequences.

Enforcement Action Against CEO and Former CFO

In a recently instituted enforcement action, the SEC alleges that the CEO, Marc Sherman, and former CFO, Edward L. Cummings, of Quality Services Group, Inc. ("QSGI") (i) falsely represented in a management report filed with QSGI's 2008 10-K that the CEO had participated in the evaluation of QSGI's internal controls, (ii) falsely represented in certifications required under Section 302 of SOX that the CEO and CFO had evaluated QSGI's internal control over financial reporting and disclosed all significant deficiencies to the external auditors and (iii) affirmatively misled the company's external auditors by withholding information regarding certain inadequate inventory controls and certain improper accounting techniques designed by Sherman, and implemented by Cummings, to accelerate the recognition of certain inventory and accounts receivables in QSGI's books and records.

Signaling its zeal to regulate culpable conduct, the SEC stated that "[c]orporate executives have an obligation to take the Sarbanes-Oxley disclosure and certification requirements very seriously. Sherman and Cummings flouted these regulatory requirements and misled investors and external auditors in the process."

Although the SEC will continue to pursue its enforcement action against Sherman, Cummings entered into a cease-and-desist order finding that he willfully violated, and caused QSGI's violations of, federal securities laws. In connection with the cease-and-desist order, Mr. Cummings agreed to (i) pay a $23,000 civil monetary penalty, (ii) to be barred for five years from serving as an officer or director of a publicly traded company and (iii) to be barred for at least five years from practicing as an accountant on behalf of any publicly-traded company or other entity regulated by the SEC.

Significant Bounty Paid to Whistleblower

Recently, in a separate matter, a whistleblower received a sizable bounty in respect of certain fraudulent activity that the whistleblower ultimately reported to the SEC. Prior to informing the SEC, the whistleblower made repeated, but unsuccessful, internal reports through various company channels and mechanisms. When the company did not act to investigate or remediate the matter, the whistleblower reported the fraudulent activity to the SEC. According to the SEC, "[t]he whistleblower did everything feasible to correct the issue internally. When it became apparent that the company would not address the issue, the whistleblower came to the SEC in a final effort to correct the fraud and prevent investors from being harmed . . . this award recognizes the significance of the information that the whistleblower provided us and the balanced efforts made by the whistleblower to protect investors and report the violation internally."

The SEC's announcement did not provide any details regarding the nature of the problem or the circumstances of the whistleblower's complaint. Given that a bounty was ultimately paid (and, therefore, there was a successful enforcement action), it is interesting that (i) the company repeatedly failed to address the whistleblower's concerns and (ii) the CEO and CFO could deliver Section 302 and Section 906 certifications and a Section 404 management report in connection with the company's periodic reports unless the CEO and CFO were never made aware of the fraudulent activity.

According to the Wall Street Journal, the SEC's whistleblower program has generated tips from more than 6,500 people from at least 68 countries and resulted in more than $150 million in restitution and fines and more than $15 million in bounty payments to the whistleblowers. Interestingly, retirees comprised the largest group of whistleblowers with investors and engineers placing second and third.

What Can Be Done to Ensure Compliance with Section 302, Section 906 and Section 404 of SOX?

Although many of these recommendations are now commonplace, in light of recent events, companies may wish to reconsider the following action items:

  • Evaluate disclosure controls and procedures and internal control on a quarterly basis 
  • Require written sub-certifications from officers other than the CEO and CFO 
  • Review all periodic reports with the audit committee applying the "fairly presents" standard 
  • Ensure legal counsel reviews 10-Qs and 10-Ks for compliance with the Exchange Act 
  • Establish a Disclosure Committee to coordinate the review of SEC filings by all pertinent parties 

In addition, we would suggest that companies keep written records of all activities designed to ensure compliance with Section 302, Section 906 and Section 404 of SOX.

For further information visit Waller

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.