Why does the CEO's signature at the end of the 10-K carry criminal penalties?
The last pages of every 10-K contain signatures. The CEO and CFO sign, as do directors and the independent auditor. To many investors, these are formalities—a legal checkbox. But the CEO and CFO certifications are far more than formalities. When the CEO signs the 10-K, they are stating, under penalty of perjury, that the document is truthful and complete. If the 10-K later proves false, the CEO can face criminal prosecution, imprisonment, and massive fines. This is Sarbanes-Oxley in action. The law makes personal liability stick. As a result, the signature section is a window into management confidence and integrity. A CEO who signs quickly and confidently is asserting trust in the statements. An officer who hesitates, negotiates with auditors on language, or eventually resigns is signaling doubt.
Quick definition: The 10-K contains two SOX certifications. Section 302 (Exhibit 31) requires the CEO and CFO to certify that they have reviewed the 10-K, that it is accurate, and that they have disclosed material weaknesses in internal controls. Section 906 (Exhibit 32) is a separate, enhanced certification stating that the 10-K complies with securities laws. Violations of SOX 906 carry criminal penalties: up to 20 years imprisonment and fines up to $1M per violation.
Key takeaways
- Sarbanes-Oxley 302 certifications make the CEO and CFO legally responsible for the accuracy of the 10-K. This is a powerful incentive to ensure the statements are defensible and complete.
- Section 906 certifications carry criminal penalties: knowingly signing a false certification can result in up to 20 years imprisonment and $5M in fines per count. This is a severe deterrent.
- If an officer refuses to certify, declines to sign the 10-K, or resigns before signing, it is a red flag. It signals doubt about the accuracy or completeness of the statements.
- The signature page lists all directors who have reviewed the 10-K. Their signatures mean they have exercised due diligence and believe the statements are fair. Absent or undated signatures are yellow flags.
- The auditor signs the audit opinion, not the 10-K itself. But the auditor's signature and the tone of the opinion (unqualified, qualified, going concern doubt) are critical signals.
The SOX 302 certification (Exhibit 31)
The CEO and CFO must sign the following certification (or a substantially similar statement):
I [officer name], certify that I have reviewed this annual report on Form 10-K of [company name].
Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which they were made, not misleading.
Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations, and cash flows of the registrant as of, and for, the periods presented in this report.
I am responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) for this registrant and have: (a) designed such disclosure controls and procedures, or caused them to be designed under my supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to me by others within those entities, particularly during the period in which this report is being prepared; (b) evaluated the effectiveness of such disclosure controls and procedures as of a date within 90 days prior to the filing date of this report on the basis of such evaluation; and (c) presented in this report my conclusions about the effectiveness of such disclosure controls and procedures based on my evaluation as of that date.
I have disclosed to this registrant's auditors and the audit committee of this registrant's board of directors (or persons fulfilling the equivalent function): (a) all significant deficiencies and material weaknesses in the design or operation of internal controls over financial reporting which are reasonably likely to adversely affect the registrant's ability to record, process, summarize and report financial information; and (b) any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal controls over financial reporting.
I have indicated in this report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of my most recent evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
I have disclosed to the auditors and the audit committee any change in internal control over financial reporting that occurred during the most recent fiscal quarter (the registrant's fourth fiscal quarter in the case of an annual report) or in the related fiscal year that has materially affected, or is reasonably likely to materially affect, the registrant's internal control over financial reporting.
The officer signs and dates this statement. Breaking down the key assertions:
- Accuracy of the 10-K: The officer is stating, under penalty of perjury, that the 10-K contains no material untrue statements or omissions. This covers both the financial statements and the MD&A.
- Fairness of financial statements: The officer is confirming that the financial statements fairly present the company's financial condition, results of operations, and cash flows. This is stronger than "they comply with GAAP"; it requires qualitative judgment.
- Disclosure controls and procedures: The officer has designed (or caused to be designed) and evaluated disclosure controls—systems to ensure that material information gets to management and into the filing. This is distinct from internal controls over financial reporting (ICFR). Disclosure controls are about whether information gets communicated; ICFR is about the accuracy of that information.
- Internal control weaknesses: The officer must disclose significant deficiencies and material weaknesses to the audit committee and auditors. This is a candid admission of where controls are broken.
- Fraud disclosure: If management is aware of any fraud, the officer must disclose it to the auditors and audit committee. This is a critical assertion—if later evidence shows the officer knew of fraud and did not disclose it, the officer faces liability.
- Changes in controls: The officer must disclose any changes to disclosure controls or ICFR during the year, particularly in the most recent quarter.
The SOX 906 certification (Exhibit 32)
Separate from the 302 certification, the CEO and CFO must also file a "906 certification":
I, [officer name], certify, pursuant to Section 906 of the Sarbanes-Oxley Act of 2002, 18 U.S.C. Section 1350, that:
(1) the accompanying Form 10-K fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934; and
(2) the information contained in the accompanying Form 10-K fairly presents, in all material respects, the financial condition and results of operations of [company name].
This is a shorter statement but with severe consequences. The officer is asserting, subject to criminal penalties, that:
- The 10-K complies with all applicable securities laws.
- The financial information is accurate and complete.
Violating SOX 906 is a federal crime. The penalties are:
- Up to 20 years imprisonment.
- Up to $5M in fines per violation (effectively per certification, so both CEO and CFO certifications).
The severity of this penalty is intentional. Congress wanted to make executives personally liable for the accuracy of filings. In practice, this has deterred many executives from signing questionable 10-Ks and has encouraged more rigorous internal review before signing.
What happens when an officer refuses to certify?
History provides examples. If the CEO or CFO believes the 10-K contains material misstatements or omits material facts, they can refuse to certify. This is extremely rare and signals serious internal conflict. If an officer refuses to certify:
- The company must disclose the refusal to the SEC (often via 8-K).
- The market interprets this as a major red flag.
- The officer often resigns (they cannot certify, so remaining is untenable).
- The company faces credibility damage and potentially enforcement action.
One famous example: In 2006, Citigroup's CFO Sallie Krawcheck refused to certify one quarterly 10-Q because she believed certain reserves were inadequate. The refusal was disclosed, Citi's board supported her concerns, and the company adjusted the reserves. Krawcheck was later terminated for other reasons, but her refusal to certify showed that SOX has created a mechanism for financial officers to resist pressure from management or the board.
More commonly, officers and auditors negotiate over language. An auditor might insist on a disclosure about a control weakness; the CEO might push back. Eventually, they reach agreement. But if the officer ultimately signs and it later appears they knowingly signed a false statement, they face criminal liability.
Reading the signature page: what to look for
1. Are all signatures present and dated?
Every director must sign the 10-K (or, in some cases, attest to it). Every signature should be dated. Missing signatures or undated signatures are a procedural weakness. They suggest the filing was rushed or that governance was incomplete.
2. Did any officers resign before signing?
If the CFO or CEO departed just before the 10-K was filed, before they could sign, investigate why. A resignation timed to avoid certification is a red flag. Check the company's 8-K filing for the resignation. Did they cite "disagreements with the board on accounting matters" or was it a routine retirement?
3. Are the certifications qualified or conditional?
The SOX certifications are standard templates. If an officer adds language ("to the best of my knowledge" or "except as noted"), it weakens the assertion. An officer who qualifies their certification is signaling doubt.
4. Did any directors abstain from signing?
All directors should sign. If a director (especially an audit committee member) abstained or is noted as "unavailable to sign," ask why. This is unusual and may signal governance issues.
A real-world scenario: when certifications get re-signed
In 2002, immediately after SOX was enacted, several companies re-filed 10-Ks with new certifications from new officers or with expanded disclosures of control weaknesses. These re-filings signaled that the initial certifications were questionable or that officers wanted cleaner ones.
More recently, during the COVID-19 pandemic, some companies disclosed in their certifications that they had not been able to fully evaluate disclosure controls (due to remote work). This was an explicit assertion of weakness. Investors had to weigh whether the company's controls were materially compromised or whether the disclosure was overly cautious.
A mermaid diagram: the SOX certification decision tree
Common mistakes when reading signatures and certifications
Mistake 1: Assuming certification means accuracy.
The CEO and CFO are certifying that they believe the 10-K is accurate based on their knowledge and the company's internal controls. But they are not auditors; they may not detect all errors. And later, restatements happen. Certification is a governance check, not a guarantee. If a restatement occurs after certification, the question is whether the original officer should have known about the problem.
Mistake 2: Not reading the actual certification language.
Investors often skim the signature page without reading the full certification. The certification text itself contains important information, especially regarding internal control weaknesses and changes to controls. Read the full text, not just the signatures.
Mistake 3: Overlooking changes in officers.
If the CEO or CFO changed during the year, and a new officer is signing the 10-K for the first time, note this. Has the new officer discovered control issues unknown to the predecessor? Or is the new officer simply signing what they inherited? Cross-reference with MD&A disclosures about internal controls.
Mistake 4: Ignoring the auditor's opinion signature.
The auditor signs the audit opinion, which appears just before the financial statements. The auditor's signature, the date of the opinion, and the tone (unqualified vs qualified vs adverse) are critical signals. A qualified opinion or going-concern doubt is as important as the CEO's certification. Don't skip the auditor's opinion.
Mistake 5: Not checking for contemporaneous governance disclosures.
If the 10-K certifications reference internal control changes or weaknesses, cross-check against the MD&A and Item 9A (Controls and Procedures). Are the disclosures consistent? If the CEO certifies "no material weaknesses" but Item 9A discloses "a significant deficiency in revenue recognition," there is an inconsistency that warrants scrutiny.
FAQ
If the CEO is imprisoned for signing a false 906 certification, what happens to the company and shareholders?
The company faces enforcement action, potential fines, and loss of credibility. Shareholders who relied on the false 10-K may file class-action lawsuits against the company and officers. The company may have to restate, triggering further shareholder litigation. The imprisoned CEO's position would be vacant and filled by an interim or new executive. The company's stock often plummets. For example, executives at Adelphia Communications and WorldCom faced criminal charges and imprisonment after signing false certifications. Shareholders suffered massive losses.
Can an officer be charged criminally even if the 10-K was signed unknowingly in reliance on others?
The SOX 906 penalty requires knowledge or reckless disregard. If an officer blindly signed without reviewing or verifying the information, prosecutors could argue recklessness. The safe harbor is due diligence—the officer must have a reasonable basis for believing the certification. An officer who signs without reviewing is taking a risk, even if unaware of specific falsehoods.
What is the difference between a significant deficiency and a material weakness in controls?
A significant deficiency is a control deficiency (or combination) that is important enough to merit attention by those responsible for oversight (the audit committee). A material weakness is a more severe condition that is reasonably likely to result in a material misstatement of the financial statements. Item 9A and the 302 certification must disclose material weaknesses; significant deficiencies should be disclosed if they are important. The distinction matters for materiality and investor concern.
Do directors face personal liability for signing the 10-K?
Directors do not have the same criminal liability as the CEO and CFO under SOX 906. But directors are liable for due diligence. If a shareholder lawsuit proves that directors breached their fiduciary duty by approving and signing a false 10-K, the director can face liability. This is why audit committees and independent directors are careful to review and verify before signing.
Is a "material weakness in internal controls" a reason to sell the stock?
Not automatically, but it is a yellow flag. A material weakness means the company's controls over financial reporting are broken to the degree that a material misstatement could occur and not be prevented or detected. This increases the risk of earnings surprises, restatements, or fraud. The company should disclose the weakness and its remediation plan. If the weakness persists for years, concern rises. Some material weaknesses are manageable (e.g., a small company without a large finance team); others are existential (e.g., the CFO is ineffective and no one else can review the accounting). Context matters.
Can the CEO certify truthfully if they know of fraud by a junior employee?
Yes, if they believe the financial statements are accurate overall. However, if they know of fraud and do not disclose it to the auditors and audit committee, they are violating the disclosure obligation in the 302 certification. The certification requires disclosure of fraud "whether or not material." So if the CEO knows of a $50K embezzlement, they must disclose it even though it is immaterial to the financials.
Related concepts
Disclosure controls and procedures: Systems and processes to ensure that material information is accumulated and communicated to management in time for evaluation and inclusion in SEC filings. These are distinct from internal controls over financial reporting and focus on communication, not accuracy.
Material weakness: A deficiency (or combination) in internal controls over financial reporting such that a material misstatement could occur and not be prevented or detected. Material weaknesses must be disclosed; they are serious.
Significant deficiency: A deficiency in internal controls that is important enough to be considered for disclosure to the audit committee, but is less severe than a material weakness.
Section 906 certification: The criminal certification required by Sarbanes-Oxley Section 906, subject to criminal penalties of up to 20 years imprisonment and $5M in fines per violation.
Due diligence: The effort an officer must make to verify the accuracy of a filing before signing. Due diligence can be demonstrated by reviewing documents, asking questions, and relying on representations from auditors and internal controls. An officer who signs without due diligence is at risk.
Summary
The CEO and CFO certifications are powerful mechanisms of accountability. By signing the 10-K, officers assert, under penalty of perjury, that the statements are accurate and complete. The SOX 906 certification carries criminal penalties for knowing violations. This creates a strong incentive for officers to ensure accuracy and to escalate doubts. If an officer refuses to certify, resigns before signing, or qualifies the certification, it is a red flag. The signature page and full certification text should be read carefully. They offer a window into management confidence and internal governance. A properly signed 10-K with clear, unqualified certifications is a positive signal; one with missing signatures, resignations, or qualified language warrants investigation.