Since the passage of the much-hailed (and cursed) Sarbanes-Oxley Act of 2002 (Sarbox), many publicly traded companies have restructured their boards, revised their financial recording and accounting practices and updated their codes of ethics. Many people have asked whether privately held companies and non-profits should be subject to the same requirements now imposed upon public companies. Is it appropriate to take these kinds of measures and apply Sarbox to privately held companies and non-profits? Before addressing these issues, it is important to understand the spirit of Sarbox, as well as provisions that are expressly applicable to privately held and non-profit companies.
Corporate scandals over the last few years planted the seeds for Sarbox and a host of related legislation, rules, and regulations. Corporations such as Enron, Global Crossing, WorldCom and Tyco have become in some circles synonymous with “greed” and “deception.” When the WorldCom scandal broke, Congress abandoned the idea that all we needed to do was to remove a few bad apples. The result was Sarbox, which altered the way board members, management teams, auditors, financial institutions, and investors work with one another.
Make no mistake, the scope of Sarbox is far reaching. While Sarbox primarily applies to corporations with publicly traded securities and those that have to file public reports under Section 15(d) of the Securities and Exchange Act of 1934, some provisions apply beyond these public companies. For example, some of the provisions relating to retaliation, whistle-blowing, and record destruction apply to all businesses, including non-profit organizations.
Perhaps just as important as these explicit requirements for all businesses, if not more so, are the requirements Sarbox imposes on publicly traded companies. Many of these public company mandates are working their way down to private companies through various legal and economic channels, such as courts, state laws, insurance carriers, shareholders, and some public corporations. These “trickle-down” provisions are really the meat of Sarbox. They include the following:
Title II contains numerous requirements designed to ensure the independence of a company’s auditors.
Title III covers rules pertaining to audit committees, certification of financial statements by CEOs and CFOs, and professional responsibility for attorneys.
Title IV is designed to improve financial disclosure, such as limiting off-balance sheet arrangements, requiring disclosure of insider transactions, and limiting certain types of arrangements and transactions (loans) with directors and executive officers. Title IV also requires a management assessment of internal controls (Section 404). This section forces those companies that have not historically followed an authoritative framework, such as the “Internal Control – Integrated Framework” by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), to overhaul their documentation and assessment methodologies.
Privately held and nonprofit companies should consider adopting provisions in these three Sarbox titles.
Senior management of privately held and nonprofit companies may ask, “Why would I want to comply with federal regulations when I am not required to?” Consider the following:
1. Going Public. Companies that plan to go public should have appropriate measures in place well in advance of going public. Failing to do so may jeopardize or delay the ability of a company to go public.
2. Limit Litigation Exposure. Having solid accounting policies and procedures in place may limit the exposure from a derivative lawsuit or other claim by shareholders, third-party creditors, the Internal Revenue Service, or other stakeholders.
3. Bank and Insurance Requirements. Insurance companies and banks may require companies to have appropriate board of directors’ composition or financial and accounting policies and procedures in place (or alternatively, charge higher prices to companies that don’t).
4. Investors and Acquirers. Investors (and in some contexts, even purchasers or vendors) may require that privately held companies adopt many of the Sarbanes-Oxley safeguards. Also, acquirers and investors may either discount the valuation of a company that does not have appropriate measures in place or even possibly take a pass on the opportunity.
While organizations are scrambling to understand Sarbox, a clear divide has evolved between those who simply want to “skate by” with minimal compliance efforts and those who are embracing it. Many within this latter group are changing the composition of their boards, implementing new conflict of interest policies, and examining their abilities to leverage information technology for better decision support, not simply regulatory compliance or cost reduction. A slew of proprietary software packages have sprung up to identify risks and exposures across the business by evaluating operating results, business-unit reporting, disclosure controls and procedures, ethics, document retention, and other areas. Data mining, business intelligence, and enterprise risk management now are seen as essential to promote the spirit of Sarbox, which is management accountability to shareholders through transparent financial reporting. With dynamic and comprehensive information technology systems, companies will have more assurance of their financial data and deep capabilities to support their operations while also being Sarbox compliant.
The bottom line is that you cannot create integrity through regulation. Either people have it or they don’t. However, severe consequences for unethical behavior, conflict-of-interest transactions not properly disclosed or approved, and insider sweetheart deals can be, and in some contexts have been, mandated. Information systems are in many contexts the conduit that captures the data and brings it to the forefront. They are the critical medium that can either make or break a company in terms of both the spirit and the letter of the law of Sarbanes-Oxley. We will take a deeper look at these relationships both in the private and public company contexts next month.
Ronald Kral is a founding partner of Candela Solutions, a specialized public accounting firm focusing on governance, internal auditing, and technology.