Following a string of corporate and accounting scandals at U.S. public companies, Congress passed The Sarbanes-Oxley Act of 2002 (" SOX ") to regulate corporate governance, help prevent future abuses and restore public faith in federal oversight of public company governance. SOX and related rules initiated accounting and disclosure reforms designed to heighten corporate accountability and ethics. While most of SOX applies only to public companies, with two notable exceptions, SOX raised the bar for compliance by all companies1. Some accounting firms and insurance companies have now adopted one-size-fits-all policies as to their clients' governance requirements, without regard to whether their clients are public or private companies. While certain of SOX's provisions are not readily applicable to not-for-profit companies ("NFPs"), many are. Because of the widespread current emphasis on corporate accountability and greater scrutiny of corporate actions, without regard to public or private status, NFPs should consider applying various SOX principles as a matter of best practices. Of course, because NFPs vary greatly in size and resources, an NFP's Board will need to evaluate the feasibility of implementing these suggested reforms in light of its needs and abilities.
In Part I of this Article, we discuss SOX generally and its application to NFPs, and suggest how an NFP might implement SOX-type reforms as a matter of best practices. In Part II, we will discuss SOX-type requirements currently (or proposed to be) imposed on NFPs by various governmental authorities.
SOX Provisions Applicable To NFPs
Two SOX provisions directly apply to public and private entities (including NFPs), namely its provisions prohibiting retaliation against whistleblowers and its prohibition of intentional destruction of documents.
Whistleblower Protections.SOX provides extensive protections for whistleblowers, who report suspected illegal corporate activities. SOX Section 1107, which applies to public and private companies, amended the federal criminal laws to require fines or up to 10 years in prison, or both, for anyone who knowingly, with the intent to retaliate, takes any action harmful against any person (including interference with any person's lawful employment or livelihood) because such person provided truthful information to a law enforcement officer relating to any federal offense.2
Document Destruction. SOX Section 802 (part of which applies to all companies3) amended the federal laws to provide that whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of a U.S. department or agency or a federal bankruptcy case will be fined, imprisoned for up to 20 years, or both. SOX Section 1102 established the same penalty for anyone who corruptly alters, destroys, mutilates or conceals a document with the intent to impair its integrity or availability in an official proceeding.
Other SOX Provisions Generally
Audit Committees. Under SOX-related rules, exchanges were required to implement rules requiring audit committee members to be independent directors, with the definition of "independent" being a strict one precluding certain relationships with (and receipt of most types of compensation from) the relevant company. Other SEC rules require disclosure as to whether at least one audit committee member is an "audit committee financial expert" (and if not, why not), implying that each audit committee should have one.
Auditors. Because SOX attempts to ensure auditors' independence, SOX-related rules prohibit auditors from providing certain non-audit services to public companies (including certain broker-dealer, investment banking, bookkeeping and appraisal or valuation services). Audit committees must approve all allowable audit services performed by auditors and must approve in advance all non-prohibited non-audit services (including tax services) performed by auditors, with de minimus exceptions for certain services that are approved by the audit committee or a designated representative before the audit is completed. Lead and certain other significant audit partners must be rotated at least once every 5-7 years, and an auditor may not audit a company if, within the year before the audit start date, certain executive officers were employed by the auditor and provided a minimum number of services for the company. Auditors also must report to the audit committee, before they file an audit report with the SEC, as to certain matters (including critical accounting policies used, material alternative treatments of financial information that were discussed with management, and other material written communications between the auditor and management).
Certified Financials. Because a recurring SOX theme is corporate accountability, public company principal executive and financial officers must certify annual and quarterly filings as a safeguard against inaccurate or misleading reports, and executives who knowingly and intentionally make false certifications may be subject to criminal sanctions.
Personal Loans. Under SOX Section 402, a company may not directly or indirectly extend or maintain (or arrange for or renew the extension of) credit to or for executive officers or directors.
Internal Controls. Under SOX Section 404, public companies will need to file an internal control report, indicating that they have designed, tested and maintained a system of internal controls for financial reporting and that the system is successfully operating, and the principal executives must certify quarterly that the internal controls systems have not undergone significant changes.
Disclosure Controls. Because adequate disclosure and transparency are recurring SOX themes, SOX requires disclosure controls and procedures to be designed to ensure that information required to be disclosed is properly recorded, processed, summarized and reported.
Codes of Conduct. The SEC requires public companies to make their codes of ethics publicly available, and the exchanges (NYSE, AMEX and NASDAQ) require adoption and disclosure of codes of conduct and waivers thereof.
Recommendations Based On SOX And Best Practices
Due to the SOX requirements applicable to all companies, public and private, an NFP should:
Whistleblower Protection. Adopt a written policy regarding employee complaint procedures and preventing retaliation. To be safe, the NFP also should fully disclose the policy and related procedures to its employees, and should carefully document all complaints, investigations and findings. Even if a claim is unfounded, the NFP should not reprimand an employee who makes a claim in good faith, and NFP executives should take all complaints seriously, investigate the situation, fix any problems or justify why corrections are not necessary, and document their findings, analysis and conclusions.
Document Destruction. Adopt a written policy regarding procedures for disposing and archiving corporate records, which includes guidelines for handling electronic files and voicemail, and covers back-up procedures, and regular check-ups as to system reliability. If an official investigation is underway or even suspected, management should stop any document purging in order to avoid criminal obstruction charges.
Best Practices Recommendations.Using SOX as a guide, an NFP should as a matter of best practices:
Audit Committees. Establish an audit committee with responsibility for overseeing accounting and financial reporting processes, which committee consists of independent board members and at least one financial expert. It also should establish procedures regarding the audit committee's processing of employees' complaints regarding accounting, internal control and related matters, and should timely investigate complaints and carefully document subsequent resolution of such complaints. Many larger NFPs have a finance committee that oversees NFP financial matters (including preparation of financial statements and working with auditors on the annual report), and such NFPs should consider whether to separate the finance and audit committees.
Auditors. Consider having its financials audited annually. If it chooses not to have an annual audit conducted, it should engage an accountant to review its annual financial statements and IRS Forms 990. If it has an audit conducted, it should:
* retain an accounting firm that has NFP experience and rotate its lead auditor or lead partner every five years;
* require auditor disclosure to the committee of critical accounting policies; and
* consider requiring its audit committee to pre-approve certain audit services and prohibiting certain non-audit services, consistent with the SOX rules as described above. Certified Financials. Ensure that NFP officers certifying the IRS Form 990 (the key financial document for NFPs, which requires a corporate officer's signature) review the Form to be sure that it is accurate and complete (and consider having its board and any audit committee review the Form for accuracy). In addition, the NFP's audit committee should examine its financial systems, policies and reporting to help improve accuracy and completeness of the form of financial report to the board and audit committee generally. It also should also file the Form electronically and make the filing easily available publicly by posting them on its website.
Personal Loans. Generally prohibit the practice of providing personal loans to directors or officers. If an NFP believes that it is necessary to extend a loan, its board should formally approve the loan. Of course, because existing rules already safeguard against the flow of money away from an NFP toward a person with a significant relationship with the NFP for private purposes (called "private inurement"), and because excessive personal benefit and self-dealing all cause serious penalties for NFPs that step out of line and "intermediate sanctions" laws specifically address compensation and excess benefit transactions with "disqualified" individuals (typically NFP board members or senior management), as discussed in Part II, an NFP already is subject to controls on its extensions of credit.
Internal Controls. Evaluate whether strengthening its internal controls is feasible and cost-effective. If it determines that it must strengthen its internal controls, methods of doing so include strengthening information systems that produce reports and implementing activities to monitor the reporting system to assess the quality of its performance over time.
Disclosure Controls. Evaluate whether strengthening disclosures is feasible, and provide an accurate picture of its financial condition to donors, clients, public officials, the media and others by electronically filing its Forms 990 and making such Forms freely available to anyone who requests them.4
Codes of Conduct. Consider adopting a code of conduct (including a conflict of interest policy) and include policies for enforcement thereof.
In recent years, with increased scrutiny of corporate governance, best practices have evolved based on SOX rules. NFPs should be encouraged to analyze their practices and methods of operation. Many NFPs may need to conduct a top-down review of their practices and certain relationships, such as with their auditors. To that end, NFPs may need to consider updating their organizational documents and committee structures to reflect certain of these best practices. In the end, it is important to note that for NFPs, self-regulation and proactive behavior will usually prove more powerful than reactive and defensive governance policies.
1Certain Delaware judges have implied that SOX standards could influence an assessment as to whether a company's management and directors have complied with their fiduciary duties to the company and its stockholders. See In re The Walt Disney Co. Derivative Litigation (August 9, 2005), in which the Delaware court found that while the directors did not breach their fiduciary duties under Delaware law, certain of their actions reflected the absence of good corporate governance and could give rise to liability in a different case. The implication is that, in the post-SOX world, a case like the Disney one might have a different outcome. Delaware does not have separate statutes for NFPs and for profit companies, and instead administers both types of companies under one statute, so that directors of both types of companies have similar duties.
2SOX Section 806 (which applies only to public companies) protects persons who provide information to (or otherwise assist in) investigations by supervisors or the U.S. government as to possible securities law violations or fraud by allowing such persons to seek relief against a company.
3Section 802 also includes rules designed to ensure that auditors retain workpapers for a minimum amount of time and establishes punishing destruction of corporate audit records relating to public companies.
4 The IRS is currently pursuing proposals to require such measures.
Published February 1, 2006.