Private companies can embrace safeguards of the Sarbanes-Oxley Act
As many predicted when President Bush signed the Sarbanes-Oxley Act (SOX) in 2002, the spirit of the corporate governance law is having a significant impact on all of American business, private and public. Unlike publicly-traded companies, private companies and nonprofits are not required to implement most of the act's strict internal controls and financial reporting procedures. Yet companies of all sizes are embracing parts of the law and the financial safeguards it brings.
The result of this trend is generally seen as positive. But before private companies jump on the Sarbanes-Oxley bandwagon, they should examine what they hope to gain from the reforms, and weigh that against the cost. Private companies and nonprofits should pick and choose the provisions of Sarbanes-Oxley that make sense for them.
The trend toward voluntary compliance
A 2005 study of private organizations revealed that 87 percent of survey respondents felt that corporate governance reform has impacted their business in some way. In addition, 78 percent of the private organizations surveyed have made moves to impose their own corporate governance reforms.
The study also indicated that the reforms being implemented were those that are relatively inexpensive, including CEO/CFO financial certification, appointment of independent directors, adopting a corporate ethical code, establishing whistle blower procedures and approval of non-audit services by the board of directors.
What is driving this rush to self-imposed reform? Some private corporations view SOX as a sort of template for corporate best practices. Trust, financial transparency, adequate controls and openness are seen as a path to avoiding conflicts of interest, fraud and other mismanagement that can cost dearly in dollars, customer confidence and reputation. At the same time, lenders, customers and investment partners are putting direct and indirect pressure on companies to reform.
There are several scenarios that should cause private companies to consider compliance with Sarbanes-Oxley.
Financing sources are increasing their focus, weight and analysis on accounting controls and corporate governance as part of their due diligence. Quite often, representations, warranties and covenants required in the financing document regularly address SOX-like concerns for private companies, even though these requirements are not mandatory. At the very least, a private company should expect to be able to demonstrate that its:
- Financial statements are accurate.
- Internal control and accounting systems are reliable and capable of detecting as well preventing fraud.
- Outside financial auditor is independent.
- Transactions with insiders do not exist or have been conducted at arm's length and are approved by company directors not personally vested in the transaction.
Organizations making themselves attractive for acquisition by a public company will likely find potential buyers more receptive if they have already achieved compliance. Besides being more receptive, private organizations that have adopted SOX controls will also likely realize a greater price appreciation upon sale or initial public offering (IPO) issuance. Buyers will be hard pressed to pay full value for a private company unless they are assured that the financials and related controls are valid, the company's integrity is intact and that the current owners indemnify the buyers for any breaches of personal representations and warranties.
Private companies preparing to file for an IPO need to be SOX compliant. SOX requirements actually apply in full to a private company upon filing the Securities and Exchange Commission registration statement, which is done prior to even approaching investors. The fact that investment bankers and potential investors will want to ensure that the company is SOX compliant makes it prudent that advance planning and compliance efforts be started at least one year in advance.
Order winners & order qualifiers
Select organizations have already been “requested” or “required” by their clients to obtain an independent attestation of their internal controls in order to continue being a qualified contractor. A SAS 70 is often the attestation report that is required, and most typically these requests are imposed upon outsourced financial and/or technology providers.
In addition, if other states follow the regulatory lead of California, companies doing business with state or federal government entities may eventually have to adopt practices very similar to Sarbanes-Oxley to qualify and win contracts.
Personal liability risks
Although SOX has substantially icreased the potential penalties to privately-owned companies and their officers/directors, the odds of going to jail are relatively remote. However, the potential civil lawsuit liability exposure has only increased. As such, SOX standards are expected to become the norm when courts and juries look to consider whether fiduciary duties were fulfilled. No logical reason explains why a private shareholder is harmed any less than a public shareholder when fraud or misconduct impairs, de-values or wipes-away the shareholder's investment.
Some rules already apply
Several provisions of SOX apply to private and nonprofit companies. These include:
- New penalties for retaliation against whistle blowers. Anyone threatening the employment of a person who shares information about a person under federal investigation faces up to 10 years in prison. Programs are sprouting up that allow employees to report fraudulent activities.
- Harsher penalties for destroying or tampering with documents. Knowingly destroying, altering or concealing documents during a federal investigation or bankruptcy proceeding can result in a prison sentence of up to 20 years.
- Extension of the statute of limitations for securities fraud. The statute of limitations is now two years after discovery of the fraud or five years after the commission of the fraud.
- Daily penalties for insufficient retirement plan blackout period notification. Plan administrators of all 401(k) plans, pension plans and other ERISA plans must notify participants and beneficiaries at least 30 days in advance of any blackout period or be subject to fines of up to $100 per day, per participant.
- Increased criminal penalties for mail and wire fraud. Maximum prison sentences have increased from five to 10 years.
So what is a privately-held company to do? As with any other significant business move, changes should be considered carefully, implemented completely and monitored closely. Public companies were given nearly three years to get their houses in order. Private companies, especially those being targeted for acquisition or planning an IPO, should allow plenty of time to research, develop and implement new rules and procedures.
These types of changes are not going to happen over night. Goals must be established, costs must be considered and the board of directors and senior management must give the plan their stamp of approval. There will be training involved for top management and key personnel. Once the new practices and procedures are in place, they must be monitored and their impact measured to determine if the desired results are being reached or if adjustments are needed.
Start with a code of ethics
Sarbanes-Oxley requires public companies to draft a formal code of ethics. More and more private companies are following suit if they don't already have a set of directives. The code of ethics should evolve into a pervasive corporate culture. Employees from top to bottom must understand the behavior that is expected of them, and the consequences if they don't hold up their end of the deal. Organizations should consider that the behavior of top executives is routinely mimicked and ingrained into the organization's operating culture.
A code of ethics demonstrates that the company is serious about ethical behavior, and opens deeper discussions about the value of integrity in the workplace.
Sarbanes-Oxley is considered the most far-reaching reform of the laws governing publicly-traded companies since the 1930s.
Hope Wheeler is an assurance partner with Clifton Gunderson LLP. She can be reached at 217-351-7400 or firstname.lastname@example.org.