Cherry Picking Sarbanes-Oxley
Provisions that deserve a second look.
by Richard S. Savich
EXECUTIVE SUMMARY
Private companies and charities aren't
required to comply with the
Sarbanes-Oxley Act. But they can adopt
some of its requirements as best
practices. Cherry-picking the provisions
that will help them the most means they
can get maximum benefit at minimum cost.
Among the private
entities that might want to
voluntarily adopt the provisions of
Sarbanes-Oxley are companies planning an
IPO and those that might merge with or be
acquired by a public company within the
next two or three years. Such companies
might earn a premium for already being
Sarbanes-Oxley compliant.
A number of
Sarbanes-Oxley provisions also
might make sense for other private
companies or NPOs. For example, many
private organizations are creating audit
committees composed of outside directors
or naming an audit committee financial
expert.
A code of ethics is a
good idea for any organization,
as it establishes the tone at the top and
helps employees understand what is
expected of them. Similarly, putting
whistle-blower provisions in place can
help private companies and NPOs fight
fraud.
While large public
companies are required to
establish and maintain internal controls
over financial reporting, it isn't
yet clear whether the benefits of doing
so are worth the high cost for private
organizations.
Richard
S. Savich, CPA, PhD, is
president of ABKO Consulting in Bermuda
Dunes, Calif. He is also on the faculty
of the accounting and finance department
at California State University in San
Bernardino. His e-mail address is dicksavich@abko.com.
While public companies are required to
comply with the Sarbanes-Oxley Act, privately
held businesses and charitable organizations
generally are immune from the act's
far-reaching provisions. Still, many such
entities are finding that certain aspects of the
act can benefit their overall operations and are
cherry-picking those parts that will do them the
most good. Here are some requirements of
Sarbanes-Oxley that deserve a second look even
from organizations that don't have to
implement any of the act's provisions.
THE WHO AND WHY
What types of private
entities might want to voluntarily adopt the
Sarbanes-Oxley provisions that so many public
companies have been struggling to implement? For
companies that might soon go public, the
voluntary aspect of adoption becomes almost
mandatory. Companies planning an IPO within the
next two to three years would be better off
adopting Sarbanes-Oxley guidelines now rather
than waiting until they go public, when they
might face unknown costs and delays.
Companies
contemplating a merger or being acquired by a
public company within the next few years also are
prime candidates. If a private company
owner's exit strategy is to prepare the
company for eventual sale, one of the suitors
might be a public company willing to pay a
premium for an acquisition target that already is
Sarbanes-Oxley compliant.
Voluntary Compliance
In a January 2006 survey of
the CEOs of fast-growing
private companies,
27% said
their companies had adopted
Sarbanes-Oxley best practices in areas
such as governance and transparency.
73% opposed
any future federal or state regulations
that would impose Sarbanes-Oxley
provisions on entities other than public
companies.
67% of those
considering going public said the cost of
Sarbanes-Oxley compliance was a potential
barrier.
Source:
PricewaterhouseCoopers, Trendsetter
Barometer, www.barometersurveys.com.
Many
not-for-profit organizations also are adopting
some Sarbanes-Oxley provisions. In California,
for example, the Nonprofit Integrity Act of 2004
requires charitable organizations with over $2
million in gross revenues to have an audit
committee, which also approves nonaudit services,
and audited financial statements. The directors
of these entities may themselves be officers of
public companies who understand the benefits of
stronger internal controls and some of the other
requirements of Sarbanes-Oxley, and would like to
see the NPOs they help preside over comply
voluntarily.
Companies with
absentee owners also might consider adopting
certain parts of the act voluntarily to ensure
the professional management is doing a good job.
And finally, banks that extend loans or lines of
credit to private companies are asking borrowers
for more internal controls, like those found
in Sarbanes-Oxley, before making loans.
Private vs. Public
Congress never intended
the Sarbanes-Oxley Act to apply
to nonpublic companies and
nonprofit organizations. But a
national study by Foley &
Lardner LLP, The Impact of
Sarbanes-Oxley on Private &
Nonprofit Companies, revealed
that these entities continue to
adopt provisions of the act as
best practices.
The study
showed that while for-profit
private companies have been
consistently self-imposing
Sarbanes-Oxley standards,
nonprofit entities have been even
more aggressive in adopting
corporate governance reforms.
Nonprofits are more likely to
implement or plan to implement
whistle-blower procedures, board
approval of nonaudit services by
auditors and restrictions on
executive compensation, among
other changes.
Here are some
other study findings:
Private
companies tend to adopt the least
expensive reforms, as opposed to
more costly initiatives such as
section 404 audits of internal
controls.
Some 84% of
private organizations responding
to the survey believed corporate
governance reform was about
right, an increase over the
78% who had responded that way in
2005.
Survey
respondents estimated an average
annual price tag of $105,000 for
corporate governance procedures,
a 26% increase over their
estimated costs before Congress
enacted Sarbanes-Oxley.
Foley &
Lardner surveyed 56 private
entities in January 2006: 20
nonprofit organizations and 36
for-profit private companies. The
full survey results are available
at www.foley.com/2006privatestudy.
BEYOND CONTROLS
Sarbanes-Oxley is more than just a requirement
for stricter internal control audits. It includes
other elements that affect overall corporate
governance and audit relationships. In some
instances even public companies are making
changes that the act doesn't require but
that stem from the new climate of corporate
behavior. CPAs should encourage private companies
and NPOs to look carefully at some or all of the
actions described below that can potentially
improve overall operations at relatively minimal
cost.
Audit
committee membership. The act
requires that all public company audit committee
members be outside directors not employed by or
associated with the company. Many private
organizations are adopting similar rules to
ensure the external auditors have a conduit to
the board outside of management.
Audit
committee financial expert. Under
Sarbanes-Oxley, at least one audit committee
member must be a financial expert. While no
specific qualifications are required, exhibit 1 lists some that companies can consider
when making such a designation. Private
organizations should name at least one audit
committee member as a financial expert who can
question the auditors about various transactions
and the handling of accounts in the financial
statements and accompanying footnotes. Of course,
this does not preclude other members from asking
questions as well.
Audit
committee compensation. The law
makes no mention of compensation for audit
committee members. However, studies show
companies have begun to compensate these
individuals at a slightly higher rate than
regular board members, mainly due to the amount
of outside work necessary to prepare for meetings
with the board and with the auditors, as well as
for the increased number and duration of
meetings. Many organizations also are providing
extra compensation for the committee chair
because of the additional preparation work and
the increased number of meetings with the CEO,
CFO and outside auditors.
Audit
committee funding. The law says
public company audit committees must be funded
sufficiently to allow them to perform their
duties adequately. Private organizations should
be aware their audit committees may require extra
funding because of additional meetings or having
to engage consultants to answer questions that
are beyond the scope of the members'
knowledge or to determine alternative accounting
treatments. Companies should budget accordingly
when they establish audit committees.
Communications
with auditors. The audit committee
of any organization (public, private or
charity) should be able to meet with both the
external and internal auditors separately from
management to ask any necessary questions. These
meetings may be distinct from regularly scheduled
board meetings. Also, the external or internal
auditor should be able to call a meeting whenever
the attention of the audit committee or board is
needed.
Audit
committee approval of nonaudit services. Under
Sarbanes-Oxley any allowed nonaudit services that
exceed 5% of total revenues paid by the issuer to
the audit firm require audit committee approval.
Some services require board approval no matter
what they cost. Adopting such a policy in a
private organization would help guarantee that
management is not relying solely on one CPA firm
to provide all financial services. Recent history
has shown us this is not a good idea even where
it is permitted. (See exhibit 2 for a partial listing of nonaudit
services prohibited by the act and exhibit 3 for services that require audit
committee approval.)
Bookkeeping or other services related to the accounting records or financial statements of the audit client.
Financial information systems design and implementation.
Appraisal or valuation services.
Fairness opinions or contribution-in-kind reports.
Actuarial services.
Internal audit outsourcing services.
Management functions.
Human resources.
Broker/dealer, investment adviser or investment banking services.
Legal services.
Expert services unrelated to the audit.
Any other service the PCAOB determines, by regulation, is impermissible.
Code
of ethics. A code of ethics is a
great idea for any organization. It sets the tone
at the top and explains what is expected of
employees and associates in their behavior toward
customers, suppliers, fellow employees,
management and other stakeholders. A significant
number of private organizations are adopting
ethics codes as a best practice.
Whistle-blower
provisions. Public companies
haven't cornered the market on fraud;
private companies and NPOs have their share as
well. Any employee, customer or supplier who
detects fraud or misrepresentation within an
organization should be able to follow the
procedures the audit committee has established
for the receipt, retention and treatment of such
complaints. Many organizations outsource this
function to maintain the whistle-blower's
confidentiality, while the allegation itself is
referred to the audit committee for action.
Use of
outside advisers. The audit
committee should not have to rely solely on the
organization's legal counsel or internal
consultants for advice. In fact, there may be
instances where in-house counsel is part of any
alleged misconduct. The act says public companies
should provide the audit committee with funding
for outside advisers, including legal counsel or
consultants. Funding for similar resources would
be a good idea for private companies as well.
Management's
responsibility for internal control over
financial reporting. This is a
major provision of the act, the section public
companies are spending the most money on. It says
management is responsible for establishing and
maintaining an internal control structure and
conducting a yearend assessment of the
structure's effectiveness over financial
reporting.
For private
organizations, the cost/benefit relationship of
adopting similar rules has not yet been proven.
Accelerated filing public organizations must
comply regardless of the benefits. Nonaccelerated
public company filers (those with less than $75
million in capitalization) still have time to
comply, until fiscal years ending after July
15, 2007. However, both the SEC and PCAOB are
still considering extending the deadline or
increasing the capitalization amount. So, unless
your organization is one of those preparing for
an IPO or merger, the jury is still out on
whether the act's internal control rules are
recommended best practices.
Management
certification of financial statements. Having
the CEO and CFO sign off on the financial
statements and footnotes is key for all
organizations, public and private. Many
charitable organizations are asking this of their
management as well. By taking responsibility for
the numbers, executives show their leadership and
qualifications for the positions they hold. This
step goes beyond the basic representation letter
and has executives taking formal responsibility
for the financial statements. Under
Sarbanes-Oxley, public company executives can be
held criminally liable for misrepresentations.
For privately held
companies some other best practices that are not
specifically part of Sarbanes-Oxley might include
establishing an internal audit department or
internal audit function or at least outsourcing
internal audit to a specialist. Doing so might
improve overall operations and provide additional
benefits beyond the cost. The charter for many
internal audit departments is no longer just
helping the external auditors with their annual
audit, but also helping management improve
overall operations and controls. Outsourcing is a
good idea for entities that may not need a
full-time internal audit staff or do not have the
resources to develop the necessary competencies
internally. The outsourced staff can be expanded
to meet seasonal or other needs, and, typically,
its lower cost outweighs the benefits an internal
audit function will bring.
Recommend
that companies planning an IPO
within the next two to three
years adopt Sarbanes-Oxley
guidelines now rather than
waiting until they go
public, when they could face
unknown costs and delays.
Remind
organizations of all sizes,
public or private, that adopting
a code of ethics is a good idea.
It sets the tone at the top and
explains what is expected of
employees and associates in their
behavior toward others.
Advise
private companies and NPOs that
their boards of directors should
have the ability and funding to
consult with outside advisers on
financial reporting and legal
questions that may arise.
PICK AND CHOOSE
Private organizations are in a unique position
with regard to Sarbanes-Oxley; they can pick and
choose those parts of the act that potentially
offer the most benefit. At the same time they
don't have to spend inordinate amounts of
money to prepare for an auditor's
assessments of internal controls, nor institute
an elaborate system of controls to comply with
the act. Instead, they can take a more reasonable
cost/benefit approach and select those provisions
and controls that might benefit their
organization without incurring significant costs.
This is an enviable position to be in.
Entities that
aren't required to comply with
Sarbanes-Oxley also should use some caution.
Following the entire act's requirements can
be time consuming and costly. And some provisions
relate closely to others and shouldn't be
adopted separately. CPAs should advise clients or
employers as to which sections of the act might
be best for their organizations and how to begin
implementing them. While the list will vary from
organization to organization, the result will be
a stronger entity better able to deal with
today's financial challenges.