Managing Sarbanes-Oxley Compliance
William V. Botts, Management Consultant
The Sarbanes-Oxley legislation of 2002 (SOX) was born out of abuses by corporations, their lawyers, and their auditors during the wild business environment of the late 1990s. It was clear in many cases before SOX that corporate CEOs, CFOs, and/or boards of directors, in concert or alone, were not only not minding the store but were more or less cooking the books. Corporate governance in many corporations was either non-existent or simply ignored.
What is SOX? Corporate governance sums up SOX. SOX is a comprehensive law that first established a Public Company Accounting Oversight Board (Board) under the auspices of the U.S. Securities and Exchange Commission (SEC). The Board registers auditing firms and makes and adopts rules related to independence, quality control, and other auditing report standards. Additionally, the Board conducts inspections of audit firms and audits, investigates, disciplines, and imposes sanctions where appropriate. It also enforces SOX compliance, professional standards, and securities laws among other responsibilities.
The Board has a great deal of power to deal with financial reporting standards and rules. This is Congress’ attempt to improve the accuracy and reliability of corporate financial reports and to preclude financial manipulations by management alone or in conjunction with a corporation’s auditors and lawyers.
Many sections of SOX deal with how audit firms, law firms, and their employees can and cannot interact with corporate clients and management. It clearly defines the interface between boards, management, and the corporate auditors. Further, it sets clear standards for audit committee participation and, most importantly, the CEO’s and CFO’s ultimate responsibility for the accuracy of financial reports.
Damned if you do.
The real hooker in SOX, from a corporation’s viewpoint, is Section 404, Management Assessment of Internal Controls. “404 compliance,” as it is so often called, is the “damned if you do” position of SOX; it involves a myriad of organizational, process, accounting, and procedural controls and changes.
Implementing, auditing, and operating to “404 compliance” is expensive.
For example, a $100 million corporation recently spent over $1.5 million to implement Section 404, pass the testing phase, and prepare to be audited for compliance. Now they must maintain the process, continue staff training, complete in-process audits, and much more. This is a huge financial and operational burden for any private company wanting to use SOX as a pattern for corporate governance and internal controls.
Damned if you don’t.
The other side of the coin is ignoring SOX or SOX-like procedures. Even though small- to medium-sized private companies are not required by the Act to implement Section 404, there are several requirements that seem applicable to private companies and their executives, owners, and boards of directors. If your company has shareholders or a board of directors, might consider being acquired, or is contemplating an IPO, you should at least implement some of the basic controls that support good, if not full SOX-level, corporate governance.
Right off the top, directors have a fiduciary duty to the shareholders whether public or private, and shareholders can sue them if they breach their fiduciary responsibilities. In addition, if directors are counting on indemnification agreements and Directors and Officers (D&O) insurance to protect themselves, they should be vigilant and insist that basic corporate governance processes are in place and upheld.
Equally important for companies that are contemplating an IPO or being acquired by a public company is the fact that either event will trigger a SOX compliance requirement. Specifically, a company preparing to go public must be 404 compliant upon filing. In the case of being acquired, the acquiring public company may require the acquiree to be 404 compliant. At a minimum, the attractiveness of a compliant acquisition target will be a plus to the acquirer and could affect valuation.
As SOX has gained momentum in the public arena, other organizations and agencies are looking to SOX or SOX-like controls as one way of providing risk reduction in areas related to lending, insurance, D&O insurance, and the like.
There are a number of direct impacts on private companies emerging out of SOX, including a mandate to provide a channel for, and protection of, whistleblowers. A more serious direct impact imposes criminal sanctions for improper falsification, destruction, disposal, and/or modification of documents when a company is involved in any government proceeding. In addition, there are indirect impacts connected to auditor relations, board composition, audit committees, and 404 controls that should be considered as “best practice” items.
So what’s a private company to do? If the private company is small, has no outside shareholders, and is basically closely held, the owner/CEO can choose their own path for ensuring the accuracy of financial statements. As long as the company’s bankers and other service providers are satisfied, the company probably needs no SOX-like actions. If, on the other hand, the company has significant investors, might contemplate an IPO, could be acquired in the future, or has operated with limited attention to corporate governance, there are some basic controls that are generally affordable and can set the stage for adopting SOX in the future.
There are productive and cost-effective actions that a private company can take to optimize its SOX compliance.
All told, a private company can benefit from most of the above actions, resulting in better corporate governance.
© 2006 William V. Botts. All rights reserved.