Compliance Readiness: The Impact Of Sarbanes-Oxley On Private Companies

Thursday, September 1, 2005 - 00:00

I. Introduction

In 2002, in the wake of Enron, WorldCom and other similar examples of corporate greed, scandal and corruption, the federal government took significant steps to attempt to deter similar activities with the passage of the Sarbanes-Oxley Act of 2002, as amended ("Sarbanes-Oxley" or "SOX").1 Since being signed into law by President Bush, SOX has been the driving force behind publicly traded companies instituting and enforcing stricter internal governance controls, limiting the number of services for which they engage their accountants and providing more fulsome disclosure to their stockholders. Failure to institute these and other measures will continue to result in stiff penalties for non-compliant companies and in some cases possible personal liability and imprisonment for members of their senior management.

While the mere mention of SOX tends to elicit angst and frustration in public company board rooms and in the offices of the CEOs and CFOs, as the hours and costs of compliance with SOX continue to rise, those looking in from the world of private companies initially breathed a long sigh of relief. When SOX was first promulgated, private company CEOs and boards of directors initially believed that this new legislative initiative did not impact their business. That sense of relief, however, has been short-lived, since over the past three years, the reach of SOX has extended into the board rooms of privately held companies where it has had a significant impact upon a company's strategy and day-to-day operations.

Why do private companies need to concern themselves with Sarbanes-Oxley? The wording of the statute itself does not explicitly bind private companies to adhere to the various "best practices" instituted by SOX.2 What then is the impetus behind private companies instituting many, if not all, of the SOX-driven checks and balances?

The answer is the return of a more robust market. As the economy continues to move beyond the doldrums of the past few years, the investment community and public companies, which are implementing and executing on a growth-by-acquisition strategy, are moving ahead and executing on their strategies. Recently, the opportunity not only to invest, but divest from investments either by a sale or initial public offering in a manner that results in significant returns to investors on their investment, has again become much more of a reality than the pipe dreams of a few years ago. These "exit strategies," however, will require privately held companies to demonstrate compliance with SOX in order to be successfully implemented. Venture capitalists are also now more often than not holding privately held companies to a stricter "best practices" standard in order to satisfy the demands of their own limited partners and to help assure a profitable exit strategy.

II. The "IPO"

Upon the filing of its registration statement with the SEC, a pre-IPO company becomes subject to the rules and regulations of SOX.3 Accordingly, a soon-to-be public company must demonstrate compliance with SOX in areas such as: (i) restrictions on insider loans, (ii) internal audit controls, (iii) majority of boards of directors comprised of independent directors, and (iv) CEO and CFO certifications of quarterly and annual financial statements. Compliance with these requirements is never accomplished overnight. Enlisting independent directors and requiring the independence of auditors, for example, may take many months to accomplish. Consequently, these and other requirements must be instituted, to the extent possible, early in the life of a private company that is a realistic IPO candidate.

Lead underwriters have taken on the role of "SOX police" when it comes to the process of initiating an IPO. These underwriters and their counsel are spending significantly more time and effort on due diligence than in the pre-SOX era prior to taking their clients on the road. A private company will likely never get beyond the initial strategic decision to go public or the initial stages of due diligence if it cannot meet this heightened scrutiny.

III. The Acquisition By The Public Company

Since the passage of SOX, an increasing number of public companies appear to be choosing to "go private" rather than incur the costs of compliance with SOX. Similarly, faced with the inability to satisfy an underwriter's due diligence scrutiny or unwillingness to subject itself to SOX, a private company may forego an IPO as a potential exit strategy. In the alternative, a private company may look to consummate a sale to a publicly traded company. This strategy, however, does not alleviate the need for the target company to be able to demonstrate that it is SOX-compliant when entering into a transaction with a publicly traded acquiror. In the public filings following the consummation of the acquisition, the acquiror's CEO and CFO will need to certify as to the correctness of acquired companies' financials, and, accordingly, will want to have a relatively high comfort level that they will be able to certify as to the financial statements and internal controls within a reasonable period of time after the acquisition. Accordingly, the acquiror will need to have reliable financial statements from the acquired entity for inclusion into its own financial statements.

This increase in the reporting burden has led to greater due diligence and a heightened sense of caution among potential public company acquirors prior to the execution of a purchase and sale agreement. These transactions have witnessed a significant increase in time and efforts on due diligence as well as more extensive representations and warranties with longer survival periods and more stringent indemnification provisions in the purchase and sale agreement. Those private companies that in the course of this due diligence are found to have substandard financial reporting and internal controls will be adversely impacted. Weaknesses in financial reporting and internal controls may adversely impact valuation while at the same time lengthening the indemnification obligations of the sellers. Severe deficiencies in any one or more of these areas may in fact prevent the consummation of a deal altogether.

IV. Venture Capitalists

Improved reliability and clarity of financial statements appeal not only to acquirors of private companies, but also to venture capitalists investing in such companies. Pressured, in many instances, by the expectations of their own limited partners, venture capitalists have begun to expect portfolio companies to have instituted corporate governance safeguards as well as reasonable financial and other internal controls. As is the case with underwriters and potential public company acquirors, venture capitalists have begun to extend the due diligence process and add more protections in their investment documents entered into with their portfolio companies to address these SOX-related concerns. Moreover, in many instances, it is the venture capital investors who are the driving force behind their portfolio companies proceeding with the sale of the company or IPO, and, accordingly, will in turn require many of the best practices promulgated by SOX to be instituted in order to ensure a high rate of return on their investment when the exit strategy is consummated. The delay or failure of a successful exit strategy as a result of shoddy financial reporting and internal controls of the portfolio company will result in greater internal scrutiny of portfolio companies by venture capitalists, and consequently, an increased burden on their portfolio companies.

V. "Best Practices" That Should Be Implemented By A Private Company

In light of the heightened scrutiny of private companies by purchasers, underwriters and investors, what is a private company to do? The message of Sarbanes-Oxley to both private and public companies has and continues to be simple and straightforward: institute "best practices" that demonstrate common sense, ethical and detailed corporate management or internal and financial control along with heightened disclosure. There is no downside for a private company to operate as a public company and to institute various best practices earlier rather than later, and, as described above, there is potential for a significant upside. Taking these steps has, and will, certainly come at a cost as well as require additional demands on the company's CEO and CFO. However, with respect to those companies who are boot-strapping while waiting for a capital infusion, these precautions can be instituted over time in anticipation of their initial round of private institutional financing and then be augmented on an ongoing basis as they proceed towards an eventual exit strategy.

In this period of heightened scrutiny, if they have not already done so, private companies should consider taking some or all of the following steps, some of which can be implemented over time, when and if they become applicable:

  • Limit the scope of services provided by the company's independent auditors so as to exclude any non-audit service that is prohibited under SOX, making certain that the service does not compromise auditor independence.

  • Refrain from engaging a firm as independent auditors if the private company's officers worked for that firm and participated in the audit of the private company during the one year period prior to the initiation of the audit.

  • Require that the CEO and the CFO provide the company's board of directors and shareholders certifications similar to those that are required to be provided by a public company in its SEC filings.

  • Carefully scrutinize and make appropriate disclosure to shareholders concerning all off-balance sheet transactions.

  • Prohibit loans by the company to its officers or directors (with the possible exception of relocation loans).

  • Give careful attention to internal controls and strive to put in place the same types of controls required of public companies, such as the adoption of a code of business conduct and ethics for officers, directors and employees of the company and the protection of whistle blowers.

  • Approve all related party transactions by action of the full board of directors or, in appropriate cases, the shareholders.

  • Maintain well organized corporate and stock records.

One of the major requirements placed upon public companies by AMEX, NASDAQ and the NYSE arising out of the passage of SOX is to have a board of directors of which a majority of directors are independent. Independent directors typically are those individuals who are not affiliated with the company and/or major investors. This may be a challenge for venture-backed private companies. Bringing independent members to the board room is challenging not only from a cost perspective (i.e., how to incentivize such an individual either by cash or stock as well as the cost of D&O insurance), but also because of the possible reluctance of a lead investor to cede control to one or more independent, non-investor directors. Board seats are a staple of most investor term sheets with the number of seats increasing as the dollar value of the investment increases. Despite these difficult obstacles, more and more private companies are taking steps to engage independent directors who bring both industry expertise and their own views. Many of these individuals also sit on the audit and compensation committees to the extent that such committees are in place. It may, however, not be feasible to have the board controlled by independent directors. This may only be possible if the company moves closer to the time of an IPO.

VI. Conclusion

Private companies must address whether or not they should operate like public companies by instituting the best practices guidelines established by Sarbanes-Oxley despite no legal requirement to do so. Implementing all or some of the aforementioned measures will not be without additional cost, significant time and effort on the part of management and, at times, angst. In the end, however, such compliance may provide a private company and its investors with greater financial rewards at the time of the execution of an exit strategy than if they had simply relied on the wording of the statute and not implemented any of these measures.

1 Sarbanes-Oxley Act of 2002, Pub. L. No. 187-204, 116 Stat. 745 (2002).

2 While SOX does not specifically cover privately held companies, certain provisions relating to securities fraud and related criminal activities apply to any "person," which definition would encompass both private and public companies.

3 Under Section 2(a)(7) of SOX, the term "issuer" includes any issuer "that files or has filed a registration statement that has not yet become effective under the Securities Act of 1933 (15 U.S.C. 77a et seq.) and that has not been withdrawn."

David M. Barbash is a partner in the corporate department of Nixon Peabody LLP, a national law firm. Mr. Barbash's practice consists of representing both private and public companies in mergers and acquisitions, venture capital financing, securities and general corporate law. The views expressed herein are the author's own and do not necessarily represent the views of Nixon Peabody LLP.

Please email the author at dbarbash@nixonpeabody.com with questions about this article.