Following a string of corporate and accounting scandals at U.S. public companies, Congress passed The Sarbanes-Oxley Act of 2002 ("SOX") to regulate corporate governance, help prevent future abuses and restore public faith in federal oversight of public company governance. SOX and related rules initiated accounting and disclosure reforms designed to heighten corporate accountability and ethics. While most of SOX applies only to public companies, with two notable exceptions, SOX raised the bar for compliance by all companies.1 Some accounting firms and insurance companies have now adopted one-size-fits-all policies as to their clients' governance requirements, without regard to whether their clients are public or private companies. While certain of SOX's provisions are not readily applicable to not-for-profit companies ("NFPs"), many are. Because of the widespread current emphasis on corporate accountability and greater scrutiny of corporate actions, without regard to public or private status, NFPs should consider applying various SOX principles as a matter of best practices. Of course, because NFPs vary greatly in size and resources, an NFP's Board will need to evaluate the feasibility of implementing these suggested reforms in light of its needs and abilities.
In Part I of this Article, we discuss SOX generally and its application to NFPs, and suggest how an NFP might implement SOX-type reforms as a matter of best practices. In Part II, we will discuss SOX-type requirements currently (or proposed to be) imposed on NFPs by various governmental authorities.
SOX Provisions Applicable To NFPs
Two SOX provisions directly apply to public and private entities (including NFPs), namely its provisions prohibiting retaliation against whistleblowers and its prohibition of intentional destruction of documents.
Other SOX Provisions Generally
Codes of Conduct
Recommendations Based On SOX And Best Practices
Due to the SOX requirements applicable to all companies, public and private, an NFP should:
Whistleblower Protection. Adopt a written policy regarding employee complaint procedures and preventing retaliation. To be safe, the NFP also should fully disclose the policy and related procedures to its employees, and should carefully document all complaints, investigations and findings. Even if a claim is unfounded, the NFP should not reprimand an employee who makes a claim in good faith, and NFP executives should take all complaints seriously, investigate the situation, fix any problems or justify why corrections are not necessary, and document their findings, analysis and conclusions.
Document Destruction. Adopt a written policy regarding procedures for disposing of and archiving corporate records, which includes guidelines for handling electronic files and voicemail, and covers back-up procedures and regular check-ups as to system reliability. If an official investigation is underway or even suspected, management should stop any document purging in order to avoid criminal obstruction charges.
Best Practices Recommendations.
Audit Committees. Establish an audit committee with responsibility for overseeing accounting and financial reporting processes, which committee consists of independent board members and at least one financial expert. It also should establish procedures regarding the audit committee's processing of employees' complaints regarding accounting, internal control and related matters, and should timely investigate complaints and carefully document subsequent resolution of such complaints. Many larger NFPs have a finance committee that oversees NFP financial matters (including preparation of financial statements and working with auditors on the annual report), and such NFPs should consider whether to separate the finance and audit committees.
Auditors. Consider having its financials audited annually. If it chooses not to have an annual audit conducted, it should engage an accountant to review its annual financial statements and IRS Forms 990. If it has an audit conducted, it should:
* retain an accounting firm that has NFP experience and rotate its lead auditor or lead partner every five years;
* require auditor disclosure to the committee of critical accounting policies; and
* consider requiring its audit committee to pre-approve certain audit services and prohibiting certain non-audit services, consistent with the SOX rules as described above.
Certified Financials. Ensure that NFP officers certifying the IRS Form 990 (the key financial document for NFPs, which requires a corporate officer's signature) review the Form to be sure that it is accurate and complete (and consider having its board and any audit committee review the Form for accuracy). In addition, the NFP's audit committee should examine its financial systems, policies and reporting to help improve accuracy and completeness of the form of financial report to the board and audit committee generally. It also should file the Form electronically and make the filing easily available publicly by posting it on its website.
Personal Loans. Generally prohibit the practice of providing personal loans to directors or officers. If an NFP believes that it is necessary to extend a loan, its board should formally approve the loan. Of course, because existing rules already safeguard against the flow of money away from an NFP toward a person with a significant relationship with the NFP for private purposes (called "private inurement"), and because excessive personal benefit and self-dealing all cause serious penalties for NFPs that step out of line and "intermediate sanctions" laws specifically address compensation and excess benefit transactions with "disqualified" individuals (typically NFP board members or senior management), as discussed in Part II, an NFP already is subject to controls on its extensions of credit.
Internal Controls. Evaluate whether strengthening its internal controls is feasible and cost-effective. If it determines that it must strengthen its internal controls, methods of doing so include strengthening information systems that produce reports and implementing activities to monitor the reporting system to assess the quality of its performance over time.
Disclosure Controls. Evaluate whether strengthening disclosures is feasible, and provide an accurate picture of its financial condition to donors, clients, public officials, the media and others by electronically filing its Forms 990 and making such Forms freely available to anyone who requests them.4
Codes of Conduct. Consider adopting a code of conduct (including a conflict of interest policy) and include policies for enforcement thereof.
In recent years, with increased scrutiny of corporate governance, best practices have evolved based on SOX rules. NFPs should be encouraged to analyze their practices and methods of operation. Many NFPs may need to conduct a top-down review of their practices and certain relationships, such as with their auditors. To that end, NFPs may need to consider updating their organizational documents and committee structures to reflect certain of these best practices. In the end, it is important to note that for NFPs, self-regulation and proactive behavior will usually prove more powerful than reactive and defensive governance policies.
1 Certain Delaware judges have implied that SOX standards could influence an assessment as to whether a company's management and directors have complied with their fiduciary duties to the company and its stockholders. See In re The Walt Disney Co. Derivative Litigation (August 9, 2005), in which the Delaware court found that while the directors did not breach their fiduciary duties under Delaware law, certain of their actions reflected the absence of good corporate governance and could give rise to liability in a different case. The implication is that, in the post-SOX world, a case like the Disney one might have a different outcome. Delaware does not have separate statutes for NFPs and for profit companies, and instead administers both types of companies under one statute, so that directors of both types of companies have similar duties.
2 SOX Section 806 (which applies only to public companies) protects persons who provide information to (or otherwise assist in) investigations by supervisors or the U.S. government as to possible securities law violations or fraud by allowing such persons to seek relief against a company.
3 Section 802 also includes rules designed to ensure that auditors retain workpapers for a minimum amount of time and establishes penalties for destruction of corporate audit records relating to public companies.
4 The IRS is currently pursuing proposals to require such measures.
M. Ridgway Barker is Co-Chair of the Securities Practice Group of Kelley Drye & Warren LLP. Randi-Jean G. Hedin is a Partner in the Securities Practice Group. Acknowledgement is given to Jeanne R. Solomon, an Associate at Kelley Drye & Warren LLP, for her efforts in the preparation of this article.