Editor: Why is it beneficial for a private company or nonprofit to become Sarbanes-Oxley compliant or at the least partially compliant?
Pennett: Adopting Sarbanes-Oxley principles is beneficial for both private and non-profits insofar as this ensures better controls, proper corporate governance and greater creditworthiness. SOX is the de facto gold standard for good corporate governance in the U.S. Board members and executive officers need to show from a legal perspective that they have taken all proper and appropriate care to carry out their duties. If there is ever litigation or fraud alleged, the company will be judged by Sarbanes-Oxley as the standard. That is a significant reason for following its precepts.
Other reasons companies should comply with all or at least most of its terms are: (1) any company planning on going public in the next few years through an IPO needs to bring the company into compliance; (2) private companies that are planning on being acquired by a public company over the next few years need to consider strategies to become compliant, making it easier for a possible acquirer to do its due diligence and improving their chances of becoming an attractive acquisition target; (3) if the owners of the company are absentee owners who rely on professional managers, it is important for the owners to know that their professional managers are managing the firm with the proper internal controls in place; and (4) from a financial perspective, banks are more willing to grant loans and lines of credit and provide more favorable terms where good compliance is practiced. Rating agencies are starting to track this as well.
Editor: The whistleblower and document destruction provisions are mandated for private and nonprofit companies. What other provisions do you consider to be best practices to be followed?
Pennett: Requiring the CFO and the CEO to sign off on the financial statements and footnotes for private companies is a good step to take. It puts another layer of responsibility on the officers running the organization if they are personally attesting to the validity of the information.
The establishment of an audit committee with the membership being made up of independent members and several financial experts is another good practice. The audit committee should approve non-audit services to avoid potential conflicts of interest.
A code of ethics for the organization should be established.
The completion of a top down risk assessment as part of an internal audit is highly desirable. A private or nonprofit company should conduct a risk assessment so that it can determine the organization's greatest risks, their probability and magnitude. Executives and board members can then have a discussion about the potential risks and how to mitigate them.
Oftentimes management assumes that it knows its risks and, after a cursory examination, attempts to correct one problem at a time. It does not spend time to do a thorough and systematic risk assessment. What is becoming popular in all companies today is enterprise risk management, that is, looking at every aspect of risk: evaluating and prioritizing the risk universe.
A recent survey showed that 70 percent of respondents felt that Sarbanes-Oxley added value. Twenty percent said it added no value and 10 percent said they were not sure. The biggest benefits in that study were the streamlining of business processes. Twenty-eight percent indicated that they had better financial information because of Sarbanes. Fourteen percent said it better secured good information systems. In addition, driving efficiencies is a hidden benefit.
Editor: Do you suggest that private companies and nonprofits have audited financials?
Pennett: Yes, but even if they do not, officers should sign off on the financial statements to the effect that they are accurately represented. It becomes a cost benefit equation for companies to determine whether they should implement this practice.
Editor: Should private companies follow the same rules as to rotation of outside auditors, etc.?
Pennett: It is a good practice. It would be a valuable standard to develop.
Editor: Is there anything else you'd like to add?
Pennett: My key message is that adherence to SOX principles can reduce your board's and organization's potential liability and risk profile. It increases the organization's flexibility whether it decides to go public, to be acquired, or to pursue some other exit strategy. The knowledge that board members take their fiduciary obligation seriously and run a tight organization can help with fundraising. By documenting good internal controls and increasing transparency, organizations can also reduce the cost of D&O insurance and reduce the frequency of shareholder lawsuits. This in turn reduces the cost of capital by reducing borrowing costs.
Adherence to SOX standards improves the executive focus on risk because the board is holding them accountable. Doing a risk assessment is a business priority rather than a side issue. Having to sign a quarterly certification gives pause to the executive, who must think about whether all the internal controls are in place. That personal accountability is enough to be sobering.
Other influences on private companies are the private equity or venture capital firms which may offer financing. Significant time is being spent by private equity firms in evaluating internal controls during their due diligence. Of course, poor internal controls often lead to push back on deal pricing. These firms themselves have a high level of accountability and seek the same in the prospects they consider for financing.