Cherry-Picking Sarbanes-Oxley

Provisions that deserve a second look.

Private companies and charities aren’t required to comply with the Sarbanes-Oxley Act. But they can adopt some of its requirements as best practices. Cherry-picking the provisions that will help them the most means they can get maximum benefit at minimum cost.

Among the private entities that might want to voluntarily adopt the provisions of Sarbanes-Oxley are companies planning an IPO and those that might merge with or be acquired by a public company within the next two or three years. Such companies might earn a premium for already being Sarbanes-Oxley compliant.

A number of Sarbanes-Oxley provisions also might make sense for other private companies or NPOs. For example, many private organizations are creating audit committees composed of outside directors or naming an audit committee financial expert.

A code of ethics is a good idea for any organization, as it establishes the tone at the top and helps employees understand what is expected of them. Similarly, putting whistle-blower provisions in place can help private companies and NPOs fight fraud.

While large public companies are required to establish and maintain internal controls over financial reporting, it isn’t yet clear whether the benefits of doing so are worth the high cost for private organizations.

Richard S. Savich, CPA, PhD, is president of ABKO Consulting in Bermuda Dunes, Calif. He is also on the faculty of the accounting and finance department at California State University in San Bernardino.

While public companies are required to comply with the Sarbanes-Oxley Act, privately held businesses and charitable organizations generally are immune from the act’s far-reaching provisions. Still, many such entities are finding that certain aspects of the act can benefit their overall operations and are cherry-picking those parts that will do them the most good. Here are some requirements of Sarbanes-Oxley that deserve a second look even from organizations that don’t have to implement any of the act’s provisions.

What types of private entities might want to voluntarily adopt the Sarbanes-Oxley provisions that so many public companies have been struggling to implement? For companies that might soon go public, the voluntary aspect of adoption becomes almost mandatory. Companies planning an IPO within the next two to three years would be better off adopting Sarbanes-Oxley guidelines now rather than waiting until they go public, when they might face unknown costs and delays.

Companies contemplating a merger or being acquired by a public company within the next few years also are prime candidates. If a private company owner’s exit strategy is to prepare the company for eventual sale, one of the suitors might be a public company willing to pay a premium for an acquisition target that already is Sarbanes-Oxley compliant.

Voluntary Compliance

In a January 2006 survey of the CEOs of “fast-growing” private companies,

• 27% said their companies had adopted Sarbanes-Oxley best practices in areas such as governance and transparency.

• 73% opposed any future federal or state regulations that would impose Sarbanes-Oxley provisions on entities other than public companies.

• 67% of those considering going public said the cost of Sarbanes-Oxley compliance was a potential barrier.

Source: PricewaterhouseCoopers, Trendsetter Barometer.

Many not-for-profit organizations also are adopting some Sarbanes-Oxley provisions. In California, for example, the Nonprofit Integrity Act of 2004 requires charitable organizations with over $2 million in gross revenues to have an audit committee, which also approves nonaudit services, and audited financial statements. The directors of these entities may themselves be officers of public companies who understand the benefits of stronger internal controls and some of the other requirements of Sarbanes-Oxley, and would like to see the NPOs they help preside over comply voluntarily.

Companies with absentee owners also might consider adopting certain parts of the act voluntarily to ensure the professional management is doing a good job. And finally, banks that extend loans or lines of credit to private companies are asking borrowers for more internal controls—like those found in Sarbanes-Oxley—before making loans.

Private vs. Public

Congress never intended the Sarbanes-Oxley Act to apply to nonpublic companies and nonprofit organizations. But a national study by Foley & Lardner LLP, The Impact of Sarbanes-Oxley on Private & Nonprofit Companies, revealed that these entities continue to adopt provisions of the act as best practices.

The study showed that while for-profit private companies have been consistently self-imposing Sarbanes-Oxley standards, nonprofit entities have been even more aggressive in adopting corporate governance reforms. Nonprofits are more likely to implement or plan to implement whistle-blower procedures, board approval of nonaudit services by auditors and restrictions on executive compensation, among other changes.

Here are some other study findings:

• Private companies tend to adopt the least expensive reforms, as opposed to more costly initiatives such as section 404 audits of internal controls.

• Some 84% of private organizations responding to the survey believed corporate governance reform was “about right,” an increase over the 78% who had responded that way in 2005.

• Survey respondents estimated an average annual price tag of $105,000 for corporate governance procedures, a 26% increase over their estimated costs before Congress enacted Sarbanes-Oxley.

Foley & Lardner surveyed 56 private entities in January 2006—20 nonprofit organizations and 36 for-profit private companies.

Sarbanes-Oxley is more than just a requirement for stricter internal control audits. It includes other elements that affect overall corporate governance and audit relationships. In some instances even public companies are making changes that the act doesn’t require but that stem from the new climate of corporate behavior. CPAs should encourage private companies and NPOs to look carefully at some or all of the actions described below that can potentially improve overall operations at relatively minimal cost.

Audit committee membership. The act requires that all public company audit committee members be outside directors not employed by or associated with the company. Many private organizations are adopting similar rules to ensure the external auditors have a conduit to the board outside of management.

Audit committee “financial expert.” Under Sarbanes-Oxley, at least one audit committee member must be a financial expert. While no specific qualifications are required, exhibit 1 lists some that companies can consider when making such a designation. Private organizations should name at least one audit committee member as a financial expert who can question the auditors about various transactions and the handling of accounts in the financial statements and accompanying footnotes. Of course, this does not preclude other members from asking questions as well.

Defining a “Financial Expert”
Under Sarbanes-Oxley, to be considered a “financial expert,” an individual—through education and experience as a public accountant or auditor or as a principal financial officer, comptroller or principal accounting officer of an issuer or from a position involving the performance of similar functions—must have

• An understanding of generally accepted accounting principles and financial statements.

• Experience in

    • The preparation or auditing of financial statements of generally comparable issuers.

    • The application of such principles in connection with the accounting for estimates, accruals and reserves.

• Experience with internal accounting controls.

• An understanding of audit committee functions.

Audit committee compensation. The law makes no mention of compensation for audit committee members. However, studies show companies have begun to compensate these individuals at a slightly higher rate than regular board members, mainly due to the amount of outside work necessary to prepare for meetings with the board and with the auditors, as well as for the increased number and duration of meetings. Many organizations also are providing extra compensation for the committee chair because of the additional preparation work and the increased number of meetings with the CEO, CFO and outside auditors.

Audit committee funding. The law says public company audit committees must be funded sufficiently to allow them to perform their duties adequately. Private organizations should be aware their audit committees may require extra funding because of additional meetings or having to engage consultants to answer questions that are beyond the scope of the members’ knowledge or to determine alternative accounting treatments. Companies should budget accordingly when they establish audit committees.

Communications with auditors. The audit committee of any organization—public, private or charity—should be able to meet with both the external and internal auditors separately from management to ask any necessary questions. These meetings may be distinct from regularly scheduled board meetings. Also, the external or internal auditor should be able to call a meeting whenever the attention of the audit committee or board is needed.

Audit committee approval of nonaudit services. Under Sarbanes-Oxley any allowed nonaudit services that exceed 5% of total revenues paid by the issuer to the audit firm require audit committee approval. Some services require board approval no matter what they cost. Adopting such a policy in a private organization would help guarantee that management is not relying solely on one CPA firm to provide all financial services. Recent history has shown us this is not a good idea even where it is permitted. (See exhibit 2 for a partial listing of nonaudit services prohibited by the act and exhibit 3 for services that require audit committee approval.)

Prohibited Nonaudit Services Under Sarbanes-Oxley
Bookkeeping or other services related to the accounting records or financial statements of the audit client.
Financial information systems design and implementation.
Appraisal or valuation services.
Fairness opinions or contribution-in-kind reports.
Actuarial services.
Internal audit outsourcing services.
Management functions.
Human resources.
Broker/dealer, investment adviser or investment banking services.
Legal services.
Expert services unrelated to the audit.
Any other service the PCAOB determines, by regulation, is impermissible.

Code of ethics. A code of ethics is a great idea for any organization. It sets the tone at the top and explains what is expected of employees and associates in their behavior toward customers, suppliers, fellow employees, management and other stakeholders. A significant number of private organizations are adopting ethics codes as a best practice.

Whistle-blower provisions. Public companies haven’t cornered the market on fraud; private companies and NPOs have their share as well. Any employee, customer or supplier who detects fraud or misrepresentation within an organization should be able to follow the procedures the audit committee has established for the receipt, retention and treatment of such complaints. Many organizations outsource this function to maintain the whistle-blower’s confidentiality, while the allegation itself is referred to the audit committee for action.

Use of outside advisers. The audit committee should not have to rely solely on the organization’s legal counsel or internal consultants for advice. In fact, there may be instances where in-house counsel is part of any alleged misconduct. The act says public companies should provide the audit committee with funding for outside advisers, including legal counsel or consultants. Funding for similar resources would be a good idea for private companies as well.

Nonaudit Services Requiring Audit Committee Approval
Transfer pricing studies.
Cost segregation studies.
Tax-only valuations.
Comments on candidates for senior executive positions.

But not representation in court case

Lending tax staff for special projects.
Compensation packages.
Requests for rulings.

Management’s responsibility for internal control over financial reporting. This is a major provision of the act, the section public companies are spending the most money on. It says management is responsible for establishing and maintaining an internal control structure and conducting a yearend assessment of the structure’s effectiveness over financial reporting.

For private organizations, the cost/benefit relationship of adopting similar rules has not yet been proven. Accelerated filing public organizations must comply regardless of the benefits. Nonaccelerated public company filers (those with less than $75 million in capitalization) still have time to comply—until fiscal years ending after July 15, 2007. However, both the SEC and PCAOB are still considering extending the deadline or increasing the capitalization amount. So, unless your organization is one of those preparing for an IPO or merger, the jury is still out on whether the act’s internal control rules are recommended best practices.

Management certification of financial statements. Having the CEO and CFO sign off on the financial statements and footnotes is key for all organizations, public and private. Many charitable organizations are asking this of their management as well. By taking responsibility for the numbers, executives show their leadership and qualifications for the positions they hold. This step goes beyond the basic representation letter and has executives taking formal responsibility for the financial statements. Under Sarbanes-Oxley, public company executives can be held criminally liable for misrepresentations.

For privately held companies some other best practices that are not specifically part of Sarbanes-Oxley might include establishing an internal audit department or internal audit function or at least outsourcing internal audit to a specialist. Doing so might improve overall operations and provide additional benefits beyond the cost. The charter for many internal audit departments is no longer just helping the external auditors with their annual audit, but also helping management improve overall operations and controls. Outsourcing is a good idea for entities that may not need a full-time internal audit staff or do not have the resources to develop the necessary competencies internally. The outsourced staff can be expanded to meet seasonal or other needs, and, typically, its lower cost outweighs the benefits an internal audit function will bring.

Practical Tips
Recommend that companies planning an IPO within the next two to three years adopt Sarbanes-Oxley guidelines now rather than waiting until they go public—when they could face unknown costs and delays.

Remind organizations of all sizes, public or private, that adopting a code of ethics is a good idea. It sets the tone at the top and explains what is expected of employees and associates in their behavior toward others.

Advise private companies and NPOs that their boards of directors should have the ability and funding to consult with outside advisers on financial reporting and legal questions that may arise.

Private organizations are in a unique position with regard to Sarbanes-Oxley; they can pick and choose those parts of the act that potentially offer the most benefit. At the same time they don’t have to spend inordinate amounts of money to prepare for an auditor’s assessments of internal controls, nor institute an elaborate system of controls to comply with the act. Instead, they can take a more reasonable cost/benefit approach and select those provisions and controls that might benefit their organization without incurring significant costs. This is an enviable position to be in.

Entities that aren’t required to comply with Sarbanes-Oxley also should use some caution. Following the entire act’s requirements can be time consuming and costly. And some provisions relate closely to others and shouldn’t be adopted separately. CPAs should advise clients or employers as to which sections of the act might be best for their organizations and how to begin implementing them. While the list will vary from organization to organization, the result will be a stronger entity better able to deal with today’s financial challenges.

