Implementation Uncertainties: Should Nonprofits Comply with SOX?
June 30, 2005
By Barbara K. Green, CPA
While the Sarbanes-Oxley Act (SOX) was designed only for publicly traded companies, its impact is reaching many nonprofit organizations and making their executives and board members sit up and take notice. According to recent studies, despite the fact that Congress intended corporate reforms to apply only to public companies, the effect of the legislation has been much greater.
While not required by law, many private companies and nonprofits are now adopting public company governance standards in anticipation of eventual federal and/or state requirements, or because of stakeholder pressure. But compliance can be expensive, so many organizations are adopting the less expensive reforms such as approval of audit and non-audit services by the board or audit committee, codes of ethics, and, in some cases, certification of the financial reports by the CEO or CFO of the organization.
Background
SOX was enacted on July 30, 2002 to improve the quality and transparency of financial reporting and increase corporate responsibility in public companies. Most of the compliance work mandated by SOX falls on management, so in the case of small nonprofits, full and immediate voluntary adoption of the rules would be nearly impossible without an increase in staff and a corresponding increase in the budget.
Managing constituent expectations may, however, require the voluntary adoption of certain portions of the legislation. While SOX does not specifically apply to nonprofits in most states at the present time, current trends suggest that it will be applied in some form in the future. New York and California have already made some provisions of SOX applicable to nonprofit organizations operating in those states.
Is complying with certain aspects of SOX right for your organization? It depends. Audit committees should carefully identify the components of the Act where the benefits will outweigh the costs of adoption. Without such evaluation, becoming fully compliant will be expensive, time-consuming and, most importantly, may not be in the best interests of the organization.
Two provisions of SOX, document destruction and whistleblower protection, do apply to all entities, including nonprofits, and require implementation now.
Complying with extensive regulatory standards is the norm for some nonprofits already. Organizations receiving federal grants may have had to comply with regulations from the U.S. Office of Management and Budget. Also, nonprofits have been required to disclose IRS Forms 990 for a long time, and those returns are readily available now on the Internet. Many organizations also publish their audited financial statements in the interests of transparency.
Below are a few areas of SOX that nonprofits may choose to implement without being directly mandated by law.
Reporting to the Audit Committee
Auditors are required by SOX to report to the audit committee. This is not really a substantive change because the auditor's primary reporting responsibility has, in the past, been to the organization's board of directors rather than to the staff of the organization. As a direct reaction to increased realization of the visibility of board oversight of the organization's financial policies, procedures and reporting, most organizations now have an increased level of board interest in meeting with the auditors in a less perfunctory way.
Audit Committee Standards
Audit committees exist to facilitate effective corporate governance through oversight. A primary function of audit committees is to provide quality and effective oversight of the accounting and financial reporting processes of the organization and the annual audit of the financial statements. The audit committee serves a crucial role in the prevention and detection of fraudulent accounting and financial reporting.
SOX is clear that the audit committee is directly responsible for the hiring, compensation and oversight of the accounting firm employed to perform the audit and related work. That firm reports directly to the audit committee.
Under SOX, all members of the committee must be members of the board and independent — meaning that they do not receive any compensation from the company as a consultant for other professional services. The work of the committee should be clearly described in a charter and carried out by financially literate people. It is important to recognize that the committee's work involves oversight of the organization's accounting and financial reporting processes as well as audit oversight.
There is also a recommendation in the SOX legislation that at least one member of the committee be a "financial expert." This is defined as one with education and experience as a public accountant or auditor or as a principal financial officer, comptroller or principal accounting officer of a public company. If there is not such a person on the committee, the rationale behind that decision must be disclosed.
Best practices dictate that the audit committee be composed of members who do not have a financial interest in or any other conflict of interest with any entity doing business with the organization. No members of the staff, including the chief executive, should serve on the audit committee. The audit committee should meet with the external auditor, review the annual audit and recommend its approval or modification to the full board. In addition, orientation of board members should include financial literacy training.
SOX requires that the audit firm report to the audit committee all critical accounting policies and practices used by the organization, as well as any changes in assumptions and any discussions with management about such policies. Critical accounting practices include segregation of duties, policies to use restricted funds for intended purposes, processes to review off-balance sheet transactions, if any, and procedures for monitoring inventory fluctuations. This reporting is generally accomplished in the standard letter to the audit committee at the conclusion of the annual audit.
Code of Ethics
SOX requires disclosure of whether a code of ethics exists for senior financial officers, and the legislation prohibits virtually all types of personal loans to executives and directors of the company. Providing loans to insiders can cause problems either from the perception of a conflict of interest or because of inappropriate documentation as part of executive compensation.
This is an easy part of SOX any organization can adopt, and there are written model codes easily available for specific adaptation.
The audit committee should understand and ensure full compliance with all laws regarding compensation and benefits provided to directors and management, including intermediate sanctions rules and self-dealing laws. In cases when the board wants to provide a loan to a director or manager, all terms should be disclosed and officially approved by the board, the process should be documented and the terms and value of the loan should be publicly disclosed.
In addition, management should emphasize to all organization employees the importance of their fiduciary responsibilities and that inappropriate behavior by anyone in the organization will not be tolerated.
CEO and CFO Certification of Financial Reports
Under SOX Section 404, the CEO and CFO of public companies are required to review and certify the financial reports. This involves reviewing the reports and certifying that there are no errors or omissions, as well as taking responsibility for the establishment and maintenance of effective internal controls. Management is required, after studying and testing the internal controls, to disclose to the auditors, the audit committee and the board of directors all significant deficiencies in internal control.
The organization's external auditors need to be involved early in the planning for this internal work to provide insight regarding their expectations and to ensure their comfort with the methodology and approach.
Significant time should be spent documenting and assessing the organization's current controls, with the goal being to identify and mitigate significant control weaknesses prior to the financial year-end. The final step is the external auditor's attestation on management's assessment of the internal controls, which is in fact a second audit opinion (in addition to the one traditionally given for the financial statements themselves).
This certification is probably the most costly part of the SOX legislation because no one is likely to put his or her reputation in jeopardy by certifying something that they have not thoroughly studied. In addition, there are criminal sanctions for intentional false certification. The certification process often requires hiring a team of knowledgeable accountants to provide outside assurance to the entity, and this has led to much discussion of the relative costs and benefits of Section 404 of the legislation.
In the nonprofit world, consideration must be given to the reaction of donors who may be less likely to contribute to organizations if they see that the money they contribute is being used to comply with costly accounting reform regulations.
There are, however, many controls and procedures that all organizations can easily adopt. These include strong board involvement, careful hiring practices, third-party bank statement review, bank lockbox arrangements, separation of duties, annual audits and comprehensive insurance protection.
An outside eye is crucial to review budgets, monthly financial statements, audits, investment policies, major contracts and any other documents that affect the organization's finances. This is especially important in organizations that have staffs too small to allow much separation of duties.
Having the bank statements received unopened by someone outside the staff (often the treasurer), not allowing the person reconciling the bank statements to be a check signer, and having a policy requiring two signatures on checks in excess of a specific amount all provide strong controls. Using a bank lockbox reduces the possibility of diversion of funds. Annual audits provide professional feedback about procedures and instill a type of discipline in the accounting staff through the process of preparing for the audit itself.
A well-written financial procedures manual can help ensure that all similar transactions are treated consistently, aid in the training of new staff if turnover occurs or allow for delegation of some tasks to other employees. The process of creating written policies and procedures, instructions and duty assignments can reduce inefficient efforts, point out duplicated or omitted procedures and improve existing practices.
Internal controls are essentially the backbone of any effective financial reporting system. Implementation of strong controls sends a clear message that the organization is serious in its commitment to a transparent financial reporting system. Since it is the responsibility of the CEO to ensure good stewardship of the organization's resources, signing off on financial statements signals the importance that the chief executive attaches to understanding the nonprofit's financial condition.
It is important to note that financial statement audits of nonprofits involve only the auditor's "consideration" of the internal control, and that the auditor's opinion on the financial statements does not include an opinion on internal control. An opinion on internal control requires more extensive and costly audit work, which is now a requirement for public companies under SOX.
Looking to the Future
A report on final recommendations to strengthen the operations of charitable organizations is expected this fall from the Panel on the Nonprofit Sector, an independent coalition of charities and foundations. The group presented its interim report to the Senate Finance Committee on March 1, 2005. Recommendations in the interim report covered 15 areas and recommended actions for nonprofit organizations, the IRS and Congress.
Among the recommendations are implementation of conflict of interest policies, requiring persons with financial literacy skills on nonprofit boards and adoption of whistleblower policies. The panel also supports suspending exempt status for organizations that fail to file IRS Form 990 for two consecutive years, requiring electronic filing of Form 990, mandatory independent audits for organizations with $2 million in annual revenues, and requiring CEOs to certify that their Forms 990 are complete and correct.
Each organization needs to weigh the costs and benefits of implementing all or parts of new governance standards. As best practices evolve, stakeholders or governing bodies may cause many of the reforms to become required operating procedures. For now, it is important for all organizations to look carefully at their own operations and determine which, if any, of the SOX provisions would make them stronger and more effective in pursuing their overall goals.
At the time this article was written, Barbara K. Green, CPA, was an associate principal with Murray, Jonson, White & Associates, Ltd., PC, in Falls Church, where she worked primarily with audit and tax issues affecting the nonprofit community. She recently joined the Department of Defense, Office of the Inspector General. The opinions or assertions contained herein are the private ones of the author and are not to be construed as official or reflecting the views of the Department of Defense or the Office of the Inspector General.