
Sarbanes-Oxley 'Creep'

By Ronald H. Levine
June 29, 2004

The Sarbanes-Oxley Act (SOX) responded to well-publicized allegations of securities fraud. Its commandments about financial and internal control certifications, audit committees, auditor independence and the like expressly target publicly traded corporations. Yet much has been written about the “inevitable” spillover of SOX-type obligations onto not-for-profit organizations, especially in the health care sector. As a result, not-for-profit CEOs, compliance officers and counsel have practical questions.

What SOX-like standards apply or are likely to apply to them? As a matter of risk management, what standards should be adopted as “best” practices? Importantly, how does one draw the line between reasonably meeting any such standards and overreacting at financial cost to their mission-driven institutions?

This article examines recent trends and provides a framework for dealing with these legitimate questions.

State Legislative Initiatives

The Attorneys General or legislators in New York, California and Massachusetts have floated proposed “baby” SOX laws applicable to not-for-profits. The general terms of these proposals help focus on issues possibly requiring attention:

  • Audited financial statements for organizations with gross revenues above a specified level;
  • CEO and CFO certification of financial reports;
  • For larger organizations, CEO and CFO verification of the effectiveness of internal financial controls;
  • Creation of an Audit Committee whose members may not serve on the Finance Committee, may not include the CEO, CFO or other staff, and may not accept compensation apart from payment for Board duties;
  • CEO and CFO disclosure to corporate auditors and the Audit Committee of significant deficiencies in the design and operation of internal controls and of any fraud;
  • Audit Committee to establish procedures for the receipt, retention, investigation and remedy of reports of wrongdoing, and advise the Attorney General of actions taken to address these reports;
  • Auditors not to perform any other service for the audited organization other than preparing tax returns;
  • Annual Board review and approval of CEO and CFO compensation, including benefits;
  • Non-retaliation against employees who complain to the Audit Committee or Attorney General;
  • Related-party transactions are presumed reasonable only if the Board or committee: 1) gave prior approval by a two-thirds vote of all members; 2) was fully apprised of the terms and interests at issue; 3) relied upon appropriate comparability data in approving the transaction; and 4) adequately documented the basis for approval of the transaction;
  • Records to be maintained for 10 years.

Regulatory Responses

Various regulators have anticipated pieces of SOX or are in the process of formulating SOX-like mandates.

IRS

The Internal Revenue Service Exempt Organizations Office reportedly is increasing its enforcement presence via closer review of the publicly available Form 990 information returns filed annually by tax-exempt entities. See 26 U.S.C. § 6104. Beyond general financial data, Form 990 requires disclosure of certain transactions between the tax-exempt entity and its Board members and officers. Note that the IRS can impose “intermediate sanctions” on decision-makers of tax-exempt entities for providing “excess benefits” to Board members or other control persons. 26 U.S.C. § 4958.

In response to reported financial abuse at charitable foundations, Iowa Senator Charles E. Grassley reportedly is considering legislation to boost the IRS budget for auditing foundations, tightening conflict of interest restrictions on directors and increasing penalties for directors who fail to disclose financial information. Finally, the IRS is reportedly drafting a document regarding best practices for not-for-profit Boards.

HHS OIG

The Office of Inspector General (OIG) for Health and Human Services last year published “Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors” (available at: http://oig.hhs.gov/fraud.html). This OIG guide focuses on the organization's information, reporting and compliance infrastructure, response to detected violations and implementation of codes of conduct.

The OIG also recently issued a draft Supplemental Compliance Guidance for Hospitals, which re-emphasizes the importance of a code of conduct, ongoing quantitative and qualitative reviews of compliance program effectiveness, provision of adequate resources for compliance functions, ensuring compliance officer access to the CEO and Board, implementation of employee hotlines and follow-up on issues raised by complaints and internal audits. 69 Fed. Reg. 32012 (June 8, 2004).

U.S. Sentencing Commission

On April 13, 2004, the United States Sentencing Commission proposed amendments to the Organizational Sentencing Guidelines to toughen the criteria for “effective” compliance programs. The proposed compliance Guideline, requiring “due diligence and the promotion of an organizational culture” that encourages a commitment to compliance, emphasizes:

  • Management and Board oversight of the effectiveness of the compliance program;
  • Assigned high-level personnel ensuring the effectiveness of the program, having sufficient resources, and reporting directly to the Board;
  • Effective training programs for the Board, management, employees and agents;
  • Ongoing program audits and risk assessment; and
  • Anonymous reporting for employees, and appropriate incentives and disciplinary measures to ensure reporting, compliance and correction of violations.

Unless Congress objects — unlikely in this post-Enron world — this amendment will be effective on Nov. 1, 2004 (available at: http://www.ussc.gov).

GAO

In January 2002, the federal General Accounting Office amended the auditor independence requirements of the Government Auditing Standards (also known as the “Yellow Book”). These standards apply to not-for-profit (and for-profit) recipients of federal grant and loan assistance, e.g., hospitals, Small Business Administration borrowers and some state-administered programs and contracts. They prohibit auditors from auditing their own work or from providing non-audit services in areas that are significant to the subject matter of the audit (available at: http://www.gao.gov/govaud/ybk01.htm).

NAIC

As of April 2004, the National Association of Insurance Commissioners was drafting a model regulation for state-regulated insurance companies concerning financial reporting. Proposals include having insurance companies 1) designate audit committees composed of independent members, 2) file reports on the effectiveness and deficiencies of the insurer's internal controls over financial reporting, 3) insist that lead audit partners periodically rotate, and 4) ensure auditor independence by prohibiting the provision of certain non-audit services.

Market Pressures

Market pressures to adopt SOX-like standards also exist. Bond dealers, investment banks, lenders and bond rating services are beginning to ask more probing questions about financial controls to help gauge investment risk.

Auditors responding to SOX regulations as regards their publicly traded clients may tend to adopt similar standards with not-for-profit clients to maintain uniformity of practice or, at least, require more demanding representation letters from them. Underwriters for D&O liability insurers may also seek more information about internal controls in order to minimize loss exposures. Indeed, even sophisticated donors may begin to inquire about matters such as auditor and Board independence.

What Should Not-for-Profits Do?

Some themes emerge from the legislative, regulatory and market-based initiatives discussed above. The following questions are not meant to suggest a checklist of mandatory actions. Rather, they provide a basis for considering whether additional action in certain “hot” areas should be taken.

  • Management and Board: Are management-Board relations structured to create a Board role in ensuring the integrity of internal reporting systems? Does the Board have a clear understanding, in writing, of its role?
  • Code of Ethics: Does the organization have a code of ethics? Should it include “up-the-ladder” reporting responsibility for counsel (both inside and outside)?
  • Conflicts of Interest: Should the organization have a broadly written conflict of interests policy, embracing executive compensation and loans, interests in potential transactions of the organization, disclosure of confidential information, duty of loyalty, nepotism and the like? Does it require completion of an annual conflicts disclosure questionnaire?
  • Audit Committee: Should the Board have an Audit Committee? What level of financial literacy and independence for members is appropriate? How is independence defined (e.g., beyond Board fees, no compensation from or business with the organization)? Should the Committee meet in executive session without the participation of management? Do direct lines of communication exist with the compliance officer and the auditor?
  • Auditor Independence: Should the organization's auditor perform other consulting or non-audit services for the organization which might impair its objectivity? Do lead auditors rotate periodically?
  • Internal Investigations: Does the organization have an anonymous hotline and a response team, either internal or through outside counsel if appropriate? Are processes in place to investigate complaints and avoid violation of whistleblower retaliation statutes, including that in SOX? See 18 U.S.C. § 1513(e).
  • Document Control: Are document integrity, retention and destruction policies in place to avoid violation of obstruction of justice statutes, including that in SOX? See 18 U.S.C. § 1519. Are the policies suitably designed to cover electronic documents?
  • Financial Disclosures: Although the SOX financial and control certification requirements do not apply to not-for-profits, Boards should consider whether an internal due-diligence process regarding financial disclosures should be adopted and documented. It might include: 1) reviewing draft and final versions of reports and Form 990 filings; 2) meeting with financial officers and those responsible for key functions to understand the judgment calls and assumptions underlying the report and gauge whether operational results are being fairly presented; and 3) discussions with auditors and the Audit Committee regarding close calls and matters omitted in the preparation of a report.

Of course, resources are limited, and risk management is not a one-size-fits-all proposition. Policy-specific exposures and benefits must be evaluated.

Conclusion

Whether or not SOX-like laws ultimately are imposed on not-for-profits, the culture shift regarding corporate governance likely will be reflected in judicial interpretations of “fiduciary duty,” prosecutors' investigative and charging agendas, and media scrutiny. Not-for-profit CEOs, compliance officers and counsel would do well to anticipate these developments.

Ronald H. Levine, rlevine@postschell.com, Post & Schell, P.C.