
Compliance Programs for Private Companies

By Jeff J. Marwil and Jerry J. Burgdoerfer
July 31, 2006

We all know that a proactive Securities Exchange Commission (SEC), combined with implementation of the Sarbanes-Oxley Act of 2002 (SOX), and activation of the Public Company Auditor Oversight Board (PCAOB), has triggered intense scrutiny on corporate ethics and accountability. One by-product of this is that the public company has come to serve as a mentor of sorts to the private company in the arena of corporate compliance programs, offering certain 'best practices' that may also be useful to the privately held company, its management, and its shareholders or owners.

A compliance program establishes an environment that generates certain positive results, such as protection of owners' capital or shareholders' equity, creation of a positive work environment where high standards of ethics are the standard, and encouragement of customer or client confidence where strong control functions indicate the importance of quality, accountability and accuracy. It also establishes an infrastructure of proactively created controls, resulting in business judgment and good faith defenses in the event of unforeseen issues and problems.

Looking At Private Companies

Various regulatory bodies have directed their attention toward changes that will impact private companies. Recently, the Financial Accounting Standards Board (FASB) and the American Institute of Certified Public Accountants (AICPA), under a joint proposal, suggested that they would make improvements to the procedures associated with private company accounting and financial reporting. In doing so, they are addressing use of an appropriate version of Generally Accepted Accounting Principles for private companies. The comment period on the joint proposal ends Aug. 15, after which the board plans to 'analyze and evaluate whether differences are warranted for private companies.'

Why would a private company have an interest in putting in place corporate compliance programs when many companies maintain the privately held structure in the first place so that they are the sole regulators of their destiny? The answer is simple: There may be justification in doing so. Following are some reasons:

Among other things, use of public company 'best practices' provides private companies with valuable tools that have been tested elsewhere and do not carry the associated development cost of implementation. Corporate compliance programs can also be an integral component of overall risk management. All companies maintain risk management programs, whether formal or informal, whether the company is self-insured or insured by others.

There are also several reasons to believe the private entrepreneur may have less choice in these matters in days to come. Application and use of corporate compliance programs that are modeled after those of public companies may be mandated by public companies or others, such as lenders, doing business with private companies, thereby assuring the public company or other party that the level of internal controls in place at the 'partner' organization meets their standards. As a result, business ventures can be entered into with a degree of confidence.

After Enron

In the post-Enron era, robust corporate compliance standards have become the norm in the business community. As a result, functional corporate compliance programs may be assumed or considered the industry standard and demanded by customers. In any event, any company that may be acquired by a public company or itself 'go public' will need to meet the standards of reporting, certifications and internal controls as a public company, not only at a point in time, but also historically for a period of time.

Certain aspects of a public company compliance program may be required by law for private companies. Many private companies operate in regulated industries and are subject to regulation or reporting requirements, such as securities, the manufacturing of environmentally monitored products, and banking and financial services, among others. Additionally, certain provisions of SOX, such as those relating to criminal liability for document destruction, trading suspension notice requirements for 401(k) Plans and liability for retaliation against whistleblowers, apply to public and private companies alike.

In private companies, many topics can be covered in internal compliance programs. The key to identification of the components of the compliance program is to identify the functions within the company where risk may exist or the potential for loss can occur. Risk areas and potential for loss include the tangible and intangible, and should be prioritized. As is required in any risk management program, the probability of loss needs to be considered along with the impact of the loss, both financially and otherwise. The company's reputation, image in the marketplace, market share and the value of the customer and supplier relationship base are critical factors in this assessment, as is the cost of implementing and monitoring aspects of compliance programs.

Costs

Compliance costs are always a concern to companies, whether they are publicly traded or privately-held. A comparison of compliance spending and value derived surely drives any decisions made by a private company in instituting compliance programs. According to a PricewaterhouseCoopers LLP Management Barometer Survey, companies will typically track certain types of expenses associated with their compliance initiatives. Such tracking is particularly important as measurement of the expenses and benefit of compliance initiatives indicates the importance to the company of the compliance initiative.

Per the survey, for U.S.-based companies, the leading expense is that associated with external, third-party costs of performing compliance measures, with the cost of dedicated staffing being second. Not surprisingly, the information technology component of a compliance program is extremely large and expensive. Accordingly, the cost of such is a major concern. Private companies are also concerned over the costs of non-compliance. Not unlike their public company brethren, non-compliance can generate fines and penalties, lost management and employee time and loss of business. The cost of such has both a financial and non-financial impact that may be significant.

A 'menu' of functional areas should be considered and may include:

Sales, Marketing and Advertising

  • Sales, marketing and advertising practices and procedures including those that may involve antitrust or product warranty issues;
  • Protection of customer and/or client information; and
  • Communications with the media.

Ethics

  • Code of conduct;
  • Code of conduct employee handbook;
  • Conflicts of interest;
  • Employee supervision, structure and supervisory procedures;
  • Outside business activities;
  • Political contributions; and
  • Gifts and entertainment.

Information Technology and Document Storage

  • Electronic communications;
  • Record retention; and
  • Privacy of employee information.

Finance and Accounting

  • Regulatory/financial reporting;
  • Audit Committee responsibilities;
  • Financial reporting policies and procedures;
  • Internal audit function; and
  • Travel/entertainment expenses.

Corporate Governance

  • Board of Directors, including independent directors;
  • Fiduciary duties; and
  • Disclosure of activities.

Other

  • Continuing education; and
  • Legal department infrastructure and responsibilities.

Conclusion

There are many good reasons to implement corporate compliance programs within a private company. An increased level of awareness and interest in itself is a positive impact of developing and implementing programs throughout a company. Strong internal controls provide demonstrable value to the company, its management and owners, its employees, and its business partners.


Jeff J. Marwil is a partner in Jenner & Block's Chicago office. He may be reached at [email protected]. Jerry J. Burgdoerfer is a partner in the same office and a member of its Corporate Practice. He is Co-Chair of the firm's Securities Practice, and a member of its Business Services and Transactions Committee. Burgdoerfer may be reached at [email protected].

