Private Companies Follow in Public Footsteps
Private companies are seeing the benefits of SOX compliance—even if it isn’t required of them.
By Clare Fitzgerald
When the Sarbanes-Oxley (SOX) Act came into effect three years ago—intent on tightening corporate governance within public companies—the standards that accompanied it didn’t exactly make board directors swoon. But through the ups and downs of implementation, a trend has developed among private—as well as public—companies: Their directors are watching the effects of the legislative changes, and complying with certain key standards of due care set forth by the Act. Sure, they don’t have to; but it shows great foresight and wisdom that they are. After all, implementing the same type of governance and control practices SOX requires of public companies can improve business practices and protect private companies should litigation arise.
Complying with all the standards required of public companies would be unusual, but a few provisions—specifically those relating to accountability, independent audit committees, internal controls and document retention—have worked their way into private company consciousness.
“What we’re seeing,” says Bill Schramm, a Chicago assurance partner in PricewaterhouseCoopers’ (PwC) private company services group, “is that privately held companies are pausing to take a look, and asking ‘Are there some elements that make sense to comply with?’”
Of the organizations participating in a recent study conducted by law firm Foley & Lardner LLP, 80 percent of for-profit private companies reported that Sarbanes-Oxley has had an impact on their organizations. The study also found that 78 percent of the private organizations surveyed have self-imposed public company governance reforms, such as CEO/CFO certification of financial reports, election of independent directors, development of ethical codes and approval of non-audit services by the board.
Furthermore, according to a June 2005 PricewaterhouseCoopers’ Trendsetter Barometer survey, 30 percent of fast-growth private companies are applying, and looking to benefit from, Sarbanes-Oxley principles, using them to improve control documentation and testing, update governance procedures and strengthen their codes of conduct. This is especially important given the fact that private company directors are being held to the same ethical standards as their public company counterparts—and therefore are subject to the same level of scrutiny.
But it isn’t just outside analysis that’s leading to the adoption of SOX governance stipulations. It’s also the search for better business practice, which means better internal controls. As PwC’s Schramm explains, “For privately held companies, internal control documentation has risen to the number one spot on the list of Sarbanes-Oxley-related issues.”
Section 404, which defines requirements for reporting on internal controls, is where most of the cost, effort and attention are being directed, says James Pajakowski, managing director of Business Risk Services, central region, for Protiviti, an international provider of independent internal audit, business and technology risk consulting services.
“Lenders and state regulators increasingly are asking private companies about the status of their internal controls environment,” he explains. “Public companies involved in potential acquisition deals with privately held companies are pushing those private companies to document their internal accounting controls and processes. And companies contemplating an initial public offering or that view themselves as acquisition targets are being advised to consider adopting reforms.” Also, according to Pajakowski, more companies are trending toward implementing a risk-based approach for internal controls, enabling them to better address their operational risks and turn up risk information that otherwise may be overlooked.
According to Michele Lange, a staff attorney at Kroll Ontrack Inc., an Eden Prairie, Minn.-based firm that provides large-scale electronic and paper-based discovery and computer forensics services, Sarbanes-Oxley has led private companies to establish better guidelines for the retention of appropriate records, and has inspired a more routine approach to monitoring compliance via those guidelines.
“Private companies have to be thinking about this, too, in case they are sued,” says Lange. She suggests bringing together finance, IT, legal, HR and other key departments to craft a policy. “It’s easy to forget about document retention in an electronic era,” she notes. “When companies literally could see the papers stacking up, it was much easier to make it a priority.”
Not only has Sarbanes-Oxley heightened the need among private companies for better control over financial information, but it also has become a standard by which to measure business management. For example, some private companies are applying a Section 302 provision, which mandates that senior financial officers certify the accuracy of their financial statements. While finance officers within private companies may not need to report to shareholders, they see the viability of adopting the intent of the standard, says Pajakowski. “In the case of private companies, it is division and financial heads certifying financials to corporate,” he explains.
Heightened accountability also speaks to broader corporate governance concerns, particularly in reference to ethics standards. “Private companies are taking a hard look at codes of conduct,” says Schramm. “Not only are they more often drafting and distributing firm-wide codes of conduct to enforce honest and ethical approaches to business, but they also are adhering to the ‘whistleblower’ provision.”
“Another area of the Act that companies are specifically looking at is in hiring independent directors to audit committees,” says Pajakowski. “They’re better understanding the level of expertise needed among audit committee members, and giving the audit committee a better oversight role. Spurred on by boards of directors and outside constituents, private companies are requiring all or a majority of audit committee members to be independent.”
Whether it’s review of internal control compliance procedures, development of document retention policies, establishing internal complaint hotlines, or better aligning financial audit, disclosure and reporting procedures, private companies are paying close attention to the issues—both painful and beneficial—emanating from Sarbanes-Oxley. And not because the statute requires it, but because the public and company investors, donors and, in many cases, board members, expect it.
“Nobody has ignored that Sarbanes-Oxley exists,” says Pajakowski. “Everyone is looking to see the potential application to their businesses.” But he also notes that board members are in part driving the trend. Many private company board members also serve on the boards of public companies and are recommending implementation of SOX-like practices. “A lot of it is coming from the boards asking the question: ‘Should you be doing that?’” he explains.
“It’s a matter of becoming Sarbanes-capable, if you will,” he continues. “Obviously, there are some things that come with SOX that are painful for public companies, but pick out some of the things that are good and see how they can be applied.”
Certainly, every company needs strong internal financial controls and knowledgeable and independent directors and audit committees. And encouraging companies to adopt formal codes of ethics promoting honest and ethical conduct, appropriate handling of conflicts of interest, accurate financial reporting and compliance is never a bad thing, especially given that some state legislatures are considering formally applying parts of the law to private companies. Private company directors who are paying attention know that Sarbanes-Oxley will become a benchmark against which every company’s financial and corporate governance practices will be measured.
“The advice I try to give is to consider complying with the spirit of the law, if not the letter,” says Schramm. “You have to look at the future of your company and ask if it makes sense—if it’s to your advantage. A lot depends on where private companies are headed.”
The Key to SOX
PwC’s Bill Schramm says that some private companies are more sophisticated than others when it comes to SOX details. “Some have more of a baseline, more anecdotal knowledge,” he explains. Though the specific provisions may not be applicable to privately held companies, it’s important to identify and understand them. Food for thought, at the very least.
Section 404 – Requires management to report on the effectiveness of their internal financial controls and for outside auditors to attest to the management reports.
Section 802 – Makes it a criminal violation to alter, destroy, mutilate, conceal or make a false entry in a record, document or tangible object with the intent to impede, obstruct or influence any investigation or bankruptcy matter.
Section 1107 – Provides criminal penalties for retaliation related to an employee’s whistleblowing activities.
Section 301 – Requires the independence of audit committees.
Section 302 – Mandates that CEOs and financial officers certify financial statements.
Section 406 – Requires public companies to disclose whether they have adopted a code of ethics governing the behavior of senior financial officers.
Why Follow the Crowd?
When it comes to best business practices and good corporate governance, it can benefit any company—including those that are privately held—to follow the Sarbanes-Oxley example. According to a June 2005 PricewaterhouseCoopers survey, some of the underlying reasons behind private companies’ implementation of SOX-related initiatives include:
- To achieve best business practices (60%)
- To address future or potential problems (59%)
- As the result of a recommendation by an outside constituent (43%)
- As the result of a consideration of future sale to another company (26%)
- To solve present business problems (19%)
- The potential to go public (17%)
Other reasons cited include: audit committees that evaluated Sarbanes-Oxley and thought it to be the best practice available to all companies; getting ahead of possible IRS rules; the fact that regulators eventually may require compliance; and potential use as a risk management tool.