The Sarbanes-Oxley Act of 2002, which was signed into law on July 30, 2001, by President Bush, is Congress’ response to concerns regarding the accuracy and reliability of financial disclosures made by public corporations. The new legislation imposes requirements on corporate executives, public accounting firms, and corporate attorneys.
Most of the provisions of the act are aimed at public companies. A few provisions of the act have broader applications.
The act has caused consternation in the nonprofit world, despite the fact that the most onerous provisions have no direct application to nonprofits. Nonprofit boards are concerned that the act raises the bar for oversight, and that members and attorney generals will use the act as a benchmark for measuring prudent business practices.
This is especially true for Section 501(c)(3) organizations, such as bar foundations, because bar foundations have a public purpose, as opposed to an associational purpose. Some states, such as New York, have already announced that they are considering applying Sarbanes-Oxley provisions to nonprofits.
Not all of the Sarbanes-Oxley provisions make sense for nonprofits. A few of them, however, represent a fair benchmark for nonprofit activities. Here is a look at some of the act’s provisions, and at what nonprofits are doing or should be doing in these areas.
Certification of financial reports
Sarbanes-Oxley now requires the principal executive officer and principal financial officer of public companies to certify in each annual and quarterly report that, among other things: the signing officer has reviewed the report, the report contains no untrue statements or omissions of material fact, and the financial statements fairly represent the financial condition of the company. Fines for willful miscertification go up to $5 million.
Is it sensible to apply this provision to nonprofits? That depends. The CEO and CFO may already be required to provide these certifications to outside auditors, so requiring them to provide them to the board is not a substantial additional burden. On the other hand, leadership positions are often voluntary, noncompensated positions. There will be a limit on the weight of the burden—and the liability risk—that volunteer leaders will be willing to undertake. If they perceive that their personal assets are at risk because of these certifications, nonprofits may lose some of their best talent. Of course, the statutory fines would not apply, but the implication of requiring a certification is that the organization could claim against the individuals if financial statements are incorrect.
Many nonprofits are compromising on this point and requiring a certification by the CFO, but not the CEO, who is often less versed in financial matters.
Audit committee financial experts
Sarbanes-Oxley requires disclosure in an annual report of a public company’s audit committee details, including the number and names of persons that the board of directors has determined to be “financial experts.” Financial expertise is given a daunting definition. The attributes that indicate financial expertise are: an understanding of generally accepted accounting principles (GAAP) and financial statements; experience applying GAAP in connection with the accounting for estimates, accruals, and reserves; experience preparing or auditing financial statements; and experience with internal controls and procedures for financial reporting.
Bar associations and other nonprofits would be hard pressed to find audit committee members who will qualify as “financial experts” under this definition. In fact, many public companies are scrambling to meet this requirement.
Even if they don’t follow this definition to the letter, nonprofits are focusing on the need to have an audit committee and on the expertise of the volunteers serving on the audit committee. The ability to comprehend financial statements and interact appropriately with staff and outside auditors is crucial for audit committee members. Many nonprofits are more carefully selecting audit committee members based on background and experience, or are hiring outside consultants for the audit committee, to provide the necessary expertise.
Independence of auditors
Sarbanes-Oxley makes it unlawful for a public accounting firm that performs an audit to provide certain other services to public companies. In general, accountants are prohibited from providing audits and providing other services that would put the accounting firm in a position to audit its own work, perform management functions, or act as an advocate for the client. Some of the listed services that are prohibited are bookkeeping, appraisal, actuarial, and human resources.
For smaller nonprofit organizations, utilizing this rule as a benchmark could be particularly burdensome. Bar foundations and similar nonprofits typically use one accounting firm for a variety of functions, and having to use multiple firms could impose serious inconvenience or a financial burden.
The main focus of nonprofits should be on making sure that the outside accountant is not put into a position of auditing his own work. Bookkeeping functions should be separated from auditing functions. Internal controls may be established by consultants outside of the regular auditing firm. Defalcation (e.g., embezzlement) and mismanagement are very common in the nonprofit world and having a second set of outside professional eyes on the books and internal control system of a nonprofit organization is an excellent idea.
Disclosure of management’s evaluation of internal controls
Under Sarbanes-Oxley, public companies must disclose management’s evaluation of internal controls. In particular, management must review the procedures designed to provide reasonable assurance that transactions are properly authorized, that assets are safeguarded against unauthorized and improper use, and that transactions are properly recorded and reported.
Internal controls are often the most neglected system in nonprofit organizations. The CEO and CFO are often unaware of weaknesses in internal controls until a defalcation or other abuse of assets occurs. Because of this unfamiliarity, it’s questionable that a report by the CEO or CFO with respect to the effectiveness of the company’s internal controls would add value to members or donors.
Frequent review of internal controls by an outsider, such as an accountant specializing in internal controls, may have more value than a certification by management. The report should be directed to the board rather than to management.
The bottom line
While Sarbanes-Oxley is not currently applicable to nonprofits, it has focused the attention of donors and members on the need for substantive oversight by the board of directors and responsible control by management. It has taken away the ability of boards and management to say, “We didn’t know …” or “We didn’t think it was our responsibility to …” The board of directors of a nonprofit organization is ultimately responsible for every action or omission of the organization. It may delegate authority, but not responsibility. Sarbanes-Oxley provides a good impetus for bar leaders to review the practices in bar associations and, especially, bar foundations, to help prevent abuse of assets and ensure accuracy in reporting. After all, an association or foundation’s most important asset is its good name, and proper controls and sound reporting ensure the continuation of that good name. BL
Paula Cozzi Goedert is a partner in the Chicago law firm Jenner & Block LLC, and is chair of her firm’s association practice. She can be reached at firstname.lastname@example.org.