Have You Been Ignoring Sarbanes-Oxley Because Your Company Isn't Public?

Computerworld - The Sarbanes-Oxley Act of 2002 has been called the most significant new securities law since the Securities and Exchange Commission was created in 1934. Although it's generally known that Sarbanes-Oxley places substantial responsibilities on officers and directors of public companies and imposes very significant criminal penalties on CEOs, CFOs and others who violate various provisions of the act, it's less widely recognized that it will have effects on nonpublic companies as well. Corporations that aren't public today but hope to become publicly owned or to be sold to a public company in the future need to be aware of the basic requirements for operating in compliance with certain requirements of Sarbanes-Oxley, particularly for establishing and following detailed internal controls.
Sarbanes-Oxley doesn't define how a company that is subject to the act must comply with it, largely in recognition that there is no "one size fits all" solution. However, the law does provide enough specificity for companies to formulate compliance strategies, and IT departments will be key to those strategies. Given the complexity of financial and operational record keeping and reporting, as well as the high stakes for noncompliance, the use of automated systems is key. This is particularly important in the application of Section 404 of Sarbanes-Oxley, which mandates that management directly certify the system of internal controls and disclose the framework it is using to assess the effectiveness of the underlying systems, procedures and controls that affect financial information and reporting.
Not for public companies only
Many observers believe that the requirements imposed by Sarbanes-Oxley will be applied to nonpublic companies. This application could come about in a number of ways:

• Banks and other lenders often require audited financial statements, operational reviews and compliance certificates from their borrowers; the issues that public companies must certify to, particularly regarding the accuracy of systems and financial statements, are just as applicable to lenders as they are to the investing public.


• Insurers may choose to impose similar requirements as a means of ensuring the accuracy of information of their clients as a means for reducing the frequency and amount of claims, particularly with regard to errors-and-omissions insurance coverage.


• Sophisticated investors are likely to consider the procedures and requirements imposed by Sarbanes-Oxley to be just as important to their interests as they are to shareholders of public companies, particularly in the case of hedge funds, mutual funds and other investments that get their funds from the public.