Computerworld

Have You Been Ignoring Sarbanes-Oxley Because Your Company Isn't Public?

Robert Braun, Jeffer, Mangels, Butler & Marmaro

August 30, 2004 (Computerworld)

The Sarbanes-Oxley Act of 2002 has been called the most significant new securities law since the Securities and Exchange Commission was created in 1934. Although it's generally known that Sarbanes-Oxley places substantial responsibilities on officers and directors of public companies and imposes very significant criminal penalties on CEOs, CFOs and others who violate various provisions of the act, it's less widely recognized that it will have effects on nonpublic companies as well. Corporations that aren't public today but hope to become publicly owned or to be sold to a public company in the future need to be aware of the basic requirements for operating in compliance with certain requirements of Sarbanes-Oxley, particularly for establishing and following detailed internal controls.
Sarbanes-Oxley doesn't define how a company that is subject to the act must comply with it, largely in recognition that there is no "one size fits all" solution. However, the law does provide enough specificity for companies to formulate compliance strategies, and IT departments will be key to those strategies. Given the complexity of financial and operational record keeping and reporting, as well as the high stakes for noncompliance, the use of automated systems is key. This is particularly important in the application of Section 404 of Sarbanes-Oxley, which mandates that management directly certify the system of internal controls and disclose the framework it is using to assess the effectiveness of the underlying systems, procedures and controls that affect financial information and reporting.
Not for public companies only
Many observers believe that the requirements imposed by Sarbanes-Oxley will be applied to nonpublic companies. This application could come about in a number of ways:

  • Banks and other lenders often require audited financial statements, operational reviews and compliance certificates from their borrowers; the issues that public companies must certify to, particularly regarding the accuracy of systems and financial statements, are just as applicable to lenders as they are to the investing public.

  • Insurers may choose to impose similar requirements as a means of ensuring the accuracy of their clients' information and thereby reducing the frequency and amount of claims, particularly with regard to errors-and-omissions insurance coverage.

  • Sophisticated investors are likely to consider the procedures and requirements imposed by Sarbanes-Oxley to be just as important to their interests as they are to shareholders of public companies, particularly in the case of hedge funds, mutual funds and other investments that get their funds from the public.

All of these factors are likely to make provisions of Sarbanes-Oxley the standard, not only for the public companies at which the law was aimed, but also for other companies that never thought they would be affected by the law.
Management certification under Sarbanes-Oxley
Section 404 requires the management of a public company to assess the effectiveness of the company's internal control over financial reporting. Section 404 also requires management to include in the company's annual report to shareholders management's conclusion as a result of that assessment about whether the company's internal control is effective. While there are a variety of steps companies must take to comply with Sarbanes-Oxley, Section 404 has the most relevance to information security, with its requirement that management develop, document, test and monitor internal controls and disclosure controls and procedures.
The most significant new responsibility faced by the CEO and CFO of every company subject to Sarbanes-Oxley reporting is the required personal certification of their company's annual and quarterly reports. The SEC has specified the exact form of personal certification that must be made, without modification, in every annual and quarterly report, including a certification that the CEO and CFO have evaluated the company's internal and disclosure controls within the past 90 days and disclosed to the audit committee and outside auditor any deficiencies in such controls. In order to meet the certification requirements regarding the internal and disclosure controls, the SEC recommends that every company establish a disclosure committee consisting of the CFO, controller, heads of divisions and other people having significant responsibility for the company's principal operating divisions. The disclosure committee should review the company's existing internal and disclosure controls and procedures, document them, evaluate their adequacy, correct any material weaknesses and create monitoring and testing procedures that will be used every quarter to continuously evaluate the company's internal and disclosure controls and procedures.
Involving the auditors
It will be critical for every company to involve its auditors in the design and implementation of the internal and disclosure controls and procedures, because the SEC requires a public company's outside auditor to report on the company's internal controls and procedures. The Big Four accounting firms have issued public advice that they won't be able to audit a company's internal controls without some documentation of the design and procedures, including the monitoring and testing procedures used by the company. This means that a company will need to establish detailed records, as well as reporting, testing and monitoring procedures that must be reviewed by the company's outside auditors. If an outside auditor finds that there are significant deficiencies or material weaknesses in the company's internal controls, the auditor will be required to disclose its findings in its audit report on the company's financial statements. The company will then be forced to correct the deficiencies, or its CEO and CFO will be unable to issue their personal certifications that the internal controls are adequate.
Private companies should be aware that the standards imposed by the Big Four are often being adopted by other auditing firms; as a result, these standards are becoming the de facto standard for all audits. When a bank requires an audited financial statement as part of its annual compliance and when a venture capitalist requires an annual audit as a condition to its investment, the borrower or entrepreneur may unwittingly be agreeing to the reporting, testing and monitoring procedures of Sarbanes-Oxley.
Corporate controls and standards
While Sarbanes-Oxley was adopted in response to perceived inadequacies and misconduct by corporate officers and directors, its focus on systems and on certification of the adequacy of reporting schemes is likely to have a broad effect on the establishment of corporate controls and standards. A variety of consultants, including accounting firms, software developers and others, have developed and are actively marketing automated systems. These systems are intended to assist in establishing a reporting regimen for corporations, allowing certifying officers and boards of directors to establish compliance with the requirements imposed by Sarbanes-Oxley and ensuring that corporate controls are followed.
Companies have long recognized that ensuring that corporate IT systems are accurate and secure is key to the kind of high-quality information necessary to build successful companies. The development of stringent standards under Sarbanes-Oxley, and the extension of those standards to nonpublic companies, is even more reason to implement those systems.
Robert Braun is a partner in the corporate department at Jeffer, Mangels, Butler & Marmaro LLP in Los Angeles. His practice, spanning more than 20 years, focuses on corporate, finance and securities law with an emphasis on banking law, emerging technologies and hospitality businesses.