Best Foot Forward: SOX and Financial Standards
A corporate CEO might risk scandal and bad press in the pursuit of profits, but prison? When the Sarbanes-Oxley Act of 2002 (often known as SOX) included criminal penalties for fraud in financial statements, corporate executives took notice. And in their fear, they made SOX seem like a horrible burden. "There's nothing in Sarbanes-Oxley that is harmful to anybody," contends Peggy M. Jackson, author of Sarbanes-Oxley for Nonprofit Boards: A New Governance Paradigm (Wiley, 2006), whose background is in business administration and insurance. "It's all things people should be doing anyway."
SOX legislation applies to publicly traded companies as well as those that hope to become public or to be acquired by a public company some day. While it does not apply to such nonprofit organizations as colleges and universities, its underlying principles shouldn't be ignored. The Sarbanes-Oxley Act sets forth standards for good organizational governance; it helps donors, trustees, and other stakeholders have confidence in the financial statements that the organization presents; and it's increasingly the model for proposed state and federal laws addressing nonprofit accountability.
"We thought at some point in time this would flow down to nonprofits, so why not get started?" explains Marshall Moore, chief business officer at Montgomery College (Md.). "Some of these things made sense to do whether they were mandated or not." It took big scandals, such as those at Enron and WorldCom, to show public company investors just how lax the oversight was at many companies. And the current concern over payments and donations for student loan company referrals is raising questions about how conflicts of interest, one of the areas covered by Sarbanes-Oxley, are being addressed on campus.
The Sarbanes-Oxley Act was passed in response to a spate of huge corporate scandals, where executives at major corporations misled their shareholders; these businesses were not nearly as stable as people had thought. Pension funds, mutual funds, and other investors lost billions of dollars, and thousands of people lost their jobs and their retirement savings. It turned out that the managers, the boards of directors, and the audit firms had developed such a collegial working relationship that no one questioned it when either small or large corners were cut.
In 2002, Senator Paul Sarbanes (D-Md.) and Representative Michael Oxley (R-Ohio) proposed a bill that would overhaul financial reporting for public companies, and it passed.
The Sarbanes-Oxley Act is a huge bill, and public companies have been scrambling to keep up with it ever since. Its key provisions include:
- the creation of a new regulatory body, the Public Company Accounting Oversight Board (PCAOB);
- the establishment of independent audit committees on boards of directors;
- conflict of interest disclosure;
- protections for employees reporting suspected financial wrongdoing;
- requirements that the company's chief executive officer and chief financial officer attest to the validity of the financial statements, with criminal penalties for making false attestations;
- regular rotation of auditors, who may not provide other services to the organization;
- maintenance of detailed financial records; and
- testing and documentation of all financial controls in the company (covered under Section 404 of the Act).
"Those who passed the law explicitly excluded nonprofits," notes James Keller, chair of the higher education practice group at the law firm of Saul Ewing LLP in Philadelphia. Still, he says, it makes sense to implement the key concepts of Sarbanes-Oxley so that colleges and universities can show students, parents, and donors that they're committed to transparency, accountability, and avoiding conflicts of interest.
The business press is filled with stories of companies facing enormous expenses and headaches trying to comply with SOX, with most of those challenges related to Section 404. Managers have been bogged down in debates over how many signatures are required on expense forms and who can hand out pay stubs, with the decisions possibly affecting whether or not the company can pass its audit. (Regulators and Congress are considering changes to Section 404 that would eliminate some of the trivia, but it's unlikely the entire law will be repealed.)
Because of these complications, many nonprofits are looking at every SOX provision but the dreaded 404. "I think it would be unwise for [higher ed leaders] to wipe their brows and say, 'Whew, I'm glad we don't have to deal with that,'" says Robert Clark, chief auditor at Georgia Institute of Technology in Atlanta. "We have an obligation to follow many of the underlying principles embedded in SOX."
According to Clark, Section 404 has four key requirements that an institution of higher ed can apply while avoiding the mire of minutiae:
1. Establishing and maintaining internal controls
2. Assessing the effectiveness of those internal controls
3. Managing oversight of the structure and effectiveness of those controls
4. Providing security on those controls.
"The approach we have used here at Georgia Tech is to weed through the letter of the law and see what's being required," Clark says. "Those are things that can be accomplished within good business practice." A relatively simple example, he says, was that the campus audit staff went through all the financial reports being produced to ensure that no one could go in and make changes without documentation.
By including criminal penalties, Sarbanes-Oxley was designed to force corporate executives to pay attention to what was happening at every level of the business. The fish rots from the head first, as the cliché goes; the only way that an institution can make a substantive commitment to governance is if the president and board are committed. Otherwise, it becomes another memo that can be safely ignored. "We adopted a letter that is similar to what you'd see in a for-profit company," says Jeff Amburgey, vice president of finance at Berea College (Ky.). "It's a management confirmation of the data, signed by the president and the financial officer."
And at the University of North Carolina, President Emerita Molly Broad led the SOX charge during the decade leading up to 2006 when she was at the helm. Her commitment was due in part to her experiences serving on the audit committees of two public companies. Such committees are comprised of financial experts on the board who are neither employees nor officers of the organization itself nor members of the board's budget and finance committee. The audit committee is supposed to act as a liaison between the organization and the audit firm to ensure that the financial results reflect the organization fairly.
With no audit committee in place at UNC, Broad explains, she went to work setting one up. It meets monthly to review every financial report issued in the 16-campus system. In addition, UNC created an automatic financial review of a campus that occurs whenever its chancellor or chief financial officer leaves. "It's enormously helpful for an incoming senior officer," Broad says. "Because it's done systematically and routinely, it's not going to imply any wrongdoing."
SOX enumerates board responsibilities and management responsibilities so that problems can't fall through the cracks. Montgomery College officials copied that approach to ensure that the right people were accountable. The board needed to address the structure of the audit committee, and the campus staff needed to expand its internal audit functions and create a tracking system to keep the board apprised of changes. One result, Moore says, is that the finance office has developed better credibility on campus, which helps improve compliance.
Montgomery College officials also made some bylaw changes. "We listed in the bylaws exactly what the audit committee's responsibilities are," Moore says, rather than assuming that the members would know or could figure it out.
And at Drexel University (Pa.), which is governed by two boards (one for Drexel's medical school and one for the rest of the university), the bylaws of the medical school board were changed so that the president would no longer be an ex-officio member of the audit committee; he was never on the audit committee of the general board.
Adopting SOX benefits a higher ed institution for practical reasons as well. "We're heavily reliant on donors to entrust us with the good stewardship of their resources," Amburgey says. So the staff and board members at Berea College try to stay in front of governance issues. After all, donors have many choices for what to do with their money. They not only face solicitations from worthy educational, religious, humanitarian, and arts organizations, but they can also spend the money on themselves and their families. "Donors and other stakeholders want evidence that their money is being used as they intended," Jackson says. "They want to see a return on donation." That alone means good institutional governance brings long-term benefits.
It's not just that donors want to see accountability; many major donors become accountable when they join a board. A board nomination is an honor that carries much responsibility, and not just to raise money. Board members serve everyone from Nobel Prize winners on faculty to incoming freshmen and entry-level food service employees. Many organizations have been worried that meeting the Sarbanes-Oxley test of having financial experts on the audit committee will make it more difficult to recruit board members, but Broad says this has not been the case. "There are always enough people interested in serving in these roles," she says.
Trustees are usually savvy people, which is why they are on the board. They have done things with their lives that bring respect, and they have contributed to the growth of the institution. But even if they have corporate backgrounds, they may not be experts in finance and accounting. Given their many accomplishments, board members may be reluctant to admit that they have this weakness. That does, however, create an opportunity for an IHE to promote its educational mission.
Jackson says boards of trustees need to show thoughtful consideration, even if it later turns out that they didn't make the right decision. "Boards make decisions on business matters," she says. "No one is asking for perfection, just evidence of an informed decision." This means that the minutes take on a high level of importance, both when they are taken and how they are preserved.
Although it does not apply to nonprofits, SOX is serving as a model for state laws and different proposed federal laws that would change nonprofit governance. In 2004, California's legislature passed SB 1262, the Nonprofit Integrity Act, which requires nonprofits with more than $2 million in revenue chartered or doing business in the state to have an annual audit and an independent audit committee on the board. Educational institutions are currently exempt, but they could be just a scandal away from being included.
Georgia now requires that the chief business officer and president of state universities sign off on financial statements. Even without laws, state attorneys general, such as Andrew Cuomo of New York, are looking at whether conflicts of interest and improper oversight are harming consumers residing in their state.
No matter how good a job the board members and administrators of a college think they're doing, the public might not be convinced. A 2003 Brookings Institution study showed that while 31 percent of Americans believed charitable organizations are very good at helping people, only 11 percent of them felt that nonprofit organizations are very good at spending money wisely. And just 19 percent believed that nonprofits are very good at running their programs or services.
That's why the principles of Sarbanes-Oxley are not going away. Although there is some talk of changing the rigor of Section 404, the basic requirements that organizations be able to identify every process that affects reported financial results and then document that these work the way that they are supposed to are things that organizations should be doing, experts say. How can a board pass on tuition increases to students, ask donors for more funds, and cut health benefits to faculty and staff in the name of fiscal responsibility if the members don't know how or if the accounting systems work?
Sarbanes-Oxley, or any attempt at better governance, won't solve all problems, but it may lead to faster recognition and a better resolution. Clark says, "There is a lot more accountability and responsibility than there used to be, and that is a good thing."
Ann C. Logue is a Chicago-based freelance writer who specializes in covering finance.