Avoiding Lawsuits and Prosecution under Sarbanes-Oxley
How do you keep yourself, your department, and your company out of the Sarbanes-Oxley (SOX) spotlight? Here are a few tips for keeping the litigators off your doorstep and sleeping soundly with SOX compliance.
Maintain an active and visible audit committee
Under SOX, every public company is required to have an audit committee that interfaces with the company's outside auditors. Many not-for-profit and private companies are opting to establish audit committees as well because they provide additional credibility for the audit process. The audit committee is responsible for giving good information to the auditors and communicating audit issues to management, so this is one committee you want to make active, visible, and well funded in your company.
Communicate about how to communicate
In the first major case to go to trial after SOX, James Scrushy, the CEO of the teetering HealthSouth Corporation, was acquitted in July 2005 of 36 counts of signing false financial filings. Scrushy claimed he didn't know of the fraudulent activity that sent the five HealthSouth subordinates who reported to him to jail. As this lawsuit makes clear, documented communication channels and visible networks can help you and your company maintain credibility in a SOX-related investigation. Documentation can help buttress testimony and jog memories.
Put policies in place to document how delegated work is supervised and how results and conclusions are communicated. Policies will vary for every company and may even be different within particular departments. Employee titles don't always convey the actual level of supervisory responsibility a position entails.
Combat policy paranoia and Section 404 audit-chondria
Communication is key under SOX, but too much of it can also be a bad thing. Policies that micromanage workflow and audit minutiae can create their own red flags. For example, cynical attorneys may raise questions about why trivial policies were flexibly applied, or future auditors may demand discussion about why nonmaterial discrepancies weren't further investigated or why items from last year's audit were dropped from this year's agenda.
Under SOX, a company's audit committee has the authority to hire independent advisors, such as attorneys, to help write good policies and determine how to handle audit issues. SOX-savvy attorneys can help the committee adopt policies that contain an appropriate level of detail. Attorneys also can act as good advocates when auditors propose devoting resources to reviewing potentially irrelevant or nonmaterial issues or when issues arise about the scope of sensitive SOX-related projects under Section 404.
Policies that have ill-conceived phrasing or extraneous detail create the risk that employees cannot literally comply with them, and they leave insufficient room for employees to exercise appropriate discretion in unforeseen circumstances.
Keep bonuses within bounds
During Enron, WorldCom, and other corporate scandals, the media had a field day reporting on huge, questionable bonuses paid to executives of these failing corporations. In the post-SOX era, executive compensation has become a politically sensitive issue.
Document how and why executive bonuses were awarded. Your company's compensation committee should have a market analysis on hand to show that bonus amounts are in line, in the event that they are later challenged. For instance, questions may be raised in a lean year as to why big bonuses were paid in a prior profitable one.
Separate the whistle-blowers from the whiners
Whistle-blowers are employees who raise questions of fraud or noncompliance with accounting or governmental regulations in the workplace. So that a serious and valid complaint doesn't get glossed over and later return to cause major lawsuit trouble for the company, every whistle-blower complaint should be fully investigated and its disposition documented. Make sure that levels of review are afforded to complaints based upon their seriousness and credibility and that compliance with company policy is documented at every level to determine which complaints may have hidden merit.
Invest in IT tools and tricks
Buying and using a sensible SOX software product is a good way to demonstrate that your company is committed to strong internal controls and is being systematic in its compliance.
If the software tool generates good reports and summaries, it's easier to document what people in the company knew for certification purposes.
Do something with all that data
Data gathered during a Section 404 audit should be evaluated according to a stated policy and also should be shared with the audit committee, management, and board of directors as appropriate.
It's logical that many companies, having spent considerable resources to comply with Section 404, don't want to dedicate more resources to analyze the data. Understandably, companies want to get back on track developing core services and products. However, taking extra steps to parcel out the data to relevant decision makers can provide valuable databases of company-specific and current information on which to base future decisions affecting their departments.
Be attuned to triggering events
Within four days of their occurrence (and sometimes less), SOX requires companies to disclose to the public (on Form 8-K) certain triggering events, such as the termination of major contracts, new financial obligations, write-offs, and financial restatements. Companies that don't disclose these events in a timely manner risk both public sanctions and private litigation.
Document what's delegated
Litigation under SOX has an increased focus on what management knew and what it was supposed to know. Under SOX, management is allowed to delegate authority and even outsource certain types of decisions. It is not, however, acceptable for management to take measures to insulate itself from information as to how that authority is being carried out.
Delegation of authority was a key issue in the HealthSouth scandal, when CEO Richard Scrushy walked free while five of his subordinates were convicted of fraud. Prosecutors and the public were aghast and determined not to let many more slippery CEOs escape liability under SOX by claiming they didn't know what their subordinates were doing.
Focus on product and service delivery
SOX is legislation aimed at protecting the public from false financial reporting. If your company's credo is to focus on product and service delivery that generates real growth, rather than on plumping up paper profits, your company will meet the objectives of SOX.