Sarbanes-Oxley For Dummies Cheat Sheet

The Sarbanes-Oxley Act (SOX) provides a legal model for running corporations of all sizes, regardless of whether they’re publicly traded and technically subject to SOX. The best legal minds agree that good liability-limiting governance after SOX requires corporations to do the following:

• Evaluate your board members. After SOX, shareholders expect the directors who sit on the boards that run companies to be independent and financially literate.

• Create the correct kinds of committees. After SOX, well-governed companies of all sizes break their board members up into audit committees, nominating committees, compensation committees, and maybe even disclosure committees.

• Get good counsel for corporate officers. The legal trend is that chief executive officers (CEOs) and chief financial officers (CFOs) are held responsible for everything that appears on financial statements. CEOs and CFOs need good legal counsel inside and outside the company to help them ask questions and spot issues necessary to reasonably protect these officers from liability.

• Set defensive communication standards. When a legal battle ensues, communications processes within the company are scrutinized. Establish clear communication procedures that reflect responsibility and accountability within the company.

• Know the “hidden” risks to board members. Board members are responsible to shareholders and third parties that rely on the company’s financials. Even in small, private companies, board members can be sued by creditors and third parties that rely on the financial statements.

• Know when to say “no” to a Section 404 auditor. Attorney opinions can be instrumental in cutting Section 404 costs in a company’s first year of Section 404 compliance. Attorneys can help cut costs in the Section 404 process by identifying areas in which legal liabilities and exposures are minimal.

• Don’t treat whistle-blowers like whiners. Whistle-blowers are people who alert the company to breaches of internal policy and government regulations, and they must be treated with special care after SOX.

• Know when to file an 8-K report. SOX Section 404 contains a list of seemingly routine events in the life of a corporation that call for the filing of an 8-K report. These events include (among many others) changes in management and loss of a major client. Know these triggering events.

• Figure out whether your company needs an SAS 70 Form. Even small companies that technically don’t have to comply with SOX Section 404 may be asked to provide certifications about their internal control to their clients who do have to comply using this form.

Sarbanes-Oxley (SOX) was passed to combat corruption at big public companies like Enron, WorldCom, Tyco, Adelphia, Global TelLink, HealthSouth, and Arthur Andersen. But small and not-for-profit companies are finding they have no choice but to adopt many of the same standards if they want to get insurance, attract investors and donors, and repel lawsuits. SOX compliance is becoming a portfolio building block that no company can ignore. Here’s what to do:

• Form an audit committee. Your company’s audit committee should consist of independent directors who sit on the board and ensure the integrity of your company’s audit process. After SOX, it’s tough to explain to investors and regulatory authorities why your company never got around to convening an audit committee.

• Combat Section 404 audit-chondria and policy paranoia. Auditors and governance officers want to shine by conscientiously complying with SOX Section 404. However, they have to do their jobs within the bounds of budget and reason. Not every audit issue deserves full-throttle testing, and not every trivial process needs accompanying polices and controls.

• Prevent whistle-blower complaints from becoming lawsuits. Every company has its share of complainers and malcontents. However, when employee or vendor complaints regard matters than can affect the company’s financial statements, the issues need to be fully documented and vetted.

• Keep a lid on insurance premiums. Increasingly, insurance companies are looking at SOX compliance as an unofficial underwriting criterion in quoting officers’ and directors’ liability policies and other coverage relative to companies’ exposure. Put simply, SOX compliance can save premium dollars.

• Be credible in raising capital. No investor or donor wants to assume unnecessary risk. Documenting your company’s compliance with the relevant aspects of SOX shows creditors and donors that your company operates in an ethical, controlled environment and that its future growth is a good bet.

• Deal with real data in making decisions. No company can make good decisions if its financial data is speculative and its procedures are hazy. The good news about SOX is that it has created spinoff software tools and checklists to help your CEOs, CFOs, and other management team members get a handle on what’s happening with your company.

• Figure out if SAS 70 applies to you (even if the rest of SOX doesn’t). If your company provides services to publicly traded companies, your clients may be asking you for an SAS 70 report. Even if you don’t have to comply with SOX, your customers may have to document that they only outsource to service providers with good internal controls in place and may be looking for you to provide the appropriate SAS 70 documentation.

• Communicate about control. When a company experiences a breach of ethics or internal control, it’s important to be able to trace the company communications to see where the breakdown occurred. Clear communications about controls, procedures, and ethics can protect conscientious management and employees at all levels while laying the blame on those attempting to circumvent SOX standards. The SOX spinoff market has produced tools and checklists to test communication as well as other types of control.

• Prepare management for new levels of liability. SOX places more responsibility (and potential liability) on management than ever before. Management needs to understand what it can no longer delegate under SOX and develop a strategy for maintaining control over what can be handed off to others.

• Adopt a code of ethics, and mean it. Every company should adopt a simple code of ethics and communicate it to everyone in the organization. In any company, new situations that aren’t covered by specific policies will arise. However, in the post-Enron era of SOX, the company’s code of ethics should cover everything.