Sarbanes Oxley Compliance Financial Security Audit and Management

Saturday, March 26th, 2011

Various rules and regulations require the management of companies to protect proprietary and confidential information. Sarbanes-Oxley and SB-1386 are examples of such rules and regulations. The Sarbanes-Oxley Act was passed into law in 2002 to protect investors by improving the accuracy and reliability of corporate disclosures. Sarbanes-Oxley requires that a public company have written policies and procedures, and that they be followed, to protect the interests of its stockholders.

Sarbanes-Oxley and SB-1386 mandate that if a company maintains client personal information, that information must be maintained in a secure manner. In the event any client personal information is compromised, each client who may have been affected must be informed within a reasonable period of time.

Data Triage Technologies provides confidential auditing services that comply with Sarbanes-Oxley and ISO 17799. DTT’s consultants will test and review network security policies and procedures and provide a detailed report addressing the security findings. Recommendations will be made where needed to ensure proper compliance.

Upon request, DTT can further assist the client by drafting written policies and procedures. Details of all work performed, including testing and our analysis of the network security situation, are included in a comprehensive report and delivered to the client in a timely manner after completion of the work.

Our network security policies and procedures will ensure that your end-to-end network security solution always provides you the appropriate level of protection. We will identify the essential processes and procedures to track and test your network security so that it remains effective and can be improved over time as threats continue to grow.

The Sarbanes-Oxley Compliance For Corporates

Saturday, March 26th, 2011

Auditing is a major concern of any company. Every organization should comply with the rules and regulations set forth by the US government. One such regulation is the Sarbanes-Oxley Act, which applies to public companies.

The Sarbanes-Oxley Act was enacted as a reaction to a number of corporate and accounting scandals. These scandals shook the confidence of the public because they cost investors millions of dollars when the share price of the affected companies collapsed.

This Act does not, however, apply to privately held companies.

The Sarbanes-Oxley Act was passed into law in 2002 to protect investors by improving the accuracy and reliability of corporate disclosures. Sarbanes-Oxley requires that a public company have written policies and procedures, and that they be followed, to protect the interests of its stockholders. This law fundamentally changed the standards for all US public company boards, management and public accounting firms. SOX orders strict reforms to improve financial disclosures from corporations and to prevent accounting fraud.

The Sarbanes-Oxley Act (SOX) requires that if a company records client personal information, it must be maintained in a secure manner. In the event any client’s personal information is compromised, each client who may have been affected must be informed within a reasonable period of time.

The Act

  • Creates a Public Company Accounting Oversight Board to enforce professional standards, ethics, and competence for the accounting profession
  • Strengthens the independence of firms that audit public companies
  • Increases corporate responsibility and the usefulness of corporate financial disclosure
  • Increases penalties for corporate wrongdoing
  • Protects the objectivity and independence of securities analysts
  • Increases Securities and Exchange Commission resources

Data Triage Technologies (DTT) provides confidential auditing services that comply with Sarbanes-Oxley and ISO 17799. DTT’s consultants test and review network security policies and procedures and provide a detailed report addressing the security findings. Details of all work performed, including testing and analysis of the network security situation, are included in a comprehensive report and delivered to the client in a timely manner after completion of the work.

The Sarbanes-Oxley Act and Implications for Nonprofit Organizations

Monday, June 11th, 2007

A collaboration between BoardSource and INDEPENDENT SECTOR has produced the following report on the effects of the Sarbanes-Oxley Act on nonprofits.

BoardSource and INDEPENDENT SECTOR wish to thank Dan Moore, Vice President for Public Affairs, GuideStar; Tom Hyatt, Principal, Ober Kaler; and Paul Nelson, President, Evangelical Council for Financial Accountability for sharing their professional insights and expertise on this document.

The American Competitiveness and Corporate Accountability Act of 2002, commonly known as the Sarbanes-Oxley Act, was signed into law on July 30, 2002. Passed in response to the corporate and accounting scandals of Enron, Arthur Andersen, and others of 2001 and 2002, the law’s purpose is to rebuild public trust in America’s corporate sector. The law requires that publicly traded companies adhere to significant new governance standards that increase board members’ roles in overseeing financial transactions and auditing procedures.

While nearly all of the provisions of the bill apply only to publicly traded corporations, the passage of this bill should serve as a wake-up call to the entire nonprofit community. If nonprofit leaders do not ensure effective governance of their organizations, the government will step forward and also regulate nonprofit governance. Indeed, some state attorneys general are already proposing that elements of the Sarbanes-Oxley Act be applied to nonprofit organizations.

Nonprofit leaders should look carefully at the provisions of Sarbanes-Oxley and determine whether their organizations ought to voluntarily adopt particular governance practices. This resource will review those provisions and assess their relevance to nonprofit organizations.

Finally, it is important to note that two provisions of Sarbanes-Oxley apply to all corporate entities, including nonprofit organizations. This resource will also review those features of the bill that require immediate nonprofit compliance.

Main Provisions of the Sarbanes-Oxley Act

With two notable exceptions, the Sarbanes-Oxley Act affects only American publicly traded companies and regulates what boards must do to ensure auditors’ independence from their clients. The Act also creates and defines the role of the Public Company Accounting Oversight Board, a new entity empowered to enforce standards for audits of public companies. The Act explains processes for electing competent audit committee members and for ensuring that adequate reporting procedures are in place. In addition, it calls for regulations, and closes most of the loopholes, for all enterprises—for-profit and nonprofit—relating to document destruction and whistle-blower protection.

The following sections cover each of the major provisions of the new law and discuss their relevance to nonprofit organizations. In addition, BoardSource and INDEPENDENT SECTOR offer recommendations for how nonprofit leaders should implement various provisions of the new law.

  1. Independent and Competent Audit Committee

Summary of Sarbanes-Oxley Provision

The Sarbanes-Oxley Act requires that each member of the company’s audit committee be a member of the board of directors and be independent. Independence in the Act is defined as not being part of the management team and not receiving any compensation (either directly or indirectly) from the company for service on the audit committee, though board service may be compensated.

In addition, companies must disclose whether they have at least one “financial expert” serving on the audit committee. If they do not have such an expert, they must disclose the rationale behind that decision. Who qualifies as a “financial expert” is still being debated. The Securities and Exchange Commission (SEC) proposes a definition that relies on an individual’s education and experience as a public accountant, auditor, or principal accounting officer. At present, however, the company’s board seems to retain the final right to establish specific qualifications for a financial expert.

The audit committee is directly responsible for hiring, setting the compensation, and overseeing the auditor’s activities. It sets rules and processes for complaints concerning accounting and internal control practices.

Relevance to Nonprofit Boards

While not all nonprofits conduct outside audits, most nonprofit boards have established one or more financial committees (e.g., finance, audit, and/or investment). In those organizations that undertake annual audits, particularly medium to large nonprofit organizations, the board is likely to have a separate audit committee or subcommittee. It is already good practice for nonprofit organizations to take steps to ensure the independence of the audit committee. While most nonprofit board members already serve as volunteers without any compensation and staff members do not participate as voting members, all nonprofit organizations should review their practices to ensure the independence of the audit committee. Also, many states provide additional liability protection for volunteer directors that may be lost if the directors are compensated for their service.

Because of recruitment priorities to create a well-balanced and diverse board, financial literacy may be more challenging for nonprofit boards. Nonprofit organizations need to ensure that board members of the audit committee have the financial competency to understand financial statements, evaluate accounting company bids to undertake auditing, and make sound financial decisions as part of their fiduciary responsibilities. A nonprofit that has a limited number of financial experts on its board may struggle with filling the treasurer’s position, a finance committee, and an audit committee.

Recommendations

  • While no standard guidelines mandate when a nonprofit organization should undertake a full audit, the board is responsible for assessing the potential benefits and costs of an audit. Generally, nonprofits that have budgets of more than $500,000 and that receive federal funds are required to conduct an annual audit. Some state laws have lower thresholds. In addition, participating in the Combined Federal Campaign requires an audit at $100,000. Smaller nonprofits, for whom an audit would be an unreasonable financial burden, should choose a review or at least have their financial statements compiled by a professional accountant. The boards of nonprofit organizations that forego an audit should evaluate that decision periodically.
  • All nonprofit organizations that conduct outside audits, particularly medium to large organizations, should have an audit committee and should separate the audit committee from the finance committee.
  • The audit committee should be composed of board members who are not compensated for their service and do not have a financial interest in or any other conflict of interest with any entity doing business with the organization. Most nonprofit organizations have volunteer board members. Nonprofit organizations that do compensate board members should not compensate audit committee members for their additional service. In addition, all nonprofits should ensure that no members of staff, including the chief executive, serve on the audit committee, although it is reasonable to have the chief financial officer provide staff support to the audit committee.
  • The audit committee should ensure that the auditing firm has the requisite skills and experience to carry out the auditing function for the organization and that its performance is carefully reviewed.
  • The audit committee should meet with the auditor, review the annual audit and recommend its approval or modification to the full board. The full board should review the annual audit and the audit committee’s report and recommendations. Ideally the full board meets with the auditor before formally accepting or rejecting the audit.
  • At least one member of the audit committee should meet the criteria of financial expert and have adequate financial literacy to understand, analyze, and reasonably assess the financial statements of the organization and the competency of the auditing firm.
  • Orientation of board members should include financial literacy training.
  • To support the accounting field and help ensure that nonprofit boards have available financial expertise, professional accreditation and membership organizations of accountants should require CPAs to participate in a pro bono nonprofit board service program.

  2. Responsibilities of Auditors

Summary of Sarbanes-Oxley Provisions

The Sarbanes-Oxley Act requires that the lead and reviewing partner of the auditing firm rotate off of the audit every five years. This does not necessarily mean that the auditing firm must be changed, although that may be the most direct way to comply with this requirement.

In addition, the Act prohibits the auditing firm from providing any non-audit services to the company concurrent with auditing services. This prohibition applies to bookkeeping, financial information systems, appraisal services, actuarial services, management or human resource services, investment advice, legal services, and other expert services unrelated to the audit. The board’s audit committee may, however, pre-approve certain services (not included in the above categories), such as tax preparation, which can then be carried out by the auditing firm. In addition, the pre-approval requirement is waived for non-auditing services if the value of the non-auditing services is less than five percent of the total amount paid by the organization to the auditing firm for auditing services.

The Act also requires that the auditing firm report to the audit committee all “critical accounting policies and practices” that are used by the organization, discussed with management, and represent the preferred way management wants these policies and practices treated. These critical accounting practices include methods, assumptions, and judgments underlying the preparation of financial statements according to generally accepted accounting principles (GAAP) and assurance that any results would be disclosed in case of changed assumptions.

Relevance to Nonprofit Boards

Changing auditors (partner or firm) every five years is presently considered good practice for all organizations, nonprofit and for-profit alike. The rationale: Auditing firms may grow accustomed to the financial procedures within one organization after a certain number of years, and bringing in a new firm helps ensure that all proper financial practices are closely examined.

Nonprofit organizations would be well served to adopt the Sarbanes-Oxley rule of preventing auditing firms from providing non-auditing services. This provision precludes a conflict of interest between the auditing firm and the client. At a minimum, the application of the rule should be considered in each case. At the same time, certain services can be pre-approved by the audit committee, and there is no reason why tax services and preparation of the Form 990 or 990-PF, for example, could not and should not be undertaken by a nonprofit’s auditing firm. This can also ensure that certain economies are achieved for the nonprofit client organization.

Finally, the provisions about disclosure to the audit committee of critical accounting policies and discussions with management also seem to fall well within the bounds of good practice. Greater disclosure of these internal control practices and management’s views on them will foster more informed judgments by the audit committee, enhanced oversight by the board, and greater transparency. The critical accounting practices would include, among other things, processes for segregation of duties, policies to use restricted funds for intended purposes, processes to review off-balance sheet transactions, and procedures for monitoring inventory fluctuations. In addition, the audit committee may be an effective committee for overseeing implementation and enforcement of the governing body’s conflict of interest policy.

Recommendations

  • Nonprofits should ensure that the auditor or auditing firm, or at least the lead and reviewing partners, are rotated every five years.
  • Nonprofit organizations should be cautious when using their auditing firms to provide non-auditing services except for tax preparation, which should be approved in advance, while the firm is contracted to provide auditing services.
  • Audit committees should require auditing firms to disclose to the audit committee all critical accounting policies and practices used within the organization as well as share with the audit committee any discussions with management about such policies and practices.

  3. Certified Financial Statements

Summary of Sarbanes-Oxley Provisions

The chief executive and chief financial officers must certify the appropriateness of the financial statements and that they fairly present the financial condition and operations of the company. There are criminal sanctions for false certification, but violations of this statute must be knowing and intentional to give rise to liability.

In addition, to avoid conflicts of interest, the CEO, CFO, controller, and chief accounting officer cannot have worked for the auditing firm for one year preceding the audit.

Relevance to Nonprofit Organizations

Any CFO who is responsible for generating timely and accurate financial statements for the company or organization should feel comfortable about certifying document integrity.

In a for-profit company, a positive bottom line is the CEO’s responsibility. Business acumen, capacity to interpret financial statements in detail, and skillfulness in convincing the board and shareholders that the corporation is meeting all expectations are obvious characteristics in a manager. Likewise, a nonprofit chief executive may be handicapped without adequate financial skills. He or she may be hired, however, primarily for other qualities. Nonprofit CEOs may excel in fundraising, knowledge of the organization’s field of interest, or a variety of other skills. Lack of superior financial prowess must be complemented by a skillful financial officer; without it, the organization cannot convince donors and funders that their money is properly managed. Nevertheless, it is still the responsibility of the CEO to ensure good stewardship of the organization’s resources.

Under Sarbanes-Oxley, CEO and CFO certification carries with it the weight of the law, but part of the underlying rationale is to ensure that both the CEO and CFO know and understand the financial statements. For a nonprofit organization, CEO and CFO sign-off on financial statements would not carry the weight of law, but it would signal the importance that the CEO, in particular, pays to understanding the nonprofit’s financial condition.

For nonprofit organizations, a key financial document is the Form 990 or 990-PF (for private foundations). The form requires a signature from an officer of the organization. Research from a number of studies reveals that the accuracy of these forms leaves much to be desired. Many of the errors in the Form 990 relate to failures to send a complete form, including Schedule A. Other problems include presenting an inaccurate report on fundraising costs, therefore distorting the financial picture of the organization’s operations. Thus, it is critical that nonprofit organizations examine their financial systems, policies, and reporting to help improve the accuracy and completeness of these forms.

There is, in all likelihood, considerably less staff movement in the nonprofit world between accounting firms and client organizations than there is in the for-profit world. Furthermore, because nonprofit executives do not receive lucrative stock options, the relevance of possible conflicts of interest from an auditor joining the executive staff of a nonprofit client is correspondingly less.

Recommendations

  • CEOs and CFOs, while they need not sign off on the financial statements of the organization, do need to fully understand such reports and make sure they are accurate and complete. Signing off on the financial statements provides formal assurance, however, that both the CEO and the CFO have reviewed them carefully and stand by them.
  • The CEO and CFO should review the Form 990 or 990-PF before it is submitted to ensure that it is accurate, complete and filed on time.
  • Regardless of whether the CEO and CFO certify the financial report, the board has the ultimate fiduciary responsibility for approving financial reports. Just as the financial and audit reports are reviewed and approved by the audit committee and the board, the Form 990 or 990-PF should also be reviewed and approved.

  4. Insider Transactions and Conflicts of Interest

Summary of Sarbanes-Oxley Provision

The Act generally prohibits loans to any directors or executives of the company.

Relevance to Nonprofit Organizations

Nonprofits are presently highly regulated with respect to financial transactions that take place within the organization. Private inurement, excessive personal benefit, and self-dealing all carry serious penalties for any nonprofit that steps out of line. “Intermediate sanctions” laws specifically address compensation and excess benefit transactions with “disqualified” individuals, generally meaning board members and executive staff.

Providing private loans to insiders—the specific item included in the Sarbanes-Oxley Act—is not a common practice in the nonprofit sector. However, when it has occurred, it has raised problems either from the perception of a conflict of interest or because it has not been appropriately documented as part of executive compensation. In addition, in some states, nonprofit law expressly prohibits loans to directors and officers.

Recommendations

  • Because the practice of providing loans to nonprofit executives has been a source of trouble in the past and because this practice is specifically prohibited under Sarbanes-Oxley and in some states is prohibited for nonprofit organizations, it is strongly recommended that nonprofit organizations not provide personal loans to directors or executives.
  • If such loans are provided, they should be formally approved by the board, and the process for providing the loan should be documented, and the value and terms of the loan should be disclosed.
  • To guide the board and staff in independent decision making, the organization must have a conflict of interest policy with disclosure and this policy must be enforced without fail.

  5. Disclosure

Summary of Sarbanes-Oxley Provision

The Sarbanes-Oxley Act requires a number of disclosures, including information on internal control mechanisms, corrections to past financial statements, and material off-balance sheet transactions (adjustments). The Act also requires companies to disclose information on material changes in the operations or financial situation of the company on a rapid and current basis.

Relevance to Nonprofit Organizations

While many of the transactions the new law requires publicly traded companies to disclose do not apply to nonprofit organizations, they should nevertheless provide their donors, clients, public officials, media, and others with an accurate picture of their financial condition. Current law already requires tax-exempt organizations to make their Forms 990 or 990-PF freely available to anyone who requests them. These informational reports, as mentioned before, need improvements both in accuracy and in timeliness of disclosure. One way to achieve that objective is through electronic filing, something which the Internal Revenue Service is currently pursuing and which the nonprofit community generally endorses.

Recommendations

  • The Internal Revenue Service should ensure that as planned it is prepared to receive electronically filed Forms 990 and 990-PF by FY2005.
  • Nonprofit organizations should improve the timeliness, accuracy, and completeness of the Forms 990 or 990-PF by filing electronically when that is available to them.
  • Nonprofits should not rely on automatic extensions for filing Forms 990 and 990-PF without cause.
  • Audited financial statements should be easily accessible for review.

Two provisions of the Sarbanes-Oxley Act apply to all corporations be they nonprofit or for-profit. Thus, all nonprofit organizations need to understand these two provisions and comply with them.

  6. Whistle-Blower Protection

Summary of Sarbanes-Oxley Provision

The Sarbanes-Oxley Act provides new protections for whistle blowers and criminal penalties for actions taken in retaliation against whistle blowers. The Act protects whistle blowers who risk their careers by reporting suspected illegal activities in the organization. It is illegal for a corporate entity—for-profit and nonprofit alike—to punish the whistle blower in any manner.

Relevance to Nonprofit Organizations

Nonprofits must start by protecting themselves. They must eliminate careless and irresponsible accounting practices. A nonprofit organization would benefit from an internal audit that brings to light weak spots and installs processes that are not vulnerable to fraud and abuse. Written policies that are vigorously enforced by executive staff and the board send a message that misconduct is not tolerated.

An organization must develop procedures for handling employee complaints. A nonprofit must establish a confidential and anonymous mechanism to encourage employees to report any inappropriateness within the entity’s financial management. No punishment—including firing, demotion, suspension, harassment, failure to consider the employee for promotion, or any other kind of discrimination—is allowed. Even if the claims are unfounded, the nonprofit may not reprimand the employee. The law does not force the employee to demonstrate misconduct; a reasonable belief or suspicion that a fraud exists is enough to create a protected status for the employee.

Recommendations

  • Nonprofits must develop, adopt, and disclose a formal process to deal with complaints and prevent retaliation.
  • Nonprofit leaders must take any employee complaints seriously, investigate the situation, and fix any problems or justify why corrections are not necessary.

  7. Document Destruction

Summary of Sarbanes-Oxley Provision

The Sarbanes-Oxley Act addresses destruction of litigation-related documents. The law makes it a crime to alter, cover up, falsify, or destroy any document (or persuade someone else to do it) to prevent its use in an official proceeding (e.g., federal investigation or bankruptcy proceedings). The Act turns automatic document destruction into a process that must be monitored, justified, and carefully administered.

Relevance to Nonprofit Organizations

Common sense dictates that individuals, nonprofit organizations, and companies regularly need to shred or otherwise dispose of unnecessary and outdated documents and files. Like their for-profit counterparts, nonprofit organizations need to maintain appropriate records about their operations. For example, financial records, significant contracts, real estate and other major transactions, employment files, and fundraising obligations should be archived according to guidelines established by the organization. With current technology, electronic files and voicemail complicate matters, since pressing the delete button on a computer is not a permanent method of file removal.

Recommendations

  • A nonprofit organization should have a written, mandatory document retention and periodic destruction policy. Such a policy also helps limit accidental or innocent destruction.
  • The document retention policy should include guidelines for handling electronic files and voicemail. Electronic documents and voicemail messages have the same status as paper files in litigation-related cases. The policy should also cover back-up procedures, archiving of documents, and regular check-ups of the reliability of the system.
  • If an official investigation is underway or even suspected, nonprofit management must stop any document purging in order to avoid criminal obstruction.

Conclusion

The Sarbanes-Oxley Act has now been in force for over a year. During these months of intense corporate governance scrutiny, the Act has also forced the nonprofit sector to analyze its board practices and methods of operation. Individual organizations have begun to identify loopholes—and figure out how to eliminate them. Watch-dog agencies and other nonprofit field-building organizations are reconsidering assumptions and standard operating procedures in an effort to identify guidelines, standards, and best practices in the sector.

Regardless of whether this critical self-analysis is prompted by a set of potential laws ultimately governing the actions of nonprofit organizations, we have heard the wake-up call. For all of us in the sector, the Sarbanes-Oxley Act has caused a renewed realization that nonprofit organizations rely on—and must protect—the indispensable and unequivocal confidence and trust of our constituents. Self-regulation and proactive behavior will always prove more powerful than compulsory respect of laws.

Additional Resources

  • Press Release from the Office of New York State Attorney General http://www.oag.state.ny.us/press/2003/mar/mar12a_03.html.
  • Summary of the Sarbanes-Oxley Act http://www.aicpa.org/sarbanes/index.asp.
  • Recommendations from the National Association of Corporate Directors Concerning Reforms in the Aftermath of the Enron Bankruptcy http://www.nacdonline.org/nacd/enron_recommendations.asp
  • “Corporate Governance. The Wall Street Journal Reports.” Wall Street Journal, February 24, 2003.
  • “Raising the Bar on Governance: Board Committee Performance in the New Era of Accountability.” American Governance & Leadership Group, 2002.
  • Hamel, W. Warren. “What Corporate Governance Legislation Means to You.” Association Management, March 2003.
  • Heinz, Patrice A. “The Financial Reporting Practices of Nonprofits.” Alliance for Children and Families, 2003. http://www.alliance1.org/Home/SOX_final_8-03.pdf
  • Kokourek, Paul F., Christian Burger, and Bill Birchard. “Corporate Governance: Hard Facts about Soft Behaviors: Seven steps to fixing what Sarbanes-Oxley can’t.” strategy + business, Issue 30, Spring 2003.
  • McLaughlin, Thomas A. “For-Profit Spillover: New Regulation of Independence.” NonProfit Times, February 1, 2003.
  • Michaelson, Martin. “A New Era of Corporate Governance Bears Down on Higher Education.” Trusteeship, January/February 2003.

Article Source: http://www.guidestar.org/DisplayArticle.do?articleId=883