Somehow, all the publicity about Sarbanes-Oxley made it seem as if this legislation applied to nonprofits, too. But contrary to what is frequently thought (and said in nonprofit boardrooms!), Sarbanes-Oxley is not applicable to nonprofits, albeit with just a couple of exceptions. In other words, there are a couple of small points to note (templates later in this article), a lot to relax about, and a lesson to be learned in nonprofit leadership.
You may remember that this multi-component legislation (nicknamed SOX) was passed by the U.S. Congress in 2002 in response to a large number of for-profit scandals involving Enron, Tyco, WorldCom, Arthur Anderson, and others. Extreme fraud, conflicts of interest on boards, unethical executive compensation practices, and improper auditing led to the failure of these mega-companies and deep, negative impacts on consumers, shareholders, employees, and many other individuals and institutions.
In response, Sarbanes-Oxley set in place a number of required processes for publicly held corporations (corporations that issue stock to the public), of which the best known may be the requirement that the CEO personally vouch for the accuracy of financial statements and that the external audit firm be different from the firm providing financial consulting.
There are only two aspects of Sarbanes-Oxley that are applicable to nonprofits:
- Strengthened whistleblower protection and
- Retention of documents related to lawsuits
The new Form 990 also asks whether you have policies related to these two areas, making it more important to get them adopted. To make it easy, nationally recognized attorney Tom Silk of Silk Nonprofit Law has created model policies in each of these areas, and made them available at no charge to the nonprofit community through CompassPoint Nonprofit Services. Blue Avocado is pleased as well to be able to present these for use by nonprofits. See the end of this article for links to these templates.
Perhaps the most intriguing aspect of Sarbanes-Oxley is that many of the provisions it mandated for for-profit businesses were already common, nearly universal practices in nonprofits, including:
- Requirement that the audit committee be comprised of board members
- Requirement that audit committee members not be on staff, and
- Prohibition of loans from the organization to board members.
Although Sarbanes-Oxley was not aimed at nonprofits and its key provisions are already widely practiced in nonprofits, some voices in the nonprofit sector saw the law’s passage as a wake-up call for nonprofits to adopt a variety of governance and financial practices.
For example, Independent Sector, the national coalition that proposes standards for nonprofit governance, now suggests that nonprofit boards include at least one “financial expert,” and provide “financial literacy training” to all board members. While such practices may be good ideas for some organizations, turning them into requirements would be, for most organizations, defensive, unnecessary moves. (Two whitepapers that explore possible implications are The Sarbanes-Oxley Act and Implications for Nonprofit Organizations from BoardSource and Ten Emerging Principles of Governance of Nonprofit Corporations and Guides to a Safe Harbor by Tom Silk.)
The bottom line for nonprofits and Sarbanes-Oxley?
- A. Adopt and implement a whistleblower policy.
- B. Adopt and implement a document retention policy
- C. Consider formalizing such non-required practices such as:
- If you have an audit committee, have it comprised of board members who are not also on staff, and if you are audited but don’t have an audit committee, consider forming such a committee or task force
- Prohibit loans from the organization to board members (some states’ corporate laws prohibit this)
- If you have a financial consulting firm, choose one that is different from your auditing firm
- Have the full board approve compensation for the executive director and the top staff financial officer
- Adopt an Ethics or Conflict of Interest Policy
Upcoming issues of Blue Avocado will discuss Ethics and Conflict of Interest Policies and include Model Policies. See also:
- Sample Whistleblower Policy for Nonprofit
- Model Document Retention Policy for Nonprofits by Tom Silk
- Is It Time for an Audit? by Jeanne Bell
- Should Nonprofits Be More Like Business?
- Nonprofit Embezzlement: More Common and More Preventable Than You Think from Board Cafe
Special thanks to attorney Michael Schley and CPA Steve Zimmerman for assistance on this article as well as to the brilliant and generous Tom Silk. This article is adapted from The Best of the Board Cafe, Second Edition, published by Fieldstone Alliance in the fall of 2009. Click here to order.
Could someone please provide the specific legal cite for the proposition that a whistleblower policy is required for an incorporated nonprofit? Thanks.
You can check out the actual Sarbanes-Oxley Law or the Whistleblower Protection Act of 2007.
We are a small nonprofit start-up in Michigan. We have no paid employees, this is an all volunteer organization. Would the whistleblower policy be required or necessary?
If your nonprofit is incorporated, then yes, you must establish a whistleblower policy. If you are not incorporated, it is not required.
I have read mixed messages about Whistleblower provisions and their applicability to non-profits. Can anyone clarify this for me?
I’m looking for information regarding a non-profits’ use of donor funds for non-mission related activities. Do you have any articles like this in your archive?
As the manager of a small nonprofit (annual budget under $300K, 2 full-time staff) I cannot begin to tell you how frustrating and disruptive it is to the organization, not to mention the outrageous cost…we pay 6K per annual audit. It is the single biggest threat to our well-being.
It has been my experience as a consulting auditor that since SOX all audits are now fraud audits. Gary Pigg, MBA
Andersen was not cleared of any charges. The conviction was overturned because of the way the judge instructed the jury, and not because of errors by prosecutors. This "great company" was Enron’s auditor and certainly should be seen as involved in the Enron mess. (Not that the many Andersen people uninvolved with that account deserve direct blame.)
The facts are that, by the 1990s, the big audit firms were more interested in management consulting fees than doing scrupulous audits. I think government was correct in seeking the end of that era, and in prosecuting Andersen when it suddenly decided to destroy tons of documents relating to the work it did for Enron.
Anyone who wants to read some coverage of what happened in that Andersen court case:
My experience has been that SOX has prevented auditors from doing basic services that they used to provide for small non-profits (like making adjusting entries) and has made the work so much more time consuming for the auditor that their services are no longer cost effective. The average price in Virginia for a small organization (less than $300,000 annual budget) is now $7,000 with only a very small number of firms willing to participate in the market. Funders continue to pursue their path of unwillingness to contribute to such operational expenses without modifying their requirement that this work be undertaken. We are not having an independent audit this year.
Thank you for calling attention to the twin problems of a) audit costs for nonprofits being out-of-whack with their size (and their ability to afford them) and b) the few number of firms willing to participate in the market. One would think that high prices would lead firms INTO the market, but the complexity of nonprofit audits makes it hard for them to charge small organizations what their costs are. Especially as more states think about requiring audits for nonprofits at various sizes, we and the accounting industry need to argue against requirements or at least for having them at higher levels (such as $5 million).
Not sure you meant to say "pubicity"…you seem to be missing an "l"…"publicity"
Hope that helps.
You are completely right and I’ve corrected it. How embarrassing! Thanks for the catch. Jan
You folks may find the following nonprofit audit committee paper relevant to your discussion,
Dave Tate, Esq. (San Francisco)
Interesting article. However, I think that you missed the biggest effect that SOX has had on NPOs: the procedures that SOX requires for publicly traded corporation have been into the Generally Accepted Accounting Principles that are used by CPAs to conduct audits. So, even tho’ our NPO has a budget of only $250K and only 2 full-time employees, we have to separate duties just like Exxon / Mobile, etc.
First off, you mixed up generally accepted accounting principles (GAAP) and generally accepted auditing standards (GAAS). Second off, you mixed up sound internal control procedures (such as segregating record keeping from custody of the assets, known as segregation of duties) and GAAS. If you do not have effective segregation of duties, and your comment sounds as if you did not, you leave your not for profit entity vulnerable to fraud, theft, and embezzlement.
Effective internal controls including segregation of duties is an auditing concept that pre-dates SOX by many decades. All SOX did, in regards to this, is hold publicly held corporations responsible for having effective internal controls. As a Board member, it is and has been your fiduciary responsibility to have effective internal controls.
Let’s set the record straight: Arthur Andersen was cleared of charges. The government overstepped their authority and destroyed a great company.