Compliance Sarbanes Oxley

Compliance With Sarbanes-Oxley Can Impact Family Businesses - Not Just Public Companies

Sarbanes-Oxley compliance all started because Enron, WorldCom and other financial and accounting scandals shook investor trust and confidence in the integrity of US capital markets and revealed deficiencies in the standards of corporate governance.

Public companies facing compliance with Sarbanes Oxley find increased paperwork and compliance costs - particularly for smaller public companies where some of the processes have not yet been adapted to their smaller size and lower risk.

But no one seems to really say its principles aren't good. And some of them are actually good and are being adopted by private companies that don't have to comply under threat of penalty.

First, we look at what is required for compliance with Sarbanes Oxley and suggest how business is approaching compliance.

Later, we'll provide 4 suggestions for private companies who need or want to benefit [yes, they might need to - they might be going public soon, or expect to be acquired by a public company, or have a significant business relationship with a public company and thus have to conform to that customer's compliance with Sarbanes Oxley.]

Executive Summary

The Sarbanes-Oxley Act of 2002 [officially - The US Public Company Accounting Reform and Investor Protection Act of 2002] is one effort to curtail corporate fraud and mismanagement by setting higher standards of corporate governance. The International Accounting Standards (IAS) board is working on a number of new and revised standards to ensure better financial reporting in an international context; and the Basel II initiative [target implementation is 2006] aims for a new operational risk management framework for G10 nation banks and financial services companies.

Sarbanes-Oxley's three key sections are sections 302, 404 and 409.

  • Section 302 - officers must certify annual or quarterly reports submitted to the SEC (penalties are defined in section 906)
  • Section 404 - requires report validating the internal controls over the financial reporting process
  • Section 409 - requires prompt notification in plain English of material changes in the financial condition or operations

Complying with 302 will depend on steps taken to meet 404 and 409. Compliance will involve both process and technology.

Executives are also challenged to maintain focus on core organizational missions and plan for short- and long-term compliance.

Sarbanes-Oxley Act: Scope and Stakeholders

The primary focus of the Sarbanes-Oxley Act is US public companies - corporate issuers of securities registered under the Securities Exchange Act and their company officers. But the scope of the Act and the range of stakeholders is much wider.

Public Companies – US and Non-US

  • US public companies registered with the Securities and Exchange Commission (SEC)
  • non-US companies operating in the United States, including those listed on the NYSE and the NASDAQ
  • the subsidiaries of these US and non-US public companies

Private Companies – US and Non-US

  • US and non-US private companies that may go public in the future by listing on a US stock exchange
  • any private company, anywhere, that has a significant business partner relationship with US-listed public companies
  • these will have to comply in the future when they list; and they have to consider now how their business relationships might be affected by partners who already have to comply

US State Legislation

  • There will be a trickle-down effect on more businesses as states begin to legislate their own variations of Sarbanes-Oxley.


  • sub-certification makes middle managers responsible for the material that the CEOs and CFOs rely on in doing their certification to meet Section 302
  • finance departments / managers will obviously bear part of the burden, since CFOs have to certify
  • IT departments / managers will also be impacted, since IT co-owns the systems that produce the information and support the systems that are relied upon

What You Need to Do Now

  1. Determine whether your business is likely to be impacted.
  2. SEC recommends task force or disclosure committee
    • communications program to educate about Sarbanes-Oxley and what a control environment really means
    • determine readiness to comply; readiness to introduce sub-certification
  3. SEC expects these typical activities
    • existing controls - identify; document and test for design effectiveness and operating effectiveness
    • identify areas of risk
    • evaluate if any risk areas not subject to controls or have inadequate controls
    • new controls - design, document and test for identified risk areas [areas with inadequate or no controls]
    • document results of all testing
    • discuss procedures and results with audit committee
  4. SEC recommends evaluating certain specific types of controls relating to
    • Financial statements - initiating, recording, processing and reconciling... account balances, classes of transactions and disclosure and related assertions
    • Non-routine and non-systematic transactions - initiating and processing
    • Accounting policies - selecting and applying as appropriate
    • Fraud - preventing, identifying and detecting

The control deficiencies will help build a Gap Analysis Report for review by process owners and managers, executives, Board and Audit Committee and Sarbanes-Oxley task force or disclosure committee.

Family business owners and executives can lose track of what is happening on a day-to-day basis, and don't necessarily find out about problems. Employees are reluctant to identify problems for fear of reprisals. ODS-OL (Organizational Diagnostic Survey OnLine) is a management tool used to streamline board member communication while improving interaction between directors and management executives.

Going Dark Is an Alternative

Finally, we don't suggest this as a "need to do now", but we note that many small public companies are "going dark" in response to Sarbanes-Oxley. Going private would be an alternative, but that is quite cumbersome - you have to buy back shares. Going dark is much simpler - the company does not even need shareholder approval to deregister from the exchange or market on which it was listed. Once delisted, quarterly and annual reports under Section 302 don't need to be filed and certified. The downside? Now that there isn't much or any market for the shares, prices tend to drop, even with infrequent trades on a "pink sheet" basis.

4 Suggestions for Private Companies from Compliance with Sarbanes-Oxley

(A "sidebar conversation" between Family Business Audit Expert David Jones and Don Schwerzler, founder, Family Business Institute.)

While David Jones was doing this corporate governance section, I made a chance remark, "So, this new section will be of interest to our publicly traded readers...". David replied, "Well, that's true enough, Don - but that's not the half of it!"

Here's what David had to say about corporate governance, and his four suggestions for private companies (plus a darn good idea that is also related to corporate governance.)

But first, I should mention that David's reading on corporate governance is so fascinating because he's spent his whole career right in the thick of it... as an auditor, with small firms and the Big 4, here and in Canada; as a CFO of family businesses here and in Canada; as a Director of family businesses and two of Canada's largest credit unions. He's been on the compliance side and the monitoring side.

David observed that "The Sarbanes Oxley Act in 2002 does increase the paperwork and compliance costs for publicly traded companies. They don't like it - not so much because they have to do unreasonable things but because for the smaller companies it is overkill. I suspect that over time, as companies, their auditors and the regulators gain more experience, some of the initial requirements will be modified to be less onerous. That typically happens after a major shift in compliance or regulation."

He went on, "An interesting side-effect is that Sarbanes Oxley has a wider impact than many thought it would... it affects private - that is, not publicly traded - companies in a number of indirect ways."

  • US and non-US private companies that may go public in the future by listing on a US stock exchange
  • any private company, anywhere, that has a significant business partner relationship with US-listed public companies
  • these will have to comply in the future when they list; and they have to consider now how their business relationships might be affected by partners who already have to comply

"And its sub-certification process is drawing midlevel corporate managers into the compliance net as well as the CEO and CFO."

David makes a very strong point, "Private companies that might fall under Sarbanes Oxley in the future, or that just want to use the guidance of Sarbanes Oxley to ensure they operate with better corporate governance can do a number of things right now to be better prepared. And, the beautiful thing for them is that they can pick and choose what to apply without the threat of penalty and legal action that faces the companies that must comply."

So, I asked him to outline his suggestions for private companies that might need, or just want, to follow the spirit and guidelines of Sarbanes Oxley. Here they are.

4 suggestions for private companies

  1. Make your independent board - Directors or Advisors - truly independent

    "Having a Board that works for the CEO or are his cronies is a waste of time and bad for the company. No one can know everything and carry a company on their own, so a truly independent Board is an effective means to assist the CEO and benefit the business."

    "Sarbanes Oxley puts more onus on Board members to act independently and question matters that arise."

  2. Have an audit committee of your Board

    "This committee is appropriate where there is a larger Board. In the case of smaller Boards, or even with an Advisory Board of one or two outsiders, the concept can still apply - simply have the whole group act like an audit committee when needed."

    "An audit committee mainly engages an audit firm, then is available to receive and discuss the auditor's report and findings. This is a vital task and critically important in corporate governance and responsibility. The CEO is responsible for the systems and procedures - despite the defenses that Enron's Lay and WorldCom's Ebbers and others use to try to duck responsibility. The auditor must be independent and objective - Arthur Andersen died a quick and spectacular death because it forgot this basic point. Similarly, the Board / committee must be independent and able to receive and act on an independent auditor's report. Weaken any link in this chain and the whole chain fails."

  3. Enable whistle blower protections

    "This concept is odious to some. Some executives justify limiting or thwarting the concept and use the excuse that it increases risk by making it more likely to invite regulatory or legal interference."

    "It must be possible for employees to identify internal problems without fear of reprisal or losing their job. On balance, it is better for the company to become aware of problems and take proactive measures than to systematically ignore them. It seems to me that when problems are serious enough, they are going to come to light sooner rather than later - whether it is through whistle blowing or that the problem is just too big to cover up."

    "The legal and regulatory actions taken against the company are always bigger, heavier and more costly - especially when the company is found to have deliberately covered up or prevented knowledge from being used."

  4. Work with two audit / accounting firms instead of one

    "Don, my accounting friends won't like this suggestion very much. Business development wisdom within the profession was quite correctly based on the philosophy that it was easier to develop new business from a client you already knew and who trusted you than it was to seek and develop new clients. And our client businesses knew and operated the same way."

    "But, this gets a little murky for an audit engagement because the auditor is supposed to be truly independent. There have always been some within and outside the audit profession who believe that the auditor is not truly independent on the audit if he is also advising on other financial matters like estate planning, tax planning, systems and procedures, etc. And they call on the famous saying, I think attributed to Justice Holmes, that 'Justice must not only be done, but it must also appear to have been done.' "

    "Anyway, especially since Enron, it is becoming more normal to divide up the work amongst two or more firms - obviously depending on the company's size. And you don't have to hire just big firms to do your audit - there are many regional and even locals that can do a perfectly effective job."

David went on to offer this observation, "You know, Don, these suggestions I have all have a common thread - independence and responsibility. Although there have been some spectacular examples where I personally think responsibility was sacrificed - like Enron and WorldCom - and Sarbanes Oxley was a predictable reaction - I really don't think our corporate world is riddled with irresponsible executives and Directors. I think that most are honest and straightforward - they realize they can't carry the whole load themselves, they want the benefit of independent advice and outlook, and they want to know what is going on in their companies so they can identify and solve problems and be more effective."

"Ironically, there is a tool available for them that is also helping Boards and management cope under Sarbanes Oxley. Dr. Mackenzie's Organizational Diagnostic Survey On-Line ODS-OL (Organizational Diagnosis Survey OnLine) is an extremely effective tool to help them look into their organization and find out what is really going on. It is like an independent viewpoint and provides effective feedback to management and to the Board of Directors or Advisors. It even provides something of a substitute for whistle blowing in that it provides a secure and non-threatening way for problems to be identified. All this in addition to the obvious fact that it is a proactive tool by which Boards under Sarbanes Oxley can show they are looking for and responding to problems."

And a darn good idea!

And he concluded our conversation with this: "Don, there's one last thing I would like to mention. I'm not aware that it's dealt with directly under Sarbanes Oxley or corporate governance, but it sure gets to the heart of independence and responsibility!"

"CEOs and Boards should stop making variable compensation [bonuses] based on profits such a large component of CFO pay."

"I can't think of a more obvious conflict of interest."

"Shareholders, analysts, Boards and CEOs already put on enough pressure to report and increase profits. CFOs and auditors used to be the bastion of accountability, even though they were always hired and influenced by CEOs and Boards. But human nature will ensure that the more they stand to gain from the company's profits that they are supposed to help determine, the harder it will be for them to apply accounting rules objectively."

"And this is just as true in private companies - profits drive value, they help obtain financing and favorable bonding..."

