Vol. 77, No. 6, June
Sarbanes-Oxley Affects Your Private Company Clients
Although the Sarbanes-Oxley Act does not directly affect financial
reporting and corporate governance practices of private companies in the
same extensive manner that it affects public companies, it could become
the "best practices" standard for private companies. In many situations
a private company could benefit from voluntarily adopting governance
by Larry D. Lieberman
The enactment of the Sarbanes-Oxley Act of 20021 has led to enormous changes in financial reporting
and corporate governance practices of U.S. public companies. In response
to the scandals at Enron, WorldCom, Tyco and other large public
companies, Sarbanes-Oxley and related rulemaking by the Securities and
Exchange Commission (SEC) and stock exchanges sweep broadly in
transforming the public accounting industry and in reforming disclosure
and governance practices of publicly traded companies.
Sarbanes-Oxley applies primarily to companies registered under the
Securities Exchange Act of 1934. Increasingly, however, the
ramifications of Sarbanes-Oxley also are being felt by private
companies. Attorneys should be mindful of the manner in which
Sarbanes-Oxley can affect their private company clients. In addition,
any company can benefit by improving its governance practices, and a
private company may simply want to adopt enhanced governance practices
even though it is not obligated to do so. Counsel for a private company
should understand the potential positive benefits of good corporate
governance and consider whether to recommend that a company voluntarily
adopt at least some governance changes.
The term "corporate governance" has now become commonplace, but it is
used by different people in very different ways. For purposes of this
article, "corporate governance" is used in the manner defined by the
Organization for Economic Co-Operation and Development:
"[T]he system by which business corporations are directed and
controlled. The corporate governance structure specifies the
distribution of rights and responsibilities among different participants
in the corporation, such as the board, managers, shareholders and other
stakeholders, and spells out the rules and procedures for making
decisions on corporate affairs. By doing this, it also provides the
structure through which the company objectives are set, and the means of
attaining those objectives and monitoring performance."2
This definition includes the organizational structure and corporate
procedures and systems designed to improve financial performance and
corporate transparency and accountability. It also includes the
corporation's culture and ethics.
Requirements of Sarbanes-Oxley for Private Companies
Private companies have not entirely escaped the reach of
Sarbanes-Oxley. Sarbanes-Oxley already contains important provisions
that apply directly to them as well as to public companies.
Notice of blackout periods under defined contribution
plans. Plan administrators must notify participants in any
defined contribution plan in writing at least 30 days before any
"black-out period." A black-out period is any period of more than three
consecutive business days during which participants are restricted from
diversifying assets in their account or obtaining plan loans or
Criminal liability for retaliation against
informants. Sarbanes-Oxley criminalizes retaliation against any
person, including interfering with that person's employment, for
providing truthful information to law enforcement officers relating to
the possible commission of any federal offense.4 This provision of Sarbanes-Oxley is not limited to
securities-related offenses or to employees of public companies.
Other criminal provisions. Sarbanes-Oxley adds other
criminal penalties and remedies, including criminal liability for
altering or destroying documents to impede any federal investigation or
bankruptcy case,5 and enhanced liability for
white collar crimes and securities fraud, whether involving public or
Some private companies are amending applicable retirement plan,
employment, and document retention policies and procedures in order to
incorporate these aspects of Sarbanes-Oxley.
Voluntary Adoption of Governance Changes by Private Companies
Beyond the few provisions of Sarbanes-Oxley directly applicable to
them, private companies increasingly also are adopting at least some of
the corporate governance reforms that are required of public companies
under Sarbanes-Oxley. In response to a recent survey of 1,400 chief
financial officers (CFOs) of privately held companies, 58 percent said
they planned to implement new procedures in response to the corporate
governance standards being imposed on their public company
Many companies no doubt will feel increasing pressure from external
forces to adopt changes. For example, important business partners such
as investors, lenders, customers, or vendors may well prefer to do
business with companies that have good corporate governance practices.
An outside director of a private company may insist as a condition to
service that the company have good corporate governance practices,
particularly if the director has public company experience. The
International Organization for Standardization (ISO) is exploring the
desirability and feasibility of proposing ISO corporate responsibility
standards along the lines of the ISO 9000 quality management
standards.8 As a result, private companies
that desire ISO certification may want to change their governance
practices. Regulators of financial institutions increasingly are
imposing enhanced governance requirements on banks and other financial
institutions in light of the perceived benefits to the
institutions.9 In fact, legislation has been
introduced in more than a dozen states, although not in Wisconsin, to
extend certain Sarbanes-Oxley provisions to private companies.10 These or other external factors may push a
company toward implementing corporate governance improvements.
Even in the absence of external forces, private companies would do
well to recognize that many of the concepts underlying Sarbanes-Oxley
promote better management of any company, whether public or
private,11 and that a private company can
benefit in important ways by making at least some changes in governance
practices. The following are some of the more important potential
Better strategic decision-making. Improving
corporate governance practices can result in directors more carefully
exploring and analyzing important strategic decisions. In addition,
improving accounting controls and procedures may allow the provision of
better, more timely information to assist in these decisions. These
changes can add tremendous value to a private company.
More reliable financial information. A company with
strong internal controls is less likely to prepare unreliable financial
statements or make ill-advised business decisions based on unreliable
Reduced litigation exposure. The directors of
private and public companies are legally obligated to satisfy their
fiduciary duties. To the extent that governance practices of public
companies have established higher standards of director conduct, courts
are likely to look to those standards to determine whether directors
have exercised the requisite degree of care and loyalty. A private
company's implementation of improved corporate governance practices can
reduce the directors' exposure to litigation from disaffected
shareholders or other constituencies who claim that the directors failed
to fulfill their fiduciary obligations.
Preparedness for going public. Private companies
that eventually want to go public will become subject to Sarbanes-Oxley
at the time of the transaction. Complying with Sarbanes-Oxley will
require substantial planning and resources, and a company contemplating
an initial public offering (IPO) should prepare to comply with
Sarbanes-Oxley well in advance.
Improved desirability as an acquisition candidate.
As part of its due diligence, a public company typically will assess the
corporate governance practices, particularly the accounting controls, of
any private company acquisition candidate. This assessment is most
important if the acquisition would be material to the public company
because the public company will be responsible for the adequacy of the
accounting controls after the acquisition date. Good corporate
governance and accounting controls could make a private company more
attractive as an acquisition candidate.
Fraud deterrence. Better corporate governance
practices, particularly accounting controls, will not eliminate the
possibility of fraud or embezzlement but could reduce the likelihood or
severity of such acts.
Improving Governance Practices
In deciding how to improve governance practices, a private company
should consider what steps are reasonable and practical for it. The
extent of the recommended changes will very much depend on the
particular company's situation. Nevertheless, a number of measures to
upgrade governance standards are applicable to a wide range of private
Larry D. Lieberman,
Stanford 1984, practices with Godfrey & Kahn S.C., Milwaukee. He is
a shareholder member of the firm's securities and financial institutions
Add independent directors. Under new NYSE and Nasdaq
requirements, the majority of the directors of a listed company must be
independent. This may be impractical for most private companies, but
neither is it advisable to have no independent directors, which
currently is the practice of many private companies. Independent board
members can provide objective oversight and advice to complement
management's vision and activities. In addition, independent directors
are best equipped to serve as a check on audit, internal control, and
related-party activities of a private company.
As an alternative to adding independent directors to the board of
directors, a private company might consider establishing an advisory
board. Advisory board members also can provide independent advice, but
they would not have the full range of legal responsibilities incumbent
Establish an independent audit committee. Many
private companies do not have an independent audit committee. An audit
committee can help a company improve the integrity, reliability, and
readability of its financial statements. The audit committee should have
a formal written charter that outlines its role and responsibilities,
including meeting with management and the independent auditors regarding
the financial statements, selecting or recommending the auditor,
approving the nonaudit services provided by the auditor, and reviewing
and approving related-party transactions. To the extent practicable,
consideration should be given to including an audit committee financial
expert on the committee, as many public companies do.
Establish corporate governance guidelines.
NYSE-listed companies are required to establish corporate governance
guidelines.12 No single set of guidelines
would be appropriate for every company, but certain key areas of
importance for private companies may include the matters listed
- Director qualification standards.
- Director responsibilities. These responsibilities should clearly
articulate what is expected from a director, including, for example, a
policy concerning a director's expected time commitment and basic duties
and responsibilities with respect to attendance at board meetings and
advance review of reading materials.
- Director access to management and, as necessary and appropriate, to
independent advisers, such as legal counsel.
- Director orientation and continuing education.
- Management succession. Succession planning should include policies
and principles for chief executive officer (CEO) selection and
performance review, as well as policies regarding succession in the
event of an emergency or the CEO's retirement.
- Meeting frequency and preparation. The board should meet at least
four times a year for a half-day at a time. For some companies, it may
be necessary to meet more often, perhaps for shorter periods. Before the
meeting, preferably a week before, a package of materials including an
agenda, supporting materials, and an executive summary should be sent to
- Director compensation.
- Evaluation of the board and board committees. The board should
conduct a periodic self-evaluation to determine whether the board and
its committees are functioning properly.
For many private companies, particularly companies with a CEO who is
the controlling shareholder, issues such as director selection,
management succession, and CEO review and compensation cannot be
addressed adequately without the CEO's full support and involvement.
Improve internal control environment. A private
company should consider periodically reviewing the adequacy, scope,
implementation, and operation of the company's internal accounting
controls and practices. It may be prudent, for example, for the company
to establish a separate internal audit function, which is now required
of NYSE-listed companies. In addition, a private company may want to
consider obtaining a certification from its auditors as to the
effectiveness of the company's internal controls. Starting in 2004, such
a certification will be required for public companies. In order for the
auditor to provide this certification, a company's internal controls and
procedures need to be documented.
Review related-party transactions. Policies should
be implemented that require all transactions with directors, officers,
and other affiliates to be on an arm's-length basis and approved in
advance by the audit committee or other independent directors.
Consideration should be given to prohibiting loans to directors and
officers, as is required for public companies. Related-party
transactions are subject to heightened risks of abuse, and it is
therefore prudent for the independent directors to take reasonable
precautions to prevent over-reaching.
Adopt a code of ethics. Public companies are now
required to disclose whether or not they have adopted a code of ethics
applicable to the company's principal executive, financial, and
accounting officers. The NYSE and Nasdaq now require listed companies to
adopt a code of conduct and ethics for directors, officers, and
employees. The NYSE notes that such a code can focus the board and
management on areas of ethical risk, provide guidance to personnel to
help them recognize and deal with ethical issues, provide mechanisms to
report unethical conduct, and help foster a culture of honesty and
accountability. These codes typically cover conflicts of interest,
confidentiality, fair dealing, protection of company assets, compliance
with laws, and encouraging the reporting of illegal or unethical
behavior. A code of ethics can enhance a company's stature with third
parties, and it may provide some legal protection if a company is sued
for misconduct and the company can demonstrate that it has a code of
ethics and diligently attempted to follow it.
Review relationship with auditor. Sarbanes-Oxley
requires accounting firms that audit public companies to register with
the newly created Public Company Accounting Oversight Board (PCAOB). If
it hasn't already done so, a private company that is contemplating an
IPO should consider changing to a registered accounting firm prior to
the IPO. Sarbanes-Oxley also prohibits the independent accountants from
performing specified nonaudit services for a public company audit
client, and the nonaudit services that are not prohibited must be
pre-approved by the audit committee. Many private companies rely on
their auditors to provide them with a wide range of important services.
Particularly in smaller cities, where there may be fewer qualified
accounting firms, restricting the range of services that the auditor
provides may not necessarily be in a private company's best interest. In
many cases, however, a private company may be better served by engaging
another firm to provide nonaudit services.
Sarbanes-Oxley does not directly affect private companies in the same
extensive manner that it affects public companies. Nevertheless, because
Sarbanes-Oxley is the standard for public companies, even if it is not a
legal mandate, it could become the "best practices" standard for private
companies. In any event, in many situations a private company may
benefit from voluntarily adopting governance improvements. As a result,
attorneys should stay informed regarding Sarbanes-Oxley and related
rulemaking and make appropriate recommendations for their private
1Pub. L. No. 107-204 [H.R. 3763]
2See Encycogov, AcadPublishing.
3Sarbanes-Oxley Act § 306(b)
(amending 29 U.S.C. § 1021).
4Sarbanes-Oxley Act § 1107
(amending 18 U.S.C. § 1513).
5Sarbanes-Oxley Act §§
802, 1102 (amending 18 U.S.C. §§ 1519, 1512,
6Titles IX, XI of Sarbanes-Oxley
Act of 2002, also referred to as "White-Collar Crime Penalty Enhancement
Act of 2002" and "Corporate Fraud Accountability Act of 2002,"
7The Impact of Sarbanes-Oxley
on Private Business, Robert Half International Inc. (July 2003), at
8"The Desirability and Feasibility
of ISO Corporate Social Responsibility Standards," Final Report, May
2002, prepared by the Consumer Protection in the Global Market Working
Group of the ISO Consumer Policy Committee.
Financial Institutions Letter 17-2003, "Effects of the Sarbanes-Oxley
Act of 2002 on Insured Depository Institutions" (FDIC March 5, 2003);
"Interagency Policy Statement on the Internal Audit Function and Its
Outsourcing" (Federal Reserve System Board of Governors, FDIC, OCC, OTS
March 17, 2003).
10See "2003 Overview of
Accounting Reform State Legislation Activity"; "Additional Business
Related Legislative Proposals" (Am. Inst. of Certified Public
11The Impact of
Sarbanes-Oxley on Private Business, supra n.7.
12New York Stock Exchange Listed
Company Manual § 303A ¶ 9.