Principles of Sarbanes-Oxley Impacts Directors of All Organizations
Only three provisions of the Sarbanes-Oxley Act of 2002 (SOX) apply to persons other than public reporting companies.1 These three provisions, generally known as the Arthur Andersen provisions, make it illegal to:
- Destroy or falsify any record with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any bankruptcy case;2
- Knowingly, with the intent to retaliate, interfere with the lawful employment or livelihood of any person providing to a law enforcement officer any truthful information relating to the commission or possible commission of any Federal offense;3 or
- Obstruct, influence, or impede any official proceeding.4
The remainder of SOX, including its basic principles, literally applies only to public reporting companies. The basic principle of SOX is that the first and best line of defense against corporate mismanagement and fraud is independent oversight of management by independent directors with the assistance of independent advisers, including independent audits of financial statements by independent auditors, and with accountability of executives for the information provided.
However, SOX is only one of a complex maze of federal and state laws dealing with corporate governance and responsibility. Although this maze of laws ranges from state statutory and common laws to federal tax and securities laws to laws governing the conduct of lawyers and accountants, the touchstone of this complex maze is and will remain state laws governing corporations and other organizations. The basic and other principles of SOX can be achieved under these state laws by stakeholders of any organization, including shareholders of closely held organizations, regulators of companies in regulated industries, the Internal Revenue Service with respect to tax-exempt entities, state attorneys general with respect to non-profit corporations, and creditors of any organization. Accordingly, the impact of SOX is much greater than just public reporting companies.
Oversight by Independent Directors Is the Basic Principle of SOX
The basic principle underlying all of SOX is that the first and best line of defense against corporate mismanagement and fraud is independent oversight of management by independent directors with the assistance of independent advisers, including independent audits of financial statements by independent auditors, and with accountability of executives for the information provided.5
The reasons that independent directors are the first and best line of defense include:
- Directors are closer to the business and operations than any regulator or other stakeholder. At best, regulators may visit an organization every three years while directors are generally present quarterly if not bimonthly or monthly;
- Directors are more familiar with the business and operations, as well as with management, and can make better decisions of what is material; and
- Management is likely to provide fuller disclosure to directors than to regulators or other stakeholders who, because they are more adversarial, present a greater risk of liability to management.
Three Key Areas for Oversight
As a result of SEC rules under SOX and NYSE and NASDAQ rules after SOX, the three key areas for oversight are:
- Financial statement preparation and auditing (or review) processes;
- CEO compensation (which must exclude the CEO's participation) and other executives' compensation (which may include the CEO's participation); and
- Nominations for succession of directors and planning for succession of management.
The same areas are key for oversight under state law. The life of any organization is dependent upon the:
- Accuracy of its financial statement;
- Reasonableness of its compensation; and
- Appropriateness of its actions taken for succession.
Right of Boards and Committees to Independent Counsel and Advisers
Another principle of SOX is that an audit committee is to have authority to engage independent counsel and other advisers, as it determines necessary to carry out its duties, the fees and expenses of which are to be funded by the organization. The NYSE and NASDAQ are expanding these rules to authorize compensation and nominating/governance committees to engage their own independent counsel and other advisers to be funded by their organizations.
Most states' for-profit and non-profit corporation laws are consistent with this SOX principle. Those laws entitle:
- A committee of an organization's board to rely upon information, opinions, reports, or statements provided by legal counsel, public accountants, or other persons as to matters that the committee reasonably believes are within the person's professional or expert competence; and
- A director who is not on a committee to rely upon that committee as to matters within its designated authority as long as the director reasonably believes the committee merits confidence.
Again, because the same result can be achieved under most states' laws, a likely impact of SOX is that stakeholders in any organization will require:
- Audit committees to have authority for hiring, firing, and determining the scope of work and compensation of their organizations' external auditor;
- Compensation committees to have authority for hiring, firing, and determining the scope of work and compensation of their organizations' compensation consultants; and
- Nominating/governance committees to assume similar authority for their organizations' executive and director search and recruiting consultants.
These stakeholders will likely include shareholders of closely held organizations, regulators of companies in regulated industries, the Internal Revenue Service with respect to tax-exempt entities, state attorneys general with respect to non-profit corporations, and creditors of any organization.
Caution to Directors
Although all authority of an organization is vested in the organization's board, a board does not directly exercise all of that authority. Instead, such authority is exercised under the direction of the board. Day-to-day management of the organization and its business is left to management. A board cannot run day-to-day operations of an organization.
Executive Accountability
The most publicized principle of SOX is that executives are to be accountable for the financial records and reporting processes of their organizations. Furious with the "I didn't know" defense of Enron's Kenneth Lay, Congress now requires through SOX that a public reporting company's CEO and CFO assume accountability for their organization's:
- Financial reports filed with the Securities and Exchange Commission (SEC), and the disclosure controls and procedures regarding the information to be so reported; and
- Financial statements filed with such reports, and the internal controls regarding the financial information contained in, substantiating, or underlying those financial statements.
However, most states' for-profit and non-profit corporation laws or judicial decisions under such laws require that all officers, including the CEO and CFO, must act with the care that an ordinarily prudent person in a like position would use under similar circumstances. Further, most states' statutory laws do not afford officers protection similar to the business judgment rule protecting directors. Accordingly, a likely impact of SOX is that executive officers will be held accountable for their organizations' financial disclosures, disclosure controls, financial statements, and internal controls by stakeholders of that organization, including shareholders, regulators, the Internal Revenue Service, state attorneys general and creditors.
This is another caution to directors not to try managing the day-to-day operations of their organizations. Doing so is functioning as management. The result will be the loss of the business judgment rule because the business judgment rule typically does not apply to officers or those functioning as officers.
Functions and Duties of Directors
The three clearly accepted functions of directors are:
- Decision making as to matters of policy, direction, strategy, and governance;
- Oversight as to matters critical to the health of the organization for its various stakeholders; and
- Mentorship of the CEO and senior management.
The two clearly accepted duties of directors are:
- Duty of care to exercise the care that an ordinarily prudent person in a like position would use under similar circumstances; and
- Duty of loyalty to act in good faith, in a manner he or she reasonably believes to be in or not opposed to the best interests of the corporation.
Protection of Directors
A final, albeit unstated, principle of SOX is that nothing in SOX is to preempt or override the protections afforded directors by state law. In order to encourage independent persons to serve as directors, state law offers a number of legal protections to persons serving as directors. These protections are not preempted or overruled by SOX and include:
- Business Judgment Rule. Under the business judgment rule, courts do not inquire into the wisdom of actions taken by directors in the absence of self interest, fraud, bad faith, or abuse of discretion. A court applying the business judgment rule will not second guess the merits of the decision as long as the court finds all of the following to be true:
  - The directors made a business decision (the rule does not apply to acts of directors which do not constitute business decisions);
  - The directors were disinterested (that is, they are not on both sides of the transaction and will not derive any personal benefit from their decision);
  - The directors exercised due care (as noted above, this means acting like an ordinarily prudent person would act);
  - The directors acted in good faith; and
  - The directors did not abuse their discretion.
- Right of Reliance on Others. Directors are permitted to rely reasonably upon information presented by officers or employees, board committees, and independent professional advisors in making their decisions. They may rely upon:
  - Officers or employees of the organization as to matters for which they are reasonably believed to be reliable and competent;
  - Legal counsel, public accountants, or other experts as to matters reasonably believed to be within their professional competence; and
  - Committees as to matters within their designated authority, and that the director reasonably believes to merit confidence.
  The right of reliance is perhaps the most important of directors' protections because it is based upon one of the basic tenets of corporation law: A board directs rather than manages, and management manages under that direction.
- Statutory Indemnification. Most states' for-profit and non-profit corporation laws mandate indemnification of directors, officers, and other employees if they are successful on the merits or otherwise in defense of any claim, action, suit, or proceeding brought against them as directors, officers, or employees.
- Contractual Indemnification. Most states' for-profit and non-profit corporation laws permit contractual indemnification of directors, officers, and other employees for any claim, action, suit, or proceeding brought against them as directors, officers, or employees. However, many state courts have held that indemnification is not available for intentional misconduct and federal courts have held that indemnification is not available for securities law violations for reasons of public policy.
- D&O Insurance. Most states' for-profit and non-profit corporation laws permit broader coverage under D&O insurance than under statutory indemnification. If provided by the policy of insurance, courts typically will enforce D&O insurance protecting against intentional misconduct and securities law violations. Another value of D&O insurance is that it is available even if the corporation is insolvent and even after a change in control.
Accordingly, although SOX does not preempt or override the protections afforded to directors by state law, one of the impacts of SOX should be a review under the direction of boards of all organizations of the protections provided by their organizations to directors and officers and the extent that such protections are adequate in light of new principles of governance resulting from SOX.
How Should Directors Satisfy Their Duties
Because a board directs rather than manages and because management manages under that direction, a board must determine reliability and competence of management for each matter that the board delegates to them. The best way to determine reliability and competence is to ask questions. Accordingly, the purpose of the questions must be to test management's reliability and competence.
The same questions should be asked separately of different persons, trying to include where appropriate someone independent of management. Possible persons independent of management include the person serving the internal auditor function, representatives of the external auditor, outside legal counsel, and outside experts with experience in the matters under consideration.
The consistency of the different answers should be compared. The answers among different constituencies are unlikely to be the same. For example, management is more likely to view certain business issues more positively than the external auditor or chief legal officer. On the other hand, the external auditor and chief legal officer are more likely to view risks of liability as material than management.
The skill is to learn when to stop asking questions. Nothing is more bothersome to management than irrelevant, unnecessary questions.
As a general rule, directors should stop asking questions and accept the answers when the answers to questions about a matter are consistent. On the other hand, directors should delve deeper when the answers to the questions are inconsistent.
Directors and management should expect that there will be some tension between them during this process. Management needs to understand that directors must ask questions to determine whether management is reliable and competent for the matters delegated to them. The board should understand that management will fear being micro-managed or not being trusted.
A way to relieve this tension is for the board to have regular executive sessions separately with different members of management so that it becomes part of the routine operation of the board. A board should consider meeting regularly with the CEO, CFO, chief legal officer, internal auditor, and representatives of the external auditor.
Conclusion
This is a great time to be a member of the board of any organization because governance is being re-thought and fine-tuned. Non-profit and tax-exempt organizations can be models for the rest of Corporate America because many non-profit and tax-exempt entities have learned to operate with independent boards.
For-profit boards can learn from non-profit boards how to provide direction without micromanaging. For-profit CEOs can learn from non-profit CEOs how to communicate with independent board members to get and keep them engaged.
And if lucky, we can restore investor confidence so that the stock market can recover in time for us to retire.
Footnotes
1. Public reporting companies are those companies required to file annual reports on Form 10-K or 10-KSB with the Securities and Exchange Commission.
2. 18 USC §1519.
3. 18 USC §1513.
4. 18 USC §1512.
5. SOX delegates to independent directors the sole authority for hiring, firing, and determining the scope of work and compensation of the organization's external auditors. The NYSE and NASDAQ have expanded the authority of independent directors to include:
- Determining the compensation of the organization's CEO and four other highest-paid executives, and
- Nominating candidates to become directors and planning for management succession.