By its terms, the Sarbanes–Oxley Act of 2002 (SOX) applies only to publicly traded companies. Why, then, would its use be considered in other realms? The largest auditor of universities across the country, PricewaterhouseCoopers, has counseled that “notwithstanding activities at the state and federal level, this is a time when closer scrutiny of internal controls is appropriate for colleges, universities . . . and other not-for-profit educational institutions.”1 They identify the most significant risks for educational institutions as operational, strategic, compliance and reputational and suggest that the Government Accountability Office and Internal Revenue Service might impose higher standards on recipients of federal funds in the foreseeable future.
Few would deny that the goals of SOX—reliability, transparency and accountability—are very important in the non-profit sector, and for that reason SOX has grabbed the attention of non-public corporations, not-for-profit organizations, their professional associations and the government organizations that interact with them. Non-profits have investors, too: They are funders and alumni (who give money), board members and volunteers (who give their time). Taxpayers also invest in non-profits, via these organizations' tax-exempt status as well as the income tax deduction allowed for charitable contributions. Driven by mission more than profit, stakeholders are every bit as insistent as government watchdogs that non-profits use their money efficiently and for the intended purposes.The mere allegation of waste, misuse or even simple inattention can be catastrophic for a non-profit organization.
So it is for good reason that non-profits are paying heed to SOX. Board members, typically volunteers, are also placing pressure on their organizations to adopt “best practices” that will protect them from embarrassment or even personal liability.
Drexel's Approach to Sarbanes–Oxley
Drexel became the first university in the country to adopt the spirit of SOX, beginning in November 2002. Believing that a university should be run as efficiently as for-profit business, President Constantine Papadakis decided that Drexel's board and senior management team should be held to the same high standards.2 But realizing that non-profits are not the same as publicly traded corporations, he was careful to mandate that only those “best practices” that made sense for a University be adopted.
A special Governance, Compliance and Audit Committee of the Drexel University Board of Trustees was appointed to study the University's “responsibility matrix.” The committee commissioned a first-ever University-wide risk assessment by PricewaterhouseCoopers covering all of Drexel's programs and initiatives, which was completed in the summer of 2003.
Drexel's leadership wanted to understand the risks that Drexel might face, and the systems by which those risks were either managed or eliminated. COSO (the Committee of Sponsoring Organizations) provides the recommended and most widely accepted framework used in overall SOX assessment.3 COSO views risks as financial, operational and regulatory and discusses the five interrelated components of internal control: the control environment, risk assessment, control activities, monitoring and information and communication. Internal audit groups in many industries have been utilizing the COSO framework for some time. In COSO terms, Drexel has begun the process of establishing the control environment: making all in the organization aware of the risks, and of their responsibility for controlling them.
The boards of trustees of Drexel and its various subsidiaries studied and amended their by-laws to incorporate best practices suggested by SOX. Among other changes, the audit committee was given direct authority over internal audit, external auditors and whistleblower complaints; its members must all be financially literate; and at least one must possess accounting or financial management expertise.
The University also worked on “tone.” Senator Paul S. Sarbanes, co-sponsor of the Act, came to Drexel's LeBow College of Business in May 2004 to discuss “Sarbanes-Oxley and Ethical Principles of Corporate Behavior.” The Board of Trustees commissioned an advisory committee comprising University officials to write a Code of Conduct that was adopted in December 2003. The University's Conflict of Interest Policy and Conflict of Interest Disclosure Statement were revised in September 2004. The CEO and CFO now sign annual certifications (based on section 302 of the Act, which requires a quarterly certification from the senior finance officer and the CEO) regarding the accurate disclosure in the financial statements and the effectiveness of internal control (risk assessment/control activities). Policy and procedures for reporting improper conduct were developed. Anonymous hotlines were created and a chief compliance officer appointed in February 2003. And the board made sure the rules applied to everyone, from its own chair to the most junior secretary.
Implementation of SOX is neither easy nor inexpensive: Beyond money paid to consultants and auditors, there is the “opportunity cost” of the time spent examining issues instead of getting the work done. It is recommended that non-profits utilize a “continuous improvement” approach to documenting controls surrounding the financial processes. Under this process the organization (1) initiates the project and assesses risk, (2) documents and evaluates control design, (3) remediates risks identified, (4) tests the operating effectiveness, (5) prepares a report on internal control over financial reporting and (6) attests and reports on the processes.4 Drexel engaged Smart and Associates to prepare section 404 documentation, which was completed in September 2005.
To read background documents about Drexel's adoption of Sarbanes-Oxley best practices, visit www.drexel.edu/papadakis/sarbanes.
The Benefits: Beyond Compliance
Drexel's implementation has shown that attention to the spirit of SOX can deliver benefits beyond mere compliance (although that in itself is wise). For example, Drexel's Internal Audit Department was re-organized in 2004, becoming the Internal Audit and Management Consulting Services Department. The department transformed from a function that historically looked for errors to one that identifies opportunities and works with management to develop sound action plans. In addition, the department identifies the value added by the study of critical systems, including those systems that section 404 of the Act requires to be documented.
The documentation process is not performed for compliance's sake alone, but for strategic reasons. Documentation provides managers with visual descriptions of control processes. The information produced is compared with global best practices, and a “best practice gap analysis” is created and provided to the manager. This has allowed Drexel's managers to rethink the way we do business, to re-engineer our processes to better fit our needs and to ensure that our policies, procedures and processes fit Drexel's overall business strategy. In just two years, we have identified millions of dollars in savings available through streamlining business processes and capturing unrecognized financial assets. In our experience, the benefits of adopting the spirit of SOX have exceeded the cost of implementation.
Because we have used SOX to “add value” to the operations and mission of the University, we have achieved significant buy-in from management. Today, the Internal Audit and Management Consulting Services Department is appreciated for its business consultation services, and risks to the University have been reduced. Audits are used to promote communication, create effective documentation practices and educate. The University has established a healthy “control environment.”
For Drexel University , our commitment to accountability is also part of “practicing what we teach.” In 2002, Drexel's LeBow College of Business established the Christopher and Mary Stratakis Endowed Chair in Corporate Governance and Accountability, which is held by Dr. Ralph Walkling, and in 2005 the College created the Center for Corporate Governance. The Center promotes research and awareness, educating and mentoring executives and future business leaders through forums, workshops, panel discussions and invited presentations. Its inaugural event in December 2005 featured keynote speaker Michael G. Capellas, CEO of MCI Inc.
Three years ago, adopting Sarbanes-Oxley was a matter of attitude: Our President wanted to show our stakeholders that we were committed to “best practices.” SOX is still an attitude today, but now it is shared by the entire organization: a common commitment to adopt sound control practices and make the University the best it can be. Who would have thought a draconian law that sought to catch and punish corrupt corporate leaders would have such a salutary impact on academe?
Notes
1. Internal Controls: The Key to Accountability , PricewaterhouseCoopers, 2005.
2. Bernard Wysocki, Jr., “How Dr. Papadakis Runs a University Like a Company,” Wall Street Journal, February 23, 2005.
3. COSO Internal Controls–Integrated Framework is the most widely used risk-assessment model in North America .
4. Health Research Institute, Not-for-Profit Healthcare Update, PricewaterhouseCoopers, 2005.
- top - |
