This morning I attended a workshop on the impact of Sarbanes-Oxley on
nonprofit organizations. The combination of SOX and nonprofits intrigued
me. Since Sarbanes-Oxley is all about public companies, with rules issued
by the SEC, my impression was that the connection between SOX and nonprofits was
zip. It followed that the workshop was likely to be either very
interesting or very short.
It turned out to be very interesting.
Boiled down to essentials, there are at least four ways in which the governance
and internal control concerns intersect with nonprofit organizations:
- The "whistleblower protection" in section 1107 of
Sarbanes-Oxley, which provides substantial penalties for any retaliation
against employees or others who provide law enforcement officers with
information about possible violations of Federal law, applies to nonprofits
as well as to other kinds of entities.
- The penalties for document destruction in section 802 of
Sarbanes-Oxley also apply to nonprofits.
- As SOX applies to more and more for-profit entities, parts of it are
emerging as the expected standard of performance in the eyes of public and
private funding sources. At the very least, nonprofits should expect
that expectations regarding conflicts of interest, audits, and evidence of
internal controls will increase and will follow the general outline of SOX.
- Some states are beginning to consider state regulations that impose parts
of the COSO framework and other aspects of SOX on nonprofits.
California has already passed such legislation. (For a summary of
other state activity, take a look at from the National Council of Nonprofit Associations).
Practically speaking, my sense was that the most immediate impact on
nonprofits from a content management point of view was that, regardless of size,
these organizations need to document policies and procedures and ensure that
they are available and that they are used. The focus of this effort
should, of course, be on staff and on board members, but should also extend to
volunteers who act as agents of the organization. The policies and
procedures should include mechanisms for handling employee complaints and
document retention and destruction, in accord with SOX requirements. They
should also, of course, deal with broader internal control issues such as
handling cash, soliciting and accounting for donations, making bank deposits,
and so on.