Risk & Compliance

Rites of Privacy

With the dust settling on Sarbox compliance in the public sector, eyes turn to private companies.
David KatzNovember 1, 2003

Much has been made in the past year about the potential tab for complying with the Sarbanes-Oxley Act of 2002, as well as the burden in terms of man-hours and liability. So it’s logical to assume that any company that didn’t have to comply wouldn’t comply. Think again.

At Cargill Inc., adhering to Sarbox is not required, because the Minneapolis-based company is private. However, as part of a decision to operate within the spirit of the act, Cargill’s board of directors has made a number of changes, including shaving the maximum amount of time a lead audit partner can serve from seven years to five. And in its May 31 quarterly financial report, the company also started disclosing material details of its off-balance-sheet dealings and explaining them in the Management’s Discussion and Analysis section. Says CFO Robert Lumpkins, “Given all that was going on—the scandals, Sarbanes-Oxley—we thought it was time to reexamine our processes.”

Cargill isn’t the only private-company adapter. Almost 40 percent of nonpublic-company CFOs say their companies would benefit from implementing elements of the year-old law, according to a recent survey of 356 CFOs by Robert Half International. That figure rises to 52 percent of CFOs at private companies of 500 employees or more.

Increasingly, however, compliance is not a matter of choice, even for private companies. Already, many are running into Sarbox simply by raising capital. And if several attorneys general have their way, compliance will be extended to private companies on a state-by-state basis. The year following the law’s July 30, 2002, enactment was “public-company time,” says John Vail, an attorney with Quarles & Brady LLP in Chicago, but now the private company’s time has come.

Bonds in the Stocks

Sarbox, for instance, applies to a company offering public debt as well as to one issuing public equity—a fact Interline Brands, a Jacksonville, Florida-based plumbing and hardware distributor, knows firsthand. Still-private Interline will file a third-quarter 10Q early this month. At that point, it will become subject to Section 302 of Sarbox as a result of the company’s offering of $200 million in senior subordinated notes in May 2003. (As a nonaccelerated filer under the act, the company doesn’t have to fully comply until 2005.)

The transition might not be all that hard for Interline. Some of its executives have experience filing financial reports with the Securities and Exchange Commission, since the stock of Wilmar Industries, Interline’s predecessor, was publicly traded before 2000. In that year, Wilmar exited the public arena because, as a small-cap industrial distributor, says Interline CFO William Sanford, “our sector was out of favor at that time.”

Still, Sanford maintains that Sarbox will serve the company well. While the toughest and most-expensive requirement may be the internal-controls assessment embodied in Section 404, Sanford says the process will help many of Interline’s 2,200 employees grasp where they stand in “the custody chain of information.” Moreover, it could also ready the company for a potential initial public offering. “We’re owned by private-equity firms, and their exit strategy might involve a public offering,” says the finance chief.

The Merge to Comply

Issuing public debt, however, is only one of the circumstances that make private companies subject to Sarbox. Those attempting to merge with public companies, of course, must prepare to comply. And, increasingly, lenders and investment bankers are using the act’s provisions as a due-diligence gold standard.

For example, says Vail, some Chicago banks are requiring CFOs and CEOs to certify financial statements in their loan covenants with private companies. Other bankers are said to be mulling whether to demand internal-controls sign-offs. Says Jack Capers, a partner at King & Spalding in Atlanta: “In the past, investment bankers and lenders were more likely to deal with financial statements on the surface. They’re now asking extra questions about how the financial statements are built.”

Such disclosure may soon be mandated on the state level. In New York, for example, state attorney general Eliot Spitzer has proposed a bill that would require the CFOs and CEOs of nonprofits to verify annual reports. It’s one of several “Little Sarbanes” bills—designed to extend Sarbox beyond the public-company sphere—making their way in and out of state legislatures. In New Jersey, a bill withdrawn earlier this year would have barred auditors from providing nonaudit services to all companies, not just public ones.

What isn’t legislated may end up being court-ordered, says Vail. Inspired by Sarbox, he says, courts are poised to judge the performance of private-company boards much more harshly. They might, for instance, question the number of boards directors sit on and how much they rubber-stamp management decisions, says the attorney.

One federal judge has already suggested that board members and executives of private firms be held to even higher governance standards than their peers at public companies. Earlier this year, five former directors and officers of bankrupt Trace International Holdings, including ex-CFO Robert Nelson, were found liable for failing to keep the company’s CEO, Marshall Cogan, from enriching himself at the company’s expense. “Given the lack of public accountability present in a closely held private corporation, it is arguable that such officers and directors owe a greater duty to the corporation and its shareholders,” wrote Judge Robert Sweet in his decision.

Picking and Choosing

As of now, Sarbox compliance is largely voluntary for private companies. And even those that choose to comply, such as Cargill, can always pick which rules to obey.

For example, Cargill’s governance processes, which were reviewed and updated a year ago, are “a hybrid between public and private,” notes Lumpkins. So unlike public companies, Cargill limits Web access to detailed financial data. And it has decided not to comply with Section 404. “We don’t think it’s a valuable exercise,” says Lumpkins. “We just think it’s a lot of work, it’s costly, and we don’t really see the benefits.”

Nonprofits fall into a similarly gray area. Because of the public-service role many of them play, they bear a responsibility to the public for their governance practices. Some Sarbox provisions, such as those requiring audit-committee members to be independent, “make sense in a not-for-profit world,” says Kim Schwartz, vice president of corporate finance for the American Red Cross. “You have the same inherent conflict of interest you could have in a for-profit world.”

However, there might not be much gain, however, in requiring a not-for-profit to separately disclose that it has a financial expert on its audit committee, she says, since many already disclose that information in their annual report. For its part, although the Red Cross is likely to adopt some provisions of the act—its executives are currently analyzing Sarbox’s long-term effects on its 1,000 operating units and observing how things shake out in the public sector. “Our mantra here is: proceed with caution,” adds Schwartz.

Opting Out

Of course, flexibility in adopting Sarbox’s provisions could be behind the sudden rush to go private. As of July, 95 U.S. public companies had gone private in 2003, according to Thomson Financial—the biggest number in the past five years.

The costs of Sarbox could also be a factor. In fact, private-equity investors “are saying there is a larger pool of small-cap public companies willing to explore the merits of going private” because of compliance expenses, says William Koehler, a managing director of Cleveland-based KeyBanc Capital Markets.

Once there, however, newly private companies quickly realize that when it comes to Sarbox, they can run, but they can’t hide.

David M. Katz is deputy editor of CFO.com.