Does SOX Apply to Private Companies?
The Sarbanes-Oxley Act of 2002 (SOX) was established in the United States in response to high-profile financial reporting scandals that negatively impacted the public’s faith in American financial markets. Its most important compliance focuses are requirements surrounding financial disclosures, internal control, and a greater emphasis on auditor independence. For public companies in the U.S., Sarbanes-Oxley requires very stringent compliance with each of these points to protect financial integrity and transparency.
SOX for Public vs. Private Companies
The Sarbanes-Oxley Act of 2002 was designed to increase the reliability and transparency of public companies’ financial reporting. Public companies have shares of stock that are traded on public stock exchanges in the U.S. Private companies also become subject to SOX compliance when they register debt securities with the Securities and Exchange Commission (SEC), thus effectively becoming public entities for the purposes of their debt issuance. With SOX compliance comes greater transparency, reducing the risk of misconduct and misstatement in financial reporting. This results in increased investor and overall public confidence in public companies.
Private companies are those companies that do not have shares of stock that are traded on public stock exchanges or registered debt securities with the SEC. Though private companies are not required to comply with the Sarbanes-Oxley Act of 2002, they may be subject to the penalties, fines, and imprisonment imposed by SOX.
Impacts of Sarbanes-Oxley on Private Companies
Sarbanes-Oxley has broadened the scope of liability and/or increased penalties for fraud-related activities or any activity that may impact the enforcement of federal laws or regulations. These changes impact all companies. For this reason, voluntary adoptions of SOX provisions are looked on favorably by law enforcement when these types of infractions occur. Examples include:
- Document Destruction: If anyone intentionally destroys, alters, or falsifies records or documents with the intent to impede or otherwise influence a federal agency investigation (e.g., EEOC, IRS or bankruptcy), SOX penalties may apply. Penalties include up to 20 years’ imprisonment, fines, or both.
- Whistleblower Retaliation: Sarbanes-Oxley protects whistleblowers. SOX makes it a crime punishable by a fine and up to 10 years in prison to knowingly retaliate against any person who provides a law enforcement officer truthful information relating to the commission or possible commission of any federal offense.
- White Collar Crime: Sarbanes-Oxley increases the monetary penalties and prison sentence for fraudulent violations of ERISA reporting and disclosure requirements and increases the maximum prison sentence for mail and wire fraud from five to 20 years.
- Blackout Notice Requirements: Department of Labor rules issued under Sarbanes-Oxley require administrators of 401(k) plans to give employees 30 days’ advance written or electronic notice of any suspension of trading in an account or access to funds in the account for more than three business days, and authorize civil penalties for failure to provide timely notice of such periods.
Voluntary Adoption of SOX
Although private companies are not legally required to comply with SOX, some choose voluntary adoption. In addition to the increased penalties identified above, there are reasons why private companies might decide to take on these practices. Some examples include the following:
- Investor Relations: Private companies that are aiming to get investments or are preparing to launch an initial public offering (IPO) in the future might adopt SOX-like policies and procedures so they can tangibly display their strong commitment to internal controls and transparency.
- Corporate Governance: Private companies that adopt SOX-like controls can increase their overarching corporate governance and risk management capabilities. This can create a framework for increased accountability and stronger decision-making.
- Industry Standards: For private companies in some industries, complying with stringent financial controls can create a competitive advantage. Compliance with SOX-like standards might also be a requirement for conducting business with public companies or larger partners.
- State Regulations: While SOX is not necessarily a requirement for private companies, some states might have laws and regulations that are similar to SOX or that encourage best business practices. The constant evolution of these laws and regulations can impact the financial reporting standards and governance practices of private companies.
Summary
Although the Sarbanes-Oxley Act does not directly impact private companies, the compliance standards and principles that are outlined in SOX can provide beneficial guidelines. Private companies may implement SOX 404-like practices for a variety of reasons. Having a strong understanding of SOX and how it can affect organizations allows private companies to make informed choices about adopting practices that improve the system of internal controls and increase financial transparency. An independent risk assessment provides benefits by identifying high-risk areas where increased control could mitigate the risk.
Please contact Elaine Nissley or Victor Kong for more information about McKonly & Asbury’s Internal Audit and consulting services.
About the Authors
Victor joined McKonly & Asbury in 2023 and is currently a Senior Manager with the firm. He is a member of the firm’s Audit & Assurance Segment. Victor is a Certified Internal Auditor (CIA) and Certified Fraud Examiner (CFE), and hol…
Elaine is a Director with McKonly & Asbury. Her primary responsibilities include management of the Internal Audit Services group. Elaine handles client relationships and is accountable for the delivery of high quality and timely d…