IMA - Institute of Management Accountants
Why SOX Matters to Small Private Companies
July 2006

Recent buzz says small, private companies are implementing certain Sarbanes-Oxley-like best practices, even though there is no requirement for them to do so.

Despite what can be an expensive venture, implementing two provisions of this law -- whistleblower protection and document preservation -- is an excellent habit for a small business to form, says Peggy Jackson, a risk-management consultant and author of the forthcoming book Sarbanes-Oxley for Small Businesses: Leveraging Compliance for Maximum Advantage (Wiley, Sept. 2006).

"SOX has become the platinum standard for management," Jackson explained in a recent interview with SmartPros. She said compliance with the whistleblower and document provisions, combined with other best practices from the law, "can establish efficiency and position the business to increase sales and to improve general operations."

In today's environment, she added, a bank or venture capitalist is impressed by the small, private firm that has made the extra effort to meet the "platinum standard."

The Sarbanes-Oxley Act, signed into law in 2002, is widely considered a knee-jerk reaction to high-profile scandals like Enron and WorldCom. The law applies only to publicly traded companies, and within this small portion of U.S. companies, the smaller public companies continue to complain that the law is too expensive. Section 404, the portion of SOX that requires companies to report on their internal controls and have them audited, has come under particular fire. But despite these protests, the five commissioners at the Securities and Exchange Commission said they have no intention of exempting small-cap firms from Section 404.

Commenting on this decision, Jackson nodded in approval, citing research that proves small publicly traded companies are more likely to see SEC-enforcement action because they tend to have a "they'll never catch us" attitude. 

"I'm not going to presume this is cheap," Jackson said. "But I don't blame the SEC for not giving an exemption, because we're talking about public accounting and investor protection. Shareholder activism is not a fad; it is not going away."

Protection for the investor -- but also protection of the company -- is the perspective from which Jackson approaches voluntary SOX compliance. The private business's compliance efforts, she explained, will make a company "worthy of fill-in-the-blank. It's a means by which the company can document and prove and demonstrate the business is attractive to deal with, and that it's a good risk."

High-standard internal control practices will demonstrate accountability to not just the banker or venture capitalist, added Jackson. Indeed, it could also be leveraged at levels perhaps not previously considered, such as for negotiating a decent insurance premium.

As mentioned above, Jackson is adamant that, if nothing else, small, private companies implement two SOX provisions: whistleblower protection and document preservation.

"Whistleblower protections should be something that they really embrace," she said, adding, "Whistleblowers deserve a raise when they speak up because they often save a company X number of dollars."

She contends that a good whistleblower protection program goes beyond a written policy. It should also:

  • outline how the employee should report a problem (such as an anonymous hotline);
  • designate at least one board member responsible for whistleblower reports;
  • embed a culture or system that assures employees there will be no negative consequences, such as harassment or reprimands, should they report a problem.

The second provision, document preservation, is necessary simply to "capture what needs to be captured" and to save time and energy. Again, this calls for a written policy, and an understanding that you can't destroy documents during an investigation.

Quick steps to get started

For the financial executive looking to implement SOX practices from scratch, Jackson shared two quick-start steps. First, look at your internal controls financial management system. This includes expense reimbursements, travel claim reimbursements, how revenue is recorded, how checks are received and how credit cards are processed. Segregate the duties among employees to create a check-and-balance system and to thwart internal fraud.

Next, talk to the CEO and chief operating officer to make sure the whole organization has an overall commitment to SOX compliance and best practices. This includes making sure the entire management team and the board are financially literate -- as they are charged with reviewing the monthly reports.

Other best practices, outlined in Sarbanes-Oxley for Small Businesses, include:

  • upgrading the current quality of audits by means of auditor independence and an audit committee;
  • ensuring accuracy of certified financial statements;
  • instituting a higher level of management accountability;
  • establishing a conflict of interest policy;
  • developing a code of ethics;
  • implementing internal controls that comply with laws and regulations at the federal, state and local levels;
  • ensuring transparency at all levels of management and in all transactions;
  • assuring consistent adherence to and enforcement of new policies and procedures.

Jackson tells companies to take a holistic perspective and to ask a few questions: What could go wrong if you don't strengthen internal controls? How can you leverage SOX to build a business continuity plan? To strengthen relationships with your banker, auditor, insurance provider, legal counsel, IT person? Are you leaving money on the table by not leveraging SOX?

(c) 2006 SmartPros Ltd. Reprinted with permission.

 
