Advisory Report 2003-03
November 20, 2003
The Sarbanes-Oxley Act of 2002: Recommendations for Higher Education
This report addresses recommendations of the National Association of College and University Business Officers (NACUBO) with respect to issues raised by the Sarbanes-Oxley Act of 2002 (Act). While the Act does not apply to institutions of higher education or other public or not-for-profit entities, the concerns it covers are universal. They are in the forefront of issues many governing board members deal with in their corporate activities. The recommendations provided in this report address how institutions might choose to deal with issues such as auditor independence, corporate responsibility, enhanced financial disclosures, accountability, and certification of financial results.
The purpose of this report is to provide emerging best practice guidance for higher education institutions, as many colleges and universities are considering the new standards for publicly traded companies and deciding which aspects to implement. NACUBO believes that institutions of higher education should look at the Sarbanes-Oxley Act as a framework to help evaluate overall financial risks, and not simply comply with accountability concepts that stem from structures and circumstances that differ fundamentally from the stewardship responsibilities and public obligations they face. The report was prepared by NACUBO’s Accounting Principles Council (APC), in consultation with several public accounting firms and other campus administrators. The recommendations are the result of APC research and collaboration with colleagues during the year since passage of the Act.
NACUBO and the APC will continue to monitor interpretation of the Act and gather feedback from higher education administrators, trustees, standard-setting bodies, and government officials. If necessary, the guidance in the Advisory Report will be updated to reflect changing wisdom and practice.
NACUBO is also interested in learning about other ways that institutions have addressed accountability and governance issues on their campuses. Contact information is provided at the end of the report.
Because the business office continually seeks to enhance institutional accountability and responsibility, certain provisions of the Sarbanes-Oxley Act have relevance to higher education. The guidance in this advisory report is intended to assist presidents, chief financial officers, and trustees with interpretation of the Act. The guidance focuses on three main areas: independent auditors, senior management, and audit committees. NACUBO’s recommendations are summarized below.
- The board’s audit committee should receive the audit engagement letter and take direct responsibility for appointing, compensating, and overseeing the audit.
- Institutions should prohibit their independent auditors from providing nonaudit services barred by the Act. When extenuating circumstances exist, the board’s audit committee should approve such nonaudit services in advance.
- The lead audit partner should be rotated every seven years, with a timeout of two years.
- Senior financial managers should adopt a code of ethics and consider methods to ensure compliance.
- A confidential complaint mechanism should be made available to employees to communicate concerns about accounting, auditing, or internal control processes.
- Institutions should consider assessing the need for disclosures required by section 302 of the Act. Section 302 requires the chief executive officer (CEO) and the chief financial officer (CFO) to assert that the financial statements have no material misstatements or omissions and that they have evaluated “disclosure controls and procedures.” Large decentralized institutions should consider requiring section 302 assertions by business unit leaders responsible for financial results.
- Section 404 of the Act addresses internal controls, which are fundamental to sound financial reporting. A recommended business practice is to document and evaluate internal controls over a planned time period.
- The board of directors should have an audit committee or its equivalent.
- The audit committee should exercise direct control over the external auditors.
- Members of the audit committee must be independent, and management should not be voting members of the audit committee.
- The audit committee should have a charter that includes role and authority language.
- At least one financial expert should be included on the audit committee.
The Sarbanes-Oxley Act of 2002 was enacted as a formal response to unprecedented corporate and accounting scandals. Its purpose is to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. As such, the Act applies officially, or in a legal sense, only to Securities and Exchange Commission (SEC) registrants or publicly traded companies. Although colleges and universities are not subject to the Act’s provisions, it is relevant to institutions of higher education for the following reasons:
- Trustees of colleges and universities may expect institutions to adopt certain aspects of the Act as best practices.
- Several states are considering adopting variations of the Act and applying it to certain not-for-profit organizations domiciled in the state.
- Bond rating agencies and directors and officers’ liability insurers may consider governance aspects of the Act in their underwriting and/or pricing policies.
- Colleges and universities that receive federal funding must adhere to new General Accounting Office standards related to auditor independence. GAO standards for independence are in some cases more restrictive than the standards in the Act.
This report summarizes and discusses relevant provisions of the Act that apply to the following three groups in higher education:
- Independent Auditors
- Senior Management
- Audit Committees
A checklist that references all relevant titles and sections of the Act, with corresponding recommended best practices for higher education, is also provided in the PDF version of this Advisory Report beginning on page 6. Knowing the Act is designed for SEC registrants, the summary of requirements explains in plain language the provisions deemed to have the most relevance for colleges and universities. The intent is to provide discussion and insight related to the higher education best practice guidance on the checklist.
The Act imposes specific requirements to ensure that auditors remain independent. Independent external auditors are prohibited from providing any of a range of nonaudit services to their audit clients, including actuarial services, bookkeeping services, internal audit outsourcing services, and system implementation services. The general theory is that external auditors cannot perform management functions or be involved in any activity that they might later be required to audit.
The GAO issued new independence standards in January 2003 that also limit the services that an independent auditor can provide. The GAO uses two “overarching principles”:
- Auditors should not perform management functions or make management decisions.
- Auditors should not audit their own work or provide nonaudit services in situations where the amounts or services involved are significant/material to the subject matter of the audit.
Higher education institutions that receive federal funding must follow the GAO government auditing standards, or their annual A-133 audit reports will not be accepted. GAO standards for independence are in some cases more restrictive than the standards in the Act.
The Act requires the audit committee to approve audit or nonaudit services before they are rendered. Discussions about the use of external auditors for nonaudit services might include:
- What is management’s rationale for using the firm?
- Is this an exclusive service that other firms cannot provide?
- Was the work competitively bid?
- Could the work impair the auditor’s ability to provide the external audit?
- Might an objective third party conclude that the audit firm is not independent?
The Act does not require companies to change audit firms periodically but recommends significant efforts to preserve the independence of the external audit firm. The Act also directed the GAO to study mandatory rotation of external audit firms, but does mandate rotation of external audit partners (both lead and concurring partners). The Act requires rotation after five years, with a five-year timeout period during which the former audit partners can have no decision-making authority with respect to the audit.
In the nonprofit environment, external audit firms have traditionally rotated partners after 10 years. The limited availability of audit firms with knowledge of higher education, and of experienced partners within those firms, could make a five-year rotation difficult to implement. In addition, because nonprofit organizations do not typically have the same frequency or intensity of partner involvement as public companies, it is reasonable to consider a longer time period before rotation. Consequently, NACUBO recommends rotation of the lead partner every seven years, with a two-year timeout provision. Institutions of higher education should work with their audit firms on the issue of partner rotation and document any difficulties.
The Act requires a code of ethics for senior financial managers. Recently finalized rules from the SEC require that the code of ethics address:
- honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships;
- full, fair, accurate, timely, and understandable disclosure in reports that the registrant files with the SEC;
- compliance with applicable government laws, rules, and regulations;
- the prompt reporting of code violations to an appropriate person or persons identified in the code; and
- accountability for adherence to the code.
The concept of a code of business ethics for higher education is not new. In 1993 NACUBO adopted a code of ethics in recognition of the role that business officers play in ensuring high standards of accountability for the resources society entrusts to higher education. A copy of the NACUBO Code of Ethics is provided at the end of this report.
Careful consideration ought to be given to accountability for adherence to a code of ethics and related enforcement. Institutions should implement a signoff by senior leaders acknowledging receipt of the code of ethics. In higher education, the process of enforcement and the level of compliance will likely vary by institution type (public or independent) and complexity (size, number of programs, number of departments, extent of decentralization, etc.).
Institutions are encouraged to inventory and assess current procedures and policies. Coordination of units responsible for administering policies will help meet the challenge of enforcement. For example, conflict of interest policies for researchers and general outside teaching/consulting policies may already exist. If the current inventory of policies and procedures fails to address ethics and/or conflicts of interest, management should consider establishing policies appropriate for the institution.
Once this is accomplished, emphasis should shift to documenting compliance procedures. Senior management in the business office should consider how other areas enforce policies and should strive for consistent enforcement across the institution. Finally, the audit committee (or equivalent) of the board of directors should review the code of ethics and the compliance procedures to ensure adequacy.
Section 301 of the Act requires the establishment of a confidential complaint mechanism for employee concerns about accounting, internal control, or auditing matters. NACUBO recommends that institutions publicize the complaint mechanism and have it periodically reviewed by the audit committee. Institutions could incorporate the new complaint mechanism within existing human resource communication policies. Colleges and universities should also consider establishing hot lines, anonymous voicemail, and anonymous e-mail or secure suggestion drop boxes to facilitate the complaint process. Regardless of the specific mechanisms selected, there should be a process for communicating with employees, receiving information, and addressing identified concerns.
Section 302 of the Act requires CEO and CFO assertions that extend beyond financial statement compliance with generally accepted accounting principles (GAAP). The Act requires the CEO and CFO to certify that the financial statements have no material misstatements or omissions. The certification also acknowledges responsibility for establishing and maintaining “disclosure controls and procedures,” a new term that refers to the quality of a company’s overall disclosures (such as the notes to the financial statements, management discussion and analysis, or selected financial data). This requires a detailed evaluation of financial reporting and disclosure processes before the assertion is made.
Institutions should begin assessing the additional assertions suggested in Section 302. NACUBO believes that most institutions would benefit from developing a plan for documenting their financial reporting process and assessing the adequacy of controls over both financial reporting and financial disclosures. However, be aware that the new certifications are extensive.
Institutions planning for additional certifications should consider the extent to which their financial operations are decentralized, as an emerging practice known as sub-certification may be required. Sub-certification requires division or school officials to sign off on subsets of financial results or information as a basis of reliance by senior officials. Organizations should evaluate the divisions’ accountability for financial results. If sub-certification is adopted, each business unit’s responsibility for financial reporting should be clearly defined and policies established.
Perhaps the most far-reaching provision of the Act is a requirement under section 404 that the senior officers of a public company certify the adequacy of the systems of internal control. Further, the management assertion must be audited and certified by the external auditor. Since the Act is not binding on educational institutions, an alternative would be for management to provide the assertions and testing without the external audit attestation.
Identifying, designing, and maintaining controls and procedures that safeguard assets and minimize risk are sound business practices. A recommended business practice is to start planning how an internal control assessment might be conducted. The effort to document the existence and adequacy of the controls would require a major institutional commitment. Institutions should reference a well-accepted model for internal controls, such as that published by the Committee of Sponsoring Organizations (COSO) in 1992. NACUBO is not aware of any institutions of higher education that have committed to provide the assertions on financial reporting (section 302) and internal controls (section 404). We will continue to monitor this situation and provide updates to the NACUBO membership.
The Act sets very high expectations concerning the background and responsibilities of the audit committee of the board of directors. The audit committee is required to take direct control of independent auditors; be responsible for appointing, compensating, and overseeing them; and preapprove all services. The Act requires the audit committee to be independent. Management or employees may not serve on the committee. Members of the committee may not receive consulting, advisory or other fees from the institution.
At least one member of the audit committee is expected to possess financial expertise. Recently issued final rules from the SEC require that this person have the following attributes:
- an understanding of generally accepted accounting principles and financial statements
- the ability to assess the general application of such principles in connection with the accounting for estimates, accruals, and reserves
- experience in preparing, auditing, analyzing, or evaluating financial statements that present a breadth and level of complexity of accounting issues generally comparable to the issues reasonably expected to be raised by the registrant’s financial statements (or experience actively supervising one or more persons engaged in such activities)
- an understanding of internal controls and procedures for financial reporting
- an understanding of audit committee functions
The SEC’s final rules allow some flexibility in how audit committee members might acquire this expertise, including:
- education and experience as a principal financial officer, principal accounting officer, controller, or public accounting auditor
- experience actively supervising the above positions
- experience overseeing or assessing the performance of companies
- other relevant experience
The Act suggests that the entire board of trustees determine whether the designated financial expert possesses the necessary expertise.
NACUBO recommends colleges and universities that do not have separate audit committees assign requisite responsibilities to an existing committee such as the finance committee. However, such a committee must take on audit committee composition and accountability. For equivalent or combined committees, the name should be changed to reflect the audit oversight function, for example, the “Finance and Audit Committee.” Assigning these duties to a committee does not relieve the whole board of oversight responsibility. Boards that do not operate using a committee structure should assume direct responsibility for oversight of audits. Higher education institutions should consider the following factors to ensure sufficient expertise on the audit committee:
- familiarity of committee members with estimates, accruals, and reserves relevant to higher education
- training audit committee members and retaining financial expertise
- recruiting financial experts
- current committee members’ longevity and experience with a given institution can be considered “other relevant experience”
Colleges and universities should also consider rotating the individual in the role of financial expert when feasible.
This guidance considers elements of governance, ethics, business process, and accountability raised by the Sarbanes-Oxley Act of 2002 that are relevant to institutions of higher education. Institutions should carefully consider the substance of these elements and determine, with their boards, which actions best suit their situation. If any of the recommended steps are considered unsuitable, burdensome, or cost prohibitive, NACUBO recommends that an explanation be prepared for the institution’s board of trustees to review.
NACUBO is very interested in learning about steps that institutions have taken to increase accountability and governance. To share information, provide comments on these recommendations, or for questions, contact Sue Menditto at email@example.com or 202-861-2542.
The PDF Version of this Advisory Report contains the following additional information:
- Checklist for Higher Education
- NACUBO Code of Ethics