Editors’ note: This article is featured in NPQ‘s special winter 2012 edition: “Emerging Forms of Nonprofit Governance.”


It was only a decade ago that Congress passed the Sarbanes-Oxley Act (SOX) in response to the meltdown of the Enron Corporation and the Arthur Andersen accounting firm. The two official names of the legislation—the Public Company Accounting Reform and Investor Protection Act (in the Senate) and the Corporate and Auditing Accountability and Responsibility Act (in the House of Representatives)—tell you where Congress was focused: on publicly traded corporations and the accounting practices necessary for protecting investors.

Sarbanes-Oxley wasn’t aimed at the nonprofit sector and contained almost no legislative language applicable to nonprofits. While trade associations in the corporate sector have loudly bemoaned the burdens SOX imposed on corporations, Sarbanes-Oxley survives. Despite corporate complaints, SOX has become part of the landscape of corporate governance writ large—for publicly owned corporations and, by absorption, for 501(c)(3) public charities, which have seen the value of a more rigorous regime of improved corporate governance practices.

What the Law Requires

Only two provisions of Sarbanes-Oxley apply to nonprofits: retaliation against whistleblowers and destruction of documents that could be used in an official investigation. But this didn’t stop nonprofits from worrying that more of the law would seep from public corporations into the nonprofit sector. Based on the two tiny components of a sixty-sixpage statute, though, the nonprofit sector has little to worry about and actually much to gain.

Section 1107 of the statute makes it a crime for a nonprofit to retaliate against an employee who provides a federal law enforcement officer with truthful information about a nonprofit’s having committed or planned to commit a federal offense. In truth, the provision has relatively limited application, yet it generated a wave of reaction among nonprofits. Nonprofit executives and boards probably feel just as uncomfortable as corporate players do with colleagues blowing the whistle. In fact, some academic and legal literature describe whistleblowers as disgruntled employees or troublemakers rather than virtuous characters exposing organizational wrongdoing, and includes advice from legal experts often focused on how to deal with rather than protect the “troublemakers.” But interest in the plight of whistleblowers has not abated. This past November, Congress passed the Whistleblower Protection Enhancement Act, strengthening the provisions to safeguard legitimate whistleblowers and broadening the range of issues covered by federal legislation. Still, the act is focused on federal whistleblowers, not nonprofit ones.

Are nonprofit whistleblowers important? Ask the ProPublica and Frontline investigative team that in 2012 was able to reveal the sources of secret money behind the social welfare organization Western Tradition Partnership (WTP), eventually uncovering alleged illegal coordination between the purportedly independent WTP and a number of candidates for political office. Sometimes nonprofit whistleblower issues aren’t large compared to such massive corporate malfeasance as was discovered when Sherron Watkins blew the cover of Exxon’s illegal operations, but the ability to speak up about wrongdoing within nonprofits is a critical element of good governance in the sector. Nonetheless, as Louis Clark of the Government Accountability Project told NPQ, much of the nonprofit sector doesn’t get whistleblower coverage, even when nonprofits are dealing with some parts of the federal bureaucracy. Although the stimulus legislation, which went through a number of nonprofit groups, built in whistleblower protections for vendors and contractors, other federal problems might not cover nonprofit vendors. SOX opened up the culture of whistleblowing to the nonprofit sector—or, perhaps more accurately, within the nonprofit sector—but the nation is still far from providing appropriate and necessary protections to nonprofit whistleblowers.

The other element of the statute that specifically applies to nonprofits is Section 1102, which makes it a crime for nonprofits to alter or destroy documents that should be maintained for use in official proceedings. It also makes it a crime to impede or obstruct such official proceedings. The legislation adds the qualifier “corruptly” to the prohibition, without explaining what exactly “corruptly” means. In any case, the destruction-of-documents language in SOX has led many nonprofits to adopt specific policies detailing which documents must be kept and for how long.

There’s no easy answer, however, to the length of time a given document should be kept. Some documents may have lengths of time established by state or federal statutes or regulations; others by virtue of business needs that could go beyond anything established in the law, or that could vary by the type of business activity the nonprofit is pursuing; and still others based on historical or intrinsic purposes. In light of recent federal investigations into the e-mail correspondence of top Pentagon and CIA officials, nonprofits should keep in mind the broad scope of documents that ought to be retained.

And retaining documents may be just as important to nonprofit employees as to the employers. The obvious parallel is in the government. Scores of veterans of U.S. military action in Iraq and Afghanistan recently discovered that they cannot receive benefits for their overseas deployments because of lost or missing U.S. Army records from around 2004 to 2008. This serves as a reminder that nonprofit organizations are gatherings of people, and it is these people whistleblower and document retention policies serve to protect.

The Sarbanes-Oxley Ethos

Almost immediately upon the law’s passage, the U.S. Chamber of Commerce and other business associations launched a widespread assault on the legislation and its potential negative impact on corporate business practices and profits. That is the sort of reflexive response of business in general to any enacted or pending regulatory requirement, but SOX hardly did in the corporate sector. In fact, for much of the decade after the enactment of the law, the corporate sector fared exceptionally well until overly rapacious banks and investment houses did in the economy in 2008—due in part to inadequate government regulation and oversight.

The corporate hysteria about SOX concerned Section 404 of the law, which calls for independent auditors to examine and certify the adequacy of corporations’ internal controls and financial reporting. This was deemed to be an expensive new proposition, with studies emerging indicating that corporations were facing hugely increased operating costs due to SOX compliance. With the downturn in the economy and challenges in the world of business competition, the corporate drumbeat against the presumed additional costs of corporate compliance with SOX remains strong.

Regardless of the corporate thinking, some elements of SOX as good practice seeped into the nonprofit sector—one significant area being the restructuring of nonprofit boards’ financial committees. Increasingly, following the SOX corporate model, nonprofits established separate and independent audit committees and even tried to recruit financial experts. States began creating laws with financial thresholds that would require the establishment of audit committees and, consequently, audits.

This is still a big challenge for smaller nonprofits, but the emphasis on bringing in someone with financial expertise to do battle with the auditors is considered good practice. It is no longer sufficient for a nonprofit CEO or executive committee to wheedle with auditors to get clean audits with nothing of substance in the auditors’ management letter. Opening up the process to an audit that gets translated through an audit committee, sometimes over the discomfort of an organization’s CEO and financial committee, is a major step toward nonprofit accountability. In fact, nonprofits, unlike their for-profit corporate brethren, sometimes now welcome the opportunity to receive a management letter, and make it available with the auditors’ recommendations and the nonprofit’s specific ameliorative actions. The letter becomes a mark of strength, accountability, and self-improvement. It also sometimes means, in accordance with the public corporation requirements of Sarbanes-Oxley, a regular review and replacement of the auditors themselves.

On the corporate side, the law went further, limiting or prohibiting the services that an auditor might deliver. All too often, auditors were also providing bookkeeping services, investment advice, and other functions that really had no relationship to their functions as independent auditors, and sometimes compromised the integrity and reliability of the audits. It is easy to see why that might happen in a smaller nonprofit, too. An auditor will see a problem, recommend a solution, and be the logical entity to help the nonprofit client carry it out, but with the result that the auditor’s judgment could be clouded by self-interest. Avoiding conflicts of interest doesn’t mean being shortsighted about logical efficiencies. It makes perfect sense for the auditor to have a role in the preparation of a nonprofit’s Form 990s and other tax documents. Similarly, since an auditor should be sharply focused on an organization’s financial controls, helping to design the controls to protect and enhance nonprofit accountability also makes sense.

There was, of course, pushback against the application of SOX “best practices” to the nonprofit sector; and, not surprisingly, it emerged sounding much like the corporate critique of the legislation. Nonprofit leaders suggested that the movement toward requiring audits for smaller organizations—though the revenue thresholds established in most state laws made the audit requirement applicable to nonprofits that were clearly in the top 10 percent or even top 5 percent of nonprofits based on annual revenues—would create additional “compliance costs” that, unlike in for-profit circumstances, could not be easily absorbed or passed along to customers or users. Even some larger nonprofits operate on barebones financial structures, with minimal operating reserves, constrained overheads, and little financial flexibility. Adding the requirement of audits, as powerful as they are in establishing the veracity of a nonprofit’s finances and controls, could mean taking money away from the delivery of crucial services.

Concerned that extra costs could force nonprofits out of business, some nonprofit leaders also suggested that the SOX origins in the corporate sector, particularly with the predatory and self-serving actions of Enron’s Kenneth Lay, Jeffrey Skilling, and Andrew Fastow, were unlikely to be issues for the nonprofit sector. Lay, Skilling, and, particularly, Fastow used Enron’s lack of controls to enrich themselves through stock options and complex financial structures that most nonprofits couldn’t even fathom, much less try to design or replicate. Corporate audits, if conducted by auditors not in the pockets of the executives, would in theory uncover these depredations; in the nonprofit sector, comparable self-enrichment was unlikely to occur. To nonprofits, SOX aimed at uncovering and undoing problems in the corporate sector that were at most hardly pervasive among nonprofits and more than likely all but nonexistent.

Although California came out with a Nonprofit Integrity Act in 2004, and several states established audit thresholds, there was hardly a widespread replication of SOX for nonprofits at the state level. Efforts to increase nonprofit accountability at the federal level foundered as the Senate Finance Committee’s investigations in 2004 were channeled into a self-regulatory regime promoted in the two reports of Independent Sector’s “Panel on the Nonprofit Sector,” and, in 2006, Title XII of the Pension Protection Act, largely focusing on addressing abusive donor-advised funds and supporting organizations and some technical issues concerning charitable deductions. Nonetheless, SOX created an ethos in the nation and within the nonprofit sector, restoring and elevating the importance of governance, particularly that carried out by the nonprofit board. Many boards and their partner CEOs still operate as though best practices in good governance were an alien imposition. But unlike the pre-SOX era, in which governance was sold to the nonprofit public simply as something innately good, SOX put good governance and board oversight into the public policy parlance.

After decades of management professionals training boards and staff about the necessary functions of boards of directors, SOX underscored that nonprofit board membership was not to be looked at as a frivolous, resume-burnishing activity. In other words: board members are supposed to know what the organizations they oversee are actually doing; fiduciary responsibility has meaning and consequences for board members; there is a relationship between good governance and organizational effectiveness; and, with the new public ethos of SOX, institutional funders and individual donors should be legitimately concerned with and attentive to nonprofit governance.

Sarbanes-Oxley didn’t eliminate the likes of Andrew Fastow preying on the corporations they oversaw, and the 2002 legislation didn’t suddenly make the oversight of the Securities and Exchange Commission muscular and effective. The same holds true for the nonprofit sector. There are still people of dubious ethics abusing the charitable sector, and effective oversight and enforcement from state attorneys general are spotty and even less in evidence from the overburdened and under-resourced tax-exempt division of the Internal Revenue Service. But, despite only two provisions of specific applicability to the nonprofit sector, Sarbanes-Oxley did effect a positive change of context and behavior for nonprofits in the arenas of governance and financial accountability.


Rick Cohen is the Nonprofit Quarterly’s national correspondent.