Editors’ note: This article is featured in NPQ‘s special winter 2012 edition: “Emerging Forms of Nonprofit Governance.”


It was only a decade ago that Congress passed the Sarbanes-Oxley Act (SOX) in response to the meltdown of the Enron Corporation and the Arthur Andersen accounting firm. The two official names of the legislation—the Public Company Accounting Reform and Investor Protection Act (in the Senate) and the Corporate and Auditing Accountability and Responsibility Act (in the House of Representatives)—tell you where Congress was focused: on publicly traded corporations and the accounting practices necessary for protecting investors.

Sarbanes-Oxley wasn’t aimed at the nonprofit sector and contained almost no legislative language applicable to nonprofits. While trade associations in the corporate sector have loudly bemoaned the burdens SOX imposed on corporations, Sarbanes-Oxley survives. Despite corporate complaints, SOX has become part of the landscape of corporate governance writ large—for publicly owned corporations and, by absorption, for 501(c)(3) public charities, which have seen the value of a more rigorous regime of improved corporate governance practices.

What the Law Requires

Only two provisions of Sarbanes-Oxley apply to nonprofits: retaliation against whistleblowers and destruction of documents that could be used in an official investigation. But this didn’t stop nonprofits from worrying that more of the law would seep from public corporations into the nonprofit sector. Based on the two tiny components of a sixty-sixpage statute, though, the nonprofit sector has little to worry about and actually much to gain.

Section 1107 of the statute makes it a crime for a nonprofit to retaliate against an employee who provides a federal law enforcement officer with truthful information about a nonprofit’s having committed or planned to commit a federal offense. In truth, the provision has relatively limited application, yet it generated a wave of reaction among nonprofits. Nonprofit executives and boards probably feel just as uncomfortable as corporate players do with colleagues blowing the whistle. In fact, some academic and legal literature describe whistleblowers as disgruntled employees or troublemakers rather than virtuous characters exposing organizational wrongdoing, and includes advice from legal experts often focused on how to deal with rather than protect the “troublemakers.” But interest in the plight of whistleblowers has not abated. This past November, Congress passed the Whistleblower Protection Enhancement Act, strengthening the provisions to safeguard legitimate whistleblowers and broadening the range of issues covered by federal legislation. Still, the act is focused on federal whistleblowers, not nonprofit ones.

Are nonprofit whistleblowers important? Ask the ProPublica and Frontline investigative team that in 2012 was able to reveal the sources of secret money behind the social welfare organization Western Tradition Partnership (WTP), eventually uncovering alleged illegal coordination between the purportedly independent WTP and a number of candidates for political office. Sometimes nonprofit whistleblower issues aren’t large compared to such massive corporate malfeasance as was discovered when Sherron Watkins blew the cover of Exxon’s illegal operations, but the ability to speak up about wrongdoing within nonprofits is a critical element of good governance in the sector. Nonetheless, as Louis Clark of the Government Accountability Project told NPQ, much of the nonprofit sector doesn’t get whistleblower coverage, even when nonprofits are dealing with some parts of the federal bureaucracy. Although the stimulus legislation, which went through a number of nonprofit groups, built in whistleblower protections for vendors and contractors, other federal problems might not cover nonprofit vendors. SOX opened up the culture of whistleblowing to the nonprofit sector—or, perhaps more accurately, within the nonprofit sector—but the nation is still far from providing appropriate and necessary protections to nonprofit whistleblowers.

The other element of the statute that specifically applies to nonprofits is Section 1102, which makes it a crime for nonprofits to alter or destroy documents that should be maintained for use in official proceedings. It also makes it a crime to impede or obstruct such official proceedings. The legislation adds the qualifier “corruptly” to the prohibition, without explaining what exactly “corruptly” means. In any case, the destruction-of-documents language in SOX has led many nonprofits to adopt specific policies detailing which documents must be kept and for how long.

There’s no easy answer, however, to the length of time a given document should be kept. Some documents may have lengths of time established by state or federal statutes or regulations; others by virtue of business needs that could go beyond anything established in the law, or that could vary by the type of business activity the nonprofit is pursuing; and still others based on historical or intrinsic purposes. In light of recent federal investigations into the e-mail correspondence of top Pentagon and CIA officials, nonprofits should keep in mind the broad scope of documents that ought to be retained.

And retaining documents may be just as important to nonprofit employees as to the employers. The obvious parallel is in the government. Scores of veterans of U.S. military action in Iraq and Afghanistan recently discovered that they cannot receive benefits for their overseas deployments because of lost or missing U.S. Army records from around 2004 to 2008. This serves as a reminder that nonprofit organizations are gatherings of people, and it is these people whistleblower and document retention policies serve to protect.

The Sarbanes-Oxley Ethos

Almost immediately upon the law’s passage, the U.S. Chamber of Commerce and other business associations launched a widespread assault on the legislation and its potential negative impact on corporate business practices and profits. That is the sort of reflexive response of business in general to any enacted or pending regulatory requirement, but SOX hardly did in the corporate sector. In fact, for much of the decade after the enactment of the law, the corporate sector fared exceptionally well until overly rapacious banks and investment houses did in the economy in 2008—due in part to inadequate government regulation and oversight.

The corporate hysteria about SOX concerned Section 404 of the law, which calls for independent auditors to examine and certify the adequacy of corporations’ internal controls and financial reporting. This was deemed to be an expensive new proposition, with studies emerging indicating that corporations were facing hugely increased operating costs due to SOX compliance. With the downturn in the economy and challenges in the world of business competition, the corporate drumbeat against the presumed additional costs of corporate compliance with SOX remains strong.

Regardless of the corporate thinking, some elements of SOX as good practice seeped into the nonprofit sector—one significant area being the restructuring of nonprofit boards’ financial committees. Increasingly, following the SOX corporate model, nonprofits established separate and independent audit committees and even tried to recruit financial experts. States began creating laws with financial thresholds that would require the establishment of audit committees and, consequently, audits.

This is still a big challenge for smaller nonprofits, but the emphasis on bringing in someone with financial expertise to do battle with the auditors is considered good practice. It is no longer sufficient for a nonprofit CEO or executive committee to wheedle with auditors to get clean audits with nothing of substance in the auditors’ management letter. Opening up the process to an audit that gets translated through an audit committee, sometimes over the discomfort of an organization’s CEO and financial committee, is a major step toward nonprofit accountability. In fact, nonprofits, unlike their for-profit corporate brethren, sometimes now welcome the opportunity to receive a management letter, and make it available with the auditors’ recommendations and the nonprofit’s specific ameliorative actions. The letter becomes a mark of strength, accountability, and self-improvement. It also sometimes means, in accordance with the public corporation requirements of Sarbanes-Oxley, a regular re