IMPACT OF THE 2002 SARBANES-OXLEY ACT (SOX) ON NONPROFITS
All corporations - publicly traded or not, including nonprofits - must comply with two provisions of SOX:
1. A. Sample Whistleblower Protection Policy (Short Version)
NPC encourages its employees to report suspected or actual illegal or improper activity, financial or otherwise. NPC will not condone any activity that is illegal or improper, whether done by a Board Member or employee.
Report to the Executive Director or Chair any activities that you believe to be illegal or improper.
Employees will be protected against retaliatory actions resulting from reporting unethical conduct. Any employee who feels that adverse action has been taken toward him/her due to a report of improper activity should notify the Executive Director or the Chair as soon as possible.
1. B. Sample Whistleblower Policy (Long Version - based on National Center for Nonprofit Associations policy)
General. NPC Code of Ethics and Conduct (“Code”) requires directors, officers and employees to observe high standards of business and personal ethics in the conduct of their duties. As employees and representatives of the NPC, we must practice honesty and integrity in fulfilling our responsibilities and comply with all applicable laws and regulations.
Reporting Responsibility. It is the responsibility of all directors, officers and employees to comply with the Code and to report violations or suspected violations in accordance with this Whistleblower Policy.
No Retaliation. No director, officer or employee who in good faith reports a violation of the Code shall suffer harassment, retaliation or adverse employment consequence. An employee who retaliates against someone who has reported a violation in good faith is subject to discipline up to and including termination of employment. This Whistleblower Policy is intended to encourage and enable employees and others to raise serious concerns within the NPC prior to seeking resolution outside the NPC.
Reporting Violations. The Code addresses the NPC’s open door policy and suggests that employees share their questions, concerns, suggestions or complaints with someone who can address them properly. In most cases, an employee’s supervisor is in the best position to address an area of concern. However, if you are not comfortable speaking with your supervisor or you are not satisfied with your supervisor’s response, you are encouraged to speak with someone in the Human Resources Department or anyone in management whom you are comfortable in approaching. Supervisors and managers are required to report suspected violations of the Code of Conduct to (insert name of individual designated by NPC), who has specific and exclusive responsibility to investigate all reported violations. For suspected fraud, or when you are not satisfied or are uncomfortable with following the NPC’s open door policy, individuals should contact the designee directly.
Reporting Individual. (Insert name of individual designated by NPC) is responsible for investigating and resolving all reported complaints and allegations concerning violations of the Code and, at his discretion, shall advise the Executive Director and/or the audit committee. Designee has direct access to the audit committee of the board of directors and is required to report to the audit committee at least annually on compliance activity. Designee is the chair of the audit committee.
Accounting and Auditing Matters. The audit committee of the board of directors shall address all reported concerns or complaints regarding corporate accounting practices, internal controls or auditing. (Insert name of individual designated by NPC) shall immediately notify the audit committee of any such complaint and work with the committee until the matter is resolved.
Acting in Good Faith. Anyone filing a complaint concerning a violation or suspected violation of the Code must be acting in good faith and have reasonable grounds for believing the information disclosed indicates a violation of the Code. Any allegations that prove not to be substantiated and which prove to have been made maliciously or knowingly to be false will be viewed as a serious disciplinary offense.
Confidentiality. Violations or suspected violations may be submitted on a confidential basis by the complainant or may be submitted anonymously. Reports of violations or suspected violations will be kept confidential to the extent possible, consistent with the need to conduct an adequate investigation.
Handling of Reported Violations. (Insert name of individual designated by NPC) will notify the sender and acknowledge receipt of the reported violation or suspected violation within five business days. All reports will be promptly investigated and appropriate corrective action will be taken if warranted by the investigation.
2. Record Retention and Document Destruction Policy (based on National Center for Nonprofit Associations policy)
NPC shall retain records for the period of their immediate or current use, unless longer retention is necessary for historical reference or to comply with contractual or legal requirements. Records and documents outlined in this policy include paper, electronic files (including e-mail) and voicemail records regardless of where the document is stored, including network servers, desktop or laptop computers and handheld computers and other wireless devices with text messaging capabilities.
In accordance with 18 U.S.C. Section 1519 and the Sarbanes-Oxley Act, an NPC shall not knowingly destroy a document with the intent to obstruct or influence an “investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States . . . or in relation to or contemplation of such matter or case.” If an official investigation is underway or even suspected, document purging must stop in order to avoid criminal obstruction.
In order to eliminate accidental or innocent destruction, NPC has the following document retention requirements: (Insert policy customized for NPC).
The following table provides sample minimum requirements. NPCs are encouraged to investigate individual state requirements and consult their accountants for guidance (NPCs serving multi-state/jurisdictional VAMCs must investigate all corresponding requirements).
| Type of Document | Minimum Best Practice Requirement |
| Accounts receivable & payable ledgers & schedules | 7 years |
| Affirmative Action Plan* - (EO 11246, Vietnam Era Veterans Readjustment Act and the Rehabilitation Act of 1973) | Updated annually then 1 year after expiration of plan |
| Articles of Incorporation, charter, bylaws, minutes and other incorporation records | Permanently |
| Audit reports, Financial Statements (year end): general/private ledgers, trial balance, journals | Permanently |
| Bank Reconciliation | 3 years |
| Bank statements, deposit records, electronic fund transfer documents, & cancelled checks | 3 years |
| Chart of accounts | Permanently |
| Checks (for important payments & purchases) | Permanently |
| Contracts, mortgages, notes and leases (expired) | 7 years |
| Contracts (still in effect) | Permanently |
| Correspondence (general) | 3 years |
| Correspondence (legal and important matters) | Permanently |
| Correspondence (with customers and vendors) | 2 years |
| Deeds, mortgages, and bills of sale | Permanently |
| Depreciation schedules | Permanently |
| Donations | 7 years |
| EEOC reports | Permanently |
| Employee demographic info & compensation records* (Davis-Bacon Act, Service Contract Act & Walsh-Healey Public Contracts Act) | 3 years |
| Employment applications* (depending on the # of employees, employers must retain applications & other personnel records relating to hires, rehires, tests, promotions, transfers, demotions, selection for training, layoff, recall, termination or discharge) (Civil Rights Act of 1964, Title VII, ADA, ADEA) | 3 years from making the record or taking the personnel action |
| Expense Analyses/expense distribution schedules | 7 years |
| Garnishments | 7 years |
| Grants (un-funded) | 1 year |
| Grants (funded) | 7 years after closure |
| I-9’s* | 3 years after date of hire or 1 year after termination |
| Insurance Policies (expired) | 3 years |
| Insurance records, current accident reports, claims, policies, etc. | Permanently |
| Internal audit reports | 3 years |
| Invoices (to customers, from vendors) | 7 years |
| Inventory records | 7 years |
| Loan documents and notes | Permanently |
| OSHA logs* (Records related to medical exams – 30 years after termination) | 5 years |
| Patents and related papers | Permanently |
| Payroll records & summaries including records related to employee’s leave* (Equal Pay Act, FLSA) | 7 years |
| Personnel files (terminated employees) (Title VII, ADA, ADEA) | 7 years after termination |
| Polygraph test results and records* (Employee Polygraph Protection Act) | 3 years |
| Purchase orders | 7 years |
| Retirement and pension records including Summary Plan Descriptions* (ERISA) | Permanently |
| Tax returns and worksheets | Permanently |
| Timesheets | 7 years |
| Trademark registrations and copyrights | Permanently |
| Withholding tax statements* (FICA, FUTA, Federal Income) | 7 years |
| Workers compensation documentation | 10 years after 1st closure |
* Federal requirements for organizations with government contracts or subcontracts.
Evolving SOX “Best Practices”
- The board president may want to address the fairness of the financial statements or internal controls in the organization’s annual report or newsletter.
- The board should receive training on financial stewardship and understanding financial statements.
- The Finance Committee should have financial experts among its members and should consider establishing an Audit Committee.
- The organization should have policies regarding conflicts of interest, code of conduct, and code of ethics, and should review them regularly.
- The organization should consider a policy prohibiting loans to officers, employees and trustees if this is not already in the bylaws.
- The Finance Committee or Audit Committee should hire and communicate directly with the auditors.
- The Finance Committee or Audit Committee should understand and approve non-audit services performed by the auditor.
- The Finance Committee or Audit Committee should meet with the auditors without management staff present.