The overriding objective of the Sarbanes-Oxley Act is to strengthen the public securities market by holding management accountable for material information filed with the SEC and released to investors.

To help achieve this overall goal, Sarbanes-Oxley
includes several underlying objectives, specifically improving corporate governance, promoting
ethical business practices, enhancing the transparency of financial statements and disclosures, and ensuring that company executives are aware of material
information emanating from their business.

Sarbanes-Oxley is not law for nonprofit organizations, but guidelines for achieving its underlying objectives can be applied to all organizations, including nonprofits. By adopting the principles and best practices promoted by Sarbanes-Oxley – customized to meet an organization's unique nature and needs – a nonprofit organization can better realize its mission and meet the expectations of its key stakeholders.

This article follows the case of The Philadelphia Zoo;
and provides insight into how Sarbanes-Oxley implementation can be the key to improved governance for nonprofit organizations.

Welcome to the Zoo
The Philadelphia Zoo, America's first zoo, was chartered in 1859 and opened its gates to the public in 1874. Over the course of its 131-year history, the Philadelphia Zoo has maintained its position as one of the country's leading zoos, and is the second-largest ticketed attraction in the Philadelphia region.

With 1.2 million visitors each year, annual spending in excess of $40 million, and the responsibility of caring for a collection of more than 1,500 mostly endangered animals, the Philadelphia Zoo is continuously in the public spotlight.

Keeping these responsibilities in mind, the Philadelphia Zoo's board of directors has for several years placed governance in the forefront of its goals. In fact, the board agreed that the passage of the Sarbanes-Oxley legislation in 2002 was an opportunity to revisit the Philadelphia Zoo's corporate governance standards. Recent actions have spanned from the pragmatic appointment of a chief governance officer to the board, to the time-consuming increase in the number of committee meetings. The board has used Sarbanes-Oxley to generate discussion and resulting activism to adopt Sarbanes-Oxley-like (i.e., best practice) principles that
have moved the Philadelphia Zoo into the forefront of nonprofit governance.

Best Practice Considerations
For CPAs appointed to a nonprofit board, as well as those CPAs working for, performing the audit of, or otherwise having a vested interest in the governance of a nonprofit organization, the following are best-practice considerations based on the direction of Sarbanes-Oxley. The nature, size and complexity of a nonprofit organization, however, will affect how these best practices are most appropriately and effectively implemented.

Board of Directors. The board of directors or board of trustees of a nonprofit organization plays a critical role in defining and monitoring the nonprofit's mission, providing oversight to the management team, and ensuring effective governance on behalf of key stakeholders. Thus, the board should be actively involved and should have significant influence over the nonprofit organization.

Board Charter. The board should clearly define its purpose, duties and responsibilities in an overarching board charter, and then approve individual charters for each board committee. These charters should be reviewed at least annually, and should be amended as deemed necessary.

Board Members. Directors should have sufficient knowledge, experience and time to serve the nonprofit organization effectively. The Philadelphia Zoo assists its board members in this regard as best as it can. For example, each board member annually receives a binder that contains copies of all critical documents: the organization's mission, bylaws, committee work plans, board policies, a calendar with key events and other governance-related materials.

Board members also must be able to understand the nonprofit's business operations and effectively present alternate views as needed, especially with regard to strategic initiatives and major investments. Each board member is periodically required to attend “Zoo School,” a full-day workshop that provides a working knowledge of all aspects of the Zoo's day-to-day operations.

To ensure that board directors are qualified, there should be an effective process for nominating and approving new members and for evaluating the performance of existing members. The board should consist of an appropriately diverse group of members, but not so many as to become unruly and ineffective.

The Philadelphia Zoo's nominating process is rigorous. Board candidates are generally solicited by existing members and reviewed by a nominating committee. The days of significant contributions creating entitlement to a board seat are long gone. Candidates meet several times with the nominating committee, board officers and key management. Responsibilities and expectations are discussed frankly. The entire board votes on all nominees recommended by the nominating committee.

Board Committees. The board should create committees based on the need for in-depth attention or focus into specific matters. Many larger nonprofit organizations have standing audit, finance and compensation committees, as well as ad hoc committees as needed. Each committee should have an appropriate number of qualified members, and report the results of its efforts back to the board.

Due to the size and operational complexity of the Philadelphia Zoo, board committees play a key governance role. Each standing committee has a distinct approved mission and annually develops a specific work plan, priority areas of focus and an 18-month meeting schedule. Committee composition is reviewed each year to ensure member backgrounds and experience match the committee's needs and requirements.

Conflict of Interest Policy. To avoid conflicts of interest, the board should create and ensure that its members uphold a conflict of interest policy. The board and its key committees also should consist of a sufficient number of independent directors. To be independent, a director must not accept consulting, advisory or other compensatory fees or be an affiliated person of the organization, except for board-related compensation. The Philadelphia Zoo requires all board members to sign a conflict of interest policy. In addition, management and select staff are required to annually complete an employee conflict-of-interest statement that discloses any transactions with board members or other related parties.

Board Policies. The board should determine the organization's major policies, including those that address significant business control issues, financial and operational risk management, and delegation of authority.

Recently, the Philadelphia Zoo's board of directors adopted a series of statements and policies on financial and operational risk management. Boards historically have adopted financial policies, but it is only recently that they have delved into operational risks. The Zoo's board views oversight of all risk as its responsibility. It has adopted statements and supporting policies governing employee and volunteer welfare, behavior to guests, safety of the animal collection, and legal and regulatory compliance.

The board should clearly define its key governance
principles and periodically perform board-effectiveness self audits and refine its policies, procedures and structure as appropriate. The Philadelphia Zoo's board, directed in this effort by its officers, recognizes that an annual performance evaluation is both a healthy and necessary exercise. It spans from the basic – such as annually reviewing, revising and approving key board policies – to the bold – such as limiting board members to no more than three consecutive three-year terms.

The Audit Committee. The audit committee plays a
critical role in organizational governance. Its key responsibility is oversight, particularly oversight of an organization's financial statements and disclosures, risk management activities, compliance efforts, as well as internal and external audit functions.

The audit committee should document its purpose, duties and responsibilities in a formal audit committee charter. The charter should be reviewed at least annually and amended as appropriate.

The Philadelphia Zoo has had an audit committee for many years, but it was a subcommittee of the finance committee. After Sarbanes-Oxley, the committee was separated from the finance committee, and now stands alone. Its scope was expanded to include the monitoring of operational risk in addition to financial risk; its name was changed to the Audit & Compliance Committee; and its size was increased to include two attorneys. The Philadelphia Zoo's audit committee now has a published charter, annual work plan and four prescheduled meetings per year.

Financial Experts. All audit committee members should be financially literate. In addition, either the audit committee chair or other members of the committee should have accounting or finance-related management expertise. All members of the Philadelphia Zoo's audit committee are financially literate, and there are three financial experts, including a CPA, retired CFO and CEO.

The audit committee should be responsible for engaging and providing oversight to the organization's external auditor, having direct responsibility for appointing, evaluating, and terminating the auditor. The committee should evaluate the external auditor's qualifications and independence at least annually, pre-approve all audit and other services that will be provided, and approve the scope of activities to be performed via an engagement letter.

To provide appropriate oversight, the audit committee should formally meet with the external auditor at least twice per year: once to review the auditor's annual work plan and again to discuss the final audit report.

The Philadelphia Zoo's Audit & Compliance Committee engages the organization's auditors, meets with them at least twice each year, and requires an annual
management letter. In addition, the committee reviews its auditor relationship every three years and does not employ its auditor to perform any non-audit services except tax return preparation.

Whistleblower Hotline. The audit committee should establish procedures that enable employees and others to confidentially and anonymously submit concerns regarding questionable accounting or auditing matters. All reported issues must be investigated and resolved in a timely fashion, with appropriate disciplinary action taken if needed.

The Philadelphia Zoo has a published whistleblower policy that has been presented and distributed to all current employees and reviewed with new employees during orientation. The policy provides whistleblowers with multiple avenues of disclosure. It is worth noting this practice was introduced based on a management advisory control comment by the Zoo's external auditors.

Other Considerations
The culture of a nonprofit organization, ethical or otherwise, is a reflection of the collective behaviors and values of the organization's leaders, managers and other associates. As such, management should set the appropriate “tone at the top,” including specific moral guidance regarding what is right and wrong. Management should effectively communicate its commitment to integrity and ethics throughout the organization, both in words and deeds. Finally, staff should feel pressure to do what is right.

At the Philadelphia Zoo, the tone for an appropriate
control environment is definitely established at the top by the board of directors. There is no mistaking the board expects the staff to adhere to the most effective practices for managing good internal controls within a framework of the highest ethics.

Codes of Conduct. Management should maintain a code of conduct as well as other policies that outline acceptable business practices, expected ethical and moral standards, conflicts of interest, and others. Staff must understand these policies and know what to do if improper behavior is encountered. As a result of its awareness of Sarbanes-Oxley, the Philadelphia Zoo has policies in place covering board conflicts of interest, board code of ethics, staff conflicts of interest, a comprehensive board delegation of authority, and, important but often overlooked, a statement on record retention guidelines.

Internal Controls Assessment. Adequate internal controls over financial reporting and disclosure, including an appropriate level of documentation, is a must. To effectively assess that internal controls are working as expected, management should consider implementing a control self-assessment program.

Following the Sarbanes-Oxley guidelines, the Philadelphia Zoo's financial team evaluated its internal control structure and the supporting level of documentation. It established an organizational tone that a strong, effective control environment is necessary and expected. The finance team prefers to center its focus on preventive, rather than detective, controls. The most critical question they ask is, “Are key people receiving the information they require on a timely basis?” This led the Philadelphia Zoo to introduce an accelerated closing schedule, requiring the complete financial reporting package to be in the hands of the
board's finance committee no later than the tenth workday each month.

Internal Audit Function. Management should consider an internal audit department. At the Philadelphia Zoo, this is not practical. Budget constraints prohibit a full-time internal audit function. However, the board’s increased awareness of governance has led management to continuously evaluate the organization’s internal controls and perform an ongoing review of policies and procedures. As previously stated, the Audit & Compliance Committee requires the external
auditors to issue a management control letter. The committee reviews implementation of corrective actions to address all audit comments, and is particularly sensitive to any repeat comments.

Sarbanes-Oxley is not law for not-for-profit organizations, but it is quite possible that legislation at the state or federal levels will provide similar regulation in the future. Implementing controls similar to those required by Sarbanes-Oxley could be a prudent, pre-emptive safeguard.

More importantly, by adopting the principles of Sarbanes-Oxley and implementing best practices related to corporate governance, a nonprofit organization will operate in an environment of solid internal controls and will be in a better position to realize its mission, meet the expectations of its key stakeholders and preserve the public’s trust.

About the Authors
J. Stephen McNally, CPA, is director of finance for Campbell Soup Co.'s Campbell U.S.A. Division, and is chair of the Pennsylvania CPA Journal Editorial Board. He can be reached at j_stephen_mcnally@campbellsoup.com.
Joseph T. Steuer, CPA, is executive vice president and chief financial officer for the Philadelphia Zoo. He can be reached at steuer.joe@phillyzoo.org.

Reprinted with permission from the Pennsylvania Institute of Certified Public Accountants.

Top