
The Sarbanes-Oxley Act and its Impact on Nonprofit Organizations in Maryland

By Debra Jung, General Counsel

Introduction

The American Competitiveness and Corporate Accountability Act of 2002, more commonly known as the Sarbanes-Oxley Act, was signed into law on July 30th, 2002. The law addresses governance standards and financial oversight in publicly traded companies. It does not specifically regulate these issues in the nonprofit arena with two notable exceptions: the document destruction provisions and the whistle-blower protections. However, many commentators have recommended that nonprofit organizations voluntarily adopt some of the governance standards set forth in the Act, both to indicate to the public that nonprofits are willing to hold themselves to the same standards as for-profit corporations, and to stave off further regulation by state governments, some of which are considering legislation that incorporates portions of Sarbanes-Oxley for nonprofit organizations.

Board Source and Independent Sector published an excellent review of the Sarbanes-Oxley Act as it relates to nonprofits¹, and have made a number of suggestions as to how a nonprofit organization can voluntarily comply with Sarbanes-Oxley. Using the Board Source-Independent Sector article as a blueprint, this paper makes recommendations as to which policies and procedures a nonprofit should review to determine if it meets the Sarbanes-Oxley standards. If your organization falls short of meeting these standards, actions you can take and sample policies are set forth to help you comply with the Act.

1. The Sarbanes-Oxley Act and Implications for Nonprofit Organizations, a publication of Board Source and Independent Sector located on the internet at www.boardsource.org or www.IndependentSector.org.

A. Independent and Competent Audit Committee

The Sarbanes-Oxley Act requires a corporation to establish an audit committee. The audit committee is responsible for hiring and compensating the auditor and overseeing the audit activities. It also establishes the policies and procedures for complaints regarding internal controls and accounting procedures.

The Act provides that all members of the audit committee be members of the Board of Directors. Moreover, members of the Audit Committee must be independent, i.e. not part of the management team, and cannot receive any compensation from the organization as a consultant for the organization. In addition to its independence, the audit committee is expected to have at least one financial expert, a term which has not yet been defined, and to function as a separate entity from the finance committee. The CFO is allowed to provide staff support to the committee but should not serve as a member of the committee.

Your organization may have an audit committee or a finance committee that has, among its responsibilities, review of the organization’s annual audit. While your organization’s committee may well have a member or members who have financial acumen, you may not have a written policy regarding this issue. If you have a well-written conflict of interest policy, your audit committee members should be signing a conflict of interest statement every year that will reveal any potential conflicts. If a finance or audit committee member has a conflict of interest, he or she should be removed from the committee, in accordance with your written conflict of interest policy.

The Sarbanes-Oxley Act also requires that audit committee members have the ability to understand financial statements, to evaluate bids to choose an auditor, and to make sound financial decisions. It is suggested that an organization consider financial literacy training for new Board members to ensure that all Board members understand the financial reports presented to the Board. This is a topic that could be included in an organization’s Board orientation for all new Board members with a refresher course delivered at budget time.

Recommendation: Smaller nonprofit organizations typically do not have the resources to establish an audit committee separate and apart from a finance committee. Whether or not to establish a separate audit committee is for the Board to decide. A nonprofit organization should establish a written policy describing the Audit Committee responsibilities and membership criteria. The policy should also indicate that no Board member may serve on the finance committee if he/she has any financial interest in the nonprofit organization, and that, at the least, some members of this committee must have financial acumen. In addition, a nonprofit should establish financial literacy training as part of its Board orientation, if it is not already doing so. See Sample Policy A.

B. Responsibilities of Auditors

The Sarbanes-Oxley Act requires the lead and reviewing partner in an audit firm to rotate off the audit every five years. This does not mean that the organization has to change audit firms, but that is the simplest way to comply with this directive. Moreover, the organization’s audit firm is not allowed to provide non-audit services to the organization while the audit company is serving as auditor, with a few exceptions (tax preparation (Form 990) and non-audit services if the value of the services is less than 5% of the total paid for auditing services).

The Sarbanes-Oxley Act mandates audit firms to report all “critical accounting policies and practices” that are used by the organization, discuss those policies and practices with management, and represent the preferred way that management wants to conduct business under these policies and practices. “Critical accounting policies and procedures” includes methods, assumptions, and judgments underlying the preparation of financial statements according to generally accepted accounting principles.

Check to see how often your nonprofit organization rebids its audit business and how many different audit firms have been used by the organization since its inception. Make sure that your auditors are reporting your organization’s critical accounting policies and procedures. Confirm that your nonprofit does not use its auditing firm to provide non-audit services unless an exception to this prohibition applies.

Recommendation: Put in place a written policy requiring the organization to rebid its audit services at least every five years and make sure that the auditors report critical accounting policies and procedures in their Board presentations. If the audit firm presently used by the organization is the successful bidder, then establish in the policy that the lead partner on the audit must change. Address the provision of non-audit services in this policy, forbidding such a practice except as allowed in Sarbanes-Oxley. See Sample Policy B.

C. Certified Financial Statements

Under Sarbanes-Oxley, the chief executive officer and the chief financial officer must certify the financial statements of the corporation. Their signatures represent that the statements are appropriate and fairly represent the financial condition and operations of the company. In addition, the CEO, CFO, controller, and chief accounting officer cannot have worked for the organization’s auditing firm for at least one year preceding the audit.

In the nonprofit world the signatures of the CEO and the CFO on the organization’s financial statements do not carry the weight of the law. However, their signatures indicate to the outside world, the CEO in particular, that it is important to understand the nonprofit’s financial condition. In a nonprofit organization, the audit firm typically signs the certified financial statement. The CEO and CFO should sign the 990 Form.

The Board Source article opines that movement of accountants into nonprofit organization clients does not present the problem faced by the corporate world. Nor would such hiring practices present the problems encountered in the for-profit world, as nonprofits cannot offer lucrative stock options.

Recommendation: Make sure that both the CEO and CFO sign the 990 Forms. Conform with the one-year off requirement before a former employee of your auditor becomes employed by your organization.

D. Insider Transactions and Conflicts of Interest

This is an area within nonprofits that is already well controlled through regulations addressing private inurement, excessive personal benefit, and self-dealing, all of which carry considerable penalties. The Sarbanes-Oxley Act specifically prohibits providing private loans to insiders. While this is not a common practice in the nonprofit sector, when it happens, it can cause problems because of the perception of conflict of interest or because the loan was not properly documented as a part of executive compensation. The Board Source article recommends that such loans be prohibited, and if provided, that they be well documented and approved only after disclosure under a conflict of interest policy.

You should check to see if your nonprofit has a policy regarding loans to officers and directors.

Recommendation: Put in place a written policy prohibiting loans to officers and directors. See Sample Policies D on Insider Loans and Conflict of Interest.

E. Disclosure

The Sarbanes-Oxley Act requires corporations to make various financial disclosures, including information on internal controls, corrections to past financial statements, and material off-balance sheet transactions (adjustments). Companies must also disclose material changes in the operations or financial situation of the company. The article recommends that nonprofits disclose an accurate picture of their financial condition, which most presently do through 990s, as required by law. The article also recommends making the audited financial statements available to the public.

Recommendation: Make your organization’s audited financial statements and 990 forms available to the public. In addition to making hard copies available, post this information on your website. See Sample Policy E.

F. Whistle-Blower Protection

The Sarbanes-Oxley Act protects whistleblowers who report suspected illegal activity in an organization. The Act also prohibits the organization from punishing the whistleblower in any manner. The article recommends putting procedures into place that allow for confidential, anonymous reporting of such activity, and that clearly state that no retaliation will take place against anyone who reports such activity.

Make sure that your organization has both a financial impropriety policy and a grievance policy. The financial impropriety policy should allow for the reporting of misconduct on an anonymous basis.

Recommendation: Adopt a financial impropriety policy that includes a provision allowing for the anonymous reporting of illegal activity. Adopt a grievance policy that allows for the reporting of other types of activities. See Sample Policies F on Reporting of Financial Improprieties and Grievance Policy.


G. Document Destruction

The Sarbanes-Oxley Act makes it a crime to destroy, alter, cover up, or falsify a document to prevent its use in an official proceeding. Accordingly, intentional document destruction must be monitored, carefully administered, and justified. The article recommends putting into place a policy concerning retention and destruction of documents that also addresses how to handle electronic files and voicemail. The policy should also cover back-up procedures, archiving of documents, and regular checkups of the reliability of the system.

Recommendation: Put in place a written policy outlining your organization’s document destruction and retention schedules. See separate section regarding Document Retention.


A. Sample Policy Describing Audit Committee (or Finance Committee) Membership and Responsibilities

The Audit Committee (“Committee”) shall consist of members of the Board of Directors of the Nonprofit Organization. No staff members or outside financial advisors may sit on this Committee or vote on any matter before the Committee. At least one member of the Committee shall have financial acumen sufficient to understand the financial and budget reports that the Committee is charged with preparing, reviewing and/or commenting upon.

Among its duties, the Audit Committee is responsible for hiring and compensating the auditor, and overseeing the audit activities. Members of the Audit Committee must be able to understand financial statements, evaluate competing audit firm bids, and make sound financial decisions. (List the committee’s other activities in this paragraph)

Members of the Audit Committee cannot receive any compensation from the organization as a consultant to the organization. All members of the Audit Committee must sign a conflict of interest form revealing any potential personal or financial interest the Committee member may have regarding the organization (a sample form is contained under the conflict of interest policy). Members of this Committee must attend a mandatory financial literacy training upon becoming a member of this Committee.

NOTE: This provision can be inserted in your Bylaws description of your finance or audit committee, or it can be set forth in a separate Board policy notebook.

FURTHER NOTE: An audit is required to participate in the Combined Federal Campaign if the organization has revenues of over $100,000, by Maryland law if the organization brings in over $200,000 in a fiscal year, and if the organization receives federal funds and has combined revenues of over $500,000. An audit may also be required of organizations with lower revenues in accordance with a grant contract or agreement.

B. Sample Policy on Audit Responsibilities

The Nonprofit Organization shall ensure that its audit services are rebid at least every five years. If the Nonprofit Organization’s auditors who are presently performing its audit are the successful bidders, then the Organization shall require the audit company to change its lead partner for the performance of the Organization’s audit.


Any audit conducted on behalf of the Organization must include a narration of the Organization’s critical accounting policies and procedures in their report to the Board, which will address the methods, assumptions, and judgments underlying the preparation of the financial statements according to generally accepted accounting principles. No audit firm may be hired for the provision of nonaudit services, unless those services involve tax preparation such as preparation of the 990 Form, or the value of the nonaudit services is less than 5% of the total paid for the auditing services. The Audit Committee has primary oversight of compliance with this provision. The CFO shall aid the Committee in ensuring compliance.

D. Sample Policies on Insider Transactions and Conflicts of Interest

Loans To Officers and Directors of the Organization

Loans of any type to an officer or director of the Nonprofit Organization are prohibited unless exceptional circumstances exist. If such a loan is made, it must be properly revealed and documented as set forth in the Conflict of Interest policy. Any such loan must be approved by the full Board and the terms fully documented in the minutes of the Board meeting in which such approval was sought.

NOTE: You can also simply prohibit all such loans with no exceptions. You should still adopt a conflict of interest policy even if you do prohibit such loans.

Conflict of Interest Policy

This policy applies to board members, staff and certain volunteers of the Nonprofit Organization. A volunteer is covered under this policy if that person has been granted significant independent decision making authority with respect to financial or other resources of the organization. Persons covered under this policy are hereinafter referred to as “interested parties.”

Determining a Conflict of Interest

A conflict of interest may exist when the interests or concerns of an interested party may be seen as competing with the interests or concerns of the organization. There are a variety of situations that raise conflict of interest concerns including, but not limited to, the following:

Financial Interests - A conflict may exist where an interested party or a relative or business associate of an interested party directly or indirectly benefits or profits as a result of a decision or transaction entered into by the organization. Examples include situations where:

• the organization contracts to purchase or lease goods, services, or property from an interested party or a relative or business associate of an interested party;

• the organization purchases an ownership interest in or invests in a business entity owned by an interested party or by a relative or business associate of an interested party;

• the organization offers employment to an interested party or a relative or business associate of an interested party, other than a person who is already employed by the organization;

• an interested party or a relative or business associate of an interested party is provided with a gift, gratuity, or favor of a substantial nature from a person or entity which does business or seeks to do business with the organization;

• an interested party or a relative or business associate of an interested party is gratuitously provided use of the facilities, property, or services of the organization.

[ADD ADDITIONAL EXAMPLES, IF ANY]

Other Interests - A conflict may also exist where an interested party or a relative or business associate of an interested party obtains a non-financial benefit or advantage that he/she would not have obtained absent his/her relationship with the organization, or where his/her duty or responsibility owed to the organization conflicts with a duty or responsibility owed to another organization. Examples include:

• an interested party seeks to obtain preferential treatment by the organization for her/himself, a relative, or business associate;

• an interested party seeks to make use of confidential information obtained from the organization for her/his own benefit or for the benefit of a relative, business associate, or other organization; or

• an interested party seeks to take advantage of an opportunity or enables a relative, business associate or other organization to take advantage of an opportunity which s/he has reason to believe would be of interest to the organization.

[ADD ADDITIONAL EXAMPLES IF ANY]


Disclosure of Actual or Potential Conflicts of Interest

An interested party is under a continuing obligation to disclose any actual or potential conflict of interest as soon as it is known or reasonably should be known.

An interested party shall complete a questionnaire, in the form attached hereto as Appendix A, to fully and completely disclose the material facts about any actual or potential conflicts of interest. The disclosure statement shall be completed upon his/her association with the organization, and shall be updated annually thereafter. An additional disclosure statement shall be filed at such time as an actual or potential conflict arises.

For board members, the disclosure statements shall be provided to the President (Chairman) of the Board. The President’s (Chairman’s) disclosure statement shall be provided to the Secretary of the Board. Copies shall also be provided to the Chief Executive Officer of the organization.

In the case of staff or volunteers with significant decision-making authority, the disclosure statements shall be provided to the Chief Executive Officer of the organization. The Chief Executive Officer’s disclosure statement shall be provided to the President (Chairman) of the board.

The Secretary of the Board shall file copies of all disclosure statements with the official corporate records of the organization.

Whenever there is reason to believe that an actual or potential conflict of interest exists between the Nonprofit Organization and an interested party, the board of directors shall determine the appropriate organizational response. This shall include, but not necessarily be limited to, invoking the procedures described in Section IV, below, with respect to a specific proposed action or transaction.

Procedures for Addressing Conflicts of Interest - Specific Transactions

Where an actual or potential conflict exists between the interests of the Nonprofit Organization and an interested party with respect to a specific proposed action or transaction, the Nonprofit Organization shall refrain from the proposed action or transaction until such time as the proposed action or transaction has been approved by the disinterested members of the board of directors of the organization. The following procedures shall apply:

• An interested party who has an actual or potential conflict of interest with respect to a proposed action or transaction of the corporation shall not participate in any way in, or be present during, the deliberations and decision making of the organization with respect to such action or transaction. The interested party may, upon request, be available to answer questions or provide material factual information about the proposed action or transaction.

• The disinterested members of the board of directors may approve the proposed action or transaction upon finding that it is in the best interests of the corporation. The board shall consider whether the terms of the proposed transaction are fair and reasonable to the organization and whether it would be possible, with reasonable effort, to find a more advantageous arrangement with an entity that is not an interested party.

• Approval by the disinterested members of the board of directors shall be by vote of a majority of directors in attendance at a meeting at which a quorum is present. An interested party shall not be counted for purposes of determining whether a quorum is present, or for purposes of determining what constitutes a majority vote of directors in attendance.

• The minutes of the meeting shall reflect that the conflict disclosure was made, the vote taken and, where applicable, the abstention from voting and participation by the interested party.

Violations of Conflict of Interest Policy

If the board of directors has reason to believe that an interested party has failed to disclose an actual or potential conflict of interest, it shall inform the person of the basis for such belief and take the appropriate action.

Nonprofit Organizations, Inc. Conflict of Interest Policy

Annual Affirmation of Compliance and Disclosure Statement

I have received and carefully read the Conflict of Interest Policy for board members, staff, and volunteers of Nonprofit Organization, Inc. and have considered not only the literal expression of the policy, but also its intent. By signing this affirmation of compliance, I hereby affirm that I understand and agree to comply with the Conflict of Interest Policy. I further understand that Nonprofit Organization, Inc. is a charitable organization and that in order to maintain its federal tax exemption it must engage primarily in activities that accomplish one or more of its tax-exempt purposes.

Except as otherwise indicated in the Disclosure Statement and any attachments, I hereby state that I do not, to the best of my knowledge, have any conflict of interest that may be seen as competing with the interests of Nonprofit Organization, Inc., nor does any relative or business associate of mine have such an actual or potential conflict of interest.

If any situation should arise in the future which I think may involve me in a conflict of interest, I will promptly and fully disclose the circumstances to the President (Chairman) of the board of Directors of Nonprofit Organization, Inc., or to the Chief Executive Officer, as applicable.

I further certify that the information set forth in the Disclosure Statement and any attachments is true and correct to the best of my knowledge, information, and belief.

_______________________________
Name (Please print)

__________________________________    ______________________________
Signature                             Date

Disclosure Statement

Please complete the questionnaire below indicating any actual or potential conflicts of interest. In answering these questions, please refer to any current relationship or transaction, or any which have taken place in the last twelve months. If you answer “yes” to any of the questions, please provide a written description of the details of the specific action or transaction in the space allowed. Attach additional sheets as needed.

Financial Interests - A conflict may exist where an interested party, or a relative or business associate of an interested party, directly or indirectly benefits or profits as a result of a decision made or transaction entered into by the organization.

Has the organization contracted to purchase or lease goods, services, or property from you or from any of your relatives or business associates? If yes, please describe:

Has the organization purchased an ownership interest in or invested in a business entity owned by you or owned by any of your relatives or business associates? If yes, please describe:

Has the organization offered employment to you or to any of your relatives or business associates other than a person who was already employed by the organization? If yes, please describe:

Have you or have any of your relatives or business associates been provided with a gift, gratuity, or favor of a substantial nature from a person or entity which does business or seeks to do business with the organization? If yes, please describe:

Have you or any of your relatives or business associates been gratuitously provided use of the facilities, property, or services of the organization? If yes, please describe:

[add additional examples, if any]

Other Interests - A conflict may also exist where an interested party or a relative or business associate of an interested party obtains a non-financial benefit or advantage that s/he would not have obtained absent his/her relationship with the organization, or where his/her duty or responsibility owed to the organization conflicts with a duty or responsibility owed to some other organization.

Did you obtain preferential treatment by the organization for yourself or for any of your relatives or business associates? If yes, please describe:

Did you make use of confidential information obtained from the organization for your own benefit or for the benefit of a relative, business associate, or other organization? If yes, please describe:

Did you take advantage of an opportunity, or enable a relative, business associate or other organization to take advantage of an opportunity, which you had reason to believe would be of interest to the organization? If yes, please describe:

[ADD ADDITIONAL EXAMPLES IF ANY]


E. Sample Policy on Disclosure

It shall be the policy of this Nonprofit Organization to make its audited financial statements and Form 990 available to the public for inspection. Following preparation and filing of the same, these documents shall be posted on the Nonprofit Organization’s website.

F. Sample Policy on Confidential Reporting of Financial Impropriety or Misuse of Organization’s Resources

Reporting of Organizational Improprieties or Misuse of Resources

Any member of the staff, member of the board of directors, or volunteer affiliated with the Organization who has information about known or suspected financial improprieties or misuse of the organization’s resources, or other ethical problems, is encouraged to report their concerns to (the organization Treasurer, the person designated as the Ethics Hotline volunteer for the year -- recently retired board member, recently retired ombudsman from a related industry) who will then ask the (President, Executive Director) of the Organization to investigate. In the event that the allegations involve the (President, Executive Director), the ethics director, with the assistance of the (Executive Director, President), will investigate the reported misconduct.

The person reporting may choose to do so anonymously via mail or through other means of communication that protects the individual’s identity. All efforts will be made to protect the confidentiality of those who report financial improprieties and choose not to do so anonymously. However, in certain situations, legal requirements make it impossible to keep the individual’s identity confidential.

In accordance with the Sarbanes-Oxley Act, no retaliatory organizational action will be taken against those who report truthful information, even if the person incorrectly believes that a violation has occurred, about the commission or possible commission of any federal offense to a “law enforcement officer.” The phrase “law enforcement officer” is defined by the Sarbanes-Oxley Act as including any “officer or employee of the Federal Government . . . authorized under law to engage in or supervise the prevention, detection, investigation, or prosecution of an offense.”

Grievance Procedures

Whenever a number of people work together, personal problems or differences will occasionally arise. Normally, these concerns can be resolved informally within each department. The first step toward a solution of a problem is a frank and early discussion with your immediate supervisor. You and your supervisors may also call upon the Human Resources Department for counsel and assistance.


In exceptional cases, a need may arise for a more formal approach to the problem. In such a case, you may file a written grievance with the Director of Human Resources, who will notify the Senior Management Team of the grievance, or with a member of the Senior Management Team directly. If the grievance involves the director of human resources, you may file the grievance directly with a member of the Senior Management Team. You or your supervisor must also distribute copies of the written grievance to the party who caused the grievance and that party’s supervisors. The director of human resources, with the assistance of the deputy director, will investigate the grievance. The director of human resources will inform you of the resolution, both verbally and in writing, as promptly as possible, unless exceptional circumstances delay the consideration or investigation of the grievance. If the grievance involves a member of the Senior Management Team, the employee may file his or her written grievance directly with the president (or chairman) of the Board of Directors. The Board will determine the method it will use to resolve the grievance and will make every effort to do so in a timely manner.

Note: It is important to the process that you investigate and conclude an employee grievance in as timely a manner as possible.


G. Retaining And Destroying Documents

There are many reasons for retaining and destroying the documents an organization creates. A thoughtful and well-written document retention policy that is tailored to the documents you maintain in your organization will go a long way to achieving your document retention goals and ensuring that your organization is in full legal compliance with retention laws. The most important reasons for maintaining and destroying documents in a systematic manner are: 1) numerous laws and regulations require corporations to retain certain documents for specified periods of time; 2) in the event your organization is involved in a legal claim, the maintenance and orderly destruction of documents can both bolster your position and prevent a successful claim of spoliation (illegal destruction) of documents; and 3) your documents build the basis upon which to create an accurate financial picture for auditors, funders, governmental bodies, and your Board of Directors.

Regulations and Laws

Record retention is governed by many laws and regulations, including:

• IRS Regulations;
• Labor and Employment laws;
• State and federal environmental statutes;
• Criminal statutes prohibiting obstruction;
• Sarbanes-Oxley Act of 2002 and related SEC regulations requiring auditors to maintain workpapers and other audit records for 7 years from the conclusion of the audit;
• Contract and grant requirements that oftentimes require a recipient or contractee to maintain grant-related or contract-related documents for up to three years after the completion of the contract or closeout of the grant;
• Statutes of Limitations that indirectly create document retention obligations by making certain documents relevant to potential claims until the period has passed in which suit can be filed; and
• Codes of ethics, professional rules, and industry-specific statutes that impose unique document retention requirements.

It is simply impossible to list every statute and regulation that addresses the retention of documents. Accordingly, the attached schedule highlights the major laws in existence and notes retention periods set forth by those laws or recommends longer retention periods where it might be easier to adopt a uniform retention period for like documents, such as all potential hire documents. Not all documents are subject to regulatory retention periods. Where no regulations exist, most commentators suggest basing the retention period on the relevant Statute of Limitations. The Statute of Limitations is the period of time a person or entity has to file a claim or lawsuit starting from the date that the potential action was discovered or should have been discovered. Maryland follows a three-year Statute of Limitations for most causes of action. The Maryland Statute of Limitations for a breach of contract is four years.

Most legal claims filed against nonprofit organizations are employment-related (as high as 85% of all claims). Thus, it is particularly important to pay attention to retaining employment-related documents. To file a claim with the Equal Opportunity Commission, a plaintiff must do so within 180 days, or 300 days if the state in which the filing is taking place has an anti-discrimination statute covering the same claims. Maryland has such a statute, Article 49B of the Maryland Code. Accordingly, a claimant in Maryland generally has 300 days from the date of the discriminatory action in which to file suit. In addition, some employment-related claims may be based on common law causes of action, which can be filed up to three years after the adverse employment action took place.

Legal Claims and Spoliation

An organization must also keep documents in the event of future litigation to prove or disprove various facts. The common law doctrine of spoliation prohibits the improper destruction of evidence if a suit or claim is pending or reasonably foreseeable. Improper destruction of relevant documents can lead to severe sanctions, including hefty fines and/or an instruction from the judge that the point the other side hoped to prove from the destroyed documents is now assumed to be true. Keep in mind that under the Federal Rules of Evidence, digital documents are treated the same as paper copies. Thus, your document retention policy should treat the preservation of computerized records, voice recordings and e-mail as it would paper copies.

Maintaining Financial Documents

Many laws and regulations regarding record-keeping apply to financial documents. In addition, nonprofit corporations whose annual gross receipts are $25,000 or more must file Form 990 with the IRS every year, describing their receipts and expenditures.
If a 501(c)(3) is unable to produce the documents that support the sources reported on the 990, the organization could lose its tax-exemption or be subject to penalties. These records must also be available for inspection in the event that the IRS conducts an audit and are used to monitor programs and prepare financial statements for funders, as well. Under the recently enacted Sarbanes-Oxley Act, auditors must maintain all workpapers and audit records related to any audit report for a period of seven years. While this provision applies only to auditors, nonprofits would be wise to adopt similar standards for their organization, particularly if the organization is not professionally audited.


Safe Communication

One often overlooked but critical aspect of document retention is the importance of training your employees about safe communication. Train your employees to choose their words carefully when discussing sensitive matters in writing. Explain to employees how easily their “private” communications can become public documents during the litigation process. Establish protocols for the dissemination of certain types of communication. Stress to your employees the importance of writing truthful, informative documents in a manner that will not jeopardize your organization unnecessarily in litigation. Review the major principles of safe communication with your employees:

1) Use alternatives to writing things down when possible;
2) Assume that anything written must be turned over to the other side in the event of litigation;
3) Ensure that all written communication is accurate and sensitive subjects are dealt with carefully;
4) Understand, and make sure that your employees understand, that if there is a way to misconstrue a written communication in a negative way against the organization, your adversary will do so;
5) Do not comment in writing about potential liability or litigation; and,
6) Address “bad” documents through investigation or written responses - don’t try to cover up or destroy the communication.

Encourage employees to destroy drafts of documents. Such documents rarely serve any organizational purpose after the final document has been created and may contain troublesome comments or alternate ideas that were properly addressed during the creation process and are contained in the final document. For example, a draft document that points out all the risks of a new program may later be addressed in the final program document or may have even been addressed before the author wrote the draft document. Moreover, the program group could decide to completely dispose of those portions of the potential program that posed the risk.

For the same reason, make sure that employees destroy personal notes after they are no longer needed. Notes can also contain items that were later addressed or discarded but can easily be misconstrued when in someone else’s hands. Ordinarily, such notes should be destroyed after the project is completed. Keep in mind, however, that some notes must be retained, such as those taken by a corporate secretary and those that may give rise to a negative inference at trial if destroyed.

Creating a Document Retention Policy

Now that you have informed yourselves about the need for a document retention policy, and the importance of creating a policy that is crafted for your organization, it is time to write the actual policy. In order to ensure that your document policy is appropriate for your organization, you must involve managers, administrative staff and others who often create and/or save and file documents, as well as your auditors. You cannot create an effective document retention program without input from these individuals. You must review the records generally retained by members of your staff and find out how those documents are usually maintained, destroyed or stored. If necessary, you may need to buy a shredder to aid in document destruction and find storage space for those documents that must be retained. You must also clearly identify the individuals who will be in charge of enforcing your policy to ensure that it is properly executed.

Finally, be mindful of the fact that the document retention policy following this introduction is written for a general audience. Your organization may be subject to regulatory retention requirements that are beyond the scope of this general policy. For example, government contractors, medical providers, and financial institutions are subject to a myriad of specific record retention requirements that are not addressed in this policy. Do your homework before adopting a document retention policy and make sure that the documents relevant to your organization are addressed in your organization’s policy.


DOCUMENT RETENTION POLICY

The purpose of this policy is to provide a system for complying with document retention laws, ensure that the organization retains valuable documents, save money, time and space, protect the organization against allegations of selective document destruction, and provide for routine destruction of nonbusiness, superfluous, and outdated documents. Documents that should be retained and the period of retention are listed below. In general, documents that are not subject to a retention requirement should be kept only long enough to accomplish the task for which they were generated.

The (Name of Position) is in charge of making sure that the appropriate department head or manager is complying with the document retention schedule. On January 15th of each year (or six months after the end of the fiscal year, or at the start of each fiscal year) each responsible department head or manager will submit to (Name of Position) a list of the documents that have been sent to storage or destroyed. The list will identify the documents with enough specificity that one outside the department could determine which documents were stored or destroyed. Lists of documents stored or destroyed will be kept by (Name of Position).

Our organization has a legal duty to retain relevant documents which it knows or believes may be relevant to any legal action. Such documents also include those that could lead to discovery of admissible evidence. Accordingly, all document destruction is automatically suspended when a lawsuit, claim, or government investigation is pending, threatened or reasonably foreseeable. In such a case, paper document destruction, as well as electronic destruction, must cease immediately. In the case of electronic destruction, the system administrator is responsible for ensuring that any automatic destruction program is disabled and reviewing all electronic systems that contain documents potentially relevant to the litigation or claim.
All documents, including electronic documents, that are no longer relevant to the organization’s business, should be destroyed every 60 days. Do not retain drafts of any documents that have been finalized. Personal notes should not be kept after they are no longer needed. In accordance with the Nonprofit Organization’s policy, the following documents must be retained or destroyed as set forth in the schedule below. Please review the schedule and any applicable documents in your possession on an annual basis to ensure compliance with this schedule. Your supervisor will direct the deposit or filing of all documents that must be retained, as well as the destruction of documents that must be purged.


NOTE: Neither this policy nor the accompanying schedule sets forth the means of storing documents during the retention period or the means of destroying documents at the end of the retention period. You must consider how best to accomplish this task for your organization, whether to store information on paper, disks, microfilm, etc. and whether to store on-site or off-site. After the retention period has ended, you should consider how best to rid the organization of the documents, for example whether to order the documents shredded, reduced to pulp, recycled, or sent to the dump. Some nonprofit organizations save time and money by having a shredding company come to the organization every two weeks and shred documents for them on a high speed shredder. These are important decisions that every organization will have to make in crafting your document retention policy and which should be contained in your written policy.

A quick guide to abbreviations:

• ADA – Americans with Disabilities Act
• ADEA – Age Discrimination in Employment Act
• DLLR – Department of Labor, Licensing, and Regulation
• EEO – Equal Employment Opportunity
• ERISA – Employee Retirement Income Security Act
• FICA – Federal Insurance Contributions Act
• FLSA – Fair Labor Standards Act
• FMLA – Family Medical Leave Act
• FUTA – Federal Unemployment Tax Act
• MOSH – Maryland Occupational Safety and Health
• OFCCP – Office of Federal Contract Compliance Programs
• OSHA – Occupational Safety and Health Administration


NOTE: How long should you keep the documents listed below? In the nonprofit world, the answer is less clear than in the for-profit sector, as most of the document retention statutes are directed at profit-making corporations or those that issue securities. As a general rule, you should keep the below listed documents until the statute of limitations has expired on the item of income or deduction for that particular return. For most purposes, the minimum limitations period is three years after the date the return is due or filed, whichever is later, as that is when the limitations period generally runs for an IRS audit. However, in light of the Sarbanes-Oxley Act that requires auditors to keep audit records for 7 years following a final audit report, it may be prudent to keep most financial documents for 7 years. Remember, many of the same records listed below will also be used to monitor programs and prepare statements for funders. Accordingly, you should check your grant applications, awards and contracts to determine if reporting requirements and subsequent document retention periods are set forth in those documents.

| FINANCIAL DOCUMENTS | MINIMUM RETENTION REQUIREMENT |
| --- | --- |
| Accounts Payable Ledgers and Schedules | 5 years |
| Audit Reports | 7 years (many organizations keep these records permanently). |
| Bank Reconciliations and Statements | 5 years and/or until all federal and state audit requirements have been met. |
| Checks (for important payments and purchases) | 5 years or 4 years after item purchased is no longer owned. |
| Correspondence – customers/vendors | Depends on issue in correspondence and whether there is a contract; if potential litigation - 3 years until threat of litigation has passed; if contract claim is possible, 4 years or until potential claim has dissipated. |
| Depreciation Schedules | While active + 3 years |
| Expenses and Purchases - Documentation can include: cash register tapes, account statements, canceled checks, invoices, credit card sales slips. Separate deductible expenses in the event organization pays unrelated business income tax. | 5 years |
| Gross Receipts - amounts received from all sources. Documents that support gross receipts include: cash register tapes, bank deposit slips, receipt books, invoices, credit card charge slips, and Form 1099-MISC | 5 years |
| Year-end financial statements | If Audit Report is generated by organization - 7 years; if no audit is conducted and year-end financial report is used in place of audit – permanently. |


NOTE: A former employee in Maryland generally has 300 days to file an EEO claim. Employees under contract may have up to four years to file a claim. Other types of employment claims, for example defamation, intentional infliction of emotional distress, and wrongful discharge are subject to a three-year statute of limitations. If the statute governing the record specifies no time limit, then you can usually apply the Uniform Preservation of Private Business Records, which specifies a three-year time limit for preserving documents. The Office of Federal Contract Compliance Programs (OFCCP) requires federal contractors to preserve most employment records for 2 years. To make things easier for the document retainers, you may want to adopt a uniform guideline that will work for almost all employment documents, such as four years, with exceptions for longer periods of time.

| HUMAN RESOURCE DOCUMENTS | MINIMUM RETENTION REQUIREMENT |
| --- | --- |
| Affirmative Action Plan and Related Information | 5 years from date of Plan Year - Maryland law. |
| Age Discrimination in Employment Act | Records relating to discrimination charges - Until final disposition of the charge. |
| Applications for Employment and Résumés - For those who were not hired | Age Discrimination in Employment Act (ADEA), Title VII and ADA - 1 year from date of submission; OFCCP large contractor and schools - 2 years; driving records are regarded as hiring records and should be kept for same period of time. |
| Unsolicited Applications for Employment | Answer is unclear; recommend same as above; online submissions of resumes may be discounted but no definitive ruling in this area. |
| EEO Claims | While active, plus three years. |
| EEO Reports | As long as current. If an OFCCP contractor - 1 year. If OFCCP contractor with more than 150 employees and $150,000 in contracts, then must keep for 2 years. |
| Employee Benefit Plans | Records relating to ADEA - 1 year after termination of plan. Records relating to payment of premiums while on FMLA leave - 3 years after final payment was made for premiums. Records relating to data mentioned in the Summary Plan Description - 6 years after data and description were published to employees. |
| ERISA Records relating to Welfare and Pension Benefits | 6 years. |
| Employment Tax Records and Returns | 4 years after the date the tax becomes due or is paid. |
| Employment Documents Relevant to Discrimination or other Statutory Claims | Title VII - The Act itself only requires the employer to keep records until final disposition of the charge; recommend that records be kept at least 1 year after charge is resolved. |
| Employment Turn-downs (Rejection Letters) | 1 year after letter is sent. |
| FMLA Leave Documents | 3 years after end of leave period. |
| I-9s | 3 years from date of hire or 1 year after termination, whichever is later. Many experts recommend keeping these forms separate from the employee’s personnel file, but such action is not required by law. |
| Interview Information and Reference Checking Notes | 1 year after job is filled under ADA, ADEA, and Title VII; References - 1 year after record is made. |
| Job Advertisements and Job Requests Made to Agencies | 1 year after placement of advertisement or request for an employee - ADEA. |
| Job Descriptions | 2 years after record is made under Equal Pay Act. |
| OSHA and MOSH Logs | 5 years for OSHA Form 200, 300 and 301 and OSHA or MOSH (Maryland Occupational Safety and Health) 101; legally required medical exams and toxic exposure records for duration of the individual’s employment, plus 30 years. |
| Personal Medical Information. Make sure that no medically related information is in an employee’s personnel file; all such information should be kept in a separate file. | 1 year after termination; OSHA Records - See above. Medical Certifications: 3 years after certification is obtained. Medical information includes all medical records, physical examinations, workers comp claims, drug and alcohol testing, medical forms requesting health information for insurance purposes. |
| Payroll Records and Summaries | 3 years from the last date of entry. 4 years for FICA-related information. 4 years for FUTA-related information. |
| Personnel Files (terminated employees) - Should include employment application, discipline reports, evaluations, salary history, etc. | 7 years, though experts differ on the time period for these records as there is no specific law regulating retention periods for most of the documents kept in personnel files; some recommend as few as 4 years after employee terminates; ADEA, ADA, FLSA and FMLA require 3 years for basic employment info. |
| Policies, Guidelines and Employee Handbooks | For as long as they are current and at least 3 years after they are outdated. |
| Recruiting Information - Advertisements, Job Postings, interview information, Applications for Employment when not hired. | 1 year after record is made. |
| Retirement and Pension Records | During the time the Plan is active plus 6 years after discontinuance of the Plan. Other experts recommend keeping such documents permanently. |
| Timesheets | 3 years from last date of entry. Other experts recommend keeping for 7 years. |
| Unemployment Insurance Documents - DLLR Forms, Quarterly Contribution Report and Employment Report | 5 years after return is filed (Maryland law). |

| MISCELLANEOUS DOCUMENTS | MINIMUM RETENTION REQUIREMENT |
| --- | --- |
| Contracts | 4 years after contract term has expired. |
| Correspondence – general | 3 years. |
| Correspondence – legal/important | Keep with legal issue file whether lawsuit, insurance claim, etc. then retain according to that retention requirement. |
| Grant applications and Awards | Life of grant, plus 3 years after expiration of grant; grant itself may have separate record-keeping requirements that organization must adhere to. |
| Grant and Contract Reports | Life of grant or contract, plus 3 years after expiration of grant or contract; review grant or contract for any separate record-keeping requirements. |
| Insurance Records, Accident Reports, Claims | Workers Compensation Claims - 10 years after close of matter. Long-term Disability - 10 years after return to work, retirement or death. |
| Insurance Policies (expired) | 3 years if a Claims-Made policy; permanently, if it is an Occurrence policy. |
| Internal Audit Reports | Generally retain most recent 5 years or until resolved + 5 years. |
| Inventories of Products, Materials, Supplies | Generally the most recent two inventories and/or until all audit requirements have been met. |

DOCUMENTS THAT SHOULD BE KEPT PERMANENTLY

• Minute Books
• Charter (Articles of Incorporation)
• Bylaws and all Amendments
• Form 990 and any Schedules filed with the form, Form 990-T Exempt Organization Income Tax Form (if your organization files such a form). Note: this document is subject to the public disclosure regulations for up to 3 years after the due date or the filing date of the return.
• IRS Determination Letter Granting Organization 501(c) Status. Note: this document is subject to the public disclosure regulations.
• 1023 Application for Tax-Exempt Status, all Supporting Documents submitted with the form, and all documents that the IRS requires the organization to submit. Note: these documents are subject to the public disclosure regulations. Older organizations may not have a 1023 Form as this requirement did not come into existence until the late 1960s. If your organization does not have a 1023, you should obtain a letter from the IRS to that effect. If your 1023 is lost, you can obtain another copy from the IRS.
• Trademark Registrations and Copyrights - Life of trademark – there is no legal retention requirement but should keep for the lifetime of the trademark plus applicable statute of limitations (6 years).
• Patents, Related Papers. Life of patent + 6 years.
• Deeds, Mortgages, Notes and Leases.
• Combined Registration Applications.


| Sarbanes Oxley Requirements | Organization’s Current Policies and Procedures | Changes Needed |
| --- | --- | --- |
| Independent and Competent Audit Committee. Recommended that organization establish an audit committee with at least one person with financial acumen. | Describe organization’s current policy or practice. | Create a separate Audit Committee and move the responsibilities of selecting auditor and approving audits to the new committee. Adopt policy incorporating ideas set forth in the attached draft policy. |
| Responsibilities of Auditors. The lead and reviewing partner of the auditing firm needs to rotate off of the audit every five years. Prohibits the auditing firm from providing any non-audit services to the company concurrent with auditing services. | Describe organization’s current policy or practice. | Adopt policy requiring public disclosure of audited financial statements and 990s. See attached draft policy. |
| Certified Financial Statements. Not necessary for CEO and CFO to certify audited financial statements. Recommended that they sign Form 990. | Describe organization’s current policy or practice. | Recommend that CEO and CFO sign Form 990. |
| Insider Transactions and Conflicts of Interest. Recommended that the organization prohibit loans to insiders and have in place a policy and procedures addressing conflict of interest. | Describe organization’s current policy or practice. | Adopt policy prohibiting loans to officers and directors and a policy addressing conflicts of interest. See attached draft policies. |
| Disclosure of financial information. Recommended that organization make audited financial statements and 990 available to the public. | Describe organization’s current policy or practice. Note that the law already requires an organization to make the 990 public. | Adopt policy requiring public disclosure of audited financial statements and 990s. See attached draft policy. |
| Whistle-Blower Protection. Must have policy in place that encourages reporting of financial improprieties with a provision to do so anonymously. | Describe organization’s current policy or practice. | Adopt policy that encourages reporting of such conduct, as well as grievance policy. See attached draft policies. |
| Document Destruction. Must have policy in place that describes organization’s document retention schedule. | Describe organization’s current policy or practice. | Adopt policy setting forth retention schedule that includes retention procedures for electronic and voicemail records. See attached draft policy. |
