The Sarbanes-Oxley Act of 2002: Recommendations

for Higher Education

This report addresses recommendations of the updated to reflect changing wisdom and practice.
National Association of College and University NACUBO is also interested in learning about other
Business Officers (NACUBO) with respect to issues ways that institutions have addressed accountability
raised by the Sarbanes-Oxley Act of 2002 (Act). and governance issues on their campuses. Contact
While the Act does not apply to institutions of information is provided at the end of the report.
higher education or other public or not-for-profit
entities, the concerns it covers are universal. They Executive Summary
are in the forefront of issues many governing board
members deal with in their corporate activities. The Because the business office continually seeks to
recommendations provided in this report address enhance institutional accountability and responsibil-
how institutions might choose to deal with issues ity, certain provisions of the Sarbanes-Oxley Act
such as auditor independence, corporate responsibil- have relevance to higher education. The guidance in
ity, enhanced financial disclosures, accountability, this advisory report is intended to assist presidents,
and certification of financial results. chief financial officers, and trustees with interpreta-
tion of the Act. The guidance focuses on three main
The purpose of this report is to provide emerging areas: independent auditors, senior management, and
best practice guidance for higher education institu- audit committees. NACUBO’s recommendations are
tions, as many colleges and universities are consid- summarized below.
ering the new standards for publicly traded compa-
nies and deciding which aspects to implement. Independent Auditors
NACUBO believes that institutions of higher The board’s audit committee should receive the
education should look at the Sarbanes-Oxley Act as audit engagement letter and take direct respon-
a framework to help evaluate overall financial risks, sibility for appointing, compensating, and over-
and not simply comply with accountability concepts seeing the audit.
that stem from structures, and circumstances that
Institutions should prohibit their independent
differ fundamentally from the stewardship responsi-
auditors from providing nonaudit services
bilities and public obligations they face. The report
barred by the Act. When extenuating circum-
was prepared by NACUBO’s Accounting Principles
stances exist, the board’s audit committee
Council (APC), in consultation with several public
should approve such nonaudit services in ad-
accounting firms and other campus administrators.
vance.
The recommendations are the result of APC research
and collaboration with colleagues during the year The lead audit partner should be rotated every
since passage of the Act. seven years, with a timeout of two years.

NACUBO and the APC will continue to monitor Senior Management

interpretation of the Act and gather feedback from Senior financial managers should adopt a code
higher education administrators, trustees, standard- of ethics and consider methods to ensure com-
setting bodies, and government officials. If neces- pliance.
sary, the guidance in the Advisory Report will be

NACUBO Advisory Report 2003-3 1

 A confidential complaint mechanism should be Several states are considering adopting varia-
made available to employees to communicate tions of the Act and applying it to certain not-
concerns about accounting, auditing, or internal for-profit organizations domiciled in the state.
control processes. Bond rating agencies and directors and officers’
Institutions should consider assessing the need liability insurers may consider governance as-
for disclosures required by section 302 of the pects of the Act in their underwriting and/or
Act. Section 302 requires the chief executive pricing policies.
officer (CEO) and the chief financial officer
(CFO) to assert that the financial statements Colleges and universities that receive federal fund-
have no material misstatements or omissions ing must adhere to new General Accounting Office
and that they have evaluated “disclosure con- standards related to auditor independence. GAO
trols and procedures.” Large decentralized insti- standards for independence are in some cases more
tutions should consider requiring section 302 restrictive than the standards in the Act.
assertions by business unit leaders responsible
for financial results. This report summarizes and discusses relevant
provisions of the Act that apply to the following
Section 404 of the Act addresses internal con-
three groups in higher education:
trols, which are fundamental to sound financial
reporting. A recommended business practice is Independent Auditors
to document and evaluate internal controls over Senior Management
a planned time period. Audit Committees
Audit Committees
A checklist that references all relevant titles and
The board of directors should have an audit sections of the Act, with corresponding recom-
committee or its equivalent. mended best practices for higher education, is also
The audit committee should exercise direct provided beginning on page 6. Knowing the Act is
control over the external auditors. designed for SEC registrants, the summary of
requirements explains in plain language the provi-
Members of the audit committee must be
sions deemed to have the most relevance for col-
independent, and management should not be
leges and universities. The intent is to provide
voting members of the audit committee.
discussion and insight related to the higher education
The audit committee should have a charter that best practice guidance on the checklist.
includes role and authority language.
At least one financial expert should be included Discussion
on the audit committee.
Independent Auditors
Introduction
The Act imposes specific requirements to ensure that
The Sarbanes-Oxley Act of 2002 was enacted as a auditors remain independent. Independent external
formal response to unprecedented corporate and auditors are prohibited from providing any of a
accounting scandals. Its purpose is to protect inves- range of nonaudit services to their audit clients,
tors by improving the accuracy and reliability of including actuarial services, bookkeeping services,
corporate disclosures made pursuant to the securities internal audit outsourcing services, and system
laws. As such, the Act applies officially, or in a legal implementation services. The general theory is that
sense, only to Securities and Exchange Commission external auditors cannot perform management
(SEC) registrants or publicly traded companies. functions or be involved in any activity that they
Although colleges and universities are not subject to might later be required to audit.
the Act’s provisions, it is relevant to institutions of
higher education for the following reasons: The GAO issued new independence standards in
January 2003 that also limit the services that an
Trustees of colleges and universities may expect independent auditor can provide. The GAO uses two
institutions to adopt certain aspects of the Act as “overarching principles”:
best practices.
Auditors should not perform management
functions or make management decisions.

NACUBO Advisory Report 2003-3 2

 Auditors should not audit their own work or Senior Management
provide nonaudit services in situations where
the amounts or services involved are signifi- The Act requires a code of ethics for senior financial
cant/material to the subject matter of the audit. managers. Recently finalized rules from the SEC
require that the code of ethics address:
Higher education institutions that receive federal
funding must follow the GAO government auditing honest and ethical conduct, including the ethical
standards, or their annual A-133 audit reports will handling of actual or apparent conflicts of inter-
not be accepted. GAO standards for independence est between personal and professional relation-
are in some cases more restrictive than the standards ships;
in the Act. full, fair, accurate, timely, and understandable
disclosure in reports that the registrant files with
The Act requires the audit committee to approve the SEC;
audit or nonaudit services before they are rendered. compliance with applicable government laws,
Discussions about the use of external auditors for rules, and regulations;
nonaudit services might include: the prompt reporting of code violations to an
What is management’s rationale for using the appropriate person or persons identified in the
firm? code; and
Is this an exclusive service that other firms accountability for adherence to the code.
cannot provide? The concept of a code of business ethics for higher
Was the work competitively bid? education is not new. In 1993 NACUBO adopted a
Could the work impair the auditor’s ability to code of ethics in recognition of the role that business
provide the external audit? officers play in ensuring high standards of account-
Might an objective third party conclude that the ability for the resources society entrusts to higher
audit firm is not independent? education. A copy of the NACUBO Code of Ethics
is provided at the end of this report.
The Act does not require companies to change audit
firms periodically but recommends significant Careful consideration ought to be given to account-
efforts to preserve the independence of the external ability for adherence to a code of ethics and related
audit firm. The Act also directed the GAO to study enforcement. Institutions should implement a signoff
mandatory rotation of external audit firms, but does by senior leaders acknowledging receipt of the code
mandate rotation of external audit partners (both of ethics. In higher education, the process of
lead and concurring partners). The Act requires enforcement and the level of compliance will likely
rotation after five years, with a five-year timeout vary by institution type (public or independent) and
period during which the former audit partners can complexity (size, number of programs, number of
have no decision-making authority with respect to departments, extent of decentralization, etc.).
the audit.
Institutions are encouraged to inventory and assess
In the nonprofit environment, external audit firms current procedures and policies. Coordination of
have traditionally rotated partners after 10 years. units responsible for administering policies will help
The limited availability of audit firms with meet the challenge of enforcement. For example,
knowledge of higher education, and of experienced conflict of interest policies for researchers and
partners within those firms, could make a five-year general outside teaching/consulting policies may
rotation difficult to implement. In addition, because already exist. If the current inventory of policies and
nonprofit organizations do not typically have the procedures fails to address ethics and/or conflicts of
same frequency or intensity of partner involvement interest, management should consider establishing
as public companies, it is reasonable to consider a policies appropriate for the institution.
longer time period before rotation. Consequently,
NACUBO recommends rotation of the lead partner Once this is accomplished, emphasis should shift to
every seven years, with a two-year timeout provi- documenting compliance procedures. Senior mana-
sion. Institutions of higher education should work gement in the business office should consider how
with their audit firms on the issue of partner rotation other areas enforce policies and should strive for
and document any difficulties.

NACUBO Advisory Report 2003-3 3

consistent enforcement across the institution. Fi- for financial results. If sub-certification is adopted,
nally, the audit committee (or equivalent) of the each business units’ responsibility for financial
board of directors should review the code of ethics reporting should be clearly defined and policies
and the compliance procedures to ensure adequacy. established.

Section 301 of the Act requires the establishment of Perhaps the most far-reaching provision of the Act is
a confidential complaint mechanism for employee a requirement under section 404 that the senior
concerns about accounting, internal control, or officers of a public company certify the adequacy of
auditing matters. NACUBO recommends that the systems of internal control. Further, the man-
institutions publicize the complaint mechanism and agement assertion must be audited and certified by
have it periodically reviewed by the audit commit- the external auditor. Since the Act is not binding on
tee. Institutions could incorporate the new complaint educational institutions, an alternative would be for
mechanism within existing human resource commu- management to provide the assertions and testing
nication policies. Colleges and universities should without the external audit attestation.
also consider establishing hot lines, anonymous
voicemail, and anonymous e-mail or secure sugges- Identifying, designing, and maintaining controls and
tion drop boxes to facilitate the complaint process. procedures that safeguard assets and minimize risk
Regardless of the specific mechanisms selected, are sound business practices. A recommended busi-
there should be a process for communicating with ness practice is to start planning how an internal
employees, receiving information, and addressing control assessment might be conducted. The effort to
identified concerns. document the existence and adequacy of the controls
would require a major institutional commitment.
Section 302 of the Act requires CEO and CFO Institutions should reference a well-accepted model
assertions that extend beyond financial statement for internal controls, such as that published by the
compliance with generally accepted accounting Committee of Sponsoring Organizations (COSO) in
principles (GAAP). The Act requires the CEO and 1992. NACUBO is not aware of any institutions of
CFO to certify that the financial statements have no higher education that have committed to provide the
material misstatements or omissions. The certifica- assertions on financial reporting (section 302) and
tion also acknowledges responsibility for establish- internal controls (section 404). We will continue to
ing and maintaining “disclosure controls and pro- monitor this situation and provide updates to the
cedures,” a new term that refers to the quality of a NACUBO membership.
company’s overall disclosures (such as the notes to
the financial statements, management discussion and Audit Committees
analysis, or selected financial data). This requires a
The Act sets very high expectations concerning the
detailed evaluation of financial reporting and
background and responsibilities of the audit commit-
disclosure processes before the assertion is made.
tee of the board of directors. The audit committee is
required to take direct control of independent aud-
Institutions should begin assessing the additional
itors; be responsible for appointing, compensating,
assertions suggested in Section 302. NACUBO
and overseeing them; and preapproving all services.
believes that most institutions would benefit from
The Act requires the audit committee to be inde-
developing a plan for documenting their financial
pendent. Management or employees may not serve
reporting process and assessing the adequacy of
on the committee. Members of the committee may
controls over both financial reporting and financial
disclosures. However, be aware that the new not receive consulting, advisory or other fees from
certifications are extensive. the institution.

Institutions planning for additional certifications At least one member of the audit committee is
should consider the extent to which their financial expected to possess financial expertise. Recently
operations are decentralized, as an emerging practice issued final rules from the SEC require that this
known as subcertification may be required. Sub- person have the following attributes:
certification requires division or school officials to an understanding of generally accepted account-
sign off on subsets of financial results or information ing principles and financial statements
as a basis of reliance by senior officials. Organiza-
tions should evaluate the divisions’ accountability

NACUBO Advisory Report 2003-3 4

 the ability to assess the general application of current committee members’ longevity and
such principles in connection with the account- experience with a given institution can be con-
ing for estimates, accruals, and reserves sidered “other relevant experience”
experience in preparing, auditing, analyzing, or Colleges and universities should also consider
evaluating financial statements that present a rotating the individual in the role of financial expert
breadth and level of complexity of accounting when feasible.
issues generally comparable to the issues rea-
sonably expected to be raised by the registrant’s Conclusion
financial statements (or experience actively su-
pervising one or more persons engaged in such This guidance considers elements of governance,
activities) ethics, business process, and accountability raised by
an understanding of internal controls and the Sarbanes Oxley Act of 2002 that are relevant to
procedures for financial reporting institutions of higher education. Institutions should
carefully consider the substance of these elements
an understanding of audit committee functions
and determine, with their boards, which actions best
The SEC’s final rules allow some flexibility in how suit their situation. If any of the recommended steps
audit committee members might acquire this are considered unsuitable, burdensome, or cost
expertise, including: prohibitive, NACUBO recommends that an explana-
tion be prepared for the institution’s board of
education and experience as a principal financial trustees to review.
officer, principal accounting officer, controller,
or public accounting auditor NACUBO is very interested in learning about steps
experience actively supervising the above that institutions have taken to increase accountability
positions and governance. To share information, provide
experience overseeing or assessing the perform- comments on these recommendations, or for
ance of companies questions, contact Sue Menditto at
other relevant experience sue.menditto@nacubo.org or 202-861-2542.

The Act suggests that the entire board of trustees

determine whether the designated financial expert
possesses the necessary expertise.

NACUBO recommends colleges and universities

that do not have separate audit committees assign
requisite responsibilities to an existing committee
such as the finance committee. However, such a
committee must take on audit committee composi-
tion and accountability. For equivalent or combined
committees, the name should be changed to reflect
the audit oversight function, for example, the
“Finance and Audit Committee.” Assigning these
duties to a committee does not relieve the whole
board of oversight responsibility. Boards that do not
operate using a committee structure should assume
direct responsibility for oversight of audits. Higher
education institutions should consider the following
factors to ensure sufficient expertise on the audit
committee:
familiarity of committee members with esti-
mates, accruals, and reserves relevant to higher
education
training audit committee members and retaining
financial expertise
recruiting financial experts

NACUBO Advisory Report 2003-3 5

 Checklist for Higher Education

The following section contains a checklist addressing issues of particular relevance to higher education. The
guidance is considered best practice for higher education. The issue will continue to be monitored by NACUBO
and the Accounting Principles Council and additional guidance may be provided if appropriate.

Section Sarbanes-Oxley Act of 2002 NACUBO Recommendations

Title I Public Company Accounting Oversight Board
101 - 109 Describes public company accounting oversight board Not applicable
duties.
Title II Auditor Independence
201 Public accounting firms are prohibited from performing Institutions should prohibit their independent auditors from
these nonaudit services to financial statement audit providing the nonaudit services prohibited by the Act unless
clients: extenuating circumstances exist and the audit committee
approves the work in advance.
(1) Bookkeeping or other services related to the
accounting records or financial statements;
(2) Financial system design and implementation;
(3) Appraisal or valuation services, fairness opinions, or
contribution-in-kind reports;
(4) Actuarial services;
(5) Internal auditing outsourcing services;
(6) Management or human resource functions;
(7) Broker or dealer, investment adviser, or investment
banking services;
(8) Legal services and expert services unrelated to the
audit;
(9) Any other service the Accounting Oversight Board
determines, by regulation, is impermissible.

A registered public accounting firm may engage in any

other service, including tax services for an audit client,
but only if the Audit Committee approves the activity in
advance.

202 The audit committee must pre-approve all services Institutions should require pre-approval by the audit commit-
provided by the auditor. tee for all prohibited, nonaudit services performed by the
independent auditor.
203 The lead (or coordinating) audit partner and the review- Institutions should require a rotation of the lead partner every
ing audit partner of the public accounting firm must seven years with a timeout of two years.
rotate off the audit every five years.

204 The public accounting firm must report to the audit Audit committee oversight is critical to ensure the independ-
committee: ence of the audit decisions.

(1) All critical accounting policies and practices used by The audit engagement letter should be addressed to the audit
the client that have been discussed with manage- committee rather than internal management.
ment;
(2) All alternative treatments of financial information,
ramifications of such use, and the treatment preferred
by the public accounting firm;
(3) Other material written communication between the
public accounting firm and management, such as the
management letter or schedule of unadjusted differ-
ences.

205 Conforming amendments to the SEC Act of 1934. Not applicable

NACUBO Advisory Report 2003-3 6

Section Sarbanes-Oxley Act of 2002 NACUBO Recommendations
206 The public accounting firm cannot have employed the Institutions should carefully consider the benefits of employ-
CEO, controller, CFO, chief accounting officer, or any ing a CFO or controller who has worked for the auditing firm
person in an equivalent position, during the one-year within the last year and consider how the position may relate
period preceding the audit. to the institution’s external audit.
To forego the one-year waiting period, institutions should
document the benefits and risks and seek board approval.

207 The GAO will do a study on the potential effects of The current emphasis is on rotation of audit partners (section
mandatory rotation of public accounting firms. 203) rather than rotation of firms. The audit committee should
annually evaluate the performance of the external auditor. In
addition, the committee should consider periodically recom-
peting the selection of the external audit firm.

208 - 209 SEC final authority for Section 10A and considerations Not applicable
by appropriate State regulatory authorities.

Title III Corporate Responsibility

301 (1) The Commission may prohibit the listing of securi- Institutions that do not have an audit committee should assign
ties of any firm found not to be in compliance with the audit function to another committee of the board of
paragraphs 2 - 6 of this section. trustees, for example, the finance committee, or to the board
(2) The audit committee shall be directly responsible for as a whole. Institutions that assign audit committee functions
the appointment, compensation, and oversight of the to another committee should add “audit” to the committee
work of any registered public accounting firm em- title, for example, “Finance and Audit” committee.
ployed by its company and the public accounting
firm shall report directly to the audit committee. (1) Not applicable
(3) Each member of the audit committee shall be a
member of the Board of Directors and shall other- (2) Audit committee involvement is critical in the selection
wise be independent. Independent is defined as not of auditors and the performance of the audit.
receiving, other than for service on the Board of Di-
rectors, any consulting, advisory, or other compensa- (3) Independence of audit committee members is important.
tory fee from the company, and not being an affili- Management representatives should not be voting mem-
ated person of the company. bers of the committee.
(4) The audit committee shall establish procedures for:
(a) The receipt, retention, and treatment of com- (4) A good practice would be the establishment of confiden-
plaints received by the company regarding ac- tial complaint mechanisms for employees; for example, a
counting, internal controls and auditing matters. hot line, anonymous e-mail/voicemail, secure complaint
(b) The confidential, anonymous submission by boxes, or extending existing employee grievance proc-
employees of questionable accounting or audit- esses or communication channels to the institution’s in-
ing matters. ternal auditors. The audit committee should review the
(5) The Audit Committee shall have the authority to nature and disposition of reported matters.
engage independent counsel or other advisors, as
necessary to carry out its duties. (5) The audit committee should have all necessary authority
(6) Each company shall provide appropriate funding as contained in its charter.
determined by the Audit Committee for payment to
the public accounting firm and any advisors em- (6) The charter should also specify that appropriate funding
ployed by the Audit Committee under paragraph 5 be available for the audit committee.
above.

302 The CEO and CFO shall certify along with the annual The provisions of the Act extend the current audit representa-
audit report that: tion letter responsibilities. If institutions publicly disclose
financial statements, they should consider these assertions.
(1) They have reviewed the report; However, be warned that assertion 4 includes new and
(2) Based on their knowledge, the report does not complex affirmations on the adequacy of internal controls
contain any untrue statement of a material fact or over both financial reporting and financial disclosures.
omission of a material fact that makes the statements
misleading; The degree of decentralization of financial operations is an
(3) Based on their knowledge, the financial statements important consideration for higher education. Business units’

NACUBO Advisory Report 2003-3 7

Section Sarbanes-Oxley Act of 2002 NACUBO Recommendations
present in all material respects the financial condition responsibility for financial reporting should be clearly
and results of operations; defined, including policies for those activities. Institutions
(4) They are responsible for establishing and maintain- that are decentralized should consider implementing “sub-
ing internal controls, ensuring that material informa- certification” requirements from financial leaders responsible
tion relating to the company and its consolidated for the financial results of units, departments, or schools. The
subsidiaries is made known to officers and others sub-certification provides assurance on the underlying
within those entities; have evaluated the effective- numbers and controls.
ness of internal controls within 90 days prior to the
report; and have presented their conclusions about Institutions should start documenting their financial reporting
the effectiveness of their internal controls based on process; and identifying and evaluating the adequacy of
their evaluation as of that date; controls over financial reporting and other financial disclo-
(5) They have disclosed to the auditors and the audit sures.
committee all significant deficiencies and material
weaknesses in the internal controls that could ad- The audit committee should consider periodic inquiries of
versely affect the company's ability to record, proc- financial executives on the adequacy of controls.
ess, summarize, and report financial data;
(6) They have indicated in the report whether or not
there were significant changes in internal controls or
in other factors that could significantly affect internal
controls subsequent to the date of their evaluation,
including any corrective actions.

Reincorporating outside of the United States does not

lessen the requirements of Section 302.

303 It is unlawful for any officer or director of a company to This should be addressed in the institution’s code of con-
take an action to fraudulently influence, coerce, manipu- duct/code of ethics.
late, or mislead an auditor engaged in the performance of
an audit for the purpose of rendering the financial
statements materially misleading.

304 If an accounting restatement is necessary due to miscon- Not applicable. However, the audit committee may want to
duct, the CEO and CFO shall reimburse the company for review compensation arrangements for the CEO and CFO.
any bonus or other incentive or equity-based compensa- Incentives related to financial results should be disclosed to
tion received by that person during the 12-month period the audit committee.
following the issuance of the financial statements, as well
as reimburse the company for any profits realized from
the sale of securities of the company during that same 12-
month period.
305 The SEC may issue an order to prohibit, conditionally or Not applicable. However, institutions should consider any
unconditionally, permanently or temporarily, any person SEC action in connection with hiring officers and nominating
who has violated section 10(b) of the 1934 Act from trustees; and ensure that employment contracts of senior
acting as an officer or director of a company if the SEC officers allow removal for financial impropriety.
has found that such person is unfit.
306 - 308 Concerns sales of stock, fair funds for investors and Not applicable
attorneys practicing before the SEC.

Title IV Enhanced Financial Disclosures

401 SEC shall study off-balance sheet disclosures to deter- Higher education should follow current and appropriate
mine their extent and whether GAAP results reflect the accounting standard guidance (i.e. FASB, GASB).
economics of such transactions.
402 In general, it shall be unlawful for a company to extend The audit committee should be aware of and review policies
personal loans to any director or executive officer. on personal loans and understand that housing assistance
included as part of compensation is not a personal loan.
403 Directors, officers, and 10%+ owners must report The audit committee should be aware of and review policies
designated equity security transactions by the end of the on ownership interests in related ventures or start-ups.
second business day following the day the transaction Existing conflict of interest policies can be leveraged and

NACUBO Advisory Report 2003-3 8

Section Sarbanes-Oxley Act of 2002 NACUBO Recommendations
was executed. should be reviewed with the audit committee.
404 Each annual report shall contain an internal control Identifying, designing, and maintaining controls and proce-
report, which: dures that safeguard assets and minimize risk is sound
business practice. A good business practice would be to start
(1) States the responsibility of management for estab- planning how an internal control assessment might be
lishing and maintaining an adequate internal control conducted. A few institutions have started doing risk assess-
structure and procedures for financial reporting; and ments and documenting key financial processes. The audit
(2) Contains an assessment, as of the end of the fiscal committee should consider independence issues if
year, of the effectiveness of the internal control contemplating using the external auditor for this review
structure and procedures of the company for finan- function. For reference, institutions can obtain a copy of the
cial reporting. Committee of Sponsoring Organizations (COSO) model of an
internal control framework. The COSO model is considered
The public accounting firm shall attest to and report on the most widely accepted model for controls.
the internal control assessment made by management.
Institutions with internal audit departments should consider
using them to periodically report on internal controls to the
audit committee in addition to reporting to management.
These activities should be coordinated with the risk assess-
ment and internal control initiatives described above.

The results of the internal control assessment should be tested

to ensure compliance. A positive assertion on controls would
require a large sustained effort and would require the external
auditor to perform an attestation on internal controls, which
would be expensive and time consuming. NACUBO does not
recommend external auditor attestation or audit of internal
controls. An alternative would be for management to provide
the assertions and testing without the external audit attesta-
tion.

NACUBO encourages institutions to take this topic seriously

and start planning how an internal control assessment might
be conducted. NACUBO will monitor the actions of institu-
tions and communicate discoveries. At this point NACUBO
and the APC are not aware of any institutions that have
committed to this positive assertion on controls.

405 Sections 401, 402, and 404 do not apply to any invest- Not applicable
ment company registered under section 8 of the Invest-
ment Company Act of 1940.

406 Requires each company to disclose whether it has A best practice is the adoption of a code of ethics for senior
adopted a code of ethics for its senior financial officers financial officers. Subsequently, the audit committee should
and the contents of the code of ethics. review the adequacy of the code and periodically review how
compliance is assured.

407 Companies are required to disclose whether at least one A best practice would be the inclusion of at least one financial
member of the audit committee is a "financial expert." expert on the audit committee. Institutions should consider the
following in defining financial expertise:
The final rule also provides a definition of a financial
expert. In the final rule, recognition was given that an • familiarity with estimates, accruals, and reserves
audit committee financial expert can acquire the requisite relevant to higher education
attributes of an expert in many different ways and that • longevity and experience with a given institution can
experience, in addition to education, is an important be considered “other relevant experience”
consideration.
Colleges and universities should also consider rotating the
financial expert and begin planning for the process and cost of

NACUBO Advisory Report 2003-3 9

Section Sarbanes-Oxley Act of 2002 NACUBO Recommendations
recruiting, training, and retaining financial expertise.

The recruitment and retention of a financial expert by public

institutions might be limited when alumni or elected officials
appoint the board.

408 - 409 Addresses enhanced and real time disclosure by issuers of Not applicable
securities.

Title V Analyst Conflicts of Interest

501 Treatment of security analysts by registered securities Not applicable
associations and national security exchanges.

Title VI Commission Resources and Authority

601 - 604 Appearance and practice before the SEC, funding, federal Not applicable
court authority and qualifications of brokers and dealers.

Title VII Studies and Reports

701 - 705 Concerns studies regarding accounting firms, credit Not applicable
rating agencies, violators, violations, investment banks,
financial advisors, and enforcement of securities laws.

Title VIII Corporate and Criminal Fraud Accountability

801 - 807 Discusses securities fraud, penalties, statute of limita- Not applicable, however regarding section 802, a good
tions, sentencing, and employee protection. practice would be to ensure that documents and records sent
or received in connection with the audit are retained for seven
years.
Title IX White Collar Crime Penalty Enhancements
901 - 906 This section advances criminal penalties for fraudulent Not applicable
acts and the US Department of Justice jurisdiction of
financial statement certification. The certification
requirement under section 906 is separate from the
requirement under section 302.

Title X Corporate Tax Returns

1001 The chief executive officer, per the “sense of the senate,” Institutions should review the level of authority of signers on
should sign the federal income tax return of a corpora- the various tax returns; a senior financial manager with
tion. financial accountability for the information presented on the
tax return should sign the return.

Title XI Corporate Fraud Accountability

1001 - Discusses fines, consequences, and sentencing for Not applicable
1004 individuals and issuers.

1005 Gives the SEC the authority to prohibit anyone convicted Institutions should consider securities fraud convictions
of securities fraud from being an officer or director of any relevant in background checks for new employees.
publicly traded company.

1006 - Addresses criminal penalties under the SEC Act of 1934 Not applicable
1007 and penalties for retaliation against informants.

NACUBO Advisory Report 2003-3 10

 NACUBO Code of Ethics
On April 15, 1993 the NACUBO Board of Directors adopted a new code of ethics, which is
presented below:

Institutions of higher education are entrusted by society with great resources and commensurately great
responsibilities for creation, dissemination, and preservation of knowledge. College and university
business officers play a key role in assuring that high standards of ethical practice attend to the custody
and use of these resources. The business officer’s personal and professional conduct reflects on his or
her institution, the collective profession, and the higher education enterprise at large. To guide business
officers in setting and practicing high standards of ethical conduct, the National Association of College
and University Business Officers has devised the following Code of Ethics. NACUBO embraces the
values expressed in this Code and advocates their observance by its members.

The business officer’s conduct should be characterized by integrity and dignity, and he or she should
expect and encourage such conduct by others.

The business officer should adopt and be faithful to personal values that

accord respect to self and others;

preserve honesty in actions and utterances;
give fair and just treatment to all;
accept intellectual and moral responsibility;
aspire to achieve quality;
refuse conflict, or the appearance of conflict, between personal and institutional interests; and
engender forthright expression of one’s own views and tolerance for the views of others.

The business officer should act with competence and should strive to advance competence, both in self
and in others.

The business officer should understand and support his or her institution’s objectives and policies,
should be capable of interpreting them within and beyond the institution, and should contribute con-
structively to their ongoing evaluation and reformulation.

The business officer should communicate to institutional colleagues the content of this Code of Ethics
and should strive to ensure that the standards of professional conduct contained therein are met.

In discharging his or her duties in accordance with this Code of Ethics, the business officer should enjoy
the following rights:

the right to work in a professional and supportive environment;

the right to have a clear, written statement of the conditions of his or her employment, proce-
dures for professional review, and a job description outlining duties and responsibilities;
within the scope of his or her authority and policy, the right to exercise judgment and perform
duties without disruption or harassment; and
freedom of conscience and the right to refuse to engage in actions that violate the ethical princi-
ples contained in this Code or provisions of law.

NACUBO Advisory Report 2003-3 11