We're private, so Sarbanes-Oxley doesn't affect us, right?

Sarbanes-Oxley is the bill signed last July to restore confidence in the US markets in the wake of Enron and WorldCom. The most publicized provision is management certification of financial statements. The act applies only to issuers regulated by the SEC, so those of you with private companies can ignore Sarbanes-Oxley, right?

Wrong! Says Tracy Lefteroff, Global Managing Partner for PricewaterhouseCoopers' Private Equity and Venture Capital practice in the current issue of PwC NextWave. If you ever IPO, or get acquired by a public company, or get acquired by a company that IPOs, or ... (you get the idea) then your current books will become part of a public company's books, and will be subject to Sarbanes-Oxley. To avoid due diligence issues at acquisition or IPO time, you should start thinking about Sarbanes-Oxley now, says PwC.

Also, according to the newsletter, an insurer or lender may want to apply some of the standards of Sarbanes-Oxley in deciding whether or not your internal controls are adequate.

There's more to Sarbanes-Oxley than just the management certification (and this is of course a 50,000 foot summary; for more details see the act itself, PwC's information page about the act, or your attorney):

1. Loans to Officers and Directors are prohibited. This is an area I could see affecting many smaller software companies.

2. Internal Controls must be certified by management as "adequate." Sure, you know your mom is an honest bookkeeper, but do you have the systems in place to prove it?

3. Management Certification of financials.

4. Whistleblower Process must be documented. I'll bet most smaller SW companies don't have that.

5. Independence of Directors and Audit and Compensation committees.

6. Finally, PwC recommends that you have in place a written documentation policy and Code of Conduct.