Two Step Software, Inc.

Two Step's Private Company Equity Management Blog

From Fraud to Greed to Oops: Inadvertent Stock Option Backdating

One of our speakers at a recent webinar on Compliance, Craig Newfield, General Counsel at Gomez, Inc., aptly used the phrase “from fraud to greed” to explain the transition from the Enron period scandals that brought us the Sarbanes-Oxley Act of 2002 to the executive compensation and option backdating scandals that have brought us CEO resignations and new SEC executive compensation disclosure requirements in 2006. I’ve always thought the unique connection between these two scandals was that almost all of the intentional option backdating ended in 2002 as a result of the expedited Section 16 filing requirements of Sarbanes-Oxley. However, as a result of Sec. 409A, FAS 123R, and increased scrutiny of equity compensation reporting, we may now have entered a new period where the risks and penalties associated with “inadvertent” stock option backdating, rather than primarily intentional backdating, will become the next “gotcha” for financial executives at both public and privately-held companies with deferred compensation plans, including the most basic forms of stock option plans.

Recently, John Hancock, a corporate partner at the Boston law firm of Foley Hoag LLC, highlighted for an audience of financial executives at a Two Step Software webinar the connection between the end of the transitional rules period for Sec. 409A and ongoing stock option backdating scrutiny. The overriding principle is to offer the greatest possible clarity as to when an option grant occurred by providing written evidence that all steps were taken with respect to an option grant on a specific date.

If there is any uncertainty with respect to the number of shares, the vesting period or the list of recipients, this will increase the likelihood that the option could be considered to be granted on a later date when potentially the fair market value of the stock could be higher, resulting in an option being granted below fair market value. This could convert a qualified option to a non-qualified option, change the financial and tax implications to the employee and the company, and potentially trigger the severe penalties under Sec. 409A that apply to discounted stock options.

As far as practice tips for new stock option grants, his recommendations included:

  1. Avoid actions by written consent.
  2. Promptly create minutes reflecting board actions and file in minute books.
  3. Avoid subsequent changes to the authorization by the Board.
  4. Avoid authorizations that suggest there will be future decisions to be made.

Following the SEC Chief Accountant’s September 2006 letter that addressed option granting practices, the IRS making option backdating a Tier 1 issue in June 2007, and the new SEC executive compensation disclosure rules, it is clear that auditors will be giving greater scrutiny to equity compensation reporting and the related back up legal documentation.

With that in mind, every company, public or private, should work on standardizing its stock option granting and administration practices to reduce the risk of option backdating and improve its equity compensation reporting. In addition, companies should adopt appropriate internal controls to ensure their policies and procedures are actually being followed. This type of work at the front end will pay big dividends at your next audit, your next financing transaction, or when the company goes public.

The Trickle Down Effect of Sarbanes on Internal Controls at Venture-Backed Companies

At a recent Two Step Software webinar entitled “Lessons Learned in 2007: A Recap of Stock Option Reporting Updates,” more than half the audience of financial executives responded that they had not taken any steps to prepare for the new risk assessment auditing standards that apply to non-public companies (Statement on Auditing Standards 104-111), despite the fact that, according to Dan DeVasto, the CEO of Wolf & Company, P.C., these changes to the audit standards are some of the most significant in two decades.

As explained by his partner Scott Goodwin, although non-public companies are not required to provide the same types of certifications and management reports as public companies, since they are not subject to the Sarbanes-Oxley Act, the audit standards by which the internal controls of non-public companies are going to be reviewed are now relatively similar to those of public companies (SAS 104-111 from the AICPA for non-public companies; Auditing Standard 5 from the PCAOB for public companies). In both cases, auditors will be using a COSO type framework to assess whether a company’s internal controls over financial reporting are sufficient and will need to advise the audit committee if they are not. Of course, for a non-public company there is no requirement that the executives provide a Sec. 302 certification, that management provide a Section 404(a) report, or that the auditors provide a Sec. 404(b) opinion (which is not yet required for smaller public companies).

Question: Why are public companies spending significant amounts of money addressing their internal controls to comply with Sec. 404 of SOX and satisfy AS 5, while GAAP-reporting venture-backed companies are largely paying little attention to satisfying SAS 104-111, although the exercise that their auditors will be going through in evaluating the sufficiency of the internal controls over financial reporting for both types of companies will largely be the same?

Answer: For a non-public company, there is no threat of public embarrassment, lower share price, and criminal penalties for the company and management if they do not satisfy the internal controls requirements. There is only the risk that an audit will take longer, become more costly, and the audit firm will be required to document and communicate any material weaknesses to management and “those charged with governance” (SAS 112).

Let’s Ask: With the impact of SOX clearly being felt by non-public companies already, whether based on pressure and covenants from investors, lenders, insurers, and other stakeholders, is it really necessary to add the threat of criminal sanctions to encourage companies that plan to be acquired by publicly-held companies in the near future to raise the level of their internal controls over financial reporting?

I hope not. Maybe by sufficient education on the benefits that companies receive by adopting good corporate governance and appropriate internal controls over financial reporting, we can keep “SOX Lite” from becoming mandatory for companies without public investors. Hopefully, instead, sufficient oversight can be provided by audit committees and directors of venture-backed companies that hope to one day become public themselves or be acquired by publicly-held companies. Better internal controls over financial reporting are relevant to any company that is looking to increase its value in the financial marketplace. Every venture-backed company finds this out during the business due diligence process, which is eventually when the “rubber meets the road.”

Your SaaS Provider's Infrastructure: Like Your Own Systems ... On Steroids

Talking with hundreds of companies over the past year about our stock plan and corporate governance applications, we've seen the "tectonic shift" that some analysts have referred to with regard to the acceptance of SaaS applications in the business application market. Even Bill Gates has referred to it as a "sea change" that has arrived and the Microsoft Chief Software Architect, Ray Ozzie, has been pushing it as inevitable. Perhaps the change in attitude started with Salesforce.com and Google Apps, with a slight nudge from YouTube, Facebook, and Craigslist, but it has clearly arrived. Having watched the change in attitudes and acceptance from real buyers between the beginning of 2007 and today, I wondered what has accounted for the shift in the acceptance of online applications by somewhat conservative business, financial and legal executives who are generally not technology "early adopters."

The primary impetus is that most internal IT executives, the ones who need to make the decision on whether to sign off on a new SaaS application, are now proponents of hosted applications and agree that in most cases SaaS applications have as good or better systems infrastructure as they could provide for their own internally installed applications. But what is the cause of their shift in attitudes between 2006 and 2007? Infrastructure improvements.

First, the bar has been raised for the standard offerings from the top hosting providers that now offer a level of reliability, redundancy, security, and data backup that is difficult for a single company to match. Second, the bar has been raised for software application providers so that every enterprise level business application must offer an infrastructure that is properly configured, tested and hosted at a leading hosting provider. There is no longer any excuse for downtime from a SaaS provider of mission critical business applications. Whether you are Salesforce.com, RIM Blackberry, or Two Step Software, customers expect the same standard for service level agreements and zero downtime. Not to say it can't happen despite the highest levels of technology diligence, as we have experienced from almost every one of Two Step's SaaS providers, but every step should be taken to reduce the risk.

There are five basic areas to think about when looking at a SaaS provider:

  1. Security: physical on-premise security; personnel selection; user authentication; and preventing unauthorized access
  2. Redundancy: power supplies; internet access; hardware; and failover systems
  3. Monitoring: 24/7 application, server, network, and user access
  4. Data Back Up: daily and intermittent on-site and off-site backups
  5. Getting Your Data: retrieval of data when service ends

For instance, at Two Step Software, we use one of the nation's leading managed hosting providers that offers a zero downtime guarantee and provides a level of physical, operational, and system security that would be difficult for any business to match (see: http://www.twostep.com/solutions/install_options.asp). It's like your own systems, on steroids, with redundant internet access, back-up power supplies, physical and online access security, redundant hardware as well as back up inventory, 24/7 monitoring, and daily data backups.

We believe that once you find an application that satisfies your business requirements, you shouldn't have to worry about the application hosting infrastructure. Let your SaaS provider focus on the details of delivering a reliable and high performance infrastructure so you can focus on your business needs. Although you can't take a walk through your SaaS vendor's hosting location, look for a SaaS provider with an excellent reputation and one that offers a technical infrastructure that you feel is superior to your own. Then, rest easy.