Coming Clean With SOX
How Private Companies Can Benefit From Modeling Sarbanes-Oxley
By Steve McGraw

Not since Y2K or HIPAA has a topic received as much publicity as the Sarbanes-Oxley (SOX) Act of 2002. SOX has gotten a lot of attention, and if your company is public, you’ve already spent plenty of time and money on compliance. But if you’re private, does SOX matter? While your company may not be required to comply, there are many advantages you can gain by utilizing SOX principles.

There is a wealth of general information available about SOX, so we’re not going to review why SOX was enacted or dwell on any one section of the law. Instead, we focus on the best practices and how private healthcare organizations can use them to complement existing compliance programs.

SOX is composed of 11 titles with five to nine sections each. Almost every accountant, consultant and software vendor focuses much of his or her attention on one: Section 404, Internal Controls. Granted, effectively creating and managing all of the key controls in a large company can go a long way toward curbing problems. But there are plenty of other aspects of SOX that can be highly beneficial to healthcare entities as well.

• The benchmark for corporate governance. SOX has rapidly become the reference point for governance practices; if you ever have a governance problem, you can bet one of your board members is going to look to SOX as a model.
• Shareholders will be happier. Owners will have more confidence in management’s risk assessments, financial statements and governance if you have adopted the best practices of SOX.
• Lending costs will be reduced. Lenders are increasingly demanding more confidence in the company’s financial statements and will punish those (with higher costs) who have not adopted SOX. This constituency will focus on Section 404.
• Acquisitions are easier. Potential acquirers will be more confident in your financials if you have complied with SOX.
• Insurers will be happier. Insurance companies charge money for covering risk. If you can demonstrate that your organization understands risk management, then insurance is easier to obtain from more suppliers. This is especially applicable to D&O (Directors and Officers) insurance.
• The risk management benefits will outweigh the start-up costs. Implementing SOX comes with a price tag, and sometimes it can be a hefty one. But once the practices are ingrained in your organization, you will be able to identify risk earlier, reduce fraud and abuse, and reduce liabilities arising from lawsuits or regulators’ actions. The return on investment can be significant.
• Required if you plan on going public. If you plan on filing for a public offering within the next couple of years, then you must start complying with Sarbanes-Oxley.
• State law and certain trade associations require adoption of SOX. Some states are adopting certain provisions of SOX. Also, the National Association of Insurance Companies (NAIC) is actively discussing how SOX should be adopted by insurance companies and enforced by the state insurance commissioners.

1165 Sanctuary Parkway, Suite 100, Alpharetta, GA 30004. Tel: 678.992.0262. www.compliance360.com

SOX Best Practices and How Private Companies Can Utilize Them

While private companies aren’t required to comply with any of these regulations, some of them can obviously enhance compliance programs while producing many of the benefits we discussed above. Let’s take a look at SOX, title by title. So that you have a good idea of the titles that can benefit you and the ones that can be ignored, we’ll use the common “five stars” rating system. If a regulation only merits one or two stars, you can pay less attention; but those with five stars have the potential to knock your SOX off.

Title I.
Title I establishes the Public Company Accounting Oversight Board. Private companies can safely ignore this one.

Title II. - Auditor Independence

Section 201: Services Outside the Scope of Practice of Auditors
This section requires that your audit firm perform no other services but the audit. The purpose is to eliminate any conflict of interest from the auditors. If you think about the situation, your audit firm has direct access to the most influential leaders in your company. If they are allowed to sell other services such as IT project management, legal services or internal audit functions, there could be excessive influence or conflict of interest. In the past, the audit firm that sold a wide range of services had broad scope over rules of evaluation and procurement. SOX helps ensure that auditors are truly independent and not unduly influenced by other business opportunities they may have within the account.

Section 203: Audit Partner Rotation
If you are a private company, audit partner rotation is more subjective. Over the course of doing business with you, your audit firm builds up a great deal of expertise concerning both your industry and your firm. Auditors know your key controls, your joint ventures, major vendor agreements, compensation agreements, etc. Your healthcare auditor is not only an accounting expert but also a student of coding and billing practices, Stark self-referral, anti-kickback statutes and other OIG requirements. Do you really want to trade this person out and educate a brand new partner every few years? If you are a public company the law is clear and you must, but if you are private the value of adopting such a practice is debatable, and you may be better off keeping the auditor who knows the ins and outs of your business.

Section 204: Audit Firm Reports to the Audit Committee
Your audit firm should report to the Audit Committee. The purpose here is clear: there should be no appearance of influencing or filtering results. This opens other important issues, such as who within your company should report to the Audit Committee? Moreover, what is the role of the Chief Compliance Officer? Section 301 establishes the requirements for the Audit Committee, but SOX does not directly discuss the internal reporting structure to the Audit Committee. In our discussions with hundreds of healthcare companies, we’ve seen scores of reporting permutations. Most are flawed and have some historical and political rationale. The right answer is actually pretty simple: the company should establish a Chief Compliance Officer, and the CCO should report to the Audit Committee. The CCO should be responsible for all compliance activities, fraud and abuse, and enterprise risk management, and should generally be accountable for ensuring that programs are in place to demonstrate compliance with all laws, regulations and standards. The CCO should have responsibility for Internal Audit, CMS requirements, state audits, the hotline, corporate policy, and oversight of quality programs such as NCQA, URAC or Joint Commission.

Title III. - Corporate Responsibility
There are two sections that stand out as best practices for privately held healthcare organizations in this title: Section 301 and Section 302. The rest of Title III is a grab bag of various rules designed to enforce accountability at the officer and board level, as well as a series of guidelines for particular behavior and certain transactions. Most of these rules and guidelines have little applicability to private healthcare concerns, but 301 and 302 can be helpful.

Section 301: Public Company Audit Committee
This section establishes the guidelines of the Audit Committee. There is a lot of material on this subject, and it is better explored by a Board of Directors, which can review the subject in much more detail than we can provide here. A very useful site is http://www.aicpa.org/audcommctr/homepage.htm.

There are some basics to the Audit Committee that may serve, however, to get you started. The Audit Committee:
• Establishes a chart of responsibility and corporate governance.
• Contains independent members.
• Establishes a method for receiving confidential complaints from vendors, employees and others in regard to accounting irregularities.

Establish a chart of responsibility and corporate governance. These are auditing functions and any other items that could have an impact on financial performance and company valuation. You can locate a thorough checklist at the AICPA web site mentioned above. Examples of these auditing functions are that the Audit Committee should conduct executive sessions, hire the outside auditors, review management travel and expense policies, review the adequacy of internal controls, and understand all regulatory and legal proceedings impacting the company.

Each member of the Audit Committee should be independent.
• A member should not have been employed by the company for at least five years.
• A member should not currently be a director of a company where anyone on the management team also serves as a director.
• A member should not do business with the company as a customer, consultant or supplier, or have an interest in a firm that conducts business with the company.
• A member should not have a relationship with a joint venture, subsidiary or other affiliate of the company.

Establish a method for receiving confidential complaints from vendors, employees and others in regard to accounting irregularities. Since the OIG requires a method of reporting fraud and abuse, nearly every healthcare company has a hotline. One hotline should support both the SOX and the OIG requirement. A quick primer on the role and importance of a hotline can be found at http://www.hotlines.com/sarbanes_oxley.htm. Be advised that the penalty for retaliation against a whistleblower is steep (see SOX Section 1107 for details).

Section 302: Corporate Responsibility for Financial Statements
This section requires the senior officers to certify that the financial statements are complete and accurate. Section 302 directly correlates to Section 404: without properly implemented internal controls, it is very hard to certify financial statements. However, company leaders must stand behind the company’s financial reports.

Title IV. - Financial Disclosures
When most people refer to SOX, they are referring to this title and more specifically to Section 404. Broadly speaking, this title regulates off-balance-sheet transactions, loaning money to executives and directors, management assessment of financial internal controls, codes of ethics, mandating a financial expert on the audit committee, and the reporting and timing of certain financial events.

The effort is so daunting that many hesitate to start. If you identify the top 50 key controls, you soon will realize that there are some you just cannot ignore. Let’s look at an obvious example: coding and billing. You know there is a high risk of a billing error when you’re processing thousands of transactions, sometimes on a daily basis. With the OIG oversight and its related penalties, one would be foolish not to fully comply with Section 404.

It is worth devoting at least a couple of paragraphs to this, the section that gets all the press; however, this is only a simple primer on the topic. Extensive information is available to help you build and manage internal controls. For books on this topic, see your auditor (or their web site), or go to http://www.coso.org/. Only by pinpointing all of your key controls and focusing on those with the highest risk and highest volume can you be more confident of having accurate statements and be certain that controls are in place to ferret out potential fraud and abuse. It may take two or more years to be fully compliant with 404, but this investment is definitely worth the time and money.

First, what is an internal control? Internal controls are processes that help you achieve:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

Like any regulated business, healthcare organizations are complex. How do you ensure that your business is reporting numbers accurately? You have to develop key controls around the processes that affect your financial reporting. In short, you must do the following:
1. Identify the key processes and document them
2. Document policies and procedures
3. Define the control and the measurement for the control
4. Assess the effectiveness of the measurement

In any business, this process of identifying, documenting, defining, and assessing is a lot of work, and it’s monumental in companies with stiff guidelines and reporting requirements. For most healthcare companies, Section 404 requires a significant amount of consulting, internal labor and new systems to achieve full compliance.

Title V. - Analyst Conflict of Interest
Title V requires objectivity from analysts, and since analysts rarely follow private companies, this section does not apply.

Title VI. - Commission Resources and Authority
This Title provides the resource funding for the Commission and places some requirements on penny stocks and investment bankers. This section doesn’t apply to private companies.

Title VII. - Studies and Reports
This Title requires the Commission to report on various impacts of Sarbanes-Oxley. It does not apply to private companies.

Title VIII. - Corporate and Criminal Fraud Accountability
Title VIII discusses the various practices that constitute fraud and obstruction of justice. There are lots of modifications of existing law, which make for fairly difficult reading and require an attorney for a full explanation. We’ll take a brief look at the two sections that are most pertinent to private companies. You’ll want to check with your Legal Department or an attorney for more information regarding Title VIII.

Section 802: Criminal Penalties for Altering Documents
This section forbids the alteration or destruction of documents when one expects to be part of an investigation. The real lesson inherent in this section is that companies should examine their records retention policy. Your records retention policy should be an integral part of your business, regardless of SOX. Your disaster recovery plan, various laws and standards, as well as just common business sense, require a document archive and retention plan. Implicit in this practice is the idea that you need to educate your people on your document retention policy and the potential penalties for failing to comply.

Section 806: Protection of Whistle-blowers
Whistle-blowers are specifically protected, and penalties for retaliation are stiff. Have a disinterested party assess the whistle-blower directly to ascertain whether he or she feels harassed. In a long investigation, this process should be done at least quarterly.

Title IX. - White Collar Crime Penalty Enhancements
This Title strengthens the penalties for fraud and abuse if you are a public company. Again, the act only applies to publicly traded companies, but it would be in every company’s best interest to take this regulation seriously.

Title X. - Corporate Tax Returns
This is the shortest title in the whole act: one sentence. It requires that the CEO sign the company’s federal tax returns.

Title XI. - Fraud and Accountability
This Title strengthens the existing law and the penalties for bad behavior. Section 1107 specifies that retaliatory actions against whistle-blowers can result in jail time of up to ten years, among other punishments.

Summary
Healthcare is a highly regulated industry with myriad rules, procedures, policies, and regulations. While Sarbanes-Oxley compliance is not required for private healthcare companies, they can certainly benefit from implementing some of its processes, which will help ensure overall compliance. SOX compliance can help any company execute greater internal control and improve its external image with stockholders, the community and customers alike.

Numerous books have been written on SOX, and there is a wealth of information available on the Internet, from auditors and other sources. By choosing to investigate and utilize the best practices of SOX, you help your private healthcare organization enhance compliance initiatives and operate more efficiently.

Steve McGraw is the CEO of Compliance 360. Compliance 360 helps companies in regulated industries address the most important facets of a comprehensive compliance program: reducing risks, reducing costs, improving efficiencies and enhancing global visibility of compliance activities. Compliance 360 has headquarters in Atlanta, GA and serves over 200 customers in healthcare, financial services, managed care, life sciences, pharmaceutical and other complex business environments. For more information, visit Compliance 360 on the World Wide Web at www.compliance360.com.