The Sarbanes-Oxley Act - Global Health Care, LLC

The New World of
Corporate
Responsibility
Nancy Lanis
Senior VP & General Counsel
Curative Health Services
Hauppauge, NY
Michael L. Shaw
Senior Manager
PricewaterhouseCoopers LLP
Washington, DC
Jody Ann Noon RN, JD
Partner
Deloitte & Touche LLP
Portland, OR
An Overview of the New Drivers of Corporate
Responsibility: The Sarbanes-Oxley Act,
NYSE Listing Requirements, and NASDAQ
Proposal
Discussion of Key Considerations and
Intersection with Traditional Compliance
Program and Internal Control Concepts
It’s The Law!
PricewaterhouseCoopers LLP 2
It’s also expensive!
SEC Reporting and Disclosure Changes
Summary of Estimated Impact (Incremental Costs)

Item                                               One Time / Initial         Ongoing / Annual
Independent audit scope changes and fee increases  $1,000,000 - $5,000,000    $1,000,000 - $5,000,000
Internal audit expansion                           $250,000 - $500,000        $200,000 - $300,000
External legal fees increases                      $800,000 - $1,500,000      $500,000 - $1,000,000
Legal resources expansion                          $150,000 - $250,000        $100,000 - $200,000
Outside consulting services                        $400,000 - $600,000        $250,000 - $300,000
Corporate governance changes (BOD, D&O premiums)   $200,000 - $250,000        $200,000 - $400,000
Finance/accounting/reporting expansion             $250,000 - $500,000        $250,000 - $300,000
Required process improvements                      $200,000 - $400,000        $100,000 - $200,000
System enhancements                                $250,000 - $500,000        $200,000 - $300,000
Total Incremental Costs                            $4,000,000 - $9,000,000    $3,000,000 - $8,000,000

The added expenses as a result of increased regulatory requirements. (Assumes a "typical" Fortune 500 company with $3 billion in sales, global operations, an in-house internal audit function, in-house legal counsel and significant disclosure requirements.)

Source: Financial Executive, January/February 2003, "New Regulations: Preparing for the Unplanned Costs" by Johnsson and Wiechart.
Topics Overview
•Sarbanes-Oxley Act, NYSE and NASDAQ Listing Requirements
Overviews: Corporate Governance and Disclosures
•Practical Impact on Compliance Standards and Corporate Governance
– Integrity and Disclosure Requirements
– Executives, Individual Directors
– Board of Directors, Board Committees
– Outside Auditor
– Recommended Actions to Enhance Compliance Programs
• Discussion
Topics Overview (cont’d)
•Additional Aspects of Sarbanes-Oxley
– Document Retention and Destruction
– Whistleblowers
– Attorney Reporting Responsibilities
– Enforcement Penalties
• Intersection with Compliance Programs
• Discussion of Internal Controls
• Question & Answers
Sarbanes Oxley Act,
NYSE and NASDAQ
Listing Requirements
AN OVERVIEW
Nancy Lanis
Curative Health Services
Sarbanes-Oxley Act Overview: Corporate Governance and
Disclosures
• Sarbanes-Oxley Act of 2002 (“SOA”) enacted July 30, 2002
•Corporate scandals (Enron, WorldCom) provided impetus for Congress to act
quickly
•SOA approved by near unanimous vote in Congress (vote of 99-0 in the
Senate and 423-3 in the House)
•Fast pace of approval likely to result in need for numerous interpretations
and explanations
•Potential for far reaching impact on Corporate Governance and Conduct,
Financial Reporting and the Public Accounting Profession
•Also impacts legal community and investment banking analysts
Curative Health Services 7
Sarbanes-Oxley Act Overview: Corporate Governance and
Disclosures (cont.)
•Several provisions of the SOA require detailed regulations by the SEC and other
regulatory bodies
•SOA aims to restore investor confidence in financial reporting and public capital
markets
•Broadly speaking, the Act's provisions seem to be built around the following
principles:
– Integrity
– Independence
– Proper Oversight
– Accountability
– Strong Internal Controls
– Transparency
– Deterrence
NYSE and NASDAQ Listing
Requirements Overview- Corporate
Governance and Disclosures
•Board of Directors of NYSE approved new proposals in August, 2002
•Board of Directors of NASDAQ approved new proposals in May and July, 2002;
Summary issued 10/10/02; Bulletin/New rule proposals issued 1/6/03
– Heightened Corporate Governance standards through additional listing
requirements
– Some additional requirements beyond SOA requirements
– SEC, after public comment period, will vote to approve proposals
– SEC voiced intent to combine NYSE and NASDAQ requirements
The Impact of New Standards on
Compliance Programs and
Corporate Governance
Nancy Lanis
Curative Health Services
Practical Impact- Disclosures and
the Integrity Chain
•Intended to provide more reliable, timely and useful information to
investors
•Requirements span the reporting supply chain, reinforce accountability
•Requirements affecting Senior Executives, Individual Directors
•Requirements affecting the Board of Directors and Board Committees
•Requirements affecting outside Auditors
Requirements Affecting Senior
Executives, Individual Directors
•CEO/CFO Certifications to assure accuracy, completeness and
timeliness (separate civil, criminal certifications) (see appendix)
•Establish and assess disclosure controls and procedures for collecting,
processing and disclosing information required to be disclosed in periodic
reports (10K, 10Q, 8-K) (current requirement); internal control reports in
annual reports (fiscal years post 9/15/03)
•Accelerated reporting by Executive Officers and Directors (2 days)
•Code of Ethics, Senior Financial Officers (Disclose in 10K after 1/26/03)
•Clawbacks for CEO/CFO bonus, stock sales profits if company’s financial
statements are restated due to misconduct (12 months from 1st
disclosure)
Requirements Affecting Senior
Executives, Individual Directors
(cont’d)
•Additional disclosure issues
– Off-balance sheet transactions, contractual commitments, and
contingent liabilities ( Q1 ‘03)
– Pro forma (non-GAAP) information- quantitative reconciliation (Q1 ‘03)
– Earnings releases; other material, non-public information about
annual/quarterly fiscal periods on Form 8-K (Q1 ‘03)
– Additional (and accelerated) Form 8-K events (SEC proposed 6/02)
– MD&A critical accounting policies (SEC proposed 5/02)
– Shareholders approve equity-based compensation plans (NYSE/NASD 10/02
filings with SEC)
– Company web-site address
– New filings deadlines- Forms 10K and 10Q (‘04)
•No improper influence of Auditors (SEC proposed 10/02; effective Q1 ‘03)
•Trading restrictions for Executive Officers and Directors- benefit plan
blackout periods
Requirements Affecting Senior
Executives, Individual Directors
(cont’d)
Code of Ethics (NASDAQ: 6 months post SEC approval)
– Covers the CEO, CFO, principal accounting officer or Controller, and persons performing similar functions
– Filed as an exhibit to the annual report
– SOA imposes a disclosure obligation only (NYSE and NASD propose a requirement)
– Content:
  – honest and ethical conduct
  – avoidance of conflicts of interest
  – full, fair, accurate, timely, understandable disclosures
  – compliance with applicable laws, rules and regulations
  – prompt internal reporting of code violations
  – accountability for adherence
– Form 8-K disclosure of modifications, waivers (NYSE/NASD propose requiring
disclosure of waivers)
Requirements Affecting Board of
Directors, Board Committees
•Corporate Governance requirements affecting full Board of Directors
•Audit Committee oversight, composition/integrity, reporting mechanism,
pre-approvals
– Audit Committee and independent Auditors seen as key to restoring faith
in the process of financial reporting and oversight
– Audit Committee will have enhanced role in Corporate Governance
•Bans on loans to Executive Officers/Directors (Compensation Committee)
Requirements Affecting Board of
Directors, Board Committees
(cont’d)
•Corporate Governance Requirements Affecting Full Board:
•Current NYSE/NASDAQ proposals (SEC may combine):
– Majority of independent directors (NYSE: within 24 months of SEC
approval) (NASDAQ: 1st annual meeting after 1/1/04)
– Regularly convened executive sessions (independent Directors only)
(NYSE/NASDAQ-6 months from SEC approval)
Requirements Affecting Board of
Directors, Board Committees
(cont’d)
•Corporate Governance (Proposed) Requirements Affecting Full Board:
•Independent Director standards will be increased (for example):
• NASDAQ
– No family member employed as an executive officer in the past 3 years
– No former outside auditor partner/employee during the last 3 years
– No interlocking compensation committee issue during the past 3 years
– Not-for-profits covered if size tests met
– Director or family member may not receive any payments >$60,000
other than for board service
• NYSE
– Similar requirements; but 5 year cooling off periods
– Board must affirmatively determine no material relationship with
company and disclose determination
Requirements Affecting Board of
Directors, Board Committees
(cont’d)
•Additional Corporate Governance (Proposed) Requirements:
– Independent Director approval of Director nominations
– Adopt/disclose code of business conduct and ethics
– SH approval for adoption/material modification of stock option plans
– Independent Director approval of CEO and Executive Management
compensation (NASDAQ)
– Director Continuing Education to be mandated (NASDAQ)
– Material misrepresentation/omission to NASDAQ may be basis for
delisting (NASDAQ)
– Nominating/Governance Committee Charter (NYSE)
– Compensation Committee Charter (NYSE)
– Adopt/disclose Corporate Governance guidelines (NYSE)
– Annual CEO disclosure that he/she is not aware of any listing violation (NYSE)
Audit Committee Oversight
Increased Audit Committee Oversight Responsibilities:
– Directly responsible for "appointment, compensation and oversight" of
independent Auditors (SOA); sole authority to appoint, compensate and
oversee the outside Auditor (NASDAQ)
• Approve, in advance, the provision by the Auditor of all permissible non-audit services
• Authority to engage and determine funding for independent counsel and
other advisors; company must provide funding
• Have a written charter (NYSE)(NASDAQ- 6 months post SEC approval)
Audit Committee Oversight (cont’d)
• At least annually, obtain and review a report by the independent Auditor
describing the firm’s internal quality control procedures; any material
issues raised by the most recent internal quality control review, peer
review or any inquiry or investigation within the preceding five years and
assess the Auditor’s independence with respect to all relationships
between the independent Auditor and the company (NYSE)
• Discuss annual and quarterly financial statements with management
and independent Auditor, including MD&A (NYSE)
• Establish complaint reporting procedures/mechanism
• Audit Committee must review and approve all related-party transactions
(NASDAQ)
• Additional NYSE requirements (e.g., discussing risk assessment and
risk management)
Audit Committee Composition
• Independence
– Audit Committee member not to receive any compensation other than
for board or committee service
– Audit Committee member may not be an affiliate of the company or its
subsidiary (NASDAQ: owns/controls >20% of voting stock)
– NASDAQ: limit the time non-independent Audit Committee members can serve to
2 years; prohibited from serving as chair. Cannot be a company
employee/family member; affirmative board determination required
that membership is in the best interests of the company; disclosure requirements
Audit Committee Composition
(cont’d)
• Financial Expertise
– Audit Committee must include at least one "financial expert" (SOA disclosure requirement in 10K after 1/26/03) (NYSE/NASD require)
• All Audit Committee members must be able to read and understand
financial statements (NYSE/NASDAQ- at time of appointment)
• At least one member of the Audit Committee must have accounting or
related financial management expertise (NYSE); consider education and
experience as public accountant or Auditor or public company CFO,
Controller, and sufficient financial expertise in the accounting and
auditing areas specified in SOA (NASDAQ)
Audit Committee Reporting
Mechanism
•Complaint Procedures:
– Must establish procedures for receipt, retention and treatment of
complaints regarding accounting, internal accounting controls and
auditing issues.
– Implies reporting mechanism, record-keeping and responsive
actions
– Provide mechanism for employees to submit concerns on a
confidential, anonymous basis regarding questionable auditing or
accounting matters.
Audit Committee Pre-approvals
• Must pre-approve any non-auditing service to be performed by outside
auditors (but certain services prohibited- see next slide)
• Disclose such non-auditing approvals in periodic reports (10K, 10Q)
Requirements Affecting Outside
Auditors
•New Auditor Independence Requirements
•Registered public accounting firms will be prohibited from providing eight
types of non-audit services to audit clients:
– Bookkeeping or other services related to company’s accounting
records or financial statements
– Financial information systems design and implementation
– Appraisal or valuation services, fairness opinions
– Actuarial services
– Internal audit outsourcing services
– Management functions or human resources
– Broker or dealer, investment adviser or investment banking services
– Legal services and expert services unrelated to the audit
– Any other service determined to be impermissible by the future
Public Company Accounting Oversight Board
Requirements affecting Outside
Auditors (cont’d)
•Public Company Accounting Oversight Board established
– Oversight of audit of public companies, protect investor interests
– Responsibilities include:
– Register and inspect public accounting firms
– Set standards for outside Auditors
– Enforce compliance with SOA
– Not a government agency; First meeting held January, 2003
– 5 members (only 2 CPAs)
Requirements Affecting Outside
Auditors (cont’d)
•Mandatory Auditor rotation: Partner cannot be lead or review partner
for more than 5 consecutive years
•Outside Auditor must timely report to Audit Committee:
– All critical accounting policies and practices to be used in financial
reports
– All alternative treatments of financial information within GAAP that
have been discussed with management, ramifications of their use,
and treatment preferred by the Auditor
– Other material written communications with management
Provisions Affecting Board
Compensation Committees
•Prohibitions on loans to top management and Directors:
– Public companies now prohibited from directly or indirectly making
personal loans to Executive Officers
– Elimination of other types of loan-related “sweetheart deals” for
Executive Officers
• Covers company and subsidiaries
• Grandfathers loans outstanding prior to 7/30/02 (but no material
modifications or extensions)
Recommended Actions to Enhance
Compliance- Specific Steps
•Assess/document P&P, processes already in place; determine gaps requiring
new standards
•Develop and implement new standards
•Communicate to and train appropriate individuals
– Board of Directors
– Senior Management
– Compliance Officer
– Other Employees
• Enhance reporting mechanism (ensure Audit Committee link)
Recommended Actions to Enhance
Compliance- Specific Steps (cont’d)
•Consider/clarify relationship of Internal Audit/Public Reporting
Compliance Coordinator, Compliance Officer, Compliance Committee,
Board and Board Committee Oversight
•Consider/incorporate auditing, monitoring approaches in compliance
program
•Opportunity to consider/incorporate overall risk assessment and risk
management
•Incorporate responsive actions in compliance program
Recommended Actions to Enhance
Compliance- Specific Steps (cont’d)
•Financial and Disclosure controls:
– Develop timeline/calendar for preparing annual/quarterly reports,
distribute to Management, Directors, Legal Counsel and Auditors
– Prepare Disclosure Guidelines
– Assess/document P&P, processes already in place
– Review/research disclosure rules to assure all are covered in the
process; review industry information (competitor reports,
analyst research reports) to identify issues that may be material to
the investing public; determine gaps requiring new P&P
Recommended Actions to Enhance
Compliance- Specific Steps (cont’d)
•Financial and Disclosure controls:
– Prepare Disclosure Guidelines (continued)
– Identify appropriate individuals to involve in process- principal
accounting officer/controller, risk management, investor
relations, compliance officer, in-house counsel, business unit
heads, subsidiary parallel positions, CEO/CFO review
– Assign responsibility to appropriate specific individuals
– Consider appropriate oversight and disclosure mechanisms, e.g., checklists, forming a Disclosure Committee
Recommended Actions to Enhance
Compliance- Specific Steps (cont’d)
•Financial and Disclosure controls:
– Prepare Disclosure Guidelines (continued)
– Back-up certifications by key individuals
– Consider parallel clawbacks in event of material restatement
– Legal Counsel review of reports
– Outside Auditor/Audit Committee roles, including review
– Document meetings, reviews, approvals/pre-approvals
– Review/revise Audit Committee charter
Discussion
•Compliance Officers’ Brave New World? Familiarity with Financial and
Disclosure Controls?
•Respective roles of Compliance Officer, Internal Audit, Disclosure
Committee, Compliance Committee, Board Committees (Audit,
Governance, Compliance), CFO, Legal Counsel
– How many have Board Compliance Committees?
•Hotlines/reporting mechanisms- how many already include accounting,
internal accounting controls, auditing issues?
•Can the outside Auditor also provide Corporate Integrity Agreement (CIA) Independent Review Organization (IRO) services?
•Risk Assessment/risk management relationship with Compliance
officer/compliance policies
APPENDIX
Reporting
&
Internal Controls
Act Imposes Important Reporting
Requirements on Management
Section 302 (and related SEC rule) (Civil)– CEO/CFO Must Certify Quarterly and Annually that:
• SEC report being filed has been reviewed
• Report does not contain any untrue statements or omit any material facts necessary to make the
statements made not misleading
• Financial statements fairly present, in all material respects, the financial position, results of
operations and cash flows
• He/she is responsible for and has designed, established, and maintained Disclosure Controls &
Procedures (“DC&P”), as well as evaluated and reported on the effectiveness of those controls
and procedures within 90 days of the report filing date
• Deficiencies and material weaknesses in internal control have been disclosed to Audit Committee
and auditors, as well as any fraud (material or not) involving anyone with a significant role in
internal control
• Significant changes in internal control affecting controls for periods beyond review have been
reported in the certification, including any corrective actions with regard to significant deficiencies
and material weaknesses
Note: Individual certifications above and any corresponding disclosure requirements have various effective
dates beginning with filings made after August 29, 2002.
Act Imposes Important Reporting
Requirements on Management
(continued)
Section 404 – Management Must Assess Internal Controls Annually
(Effective date pending)
• Internal control report states management’s responsibility for establishing and maintaining
adequate internal control structure and procedures for financial reporting
• Management must assess effectiveness of internal control structure and procedures for
financial reporting as of the end of the most recent fiscal year
• Attestation by external auditor (Section 404 and 103)
Section 906 (Criminal) – CEO/CFO Must Certify that Periodic Financial Reports
(Effective July 30, 2002)
• Fully comply with the Securities Exchange Act of 1934 and that the information fairly presents the financial condition and results of
operations
Cautionary Note
Recent CEO/CFO certifications filed
with the SEC (either in respect of its
“one time” Order or pursuant to
Section 906) do not contain any
explicit assertions about internal
controls. As Section 302 and 404
provisions require certification or
assessment of specified controls,
companies will need to assess the
implications of these expanded
reporting responsibilities, and
determine the nature of any
additional steps that should be taken
in response thereto.
General Rather Than Specific
Requirements Have Been
Established
• Management must determine for themselves the structure, approach and level of
documentation and formalization that gives the CEO/CFO the requisite basis (and
confidence) to provide Section 302 quarterly certifications.
• The SEC provides a definition of Disclosure Controls and Procedures and related
objectives but does not outline specific requirements, other than recommending the
establishment of a disclosure committee.
• In general, the new certification requirements may require some companies to
formalize control structures, enhance controls and establish monitoring programs to
enable CEOs and CFOs to make their evaluations and report their conclusions.
The SEC expects that each company will develop a process that is consistent
with its business and internal management and supervisory practices.
Understanding Requirements for
Disclosure Controls and Procedures
The SEC defines DC&P as follows:
Controls and other procedures of an issuer that are designed to ensure that
information required to be disclosed by the issuer in the reports filed or submitted
by it under the Exchange Act is recorded, processed, summarized and reported,
within the time periods specified in the Commission's rules and forms.
"Disclosure controls and procedures” include, without limitation, controls and
procedures designed to ensure that information required to be disclosed by an
issuer in its Exchange Act reports is accumulated and communicated to the
issuer's management, including its principal executive and financial officers, as
appropriate to allow timely decisions regarding required disclosure.
In this regard, the SEC intends that companies maintain controls and
procedures (commensurate with those already required with respect to
financial reporting) for gathering, analyzing and disclosing all information –
BOTH financial and non-financial – that is required to be disclosed in
specified and periodic filings.
Special Issues for Lawyers and
Compliance Officials
Michael L. Shaw
PricewaterhouseCoopers LLP
Special Issues for Lawyers and
Compliance Officials
•Document retention and destruction
•Whistleblowers protection
•Attorney reporting responsibilities
•Increased enforcement penalties
Documents (cont’d)
• 18 U.S.C. § 1519: “Whoever knowingly alters, destroys . . . with the
intent to impede, obstruct, or influence the investigation or proper
administration of any matter within the jurisdiction of any [U.S.]
department or agency . . . or in relation to or contemplation of any
such matter or case . . .”
• The language "in relation to or contemplation of any such matter or case" raises questions:
– Could common document retention/destruction policies result
in violations where they call for destruction of documents
relevant to a matter that could arise in the future?
– Potential problem if a document retention program is set up
with the intent to avoid future Government liability.
Documents (cont’d)
•Need to develop a business justification for every element of the
document destruction plan
•Document destruction program should exempt from destruction all
documents that could be used in future investigations
•Company’s e-mail policy and document retention policies should be
reviewed and revised to accord with new statutory requirements.
SEC Lawyers
•New Lawyer Disclosure Obligation: SEC to issue rules within 180 days
setting minimum standards for lawyers appearing/practicing before the
SEC (Sec. 307)
•Two-tiered disclosure obligation:
(1) Rules will require in-house and outside counsel to report
securities law violations to company’s CEO or chief legal officer;
(2) If they don’t respond appropriately, lawyer must report directly to
Board of Directors or designated Board committee
SEC Lawyers (cont’d)
•Materiality standard: SEC is to adopt rule “requiring an attorney to
report evidence of a material violation of securities law or breach of
fiduciary duty or similar violation by the company or any agent thereof ”
•Good news
– “Materiality” limitation
– No reporting outside the company is required
•Troublesome issues:
– “Practicing before the Commission” is a broad standard; will probably
include work on registration statements
– What kind of “evidence” should an attorney have?
SEC Lawyers (cont’d)
– What is a “similar violation?”
– What is an “inappropriate” response on the part of the CEO or
Chief Legal Officer, that would require the attorney to go to the
Audit Committee or full Board?
– What if the Audit Committee or Board are complicit in the
wrongdoing, or refuse to take remedial action?
•Legal department may want to articulate and disseminate standards to
staff as to when they must come forward to the General Counsel
Whistleblowers (cont’d)
• Sweeping new protections for whistleblowers
• Modeled after protections for airline employees reporting safety
violations
• Two new provisions to protect whistleblowers:
• 18 U.S.C. § 1513 (criminal prohibition on retaliation)
• 18 U.S.C. § 1514A (civil remedy for employees of public companies)
Whistleblowers (cont’d)
• 18 U.S.C. § 1513: “Whoever knowingly, with the intent to retaliate,
takes any action harmful to any person . . . for providing to a law
enforcement officer any truthful information relating to the
commission or possible commission of any Federal offense . . .”
• Elements added to 18 U.S.C. § 1513(e):
– Knowing and intentional action to retaliate
– Against any person (not just an employee)
– Providing truthful information relating to commission or
possible commission
– A law enforcement official (not just a Federal agent)
– Regarding any Federal offense
Whistleblowers (cont’d)
•Elements of 18 U.S.C. § 1514A:
– Prohibits a company from sanctioning an employee because of
any lawful act to provide information about “fraud against
shareholders” to (1) a Federal agency, (2) Congress, or (3)
employee’s supervisor.
– Authorizes civil action for damages and equitable relief, including
reinstatement, back pay, attorneys’ fees, etc.
– 90-day statute of limitations: employee must file claim within 90
days of retaliation.
– Provision construed narrowly: applies only to information provided
in connection with an ongoing proceeding.
New Felonies and Increased
Criminal Penalties
•Substantive new offenses added by the Act:
– 18 U.S.C. § 1348: Scheme or artifice to defraud
– 18 U.S.C. § 1350: Knowing violations involving new CEO/CFO
certifications
•Enhanced Penalties:
– Multiple directives to U.S. Sentencing Commission to boost
penalties for obstruction of justice, criminal fraud, accounting and
securities fraud, and the new “white collar” provisions in the Act
related to document destruction or tampering
New Felonies and Increased
Criminal Penalties (cont’d)
– Enhanced penalties for conspiracies (from 5 years to same level
as underlying offense)
– Stiffer penalties for criminal ERISA violations
– Doubles the penalties for criminal violations of the Securities Exchange Act of
1934
Intersection with Compliance
Programs and Internal Control
Concepts
Michael L. Shaw
PricewaterhouseCoopers LLP
Intersection with Elements of a
Compliance Program

The seven elements of a compliance program, drawn from the Federal Sentencing Guidelines, experience from other industry sectors, and OIG Compliance Program Guidance:
• Standards and Procedures
• Oversight Responsibility
• Education and Training
• Lines of Communication
• Monitoring and Auditing
• Enforcement and Discipline
• Response and Prevention

Standards and Procedures
– Code of Conduct
– Commitment by senior management
– Distribution to applicable employees and contractors
– Updating to address new risks
– Values approach
– Records retention

Oversight Responsibility
– High-level involvement
– Responsibility for developing, operating, and monitoring the compliance program
– Direct access to Board and/or CEO
– Updates to Board and/or CEO
– Operational Committee

Education and Training
– General and specific training sessions on a periodic basis
– Cover commitment, reinforce policies and procedures, and address risks
– Conducted for applicable employees and contractors
– Documentation of training efforts

Lines of Communication
– Hotlines
– Exit interviews
– Periodic surveys
– Supervisor accountability
– Documentation of issues identified and resolved
– Periodic reports on issues handled
– Non-retaliation policy

Monitoring and Auditing
– Internal or external evaluators to perform regular reviews
– Focus on high-risk areas
– Validation of policies and procedures
– Qualifications of reviewers
– Corrective action in response to audit results
– Monitoring and reporting of audit efforts

Enforcement and Discipline
– Consequences of violating the law, the Code of Conduct, or policies and procedures
– Violations reviewed and resolved on a case-by-case basis
– Consistent disciplinary action
– Confidentiality
– Periodic reports of action taken

Response and Prevention
– Prompt investigations of reasonable allegations of suspected noncompliance
– Decisive steps to correct problems identified
– Reporting to Government when appropriate, under the advice of legal counsel
Addressing DC&P Requirements

[Diagram] The slide relates Disclosure Controls and Procedures (DC&P) to Internal Controls Over Financial Reporting (which include the Internal Accounting Controls) and to the other aspects of Compliance and Operations pertaining to DC&P. Its legend covers the Disclosure Requirements across Operations, Financial Reporting and Compliance.
Operationalizing the Control Structure, Including the Certification Effort
What are ‘Internal Controls’?
• COSO defines internal controls as a process effected by an entity’s Board of Directors, Management and other personnel, designed to provide reasonable assurance regarding achievement of the objectives in each of the following categories:
  – Effectiveness & Efficiency of Operations
  – Reliability of Financial Reporting
  – Compliance with Applicable Laws and Regulations
The Five Components under the COSO Framework

Control Environment
• Sets tone of organization, influencing control consciousness of its people.
• Factors include integrity, ethical values, competence, authority, responsibility.
• Foundation for all other components of control.

Risk Assessment
• Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.

Control Activities
• Policies/procedures that ensure management directives are carried out.
• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Information and Communication
• Pertinent information identified, captured and communicated in a timely manner.
• Access to internally and externally generated information.
• Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action.

Monitoring
• Assessment of a control system’s performance over time.
• Combination of ongoing and separate evaluation.
• Management and supervisory activities.
• Internal audit activities.

All five components must be in place for a control to be effective.
Benefits of the New Law
• Increased confidence of CEO/CFO in meeting reporting requirements
• Improved coordination of Company Management Team
• Improved and clarified Corporate Governance process
• Systematized process for early identification of business risks / whistle-blowing issues / incident management
• Systematized approach to dealing with change (i.e., transactions, personnel, accounting principles, internal controls and operating procedures)
• Increased operational effectiveness
Final Observation
The Sarbanes-Oxley legislation has established a new paradigm for corporate responsibility, accountability, transparency, and behavior. Responsibilities of some parties have increased, while those of others have been made more explicit. And the Act has established a new standard for companies regarding the reporting of internal control effectiveness.
Good internal controls are not just a best practice… the Act reinforces them in the Law!
Compliance Programs – The Missing Link
Jody Ann Noon, RN, JD
Complex Processes and Organizational Models
The Health Care & Life Sciences Industry faces an ever-changing spectrum of risks:
• Who is responsible for managing risks related to each activity? What should be done to plug any gaps?
• What are the mechanisms for escalating emerging risks?
• Who monitors risk management activities to ensure they are effective?
Scope of Compliance
Corporate Governance
• Fraud (Sarbanes-Oxley)
• Foreign Corrupt Practices Act
• RICO
• Anti-Trust
• Federal Sentencing Guidelines
• Financial Reporting (e.g., Revenue Recognition)
Health & Safety
• Medicare
• Medicaid
• Environmental Protection (EPA)
• Occupational Health (OSHA)
• Food & Drug (FDA)
Consumer Protection
• HIPAA
• Gramm-Leach-Bliley
• EU Directive

• Complex, rapidly changing, global industry
• Increasing regulatory oversight
• Complex and inconsistent regulations around the world
• Heightened awareness of compliance as a result of corporate scandals
• Compliance risks impact almost everyone in the global enterprise
The Compliance challenge – to leverage and integrate the full resources of the enterprise to manage key risk and product quality
Point of View
• Organizations tend to manage risks in “silos”
– Limited ability to aggregate risk exposures
– Difficult to identify interrelationships between risks
– Timely, frank communication of emerging issues may not always occur
• Inconsistent approaches to managing risks between “silos”
– Quality, Compliance and Risk Management not well integrated
– IT often an issue – opportunity for Compliance to take a broader view in assessing
IT controls across the silos
– Few internal audit functions have a true enterprise-wide view of risk
• Opportunity for Compliance to play a more strategic role:
– New compliance requirements demand that companies take a broader view of risk
(e.g., Sarbanes-Oxley, OIG compliance guidelines, FDA)
– Compliance impacts almost all functions and employees
– Processes to monitor compliance can be used to monitor other risks and quality
– Compliance can serve as a focal point for debating emerging risk issues, quality
and management strategies
– Compliance well placed to “connect the dots” across the enterprise
The Role of Compliance
The effectiveness of Senior Management’s oversight is typically limited because:
• Limited linkage between governance and control activities
• Existing internal control structures do not address the full range of risks
• Key risks are managed by separate groups (e.g., FDA compliance, clinical trials, manufacturing quality)
The “missing link” is a compliance program and infrastructure to measure and monitor the effectiveness and alignment between corporate governance and business unit / functional risk management, compliance and quality activities.
Traditional Model
[Diagram: risks managed in separate silos]
• Compliance
• Finance – SEC (e.g., Sarbanes)
• Service Delivery – FDA, Privacy, False Claims, CoPs
• Sales & Marketing – Kickbacks, Privacy
• Accounts Receivable – False Claims, SEC
Quality, compliance and business risks managed by silo: difficult to track all of the moving parts
Emerging Model
[Diagram: Board – Chief Compliance Officer – Day-to-Day Operations]
Chief Compliance Officer:
• Financial Risk
• Regulatory Risk
• Systems/IT Risks
• Operational Risks
Quality, compliance and business risks managed in a coordinated manner: easier to see key interrelationships and interdependencies
Organizational Approaches
• Board Oversight
– Committee of Directors
• Senior Management Involvement
– Compliance Committee
• Centralized vs. Decentralized Strategy
– Strong central function
– Pockets of expertise in the business units
• Teaming with Other Risk Management Functions
– Internal Audit
– IT
– Manufacturing
– Sales and Marketing
– Etc.
Some Critical Success Factors
• Senior Management/Board commitment
• Clearly defined mission, communicated and understood throughout the organization
• Mutual agreement on respective roles of compliance and other risk management groups
• Realistic and manageable short-term objectives
• Effective communication mechanisms
• Effective strategy for identifying and monitoring key risks
• Robust methodologies and tools that are consistent with the corporate culture
For More Information Contact:
Michael L. Shaw
Senior Manager
PricewaterhouseCoopers
1300 K Street, N.W. – Suite 800
Washington, D.C. 20005
(202) 414-1552
michael.l.shaw@us.pwcglobal.com
Nancy Lanis
Senior Vice President & General Counsel
Curative Health Services
150 Motor Parkway
Hauppauge, N.Y. 11788
(631) 232-7016
nlanis@curativehealth.com
Jody Ann Noon RN, JD
Partner
Deloitte & Touche LLP
Health Care Regulatory Practice
jodynoon@deloitte.com
(503) 727-5207