Feature

How “SOX-Like” Compliance Can Benefit the Healthcare Industry

By Mark B. Zajac, CICA

Executive Summary

The Sarbanes-Oxley Act of 2002 (SOX) is no longer limited only to public organizations that file financial statements with the Securities and Exchange Commission (SEC). SOX has been undertaken successfully by many private organizations, including hospitals and not-for-profits. Over the years, this unprecedented legislation has been adapted, to some extent, in its applicability as a best-in-class corporate governance methodology. Fully implemented SOX addresses many aspects of corporate governance that are not applicable to the private sector such as analyst conflicts of interest and, to some extent, . There are, however, significant portions of the legislation that apply on a one-for-one basis to healthcare providers. The healthcare industry should look to these portions to serve as a corporate governance best practice.

This article will evaluate the applicability of SOX in the healthcare industry and provide the reader with a historical foundation of the law and best practices that can be applied within a provider setting.

Introduction

It’s hard to believe it was over eight years ago, on July 30, 2002, when the most sweeping corporate responsibility and financial reporting legislation since the Great Depression was signed into law by President Bush. Senator Paul Sarbanes and Representative Michael Oxley crafted the Act and Congress delivered it to American business in an unprecedented timeframe in the wake of the scandal.

The primary objective of SOX was to rein in corporate irresponsibility and restore investor confidence in big business. It also provided investors with a level of transparency never before imagined. In , the days of using creative techniques to misrepresent corporate profitability and financial position were over. Corporate America was introduced to an entirely new set of ideas which included accountability, transparency, and independence.

For the uninitiated, SOX was a far-reaching corporate legislation that affected everyone from financial executives and Board members to auditors and shareholders of public companies in the U.S. When I first heard of SOX, my initial reaction was that it was going to be expensive and companies were going to find creative ways to not do it, or do it the way they wanted. Well, I was 50% right. Companies did fully comply with it, and it was incredibly expensive. Although the new rules were strict, enforceable, and, not to mention, expensive, no one can argue that SOX did not help corporate America achieve a level of accountability, transparency, and independence that was so desperately needed.

Although the original law specifically catered to larger-sized public companies, known as “accelerated filers,” its applications and “spirit” to the private sector can no longer be discounted. Public companies with large amounts of public capital at stake were the primary audience of SOX. As the thinking goes, these were the organizations that had the most profound effect on the American public (voting public that is) since the public held directly or indirectly (or debt) stakes in these companies.

But what type of capital-at-stake does the healthcare industry hold? Most healthcare providers do not have stocks or bonds issued to the public, and most cannot be purchased for your 401k (or 403b) plan at work. Therefore, healthcare providers do not satisfy the definition of “too big to fail” and thus are not considered to be “at risk.” Keeping the aforementioned in mind, why should healthcare providers voluntarily comply with Sarbanes-Oxley? Easy. It’s what your stakeholders would want you to do, it is the right thing to do, and there are many benefits to following the best practices guidelines set forth within SOX.

What Went Wrong

Before I get into the details of SOX, or any of its applications to healthcare, a high-level analysis of the auditing profession prior to SOX seems appropriate.

The more I have talked to people about what events have led to SOX legislation, the more I am convinced that my initial list below is correct. While many events were considered to be influential in one form or another, the ones below are considered the main trigger points.

• Loss of Auditor Independence—Firms, by their nature, have always had an incentive to sell additional services to their clients. Ever since audit firms began branching out into the consulting arena many years ago they knew it was going to be a cow. But, when firms found clients willing to pay top dollar for consulting advice, they did not think twice. It is supply and demand in its perfect form. Basically, why not sell ABC Company an external financial statement

September 2010 Association of Healthcare Internal Auditors New Perspectives 55

audit along with a financial systems implementation or an outsourcing arrangement? Just package them together and show the client how much value is provided through efficient use of economies of scale. Another added benefit to clients was the perception of having a “one-stop shop” of available financial advice.

Take for example, Arthur Andersen and Enron. During 2000, Enron paid Andersen $25 million in audit fees. To the average person, that would seem like a large number. But, Andersen was accepting a lot of risk for those fees, so they were, in a sense, justifiable. Also, in 2000, Enron paid Andersen an additional $27 million in tax and consulting fees. Rather than generating $25 million in fees from Enron, Andersen generated a total of $52 million for that year. Not bad. Andersen took an audit product line and cross-sold millions of dollars more in tax and consulting fees.

The same story is true for another one of Andersen’s clients. Again, $4.4 million in audit fees, $7.6 million for taxes, and $4.8 million for ‘other fees’. The name of this client was Worldcom.

In both examples, Andersen made more money providing higher margin consulting services than lower margin attestation services. Andersen was using the financial statement audit as a loss leader in favor of charging the client fatter margin services from the consulting area. However, in the process they lost sight of their professional skepticism during the .

This marketing technique may sound familiar to you. Your local grocery store uses bread and milk as loss leaders to get you to buy products that have a “fatter margin” like premium ice cream, deli meats, etc. It is the same thing. As you can see in the graph, it was not until after the SOX legislation passed that you could begin to observe a correction in audit fees, as percent of total fees, collected.

• Self-Regulated Accounting Industry—Peer reviews were the main check and balance audit firms used to make sure they had no “quality control” issues. Prior to the establishment of the Public Company Accounting Oversight Board (PCAOB), audit firms regulated themselves through a series of what the industry called “peer reviews.” Once every couple of years, a Big Five firm would “audit” another Big Five. Some of what they would look at during these reviews was workpaper quality, compliance with independence rules, client risk , and professional conduct.

When another audit firm found something material in what was being reviewed, a simple slap on the wrist occurred. The rule-breaker promised to fix it and everybody got on with business. Nothing was ever published; no firm made the news headlines, there was nothing in place to prevent repeated violations of professional standards from occurring. Simply put, the process did not work. Now, the peer review process has been replaced by the PCAOB whose responsibility it is to set audit standards and enforce compliance. For non-PCAOB firms, a modified peer review program administered by the American Institute of Certified Public (AICPA) has been developed since the passage of the SOX legislation.

• Loss of Auditor Skepticism—Prior to SOX, auditors no longer thought it was necessary to ask basic questions as part of their audit engagements. If auditors’ programs told them not to audit a certain area on the financial statements, they did not. In addition, as I have elaborated above (Auditor Independence), the imbalance between audit and consulting fees was the primary driver for auditors’ failure to ask the simple, basic questions. There was just no incentive to ask the tough questions.

• Pressures to Keep Audit Fees Low—Audit firms were constantly pressured to find ways to keep fees low, but concomitantly expand their services. Much is the same today. However, the difference between today and back then is that audit firms would agree to the lower fees knowing they could make up for it with higher margin consulting fees. Today, audit firms no longer have the “consulting option” to fall back on and thus are more apt to keep fees higher, or to say “no” to clients more often.

• Focus on Efficiencies—The birth of risk-based and quantitative auditing was supposed to increase audit efficiency and quality. No firm wanted to capitalize on this trend more than Arthur Andersen did. Andersen was generations ahead of the other Big Five firms when it came to risk-based auditing methodologies and quantitative auditing techniques. For Andersen, it ended up being a monumental disaster. Computer or “black box” models would quantify all the risks that were inherent with an audit client

and produce reports telling the engagement team where they needed to spend the majority of their time. Although these models and methodology were sound when not used in a vacuum, the absence of professional skepticism and judgment ultimately made the models bad business practice, and in the end obsolete.

Exhibit A—Highest Profile Fraud Cases Publicly Reported—Pre-Sarbanes-Oxley

Company                            Auditor    Year   Fraud Technique
Enron (Energy)                     Andersen   2001   Off liabilities to hide debt
Worldcom (Telecom)                 Andersen   2002   Improper capitalization of period
Global Crossing (Telecom)          Andersen   2002   Related-party transactions
HealthSouth (Healthcare)           E&Y        2003   recognition, reserves, related-parties
Tyco (Industrial)                  PwC        2002   Acquisition accounting, corporate governance
Waste Management (Industrial)      Andersen   1999   Manipulation of to inflate income
Sunbeam (Manufacturing & Dist)     Andersen   1998   Improper revenue recognition, reserves, other
Bristol-Myers Squibb (Pharma)      PwC        2002   Improper booking of sales—channel stuffing
Xerox (Manufacturing, Services)    KPMG       2000   Timing of revenue on copy machine leases
Adelphia Comm Corp (Services)      D&T        2002   Corporate abuse, personal , commingling
Microstrategy (Services)           PwC        2000   Improper revenue recognition on contracts

Overview of SOX

The Sarbanes-Oxley Act includes 11 unique sections called “titles.” Each title contains sections—66 in total throughout the entire act—which break down the various aspects of the legislation. While compliance with SOX is not yet required of healthcare or other private organizations, there are two basic components of SOX applicable to all organizations that transact business, regardless of legal form. These two components are 1) Document Retention and 2) Protection of Whistleblowers.

In my opinion, the key features of SOX applicable to a healthcare provider include the following:

• Document Destruction (Section 802)—Makes it illegal to destroy or alter documents during a federal investigation or bankruptcy proceeding.

• Protection of Whistleblower Rights (Section 1107)—Makes it a federal crime to retaliate or take any harmful action against any person who has truthful information relating to the commission or possible commission of any Federal offense.

• Services Prohibited by Audit Firms (Section 201)—Firms cannot provide professional services that undermine their independence as it relates to attestation services.

• Mandatory Audit Partner Rotation (Section 203)—Lead audit partners are required to rotate off engagements every five years.

• Certification of Financial Statements by the CEO and CFO (Section 302)—The CEO and CFO certify the financial statements and disclosures. Senior Management is now held legally accountable for any erroneous or factual misstatements.

• Management’s Assessment of Internal Controls (Section 404)—This is the section most people think of when SOX is discussed. Management is responsible for establishing and maintaining an adequate control structure and procedures for financial reporting. An annual assessment of the internal control structure is required to be completed by management and signed off by the same audit firm who the financial statements.

• CEO Signs the Federal Income Tax Return (Section 302)—Apparently, the U.S. Senate thought this was important enough to include in the legislation.

The Case for Compliance in Healthcare

As a healthcare provider, because it is not required, it is easy to pass on implementing SOX for your organization. However, by passing on compliance you could be ignoring the many benefits compliant organizations have enjoyed since 2004. Below are some of the benefits a healthcare organization can gain after becoming SOX compliant.

• Reduced opportunity for damaged reputation
• Additional support of tax-exempt status
• Good stewardship of donated dollars
• Reliable financial reporting
• Discovery of cost efficiencies
• Minimized knowledge transfer loss
• Integrated compliance with other statutory requirements like HIPAA

SOX Application in Healthcare

One of the advantages for healthcare providers implementing SOX today is those organizations can take a paced approach to compliance. Unlike publicly traded companies in 2002, organizations attempting to implement SOX now are not faced with the same challenges such as heavy interpretation of the law and competition for scarce SOX knowledge-base resources. Taking a paced approach, with time to do things right, will serve your entity well if the law eventually requires not-for-profit compliance.

Your entity’s initial focus can begin with:

• Developing and/or revamping the document destruction policy;
• Initiating a whistleblower hotline;
• Training the organization on hotline use;
• CEO signing the federal income tax return;

and later:

• Identification and documentation of key controls in critical processes;

• Determining a testing strategy.

SOX Best Practices in Healthcare

At the very least, healthcare providers should be sure to include the following SOX compliance items in their program:

• Establish a Document Destruction and Retention Policy. Implement a structured policy around the retaining and destroying of documents within your organization. The policy should include not only hard documents, but also:
  – electronic media
  – voicemails
  – backups of electronic media
Further, the policy should include procedures to follow when there is notice of an official federal investigation initiated against the organization.

• Adopt a Whistle-blower Hotline. The key points include making sure that all calls are documented and followed up. Formally document the hotline in a policy that is readily available to all employees. No one should ever retaliate against a person providing truthful information through the hotline.

• Develop a Formal Code of Ethics and Communicate it to all Employees. The goal here is to communicate a positive image and a “doing the right thing” mindset to your employees so the right is established.

• Establish an Independent Audit Committee with at Least One Financial Expert. Make sure, at a minimum, that the Audit Committee is responsible for the selection, retention, and supervision of the external auditors. Ultimately, the audit committee should have responsibility over accounting and financial reporting processes.

• CEO and CFO Certify the Financial Statements and Disclosures. If you want to implement this section and need the language for the certificate, you can go to the SEC website, SEC.gov, and select any public company’s Section 302 certificate and use that as a starting point. Most of the ones you will find online are boilerplate anyway.

• Evaluate All Projects Performed by Your . Determine any impairment to the audit firm’s independence. The Audit Committee should take on this task.

• Rotate Lead Audit Partners Every Five Years. Request your external audit firm to conform. The Audit Committee should take on this task.

• Require the CEO to Sign the Federal Income Tax Return. This should be a governance policy. The Audit Committee should take on this task.

• Prohibit Personal Loans to Directors and/or Officers. This should be a governance policy.

A Word about SOX Section 404 and Internal Controls

For Section 404, keep in mind you will want to use a methodology that is easy to understand and based on the COSO internal controls framework. Additionally, selecting a methodology with a history of being successfully implemented at other organizations can help as well. Lastly, your approach to compliance should always be:

• top down
• risk-based
• designed to ensure all requirements are satisfied appropriately

A typical framework for Section 404 compliance might look like the following:

Lessons Learned

I would encourage organizations thinking about pursuing SOX-like compliance to take a lesson from entities that have already gone through compliance. Below are some “key lessons learned” I have collected over the years.

• Buy-in from top management is very important. If Senior Management is not serious about compliance, why should employees be serious?

• Strict adherence to completion dates. Set goals and completion dates and stick to them.

• Involve your external auditors early since they will have to attest to the controls. Similarly, involve internal audit early. Internal Audit is best positioned to hit the ground running, as their familiarity with the entire organization will be a niche skill set.

• Focus on key financial controls. Take a risk-based approach to internal controls identification. Familiarize yourself with PCAOB Standard 5 (AS5).

• Keep people focused and interested in the project, especially operational managers. Sometimes it is hard keeping a manager with profit center responsibility interested in a regulatory compliance project.

• Employee training—ensure employees understand the requirements and how it will affect their work.

• Remind employees that SOX is a continuous on-going process and because development and implementation is completed, it does not mean it will not need to be continually revisited.

Conclusion

Although healthcare providers are not yet subject to the Sarbanes-Oxley regulation, regardless, it is obvious from the discussion above that there are many advantages to implementing

SOX-like compliance. Healthcare providers should want to show the communities they serve that they are good corporate citizens and financial stewards. What better way to do that than to voluntarily become SOX compliant?

Mark Zajac is a Certified Internal Controls Auditor (CICA) in Chicago. He has more than 10 years of professional services and corporate experience in the areas of internal audit, accounting, and finance. Mark has participated in consulting engagements in public and private companies and has implemented Sarbanes-Oxley compliance programs in a number of industries, including healthcare. Mark works in Plante & Moran’s Enterprise Risk Services group and serves clients in healthcare, manufacturing and distribution, and services. You can reach Mark at 312-602-3579 or via email at mark.zajac@plantmoran.com.