Mid-Atlantic Health Law TOPICS


Sarbanes-Oxley Lite

A version of this article was published in The Daily Record on January 18, 2008.

The Sarbanes-Oxley Act (SOX) was signed into law on July 30, 2002, in an effort to prevent abuses in financial reporting by public companies, and to reshape corporate governance. Although SOX generally applies only to public companies that must file periodic reports with the Securities and Exchange Commission, many private companies (including tax-exempt health care organizations) are adopting parts of SOX for a variety of reasons.

For example, there has been pressure from underwriters who rate tax-exempt debt for nonprofit hospitals to adopt certain parts of SOX. There is also a belief in the nonprofit hospital industry that the voluntary adoption of SOX will keep Congress and state legislators at bay during a time of increased scrutiny of the tax-exempt status of hospitals.

Some nonprofit health care providers are adopting parts of SOX to manage risk, to achieve efficiencies and to improve performance with more effective internal controls and financial reporting methods. Additionally, board members who serve on both public company and tax-exempt boards are demanding the adoption of SOX by tax-exempt health care providers. Of course, establishing a sound corporate governance environment can also result in much greater confidence in an organization internally and externally.

However, complete compliance with SOX can be very costly, complex and time consuming, especially compliance with Section 404 of SOX. Among other things, Section 404 requires an extensive and expensive annual review, by both an internal audit department and the outside auditor, of all of an entity's financial processes.

As a result, many nonprofit hospitals are implementing a "Sarbanes-Oxley Lite" approach: they are not adopting all of the SOX rules, but are only implementing certain measures, including most notably the following:

1. Director Independence. Whether an organization is public or private, good corporate governance includes increased independence of the board of directors or trustees from management. At least a majority, if not more, of the directors or trustees should be independent directors selected by the other independent board members.

2. Audited Financial Statements and Auditor Responsibilities. Unless it would cause an unreasonable financial burden, a tax-exempt entity should undertake an annual audit of its financial statements by an independent, outside accounting firm.

Additionally, rotating the lead audit partner or the audit firm itself every five years is generally good practice for any organization. When the same partner or firm continually performs the audit for an entity, it may become accustomed to the financial procedures of the entity. A fresh perspective in the audit of financial statements can help generate ideas from the auditor, and help ensure a fair presentation of the entity's financial condition.

Further, to avoid conflicts of interest between the outside auditor and the entity, most non-audit related services should not be performed by the outside auditor, particularly bookkeeping, appraisal and financial systems design and implementation. If the entity continues to engage the auditor for certain non-audit services, such as tax preparation, those engagements should be pre-approved by the audit committee on a case-by-case basis.

3. Audit Committee and Oversight of the Auditor. If a tax-exempt hospital does not have a separate audit committee, the organization should establish one. The audit committee should be comprised of members who are completely independent from management, and such members should not receive any consulting or advisory fees from the organization. Also, one member of the audit committee should be a "financial expert" and have a strong accounting and audit background to help foster a better understanding of the audit process.

The responsibility to assign duties to, and oversee the relationship with, the outside auditor lies with the board, not management, and the audit committee should provide the link between the board and the outside auditors. The audit committee should have the direct responsibility for the appointment, compensation, and oversight of the outside auditor.

4. Financial Statement Certifications. The CEO and CFO (or other persons in equivalent positions), as well as the full audit committee, should review the annual and quarterly financial statements and Form 990 tax returns for accuracy, and the CEO and CFO should certify them in writing. This certification should include, at a minimum, a statement that the officer has received reasonable assurance as to the accuracy and completeness of the financial statements and Form 990.

5. Assessment of Controls. A full-blown assessment of internal controls in accordance with Section 404 of SOX is very expensive and time consuming. A Sarbanes-Oxley Lite approach would instead have the audit committee assess the organization's key financial controls in high-risk areas (accounts receivable valuation, revenue recognition through managed care contracts, malpractice, research, technology and investment accounting) and review the relevant processes that have the greatest impact on financial reporting.

6. Code of Ethics. Whether a company is public or private, good corporate governance entails establishing formal policies regarding conduct, ethics and conflicts of interest. A written policy sets the tone at the top, and makes employees aware of what is expected of them. Private companies should establish guidelines that clearly spell out what constitutes a conflict of interest, and include a process for resolving or waiving these conflicts.

All proposed transactions between the organization and an insider should be carefully scrutinized by a group of independent board members. Additionally, personal loans to management or directors should be avoided.

7. Whistle-Blower Protections. The whistle-blower provisions of SOX actually apply to private and public companies alike. Therefore, both for-profit and nonprofit entities should establish and disclose a formal, confidential and anonymous process to deal with employee reporting of improper practices regarding the company's audit and financial management.

All complaints should be fully investigated and reported. Management should also strongly enforce written policies and make it clear to employees that misconduct will not be tolerated. In addition, organizations should not punish or retaliate against whistle-blowers.

8. Document Retention. SOX also creates a new criminal obstruction of justice offense that actually applies to all individuals, not just those who are employed by a public company. Therefore, nonprofit entities need to establish written procedures with respect to document retention and periodic destruction, and to make all employees fully aware of those policies. The document retention policy should cover the handling of electronic files and voicemails as well.

Whether required or not, all organizations, whether big or small, public or private, including tax-exempt health care organizations, should be considering voluntary compliance with many of the foregoing SOX Lite concepts.