MD - Health Care Compliance Association


hcca.info.org
03.01.2015

The OIG’s roadmap for effective compliance programs ...continued from page 39

6. Response to detected deficiencies
■ Has the hospital created a response team to evaluate detected deficiencies
■ Are all deficiencies thoroughly and promptly investigated
■ Are corrective actions taken to resolve compliance violations
■ Are subsequent periodic reviews performed to verify that corrective actions have eliminated compliance problems
■ Are overpayments promptly identified and returned to the fiscal intermediary or other payors
■ Are compliance violations promptly reported to the appropriate law enforcement agency, if required

7. Enforcement of disciplinary standards
■ Are disciplinary standards publicized to all hospital personnel
■ Are disciplinary standards consistently enforced throughout the organization
■ Are enforcement actions of disciplinary standards properly documented
■ Are employees, contractors, medical and clinical staff checked routinely against the government sanctions list

In summary, there are at least three ways a hospital can evaluate the effectiveness of its compliance programs. The first is for the hospital to conduct an internal review using its own personnel. Note: The OIG cautions that the reviewers should be independent of line management. In other words, the reviews should be conducted as independently and objectively as possible.

The second way is to utilize external consultants. This generally provides an independent and objective evaluation of the compliance program’s ability to meet the seven elements required for effective compliance programs.

The third way is through a government investigation. Government investigators have the right to request copies of the compliance plan and standards of conduct and to review the hospital’s compliance activities to determine if the compliance program is effective.
Without a doubt, hospitals should perform their own compliance effectiveness reviews at least annually to evaluate if their compliance programs are operating properly. The OIG has provided a good roadmap of its expectations for an effective compliance program. Now, hospitals are in the driver’s seat to develop and maintain effective compliance programs. ■

A new value proposition ...continued from page 31

Legal and regulatory context

The emerging control frameworks converge for the purposes of SOX section 404 and the development of compliance programs. Another common denominator is the focus on antifraud programs and controls. Each of the standards establishes criteria for evaluating such controls from a distinct vantage point. The COSO framework 3 establishes criteria for internal control over financial reporting which forms the basis of management and auditor obligations under SOX 404. The standards under the amended U.S. Sentencing Guidelines for Organizations are designed to address what prosecutors and courts look for in determining whether an organization has exercised due diligence in establishing a program to prevent and deter violations of law.

The listing requirements of the stock exchanges define certain control standards in greater detail. Still, the various criteria share similar characteristics that can be organized under the overall COSO framework.

Sarbanes-Oxley and ensuing regulations and standards

Reaffirming the obvious, Sarbanes-Oxley is focusing attention on standards that will have far-reaching governance and control expectations on organizational compliance systems. It is now abundantly clear that many of the principles found in Sarbanes-Oxley overlap and complement existing compliance guidances, and those principles are being further adopted and enhanced by other regulatory authorities.
To further restate what is well known, the credibility of public company financial reporting was undermined following a string of corporate accounting scandals. These events led to a number of proposals to improve the financial reporting process and restore investor confidence. In 2002, Congress passed the Sarbanes-Oxley Act 4 to improve the integrity of financial reporting and to restore public confidence. Subsequently, the Securities and Exchange Commission (SEC), various stock exchanges, and the National Association of Securities Dealers adopted rules and regulations mandating processes tailored to meet the requirements of the new law.

Failures in internal control, particularly over financial reporting, were among the specific concerns addressed by Congress in SOX. 5 Congress required that management affirmatively report on a company’s internal control over financial reporting, and that auditors attest to the accuracy of management’s report. The Act thus created the Public Company Accounting Oversight Board (PCAOB) to oversee the audits of public companies.

Organizations use internal controls as safeguards and checks on a variety of processes including the three objectives set forth under COSO: financial reporting, operating efficiency and effectiveness, and compliance with applicable laws and regulations. Most companies and their auditors will use the COSO framework, which has been deemed suitable by the PCAOB for purposes of management’s assessment. 6 The COSO integrated framework includes five components of internal control (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring) that are also acknowledged by the PCAOB.

January 2006 40 Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

SOX refers explicitly to controls related to the prevention, identification and detection of fraud. And the PCAOB repeatedly notes that strong internal controls provide better opportunities to detect and deter fraud. 7 Although antifraud programs and controls must include all five components of COSO, special emphasis is placed on the control environment, 8 such as tone at the top, because of its pervasive effect on the achievement of many overall objectives of control criteria.

Amendments to the Organizational Sentencing Guidelines

Prior to SOX, the U.S. Sentencing Commission adopted the Federal Sentencing Guidelines (FSG), which introduced the seven criteria for management of ethics and compliance risk, 9 and which have served as the primary framework for compliance program effectiveness. The FSG and COSO frameworks share many characteristics. Many of the FSG criteria are contained in the components of COSO, especially under the control environment. However, a main distinction is that as a practical matter, the FSG only requires evaluation of its elements when a company is seeking to mitigate penalties for corporate misconduct. Additionally, if a Department of Justice attorney finds that a truly effective compliance program has been implemented, this “may result in a decision to charge only the corporation’s employees and agents” and not the organization itself. 10

This year the U.S. Sentencing Commission voted to amend the existing guidelines. 11 These amendments narrow even further the differences between the Guidelines and the COSO framework. Many of the same forces that led to the Sarbanes-Oxley requirements had led to the initiation of the FSG and the new amendments. The amendments approved by the Commission make the standards for compliance and ethics programs more rigorous and put greater responsibility on boards of directors and executives for the oversight and management of such programs. Board directors and senior management must now take active roles in the content and operation of ethics and compliance programs. Similarly, SOX devotes considerable attention to how to ensure adequate board and management oversight.

Significantly, the FSG states that the organization must issue standards of conduct and internal control systems that reduce criminal activity and detect and prevent violations of law. Just like SOX, the organizational sentencing guidelines recognize the value of internal controls and view them as an essential feature of an effective compliance program. Under the FSG, internal controls are tied to risk assessment and monitoring activities—also to COSO components.

The value proposition

As noted, many of the attributes of the COSO components and their points of focus implicate a compliance program under the organizational sentencing guidelines. The amendments to the FSG are therefore a means for a compliance officer to get more involved in Sarbanes-Oxley compliance. The function is pivotal because many of the compliance processes undertaken by the compliance program can be applied to the SOX internal control requirements. Yet in most cases, SOX is managed out of a unit under the purview of the controller’s office or internal audit. And most of those outside a compliance or legal department are unaware of the compliance standards under the FSG.
As a result, many in charge of managing SOX 404 implementation or assessment are not familiar with the elements of effective compliance processes. What should be apparent is that involvement in the SOX internal control process can set the stage for demonstrating compliance effectiveness to mitigate penalties if fraud or corporate misconduct should occur.

Given the overlap between the FSG and SOX, it makes sense to leverage and integrate compliance program activities with those of SOX internal control implementation and assessment. What are likely to emerge are best practice standards that, for organizations, can also serve as a demonstration of compliance program effectiveness to the government. The following are areas of opportunity for an organization contemplating a formal compliance program, or for an existing compliance officer to consider:

Integration of control processes. There is often a tendency to compartmentalize compliance responsibilities (e.g., SOX, FSG, industry-specific legal mandates, etc.). But consider the benefits of managing these processes with similar controls and technology. Otherwise organizations can face inefficient and ultimately fragmented compliance processes. A compliance

Continued on page 42

