Before financial certifications are
made, every CEO/CFO must have
an internal control process review in
place to reduce their exposure. Board members who fail to educate themselves
as to the practical operating control implications
of the Act will be portrayed as “uninformed”
and could be considered at “risk.”
Audit Committee Responsibilities and Governance
This committee conducts reviews of management’s
assessment of the effectiveness of internal controls annually;
provides a vehicle for communication between the Board
and management with regard to proper operations of the
facility; ensures that all applicable accounting and auditing
reporting practices are proper and accurately reflected in
the financial statements; and assists the Board of Directors
in fulfilling its fiduciary responsibilities.
Auditor Independence
All auditing services on behalf of the facility must be performed
by a CPA firm. Public Accounting firms performing
any audit shall report to the Audit Committee in a
timely manner. Any auditing or accounting firm engaged
for accounting services shall not be permitted to perform
non-audit services. Non-audit services must be pre-approved
by the Audit Committee. The Audit Committee
has a duty to review the impact on the independence
of auditors (i.e. the scope of services provided by the
auditors) to determine whether the list of prohibited non-audit
services would affect the auditor’s independence
where provision of the service creates a conflict of interest
with the audit client.
Code of Ethics and Complaint Mechanisms
This element focuses primarily on deterring
wrongdoing and promoting honest and ethical conduct.
It also addresses:
• the ethical handling of actual or apparent conflicts of
interest between personal and professional relationships;
• appropriate disclosure in reports and documents;
• compliance with all applicable governmental laws
and regulations;
• prompt reporting of violations of the code to an appropriate
person or persons identified in the code; and,
• accountability for adherence to the code.
A facility must develop and maintain a code of ethics
that applies to all employees in order to provide them
with guidance on expectations for workplace conduct. All
employees should be provided with a copy of the code
and participate in an education seminar that includes a
thorough review of this document.
The Sarbanes-Oxley Act requires Audit Committees to establish
procedures for employees to report their concerns confidentially
rather than taking them to management. The best method is
establishing an employee hotline to receive complaints and concerns
and relay them directly to a designated representative of the Audit
Committee of the Board of Directors.
Section 302 - Disclosure Controls and Procedures
The major objective is for management to ensure more accurate
reporting of business and financial conditions; assure the integrity
of periodic financial statement disclosure; and carry out an ongoing
commitment for improved internal controls. The facility must
disclose whether or not the facility has an Audit Committee with at
least one expert. The CEO and CFO must certify that:
• the financial statements do not contain any materially
untrue or misleading information;
• appropriate internal controls are in place that ensure that officers
are aware of all relevant facts needed for a complete reporting of
financial information; and,
• any fraudulent activity involving personnel who deal with the
internal controls has been reported to the company’s auditors and
Audit Committee.
In addition, the CEO and CFO must disclose any conclusions
about the effectiveness of such controls, and explanations of any actions
taken to correct problems with the controls must be reported
in the required financial statements, rather than in the certification.
The CEO and CFO will notify all third party payors in writing,
within 30 days of the date of discovery of any overpayments discovered
subsequent to the submission of a claim for reimbursement or
the filing of a cost report, regardless of the financial impact on the
organization. The Audit Committee must ensure that remedial steps
have been put in place to correct any deficiency within 60 days from
the discovery of the material error.
Section 404 - Internal Controls and Financial Reporting
Under Section 404, management is required to document the
system of Internal Controls over financial reporting. Management
must assess the effectiveness of these controls. The evidence
management uses to support its assertion about the effectiveness
of its internal controls must also be documented. Per ASB, failure
to document the system of controls or the evidence used in
making the assessment should be considered a weakness in internal
control. Positive testing of controls must be performed to make the
assessment under SOX Section 404. Inquiry alone is not adequate
testing. Negative evidence is not evidence of good internal control.
The assessment must be made using suitable criteria for an effective
internal control system. All significant deficiencies and material
weaknesses need to be communicated to the Board in writing. The
existence of a material weakness in internal control precludes an
unqualified opinion that internal control is effective. When using
outside service organizations, management should consider the
activities of the service organization when making an assertion
about the effectiveness of the company internal control over
financial reporting. The Act refers to a report issued in 1992 by
the Committee of Sponsoring Organizations of the Treadway
Commission (“COSO”) regarding internal control. The
following is a brief summary of the major points made in the
COSO report:
• Primary objectives were to establish a common definition
of internal control and provide a standard to help auditing
professionals assess control systems and determine how to
improve them.
• COSO defines internal control as “a process, effected by an
entity’s Board of Directors, Management and other personnel,
designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:
Effectiveness and efficiency of operations; reliability of
financial reporting; and compliance with applicable laws
and regulations.” COSO says internal control consists of
five interrelated components that are derived from the
way management runs a business and integrated into the
management process:
1. Control Environment: The tone of the organization influences
the control consciousness of its people;
2. Risk Assessment: Identification and analysis of risks relevant
to achieving corporate goals, determination of how such risks
should be managed and implementation of a process to address
risks associated with change;
3. Control Activities: Policies, procedures and processes that help
ensure a company carries out management directives;
4. Information and Communications: Communication within
the facility and with external parties such as customers, regulators
and shareholders; and,
5. Monitoring: Assessing the quality of a company’s internal control system. This is done through ongoing monitoring of activities within the business unit and an independent evaluation of existing controls by auditors.