Nancy Lanis Senior VP & General Counsel Curative Health Services Hauppauge, NY Michael L. Shaw Senior Manager PricewaterhouseCoopers LLP Washington, DC Jody Ann Noon RN, JD Partner Deloitte & Touche LLP Portland, OR
An Overview of the New Drivers of Corporate Responsibility: The Sarbanes-Oxley Act, NYSE Listing Requirements, and NASDAQ Proposal Discussion of Key Considerations and Intersection with Traditional Compliance Program and Internal Control Concepts
PricewaterhouseCoopers LLP 2
The added expenses as a result of increased regulatory requirements: (Assumes a "typical" Fortune 500 company with $3 billion in sales, global operations, an in-house internal audit function, in-house legal counsel and significant disclosure requirements.)
Source: Financial Executive, January / February 2003 New Regulations: Preparing for the Unplanned Costs By Johnsson and Wiechart
$200,000 - $400,000
$250,000 - $500,000 $4,000,000 - $9,000,000
$100,000 - $200,000
$200,000 - $300,000 $3,000,000 - $8,000,000
Topics Overview
Sarbanes Oxley Act, NYSE and NASDAQ Listing Requirements Overviews-Corporate Governance and Disclosures Practical Impact on Compliance Standards and Corporate Governance Integrity and Disclosure Requirements Executives, Individual Directors Board of Directors, Board Committees Outside Auditor Recommended Actions to Enhance Compliance Programs
Discussion
Nancy Lanis
SOA approved by near unanimous vote in Congress (vote of 99-0 in the Senate and 423-3 in the House)
Fast pace of approval likely to result in need for numerous interpretations and explanations Potential for far reaching impact on Corporate Governance and Conduct, Financial Reporting and the Public Accounting Profession Also impacts legal community and investment banking analysts
Curative Health Services 7
Integrity Independence Proper Oversight Accountability Strong Internal Controls Transparency Deterrence
Heightened Corporate Governance standards through additional listing requirements Some additional requirements beyond SOA requirements SEC, after public comment period, will vote to approve proposals SEC voiced intent to combine NYSE and NASDAQ requirements
Intended to provide more reliable, timely and useful information to investors Requirements span the reporting supply chain, reinforce accountability Requirements affecting Senior Executives, Individual Directors Requirements affecting the Board of Directors and Board Committees Requirements affecting outside Auditors
Form 8-K disclosure of modifications, waivers (NYSE/NASD propose to require disclosure of waivers)
Corporate Governance requirements affecting full Board of Directors Audit Committee oversight, composition/integrity, reporting mechanism, pre-approvals Audit Committee and independent Auditors seen as key to restoring faith in the process of financial reporting and oversight Audit Committee will have enhanced role in Corporate Governance
NASDAQ
No family member employed as executive officer in past 3 years No former outside auditor partner/employee during last 3 years No interlocking compensation committee issue during past 3 years Not-for-profits covered if size tests met Director or family member may not receive any payments >$60,000 other than for board service
NYSE
Similar requirements, but 5-year cooling-off periods Board must affirmatively determine no material relationship with company and disclose determination
Independent Director approval of CEO and Executive Management compensation (NASDAQ) Director Continuing Education to be mandated (NASDAQ) Material misrepresentation/omission to NASDAQ may be basis for delisting (NASDAQ)
Nominating/Governance Committee Charter (NYSE) Compensation Committee Charter (NYSE) Adopt/disclose Corporate Governance guidelines (NYSE) Annual CEO disclosure not aware of listing violation (NYSE)
Increased Audit Committee Oversight Responsibilities: Directly responsible for appointment, compensation and oversight of independent Auditors (SOA); Have sole authority to appoint, compensate and oversee outside Auditor (NASDAQ) Approve, in advance, the provision by the Auditor of all permissible non-audit services
Authority to engage and determine funding for independent counsel and other advisors; company must provide funding Have a written charter (NYSE)(NASDAQ- 6 months post SEC approval)
At least annually, obtain and review a report by the independent Auditor describing the firm's internal quality control procedures; any material issues raised by the most recent internal quality control review, peer review or any inquiry or investigation within the preceding five years; and assess the Auditor's independence with respect to all relationships between the independent Auditor and the company (NYSE)
Discuss annual and quarterly financial statements with management and independent Auditor, including MD&A (NYSE)
Audit Committee member may not be affiliate of the company or its subsidiary (NASDAQ = own/control >20% voting stock) NASDAQ Limit time non-independent Audit Committee members can serve to 2 years; prohibited from serving as chair. Cannot be company employee/family member; affirmative board determination required that in best company interests; disclosure requirements
Prohibitions on loans to top management and Directors: Public companies now prohibited from directly or indirectly making personal loans to Executive Officers Elimination of other types of loan-related sweetheart deals for Executive Officers
Consider appropriate oversight and disclosure mechanisms, e.g., checklists, form Disclosure Committee
Discussion
Compliance Officers Brave New World? Familiarity with Financial and Disclosure Controls?
Respective roles of Compliance Officer, Internal Audit, Disclosure Committee, Compliance Committee, Board Committees (Audit, Governance, Compliance), CFO, Legal Counsel How many have Board Compliance Committees? Hotlines/reporting mechanisms- how many already include accounting, internal accounting controls, auditing issues?
APPENDIX
Reporting & Internal Controls
Fully comply with 34 Act and information fairly presents financial condition and results of operations
Cautionary Note
Recent CEO/CFO certifications filed with the SEC (either in respect of its one time Order or pursuant to Section 906) do not contain any explicit assertions about internal controls. As Section 302 and 404 provisions require certification or assessment of specified controls, companies will need to assess the implications of these expanded reporting responsibilities, and determine the nature of any additional steps that should be taken in response thereto.
Documents (cont'd)
18 U.S.C. 1519: Whoever knowingly alters, destroys . . . with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any [U.S.] department or agency . . . or in relation to or contemplation of any such matter or case . . . Highlighted language raises questions: Could common document retention/destruction policies result in violations where they call for destruction of documents relevant to a matter that could arise in the future? Potential problem if a document retention program is set up with the intent to avoid future Government liability.
Documents (cont'd)
Need to develop a business justification for every element of the document destruction plan Document destruction program should exempt from destruction all documents that could be used in future investigations Company's e-mail policy and document retention policies should be reviewed and revised to accord with new statutory requirements.
SEC Lawyers
New Lawyer Disclosure Obligation: SEC to issue rules within 180 days setting minimum standards for lawyers appearing/practicing before the SEC (Sec. 307)
Two-tiered disclosure obligation: (1) Rules will require in-house and outside counsel to report securities law violations to company's CEO or chief legal officer; (2) If they don't respond appropriately, lawyer must report directly to Board of Directors or designated Board committee
Materiality standard: SEC is to adopt rule requiring an attorney to report evidence of a material violation of securities law or breach of fiduciary duty or similar violation by the company or any agent thereof
Good news
Materiality limitation No reporting outside the company is required
Troublesome issues:
Practicing before the Commission is a broad standard; will probably include work on registration statements What kind of evidence should an attorney have?
What is a similar violation? What is an inappropriate response on the part of the CEO or Chief Legal Officer, that would require the attorney to go to the Audit Committee or full Board? What if the Audit Committee or Board are complicit in the wrongdoing, or refuse to take remedial action? Legal department may want to articulate and disseminate standards to staff as to when they must come forward to the General Counsel
Whistleblowers (cont'd)
Sweeping new protections for whistleblowers: Modeled after protections for airline employees reporting safety violations
Two new criminal provisions to protect whistleblowers 18 U.S.C. 1513 18 U.S.C. 1514A
Whistleblowers (cont'd)
18 U.S.C. 1513: Whoever knowingly, with the intent to retaliate, takes any action harmful to any person . . . for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any Federal offense . . . Elements added to 18 U.S.C. 1513(e): Knowing and intentional action to retaliate Against any person (not just an employee) Providing truthful information relating to commission or possible commission A law enforcement official (not just a Federal agent) Regarding any Federal offense
Whistleblowers (cont'd)
Elements of 18 U.S.C. 1514A:
Prohibits a company from sanctioning an employee because of any lawful act to provide information about fraud against shareholders to (1) a Federal agency, (2) Congress, or (3) employee's supervisor. Authorizes civil action for damages and equitable relief, including reinstatement, back pay, attorneys' fees, etc. 90-day statute of limitations: employee must file claim within 90 days of retaliation. Provision construed narrowly: applies only to information provided in connection with an ongoing proceeding.
Sentencing Guidelines
Experience from other industry sectors OIG Compliance Program Guidance
Records retention
Operational Committee
Disclosure Requirements
Disclosure Controls and Procedures
Operations
Compliance
Other aspects of Compliance and Operations pertaining to DC&P Internal Controls Over Financial Reporting
COSO defines internal controls as a process effected by an entity's Board of Directors, Management and other personnel, designed to provide reasonable assurance regarding achievement of the objectives in each of the following categories: Effectiveness & Efficiency of Operations
Reliability of Financial Reporting Compliance with Applicable Laws and Regulations
The Five Components under the COSO Framework
Monitoring
Assessment of a control system's performance over time. Combination of ongoing and separate evaluation. Management and supervisory activities. Internal audit activities.
Control Activities
Policies/procedures that ensure management directives are carried out. Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
Control Environment
Sets tone of organization, influencing control consciousness of its people. Factors include integrity, ethical values, competence, authority, responsibility. Foundation for all other components of control.
Information and Communication
Pertinent information identified, captured and communicated in a timely manner. Access to internally and externally generated information. Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action.
Risk Assessment
Risk assessment is the identification and analysis of relevant risks to achieving the entity's objectives, forming the basis for determining control activities.
Final Observation
The Sarbanes-Oxley legislation has established a new paradigm for corporate responsibility, accountability, transparency, and behavior. Responsibilities of some parties have increased; while those of others have been made more explicit. And the Act has established a new standard for companies regarding the reporting of internal control effectiveness.
Good internal controls are not just a best practice: the Act reinforces them in the Law!
The Health Care & Life Sciences Industry faces an ever-changing spectrum of risks: Who is responsible for managing risks related to each activity? What should be done to plug any gaps? What are the mechanisms for escalating emerging risks? Who monitors risk management activities to ensure they are effective?
Scope of Compliance
Corporate Governance
Fraud (Sarbanes-Oxley) Foreign Corrupt Practices Act RICO Anti-Trust Federal Sentencing Guidelines Financial Reporting (e.g., Revenue Recognition)
Health & Safety
Medicare Medicaid Environmental Protection (EPA) Occupational Health (OSHA) Food & Drug (FDA) Consumer Protection
HIPAA
The Compliance challenge to leverage and integrate the full resources of the enterprise to manage key risk and product quality
Point of View
Organizations tend to manage risks in silos
Limited ability to aggregate risk exposures Difficult to identify interrelationships between risks Timely, frank communication of emerging issues may not always occur Inconsistent approaches to managing risks between silos Quality, Compliance and Risk Management not well integrated IT often an issue: opportunity for Compliance to take a broader view in assessing IT controls across the silos Few internal audit functions have a true enterprise-wide view of risk Opportunity for Compliance to play a more strategic role: New compliance requirements demand that companies take a broader view of risk (e.g., Sarbanes-Oxley, OIG compliance guidelines, FDA) Compliance impacts almost all functions and employees Processes to monitor compliance can be used to monitor other risks and quality Compliance can serve as a focal point for debating emerging risk issues, quality and management strategies Compliance well placed to connect the dots across the enterprise
Compliance
The missing link is a compliance program and infrastructure to measure and monitor the effectiveness and alignment between corporate governance and business unit / functional risk management, compliance and quality activities.
Traditional Model
Compliance
Quality, compliance and business risks managed by silo: difficult to track all of the moving parts
Emerging Model
Board Chief Compliance Officer
Financial Risk Regulatory Risk Systems/IT Risks Operational Risks Day-to-Day Operations
Quality, compliance and business risks managed in a coordinated manner: easier to see key interrelationships and interdependencies
Organizational Approaches
Board Oversight
Committee of Directors Senior Management Involvement Compliance Committee Centralized vs. Decentralized Strategy Strong central function Pockets of expertise in the business units Teaming with Other Risk Management Functions Internal Audit IT Manufacturing Sales and Marketing Etc.
Michael L. Shaw Senior Manager PricewaterhouseCoopers 1300 K Street, N.W. Suite 800 Washington, D.C. 20005 (202) 414-1552 michael.l.shaw@us.pwcglobal.com
Nancy Lanis Senior Vice President & General Counsel Curative Health Services 150 Motor Parkway Hauppauge, N.Y. 11788 (631) 232-7016 nlanis@curativehealth.com
Jody Ann Noon RN, JD Partner Deloitte & Touche LLP Health Care Regulatory Practice jodynoon@deloitte.com (503) 727-5207