CREATING A CULTURE OF COMPLIANCE FOLLOWING THE SARBANES-OXLEY ACT Presented by Markus P. Cicka To the LeadingAge Annual Meeting & Expo October 19, 2014.


Introduction – The Changing Landscape
- Both publicly traded and not-for-profit healthcare organizations are affected.
- Caremark decision in 1996 – Board has duty to assure, for compliance purposes, that adequate corporate information gathering and reporting systems exist.
- Result – Corporate management and boards of directors of publicly traded companies have significant responsibility to ensure integrity of information reported to the public and integrity of the company itself.
- Increasingly, similar obligations are being placed on management of companies (such as health care providers) that are not publicly traded.

Sarbanes-Oxley Act (SOA)
- July 20, 2002 – President Bush signs the SOA.
- Aimed at publicly owned corporations.
- Imposes substantial obligations to disclose and certify to the true and accurate financial condition of their businesses.
- Increased oversight scrutiny from government regulators and oversight boards.
- Congress's intent: increase transparency and reliability of reports filed with the Securities Exchange Commission and made available to the investing public.

Section 302 of the SOA
- Requires principal executive and financial officers (CEOs and CFOs) of publicly traded companies to certify contents of companies’ periodic reports to the SEC.
- Signing officers certify that they are responsible for designing (or having designed) the company’s financial reporting controls and procedures.
- Must also certify as to their ongoing oversight of the company’s “disclosure controls”.
- “Disclosure controls” = controls and procedures to ensure quality and timeliness of the disclosures (both financial and non-financial information).

Section 906 of SOA
- Section 906 of SOA imposes criminal penalties for false certifications as to those reports.
- SOA sections 302 and 906 certification provisions target individual CEOs and CFOs of publicly traded companies, but if the CEO and/or CFO are targeted, very likely the company is also going to be targeted.

Privately held and Not-for-Profit Companies affected by SOA
- Congress and enforcement agencies imported some SOA provisions into statutes and regulations applicable to privately held companies:
  - Prohibiting retaliation against whistleblowers
  - Prohibiting destruction of certain documents.
- Other SOA standards making their way into scrutiny of privately held and not-for-profit companies:
  - HHS OIG requiring senior management and/or Board to certify compliance with applicable rules as part of Corporate Integrity Agreements which may accompany civil settlements with the DOJ under the False Claims Act.

Privately held and Not-for-Profit Companies affected by SOA (continued)
- DOJ’s guidelines for initiating criminal prosecution: key factor is prosecutor’s evaluation of the efficacy of an organization’s corporate compliance program.
- US Sentencing Commission’s advisory “organizational” sentencing guidelines take into account and incentivize creation of strong corporate compliance programs.
- Federal government officials show increased interest in criminally charging and/or sanctioning individual corporate executives.

Privately held and Not-for-Profit Companies affected by SOA (continued)
- May be necessary to change behavior of recalcitrant companies who see sanctions as merely a cost of doing business.
- Remember that HHS OIG has authority to “exclude” executives from participating in business which is reimbursed by federal health care programs.
- IRS revisions to Form 990 reporting requirements include emphasis on “Governance, Management and Disclosure” and more strictly enforce intermediate sanctions to hold tax exempt organizations to SOA-type standards of behavior.

Privately held and Not-for-Profit Companies affected by SOA (continued)
- Not for profit regulation generally left to the states.
- State attorneys general and legislatures are mandating compliance program requirements.
- Board members becoming more aware of their financial and reputational exposure.

The Message of Sarbanes Oxley
- If a company desires to protect itself, and the corporate officers who manage it, heed the message of Sarbanes Oxley: establishing an effective compliance program (in practice as well as on paper) is no longer optional, but rather a mandatory risk management endeavor.
- In fact, the federal government has argued that a health care provider’s lack of an effective compliance program is sufficient to constitute reckless disregard under the False Claims Act.

The Intersection between SOA’s Certification Requirements and Compliance
- SOA Mandates Internal Controls Over “Disclosure” and “Financial Reporting”
  - In accordance with SEC regulations, CEOs and CFOs must certify that they are responsible for designing and maintaining (or delegating responsibility for designing and maintaining) two kinds of internal controls.
  - First, they must acknowledge responsibility for “disclosure controls and procedures”.
  - Defined as “Controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer [in its periodic reports] is recorded, processed, summarized and reported, within the time periods” specified for the filing of those reports.

The Intersection between SOA’s Certification Requirements and Compliance (continued)
- SOA Mandates Internal Controls Over “Disclosure” and “Financial Reporting”
  - These “disclosure controls” address both financial and nonfinancial information that is included in a company’s periodic reports.
  - SEC left the particular requirements for establishing and evaluating these controls to each filing company: “we expect each issuer to develop a process that is consistent with its business and internal management and supervisory practices”.
  - However, the SEC recommended that companies create a committee that would be charged with considering the materiality of information and determining the company’s resulting disclosure obligations.

The Intersection between SOA’s Certification Requirements and Compliance (continued)
- SOA Mandates Internal Controls Over “Disclosure” and “Financial Reporting”
  - Signing officers must also certify that they are responsible for establishing and maintaining “internal control over financial reporting” for their companies.
  - Term is defined as “a process defined by, or under the supervision of, the issuer’s principal executive and principal financial officers… effected by the issuer’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.”

The Intersection between SOA’s Certification Requirements and Compliance (continued)
- SOA Mandates Internal Controls Over “Disclosure” and “Financial Reporting”
  - It includes procedures regarding the maintenance of reasonably detailed records regarding assets and transactions, the approval or authorization of receipts and expenditures, and means to prevent or detect any unauthorized acquisition, use or disposition of the issuer’s assets that could have a material effect on the financial statements.

The Intersection between SOA’s Certification Requirements and Compliance (continued)
- SOA Mandates Internal Controls Over “Disclosure” and “Financial Reporting”
  - These SOA provisions effectively mandate at least some form of compliance program with respect to publicly held companies’ SEC reporting requirements.
  - In fact, while the SOA requirements for “internal controls over financial reporting” may be limited to accounting measures, the broader requirement for “disclosure controls” necessarily implicates regulatory and other forms of compliance.
  - In addition, other SOA provisions reinforce the notion that the law now requires a comprehensive compliance program. For example, in the regulations adopted under Section 406 of the Act, companies must disclose whether or not they have adopted a code of ethics for senior officers – and if not, companies must explain why such a code has not been adopted.

The Intersection between SOA’s Certification Requirements and Compliance (continued)
- For healthcare companies, which have been urged for years by the OIG-HHS to adopt compliance programs that will ensure regulatory compliance, the adoption of a compliance program will become mandatory under the ACA for most providers that want to participate in federal programs.
- This mandate flows directly from the policy considerations underlying the SOA.

The Challenge for Privately Held and Not for Profit Organizations
- The Challenge is Two Fold:
  - First, management-Board relations must be structured so that Board members have a role in ensuring the integrity of internal reporting systems but maintain sufficient distance to help direct the overall strategic direction of the entity.
  - Board members cannot be micromanagers or auditors. (NIFO or BIGO).
  - Second, management must develop methods to demonstrate and document its due diligence in assuring that these reporting systems have integrity and that related reports and certifications are accurate and fair.

The Challenge for Privately Held and Not for Profit Organizations (continued)
- For the Board or its audit committee, this means developing a clear understanding, in writing, of Board Members’ roles.
- Also means creating direct lines of communication with key players such as the compliance officer and auditor so that pertinent oversight questions can be put directly to the responsible individual.
- Consider whether the Board should develop a list of oversight questions, financial or otherwise, to help frame its inquiries of management as matters are presented or as “red flags” appear.

The Challenge for Privately Held and Not for Profit Organizations (continued)
- For top management, the challenge is to demonstrate and document good faith in its reporting process.
- OIG has issued compliance guidelines for most types of providers.
- ACA requires, as a condition of participation in Medicare, that many providers and suppliers of medical goods and services establish a compliance program that contains “core elements”.

The Challenge for Privately Held and Not for Profit Organizations (continued)
- Top management should consider the following steps:
  - Reviewing draft and final versions of compliance reports;
  - Meeting with top financial, operational and compliance officers to understand the process by which the report is produced and to get at the assumptions and judgment calls underlying the report;
  - Meeting with those responsible for key functions and major business units to gauge whether the results of operations are being fairly presented; and
  - Participating in discussions with compliance officers, auditors and the Board audit committee regarding tough issues, close calls, problem resolution and any matters that were omitted in the preparation of the report.

MARKUS CICKA STINSON LEONARD STREET LLP