EVIDENCING EFFECTIVE COMPLIANCE TO MINIMIZE AN ORGANIZATION’S CULPABILITY SCORE HFMA – TEXAS GULF COAST CHAPTER SEPTEMBER 17, 2004 Presented by

2 Sarbanes-Oxley  2002 Legislation  Response to accounting, reporting and executive misconduct  Enron, WorldCom, Adelphia, Tyco, HealthSouth, & others  Attempts to safeguard against future collapses in: –Corporate governance –Auditor independence  “Spill-over” applicability to non-public healthcare entities* *See: “A readiness check: Your organization should be preparing for Sarbanes-Oxley spillover,” Compliance Today, July 2004

3 Compliance Test 101 Question No. 1 Federal Sentencing Guidelines refer to: A.Instructions for attorneys in writing court briefs. B.Proper sentence structure by expert witnesses. C.Title of a book written by the “hanging judge.” D.Statutory guidelines for prison sentences based on the seriousness of criminal offenses, including certain compliance violations.

4 Federal Sentencing Guidelines U.S. Sentencing Commission Amended April 8, 2004 Chapter Eight, Part B, added new Subpart 2 “Effective Compliance and Ethics Program”

5 Effective Compliance and Ethics Program “Such compliance and ethics program shall be reasonably designed, implemented and enforced so that the program is generally effective in preventing and detecting criminal conduct.”

6 Evidencing Compliance Many, if not most providers have taken steps to document policies and procedures relative to compliance matters. Significantly fewer have accumulated evidence of the effectiveness of internal controls on a comprehensive basis.

7 Evidencing Compliance Step 1: Identify applicable internal controls, policies & procedures. Step 2: Implement internal control procedures. Step 3: Monitor (test) consistent application of controls.

8 Evidencing Compliance-Identify Controls over Total Costs Claimed on cost report Step 1: Control Procedure: Reconcile Worksheet A (trial balance) of cost report to total expenses per general ledger. Step 2: (A) Design a reconciliation template and include it in the cost report review checklist. (B) Assign preparation and review responsibility including workpaper sign-off. Step 3: Implement independent review of cost report files to verify that the reconciliation was performed and the preparer and reviewer signed-off as required.

9 Evidencing Compliance Evidencing compliance does not equate to auditing compliance. In the previous example, the evidencing need not verify that the reconciliation was correct, but rather, was it completed using the designated method and evidenced in the cost report workpapers.

10 Compliance Test 101 Question No. 2 What is a Culpability score? A.The number of times a defendant exclaims “mea culpa” in one minute. B.An integral part of the Federal Sentencing Guidelines which is used to assess the seriousness of compliance violations and arrive at an appropriate penalty. C.A mathematical function derived from an individual’s arrest record. D.It just sounds bad, and I really don’t want to know.

11 Culpability Score The Culpability Score is an integral part of the Federal Sentencing Guidelines which is used to assess the seriousness of compliance violations and arrive at an appropriate penalty.

12 Culpability Score Culpability is evaluated in terms of:  The steps taken prior to the offense to prevent and detect criminal conduct;  The level of involvement and tolerance of the conduct by certain personnel; and  The actions taken by the organization following the offense.

13 Culpability Score  The culpability score is a range of “zero or less” to “ten or more.”  An organization with a compliance violation automatically begins with a score of five points.

14 Culpability Score Multipliers Culpability ScoreMin. MultiplierMax. Multiplier 10 or more

15 Culpability Score To the minimum culpability score, points may be added for:  Involvement of high-level personnel in the offense or tolerance of the offense by substantial authority personnel (add 3-5 points depending on organization’s size).  Past history of the same offense within 10 years following a civil or administrative settlement or within 5 years following a criminal adjudication (add 1-2 points).  Violation of a judicial order or conditions of probation (add 1-2 points); and  Obstruction of justice (add 3 points).

16 Culpability Score The culpability score may be lowered by the following:  The existence of a program to prevent and detect violations of the law (deduct 3 points); and  Self-reporting, cooperation in the investigation, or affirmative acceptance of responsibility for the conduct (deduct the greatest of 3, 2, or 1 points, respectively).

17 Compliance Test 101 Question No. 3 What is compliance effectiveness? A.Sufficient activity during the year on compliance matters to avoid compliance staffing reductions. B.Compliance monitoring and auditing which is based on zero tolerance and zero violations. C.A subjective and judgmental process of determining whether the organization's compliance plan will increase or decrease the culpability score. D.A subjective and judgmental process to ensure an organization’s compliance program is effective to prevent and detect violations of law.

18 Compliance Effectiveness An “effective program to prevent and detect violations of law” means a program that has been reasonably designed, implemented and enforced so that it generally will be effective in preventing and detecting criminal conduct.

19 Compliance Effectiveness  Failure to prevent an offense, by itself, does not mean the compliance program was not effective.  The hallmark of an effective program is that the organization exercised due diligence in seeking to prevent and detect criminal conduct by its employees and other agents.  Due diligence requires at a minimum that the organization must have taken steps to address the seven elements identified in the Federal Sentencing Guidelines.

20 Seven Elements of an Effective Corporate Compliance Program 1.Established compliance standards and procedures 2.Oversight by high-level personnel 3.Discretionary authority vested in persons unlikely to engage in criminal conduct 4.Effective lines of communication to employees of compliance standards

21 Seven Elements of an Effective Corporate Compliance Program 5.Reasonable methods to achieve compliance with standards, including monitoring and auditing systems and hotlines 6.Appropriate and consistent enforcement and discipline 7.Appropriate and consistent responses to detected violations

22 CMS Compliance Effectiveness Initiative  May 2004 Pilot Program announced  hospitals in Eastern/Southeastern states  Planned 18 month study  assess effectiveness  gather best practices  September 2004 Program start  Recommendations expected in late 2006

23 Consequences of Compliance Violations  Administrative Sanctions  Civil Money Penalties  $10,000 per claim  $100,000 per conspiracy scheme  Treble damages  Program Exclusion  Criminal Charges  Corporate Integrity Agreement (CIA)

24 Evidencing Compliance Effectiveness Many providers have taken steps to document policies and procedures, significantly fewer have gone as far as they could to evidence the effectiveness of internal controls.

25 Strategy for Evidencing Effective Compliance  Conduct a risk assessment  Document existing internal controls, policies & procedures  Conduct a “Base Line” evaluation  Perform “Annual Reviews” to monitor effectiveness

26 Base Line Evaluation 1.Evaluate compliance policies  Review/update written compliance policies  Compare existing policies to industry best practices  Assess adequacy of compliance policies 2.Evaluate procedures and practices  Review reconciliation worksheets  Evaluate integrity of data (e.g., source references)  Assess available supporting documentation  Review consistency of data  Assess evidence of internal independent review

27 Base Line Evaluation 3.Evaluate internal review scope and process  Determine the extent and timing of independent review  Review internal workpaper documentation  Evaluate skill and experience of independent reviewer  Assess procedures relative to clearing review points, unusual data fluctuations and other issues noted  Assess evidence of internal review (e.g., initial/sign- off) 4. Evaluate procedures for identify and reporting upon sensitive compliance issues within area

28 Annual Review 1.Review existing control environment policies, procedures and practices between the Base Line or Prior Year to the Current Year. 2.Review specific key focus areas of OIG Workplans 3.Identify regulatory changes and effects on data 4.Evaluate procedures applicable for assuring the integrity of data for sensitive issues 5.Assess the integrity and adequacy of review and reconciliation procedures applied to critical data

29 Compliance Test 101 Question No. 4 What does physician self-referral mean? A.The attending physician asks the patient to select the laboratory for needed testing. B.Due to Medicare payment pressure, the attending physician voluntarily admits himself to a rehab for treatment. C.The attending physician orders tests that will be performed within his practice office. D.The attending physician orders tests that will be performed by another provider where the attending has a financial interest.

30 Evidencing Compliance  To ensure the Base Line Evaluation is objective and provides the greatest measure of evidencing effectiveness, consider the use of an external consultant  To the extent that any “audit” of data or transactions is included, perform the work under the direction of counsel.  For annual reviews, perform a risk assessment to ensure an appropriate focus and consider an external review over the proposed workplans to add a degree of objectivity  Compile a report on the Base Line Evaluation and the Annual Reviews which evidences the controls, procedures, practices, and policies which have been effective.

31 For more information contact: Lance S. Loria, CPA, FACHE, FAAMA President L ORIA A SSOCIATES, LLC Falling Creek Drive, Suite 225 Houston, TX Direct Fax