View PDF

Congress passed the Sarbanes-Oxley Act of 2002 as a result of several financial scandals that were reported in the for-profit industry sector. It represents the beginning of a new era for improved quality and "corporate responsibility." Companies that report to the Securities and Exchange Commission (SEC) are now required to comply with a new set of standards for good corporate governance.

Evaluation of Internal Controls

Section 404 of the Sarbanes-Oxley Act of 2002 requires: a) that organizations include management's assessment on the company's "internal control over financial reporting" in their annual report; and b) that the company's external auditors audit and report on management's assessment and the effectiveness of the company's internal control.

Although these requirements are designed for SEC reporting companies, these standards are certainly making their way to the healthcare industry in order to establish higher standards of conduct and reduce liability. Several states are now incorporating some of the SOX provisions into their legislation and some hospitals have even begun to implement some sections of Sarbanes-Oxley as best practices for their organizations.

Internal Controls can mean different things to different people. Internal Control over financial reporting is defined by the AICPA SEC Rule 13a-15f as a process designed by, or under the supervision of, the issuer's principle executive and principle financial officer, or persons performing similar functions. It is effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statement for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

1. Maintain records in reasonable detail that accurately and fairly reflect the transactions and dispositions of the assets of the issuer;


2. Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with authorizations of management and directors of the issuer; and


3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisitions, use or disposition of the issuer's assets that could have a material affect on the financial statements.

Internal controls reside along an entire process of a cycle from beginning to end. Effective internal controls ensure accurate financial reporting, help reduce the loss of resources and increase performance and an organization's ability to achieve its targets. They are methods of providing security over financial transactions and segregation of duties.

Aligning Best Practices and Implementing Internal Controls

There are a lot of similarities between Sarbanes-Oxley requirements and Healthcare Compliance programs. It is important to identify the differences between them in order to develop one framework with which to work.

Begin by mapping out the requirements and then re-examine the current processes in place for gathering information and monitoring procedures.

Internal Audit Program Components

Phase 1: Planning & Scoping

• Conduct a review of the current business processes and the Information Technology environment.


• Identify and interview key process owners to understand the process flow and key transactions.


• Document the current process flow.

• Assess and measure the risks in each process.


• Verify that transactions are complete, accurate and valid.


• Identify any significant events that would create an impact on existing controls.

• Evaluate the operating effectiveness of a control by determining if the control is operating as designed and if the person performing the control has the necessary authority and qualifications to perform the control effectively.

• Test controls using a combination of inquiry, observation, examination (inspection) and re-performance of the procedure / control.

• Try to understand any exceptions to a control procedure that are discovered during the testing of a manual or automated control.

• Outline the audit steps performed, provide audit ratings, findings and recommendations for remediation.


• Monitor the progression of any actions taken for remediation with management and key process owners.