This really did happen, and people really did hold these views. But, once I calmed down and had time (years!) to consider these perceptions and to really assess the public’s general lack of understanding of financial statements, auditing procedures and internal controls, it became apparent that something more constructive had to be done, something other than reducing the number of firms providing audit and attestation services.

Reliability of financial statements and the information they’re intended to convey faded at corporate, governmental and general public levels. Integrity needed to be put back into the process. Hence, the beginning of an era defined by a far greater interest in corporate governance and internal controls. The centerpiece of this period is undeniably the Sarbanes-Oxley Act of 2002.

What is the Sarbanes-Oxley Act and what does it mean to physicians practices? Let’s start with first recognizing that the Act ("SOX" is the common vernacular) does not currently apply to not-for-profit organizations. However, with each passing year since 2002, more and more non-public health systems and organizations report that they intend to comply with some or nearly all of the provisions of this legislation. According to a recent survey of more than 700 not-for-profit entities, 83 percent of respondents say they are "very" or "somewhat" familiar with the act, compared to 56 percent in the 2003. A significant percentage of those organizations have further committed to modifications in their corporate governance policies and procedures. Many physicians are increasingly performing significant roles in these not-for-profit organizations, especially in hospitals and physician organizations where they serve as CEOs, board and key committee members. Therefore, it is increasingly important for physicians to understand what is meant by the SOX requirements and how they will impact on the business and financial practices of other than for-profit organizations.

There are various drivers for why SOX is beginning to infiltrate not-for-profit organizations. If Securities and Exchange Commission registrants (public companies) experience a lower incidence of financial statement misstatements as a result of implementing SOX, the pressure will no doubt increase on not-for-profits to adopt similar requirements. In addition, the capital markets are already beginning to ask questions regarding the appropriateness of requiring public companies to comply with SOX when raising debt and equity, yet not-for-profits need not comply when raising tax-exempt debt. Further, many of the compliance and regulatory organizations in the health care industry are already reviewing the SOX requirements and considering the adoption of SOX principles as new compliance requirements. Another key driver has been the sharing of information at the Board level. Specifically, Board members that sit on both public company boards and not-for-profit boards bring to the table the practical knowledge regarding the benefits (and potential requirement) of improving the corporate governance and internal control structure.

So, what is involved with SOX compliance? Generally, when people talk about Sarbanes-Oxley, they are referring to Sections 404 and 302. Section 404 refers to management’s assessment of internal controls over financial reporting. The key points of this section can be summarized this way:

· Management must file an annual internal control report articulating their responsibility to establish and maintain an adequate internal control structure and procedures.

· It also must include management’s conclusion, based on their evaluations, as to the effectiveness of internal controls and procedures for financial reporting.

· The external audit firm must attest to, and report on, the assessment made by management.

This is a tremendous simplification of the requirements, but this is what most public companies wrestled with (and some are still addressing) throughout 2004. With regard to Section 302 (disclosure controls and procedures over financial reporting), here is a similar synopsis. A quarterly evaluation of the effectiveness of disclosure controls and procedures over financial reporting that is personally certified to by the organization’s certifying officers, typically the CEO and CFO. Further, any fraud or deficiencies identified in the past quarter must be reported to the organization’s Audit Committee and to the external auditors.

In general, these sections, along with others, require that management establish and maintain an adequate internal control structure for the financial reporting process. This typically means identifying and assessing the internal control environment and determining relevant processes that have the greatest impact on financial reporting (i.e., billing and accounts receivable). Risks (what could go wrong) in the processes must be identified, along with the controls in place designed to prevent or detect when something does go wrong. In the end, the external auditors perform independent procedures and sign an opinion as to whether they believe controls are designed appropriately and operating effectively. This is in conjunction with the financial statement audit, so now two opinions are rendered.

There are a growing number of not-for-profit health care organizations already beginning to adopt SOX principles in their corporate governance programs. Physicians are becoming increasingly involved as CEOs, directors and committee members in a number of these enterprises. Many such programs being implemented are not being referred to as SOX or Sarbanes projects, but as enterprise-wide risk assessments, or corporate governance reviews. Regardless of what you call it, there are already trends and emerging best practices with regard to how your organization can begin to understand and adopt basic SOX principles. Here are some assessments you might want to consider.

Reassess the audit committee. If the organization doesn’t have an audit committee, strongly consider implementing one, and do it the SOX way from the beginning. Key considerations here are to ensure that the audit committee members are truly independent of the organization they are serving, and that this committee is separate from your Finance Committee. At least one member should have significant accounting and auditing expertise. The audit committee should also understand and implement the rules regarding prohibited and restricted services provided by your external audit firm.

Review or establish the corporate governance structure. It’s surprising to me how many organizations do not have documented policies and procedures in place. If you do have comprehensive policies and procedures, review and update them in light of SOX. If you don’t, get help and get them in place. Remember, having them documented is not the goal; it’s the communication of management’s expectations that is the real goal.

Ask for a review of specific controls over financial reporting. Internal controls provide the check-and-balance structure that management relies upon to ensure the organization is operating effectively and efficiently. This is also the area that the public companies spent so much time addressing, so better to begin to address this now, and spread the burden over a greater time period than what the public companies had to work with.

If one does not exist, inquire about implementing a compliance hotline. Establish procedures for the timely reporting of improper practices within your organization (whistleblower).

There are benefits to understanding and adopting principles of SOX, if not the specific requirements. Here are a few:

· Stronger Board and Committee structure and involvement, along with better defined roles and responsibilities.

· Greater understanding throughout your organization of corporate governance and the importance of a strong internal control structure.

· Advantages in the marketplace by proactively adhering to better corporate governance practices.

· Improved operating efficiencies and cost reductions by identifying and eliminating inefficient practices and implementing stronger controls.

Sarbanes-Oxley’s principles will eventually penetrate all organizations in some manner. In the meantime, physicians with fiduciary responsibilities for not-for-profit health care organizations, including physician practices, should prepare for this eventuality by asking the pertinent questions now to lay the groundwork and help to spread the associated cost and effort over several years. For physicians who are engaged in corporate governance matters, the learning experience may also prove to be valuable as future regulatory requirements impact directly on individual physician practices.