In the wake of nationally publicized corporate accounting scandals, compliance officers often are tasked with ensuring that their organizations have appropriate internal controls and auditing mechanisms, says Brent Saunders, a partner with PricewaterhouseCoopers in Washington, DC. From a practical standpoint, he says, monitoring and auditing mechanisms offer some of the greatest benefits.
Audit committees and boards of directors also are becoming more attuned to internal controls in corporate compliance, specifically in the wake of the Sarbanes-Oxley bill that recently was passed by Congress, Saunders told participants in a Health Care Compliance Association audio conference Sept. 10. That law gives boards not only a fiduciary responsibility but also a new legal responsibility to ensure the control environment.
Sheryl Vacca, director of the national health care compliance practice at Deloitte and Touche in Los Angeles, says one of the ways that boards can execute that responsibility is through development of a strong auditing and monitoring plan or by making sure that their compliance or internal audit department has a strong audit or monitoring plan in place.
Vacca says it’s important for compliance officers to recognize the role of boards and the opportunity it offers to enhance their compliance programs and put impetus behind compliance efforts. She says it is useful to draw on the legal responsibilities imposed by the Sarbanes-Oxley Act to ensure that appropriate controls are in place.
It also is important that there be independent leadership who can act without relying on management’s initiative, and that they have guidelines and procedures for their own operational functioning, says Vacca.
Boards must be independent in evaluating management company performance and strategy, says Vacca. "The board’s role is to be active and independent in the oversight of the corporation that they are overseeing," she explains.
According to Vacca, the audit committee often is the board committee to which compliance programs report within their organization. "Usually, the audit committee is the governing board that has that oversight," she explains.
In a normal board structure, Vacca says there usually is an audit or finance committee that oversees the external auditors who are responsible for auditing the company’s financial statements and evaluating the company’s system of internal controls. Then there is the oversight of the internal auditors who are responsible for ensuring the effectiveness of internal controls and bringing any weakness to management’s attention.
Vacca says it is important to recognize the difference in focus between an external audit and an internal audit. Typically, she says, the external audit looks for material financial risk, while the internal audit tends to focus more on the business risk. However, the two go hand-in-hand, she says.
With regard to business misconduct, if compliance program activities must be filtered through layers of management, Vacca says it is less likely that information will be provided to the committee in a direct fashion.
Vacca says it is important to remind people that there is now a legal responsibility for the board to oversee compliance. If there are not enough resources to ensure that controls are in place, that is a great opportunity for compliance departments to ask for more resources, she says.