Sarbanes-Oxley Compliance

The Sarbanes-Oxley (SOX) Act of 2002 represents landmark legislation in the world of corporate compliance, securities and capital markets, and overall organization governance and responsibility.

UPMC's voluntary compliance with the legislation marks the first nonprofit ever to meet these rigorous accounting rules intended for corporate America.

• UPMC established formal governance over financial reporting and interaction with the Board of Directors, Audit Committee, and external financial auditors.
• CEOs and CFOs certify quarterly whether the company’s financial statements are true, complete, and fairly stated.
• CEOs and CFOs evaluate the effectiveness of the company’s disclosure controls and procedures each quarter and present their conclusions about the effectiveness in each quarterly and annual filing.
• Management annually assess and assert to the effectiveness of the company’s internal controls and procedures for financial reporting.

This last requirement, known as Section 404, has had one of the largest impacts on corporations in America. Companies impacted have initiated projects to document, assess the gaps over, remediate, and test the internal controls over financial reporting (ICOFR). In addition, each company must assert as to its findings resulting from this process and that the ICOFR are adequate within the parameters established by the Public Company Accounting Oversight Board (PCAOB) and the Securities and Exchange Commission (SEC).

As a not-for-profit organization, UPMC is not required to comply with the regulations established by SOX. However, UPMC and its Board of Directors has determined that voluntary compliance with SOX is in the best interest of the organization. UPMC initiated a project in June 2004 to comply with the key components of SOX. Among the activities included in this project are:

• Review of key financial reporting governance areas
• Identification and strengthening of the corporate ethics program
• Development of an entity-wide project plan to comply with SOX
• Review of entity level controls that impact ICOFR
• Initiation of the ICOFR evaluation program required by Section 404, including the following:

• Identification of the key business operations and locations for inclusion
• Development of an entity-wide ICOFR documentation program
• Completion of a pilot ICOFR documentation project
• Initiation of ICOFR documentation within the key business operations and locations
• Initiation of a gap analysis over the ICOFR documentation components

Within the not-for-profit industry segment, UPMC is leading the way in adopting the requirements of SOX. Many organizations have begun to realize the value to be gained through an assessment of internal controls over financial reporting. In fact, organizations such as UPMC see it as making good business sense. However, while others have waited, UPMC decided it was time to act.