Risk Management

Sarbanes-Oxley and Health Plans

The structure of employee health plans often obscures the view of benefit costs and internal controls that the Sarbanes-Oxley Act demands.
David KatzMay 13, 2004

Among the many compliance perils created by the Sarbanes-Oxley Act of 2002, one of the least talked about could well be the act’s effect on corporate health-benefit programs.

The lack of discussion is understandable. To be sure, benefit managers commonly operate under the wing of human resources executives, who in turn report up to chief financial officers. Yet finance and HR often seem to live in two different worlds. That’s been especially true since the passage of Sarbanes-Oxley: While finance executives have scrambled to comply with new reporting and certification requirements, benefits caretakers have largely watched from the sidelines.

That’s changing. Under Sarbanes-Oxley Section 302, CFOs and CEOs must certify that their companies’ quarterly and annual filings are true and that they omit no material facts. And facts about employee health care are becoming nothing if not more material: Employee benefits now typically represent a company’s third-biggest expense, trailing only cost of goods sold and non-manufacturing payroll, according to a report published earlier this year in The McKinsey Quarterly. Health insurance is the fastest-rising component; between 1986 and 2003, it climbed at an annual compound growth rate of 6.7 percent. By comparison, the report noted that government-mandated benefits — including Social Security, Medicare, unemployment insurance, and workers’ compensation — rose 5.3 percent during that period.

What’s more, in order to sign off on those filings, finance chiefs arguably must have some grasp of the statements’ underlying content. That can be an especially formidable challenge in the retiree-benefits arena, where a transparency-challenged accounting system holds sway. The system’s volatility-smoothing techniques — projected out over decades — may obscure real cash demands. (For more on the accumulating cloudiness of retiree-benefit accounting, see “Prescription Change” in the June issue of CFO magazine.)

Determining a company’s future benefit burden, in turn, involves the mystifying task of predicting the future of health-care costs. The alarmingly sustained double-digit inflation in benefit expense over the last five years, coupled with “the inherent complexity of the health-care supply chain,” make such forecasting extremely difficult for individual companies, says Sreedhar Potarazu, president and chief executive officer of VitalSpring Technologies. (In this context, supply chain means the complicated billing, service, and financial connections among employees and retirees, doctors and hospitals, employers, insurers, and third-party administrators.)

And when wide-of-the-mark forecasts lead to errors on the income statement, those errors can build on themselves and invite unwanted attention from investors and regulators. “This has a cascading effect,” says Potarazu, whose company provides software that culls corporate health-benefits data. “When previous estimates turn out to be inaccurate, increased scrutiny is inevitably placed on the processes and controls behind those predictions.”

Sarbanes-Oxley Section 404 has already trained the spotlight on Corporate America’s internal controls for financial reporting. Given the increasing national focus on the cost of health care — witness the recently-passed Medicare reform law — some finance departments have already found it prudent to take a closer look at the intersection of employee benefits and internal controls.

Sarbanes-Oxley has raised expectations that benefits-related errors will be rectified, observes Mike Aldrich, director of total compensation at Pactiv Corp., the maker of Hefty bags. Aldrich says that the need to supply Sarbox documentation has compelled him to dig deeper into the company’s benefit-payment processes and data. If an internal-controls breakdown produces errors on the financials, he adds, “people are not going to care that it’s come from health insurance.”

Tricky Lineups

The way employee health coverage is structured at most companies, however, presents barriers for a finance executive who needs a clear view of benefit costs and internal controls, experts suggest.

That’s because corporate health-benefit plans are largely self-funded. In 2003, 52 percent of employees with coverage were in a plan that was partly or completely self-insured, according to a survey by the Kaiser Family Foundation’s. For companies with 5,000 or more workers, that figure was 79 percent.

But companies that insure themselves may also be saddling themselves with unacknowledged risk. “Investors need to take this risk into account when valuing a company with [a retiree health-benefits] plan,” advised a 2003 Credit Suisse First Boston report on retiree benefits. “They are not only investing in an operating company, but they may also be purchasing a healthcare insurance company.” Added CSFB analyst David Zion, one of the report’s authors, “Is the company capable of managing that risk?”

For many companies, to be sure, the benefits of self-insuring outweigh the risks; money that might have been dedicated to premiums can be used for other corporate purposes until claims must be paid. At Delphi Corp, for example, a single catastrophic health-care case isn’t likely to cause much of a financial ripple. CFO Alan Dawes notes that health-care spending at the auto-parts giant totals about $1.5 billion annually.

Still, while the financial risk of self-insuring might be readily absorbed by some companies, managing internal controls can be a far thornier matter since self-funded plans don’t tend to administer the plans themselves. More often, they outsource that job to a third-party administrator (TPA), which handles such things as doctor and hospital payments, claims processing, and benefit reimbursements for a fee.

Splitting the funding off from the administration has made it tough for self-insured employers to get a coherent picture of their payment flows. A big part of the problem, suggest participants, is drawing a straight billing line from the health-care provider to the TPA to finance. “The trickiest part is getting all the different data to line up,” says Aldrich.

Pactiv is about 60 percent self-insured, according to the compensation manager (other employees and retirees are covered through fully insured health maintenance organizations). Pactiv’s finance managers write checks based on claims the company receives from providers, but Aldrich says that it’s hard to reconcile the company’s own claims data with the data he gets from Blue Cross/Blue Shield, one of the company’s TPAs. The BCBS data, for instance, might contain more-up-to-date information on discounts negotiated with health-care providers than Pactiv itself has on hand.

Indeed, many companies have a fragmentary view of their health-benefit payouts, says Potarazu of VitalSpring Technologies. At some companies, transactions with doctors and hospitals may not be automatically reported in the corporation’s general ledger, creating a situation ripe for errors. The software executive says that he’s seen cases where HR employees risk redundant reporting by first subtracting the costs of self-insurance from a company’s books, then delivering the data on spreadsheets to the finance department to record as corporate expenses.

Furthermore, says Potarazu, TPAs might fail to invoice an company for care provided to its employees, or they might aggregate invoice information and thus cloud the details of services provided. Under Sarbox 404, he notes, the inability to tie a transaction to an invoice — and provide an adequate audit trail — might be seen as a breakdown in internal controls.

Misplaced Incentives

Another question for many self-insured employers is one confronted by every outsourcer: How do you assess that the internal controls of your third-party administrator — which have, essentially, become an extension of your own — are shipshape?

A common solution is for the company’s auditor to test the TPA for benefits-related errors. At Consolidated Edison, controller Ed Rasmussen says that the New York-based utility’s auditors, PricewaterhouseCoopers, “have to be comfortable” with the internal controls of ConEd’s benefits administrator. PwC performs an audit according to the Statement on Auditing Standards No. 70 (SAS 70), which governs examinations of the internal controls of outsourcing providers generally.

The effectiveness of SAS 70 audits is limited, however. Service providers must report control failures themselves, but not the scope or exact substance of the audits that uncovered them.

Further, routine spot-checks of benefit claims aren’t likely to uncover broader internal-controls failures. The probability that a claims audit “would identify a systemic problem, and therefore help [an employer] manage the risk, is very low,” says David McSweeney of Healthcare Data Management. According to the chief operating officer of the Wayne, Pennsylvania-based health-plan auditor, spot-checks are unlikely to pick up a coding error that generates claim overpayments or one that results in payments that were never intended.

To avoid such broad problems, risk management experts suggest, finance executives should take a hard look at their companies’ contracts with third-party administrators. A company’s outsourced claims processors should have contractual incentives to focus less on speed and more on accuracy, says George Aldhizer, an associate professor of business and accounting at Wake Forest University.

Today, a TPA might be held to handling 90 percent of an employer’s claims accurately within 10 days of receiving them; such an agreement can provide little motivation for a claims processor to uncover and report fraud and systems errors. “The administrator has no financial incentive to carefully monitor the bills that come in from hospitals, physicians, and clinics. There is no downside risk for them” in foregoing such care, says Aldhizer.

Better, then, for an employer to build more such incentives into the services contract and to keep a tight grip on the right to monitor the TPA’s adherence to its terms. Instead of fussing over the cost of the services, says McSweeney, employers should pay greater heed to holding claims processors accountable for such things as fraud control and the protection of employee privacy.

Most important, he says, finance executives of self-insured companies should be especially chary of surrendering their contractual right to audit the TPA in exchange for a cheaper price. “I can’t emphasize that the review of that agreement and the rights ceded and enforced is critical,” adds McSweeney.