experience perspective //
CPAs & ADVISORS
ENTERPRISE-WIDE RISK ASSESSMENT DISCUSSION & RISK ASSESSMENT CASE STUDY
November 17, 2015
HFMA Regional 9 Annual Conference
TABLE OF CONTENTS
Executive Summary – 3
Risk Assessment Overview – 4
Risk Assessment Walk-Through – 14
Risk Assessment Case Study – 25
Appendix
2 // experience perspective
EXECUTIVE SUMMARY
This presentation includes
An overview of the risk assessment process, with
An introduction to & objectives of the risk assessment process
A description of risk assessment methodology
Types of risk assessments & definitions
A value proposition for conducting a risk assessment
A suggested timeline for the risk assessment
A walk-through of a typical risk assessment, with
A sample risk/audit universe
Key stakeholders interviewed during the risk assessment
Typical activities conducted during the risk assessment
A sample questionnaire
A sample residual heat map
A sample internal audit plan
Discussion of a risk assessment case study
HEALTH CARE INTERNAL AUDIT LANDSCAPE
Impact of the Affordable Care Act
Responding to the increasing number of regulatory requirements driven by the Affordable Care Act (ACA) is critical
Best practices for managing these complexities require strong internal audit & compliance functions
Many organizations do not have appropriate resources to meet these concerns internally
Health care internal audit & compliance
The complexities of these new regulations, & compliance with their requirements, have heightened the current risk landscape, as health care reform provides the backbone of transformation in several areas, including
IT-related concerns, such as EHR & Health Information Exchanges
Privacy & security (HITECH/HIPAA) requirements, including OCR audits
Meaningful use regulation compliance & CMS audits
Quality data collection & measurement compliance
501(r)
Risk assessments can help to identify areas exposed to high risk
The resulting internal audit plan would address the appropriate areas, as well as identify necessary resources
Readiness assessments may also be conducted for compliance areas that are a concern, but not high-risk
RISK ASSESSMENT OVERVIEW
Introduction
Risk & compliance are becoming greater concerns to health care organizations as governance, senior management & physicians are required to assume more responsibility & personal liability
With increased transparency, health care facilities’ patients & the general public are also becoming more knowledgeable of organizational risks
Objective
A well-developed risk assessment model will provide an efficient & systematic process to
Determine auditable areas of an entity
Assess risk of each area & identify activities exposed to high risk
Rank area by risk
Estimate resources necessary to conduct internal audits
Develop annual & long-term (typically three-year) internal audit plans
RISK ASSESSMENT OVERVIEW
Methodology
Risk assessment methodology includes the following activities
Identify audit universe, categorized by key risk areas of organization
Interview key stakeholders of organizations to help identify areas of greatest risk
Identify common themes
Develop a heat map based on those discussions, & validate risk ranking with key stakeholders
Develop a proposed internal audit plan based on key risk areas identified during process
RISK ASSESSMENT OVERVIEW
Types of risk assessments
There are various types of risk assessments health care organizations could conduct, including
Corporate compliance
Fraud
Financial
Information technology
Meaningful use
Operational
Privacy & security
Most organizations prefer coverage in all of these areas, as part of an enterprise-wide risk assessment
RISK ASSESSMENT OVERVIEW
Key definitions
Enterprise Risk Management
Enterprise Risk Management (ERM) is an approach used by management to integrate internal controls, Sarbanes-Oxley Act requirements & strategic planning. An organization uses this process to help its stakeholders understand how it is managing its key risks. Monitoring the process is typically performed as part of the internal audit plan
Enterprise-Wide Risk Assessment
Results of an Enterprise-Wide Risk Assessment may be integrated into the ERM process, or used separately as part of the process to develop an internal audit plan
RISK ASSESSMENT OVERVIEW
Value proposition for conducting a risk assessment
The value proposition for conducting a risk assessment includes the following
Identify key risks – internal & external – to an organization
Determine whether risks have been mitigated by management, & if not, help management develop a plan to address critical areas
Reduce potential for unwanted surprises
Assess likelihood & impact of critical risks affecting earnings
Strengthen controls over operations & thereby increase efficiencies/reduce costs
Provide an independent risk management tool to help governance meet their increasingly demanding fiduciary responsibilities
Proactively understand organization’s risks & actively manage those risks
Identify opportunities to increase net revenue & optimize third-party reimbursement
Help ensure organization is meeting compliance objectives & therefore reducing risks & consequences of non-compliance, for example
OIG workplan
PCI data security standards
Meaningful use
Fraud & abuse
HITECH/HIPAA (privacy & security)
IRS/tax-exempt status
340B compliance
RISK ASSESSMENT OVERVIEW
Value proposition for conducting a risk assessment
Consequences of non-compliance can include (but not limited to) fines, penalties, legal action, reductions in third-party reimbursement, loss of tax-exempt status & reputational damage. Liability could extend beyond organization to individuals, including officers, board members & physicians
Timeline
The risk assessment process takes approximately three to six weeks. The following is a sample four-week timeline
Activities (scheduled across Weeks 1–4)
Planning & information review
Design of survey templates & interview questionnaires
Conduct risk assessment interviews
Compile results of interviews & develop heat map
Develop recommendation & listing of suggested audit or assessment areas
Review results with senior management
Complete final project documents
RISK ASSESSMENT OVERVIEW
Resulting documents
Key documents based on the results of this project would typically include the following
Risk definitions & risk framework
Heat map tailored for key risk areas
Summary of recommendations, including a listing of proposed audit areas
Three-year internal audit plan
RISK ASSESSMENT OVERVIEW
RISK ASSESSMENT WALK-THROUGH
Risk/audit universe
Audit universe identified during an enterprise-wide risk assessment is typically as follows, categorized by organization’s key risk areas
Governance Risk
• Organization Structure
• Leadership
• Strategic Planning
• Risk Management
• Policies & Procedures
• Communication
Financial Risk
• Contractual Allowances & Third-party Estimates
• Revenue Recognition
• Financial Statement Estimations
• Managed Care Contracting
• Debt Covenants
• Cost Reporting
• Financial Reporting & Disclosure
Operations & Process Risk
• Supply Chain
• Revenue Cycle
• Payroll
• Financial Statement Close
• Construction
• Purchasing & Payables
Technology Risk
• IT Security
• Health Information Exchanges
• Data Integrity
• Disaster Recovery Planning
• Change Management
• ICD-10 Readiness
• Mobile Devices
Compliance Risk
• Tax-Exempt Status
• Corporate Compliance Program
• HITECH/HIPAA (Privacy & Security)
• EHR/Meaningful Use Compliance
• Fraud & Abuse
• 501(r) /Community Health Needs Assessment
• Payment Card Information Data Security Standards
• Stark Laws/Anti-Kickback Regulations
• Quality Measures
• Health Breach Notification Rules
Personnel/Human Capital Risk
• Physician Acquisition/Contracting
• Authority
• Nursing Staff
• Hiring/Retention/Training
• Supervision & Management
• Workload/Personnel/Turnover
Participants
Key stakeholders to interview include the following
Finance
Chief Financial Officer
Corporate Controller
Director of Finance
Director of Accounting
Other
Audit Committee Chair
Chief Executive Officer
Chief Medical Officer
Chief Information Officer
Chief Quality Officer
Chief Privacy Officer
Corporate Compliance Officer
VP Human Capital
Director of Business Office
Director of Supply Chain
RISK ASSESSMENT WALK-THROUGH
Preliminary stage
The methodology includes the following activities in the preliminary stage of the project
Develop project plan, milestones & timing
Determine risk tolerance levels
Identify audit universe, categorized by key risk areas
Determine key documents to be reviewed & personnel to be interviewed
Develop & distribute surveys to be utilized
Develop questionnaires to be utilized during risk assessment interviews
Identify & notify key stakeholders of project’s objectives & their roles
RISK ASSESSMENT WALK-THROUGH
Second stage
Individual interviews & facilitated group sessions are conducted, utilizing questionnaires developed for each area. Discussions begin with open-ended questions related to participants’ roles, goals, challenges, issues, responsibilities & concerns. Key stakeholders typically included during these sessions include
Chief executive, operating & financial officers
Chief medical, legal & information officers
Corporate compliance
Key finance & accounting personnel
Key department heads of operations
Key board & committee members
RISK ASSESSMENT WALK-THROUGH
Final stage
During the final stage of the project, results of documentation review & interview sessions are analyzed to help
Identify common themes noted during interviews
Design heat map, including key risk areas based on the results of risk assessment
Develop a summary of recommendations, including a listing of proposed internal audit areas & related deliverables
RISK ASSESSMENT WALK-THROUGH
RISK ASSESSMENT WALK-THROUGH
SAMPLE QUESTIONNAIRE RESULTS – Accounting Manager
Each statement is rated for maturity & for impact if the control fails; the risk score is the maturity rating multiplied by the impact rating
Financial statements used in management decisions are received timely & prepared accurately (Maturity 1, Impact 2, Risk 2)
Financial statement accounts are supported by reconciliations & subsidiary ledgers/detail (Maturity 1, Impact 1, Risk 1)
Management views accounting treatment for transactions or activities in a balanced manner, neither too aggressive nor too conservative (Maturity 2, Impact 3, Risk 6)
Management views accounting function as an important element in overall system of internal control rather than an obstacle to be avoided or overcome (Maturity 1, Impact 2, Risk 2)
Management has a consistent methodology in computing allowance for uncollectible accounts & contractual adjustments & doesn't deviate without appropriate support reasons (Maturity 2, Impact 3, Risk 6)
Management has adequate documentation to support third-party reserves such as cost reports, RAC accruals & other estimates (Maturity 1, Impact 2, Risk 2)
Organization has review processes in place to ensure payments received are according to contracts (Maturity 3, Impact 3, Risk 9)
Management has a process in place to review expenses that exceed approved budget & to implement cost reductions when appropriate (Maturity 2, Impact 3, Risk 6)
Maturity Ranking Definitions: 0 = Not Applicable to Respondent; 1 = Optimized; 2 = Repeatable/Partially Defined; 3 = Initial or Non-Existent
Impact if Control Fails: 0 = Not Applicable to Respondent; 1 = Low; 2 = Moderate; 3 = High
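As an added illustration (not part of the presentation), the following Python scores questionnaire responses the way the sample table does: risk = maturity rating × impact, using the slide's 0–3 scales, with not-applicable answers excluded from the ranking. The sample responses and the tie-break order are constructed for the example.

```python
"""Score a risk-assessment questionnaire as the sample slide does.
Added example, not from the presentation. Scales are the slide's own:
maturity 0-3 (0 N/A, 1 optimized, 2 repeatable/partially defined,
3 initial or non-existent), impact 0-3 (0 N/A, 1 low, 2 moderate,
3 high); risk = maturity x impact."""
from dataclasses import dataclass

MATURITY = {0: "Not Applicable", 1: "Optimized",
            2: "Repeatable/Partially Defined", 3: "Initial or Non-Existent"}
IMPACT = {0: "Not Applicable", 1: "Low", 2: "Moderate", 3: "High"}


@dataclass(frozen=True)
class Response:
    control: str   # questionnaire statement being rated
    maturity: int  # likelihood proxy: weaker maturity -> higher rating
    impact: int    # importance proxy: impact if the control fails

    def risk(self) -> int:
        """Residual risk score; 0 when either rating is not applicable."""
        if self.maturity not in MATURITY or self.impact not in IMPACT:
            raise ValueError(f"rating out of range for {self.control!r}")
        return self.maturity * self.impact


def rank_controls(responses):
    """Answered controls, highest risk first; N/A answers are dropped.
    Ties break on higher impact, then name (an assumption: the slide
    does not say how ties are ordered)."""
    answered = [r for r in responses if r.maturity and r.impact]
    return sorted(answered, key=lambda r: (-r.risk(), -r.impact, r.control))


# Constructed sample matching the Accounting Manager rows on the slide,
# plus one not-applicable answer to show it is excluded from ranking.
SAMPLE = [
    Response("Financial statements timely & accurate", 1, 2),
    Response("Accounts supported by reconciliations", 1, 1),
    Response("Balanced accounting treatment", 2, 3),
    Response("Accounting seen as control element", 1, 2),
    Response("Consistent allowance methodology", 2, 3),
    Response("Documentation for third-party reserves", 1, 2),
    Response("Payments reviewed against contracts", 3, 3),
    Response("Over-budget expense review", 2, 3),
    Response("Question not applicable to respondent", 0, 0),
]

if __name__ == "__main__":
    for r in rank_controls(SAMPLE):
        print(r.risk(), r.control, MATURITY[r.maturity], IMPACT[r.impact])
```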
RISK ASSESSMENT WALK-THROUGH
Heat map
The following is a sample heat map for a health care organization, based on the results of the risk assessment
[Heat map figure: horizontal axis Likelihood of Control/Process Issues (Low to High); vertical axis Importance to Business Strategy (Low to High); the numbered audit areas below are plotted on the map]
Audit Areas
Technology Risk
1. IT Security
2. ICD-10 Readiness
3. Health Information Exchanges
Operations and Process Risk
4. Supply Chain
5. Revenue Cycle
Personnel/Human Capital Risk
6. Physician Acquisition/Contracting
Compliance Risk
7. Corporate Compliance Program
8. Stark Laws/Anti-Kickback Regulations
9. EHR/Meaningful Use
Financial Risk
10. Financial Statement Estimations
RISK ASSESSMENT WALK-THROUGH
Results/Recommendations – listing of proposed audit areas (sample)
The chart below & on the next slide reflect a sample of the 10 highest risk areas identified as a result of the risk assessment process, derived from the residual heat map on the preceding page
Audit Process | Risk Ranking | Description of Audit | Estimated Hours | Auditee/Process Owner
Health Information Exchanges Compliance Assessment | High | --- | 125 | ---
IT Security Audit | High | --- | 125 | ---
Revenue Cycle – Denial Management Audit | High | --- | 125 | ---
Physician Acquisition/Contracting Audit | High | --- | 125 | ---
ICD-10 Readiness Assessment | High | --- | 100 | ---
RISK ASSESSMENT WALK-THROUGH
Results/Recommendations – listing of proposed audit areas (sample)
Audit Process | Risk Ranking | Description of Audit | Estimated Hours | Auditee/Process Owner
Meaningful Use Compliance Assessment | High | --- | 150 | ---
Corporate Compliance Program Assessment | High | --- | 150 | ---
Stark Laws/Anti-Kickback Regulations Assessment | High | --- | 125 | ---
Supply Chain Audit | Moderate | --- | 150 | ---
Financial Statement Estimations Audit | Moderate | --- | 125 | ---
This plan also allows for management requests identified during the year, as well as quarterly follow-ups designed to address recommendations noted during audits/assessments
RISK ASSESSMENT WALK-THROUGH
PROPOSED THREE-YEAR INTERNAL AUDIT PLAN MAP
(Audits are scheduled by quarter, Q1–Q4, within each year)
Year One
ICD-10 Readiness Assessment
Health Information Exchanges Compliance Assessment
Year Two
IT Security Audit
Stark Laws/Anti-Kickback Regulations Assessment
Meaningful Use Compliance
Revenue Cycle – Denial Management Audit
Year Three
Corporate Compliance Program Assessment
Physician Acquisition/Contracting Audit
Supply Chain Audit
Financial Statement Estimations Audit
RISK ASSESSMENT CASE STUDY
Background
Health care organization has never had a risk assessment conducted
External auditors cited this fact in 2014 year-end audit management letter comments
Objective will be to provide a road map for an internal audit plan
Process
Review of background materials
Distribution of surveys for initial understanding of each key area/process
Interviews conducted with key stakeholders
Validate common themes identified
Develop audit plan
RISK ASSESSMENT CASE STUDY
Issues identified
Concerns related to third-party payment process & related contractual allowances for non-traditional governmental payors
Issues related to operations of employed & provider-based physicians, including charge capture & billing/payment processes
Concerns related to Information Technology (IT), including
IT service management processes (asset management, incident & change)
Business continuity & disaster recovery
Confidentiality of data (electronic protected health information)
Staff turnover & associated retraining
Succession planning
Appropriate segregation of duties due to staffing limitations
RISK ASSESSMENT CASE STUDY
Draft internal audit plan
Revenue Cycle – Third-Party Payment Process Audit
This audit would focus on controls established by management to ensure payments for patient services performed at the hospital are collected according to third-party contracts. This would include ensuring payments received from non-traditional governmental payors are appropriate through effective monitoring of contractual allowances & key contractual terms, including timely payment
Employed & Provider-Based Physician Audit
This audit would focus on controls established by management to ensure services performed by employed & hospital-based physicians are properly billed, that reimbursement is optimized on related billings, that these relationships are properly documented through current contracts with terms monitored for regulatory compliance factors & that associated payments to physicians are properly paid & documented
Regulatory Compliance Assessment
This assessment would focus on whether management is meeting its objectives to ensure regulatory requirements are met for areas such as OIG Workplan, HITECH/HIPAA Security & Privacy, Meaningful Use, Fraud & Abuse & Stark Laws
IT Assessment
This assessment would focus on identified higher risk elements of IT general controls & security objectives related to IT service management & data confidentiality. IT service management includes governance & operational support for asset life cycle management, change management, continuity management, security management & incident management. The assessment would also focus on whether management has policies, procedures, controls & skilled resources in place or available to support IT service management requirements