
experience perspective //

CPAs & ADVISORS

ENTERPRISE-WIDE RISK ASSESSMENT DISCUSSION & RISK ASSESSMENT CASE STUDY

November 17, 2015

HFMA Regional 9 Annual Conference

TABLE OF CONTENTS

Executive Summary .......................... 3

Risk Assessment Overview ................... 4

Risk Assessment Walk-Through ............... 14

Risk Assessment Case Study ................. 25

Appendix

2 // experience perspective

EXECUTIVE SUMMARY

This presentation includes

An overview of the risk assessment process, with

An introduction to & objectives of the risk assessment process

A description of risk assessment methodology

Types of risk assessments & definitions

A value proposition for conducting a risk assessment

A suggested timeline for the risk assessment

A walk-through of a typical risk assessment, with

A sample risk/audit universe

Key stakeholders interviewed during the risk assessment

Typical activities conducted during the risk assessment

A sample questionnaire

A sample residual heat map

A sample internal audit plan

Discussion of a risk assessment case study


HEALTH CARE INTERNAL AUDIT LANDSCAPE

Impact of the Affordable Care Act

Responding to the increasing number of regulatory requirements resulting from the Affordable Care Act (ACA) is critical

Best practices for managing these complexities require strong internal audit & compliance functions

Many organizations do not have the appropriate resources to meet these concerns internally

Health care internal audit & compliance

The complexities of these new regulations, & compliance with their requirements, have heightened the current risk landscape, as health care reform provides the backbone of transformation in several areas, including

IT-related concerns, such as EHR & Health Information Exchanges

Privacy & security (HITECH/HIPAA) requirements, including OCR audits

Meaningful use regulation compliance & CMS audits

Quality data collection & measurement compliance

501(r)

Risk assessments can help to identify areas exposed to high risk

The resulting internal audit plan would address the appropriate areas, as well as identify necessary resources

Readiness assessments may also be conducted for compliance areas that are a concern, but not high-risk

Risk Assessment Overview


RISK ASSESSMENT OVERVIEW

Introduction

Risk & compliance are becoming greater concerns to health care organizations as governance, senior management & physicians are required to assume more responsibility & personal liability

With increased transparency, health care facilities’ patients & the general public are also becoming more knowledgeable of organizational risks

Objective

A well-developed risk assessment model will provide an efficient & systematic process to

Determine auditable areas of an entity

Assess risk of each area & identify activities exposed to high risk

Rank area by risk

Estimate resources necessary to conduct internal audits

Develop annual & long-term (typically three-year) internal audit plans


RISK ASSESSMENT OVERVIEW

Methodology

Risk assessment methodology includes the following activities

Identify audit universe, categorized by key risk areas of organization

Interview key stakeholders of organizations to help identify areas of greatest risk

Identify common themes

Develop a heat map based on those discussions, & validate risk ranking with key stakeholders

Develop a proposed internal audit plan based on key risk areas identified during process


RISK ASSESSMENT OVERVIEW

Types of risk assessments

There are various types of risk assessments health care organizations could conduct, including

Corporate compliance

Fraud

Financial

Information technology

Meaningful use

Operational

Privacy & security

Most organizations prefer coverage in all of these areas, as part of an enterprise-wide risk assessment


RISK ASSESSMENT OVERVIEW

Key definitions

Enterprise Risk Management

Enterprise Risk Management (ERM) is an approach used by management to integrate internal controls, Sarbanes-Oxley Act requirements & strategic planning. An organization utilizes this process to help its stakeholders understand how it is managing its key risks. Monitoring the process is typically performed as part of the internal audit plan

Enterprise-Wide Risk Assessment

Results of an Enterprise-Wide Risk Assessment may be integrated as part of the ERM process, or they can be utilized separately as part of the process to develop an internal audit plan


RISK ASSESSMENT OVERVIEW

Value proposition for conducting a risk assessment

Value proposition for conducting a risk assessment includes the following

Identify key risks – internal & external – to an organization

Determine whether risks have been mitigated by management, & if not, help management develop a plan to address critical areas

Reduce potential for unwanted surprises

Assess likelihood & impact of critical risks affecting earnings

Strengthen controls over operations & thereby increase efficiencies/reduce costs

Provide an independent risk management tool to help governance meet their increasingly demanding fiduciary responsibilities

Proactively understand organization’s risks & actively manage those risks

Identify opportunities to increase net revenue & optimize third-party reimbursement

Help ensure organization is meeting compliance objectives & therefore reducing risks & consequences of non-compliance

OIG workplan

PCI data security standards

Meaningful use

Fraud & abuse

HITECH/HIPAA (privacy & security)

IRS/tax-exempt status

340B compliance


RISK ASSESSMENT OVERVIEW

Value proposition for conducting a risk assessment

Consequences of non-compliance can include (but are not limited to) fines, penalties, legal action, reductions in third-party reimbursement, loss of tax-exempt status & reputational damage. Liability could extend beyond the organization to individuals, including officers, board members & physicians


Timeline

Risk assessment process takes approximately three to six weeks. The following is a sample four-week timeline

Activity | Week 1 | Week 2 | Week 3 | Week 4

Planning & information review

Design of survey templates & interview questionnaires

Conduct risk assessment interviews

Compile results of interviews & develop heat map

Develop recommendation & listing of suggested audit or assessment areas

Review results with senior management

Complete final project documents

RISK ASSESSMENT OVERVIEW

Resulting documents

Key documents based on results of this project would typically include the following

Risk definitions & risk framework

Heat map tailored for key risk areas

Summary of recommendations, including a listing of proposed audit areas

Three-year internal audit plan


RISK ASSESSMENT WALK-THROUGH


RISK ASSESSMENT WALK-THROUGH

Risk/audit universe

Audit universe identified during an enterprise-wide risk assessment is typically as follows, categorized by organization’s key risk areas

Governance Risk

• Organization Structure

• Leadership

• Strategic Planning

• Risk Management

• Policies & Procedures

• Communication

Financial Risk

• Contractual Allowances & Third-party Estimates

• Revenue Recognition

• Financial Statement Estimations

• Managed Care Contracting

• Debt Covenants

• Cost Reporting

• Financial Reporting & Disclosure

Operations & Process Risk

• Supply Chain

• Revenue Cycle

• Payroll

• Financial Statement Close

• Construction

• Purchasing & Payables

Technology Risk

• IT Security

• Health Information Exchanges

• Data Integrity

• Disaster Recovery Planning

• Change Management

• ICD-10 Readiness

• Mobile Devices

Compliance Risk

• Tax-Exempt Status

• Corporate Compliance Program

• HITECH/HIPAA (Privacy & Security)

• EHR/Meaningful Use Compliance

• Fraud & Abuse

• 501(r) /Community Health Needs Assessment

• Payment Card Information Data Security Standards

• Stark Laws/Anti-Kickback Regulations

• Quality Measures

• Health Breach Notification Rules

Personnel/Human Capital Risk

• Physician Acquisition/Contracting

• Authority

• Nursing Staff

• Hiring/Retention/Training

• Supervision & Management

• Workload/Personnel/Turnover


Participants

Key stakeholders to interview, including the following

Other

Audit Committee Chair

Chief Executive Officer

Chief Medical Officer

Chief Information Officer

Chief Quality Officer

Chief Privacy Officer

Corporate Compliance Officer

VP Human Capital

Director of Business Office

Director of Supply Chain

Finance

Chief Financial Officer

Corporate Controller

Director of Finance

Director of Accounting

RISK ASSESSMENT WALK-THROUGH

Preliminary stage

The methodology includes the following activities in the preliminary stage of the project

Develop project plan, milestones & timing

Determine risk tolerance levels

Identify audit universe, categorized by key risk areas

Determine key documents to be reviewed & personnel to be interviewed

Develop & distribute surveys to be utilized

Develop questionnaires to be utilized during risk assessment interviews

Identify & notify key stakeholders of project’s objectives & their roles


RISK ASSESSMENT WALK-THROUGH

Second stage

Individual interviews & facilitated group sessions are conducted, utilizing questionnaires developed for each area. Discussions begin with open-ended questions related to participants’ roles, goals, challenges, issues, responsibilities & concerns. Key stakeholders in these sessions typically include

Chief executive, operating & financial officers

Chief medical, legal & information officers

Corporate compliance

Key finance & accounting personnel

Key department heads of operations

Key board & committee members


RISK ASSESSMENT WALK-THROUGH

Final stage

During the final stage of project, results of documentation review & interview sessions are analyzed to help

Identify common themes noted during interviews

Design heat map, including key risk areas based on the results of risk assessment

Develop a summary of recommendations, including a listing of proposed internal audit areas & related deliverables


RISK ASSESSMENT WALK-THROUGH

SAMPLE QUESTIONNAIRE RESULTS – Accounting Manager

Statement | Maturity Rating | Impact | Risk

Financial statements used in management decisions are received timely & prepared accurately | 1 | 2 | 2

Financial statement accounts are supported by reconciliations & subsidiary ledgers/detail | 1 | 1 | 1

Management views accounting treatment for transactions or activities in a balanced manner, neither too aggressive nor too conservative | 2 | 3 | 6

Management views accounting function as an important element in overall system of internal control rather than an obstacle to be avoided or overcome | 1 | 2 | 2

Management has a consistent methodology in computing allowance for uncollectible accounts & contractual adjustments & doesn't deviate without appropriate support reasons | 2 | 3 | 6

Management has adequate documentation to support third-party reserves such as cost reports, RAC accruals & other estimates | 1 | 2 | 2

Organization has review processes in place to ensure payments received are according to contracts | 3 | 3 | 9

Management has a process in place to review expenses that exceed approved budget & to implement cost reductions when appropriate | 2 | 3 | 6

Maturity Ranking Definitions: 0 = Not Applicable to Respondent; 1 = Optimized; 2 = Repeatable/Partially Defined; 3 = Initial or Non-Existent

Impact if Control Fails: 0 = Not Applicable to Respondent; 1 = Low; 2 = Moderate; 3 = High
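Scoring the sample questionnaire in code, as an added example that is not part of the presentation: it applies the slide's Risk = Maturity Rating × Impact rule to the eight statements above, drops items rated 0 (not applicable) and ranks the rest; the Low/Moderate/High banding thresholds and the abbreviated statement texts are assumptions made here.

```python
"""Residual-risk scoring for the sample questionnaire (added example, not from the slides).

Scoring follows the slide: Risk = Maturity Rating x Impact if Control Fails.
  Maturity: 0 Not Applicable, 1 Optimized, 2 Repeatable/Partially Defined, 3 Initial or Non-Existent
  Impact:   0 Not Applicable, 1 Low, 2 Moderate, 3 High
Banding of scores into Low/Moderate/High is an assumption made here for illustration.
"""
from dataclasses import dataclass
from typing import Optional

MATURITY = {0: "Not Applicable", 1: "Optimized",
            2: "Repeatable/Partially Defined", 3: "Initial or Non-Existent"}
IMPACT = {0: "Not Applicable", 1: "Low", 2: "Moderate", 3: "High"}


@dataclass(frozen=True)
class Response:
    statement: str
    maturity: int  # respondent's maturity rating, 0..3
    impact: int    # impact if the control fails, 0..3

    def risk(self) -> Optional[int]:
        """Residual risk score; None when either rating is 0 (not applicable to respondent)."""
        if self.maturity not in MATURITY or self.impact not in IMPACT:
            raise ValueError(f"ratings must be 0..3: {self.statement!r}")
        if self.maturity == 0 or self.impact == 0:
            return None
        return self.maturity * self.impact


def band(score: int) -> str:
    """Assumed banding of a 1..9 score for the heat map: 6-9 High, 3-4 Moderate, 1-2 Low."""
    return "High" if score >= 6 else "Moderate" if score >= 3 else "Low"


def rank(responses) -> list:
    """Scored statements, highest residual risk first; not-applicable items are dropped."""
    scored = [(r.risk(), band(r.risk()), r.statement)
              for r in responses if r.risk() is not None]
    return sorted(scored, key=lambda t: -t[0])


# The eight statements from the slide's Accounting Manager questionnaire, abbreviated here
SAMPLE = [
    Response("Financial statements timely & accurate", 1, 2),
    Response("Accounts supported by reconciliations", 1, 1),
    Response("Balanced accounting treatment", 2, 3),
    Response("Accounting seen as part of internal control", 1, 2),
    Response("Consistent allowance/contractual methodology", 2, 3),
    Response("Documentation for third-party reserves", 1, 2),
    Response("Payments reviewed against contracts", 3, 3),
    Response("Over-budget expenses reviewed", 2, 3),
]

if __name__ == "__main__":
    for score, level, text in rank(SAMPLE):
        print(f"{score:>2}  {level:<8} {text}")
```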

RISK ASSESSMENT WALK-THROUGH

Heat map

The following is a sample heat map for a health care organization, based on the results of the risk assessment

[Heat map: horizontal axis LIKELIHOOD OF CONTROL/PROCESS ISSUES (Low to High); vertical axis IMPORTANCE TO BUSINESS STRATEGY (Low to High); audit areas 1–10 plotted by number]

Audit Areas

Technology Risk

1. IT Security

2. ICD-10 Readiness

3. Health Information Exchanges

Operations and Process Risk

4. Supply Chain

5. Revenue Cycle

Personnel/Human Capital Risk

6. Physician Acquisition/Contracting

Compliance Risk

7. Corporate Compliance Program

8. Stark Laws/Anti-Kickback Regulations

9. EHR/Meaningful Use

Financial Risk

10. Financial Statement Estimations

RISK ASSESSMENT WALK-THROUGH

Results/Recommendations – listing of proposed audit areas (sample)

Charts below & on the next slide reflect a sample of the 10 highest risk areas identified as a result of the risk assessment process, derived from the residual heat map on the preceding page

Audit Process | Risk Ranking | Description of Audit | Estimated Hours | Auditee/Process Owner

Health Information Exchanges Compliance Assessment | High | --- | 125 | ---

IT Security Audit | High | --- | 125 | ---

Revenue Cycle – Denial Management Audit | High | --- | 125 | ---

Physician Acquisition/Contracting Audit | High | --- | 125 | ---

ICD-10 Readiness Assessment | High | --- | 100 | ---

RISK ASSESSMENT WALK-THROUGH

Results/Recommendations – listing of proposed audit areas (sample)

Audit Process | Risk Ranking | Description of Audit | Estimated Hours | Auditee/Process Owner

Meaningful Use Compliance Assessment | High | --- | 150 | ---

Corporate Compliance Program Assessment | High | --- | 150 | ---

Stark Laws/Anti-Kickback Regulations Assessment | High | --- | 125 | ---

Supply Chain Audit | Moderate | --- | 150 | ---

Financial Statement Estimations Audit | Moderate | --- | 125 | ---

This plan also allows for management requests identified during the year, as well as quarterly follow-ups designed to address recommendations noted during audits/assessments

RISK ASSESSMENT WALK-THROUGH

PROPOSED THREE-YEAR INTERNAL AUDIT PLAN MAP

Q1 Q2 Q3 Q4

Year One

ICD-10 Readiness Assessment

Health Information Exchanges Compliance Assessment

Year Two

IT Security Audit

Stark Laws/Anti-Kickback Regulations Assessment

Meaningful Use Compliance

Revenue Cycle – Denial Management Audit

Year Three

Corporate Compliance Program Assessment

Physician Acquisition/Contracting Audit

Supply Chain Audit

Financial Statement Estimations Audit

RISK ASSESSMENT CASE STUDY


RISK ASSESSMENT CASE STUDY

Background

Health care organization has never had a risk assessment conducted

External auditors cited this fact in 2014 year-end audit management letter comments

Objective will be to provide a road map for an internal audit plan

Process

Review of background materials

Distribution of surveys for initial understanding of each key area/process

Interviews conducted with key stakeholders

Validate common themes identified

Develop audit plan


RISK ASSESSMENT CASE STUDY

Issues identified

Concerns related to third-party payment process & related contractual allowances for non-traditional governmental payors

Issues related to operations of employed & provider-based physicians, including charge capture & billing/payment processes

Concerns related to Information Technology (IT), including

IT service management processes (asset management, incident & change)

Business continuity & disaster recovery

Confidentiality of data (electronic protected health information)

Staff turnover & associated retraining

Succession planning

Appropriate segregation of duties due to staffing limitations


RISK ASSESSMENT CASE STUDY

Draft internal audit plan

Revenue Cycle - Third-Party Payment Process Audit

This audit would focus on controls established by management to ensure payments for patient services performed at the hospital are collected according to third-party contracts. This would include ensuring payments received from non-traditional governmental payors are appropriate through effective monitoring of contractual allowances & key contractual terms, including timely payment

Employed & Provider-Based Physician Audit

This audit would focus on controls established by management to ensure services performed by employed & hospital-based physicians are properly billed, that reimbursement is optimized on related billings, that these relationships are properly documented through current contracts with terms monitored for regulatory compliance factors & that associated payments to physicians are properly paid & documented

Regulatory Compliance Assessment

This assessment would focus on whether management is meeting its objectives to ensure regulatory requirements are met for areas such as the OIG Workplan, HITECH/HIPAA Security & Privacy, Meaningful Use, Fraud & Abuse and Stark Laws

IT Assessment

This assessment would focus on identified higher-risk elements of IT general controls & security objectives related to IT service management & data confidentiality. IT service management includes governance & operational support for asset life cycle management, change management, continuity management, security management & incident management. The assessment would also focus on whether management has policies, procedures, controls & skilled resources in place or available to support IT service management requirements

QUESTIONS?

THANK YOU!
