Continuous Auditing and Monitoring Leveraging Your Data for Compliance
A Phyllis Patrick & Associates LLC White Paper
April 2014
Gail Hormats, B.S., M.B.A., C.I.A., C.I.S.A., C.R.M.A., C.A.D.A.

[Cover graphic: Automated Continuous Testing and Monitoring; Ad-hoc Testing and Monitoring; Manual Testing and Monitoring]

Executive Summary

Data analysis solutions, including automated continuous auditing and monitoring approaches, can enable information security and privacy compliance. This is a new trend and one that we predict will not only leverage the resources of information security and privacy programs, but will evolve the programs to a higher level of credibility and sustainability through the use of analytic tools and reporting.

In this paper, we will explain how continuous auditing and monitoring (CAM) can provide ongoing assurance for security, privacy, compliance and audit in your organization. We will describe some of the key tools and types of testing that will benefit your organization.

CAM is a process or methodology used to test transactions based upon prescribed criteria, identify anomalies, and provide written assurance via the reporting process simultaneously with or shortly after the review. CAM employs computer aided audit techniques (CAATs) to mine data to check whether an organization's security, privacy, financial, clinical, or other controls are working to ensure regulatory compliance or to prevent fraud, waste, abuse, or errors. The deployment of these tools provides the capability for data to be checked in near real-time and the results shared with those having a need to know.

One of the most common CAAT applications is ACL Analytics (ACL). ACL is a data mining and analytic application developed by ACL Services, Inc. (Vancouver, CN). Coupled with Visual Basic for Applications and Excel, ACL provides a platform for creating routines that can be scheduled to run automatically on a pre-set schedule. These routines can range from simple, such as testing applications for authorized access or dormancy, to complex analytics that verify meaningful use calculations. Other possibilities include routines that allow management to monitor compliance with level of care regulations related to an Electronic Medical Record or to identify possible invoice duplicates before they are paid.

Routines can be designed such that Security, Privacy, Audit or Compliance Departments receive responses from management as a result of automated routines. Routines are designed to be a turnkey solution requiring minimal or no intervention on the part of Security, Privacy, Compliance or Audit staff.

Table of Contents

What Is Continuous Auditing and Monitoring
Data Analytics
Success Factors
    Management Agreement
    CAAT Tools
    Data Availability
Examples of CAM Routines
Development of a CAM Routine
    Planning
    Developing Data Understanding
    Script and Output Report Development
    Moving to Production
Summary
Appendix A Sources
Appendix B About the Author

What Is Continuous Auditing and Monitoring?

The Institute of Internal Auditors defines Internal Audit as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations... bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." Audit is the application of a methodical process to gathering and analyzing processes to ensure that controls exist to mitigate risk. Audit is generally the responsibility of the Internal Audit Department.

Merriam-Webster defines monitor as "to watch, keep track of, or check usually for a special purpose." [1] The Environmental Protection Agency (EPA) defines monitoring as "measurement data or other information for assessing performance against a standard or status with respect to a specific requirement." [2] Thus, monitoring is the routine collection or review of data to ensure that operations are functioning properly. Monitoring is a responsibility of operational management, which generally includes Security, Privacy and Compliance departments.

Merriam-Webster defines continuous as "continuing without stopping: happening or existing without a break or interruption; marked by uninterrupted extension in space, time, or sequence." [1] In an automated, continuous auditing and monitoring (CAM) process, however, "continuous" can better be defined as "done repetitively, on a pre-defined schedule." It is continuous, in the sense that, compared to a traditional audit or review which may be done annually or less frequently, CAMs occur routinely on a set schedule.

CAM is used to test transactions based upon prescribed criteria, identify anomalies, and provide written assurance via the reporting process simultaneously with or shortly after the review. CAM has also been defined as the automated and frequent analyses of data through the use of computer assisted audit tools (CAATs) and other audit techniques. CAM employs CAATs to check whether an organization's data is processed correctly and determines whether internal controls are working to prevent errors and fraud.

As noted above, deployment of these tools provides the capability for controls to be checked in near real-time and the results shared with those having a need to know. Use of these tools also allows testing of complete populations, not just sampling. Putting these tools in place provides assurance regarding the integrity of information at given points in time and provides constant checking for issues, errors or fraud. CAM may be used to audit controls or it may be used to strengthen compliance monitoring.

Data Analytics

According to the Institute of Internal Auditors, "Data analysis is the process of identifying, gathering, validating, analyzing, and interpreting various forms of data within an organization to further the purpose and mission..." [3] ISACA indicates that data analytics allow enterprises to make better business decisions and increase competitive advantage. [4] In the security and privacy arena, data analytics can provide assurance that data integrity is maintained and that the data is appropriately protected. Data analytics can also help to ensure that employees are complying with regulations and that the information is properly reported.

Data analysis technologies are computer programs the reviewer or auditor uses to process data of significance in order to improve the effectiveness and efficiency of the review process. When data analysis is being used, the overall objective and scope of a review does not change. Data analytics can also be used to develop controls to ensure that a process is functioning as designed. For example, data analytics can be used to create alerts if employees access patient data outside of job needs, that is, an alert concerning a potential patient privacy breach and/or violation of an organization's Minimum Necessary Policy.

The use of data analytic tools ranges in maturity from ad-hoc to a vigorous continuous (or at least repetitive) monitoring. A capability or maturity model describes process components that are believed to lead to better outputs and better outcomes. A low level of maturity implies a lower probability of success in consistently meeting an objective while a higher level of maturity implies a higher probability of success. [5]

[Figure 1: Audit Analytic Capability Model. Source: ACL Services, LTD.]

The Audit Analytic Capability Model (AACM) in Figure 1 shows the stages of CAM development.

At the basic Data Analysis level (1), analytics are typically ad-hoc and mostly used during a single audit for simple summarizations of data.

At the Applied Analytics level (2), analytics are still ad-hoc but more comprehensive, and integrated into the audit process.

At the Managed Analytic level (3), analytics are a core part of the audit process. Data analyses may occur near real-time, are maintained in a central repository, and are often scripted. Although an individual generally initiates testing, analysis at this level is repeatable and sustainable.

At the Continuous Auditing level (4), suites of tests are in production and run in an automated, or near automated fashion. Testing is now real-time or near real-time. This increases the ability of Security, Privacy, Compliance, and Audit Departments to more effectively and efficiently identify and share opportunities for improvement (OFI) with management.

The Continuous Monitoring level (5) moves automated analytics away from the Audit Department and into management's responsibility. The analytics at this stage are used by management to continuously or near continuously monitor a process.

Together, continuous auditing and continuous monitoring provide management with continuous assurance that processes, security, privacy, and business controls are functioning as designed. This assures that fraud, waste, and abuse are likely to be identified and corrected, and that the organization is complying with required laws and regulations.

Success Factors

A number of factors must be in place for a CAM routine to be successfully implemented. The three key factors are management agreement, CAAT tools, and data availability.

Management Agreement

A successful CAM routine requires management agreement. A CAM routine will identify conditions that need a response, e.g., a possible breach will need to be investigated, a user's access may need to be terminated, or revenue may need to be returned to a payer. Additionally, business processes may need to be modified or changed based on the results of the CAM process.

CAAT Tools

Many healthcare organizations use ACL. ACL permits data analysis without changing the original data and while tracking each step in the analysis (maintaining an audit log). ACL has a scripting language that allows the development of programs to facilitate repetitive or near continuous testing. Visual Basic for Applications and the use of a job scheduler extends the ability of ACL to create a completely automated CAM. Other CAAT tools that can be used include IDEA, a data analytic tool similar to ACL, and Excel or any other spreadsheet application. As data sets become more complex (what is referred to as big data), more elaborate data analytic tools are required. These include, but are not limited to, SAS (Statistical Analysis System), HADOOP (big data strings), and NoSQL (representing different database technologies).

Data Availability

The CAM process relies on obtaining and analyzing data from various sources, including computer applications, spreadsheets, lists, and even Adobe files. Key applications used in many CAM routines are defined in Figure 2 below. Data may be in the form of a stand-alone file, an ODBC connection into the application's database, or a direct link into the application's database.

Figure 2: Common Applications Used in CAM Routines

APPLICATION: PURPOSE

1. Electronic Medical Record: Contains clinical information, including physician orders. Information can be used for many CAM routines including but not limited to meaningful use validation, PHI mapping, and revenue recovery. Examples include EPIC, Cerner, and Meditech.
2. Data Loss Prevention: Used to detect potential data breach or exfiltration transmissions and prevent them by monitoring, detecting and blocking sensitive data while in-use, in-motion, and at-rest. Can be used in conjunction with PHI mapping and CAM routines to strengthen safeguards and minimize data leakage risks due to workforce error. Examples include Cisco, Symantec, and McAfee.
3. Physician Billing System: Usually includes a combined Provider Patient Registration, Scheduling, Accounts Receivable, and Billing System. An example is IDX.
4. Facility Billing System: Usually is a combined Master Patient Index, Hospital Patient Registration and Accounts Receivable System. Two examples are SMS and Meditech.
5. Reimbursement Results: Contains hospital paid claims data used in billing reviews (i.e. RAC); generally is the 835 reimbursement file data or an application that aggregates this information such as The Advisory Board Company's Revenue Integrity Compass.
6. Badge/Security Identification: Used to assign and track physical access to the organization's property; may or may not be the application that actually prints the badges. An example is Premisys.
7. Time Application: Employee time capture. One of the most commonly used is KRONOS.
8. Enterprise Resource Management System (ERM): The major financial application(s) used to manage the organization. Generally consists of General Ledger, Asset Management, Purchasing, and Accounts Payable modules. Examples include Lawson, Oracle Financials, and Meditech.
9. HRMIS: Human Resources Information Management System (including employee data, payroll and benefits). Examples include Oracle HRMIS and PeopleSoft.
10. Research or Project: Application(s) that contain research or project related information such as special purpose fund budgets or construction budgets.

Examples of CAM Routines

Following are examples of CAM routines, organized by review focus: Security and Privacy, Compliance, and Audit. This list is a starting point for determining how you can use data analytics and CAM tools to meet auditing and monitoring objectives throughout an organization. Information security and privacy officers, internal auditors, compliance officers, quality officers, safety officers, and other functional areas can leverage the value of these tools and processes to identify potential issues and analyze data in new and creative ways while improving programs and reporting results.

Security and Privacy

Meaningful Use - Validate meaningful use attestation calculations, determining accuracy of payments and requests for incentive monies from CMS and state Medicaid agencies.
PHI Mapping - Identify where protected health information (PHI) resides in systems, on devices, in network drives, and other areas. Use information to develop strategies for minimizing data leakage.
Logical Security Access Testing - Test additions, transfers, and terminations of users. Test dormancy, last login, and unapproved access.
Business Associate Agreements (BAA) - Assist in developing and testing BAA Inventories and determining high-risk vendors.
Data Breach - Develop tests and alerts to identify possible data breaches. This is particularly useful to test applications other than the electronic medical record, i.e., interfacing systems that provide lab, radiology, and other diagnostic results.

Compliance

Revenue Recovery and Protection - Compare group practice and facility billing for missing revenue either by the hospital or physician's group practice (usually organization based) and identify mismatched data that may lead to compliance concerns. These types of CAM routines are particularly effective in areas such as Surgery, Interventional Radiology, Cardiac Catheterization, Electrophysiology Laboratory, and other high-dollar clinical areas.
Outcomes Reporting - Compare clinician documentation and use electronic health record (EHR) modules to determine potential over-coding, cloning, errors, and other issues related to EHR integrity.
Level of Care - Compare EHR and patient accounting systems (daily and quarterly) to ensure level of care is billed appropriately. The value is captured by using a quarterly look back comparing the daily accounts to the actual reimbursement received.
Exclusions - Test personnel inclusion on Federal and State exclusion lists. This routine can be fully automated if employee and physician social security numbers (SSN) are available for comparison to the exclusion lists. If only names and addresses are available, a final manual check must be made by comparing the SSN of the hit to the employee or physician SSN.
Physician Contracting - Validate that payments to and from physicians do not violate Stark and Anti-Kickback Laws, including lease payment testing.
72-hour Rule Testing - Provide assurance that all charges that fall within the 72-hour rule are rolled into a single bill.
Human Resources (HR) - Test for compliance with labor regulations and an organization's policies including minimum wages and employees paid as vendors.

Audit

Overtime - Develop tests to ensure excess overtime has not been charged.
Pension Validation - Test that pension payments have been properly calculated.
General Ledger - Analyze the trial balance roll-forward and anomalous transactions.
Accounts Receivable - Test the accounts receivable aging.
Accounts Payable - Test possible upcoming duplicates and provide a look back to identify any already paid duplicates.
Vendor Master File (VMF) - Test the VMF data integrity including but not limited to dormant and duplicate vendors and missing data.

Development of a CAM Routine

The continuous audit approach used to develop a CAM routine consists of five major stages:

Planning
Understanding process / data
Developing scripts
Developing reports
Implementing routine into production

Each phase is important and plays a key role in continuous auditing and monitoring.

Planning

The planning phase involves developing a general understanding of the process being considered for CAM and identifying potential testing routines. During the planning phase the scope and objectives of the CAM routine are documented. Approximately 5% of the project time is spent in planning.

Developing Data Understanding

In developing data understanding, the CAM developer works with the subject matter experts and Information Systems Departments to identify the specific data needed and to determine how it is stored. During this phase, one or more sample data files are produced, and the automated extraction schedule and storage location are defined. If sensitive data is involved (e.g. protected health information or employee social security numbers), protective measures, such as limited-access shared drives, are established. This phase represents about 30% of the project.

Script and Output Report Development

The script and output report development phases are intertwined. During these phases, data analytics are programmed and results validated with subject matter experts. The final format of the output report and any required management response(s) are defined and developed. Together, these two phases comprise about 50% of the project.

Moving to Production

The last phase is the move to production. During this phase, instructions for maintaining the CAM routine are developed and shared with the responsible parties. Also, if required, the developer creates the code needed for ensuring the routine runs on the agreed schedule. This phase encompasses 15% of the project.

Figure 3 shows the process flow of a continuous audit or monitoring project from start to completion depicted by stage.

[Figure 3: Continuous Audit and Monitoring Process Flow. Source: Gail Hormats, C.I.A., C.I.S.A., A.C.D.A. and Feline O'Gorman, C.P.A., A.C.D.A., Case Study: Continuous Audit Recovers Lost Cardiac Catheterization Laboratory Revenue, New Perspectives, Association of Healthcare Internal Auditors, Fall]
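
As an added illustration that is not part of the white paper, the following sketch shows what the scripted core of the Logical Security Access Testing routine listed earlier could look like once it reaches the script and report stages. Python stands in here for an ACL script; the file layouts, column names, finding codes and the 90-day dormancy threshold are all assumptions, and the extracts are constructed sample data.

```python
"""Logical access testing as a scheduled CAM routine (constructed sample data)."""
import csv
import io
from collections import Counter
from datetime import date, datetime

DORMANCY_DAYS = 90  # assumed policy threshold; set to your organization's standard

# Constructed extracts standing in for the HRMIS and application user-account files.
HR_EXTRACT = """employee_id,name,status,termination_date
1001,A. Rivera,ACTIVE,
1002,B. Chen,TERMINATED,2014-02-14
1003,C. Okafor,ACTIVE,
1004,D. Silva,TERMINATED,2014-03-20
"""

APP_EXTRACT = """user_id,employee_id,enabled,last_login
arivera,1001,Y,2014-03-30
bchen,1002,Y,2014-03-02
cokafor,1003,Y,2013-11-05
dsilva,1004,N,2014-03-19
svc_lab,,Y,2014-03-31
newhire,1009,Y,
"""


def load(text):
    """Parse a CSV extract into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_day(value):
    """Return a date for 'YYYY-MM-DD', or None for an empty field."""
    value = (value or "").strip()
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def access_findings(hr_rows, app_rows, as_of, dormancy_days=DORMANCY_DAYS):
    """Test every account (no sampling) and return (user_id, test, detail) tuples."""
    hr = {row["employee_id"].strip(): row for row in hr_rows}
    findings = []
    for acct in app_rows:
        user = acct["user_id"]
        enabled = acct["enabled"].strip().upper() == "Y"
        last_login = parse_day(acct["last_login"])
        person = hr.get(acct["employee_id"].strip())

        if person is None:
            # No HR record owns this account: candidate for unapproved access.
            if enabled:
                findings.append((user, "NO_HR_MATCH", "enabled account without an HR owner"))
        elif person["status"].strip().upper() == "TERMINATED":
            term = parse_day(person["termination_date"])
            if enabled:
                findings.append((user, "TERMINATED_ENABLED", f"terminated {term}, still enabled"))
            # Reported even when the account is now disabled: the access already happened.
            if term and last_login and last_login > term:
                findings.append((user, "LOGIN_AFTER_TERMINATION",
                                 f"last login {last_login} is after {term}"))

        if enabled and last_login is None:
            findings.append((user, "DORMANT", "enabled but never logged in"))
        elif enabled and (as_of - last_login).days > dormancy_days:
            findings.append((user, "DORMANT",
                             f"{(as_of - last_login).days} days since last login"))
    return findings


def summarize(findings):
    """Count exceptions per test for the management report header."""
    return dict(Counter(test for _, test, _ in findings))


def render_report(findings, as_of):
    """Plain-text exception report that management is asked to respond to."""
    lines = [f"Logical access exceptions as of {as_of}"]
    lines += [f"  {test}: {count}" for test, count in sorted(summarize(findings).items())]
    lines += [f"{user:<10} {test:<24} {detail}" for user, test, detail in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    run_date = date(2014, 4, 1)  # constructed run date; a scheduler would pass today's date
    print(render_report(access_findings(load(HR_EXTRACT), load(APP_EXTRACT), run_date), run_date))
```

In production the two extracts would be the scheduled files from the HRMIS and the application under review, stored on the limited-access share defined during the data understanding phase.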

Summary

This white paper explains automated continuous auditing and monitoring (CAM) and describes how it can be used to facilitate security and privacy compliance, as well as other compliance and audit functions. As noted earlier, there are five stages of maturity in the development of using data analytics for ongoing auditing and monitoring. Together, the two most mature stages provide continuous assurance that processes are functioning as designed. A five-stage process (planning, understanding data, developing scripts, developing output reports, and moving CAMs to production) provides the methodology for developing automated CAM routines.

While CAM routines and CAAT tools have been used in internal and financial functions for many years, use of these tools and techniques to achieve data analytics objectives is new for security, privacy, and related functions such as meaningful use, PHI mapping, data integrity in EHRs and other systems, and vendor risk assessment. We are confident that these tools will provide the key to improving and sustaining security and privacy programs and related functions by providing compliance measures, new reporting capabilities, and an effective adjunct to an organization's risk analysis and risk mitigation programs.

Appendix A Sources

Environmental Protection Agency, Technology Transfer Network Clearinghouse for Inventories & Emissions Factors
[3] Altus J. Lambrechts, C.I.S.A., C.R.I.S.C., Jacques E. Lourens, C.I.A., C.I.S.A., C.G.E.I.T., CRISC, Peter B. Millar, and Donald E. Sparks, C.I.A., C.I.S.A., The Institute of Internal Auditors Global Technology Audit Guide (GTAG) 16: Data Analysis Technologies, August
Generating Value from Big Data Analytics, ISACA,
IPPF Practice Guide Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements, The Institute of Internal Auditors, July
The ACL Audit Analytic Capability Model, ACL,
Gail Hormats C.I.A., C.I.S.A., A.C.D.A. and Feline O'Gorman C.P.A., Case Study: Continuous Audit Recovers Lost Cardiac Catheterization Laboratory Revenue, New Perspectives, Association of Healthcare Internal Auditors, Fall
Gerard (Rod) Brennan, Ph.D., Continuous Auditing Comes of Age, ISACA,
David Coderre, Royal Canadian Mounted Police (RCMP), The Institute of Internal Auditors Global Technology Audit Guide 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment, July
Practice Advisory : Continuous Assurance, The Institute of Internal Auditors, June

Appendix B About the Author

Gail Hormats, B.S., M.B.A., C.I.A., C.I.S.A., C.R.M.A., C.A.D.A.

Ms. Hormats served as Project Leader (Audit Services), as Manager of Audit Services, and most recently, as Manager of Audit and Compliance at Baystate Health. In her roles at Baystate Health, she developed and managed the Continuous Audit and Monitoring Program. The program averaged direct recoveries or revenue protection of approximately $7.5 million annually. Prior to working for Baystate Health, Ms. Hormats was the Associate Director of IT Audit for the University of Massachusetts where she introduced Computer Aided Audit Techniques using ACL.

Ms. Hormats has held audit positions at Boston Medical Center, John Hancock Financial Services, Boston Children's Hospital and the University of Massachusetts Medical Center. Ms. Hormats is a member of the Institute of Internal Auditors, the Association of Healthcare Internal Auditors, and ISACA. She has served as the Chair, Technology Committee for the Association of Internal Auditors and program coordinator for ISACA.

Phyllis A. Patrick & Associates LLC partners with Gail Hormats to provide this service. Ms. Hormats is passionate about the use of data and data analytics to foster robust information security and privacy programs, and to identify and reduce risks associated with confidential information: its creation, use, storage, and maintenance.
IT GOVERNANCE SUMMIT OCTOBER, 2015 REALIZING MAXIMUM BENEFITS FROM GOVERNANCE, RISKS AND COMPLIANCE (GRC) TOOLS Presented by Ralph Ugbodu CGEIT, CISA, CRISC, CISSP, CFE, EDRP, ISO 27001 Lead Auditor, COBIT5.
More informationWho is looking at your electronic health record?
Who is looking at your electronic health record? A practical guide to building an audit plan. April 22, 2013 Sandy Gilmore Audit Plan April 2013 2 1 Audit Plan April 2013 3 Who is looking at your EHR Objectives
More informationNEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16
NEW PERSPECTIVES on Healthcare Risk Management, Control and Governance www.ahia.org Journal of the Association of Heathcare Internal Auditors Vol. 32, No. 3, Fall, 2013 Professional Fee Coding Audit: The
More informationInformation Security Governance:
Information Security Governance: Designing and Implementing Security Effectively 2 nd Athens International Forum on Security 15 16 Jan 2009 Anestis Demopoulos, CISA, CISSP, CIA President of ISACA Athens
More informationUse of Data Extraction & Analysis Software In a Financial Statement Audit
Use of Data Extraction & Analysis Software In a Financial Statement Audit A Message from The Audit Wizard April 2008 Making Auditors Proficient, Inc. Phone: 352-750-9636 www.billallen.com E-mail: ballen@billallen.com
More informationDIVURGENT S ACORM FRAMEWORK
white paper DIVURGENT S ACORM FRAMEWORK The Right IT Infrastructure for ACOs written by David Shiple CMS Is Driving ACO IT Planning After reading the final rule for Medicare Accountable Care Organizations
More informationContinuous Controls Monitoring ISACA, Houston Chapter. August 17, 2006
Continuous Controls Monitoring ISACA, Houston Chapter August 17, 2006 Purpose of Discussion Understand impact of Continuous Controls Monitoring (CCM) on the Information Systems Audit community To perform
More informationAgenda 3/7/2011. 2011 ERM Symposium March 14 16, 2011. Continuous Controls Monitoring. I. Changes In Corporate Environment
2011 ERM Symposium March 14 16, 2011 Continuous Controls Monitoring Futuristic Approach to Enterprise Risk Management Swissotel, Chicago, Chicago IL. Speakers: Syed M. Ali Alan Ash Sr. Audit Manager, Director
More informationWhat Virginia s Free Clinics Need to Know About HIPAA and HITECH
What Virginia s Free Clinics Need to Know About HIPAA and HITECH This document is one in a series of tools and white papers produced by the Virginia Health Care Foundation to help Virginia s free clinics
More informationHealthcare Data Interoperability: What s Required to Establish Meaningful Use
WHITEPAPER Healthcare Data Interoperability: What s Required to Establish Meaningful Use Driving Healthcare Efficiency As the cost of healthcare increases, so does the drive of healthcare organizations
More informationEric Moriak - CISSP, CISM, CGEIT, CISA, CIA Program Manager - IT Audit Children s Medical Center Dallas. Dallas, Texas
Eric Moriak - CISSP, CISM, CGEIT, CISA, CIA Program Manager - IT Audit Children s Medical Center Dallas Dallas, Texas Objectives The purpose of this presentation is to develop a general awareness of DLP/SIEM
More informationLeveraging data analytics and continuous auditing processes for improved audit planning, effectiveness, and efficiency. kpmg.com
Leveraging data analytics and continuous auditing processes for improved audit planning, effectiveness, and efficiency kpmg.com Leveraging data analytics and continuous auditing processes 1 Executive
More informationIntegration for your Health Information System
Integration for your Health Information System Achieve comprehensive healthcare IT integration that leverages your existing IT investments and helps you meet the growing demands of Meaningful Use, HIE,
More informationInpatient EHR. Solution Snapshot. The right choice for your patients, your practitioners, and your bottom line SOLUTIONS DESIGNED TO FIT
Inpatient EHR The right choice for your patients, your practitioners, and your bottom line SOLUTIONS DESIGNED TO FIT Our customers do more than save lives. They re helping their communities to thrive.
More informationFramework for Audit Oversight INTERNATIONAL WORKSHOP ON ACCOUNTABILITY IN SCIENCE AND RESEARCH FUNDING JUNE 2 4, 2011
Framework for Audit Oversight 1 INTERNATIONAL WORKSHOP ON ACCOUNTABILITY IN SCIENCE AND RESEARCH FUNDING JUNE 2 4, 2011 Overview 2 Forensic Audit and Oversight Forensic Techniques Identify Anomalies Framework
More informationFeature. Multiagent Model for System User Access Rights Audit
Feature Christopher A. Moturi is the head of School of Computing and Informatics at the University of Nairobi (Kenya) and has more than 20 years of experience teaching and researching on databases and
More informationFire Department Overtime Audit Report
Audit Report Issued by the May 23, 2006 EXECUTIVE SUMMARY The has concluded its audit of the Overtime Procedures at the City of El Paso s Fire Department. The has identified the Fire Department s Overtime
More informationAGA Kansas City Chapter Data Analytics & Continuous Monitoring
AGA Kansas City Chapter Data Analytics & Continuous Monitoring Agenda Market Overview & Drivers for Change Key challenges that organizations face Data Analytics What is data analytics and how can it help
More informationHow to select a practice management system
How to select a practice management system New challenges and opportunities are impacting your practice today The physician practice environment is changing dramatically. The transition to ICD-10-CM and
More informationInternal Auditing & Controls. Examination phase of the internal audit Module 5. Course Name: Internal Auditing & Controls
Course Name: Internal Auditing & Controls Module: 5 Module Title: Examination phase of the internal audit Lecture and handouts prepared by Chuck Campbell Examination phase of the internal audit Module
More informationA SELECTICA GUIDE ALL THINGS STARK LAW WHAT IS STARK LAW, AND HOW CAN CONTRACT MANAGEMENT SOFTWARE HELP YOU COMPLY?
A SELECTICA GUIDE ALL THINGS STARK LAW WHAT IS STARK LAW, AND HOW CAN CONTRACT MANAGEMENT SOFTWARE HELP YOU COMPLY? 1 A Selectica Guide All things Stark: What is Stark Law, and how can contract management
More informationInformation overload: How to make data analytics work for the internal audit function
Information overload: How to make data analytics work for the internal audit function Danny Miller, Scott Higgins and Michael Rose Contents 1 A value proposition for internal audit 2 Leveraging data analytics
More informationSecurely Yours LLC Top Security Topics for 2013. Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com
Securely Yours LLC Top Security Topics for 2013 Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com Contents Background Top Security Topics What auditors must know? What auditors must do? Next Steps
More informationTom Deas, Jr. MD, MMM. Karen Van Wagner, Ph.D. Executive Director, North Texas Specialty Physicians
Essential Role of Health Information Exchange in Quality Improvement Tom Deas, Jr. MD, MMM Board Member, North Texas Specialty Physicians CMO, Sandlot, LLC Karen Van Wagner, Ph.D. Executive Director, North
More informationMay 2011 Report No. 11-030. An Audit Report on Substance Abuse Program Contract Monitoring at the Department of State Health Services
John Keel, CPA State Auditor An Audit Report on Substance Abuse Program Contract Monitoring at the Department of State Health Services Report No. 11-030 An Audit Report on Substance Abuse Program Contract
More informationCertification and Meaningful Use of Electronic Health Records what. care leaders must know
Certification and Meaningful Use of Electronic Health Records what hospice and home care leaders must know OBJECTIVES Define meaningful use requirements of electronic health records Explain certification
More informationTransformational Data-Driven Solutions for Healthcare
Transformational Data-Driven Solutions for Healthcare Transformational Data-Driven Solutions for Healthcare Today s healthcare providers face increasing pressure to improve operational performance while
More informationDon t Panic! Surviving a Meaningful Use Audit October, 2014
Don t Panic! Surviving a Meaningful Use Audit October, 2014 Angie Falletti, RN, PMP Senior Consultant, Encore, A Quintiles Company DISCLAIMER: The views and opinions expressed in this presentation are
More informationInternal Audit Quality Assessment. Presented To: World Intellectual Property Organization
Internal Audit Quality Assessment Presented To: World Intellectual Property Organization April 2014 Table of Contents List of Acronyms 3 Page Executive Summary Opinion as to Conformance to the Standards,
More informationData Analytics Leveraging Data Visualization and Automation in Audit Real World Examples
Data Analytics Leveraging Data Visualization and Automation in Audit Real World Examples June 3, 2015 Cliff Stephens, CISA Agenda Introductions Technological Advances in Analytics Capitalizing on Analytics
More informationTHE ABC S OF DATA ANALYTICS
THE ABC S OF DATA ANALYTICS ANGEL BUTLER MAY 23, 2013 HOUSTON AREA SCHOOL DISTRICT INTERNAL AUDITORS (HASDIA) AGENDA Data Analytics Overview Data Analytics Examples Compliance Purchasing and Accounts Payable
More informationHIPAA Security. 1 Security 101 for Covered Entities. Security Topics
HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &
More informationInformation & Asset Protection with SIEM and DLP
Information & Asset Protection with SIEM and DLP Keeping the Good Stuff in and the Bad Stuff Out Professional Services: Doug Crich Practice Leader Infrastructure Protection Solutions What s driving the
More informationData & Analytics in Internal Audit. January 13, 2015
Data & Analytics in Internal Audit January 13, 2015 With You Today KPMG Brian Greenberg, Director, Data & Analytics-enabled Internal Audit (National) Sean Mulyanto, Manager IT Advisory (Los Angeles) 1
More informationHow To Do In-House What You Do Best, Outsource The Rest
Do In-house What You Do Best, Outsource the Rest: The Shared Services Model for Release-of-Information (ROI) Processing that Lets Healthcare Organizations Maintain Control, Work Efficiently, and Generate
More informationHIT Audit Workshop. Jeffrey W. Short. jshort@hallrender.com
HIT Audit Workshop Jeffrey W. Short jshort@hallrender.com 1 Audits and Investigations to be Discussed Meaningful Use Audits HIPAA Audits Data Breach Investigations Software Vendor Audits FTC Investigations
More informationPlease feel free to call on our organizations if we can be of assistance in any way on further deliberations, task forces or committees.
17 May 2012 International Internal Audit Standards Board Via e-mail: Lily.Bi@theiia.org Re: Definition of Internal Auditing Ms. Lily Bi, CIA, CISA, CGEIT Director, Standards and Guidance The Institute
More information2/5/2013. Session Objectives. Higher Education Headlines. Getting Started with Data Analytics. Higher Education Headlines.
+ Getting Started with Data Analytics Prepared for the UCOP Auditor s Symposium January 30, 2013 and February 14, 2013 Session Objectives 2 Higher Education Headlines New IIA Guidance Visual Risk IQ s
More informationPreventing Healthcare Fraud through Predictive Modeling. Category: Improving State Operations
Preventing Healthcare Fraud through Predictive Modeling Category: Improving State Operations Commonwealth of Massachusetts Executive Office of Health and Human Services Project initiated: July 2012 Project
More informationDear Honorable Members of the Health information Technology (HIT) Policy Committee:
Office of the National Coordinator for Health Information Technology 200 Independence Avenue, S.W. Suite 729D Washington, D.C. 20201 Attention: HIT Policy Committee Meaningful Use Comments RE: DEFINITION
More informationBest Practices for Protecting Sensitive Data in an Oracle Applications Environment. Presented by: Jeffrey T. Hare, CPA CISA CIA
Best Practices for Protecting Sensitive Data in an Oracle Applications Environment Presented by: Jeffrey T. Hare, CPA CISA CIA Webinar Logistics Hide and unhide the Webinar control panel by clicking on
More informationOne Patient, One Record: How Allina completes an award-winning EHR with enterprise content management
Healthcare Enterprise Spotlight Brochure Allina Hospitals & Clinics One Patient, One Record: How Allina completes an award-winning EHR with enterprise content management More than 20,000 users access content
More informationHCCA Audio Conference 2015 OIG Work Plan Part B Physicians and Non-physician Providers November 20, 2014
HCCA Audio Conference 2015 OIG Work Plan Part B Physicians and Non-physician Providers November 20, 2014 1 OIG Overview Mission To protect the integrity of HHS programs and the health and welfare of the
More informationPresenters. How to Maximize Technology to Improve Care and Reduce Cost 9/17/2015
How to Maximize Technology to Improve Care and Reduce Cost Presenters Justin Miller Director of Synergy Jordan Health services Dallas, TX jmiller@jhsi.com Justine Garcia Director of Software Solutions
More informationS24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma
S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma Governance, Risk, Compliance (GRC) Automation Siamak Razmazma Siamak.razmazma@protiviti.com September 2009 Agenda Introduction to
More informationFinancial Management TRANSACTION CONTROL AND APPROVAL
Financial Management In today s complex, global, and regulated environment, organizations face numerous challenges in trying to meet deadlines, comply with local regulations and multiple reporting requirements,
More informationForensic Audit and Automated Oversight Federal Audit Executive Council September 24, 2009
Forensic Audit and Automated Oversight Federal Audit Executive Council September 24, 2009 Dr. Brett Baker, CPA, CISA Assistant Inspector General for Audit U.S. Department of Commerce OIG Overview Forensic
More informationApplication Testing: Not Just for IT Auditors. Insert Logo Here
Application Testing: Not Just for IT Auditors Huntington Ingalls Industries Who We Are Over a century designing, building, overhauling and repairing ships for the U.S. Navy, the U.S. Coast Guard and world
More informationRISK ADVISORY SERVICES CONSTRUCTION AUDIT SERVICES
RISK ADVISORY SERVICES CONSTRUCTION AUDIT SERVICES AS ECONOMIC AND FINANCIAL CHALLENGES WEIGH ON, ORGANIZATIONS FIND IT INCREASINGLY DIFFICULT TO LOCATE ENOUGH MONETARY SUPPORT TO HELP FACILITATE THE CONSTRUCTION
More informationFraud and Abuse. Current Trends and Enforcement Activities
Fraud and Abuse Current Trends and Enforcement Activities Agenda Background Overview of Key Fraud and Abuse Laws Enforcement Recent Significant Cases and Trends Areas of Focus and Challenges for 2014 Identifying
More informationData Analytics - Current Market Landscape & Trends
www.pwc.com Top Healthcare Risks: How Information Technologies & Controls Can Help Mitigate Organizational Risk ISACA Los Angeles Chapter November 17, 2015 Introductions Jack Flaherty Director Health Industries
More informationAHIA HCCA Auditing & Monitoring Focus Group Defining the Key Roles and Responsibilities Corporate Compliance and Internal Audit.
and Requirement: May be required if the organization must comply with Sarbanes-Oxley. Otherwise, is implemented as an organizational governance/business decision and best practice. Purpose: Provide independent
More informationMicrosoft Confidential
Brock Phillips, CPA, CFE, CCEP Forensic Accounting Sr. Manager Financial Integrity Unit Microsoft Audit Group Lou DeCola, CPA, CIA, CFE Forensic Accounting Sr. Manager Financial Integrity Unit Microsoft
More informationALERT LOGIC FOR HIPAA COMPLIANCE
SOLUTION OVERVIEW: ALERT LOGIC FOR HIPAA COMPLIANCE AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE Alert Logic provides organizations with the most advanced and cost-effective means to secure their healthcare
More informationQi Liu Rutgers Business School ISACA New York 2013
Qi Liu Rutgers Business School ISACA New York 2013 1 What is Audit Analytics The use of data analysis technology in Auditing. Audit analytics is the process of identifying, gathering, validating, analyzing,
More informationOfficial Audit Report Issued July 27, 2015
Official Audit Report Issued July 27, 2015 (MassHealth) Review of Radiology Claims Submitted by Baystate Mary Lane Hospital For the period January 1, 2013 through December 31, 2014 State House Room 230
More informationHillside Medical Office
EHR Case Study Hillside Medical Office Hillside Medical Partners with Pulse to Quickly Achieve Meaningful Use pulseinc.com Pulse Complete EHR 8 board-certified physicians. 40 employees. Over 65 years of
More informationHITRUST CSF Assurance Program
HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview
More informationCA Technologies Healthcare security solutions:
CA Technologies Healthcare security solutions: Protecting your organization, patients, and information agility made possible Healthcare industry imperatives Security, Privacy, and Compliance HITECH/HIPAA
More informationComptroller of Maryland Information Technology Division Annapolis Data Center Operations
Audit Report Comptroller of Maryland Information Technology Division Annapolis Data Center Operations March 2015 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY
More informationInnovative Projects: Big Data Revisited (An ACHE Qualified Education (Cat II), 1.0 Hour CEU)
2015 ACHE-SETC Conference on Healthcare Leadership Innovative Projects: Big Data Revisited (An ACHE Qualified Education (Cat II), 1.0 Hour CEU) Jessie L. Tucker III, Ph.D., FACHE Harris Health Executive
More informationData Management Practices for Intelligent Asset Management in a Public Water Utility
Data Management Practices for Intelligent Asset Management in a Public Water Utility Author: Rod van Buskirk, Ph.D. Introduction Concerned about potential failure of aging infrastructure, water and wastewater
More informationOpen Platform. Clinical Portal. Provider Mobile. Orion Health. Rhapsody Integration Engine. RAD LAB PAYER Rx
Open Platform Provider Mobile Clinical Portal Engage Portal Allegro PRIVACY EMR Connect Amadeus Big Data Engine Data Processing Pipeline PAYER CLINICAL CONSUMER CUSTOM Open APIs EMPI TERMINOLOGY SERVICES
More informationCase Study Success with a. into a Corporate Integrity Agreement (CIA)
Case Study Success with a Corporate Integrity Agreement (CIA) More than 100 affiliated physician practices and healthcare facilities Operations in multiple states More than 2,000 Covered Persons under
More information