UNIVERSITY OF MISSISSIPPI MEDICAL CENTER. Internal Control Plan

Transcription

1 UNIVERSITY OF MISSISSIPPI MEDICAL CENTER Internal Control Plan December 2012

2 TABLE OF CONTENTS Introduction 3 Control Environment 4 Mission Governance Organizational Structure Strategic Planning Process Compliance Program Personnel Internal Audit Internal Control Officer Financial Statements Vice Chancellor s Statement of Support for Internal Controls Risk Assessment 9 Control Activities 10 Information and Communication 11 Monitoring 13 Appendix 14 2

3 Introduction This is the internal control plan for the University of Mississippi Medical Center (UMMC). This plan is prepared in accordance with the requirements of the State of Mississippi Department of Finance and Administration, Office of Fiscal Management (DFA-OFM). The purpose of this plan is to provide assurance that assets are safeguarded, that applicable statutes, rules and regulations are being followed and that objectives of management are being met. This plan is formatted in accordance with guidelines recommended by the DFA-OFM and therefore is divided into the following five sections: Control environment: This section describes the overall attitude, awareness and actions of management regarding the internal control system and its importance to the institution. This section describes the institution s mission, governance and organizational structure, strategic planning process, compliance program, personnel policies and auditing function. Also included in this section is the Vice Chancellor s statement of support for internal controls. Risk Assessment: This section lists the revenue and expenditure transaction cycles pertinent to the institution s fiscal operations and the approach to assessing risks in these areas. This section also references the most recent risk assessment performed. Control Activities: This section documents the control activities of significant revenue and expenditure transaction cycles. Internal control questionnaires used to document these control activities are also referenced in this section. Information and communication: This section describes the various information and communication activities used to identify, capture and communicate relevant financial and non-financial information in a form and timeframe that enables employees to carry out their responsibilities. Monitoring: This section describes the process for monitoring the functioning of the internal control system, including the procedures for responding to audit findings and recommendations. 3

4 Control Environment The University of Mississippi Medical Center (UMMC) is the health sciences campus of The University of Mississippi. UMMC was created by law in 1950 by the Mississippi Legislature, and opened on July 1, UMMC functions as a separately funded, semi-autonomous unit responsible to the Chancellor of the University of Mississippi and through him, to the Board of Trustees of State Institutions of Higher Learning (IHL Board). The IHL Board governs all state universities in Mississippi. The chief executive officer of UMMC is the Vice Chancellor for Health Affairs. Following is a description of UMMC s internal control environment, including a description of the institution s mission, governance structure, organizational structure, strategic planning process, compliance program, personnel policies and internal audit function. A statement of support of internal controls by the Vice Chancellor for Health Affairs is also included. Mission UMMC s comprehensive mission statement can be found on page two of the UMMC Five-Year Strategic Plan located at: This comprehensive mission statement includes UMMC s vision, mission, operating principles and statement of purpose. Governance Structure The IHL Board maintains legal authority and operating control over UMMC as the academic health sciences campus of the University of Mississippi, as granted by the Mississippi State Constitution of 1890 and the Mississippi Code of 1972, The IHL Board delegates management and control of UMMC to the Institutional Executive Officer (IEO) in accordance with IHL Board Policies and Bylaws section The IEO for UMMC is the Vice Chancellor for Health Affairs. The Vice Chancellor is charged with implementing IHL Board policies and the administration and operation of UMMC and for keeping its expenditures strictly in compliance with the budgetary authorizations of the IHL Board and within the limitations provided therein. 4

5 Organizational Structure UMMC is required by the IHL Board to maintain an organizational chart identifying academic positions down to the department head level, and non-academic positions down to two levels below the Vice Chancellor for Health Affairs. A copy of this organizational chart can be found on the Internal Control Office website: Strategic Planning Process Each year UMMC publishes a Five-Year Strategic Plan that includes its vision, mission, operating principles and statement of purpose. The Plan also includes UMMC s goals, significant external factors that may affect performance and internal management systems utilized to evaluate performance. A copy of the Five Year Strategic Plan can be found on the UMMC website at: Compliance Program UMMC has implemented a compliance program to develop effective internal controls that promote adherence to applicable federal and state laws; program requirements of federal, state, and private health plans; and institutional ethical business policies. The implementation of the compliance program significantly advances the prevention of fraud, waste and mismanagement while furthering UMMC s mission of providing education, research and patient services. The compliance program applies to the entire UMMC work-force, including all UMMC employees, physicians, students, sub-contractors and volunteers. A copy of the UMMC Compliance Plan can be found at: Overall responsibility for implementing and managing the compliance program is delegated by the Vice Chancellor for Health Affairs to the UMMC Compliance Committee. The Compliance Committee includes representatives from all areas of UMMC. The Compliance Committee has delegated limited authority to several sub-committees to carry out compliance activities and has delegated the day-to-day operations to the Office of Integrity and Compliance. Following is a list of the compliance sub-committees covering each of the areas of compliance: Hospital Compliance responsible for overseeing compliance efforts and monitoring the billing processes of the University Hospitals and Clinics. Physician Practice Plan Compliance responsible for physician based compliance activities. This includes internal coding and billing audits of Medicare compliance for all physician based departments. Research Compliance responsible for monitoring research activities to ensure compliance with federal, state and institutional regulations. This includes audits of IRB record keeping, research billing and documentation of investigational drug administration. 5

6 Nursing, HRP, Dental Schools and Graduate Studies Practice Plan Compliance responsible for monitoring and auditing the documentation, coding and billing activities of the Nursing, Dental, Health Related Professions and Graduate schools. Health Insurance Portability and Accountability Act Compliance responsible for conducing audits to ensure information remains confidential. Clinical Documentation Compliance responsible for reviewing, analyzing and seeking clarification of physician medical record documentation to ensure accuracy in coding, decrease risk of fraud and optimize third party reimbursement. Holmes County Compliance extension of the Hospital compliance subcommittee responsible for audits performed to ensure that the Lexington Hospital abides by federal and state regulations and all third party payer requirements. University Rehabilitation Compliance - responsible for auditing clinical documentation on a retrospective bases to ensure medical necessity of inpatient rehabilitation admissions. Also responsible for developing and maintaining accurate measures to evaluate appropriateness of admission and initiate improvement efforts when opportunities are identified. University Services Compliance responsible for the monitoring of Human Resources, Internal Audit, Campus Police, Physical Facilities, Information Services, Property Control, Purchasing, Receiving and Postal Services, and Academic Information Services. The Office of Integrity and Compliance consists of 20 staff members who carry out the day to day compliance activities for the oversight compliance sub-committees above. All new employees are required to receive compliance education and training before they begin their work at UMMC as a part of new employee orientation. A part of this compliance education and training is to introduce the compliance program. In addition, all employees are required to complete annual web-based compliance training offered in October and November of each year. Failure to complete this training by November 30 th results in disciplinary action. Annual compliance training requires employees to review presentations on the following topics and pass a test of knowledge on these topics as a condition of employment: Compliance Code of Conduct HIPPA Information Security Harassment Conflicts of Interest Declaring Conflicts of Interest Annual compliance training also requires each individual to report any conflicts of interest. Personnel 6

7 UMMC maintains a sound internal control environment by hiring qualified, competent individuals; ensuring these individuals are properly trained; ensuring employees know their responsibilities; and providing employees with the authority to perform the tasks they are assigned. UMMC maintains a Faculty and Staff Handbook which can be found on the UMMC website at: This handbook, along with other important policies and standards of conduct are communicated to all new employees during new employee orientation. Hiring of employees It s the policy of UMMC to maintain a safe, healthy, and secure environment for its students, faculty, staff and patients. UMMC attempts to employ only those applicants who are materially free of faulty personal history and behavior through the utilization of background investigations. Accordingly, background investigations are conducted on each prospective employee to include previous employment, education, licensing and certifications, criminal, credit, and personal references. In addition, faculty and residents must successfully complete a drug screen. Employee Performance evaluations Employees are evaluated after the first 90 days of employment and again each year thereafter. Employee Training One of the purposes of employee evaluations is to identify areas where additional training is needed. UMMC allows paid leave for its employees to attend training, conferences, seminars and any other professional development activities deemed necessary to perform their work proficiently. Many departments have in-service training programs to help their employees qualify for better jobs. Internal Audit The Office of Internal Audit reports directly to the IHL Board. The mission statement, statement of objectives, services provided, and policies and procedures of the Office of Internal Audit can be found on the UMMC website at: A listing of internal audit staff and their qualifications are also listed on the webpage. Following is the mission/statement of objectives: The Internal Audit department shall provide objective and professional evaluations of the University of Mississippi Medical Center activities to assist administration in determining that university policies and procedures are followed in accordance with stated objectives as well as determining that UMMC is in compliance with public laws and regulations. The Internal Audit department will assist administration in improving operating efficiency and strengthening internal controls. The department shall evaluate and appraise the organization's system of internal controls to ensure that all information is properly, promptly and accurately processed and that university 7

8 assets are properly safeguarded. The scope of activities shall include reviews of accounting, administrative and operational controls. The internal audit activity shall contribute to the institution's governance process by evaluating the processes through which values and goals are established, the accomplishment of goals is monitored, accountability is ensured, and values are preserved. The Internal Audit department will perform special studies as requested by administration. The department will supplement the work of the State Department of Audit and other external auditors and coordinate efforts with those groups. In carrying out this mission, the Internal Audit department will be given access to all records, personnel, and physical properties relevant to the performance of audits. Any instances in which records, personnel, or physical properties relevant to an audit are not made available will be reported to the Vice Chancellor. In order to fulfill its responsibilities, the Internal Audit department should be independent; therefore, the department will report to the Vice Chancellor. Because objectivity is essential to the audit function, the Internal Audit department's responsibilities are staff and advisory. The department has no authority or responsibility over the activities they audit; these remain with line management. The department will report deficiencies noted during their reviews and follow up with appropriate personnel to ensure that necessary corrective actions are taken. These communications will be to those individuals who can ensure that the results are given due consideration. The Director of Internal Audit will report to the Vice Chancellor any matters of significance that require that level of attention. Internal audits will be performed in accordance with UMMC policies, Standards for the Professional Practice of Internal Auditing as issued by the Institute of Internal Auditors, and sound business practices. Internal Control Officer UMMC has appointed an Internal Control Officer responsible for coordinating UMMC s effort of evaluating internal controls through use of risk assessments. Other functions include reviewing State and independent audit findings and recommendations of internal controls and supporting UMMC departments in the improvement of internal control activities. The Internal Control Officer is not a member of the Office of Internal Audit. The Internal Audit Department is responsible for examining the adequacy and effectiveness of UMMC s internal controls and make recommendations where control improvements are needed. Financial Statements Each year, an independent audit is conducted on the financial statements of the aggregate component units of the State of Mississippi Institutions of Higher Learning System. UMMC is one of those component units. This audit is conducted in accordance with auditing standards generally 8

9 accepted in the United States, and the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States. The IHL Audited Financial Statements includes: Management s Discussion and Analysis (management letter); statement of net assets; statement of revenues, expenses and changes in net assets; and statement of cash flows. Vice Chancellor s Statement of Support for Internal Controls The Vice Chancellor s statement of support for internal controls can be found in Appendix A of this internal control plan. Risk Assessment In accordance with DFA guidance, UMMC performs and annual risk assessment of fiscal transactions cycles pertinent to its operations to determine those areas with the highest risk or most vulnerable to fraud, waste and mismanagement. Following are the transaction cycles that have been identified: Revenue cycles o Tuition and fees o Patient revenue o Auxiliary operations o Sales and services of educational activities o Grants and contracts o Gifts o Investment income Expenditure cycles o Payroll o Purchasing and disbursements o Financial-aid Cost Allocations Human resources Property control Cash and investments management Budget management Debt management Financial reporting Risk ranking factors are applied to each transaction cycle to identify those with the greatest risk. Following are the risk ranking factors prescribed by DFA and the weighting applied to each in assessing risk for each transaction cycle: Materiality (40%) Magnitude of dollars relative to the institution as a whole associated with that type of transaction Impact of Ineffective Operations (20%) Impact of poor quality, untimely service, inaccurate data or other adverse activity 9

10 Sources of Input (10%) the number of different sources inputting data into the area s information system Degree of Automation (10%) the degree to which the area relies on automated processing of information and changes in automated systems. Known problems (10%) Known internal internal control weaknesses such as separation of duties or adverse prior audit findings. Results of Prior Audits (10%) deficiencies and internal control comments included in prior financial and compliance audits. For each transaction cycle a rating from 1 to 5 is assigned to each of the above risk factors where 1 is essentially no risk, 2 is little risk, 3 is average risk, 4 is high risk and 5 is maximum risk. The ratings assigned are then weighted by the percentages shown above to determine an overall measurement of risk for each transaction cycle. A rating of low, average or high risk is assigned to the transaction cycle. These risk assessments are updated on an annual basis. In addition, internal control questionnaires were developed from those provided by the DFA-OFM to further assess areas of greater risk. The results of the initial risk assessment and internal control questionnaires can be found in Appendix B and C of this plan. Control Activities Control activities are policies or procedures implemented to mitigate risk. In accordance with DFA guidance, we focused on significant fiscal processes for assessing control activities. Accordingly, the following transaction cycles were identified and determined to be the most significant and have the highest level of risk for fraud, waste and mismanagement based on the results of the risk assessment performed: Student tuition and fees Patient revenue Grants and contracts Payroll Purchasing and Disbursements Property Control Financial aid Control activities are classified into one of the following eight categories: 10

11 Authorization provide reasonable assurance that all transactions are within the limits set by policy or that exceptions to policy have been granted by the appropriate officials. Review and approval encompass a variety of computer and manual controls that provide reasonable assurance that all accounting information has been correctly captured Reconciliation provide reasonable assurance of the accuracy of financial records through periodic comparison of source documents to data recorded in the accounting system. Physical security over assets provide reasonable assurance that assets are safeguarded and protected from loss or damage due to accident, natural disaster, negligence, or intentional acts of fraud, theft, or abuse. Segregation of duties reduce risk of error and fraud by requiring that more than one person completes a particular fiscal process Education, training and coaching reduce the risk of error and inefficiency in operations by ensuring that personnel have the proper education and training to perform duties effectively. Performance planning and evaluation establish key performance indicators for the agency that may be used to identify unexpected results or unusual trends in data, which could indicate situations that require further investigation and/or corrective action. This includes reviews of actual performance versus budget, forecasts, and prior periods. Control activities are is linked to one of the following five control objectives: Strategic provide reasonable assurance that program goals and objectives are met Operational make the most effective and efficient use of fiscal resources and other assets Reporting provide reasonable assurance of the integrity and reliability of financial reporting Compliance enhance compliance with applicable laws and regulations Stewardship safeguard assets or reduce fraud, waste, and abuse in the use of assets Control activities are documented in Appendix D of this plan. This format for documenting control activities is an adjunct to such documentation as may exist in policies and procedure manuals and other guides. Given the number of transaction cycles, documenting internal control activities in this format for all areas of the institution will be a significant undertaking for the institution and will be accomplished by the internal control office during the course of their normal schedule and will be undertaken with a view toward the overall risks associated with each cycle as identified in the Risk Assessment section of the plan. Future internal control plans will include assessments and control activities of newly documented cycles and updates to previously documented cycles. Information and Communication 11

12 Information and communication is the identification, capture, exchange of information in a form and time frame that enable people to carry out their responsibilities, and are essential to effecting control. Information systems produce reports containing operational, financial, and compliance-related information that management utilized to manage and control the organization. Formal information and communication systems include sophisticated computer technology to staff meetings to provide input and feedback data relative to operations, financial reporting, and compliance objectives. Informal information and communication systems include conversations with customers, suppliers, regulators and employees that provide critical information needed to identify risks and opportunities. Following is a list of information and communication activities employed by UMMC: Information system applications to process transactions for all transaction cycles. See Appendix E for a list of these information system applications. Adequate source documentation to support amounts and items reported Recordkeeping system is established to ensure that accounting records and documentation retained for the time period required by applicable requirements; such as provisions of laws, regulations, contracts or grant agreements applicable to specific programs. Reports provided timely to managers for review and appropriate action. Reconciliations and reviews that ensure accuracy of reports Established internal and external communication channels including but not limited to: o Cabinet meetings o Staff meetings o Compliance meetings o Monthly, quarterly and annual external reporting (e.g., IHL and State Auditor) Employees duties and responsibilities communicated Channels of communication for people to report suspected improprieties established, such as the compliance hot line. This internal control plan is communicated and can be found on the UMMC Internal Control Office website: Financial administration policies and procedures which address internal control issues include the following and can be found on the UMMC Comptroller s website Budget Travel Accounts Payable Financial reporting Grants and contracts Student accounting and cashier operations Financial aid processing Payroll processing booklet Property Control 12

13 Red flags rule Tax reporting Monitoring Monitoring is the process that assesses the quality of internal control performance overtime. Management s role in monitoring the internal control system is critical to its effectiveness. Following are monitoring activities that take place at UMMC: Management review of internal and external reports Audit testing performed by the Office of Internal Audit and the Office of Integrity and Compliance for compliance with Federal, State and IHL System requirements. Management reviews of internal and external audit results and corrective action plans. Follow up on audit findings to determine cause and corrective action necessary Annual risk assessments performed by the internal control officer Management focuses their monitoring activities on high-risk areas. Internal control systems are monitored during the course of internal audits, are routinely subject to assessment by external audit entities, and also in connection with audits performed by institution internal auditors including, but not limited to, the periodic review of transactions or basic sampling techniques to provide a reasonable level of confidence that controls are functioning. In addition, once every year, UMMC s Executive Officer (Vice Chancellor for Health Affairs) and the Chief Financial Officer certify to the Department of Finance and Administration that the institution s internal controls have been evaluated and any material weaknesses have been corrected. Plans to correct weaknesses will also be communicated. 13

14

15 APPENDI B Risk Assessment (Updated December 2012) Risk Ranking Factors and Weighting Impact of Ineffective Sources of Degree of Known Prior Materiality Operations Input Automation Problems Audits Overall Transaction Cycles 40% 20% 10% 10% 10% 10% Risk Revenue Cycles: Student Accounting Average Patient Revenue Average Auxiliary operations Low Sales of educational activities Low Grants and Contracts Average Gifts Low Investment Income Low Disbursement Cycles: Payroll Average Accounts Payable Average Construction payments Low Financial Aid Average Cost Allocations: Service Area allocation Low Indirect cost rates Low Purchasing/Supply Chain Average Property Control High Cash/Investment Management Low Budget Management Low Debt Management Low Financial Reporting Low Low Average High

16 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively 1 - Integrity and Ethical Values 1.1 The Code of Conduct and other policies regarding acceptable business practice, conflicts of interest, and standards of ethical behavior are comprehensive and relevant and address matters of significance. 1.2 Employees understand acceptable and unacceptable behavior as defined by the institution's code of conduct and know what to do when they encounter improper behavior 1.3 Management frequently and clearly communicates the importance of integrity and ethical behavior. 1.4 Management demonstrates a commitment to integrity and ethical behavior by example. 1.5 Employees are generally inclined to do the "right thing" when faced with pressures to cut corners with regard to policies and procedures. 1.6 Management addresses and resolves violations of behavioral and ethical standards consistently, timely and equitably in accordance with the institution's code of conduct. 1.7 Consequences of violating the code of conduct is an effective deterrent to unethical behavior 1.8 Management prohibits exceptions to policies and procedures, except where specific guidance has been provided. 1.9 Performance targets are reasonable and realistic and do not create undue pressure to achieve short-term results. 1.1 Ethics are included in criteria used to evaluate individual performance Institution has adequate fidelity/surety bond coverage for key administrative and accounting personnel UMMC identifies related employees and asserts that no conflict of interest exists. Related employees have job assignment that minimize opportunities for collusion UMMC has a process to identify and prevent significant related-party transactions 2 - Management's Philosophy 2.1 Institution has a written mission, philosophy or code of conduct, or at a minimum, the Vice Chancellor provides a statement that confirms his or her support of internal controls. 2.2 The mission statement clarifies functional goals or objectives and provides insight into management's beliefs, attitudes and operating style. 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A Section 1 - Control Environment Additional Comments UMMC Code of Conduct, Conflict of Interest policy and compliance plan clearly outline what is considered to be ethical behavior and acceptable and unacceptable business practices. UMMC employees are required to complete annual compliance training on-line annually. This includes testing of knowledge on ethics and proper behavior. UMMC provides an environment in which ethical behavior is expected. Expectations for ethical behavior and what is considered ethical behavior is covered in the institution's compliance plan (code of conduct). These are required to be read by all employees upon initial orientation, and continuously on an annual basis. Employees are tested on their knowledge of these principles. Due to the agency's commitment to the Code of Ethics, employee's are generally inclined to do the "right thing". When violations occur, they are referred to the Office of Integrity and Compliance for resolution so that they can be handled in a consistently, timely, and equitable manner. UMMC's workforce is informed that failure to comply with the requirements of the compliance program, which includes the code of conduct (ethics) may result in disciplinary action up to and including termination. This along with UMMC's commitment to its code of conduct is an effective deterrent to unethical behavior. Management seeks enforcement of policies and procedures. Violations are addressed immediately. UMMC addresses current performance objectives in its Five-Year Strategic Plan, which is updated annually. The plan lists performance effectiveness objectives for each major division of the institution (schools and hospital). These are agreed upon between executive administration and the divisions, thus representing reasonable and realistic goals for achievement as perceived by both parties. Ethical behavior is a critical component of an individual, department or division's successful performance. The Principals of UMMC's Code of Conduct are taught to every employee and re-introduced to them through annual compliance training. While "Is the employee ethical?" is not included as a criteria included in the employee annual evaluations, it is understood, it serves as a foundation upon which each of the criteria are measured. Agency is an agency of the State of Mississippi which is afforded protection under the Tort Claims Act. Agency's conflict of interest policy not only covers the employee but also extends to family members. All employees must self certify annually that no conflict of interest exists. Employees are required to report any business relationships with vendors, contractors and other third parties UMMC does business with. Every employee completes a statement to this effect annually during mandatory compliance training and testing. UMMC's mission statement and statement of purpose is included in its Five-Year Strategic Plan. UMMC's Code of Conduct is included in the UMMC Compliance Plan. In addition, UMMC's Executive Officer (Vice Chancellor for Health Affairs) has written a memorandum expressing his support of the importance of internal controls, which is a part of our Internal Control Plan UMMC's Five-Year Strategic Plan, published in August of 2012, includes goals and performance objectives for each of its divisions.

17 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively 2.3 Executive management has provided staff with an understanding and awareness of the benefits of effective internal controls. 2.4 The mission statement mentions safeguarding State's assets and ensuring the proper use of State resources. 2.5 The institution maintains a written personnel policies or standard operating procedures in addition to those published by State Personnel Board (PSB). 3 - Organizational Structure 3.1 The institution's organizational structure is appropriate to carry out its mission and manage its activities 3.2 Management treats each division as an integral part of the institution's overall operations 3.3 The current organizational structure facilitates the flow of information both up and down divisions and across divisions and functions. 3.4 Reporting relationships provide managers with the information appropriate to their responsibility and authority 3.5 Managers have ready access to senior management in addressing significant issues. 3.6 The organizational structure in each division provides adequate supervisory and management oversight 3.7 Management periodically evaluates the organizational structure in light of changes in the scope, nature or extent of operations 3.8 The agency has the appropriate number of people and resources allocated to key functions and activities. 3.9 Employees do not work excessive overtime and do not fulfill the responsibility of more than one employee The assignment of authority and responsibility within the institution is expressed in the form of an organizational chart The university internal auditor reports directly to the board or commission. 4 - Management's Commitment to Professional & Technical Competence 4.1 Job descriptions (and other documents that define key position duties and responsibilities) are current, accurate and understandable. 4.2 There is a mechanism in place to keep the job descriptions current, accurate and understandable. 4.3 Job knowledge/skill requirements realistically match the organization and position's needs. 4.4 Management has the specialized knowledge, experience, and training required to perform their duties and does not rely extensively on technical specialists or outside consultants. 4.5 Employees are properly trained and are capable of performing jobs within each division. 4.6 Employees are committed to excellence in performing their jobs. 4.7 Individual performance targets focus on both the long and short-term and address a broad spectrum of criteria (e.g., quality, productivity, leadership, teamwork and self- 5 - Assignment of Authority and Responsibility 5.1 Management designates who is responsible for committing to financial or contractual obligations through a formal delegation of authority. 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A Additional Comments The need for internal controls over institutional (State) assets is addressed throughout the institution's compliance plan, code of conduct, mission and philosophy. These are communicated during orientation and annually in compliance training and testing. The mission statement does not mention safeguarding state resources, but the Vice Chancellor's affirmation of internal controls includes statements accordingly Institutional policies and procedures are maintained on the institutions policy directory at: my@umc.edu The IHL Board requires UMMC to keep current organizational charts on file with the Board Office. These identify management down to department level. The criticality and purpose of each division is expressed in the UMMC Five-Year Strategic Plan. All departments and programs report up to their division leadership and ultimately to the Vice Chancellor. Evaluating of organizational structure and its effectiveness is an ongoing process from top management down through the department This is determined at the department level, and any inadequate resources are addressed annually by department/division heads. Employees are not required to work overtime. Departmental managers must approve and excessive overtime is monitored UMMC maintains an organizational charge that defines the levels of authority and responsibility down to department heads, as required by the IHL Board. UMMC also maintains a current organizational chart on each of its division (e.g., school and Hospital) The UMMC Internal Auditor reports directly to the IHL Board of Trustees' Office of Internal Audit. Supervisors are responsible for reviewing job descriptions for each of their positions to make sure they are current, accurate and understood by the employee. This is done for new employees and annually during performance evaluations See answer for question #1. Experience and education qualifications of job applicants are screened by human resources as well as the hiring manager to match candidates' skills with positions and department's needs. Consultants are hired to assist management in the performance of functions they or other employees are not skilled or do not have the resources to perform, including but not limited to recruiting of high level management positions and implementation of electronic data Employees are hired based on qualifications for education and experience. Once hired, employees are trained on the job for specific duties and responsibilities. Institution maintains an environment that fosters a relatively high level of moral and a team concept that aids in the commitment to the institution's goals and objectives. Long and short-term goals and performance objectives for each division are written and published in the institution's Five-Year Strategic Plan. Assignment of authority is addressed in the UMMC Policy for Signature Authority, maintained by our Legal Department, which uses this to determine proper authority to obligate UMMC.

18 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively 5.2 Specific limits are established for certain types of transactions and delegations are clearly communicated and understood by employees. 5.3 Job descriptions for personnel include specific references to control related responsibilities 5.4 Management accepts responsibility for information generated and on reported results. 5.5 Managers at all levels Within the institution are appropriately empowered to correct problems and implement improvements. 5.6 The current level of delegation of duties balances empowerment and getting the job done with management involvement and authority levels. 5.7 The university has formed an external audit committee or assigned an audit committee type function within the 5.8 The university governing board approves the minutes of all transactions of major importance. 5.9 Final minutes of institutions meetings are signed by the chairman and secretary. 6 - Human Resource Standards 6.1 Existing personnel policies and procedures facilitate recruiting and developing competent and trustworthy personnel necessary to achieve the agency's objectives. 6.2 New employees are made aware of their responsibilities and management's expectations. 6.3 Supervisory personnel meet periodically with employees to review job performance and discuss opportunities for improvement. 6.4 Performance appraisals adequately address internal control responsibilities and set forth criteria for integrity and ethical behavior. 6.5 Management takes the appropriate remedial action for departures from approved policies and procedures. 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A 6.6 Recruitment and selection process for new employees require investigation of background and references. 6.7 Employees take periodic vacations and their work is performed by other employees. Section 2 - Risk Assessment 7 - Risk Assessment Tools 7.1 Formal or informal mechanisms exist to inform management of events that are considered risks (i.e., events that may adversely affect the achievement of agency-wide or division objectives. 7.2 Management assesses inherent risk for each event or combination of events that represent a risk, consider both likelihood and impact, and develops a risk response. 7.3 Once a risk response is developed for each risk, management considers residual risk. 7.4 Management uses an appropriate blend of quantitative or qualitative techniques across the various divisions/functions such that sufficient consistency exists to assess risk agency- 7.5 The process used to analyze risks is clearly understood and includes estimating the significance or risks and assessing the likelihood of their occurrence. 8 - Risk Response 8.1 The process used to analyze risks is clearly understood and includes determining steps needed to mitigate risks. Additional Comments The IHL Board Policy established certain limits requiring IHL Board approval (e.g., land acquisitions over $100,000 and contracts over $250,000). These and other delegations of authority are addressed in the UMMC Policy for Signature Authority. UMMC has an internal audit staff which reports directly to the institution's governing board (IHL Board). See comments for question no. 2 above. Minutes of the institution's governing board (IHL Board) are signed by appropriate Officers and are published on the IHL Board Office Website. The institution has an existing posting policy which outlines how the department heads work in conjunction with Compensation to ensure the requirements are set before the posting and hiring process begins. This process is indicated during new employee orientation and through the efforts of each supervisor within each department. Evaluations are performed within the first 90 days of employment and annually for employees through the manager/employment section in Lawson. This is up to each department to outline and monitor. These issues are addressed and vetted through established processes in collaboration with management and the respective HR Business Partner and/or our Employee Relations staff. These are performed through established procedures through our background division in HR. Every FTE has access to vacation/personal time off and each department is responsible for the coverage during these absences. UMMC considers the findings of external and internal audits when identifying risks. These are reported to management and are immediately resolved. In addition, an internal process of risk assessment is coordinated by the institution's Internal Control Officer through the use of risk assessments and internal control questionnaires. Identified and documented through risk self-assessments and internal control questionnaires. See comments in 7.2 above See comments in 7.2 above See comments in 7.2 above UMMC considers the findings of external and internal audits when identifying risks. These are reported to management and are immediately resolved. In addition, an internal process of risk assessment is coordinated by the institution's Internal Control Officer through the use of risk assessments and internal control questionnaires.

19 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively Additional Comments 8.2 In determining risk response, management considers the See comments in 8.1 above effects of potential responses on risk likelihood and impact because a response may affect the likelihood and impact 8.3 Management considers the relative costs and benefits of See comments in 8.1 above alternative risk response options 8.4 When considering cost-benefit relationships, management See comments in 8.1 above looks at risks as interrelated and pools the agency's risk reduction and risk sharing responses. 8.5 UMMC's risk response considerations are not limited solely to See comments in 8.1 above reducing identified risks, but also include consideration of new opportunities. 8.6 Once management has selected a response, management See comments in 8.1 above determines whether an implementation plan is needed. 8.7 If an implementation plan is needed, management establishes See comments in 8.1 above the necessary control activities to ensure the risk response is carried out. 8.8 The institution evaluates risk from an institution-wide See comments in 8.1 above 9 - System Risk Assessment Risk assessments are performed and documented regularly and Risk assessments are performed only annually at this time, rather 9.1 whenever systems, facilities or other conditions change. than when systems, facilities or other conditions change. 9.2 Risk assessments consider data sensitivity and integrity. Final risk determinations and managerial approvals are Annual risk assessments and internal control certifications are kept 9.3 documented and kept on file. on file with the ICO. Section 3 - Control Activities 10 - Fiscal Processes 10.1 Appropriate policies and procedures have been developed and These policies have been made available on the UMMC Intranet. implemented for each major fiscal process Appropriate and timely actions are taken on exceptions to policies and procedures Policies and procedures identify how processes are to be performed and monitored and who is responsible for carrying them out Control activities described in policy and procedure manuals are actually applied the way they are intended to be applied and clearly relate to designated risks Management clearly assigns responsibilities for training and monitoring of internal controls Controls are in place to provide reasonable assurance that management decisions are properly carried out Supervisory personnel with appropriate responsibilities, organizational experience, and knowledge of the organization's affairs periodically review and document the functioning and overall effectiveness of controls Appropriate criteria are established to evaluate controls 10.9 Responsibilities have been assigned in a manner that precludes any individual from processing data transactions in their entirety or from maintaining records from transactions in which the individual participated Effective procedures have been established for the routine verification of the accuracy of data when it is entered, processed, generated, distributed, or transferred Individuals have appropriately segregated responsibility for control over assets and data and the processing of transactions Effective contingency plans have been developed and document3ed to deal with service interruptions if they occur Periodic tests of contingency and disaster recovery plans take place to make sure they are current, operational, and effective. 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A Training on and monitoring of internal controls is not assigned to any one employee. Employees are trained on internal controls as a part of their initial on the job training. Internal controls are monitored by accounting supervisors as well as by reports on internal audits. No periodic formal training on internal controls exist. These duties have been assigned to the institution's internal control officer. Internal controls are evaluated as a part of the annual independent audit of the institution as a part of the independent audit on the IHL System. Other than this, an internal control plan describing the assessment of risks and internal controls to medicate those risks is currently under development. Duties and responsibilities have been segregated and access security is in place to prohibit this. document matching of purchase orders, invoices and receiving reports exist to verify accuracy of data and to prohibit clerical errors. See questionnaire on segregation of duties Back up generators and backup and recovery of data plans in place by the institution's physical facilities and the division of information systems. The Division of Information Systems tests back up and recovery of data in information systems.

20 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively Appropriate controls are implemented with the implementation of new information systems Accounting Administration 11.1 Institution has adequate detailed accounting policies and procedures 11.2 Accounting policies and procedures are updated timely 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A Additional Comments Currently designing new electronic data system which will span HR, benefits, grants and contracts, purchasing, supply chain, accounting, payroll, DIS, and others areas. Development includes integrating internal controls. Policies are updated periodically and published on the accounting website accessible to all employees. Updated policies and procedures are sent to the institution's internal control officer for updating and publishing Policies and procedures are made available to appropriate personnel Published on the institutions intranet, available for all employees Principal accounting officer has adequate authority over accounting personnel and records. CFO and Controller has control over these Medical Center encourages employees to obtain certifications CFO, Controller, Assistant Controllers and other accounting in their functional areas. personnel maintain CPA certificates with continuing education paid by the institution. Internal Auditors maintain certifications as well Medical Center encourages employees to attend training Accounting management attends governmental auditing and courses or seminars for continuing education in their accounting continuing education and professional development 12 - Journal Entries 12.1 The preparation and approval of journal entries are segregated Journal entries are prepared and approved by different individuals 12.2 Journal entries are adequately explained and supported Journal entries include description and back-up documentation 12.3 Supporting documentation is reviewed to ensure journal entry is coded correctly Authorized individuals approve and sign all journal entries 12.5 Written journal entry processing procedures are maintained. Various individuals are authorized to approve journal entries 12.6 Cash receipt and disbursement function is segregated from journal e entry function 13 - General Ledger 13.1 Access to g/l and related records is restricted to those who are assigned g/l responsibilities Responsibilities for maintaining g/l and custody of assets are segregated Segregation of Duties 14.1 Incompatible duties have been identified and policies implemented to segregate those duties Access controls have been established to enforce segregation of duties The agency exercises control over personnel activities through the use of formal operating procedures, supervision and 15 - Security Management Program 15.1 The institution has developed a plan that clearly describes the institution-wide security program and policies and procedures that support it Senior management has established a structure to implement and manage the security program throughout the agency, and security responsibilities are clearly defined Effective security related personnel policies have been implemented 15.4 Management monitors the security program's effectiveness and periodically assesses the appropriateness of security and compliance with them If weaknesses in the security program are identified, corrective actions are promptly and effectively implemented and tested, and they are continually monitored Information technology policies and procedures are in accordance with ITS policies, standards and guidelines Access Control There are separation of duties from purchasing, receiving and payment of bills and inspection and tagging of equipment items. Controls are in place to insure separation of duties. The buyer in purchasing places the order, receiving issues a receiving report and A/P processes the payment. In our A/P system (Lawson) the system uses a 3 way match or 4 way match if equipment is involved before payment is released to the vendor. Accounts Payable personnel follow up on all unmatched invoices and orders outstanding. The outstanding purchase order register is delivered via an LBI dashboard report in Lawson to all of the department heads for their review of their access outstanding to systems orders. is controlled centrally and approved by appropriate personnel All personnel activities are processed through and approved by the institutions human resources department. The security program is new at UMMC and some of the responsibilities are still being defined. The security program is new at UMMC and some of the responsibilities are still being defined. The security program is new at UMMC and some of the responsibilities are still being defined. The security service continues to identify security weaknesses and addresses those as they are discovered.