The University of Texas MD Anderson Cancer Center Internal Audit Annual Report for FY2015

Transcription

1 Purpose of the Annual Report The purpose of the internal audit annual report is to provide information on the assurance services consulting services, and other activities of the internal audit function. In addition, the annual report assists oversight agencies in their planning and coordination efforts. Table of Contents II. I. Compliance with Texas Government Code, Section : Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit information on Internet Website Compliance with the Benefits Proportionality Audit Requirements for Higher Education Institutions III. Internal Audit Plan for Fiscal Year 2015 IV. Consulting Services and Nonaudit Services Completed V. External Quality Assurance Review (Peer Review) VI. Internal Audit Plan for Fiscal Year 2016 VII. External Audit Services Procured in Fiscal Year 2015 VIII. Reporting Suspected Fraud and Abuse

2 I. Compliance with Texas Government Code, Section : Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit information on Internet Website The Fiscal Year 2016 audit plan, as approved by the Institutional Audit Committee, will be posted on the MD Anderson external website as part of the Fiscal Year 2015 SAO Annual Report. The Fiscal Year 2015 SAO Annual Report, including summaries of reports, will be posted on the MD Anderson external website within 30 days of approval by the President but not later than November 1, 2015, as required. II. Compliance with the Benefits Proportionality Audit Requirements for Higher Education Institutions At the request of the Governor, an internal audit of the proportionality of higher education benefits process was performed during fiscal year A consistent audit methodology has been deployed across the UT System that assessed the reporting process and accuracy of benefits funding information provided to the State Comptroller as applicable under Rider 8, page III-39, the General Appropriations Act (84 th Legislature, Conference Committee Report). An audit of the benefits proportionality process will also be conducted during fiscal year 2016 and will comply with Rider 8, page III-39, the General Appropriations Act (84 th Legislature, Conference Committee Report). The audit will be complete by February 28, III. Internal Audit Plan for Fiscal Year 2015 The following matrix details the status of the Fiscal Year 2015 Audit Plan: Project No. Project Title Report Date Project Status Financial Audits Presidential Housing, Travel, and Entertainment 4/10/2015 Complete Executive Travel and Entertainment 6/24/2015 Complete FY2014 Financial Statement Audit (year-end) Report issued by Deloitte at UT System level Complete FY15 Financial Statement Audit (interim) Report issued by Deloitte at UT System level Complete Physicians Referral Service (PRS) Practice Plan Pending In Progress Segregation of Duties and Account Reconciliations 10/28/2014 Complete Page 2 of 20

3 Project No. Project Title Report Date Project Status Texas Economic Development Agreement Consulting Project Verbal Comments Complete provided to Management Clinical Services Spot Agreements 9/28/2015 Complete Collection of Patient Co-Payments Pending In Progress Travel and Entertainment-Development Office N/A Postponed to FY Construction Services 9/1/2015 Complete Cancer Network Contractual Billing Consulting Project Verbal Comments Complete provided to Management Treasury Services Cash Count 4/8/2015 Complete Operational Audits Physician Credentialing 8/27/2015 Complete Regional Care Centers - Risk Assessment 8/31/2015 Complete Departmental Review - Dermatology 1/16/2015 Complete Departmental Review - Gynecologic Oncology 6/17/2015 Complete Departmental Review - Children's Art Project 5/5/2015 Complete Consulting Projects Anti-Fraud Initiative Consulting Project 1 Verbal Comments st Phase Complete provided to Management General Consultation with Management N/A Complete Institutional Committee Participation N/A Complete Management Involvement on Co-Sourced Construction Projects N/A Complete Electronic Health Record (Epic) Consulting Project Verbal Comments Complete provided to Management ICD-10 7/15/2015 Complete Dining Services Cashier Operations 8/18/2015 Complete Denials Management Post-Implementation Review 11/17/2014 Complete Compliance Reviews Benefits Funding Proportionality 11/25/2014 Complete Conflicts of Interest Management Plan Review N/A Cancelled Dependent Eligibility 4/29/2015 Complete Recharge/Service Centers 8/31/2015 Complete Information Technology Audits Deloitte Financial Audit Support Report issued by Deloitte Complete at UT System level Texas Administrative Code (TAC) 202 Pending In Progress Velos / Click Commerce N/A Cancelled Incident Response 9/14/2015 Complete Tier One Application Review - Radiology Information System (RIS) or 9/1/2015 Tier Two Application Review - Pinnacle Complete Page 3 of 20

4 Project No. Project Title Report Date Project Status Oracle Database Cluster 9/1/2015 Complete Disaster Recovery 9/14/2015 Complete Data Governance 9/11/2015 Complete ICD-10 7/15/2015 Complete Electronic Health Record (Epic) Financial Review Pending In Progress Protection of Research Data 12/4/2014 Complete Box.com 5/1/2015 Complete Other IT Projects - IT Follow-Up N/A Complete - Knowledge Sharing and/or Training Documentation Projects N/A Complete - IT Liaison Activities N/A Complete - IT Risk Assessment FY 16 N/A Complete - Financial and Operational Audit Assistance (IT) N/A Complete - Administrative Activities N/A Complete Follow-Up Audits & Follow-up Audits (Quarterly Reporting and Validation) N/A Complete Projects - Internal Quality Assurance Activities N/A Complete - UT System Coordination N/A Complete - Internal Audit Committee Preparation / Participation N/A Complete - Institutional Risk Assessment and Work Plan Development N/A Complete - Professional Organization / Association Participation N/A Complete - Reserve for Just-In-Time Auditing/Advisory Services Consulting Project Verbal Comments Complete provided to Management - Reserve for Investigations Consulting Project Verbal Comments Complete provided to Management Health Information Management (HIM) Investigation Consulting Project Verbal Comments Complete provided to Management Memo Concerns Consulting Project Verbal Comments Complete provided to Management Non-Federal Clinical Trial Residual Funds 2/25/2015 Complete Division of Internal Medicine 11/12/2014 Complete Charge Capture Diagnostic Imaging Complete Department Review - Head and Neck Surgery 1/30/2015 Complete PACU - Prescription Review 1/16/2015 Complete Audit / Project cancelled Audit / Project added to Plan Page 4 of 20

5 The following matrix provides a summary of the weaknesses and action taken by management for projects on the Fiscal Year 2015 Audit Plan, as required by Texas Government Code, Section : Report No. Report Date /10/2015 Presidential Housing, Travel and Entertainment Expenses /24/15 Audit of Executive Officers Travel and Business Entertainment Expenditures /28/2014 Segregation of Duties and Account Reconciliations Name of Report Recommendations Summary of Action Taken The Chief Business Officer should ensure that review and approval of travel and entertainment expenses for the president and spouse occur and that the approval is documented. Management should ensure prior registration with the Office of State-Federal Relations (OSFR) for trips to Washington, D.C. Management should also monitor to ensure airfare is allocated to departmental accounts in a timely manner. The institution appears to be in compliance with UTS Controls are in place to comply with the approved Monitoring Plan and ensure that appropriate segregation of duties exists /27/2015 Physician Credentialing Internal Audit recommended improvements related to the expiration of physicians credentials and the completeness of the credentialing database. Management agreed to enhance controls in the recommended areas. According to management, the Concur Travel and Expense system has been enhanced to enable the reporting for trips that require OSFR registration. Management plans to review the reports quarterly to determine compliance. In addition, an airfare allocation process has been approved and implementation is expected within the next few months. N/A Management agreed to enhance controls in the recommended areas. Progress: Fully Implemented Substantially Implemented Incomplete/Ongoing Not Implemented UT System Audit conducted this audit, with MD Anderson Internal Audit acting as a liaison. UT System plans to follow up on the recommendation during fiscal year In Progress N/A Incomplete Full Implementation is expected by 5/30/2016.

6 Report No. Report Date /16/15 Departmental Review - Dermatology /17/2015 Departmental Review - Gynecologic Oncology /5/2015 Departmental Review - Children's Art Project Benefits Funding Proportionality Name of Report Recommendations Summary of Action Taken Controls over leave management are in place. We recommended enhanced controls over key financial, administrative, and compliance activities. Controls over asset management and encryption activities are in place. We recommended enhanced controls over key financial, administrative, and compliance activities. We recommended enhanced controls over key financial and administrative activities. Internal Audit recommended that management address the net overpayment to MD Anderson of $134,536. In addition, formal procedures related to the preparation of the APS 011 should be developed Dependent Eligibility Internal Audit recommended that management obtain documentation to support a status change and addition of dependent grandchildren Recharge/Service Centers We recommended that management develop an oversight function to ensure Service Center compliance with Institutional Policy and OMB Circular A-21. Management agreed to enhance controls in the recommended areas. Management agreed to enhance controls in the recommended areas. Management agreed to enhance controls in the recommended areas. Management appropriately addressed the overpayment, and detailed procedures were developed and communicated to all responsible parties. Management agreed to improve documentation processes. A Service Center Oversight Committee will be established. Processes will be developed and implemented to provide oversight and monitoring of Service Center activities. Progress: Fully Implemented Substantially Implemented Incomplete/Ongoing Not Implemented In Progress Incomplete Full Implementation is expected by 3/1/2016. Incomplete Full Implementation is expected by 4/30/2016. Fully Implemented Fully Implemented Incomplete Full Implementation is expected by 8/31/2016. Page 6 of 20

7 Report No. Report Date /25/2015 Non-Federal Clinical Trial Residual Funds /10/2014 Charge Capture Diagnostic Imaging /30/2015 Department Review - Head and Neck Surgery /28/2015 Clinical Services Spot Agreements Name of Report Recommendations Summary of Action Taken We recommended improved processes to ensure non-federal projects are closed out timely, residual funds are returned to the respective sponsors timely, and a tracking system is implemented to monitor the status of closeout requests. We recommended improved process to ensure all charges captured have been billed to the patient. We recommended enhanced controls in the areas of leave management, financial and grant monitoring, system access, procurement cards and clinical research billing. We recommended that management improve processes and controls for: Collecting contracted amounts for medical services Managing accounts receivable balances Ensuring spot agreement data is accurate Obtaining pre-authorization for same day or next day services Management agreed to enhance controls over non-federal clinical trial residual funds. Management agreed to improve the process over charge capture reconciliations to ensure all charges are billed. Management agreed to enhance controls in the recommended areas. Management agreed to enhance controls in the recommended areas. Progress: Fully Implemented Substantially Implemented Incomplete/Ongoing Not Implemented Incomplete/Ongoing Substantially Implemented Incomplete/Ongoing Incomplete Full Implementation is expected by 9/30/2016. Page 7 of 20

8 Report No. Report Date Name of Report Recommendations Summary of Action Taken /14/2015 Incident Response We recommended overall recommendations to ensure the long-term effectiveness of the incident response program. Specifically, we recommended a formal process to update the operating manual, improved documentation of incidents and actions taken, and regular meetings of the post-incident response team /1/2015 Pinnacle We recommended formal policies and procedures be established over the problem and incident management process, along with the implementation of periodic user access reviews /1/2015 Oracle Database Cluster Information is excepted from public disclosure /14/2015 Disaster Recovery Information is excepted from public disclosure /11/2015 Data Governance Information is excepted from public disclosure /4/2014 Protection of Research Data Information is excepted from public disclosure /1/2015 Box.com Information is excepted from public disclosure. Management agreed to enhance controls in the recommended areas. Management agreed to enhance controls in the recommended areas. Information is excepted from public disclosure. Information is excepted from public disclosure. Information is excepted from public disclosure. Information is excepted from public disclosure. Information is excepted from public disclosure. Progress: Fully Implemented Substantially Implemented Incomplete/Ongoing Not Implemented Incomplete Full Implementation is expected by 8/31/2016. Incomplete Full Implementation is expected by 1/1/2016. Information is excepted from public disclosure. Information is excepted from public disclosure. Information is excepted from public disclosure. Information is excepted from public disclosure. Information is excepted from public disclosure. Page 8 of 20

9 IV. Consulting Services and Nonaudit Services Completed Project No. Project Title Report Date Project Objective Texas Economic Development Agreement Consulting Verbal Comments provided to Management To review the reporting methodology and schedules for the annual compliance verification of job creation for the Texas Economic Development Agreement. Services / Observations / Results / Recommendations The methodologies appeared consistent with previous submissions. Nothing came to our attention that would indicate any material misstatements or errors Cancer Network Contractual Billing Construction Services Treasury Services Cash Count Regional Care Centers Risk Assessment Consulting Verbal Comments provided to Management Internal Audit has served as a member of the Cancer Network Partners workgroup, providing consultation throughout the process. 9/1/2015 To identify manual construction processes that could benefit from automated controls. 4/8/2015 The objective was to determine if cashier drawers and vaults contained the appropriate amount of cash. 8/31/2015 To identify key financial, operational, compliance, and contractual risks and related controls within the Regional Care Centers. The deliverable was a risk assessment identifying control gaps and management action plans. Ongoing feedback is provided to the workgroup. While processes appear effective, opportunities exist to enhance efficiencies in Facilities Management and Supply Chain Management. In addition, management should consider ways to enhance the solicitation and contracting process for construction activities by leveraging information technology systems solutions currently available at MD Anderson. An unannounced cash count was performed at the request of management. Insignificant exceptions were found. Management took immediate action to address the issues identified. The results of the control selfassessments identified opportunities to improve controls over resource management, patient care, information technology, and research activities. Management plans to implement controls in these areas by March 1, Page 9 of 20

10 Project No. Project Title Report Date Project Objective Electronic Health Record (Epic) & Consulting Verbal Comments provided to Management To identify and monitor key risks and controls in the Epic application throughout the implementation process, providing feedback to management along the way. ICD-10 7/15/2015 To determine the institution s readiness for the federally mandated conversion to ICD- 10 on October 1, Dining Services Review Memo Concerns Investigation Verbal Comments provided to Management Health Information Management (HIM) Investigation 08/18/2015 The project objective was to review Dining Services use of the econnect software and to review overall cash handling process. Investigation Verbal Comments provided to Management To follow-up on allegations from a hotline call. To follow-up on allegations from a hotline call. Services / Observations / Results / Recommendations Key risks and controls were identified and discussed with management for remediation throughout the implementation of Epic. Internal Audit concluded the institution was on target for the successful implementation of ICD-10. However, we did recommend improved awareness and communication strategies, along with incentives to improve the accuracy of provider documentation. Internal Audit reviewed the cash handling process and recommended improvements to ensure the econnect software is being fully utilized to ensure the efficiency and effectiveness of cash processes. Recommendations were also made to enhance monitoring over cashier processes and ensure cash audits are random and independent. Internal Audit investigated the concerns and presented the results to the Institutional Compliance Department for final resolution. Data analysis was performed, and the results were presented to Institutional Compliance for final resolution Denials Management Post Implementation Review 11/17/2014 The project objective was to validate whether controls surrounding the Denials Management application are working as intended. Internal Audit reviewed the denials management process and recommended improvements to ensure appeal deadlines, standard reports, and key performance metrics are used to measure the success of appeal efforts. Internal Audit recommended that Management continue its strategic efforts in fully implementing a comprehensive denials prevention program, including the efficient use of the system to report key performance metrics. Page 10 of 20

11 Project No. Project Title Report Date Project Objective Division of Internal 11/12/2014 To determine if opportunities Medicine existed to enhance revenue in the supply charge capture process. Services / Observations / Results / Recommendations Insignificant exceptions were found. Management took immediate action to address the issues identified Post-Anesthesia Care Unit (PACU) Prescription Process Review 1/16/2015 To assess the processes and controls related to prescriptions written for postsurgery outpatients. Management improved processes and controls related to blank prescription forms and tracking of patient prescriptions, as validated by Internal Audit. Page 11 of 20

12 V. External Quality Assurance Review (Peer Review) Page 12 of 20

13 VI. Internal Audit Plan for Fiscal Year 2016 The University of Texas MD Anderson Cancer Center Page 13 of 20

14 Page 14 of 20

15 Page 15 of 20

16 Page 16 of 20

17 Page 17 of 20

18 Additional high risks not included in the FY 2016 Work Plan are: Timely patient access to services Updating of patient records Research protocol billing and coding Documentation to support hiring decisions Adherence to institutional badging process Maintenance of DRG-exempt status Business continuity Billing and reimbursement Privacy and Information security regulated activities and work force training Regulated research activities Operational efficiencies Quality and performance metrics Our risk assessment methodology included interviews with and/or questionnaires to over 75 individuals in the institution. Identified risks were organized into institution-wide auditable units. For each identified risk, impact and probability were assessed. Our work plan was developed from the highest risk areas in the institution that are not already being addressed by other mitigation strategies. Page 18 of 20

19 VII. External Audit Services Procured in Fiscal Year 2015 Service Opinion on financial statements of UT MD Anderson Cancer Center Opinion on financial statements of UT MD Anderson Physicians Network Opinion on financial statements of UT MD Anderson Services Corporation Information Technology Internal Audit Co-Sourcing Electronic Health Record Consulting Construction Internal Audit Co-Sourcing Deloitte Deloitte Deloitte PwC PwC Protiviti Provider Page 19 of 20

20 VIII. Reporting Suspected Fraud and Abuse Page 20 of 20