Continuous Auditing and Monitoring Leveraging Your Data for Compliance
A Phyllis Patrick & Associates LLC White Paper
April 2014

Gail Hormats, B.S., M.B.A., C.I.A., C.I.S.A., C.R.M.A., C.A.D.A.

[Cover figure: Automated Continuous Testing and Monitoring; Ad-hoc Testing and Monitoring; Manual Testing and Monitoring]

Executive Summary

Data analysis solutions, including automated continuous auditing and monitoring approaches, can enable information security and privacy compliance. This is a new trend and one that we predict will not only leverage the resources of information security and privacy programs, but will evolve the programs to a higher level of credibility and sustainability through the use of analytic tools and reporting.

In this paper, we will explain how continuous auditing and monitoring (CAM) can provide ongoing assurance for security, privacy, compliance and audit in your organization. We will describe some of the key tools and types of testing that will benefit your organization.

CAM is a process or methodology used to test transactions based upon prescribed criteria, identify anomalies, and provide written assurance via the reporting process simultaneously with or shortly after the review. CAM employs computer aided audit techniques (CAATs) to mine data to check whether an organization's security, privacy, financial, clinical, or other controls are working to ensure regulatory compliance or to prevent fraud, waste, abuse, or errors. The deployment of these tools provides the capability for data to be checked in near real-time and the results shared with those having a need to know.

One of the most common CAAT applications is ACL Analytics (ACL). ACL is a data mining and analytic application developed by ACL Services, Inc. (Vancouver, CN). Coupled with Visual Basic for Applications and Excel, ACL provides a platform for creating routines that can be scheduled to run automatically on a pre-set schedule. These routines can range from simple, such as testing applications for authorized access or dormancy, to complex analytics that verify meaningful use calculations. Other possibilities include routines that allow management to monitor compliance with level of care regulations related to an Electronic Medical Record or to identify possible invoice duplicates before they are paid.

Routines can be designed such that Security, Privacy, Audit or Compliance Departments receive responses from management as a result of automated routines. Routines are designed to be a turnkey solution requiring minimal or no intervention on the part of Security, Privacy, Compliance or Audit staff.

Phyllis A. Patrick & Associates LLC

Table of Contents

What Is Continuous Auditing and Monitoring
Data Analytics
Success Factors
  Management Agreement
  CAAT Tools
  Data Availability
Examples of CAM Routines
Development of a CAM Routine
  Planning
  Developing Data Understanding
  Script and Output Report Development
  Moving to Production
Summary
Appendix A Sources
Appendix B About the Author

What Is Continuous Auditing and Monitoring?

The Institute of Internal Auditors defines Internal Audit as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations... bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." Audit is the application of a methodical process to gathering and analyzing processes to ensure that controls exist to mitigate risk. Audit is generally the responsibility of the Internal Audit Department.

Merriam Webster defines monitor as "to watch, keep track of, or check usually for a special purpose." [1] The Environmental Protection Agency (EPA) defines monitoring as "measurement data or other information for assessing performance against a standard or status with respect to a specific requirement." [2] Thus, monitoring is the routine collection or review of data to ensure that operations are functioning properly. Monitoring is a responsibility of operational management, which generally includes Security, Privacy and Compliance departments.

Merriam-Webster defines continuous as "continuing without stopping: happening or existing without a break or interruption; marked by uninterrupted extension in space, time, or sequence." [1] In an automated, continuous auditing and monitoring (CAM) process, however, continuous can better be defined as done repetitively, on a pre-defined schedule. It is continuous in the sense that, compared to a traditional audit or review which may be done annually or less frequently, CAMs occur routinely on a set schedule.

CAM is used to test transactions based upon prescribed criteria, identify anomalies, and provide written assurance via the reporting process simultaneously with or shortly after the review. CAM has also been defined as the automated and frequent analyses of data through the use of computer assisted audit tools (CAATs) and other audit techniques.

CAM employs CAATs to check whether an organization's data is processed correctly and determines whether internal controls are working to prevent errors and fraud. As noted above, deployment of these tools provides the capability for controls to be checked in near real-time and the results shared with those having a need to know. Use of these tools also allows testing of complete populations, not just sampling. Putting these tools in place provides assurance regarding the integrity of information at given points in time and provides constant checking for issues, errors or fraud. CAM may be used to audit controls or it may be used to strengthen compliance monitoring.

Data Analytics

According to the Institute of Internal Auditors, "Data analysis is the process of identifying, gathering, validating, analyzing, and interpreting various forms of data within an organization to further the purpose and mission..." [3] ISACA indicates that data analytics allow enterprises to make better business decisions and increase competitive advantage. [4] In the security and privacy arena, data analytics can provide assurance that data integrity is maintained and that the data is appropriately protected. Data analytics can also help to ensure that employees are complying with regulations and that the information is properly reported.

Data analysis technologies are computer programs the reviewer or auditor uses to process data of significance in order to improve the effectiveness and efficiency of the review process. When data analysis is being used, the overall objective and scope of a review does not change. Data analytics can also be used to develop controls to ensure that a process is functioning as designed. For example, data analytics can be used to create alerts if employees access patient data outside of job needs, that is, an alert concerning a potential patient privacy breach and/or violation of an organization's Minimum Necessary Policy.

The use of data analytic tools ranges in maturity from ad-hoc to a vigorous continuous (or at least repetitive) monitoring. A capability or maturity model describes process components that are believed to lead to better outputs and better outcomes. A low level of maturity implies a lower probability of success in consistently meeting an objective while a higher level of maturity implies a higher probability of success. [5]

[Figure 1: Audit Analytic Capability Model. Source: ACL Services, LTD.]

The Audit Analytic Capability Model (AACM) in Figure 1 shows the stages of CAM development.

At the basic Data Analysis level (1), analytics are typically ad-hoc and mostly used during a single audit for simple summarizations of data. At the Applied Analytics level (2), analytics are still ad-hoc but more comprehensive, and integrated into the audit process. At the Managed Analytic level (3), analytics are a core part of the audit process. Data analyses may occur near real-time, are maintained in a central repository, and are often scripted. Although an individual generally initiates testing, analysis at this level is repeatable and sustainable.

At the Continuous Auditing level (4), suites of tests are in production and run in an automated, or near automated fashion. Testing is now real-time or near real-time. This increases the ability of Security, Privacy, Compliance, and Audit Departments to more effectively and efficiently identify and share opportunities for improvement (OFI) with management.

The Continuous Monitoring level (5) moves automated analytics away from the Audit Department and into management's responsibility. The analytics at this stage are used by management to continuously or near continuously monitor a process.

Together, continuous auditing and continuous monitoring provide management with continuous assurance that processes (security, privacy, and business controls) are functioning as designed. This assures that fraud, waste, and abuse are likely to be identified and corrected, and that the organization is complying with required laws and regulations.

Success Factors

A number of factors must be in place for a CAM routine to be successfully implemented. The three key factors are management agreement, CAAT tools, and data availability.

Management Agreement

A successful CAM routine requires management agreement. A CAM routine will identify conditions that need a response, e.g., a possible breach will need to be investigated, a user's access may need to be terminated, or revenue may need to be returned to a payer. Additionally, business processes may need to be modified or changed based on the results of the CAM process.

CAAT Tools

Many healthcare organizations use ACL. ACL permits data analysis without changing the original data and while tracking each step in the analysis (maintaining an audit log). ACL has a scripting language that allows the development of programs to facilitate repetitive or near continuous testing. Visual Basic for Applications and the use of a job scheduler extend the ability of ACL to create a completely automated CAM.

Other CAAT tools that can be used include IDEA, a data analytic tool similar to ACL, and Excel or any other spreadsheet application. As data sets become more complex (what is referred to as big data), more elaborate data analytic tools are required. These include, but are not limited to, SAS (Statistical Analysis System), HADOOP (big data strings), and NoSQL (representing different database technologies).

Data Availability

The CAM process relies on obtaining and analyzing data from various sources, including computer applications, spreadsheets, lists, and even Adobe files. Key applications used in many CAM routines are defined in Figure 2 below. Data may be in the form of a stand-alone file, an ODBC connection into the application's database, or a direct link into the application's database.

Figure 2: Common Applications Used in CAM Routines

1. Electronic Medical Record
   Purpose: Contains clinical information, including physician orders. Information can be used for many CAM routines including but not limited to meaningful use validation, PHI mapping, and revenue recovery. Examples include EPIC, Cerner, and Meditech.

2. Data Loss Prevention
   Purpose: Used to detect potential data breach or exfiltration transmissions and prevent them by monitoring, detecting and blocking sensitive data while in-use, in-motion, and at-rest. Can be used in conjunction with PHI mapping and CAM routines to strengthen safeguards and minimize data leakage risks due to workforce error. Examples include Cisco, Symantec, and McAfee.

3. Physician Billing System
   Purpose: Usually includes a combined Provider Patient Registration, Scheduling, Accounts Receivable, and Billing System. An example is IDX.

4. Facility Billing System
   Purpose: Usually is a combined Master Patient Index, Hospital Patient Registration and Accounts Receivable System. Two examples are SMS and Meditech.

5. Reimbursement Results
   Purpose: Contains hospital paid claims data used in billing reviews (i.e. RAC); generally is the 835 reimbursement file data or an application that aggregates this information such as The Advisory Board Company's Revenue Integrity Compass.

6. Badge/Security Identification
   Purpose: Used to assign and track physical access to the organization's property; may or may not be the application that actually prints the badges. An example is Premisys.

7. Time Application
   Purpose: Employee time capture. One of the most commonly used is KRONOS.

8. Enterprise Resource Management System (ERM)
   Purpose: The major financial application(s) used to manage the organization. Generally consists of General Ledger, Asset Management, Purchasing, and Accounts Payable modules. Examples include Lawson, Oracle Financials, and Meditech.

9. HRMIS
   Purpose: Human Resources Information Management System (including employee data, payroll and benefits). Examples include Oracle HRMIS and PeopleSoft.

10. Research or Project
   Purpose: Application(s) that contain research or project related information such as special purpose fund budgets or construction budgets.

Examples of CAM Routines

Following are examples of CAM routines, organized by review focus: Security and Privacy, Compliance, and Audit. This list is a starting point for determining how you can use data analytics and CAM tools to meet auditing and monitoring objectives throughout an organization. Information security and privacy officers, internal auditors, compliance officers, quality officers, safety officers, and other functional areas can leverage the value of these tools and processes to identify potential issues and analyze data in new and creative ways while improving programs and reporting results.

Security and Privacy

- Meaningful Use - Validate meaningful use attestation calculations, determining accuracy of payments and requests for incentive monies from CMS and state Medicaid agencies.
- PHI Mapping - Identify where protected health information (PHI) resides in systems, on devices, in network drives, and other areas. Use information to develop strategies for minimizing data leakage.
- Logical Security Access Testing - Test additions, transfers, and terminations of users. Test dormancy, last login, and unapproved access.
- Business Associate Agreements (BAA) - Assist in developing and testing BAA Inventories and determining high-risk vendors.
- Data Breach - Develop tests and alerts to identify possible data breaches. This is particularly useful to test applications other than the electronic medical record, i.e., interfacing systems that provide lab, radiology, and other diagnostic results.

Compliance

- Revenue Recovery and Protection - Compare group practice and facility billing for missing revenue either by the hospital or physician's group practice (usually organization based) and identify mismatched data that may lead to compliance concerns. These types of CAM routines are particularly effective in areas such as Surgery, Interventional Radiology, Cardiac Catheterization, Electrophysiology Laboratory, and other high-dollar clinical areas.
- Outcomes Reporting - Compare clinician documentation and use electronic health record (EHR) modules to determine potential over-coding, cloning, errors, and other issues related to EHR integrity.
- Level of Care - Compare EHR and patient accounting systems (daily and quarterly) to ensure level of care is billed appropriately. The value is captured by using a quarterly look back comparing the daily accounts to the actual reimbursement received.
- Exclusions - Test personnel inclusion on Federal and State exclusion lists. This routine can be fully automated if employee and physician social security numbers (SSN) are available for comparison to the exclusion lists. If only names and addresses are available, a final manual check must be made by comparing the SSN of the hit to the employee or physician SSN.
- Physician Contracting - Validate that payments to and from physicians do not violate Stark and Anti-Kickback Laws, including lease payment testing.
- 72-hour Rule Testing - Provide assurance that all charges that fall within the 72-hour rule are rolled into a single bill.
- Human Resources (HR) - Test for compliance with labor regulations and an organization's policies including minimum wages and employees paid as vendors.

Audit

- Overtime - Develop tests to ensure excess overtime has not been charged.
- Pension Validation - Test that pension payments have been properly calculated.
- General Ledger - Analyze the trial balance roll-forward and anomalous transactions.
- Accounts Receivable - Test the accounts receivable aging.
- Accounts Payable - Test possible upcoming duplicates and provide a look back to identify any already paid duplicates.
- Vendor Master File (VMF) - Test the VMF data integrity including but not limited to dormant and duplicate vendors and missing data.

Development of a CAM Routine

The continuous audit approach used to develop a CAM routine consists of five major stages:

- Planning
- Understanding process / data
- Developing scripts
- Developing reports
- Implementing routine into production

Each phase is important and plays a key role in continuous auditing and monitoring.

Planning

The planning phase involves developing a general understanding of the process being considered for CAM and identifying potential testing routines. During the planning phase the scope and objectives of the CAM routine are documented. Approximately 5% of the project time is spent in planning.

Developing Data Understanding

In developing data understanding, the CAM developer works with the subject matter experts and Information Systems Departments to identify the specific data needed and to determine how it is stored. During this phase, one or more sample data files are produced, and the automated extraction schedule and storage location are defined. If sensitive data is involved (e.g. protected health information or employee social security numbers), protective measures, such as limited access shared drives, are established. This phase represents about 30% of the project.

Script and Output Report Development

The script and output report development phases are intertwined. During these phases, data analytics are programmed and results validated with subject matter experts. The final format of the output report and any required management response(s) are defined and developed. Together, these two phases comprise about 50% of the project.

Moving to Production

The last phase is the move to production. During this phase, instructions for maintaining the CAM routine are developed and shared with the responsible parties. Also, if required, the developer creates the code needed for ensuring the routine runs on the agreed schedule. This phase encompasses 15% of the project.

Figure 3 shows the process flow of a continuous audit or monitoring project from start to completion depicted by stage.

[Figure 3: Continuous Audit and Monitoring Process Flow. Source: Gail Hormats, C.I.A., C.I.S.A., A.C.D.A. and Feline O'Gorman, C.P.A., A.C.D.A., Case Study: Continuous Audit Recovers Lost Cardiac Catheterization Laboratory Revenue, New Perspectives, Association of Healthcare Internal Auditors, Fall]
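
As an added illustration (not part of the white paper and not ACL script), the Logical Security Access Testing routine listed under Examples of CAM Routines could be scripted in Python as below, covering terminated users with live accounts, dormancy, and accounts with no employee behind them. The extract layouts, column names, 90-day dormancy threshold and all sample records are assumptions constructed for the example.

```python
"""Logical Security Access Testing as a scheduled CAM routine (added example).

All extracts, column names and the dormancy threshold are assumptions
constructed for this illustration; they are not taken from the white paper.
"""
import csv
import io
from datetime import date, datetime
from typing import NamedTuple, Optional

DORMANCY_DAYS = 90  # assumed policy threshold

# Constructed HR extract (additions, transfers and terminations feed this file).
HR_EXTRACT = """employee_id,name,status,termination_date
1001,Ana Ruiz,ACTIVE,
1002,Ben Cole,TERMINATED,2014-02-14
1003,Cy Dunn,ACTIVE,
"""

# Constructed application account extract.
APP_EXTRACT = """user_id,employee_id,enabled,last_login
aruiz,1001,Y,2014-03-28
bcole,1002,Y,2014-03-01
cdunn,1003,Y,2013-11-05
svc_lab,,Y,2014-03-30
xold,1002,N,2014-01-10
"""


class Finding(NamedTuple):
    user_id: str
    rule: str
    detail: str


def load(text: str) -> list:
    """Parse a CSV extract into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(text: str) -> Optional[date]:
    """Return a date for YYYY-MM-DD text, or None for an empty field."""
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def check_access(hr_rows, app_rows, as_of: date, dormancy_days: int = DORMANCY_DAYS):
    """Test every enabled account (the full population, not a sample)."""
    hr = {row["employee_id"]: row for row in hr_rows}
    findings = []
    for acct in app_rows:
        if acct["enabled"].strip().upper() != "Y":
            continue  # disabled accounts cannot be used to log in
        emp = hr.get(acct["employee_id"])
        last = parse_date(acct["last_login"])
        if emp is None:
            # Enabled account that maps to no employee: possible unapproved access.
            findings.append(Finding(acct["user_id"], "NO_HR_MATCH",
                                    "no matching employee record"))
            continue
        term = parse_date(emp["termination_date"])
        if emp["status"] == "TERMINATED" and term is not None and term <= as_of:
            detail = f"employee terminated {term}"
            if last is not None and last > term:
                detail += f"; login after termination on {last}"
            findings.append(Finding(acct["user_id"], "TERMINATED_ACTIVE", detail))
            continue
        if last is None or (as_of - last).days > dormancy_days:
            seen = f"last login {last}" if last else "never logged in"
            findings.append(Finding(acct["user_id"], "DORMANT", seen))
    return findings


def format_report(findings, as_of: date) -> str:
    """Render the exceptions as the output report sent to management."""
    lines = [f"Logical access exceptions as of {as_of}: {len(findings)}"]
    lines += [f"{f.rule:<18}{f.user_id:<10}{f.detail}" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    run_date = date(2014, 3, 31)  # a job scheduler would pass today's date
    results = check_access(load(HR_EXTRACT), load(APP_EXTRACT), run_date)
    print(format_report(results, run_date))
```

The login recorded after the termination date is reported alongside the still-enabled account because it is the case that most needs a management response.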

Summary

This white paper explains automated continuous auditing and monitoring (CAM) and describes how it can be used to facilitate security and privacy compliance, as well as other compliance and audit functions. As noted earlier, there are five stages of maturity in the development of using data analytics for ongoing auditing and monitoring. Together, the two most mature stages provide continuous assurance that processes are functioning as designed. A five-stage process (planning, understanding data, developing scripts, developing output reports, and moving CAMs to production) provides the methodology for developing automated CAM routines.

While CAM routines and CAAT tools have been used in internal and financial functions for many years, use of these tools and techniques to achieve data analytics objectives is new for security, privacy, and related functions such as meaningful use, PHI mapping, data integrity in EHRs and other systems, and vendor risk assessment. We are confident that these tools will provide the key to improving and sustaining security and privacy programs and related functions by providing compliance measures, new reporting capabilities, and an effective adjunct to an organization's risk analysis and risk mitigation programs.

Appendix A Sources

2. Environmental Protection Agency, Technology Transfer Network Clearinghouse for Inventories & Emissions Factors
3. Altus J. Lambrechts, C.I.S.A., C.R.I.S.C., Jacques E. Lourens, C.I.A., C.I.S.A., C.G.E.I.T., CRISC, Peter B. Millar, and Donald E. Sparks, C.I.A., C.I.S.A., The Institute of Internal Auditors Global Technology Audit Guide (GTAG) 16: Data Analysis Technologies, August
4. Generating Value from Big Data Analytics, ISACA
5. IPPF Practice Guide Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements, The Institute of Internal Auditors, July
6. The ACL Audit Analytic Capability Model, ACL
7. Gail Hormats, C.I.A., C.I.S.A., A.C.D.A. and Feline O'Gorman, C.P.A., Case Study: Continuous Audit Recovers Lost Cardiac Catheterization Laboratory Revenue, New Perspectives, Association of Healthcare Internal Auditors, Fall
8. Gerard (Rod) Brennan, Ph.D., Continuous Auditing Comes of Age, ISACA
9. David Coderre, Royal Canadian Mounted Police (RCMP), The Institute of Internal Auditors Global Technology Audit Guide 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment, July
10. Practice Advisory: Continuous Assurance, The Institute of Internal Auditors, June

Appendix B About the Author

Gail Hormats, B.S., M.B.A., C.I.A., C.I.S.A., C.R.M.A., C.A.D.A.

Ms. Hormats served as Project Leader (Audit Services), as Manager of Audit Services, and most recently, as Manager of Audit and Compliance at Baystate Health. In her roles at Baystate Health, she developed and managed the Continuous Audit and Monitoring Program. The program averaged direct recoveries or revenue protection of approximately $7.5 million annually. Prior to working for Baystate Health, Ms. Hormats was the Associate Director of IT Audit for the University of Massachusetts where she introduced Computer Aided Audit Techniques using ACL. Ms. Hormats has held audit positions at Boston Medical Center, John Hancock Financial Services, Boston Children's Hospital and the University of Massachusetts Medical Center.

Ms. Hormats is a member of the Institute of Internal Auditors, the Association of Healthcare Internal Auditors, and ISACA. She has served as the Chair, Technology Committee for the Association of Internal Auditors and program coordinator for ISACA.

Phyllis A. Patrick & Associates LLC partners with Gail Hormats to provide this service. Ms. Hormats is passionate about the use of data and data analytics to foster robust information security and privacy programs, and to identify and reduce risks associated with confidential information: its creation, use, storage, and maintenance.
Inpatient EHR. Solution Snapshot. The right choice for your patients, your practitioners, and your bottom line SOLUTIONS DESIGNED TO FIT
Inpatient EHR The right choice for your patients, your practitioners, and your bottom line SOLUTIONS DESIGNED TO FIT Our customers do more than save lives. They re helping their communities to thrive.
Feature. Multiagent Model for System User Access Rights Audit
Feature Christopher A. Moturi is the head of School of Computing and Informatics at the University of Nairobi (Kenya) and has more than 20 years of experience teaching and researching on databases and
Fire Department Overtime Audit Report
Audit Report Issued by the May 23, 2006 EXECUTIVE SUMMARY The has concluded its audit of the Overtime Procedures at the City of El Paso s Fire Department. The has identified the Fire Department s Overtime
AGA Kansas City Chapter Data Analytics & Continuous Monitoring
AGA Kansas City Chapter Data Analytics & Continuous Monitoring Agenda Market Overview & Drivers for Change Key challenges that organizations face Data Analytics What is data analytics and how can it help
How to select a practice management system
How to select a practice management system New challenges and opportunities are impacting your practice today The physician practice environment is changing dramatically. The transition to ICD-10-CM and
Internal Auditing & Controls. Examination phase of the internal audit Module 5. Course Name: Internal Auditing & Controls
Course Name: Internal Auditing & Controls Module: 5 Module Title: Examination phase of the internal audit Lecture and handouts prepared by Chuck Campbell Examination phase of the internal audit Module
A SELECTICA GUIDE ALL THINGS STARK LAW WHAT IS STARK LAW, AND HOW CAN CONTRACT MANAGEMENT SOFTWARE HELP YOU COMPLY?
A SELECTICA GUIDE ALL THINGS STARK LAW WHAT IS STARK LAW, AND HOW CAN CONTRACT MANAGEMENT SOFTWARE HELP YOU COMPLY? 1 A Selectica Guide All things Stark: What is Stark Law, and how can contract management
Information overload: How to make data analytics work for the internal audit function
Information overload: How to make data analytics work for the internal audit function Danny Miller, Scott Higgins and Michael Rose Contents 1 A value proposition for internal audit 2 Leveraging data analytics
Securely Yours LLC Top Security Topics for 2013. Sajay Rai, CPA, CISSP, CISM [email protected]
Securely Yours LLC Top Security Topics for 2013 Sajay Rai, CPA, CISSP, CISM [email protected] Contents Background Top Security Topics What auditors must know? What auditors must do? Next Steps
Tom Deas, Jr. MD, MMM. Karen Van Wagner, Ph.D. Executive Director, North Texas Specialty Physicians
Essential Role of Health Information Exchange in Quality Improvement Tom Deas, Jr. MD, MMM Board Member, North Texas Specialty Physicians CMO, Sandlot, LLC Karen Van Wagner, Ph.D. Executive Director, North
Transformational Data-Driven Solutions for Healthcare
Transformational Data-Driven Solutions for Healthcare Transformational Data-Driven Solutions for Healthcare Today s healthcare providers face increasing pressure to improve operational performance while
Internal Audit Quality Assessment. Presented To: World Intellectual Property Organization
Internal Audit Quality Assessment Presented To: World Intellectual Property Organization April 2014 Table of Contents List of Acronyms 3 Page Executive Summary Opinion as to Conformance to the Standards,
Data Analytics Leveraging Data Visualization and Automation in Audit Real World Examples
Data Analytics Leveraging Data Visualization and Automation in Audit Real World Examples June 3, 2015 Cliff Stephens, CISA Agenda Introductions Technological Advances in Analytics Capitalizing on Analytics
THE ABC S OF DATA ANALYTICS
THE ABC S OF DATA ANALYTICS ANGEL BUTLER MAY 23, 2013 HOUSTON AREA SCHOOL DISTRICT INTERNAL AUDITORS (HASDIA) AGENDA Data Analytics Overview Data Analytics Examples Compliance Purchasing and Accounts Payable
HIPAA Security. 1 Security 101 for Covered Entities. Security Topics
HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &
Information & Asset Protection with SIEM and DLP
Information & Asset Protection with SIEM and DLP Keeping the Good Stuff in and the Bad Stuff Out Professional Services: Doug Crich Practice Leader Infrastructure Protection Solutions What s driving the
Data & Analytics in Internal Audit. January 13, 2015
Data & Analytics in Internal Audit January 13, 2015 With You Today KPMG Brian Greenberg, Director, Data & Analytics-enabled Internal Audit (National) Sean Mulyanto, Manager IT Advisory (Los Angeles) 1
Preventing Healthcare Fraud through Predictive Modeling. Category: Improving State Operations
Preventing Healthcare Fraud through Predictive Modeling Category: Improving State Operations Commonwealth of Massachusetts Executive Office of Health and Human Services Project initiated: July 2012 Project
Best Practices for Protecting Sensitive Data in an Oracle Applications Environment. Presented by: Jeffrey T. Hare, CPA CISA CIA
Best Practices for Protecting Sensitive Data in an Oracle Applications Environment Presented by: Jeffrey T. Hare, CPA CISA CIA Webinar Logistics Hide and unhide the Webinar control panel by clicking on
Presenters. How to Maximize Technology to Improve Care and Reduce Cost 9/17/2015
How to Maximize Technology to Improve Care and Reduce Cost Presenters Justin Miller Director of Synergy Jordan Health services Dallas, TX [email protected] Justine Garcia Director of Software Solutions
S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma
S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma Governance, Risk, Compliance (GRC) Automation Siamak Razmazma [email protected] September 2009 Agenda Introduction to
Financial Management TRANSACTION CONTROL AND APPROVAL
Financial Management In today s complex, global, and regulated environment, organizations face numerous challenges in trying to meet deadlines, comply with local regulations and multiple reporting requirements,
Forensic Audit and Automated Oversight Federal Audit Executive Council September 24, 2009
Forensic Audit and Automated Oversight Federal Audit Executive Council September 24, 2009 Dr. Brett Baker, CPA, CISA Assistant Inspector General for Audit U.S. Department of Commerce OIG Overview Forensic
Application Testing: Not Just for IT Auditors. Insert Logo Here
Application Testing: Not Just for IT Auditors Huntington Ingalls Industries Who We Are Over a century designing, building, overhauling and repairing ships for the U.S. Navy, the U.S. Coast Guard and world
RISK ADVISORY SERVICES CONSTRUCTION AUDIT SERVICES
RISK ADVISORY SERVICES CONSTRUCTION AUDIT SERVICES AS ECONOMIC AND FINANCIAL CHALLENGES WEIGH ON, ORGANIZATIONS FIND IT INCREASINGLY DIFFICULT TO LOCATE ENOUGH MONETARY SUPPORT TO HELP FACILITATE THE CONSTRUCTION
Fraud and Abuse. Current Trends and Enforcement Activities
Fraud and Abuse Current Trends and Enforcement Activities Agenda Background Overview of Key Fraud and Abuse Laws Enforcement Recent Significant Cases and Trends Areas of Focus and Challenges for 2014 Identifying
AHIA HCCA Auditing & Monitoring Focus Group Defining the Key Roles and Responsibilities Corporate Compliance and Internal Audit.
and Requirement: May be required if the organization must comply with Sarbanes-Oxley. Otherwise, is implemented as an organizational governance/business decision and best practice. Purpose: Provide independent
Microsoft Confidential
Brock Phillips, CPA, CFE, CCEP Forensic Accounting Sr. Manager Financial Integrity Unit Microsoft Audit Group Lou DeCola, CPA, CIA, CFE Forensic Accounting Sr. Manager Financial Integrity Unit Microsoft
ALERT LOGIC FOR HIPAA COMPLIANCE
SOLUTION OVERVIEW: ALERT LOGIC FOR HIPAA COMPLIANCE AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE Alert Logic provides organizations with the most advanced and cost-effective means to secure their healthcare
Qi Liu Rutgers Business School ISACA New York 2013
Qi Liu Rutgers Business School ISACA New York 2013 1 What is Audit Analytics The use of data analysis technology in Auditing. Audit analytics is the process of identifying, gathering, validating, analyzing,
HITRUST CSF Assurance Program
HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview
CA Technologies Healthcare security solutions:
CA Technologies Healthcare security solutions: Protecting your organization, patients, and information agility made possible Healthcare industry imperatives Security, Privacy, and Compliance HITECH/HIPAA
Comptroller of Maryland Information Technology Division Annapolis Data Center Operations
Audit Report Comptroller of Maryland Information Technology Division Annapolis Data Center Operations March 2015 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY
Innovative Projects: Big Data Revisited (An ACHE Qualified Education (Cat II), 1.0 Hour CEU)
2015 ACHE-SETC Conference on Healthcare Leadership Innovative Projects: Big Data Revisited (An ACHE Qualified Education (Cat II), 1.0 Hour CEU) Jessie L. Tucker III, Ph.D., FACHE Harris Health Executive
Data Management Practices for Intelligent Asset Management in a Public Water Utility
Data Management Practices for Intelligent Asset Management in a Public Water Utility Author: Rod van Buskirk, Ph.D. Introduction Concerned about potential failure of aging infrastructure, water and wastewater
Open Platform. Clinical Portal. Provider Mobile. Orion Health. Rhapsody Integration Engine. RAD LAB PAYER Rx
Open Platform Provider Mobile Clinical Portal Engage Portal Allegro PRIVACY EMR Connect Amadeus Big Data Engine Data Processing Pipeline PAYER CLINICAL CONSUMER CUSTOM Open APIs EMPI TERMINOLOGY SERVICES
Case Study Success with a. into a Corporate Integrity Agreement (CIA)
Case Study Success with a Corporate Integrity Agreement (CIA) More than 100 affiliated physician practices and healthcare facilities Operations in multiple states More than 2,000 Covered Persons under
