How to Conduct Fraud & Internal Audit Enterprise Risk Assessments At Your Organization

1 How to Conduct Fraud & Internal Audit Enterprise Risk Assessments At Your Organization September 1, 2009 Bruce Kincaid, MBA, CIA, CISA Danette Eibl, CPA Internal Audit Staff Rockford Health System Rockford, IL Association of Healthcare Internal Auditors 1

2 Internal Audit Disclosure This presentation is provided as information for your consideration as you decide your strategy for assessing and attempting to maintain an internal audit risk assessment and/or fraud assessment for your health care entity. All information contained in this PowerPoint presentation, related handouts and discussion are presented as is for your consideration.

3 Presentation Objectives Understanding of ERM (Enterprise Risk Management) How to conduct an IA (Internal Audit) risk assessment How to conduct a fraud risk assessment using AICPA (American Institute of Certified Public Accountants) guidance and SAS (Statement on Auditing Standards) 99 How to use this session's IA and fraud audit aids

4 Introduction How to undertake an IA or fraud risk assessment depends on: Mission of your organization Business form of your organization Desire of management External pressures, forces and factors IA department size and organizational status

5 Mission of Your Organization Most health care (HC) organizations have a Vision and Mission Statement (V&MS) The V&MS defines or implies your organization's mission to: Provide HC services to a Category of patient Category of treatment Local community Region State - Nation

6 Mission of Your Organization The V&MS defines or implies your organization's mission to: Be in and Stay in the HC business Stay current with technology Provide quality of life for Owners and Employees Generate Profits or Surpluses

7 Mission of Your Organization The V&MS defines or implies your organization's mission to: Be competitive in the HC business Manage business risk Status Quo Essentially, Maintain current risks Grow in the market place, Maintain current risks and Identify and manage new risks.

8 Business Form of Your Organization HC business forms vary Change is in the air: Outpatient services (Physician Practices/Clinics/Surgery Centers/Rehab Facilities) For profit Not for profit Inpatient Services (Hospitals/SNF's/LTCF) For profit Not for profit Not for profit Faith Based Public entity Unique partnerships

9 Desire of Management The desire of management reflects two interests: Governance interest Service for the community's good (Conservative) Service for the shareholder's good (Aggressive) Management's interest Service for the community Grow present HC services and New Venture Growth Service for shareholders Maximize earnings per share New Venture Growth and Eye on the future

10 External Pressures, Forces and Factors (EPF&F's) EPF&F's are a BIG motivator for HC Change (growth - renewal or expansion) Risk management (present operations) and Future risk management (new venture growth) Today's main EPF&F's are: HC system access and cost Obama health care reform

11 External Pressures, Forces and Factors (EPF&F's) Consumerism Quality measures - Pay for Performance Leap Frog - Red Flag Government interference/intervention Declining reimbursement Recovery Audits (RAC/MAC/MIC) Technology Electronic Health Record (EHR) - Cyber Espionage (HIPAA compromise)

12 IA Department Size and Organizational Status Size makes a difference: One to five auditors Six to 15 auditors 15 or more auditors Organizational status makes a difference: Limited independence Part of Finance Reports to CFO Right hand accounting/internal/management controls go-to-person

13 IA Department Size and Organizational Status Independent Operationally reports to Board Via the Audit Committee Administratively reports to The CEO/CFO/Administrator Autonomous Operationally reports to Board Via the Audit Committee Senior Vice President & CAE (Chief Audit Executive) Corporate headquarters audit staff

14 Begin With the End In Mind Before you begin an IA or fraud risk assessment you need to know where your entity is at: Mission of your organization Business form of your organization Desire of management External pressures, forces and factors IA department size and organizational status Will it add value? To whom? Pick audits? Show some IA balance or broad coverage

15 Fraud and IA Risk Assessments Presentation Design One to five auditors: Limited operating budget Everyone is either a nurse or internal auditor > Five auditors: Expanded operating budget Expanded supervision Acquire an ERM IT risk assessment program CCH TeamMate Five auditors - $15K Paisley GRC on Demand for IA Five auditors - $12K

16 Typical < Five Auditor IA Department [Flow diagram, Rockford Health System. Boxes: Board of Directors; Audit Sub Committee (ASC); ASC Charter; IAP Charter; IAP Enterprise Risk Assessment; IAP Fraud Enterprise Risk Assessment; Annual Internal Audit Plan; Internal Audit Staff (2 FTE's with ACL); Information Technology (IT) Audit Staff (2.5 FTE's); Approved Audit; Audit Fieldwork; Identify Harmful Effects; Formulate Findings & Recommendations; Develop IA Report With Auditee; IA Report (Findings, Recommendations, Management Responses); Distribute Final IA Report to Management; Distribute Final IA Report to ASC Members (Electronic PDF File, Secure FTP); Dynamic Monitoring. Inputs: ASC Needs; Management's Needs; Compliance Needs; IT Strategic Plan; System Change & Evolution.]

17 Internal Audit Program 1st Priority Annual Audit Plan Core Concept for Systems Evolution (300+ applications): Internal Audit is to participate up front in the RHS management process and project implementations by ensuring that effective internal controls are engineered into these processes. Internal Audit will participate as a consultant when management is considering significant change and will audit existing processes based on risk and resource concentration.

18 Why Perform An IA Risk Assessment? HC world has changed bed hospital 5,000 employees 78 IT applications Average two IT applications/critical staff bed hospital 3,200 employees 300+ IT applications Average five IT applications/critical staff Average CS time spent using IT applications in 2009 about 70%!

19 Why Perform An IA Risk Assessment (RA)? 1999 versus today: In 1999, 78 IT applications The IA could be safe and responsive Simple pick of A priority audits Today, 300+ IT applications There are few simple picks anymore The IA risk assessment we are training you on today lets you: Identify key processes and risk rank them

20 Why Perform An IA Risk Assessment (RA)? Provides more formal structure to the audit selection process Audit critical risks Match staff ability to audit assignments Provides a risk driven structured approach for you, management and your audit committee It's free, but as your staff grows you may wish to acquire an RA service software application.

21 Enterprise Risk Management (ERM) Enterprise risk management deals with risks and opportunities affecting value creation or preservation, defined as follows: Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Source: Enterprise Risk Management Integrated Framework EXECUTIVE SUMMARY, September 2004, Committee of Sponsoring Organizations of the Treadway Commission (COSO)

22 Enterprise Risk Management (ERM) Key Points to Consider From the IIA as of June 2008 Enterprise Risk Management Enterprise risk management requires an entity to take a portfolio view of risk. Management considers how individual risks interrelate. Management develops a portfolio view from two perspectives: Business unit level Entity level

23 Enterprise Risk Management (ERM) Key Points to Consider From the IIA as of June 2008 Risk Assessment (RA) RA is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed. Allows an entity to understand the extent to which potential events might impact objectives. Assesses risks from two perspectives: Likelihood Impact Is used to assess risks and is also normally used to measure the related objectives.

24 Enterprise Risk Management (ERM) Key Points to Consider From the IIA as of June 2008 Internal Auditors (IA's) IA's play an important role in monitoring ERM, but DO NOT have primary responsibility for implementation or maintenance. IA's assist management and the Board or Audit Committee in the RA/ERM process by: Monitoring Evaluating Examining Reporting Recommending improvements

25 Enterprise Risk Management (ERM) Key Points to Consider From the IIA as of June 2008 IA's can add value by: Implementing a risk-based approach to planning and executing the internal audit process. Ensuring that internal audit's resources are directed at those areas most important to the organization. Challenging the basis of management's risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.

26 Enterprise Risk Management (ERM) Key Points to Consider From the IIA as of June 2008 IIA Standards 2010.A1 The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually A1 Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems A1 When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment Source: Extracted by Anna L. Cuson, CPA, Senior Internal Auditor, Corporate Compliance & Integrity, Self Regional Healthcare, Greenwood, SC while preparing her entity's enterprise risk assessment, 2008

27 Rockford Health Systems (RHS) View of ERM ERM is the process by which an organization identifies and manages business risk within the company. ERM consists of two main components, new ventures and present operations. The RHS IAP RA deals with present operations. The IAP RA was developed with the knowledge and presence of the following specific RHS risk management programs:

28 RHS View of ERM Compliance Program (Legal Compliance/Resource Protection) HIPAA (Health Information Portability and Accountability Act) Compliance Program (Legal Compliance/Resource Protection) IT (Information Technology) Security Program (Asset/Resource Protection) Physical Security Program (Asset/Resource Protection) Facilities Management Program (Planned Preventative Maintenance) Bio-Medical Engineering Program (Planned Preventative Maintenance) Quality Management Program (Healthcare Outcomes) Case Management/Utilization Review (Healthcare Outcomes) Risk Management (Corporate Insurance Program)

29 RHS View of ERM COSO's ERM Risk Appetite. The RHS view: How rich is your appetite? How much do you want to dine on at one time? Components of Risk Management (aka The Risk Menu Choices). Risk can be minimized or managed by the use of: Management or internal controls (controlling risk), Commercial insurance (insurance against loss), or Assumption of risk/self insurance (absorption of loss)

30 RHS IAP Structured Approach If you wish to define your IA program based on a logical assessment of business risk this is the method we offer for consideration today. RHS and Self Regional IA conducted an ERM reference search. Initial Meeting. To conduct an initial IAP risk assessment you need to hold an announcement/organizing meeting. Presentation Item D-4-2 provides you this information You will need to update it to today and For use by your department.

31 RHS IAP Structured Approach Second Meeting. You need to verify that your existing risk management programs are In place Functioning as intended. Presentation Item D-4-3 provides you a starting inventory of programs You will need to update it to today and For use by your department. Your RA Model. You need to define your risk assessment methodology Best done with the assistance of Your CFO and Preapproval of your Audit Committee (at least the Chair)

32 RHS IAP Structured Approach The RA Method. RHS IA searched AuditNet and other available audit libraries to find a model. Not much available Did find an IAP RA method developed by a bank Decided to build on this model Presentation Item D-4-4 is the RHS RA model We will now lead you through a review and discussion of this model so You can understand it and Adapt it for use by your department Presentation Handout One Let's review

33 RHS IAP Structured Approach The model consists of narrative documentation to be followed when populating the RA Excel workbook, Presentation Item D-4-5. The spreadsheet ranks your risks so you can determine High Medium Low risks by Process (Description) for your entity

34 RHS IAP Structured Approach Risk Ranking elements are: Management Control Environment 15%; Organizational Structure/Change/Growth 15%; Financial Exposure 20%; Reporting 15%; Compliance 15%; Fraud Potential 15%; Business Continuity 5%. Presentation Handout One. Please refer to this aid which has been provided to you. Review of risk ranking elements Sample risk assessment

35 RHS IAP Structured Approach Populating the RA Excel workbook Used to report your assessment results The auditor's project steps: Map the workbook to show your organization's Major to minor business units Define key processes and/or descriptions Interview management to Define key processes and/or descriptions Conduct initial RA with management

36 RHS IAP Structured Approach Develop IA and management openness and Joint OWNERSHIP NO SURPRISES Be sensitive You are taking line management to a place they have never been before! Future Years Roll forward the RA process Update during the audit year

37 RHS Initial Fraud Definition Fraud is a power word. Cannot perform an initial IAP RA without defining fraud. Few health care entities have a Working definition Frequently thought to be an accountant's term For the RHS IAP RA Adopted the Federal government's approach Unstopped WASTE leads to ABUSE leads to FRAUD Defined a fraud range >$10K to >$100K

38 How to Conduct an IA Enterprise RA at Your Organization Closing discussion. Defined ERM Discussed the IAP RA process Need and how to do it Empowered you with a working IAP RA model Performed a sample risk assessment Reviewed Presentation Items that you may wish to customize for your use

39 Fraud and IAP Risk Assessments Ten minute break

40 How to Conduct a Fraud Enterprise RA at Your Organization Our external auditors D&T liked the IAP RA model To our surprise they came back the following year and Recommended we conduct a formal fraud assessment Measure and test existing fraud controls Our thinking Looking for a best practice model Easier to comply than rebut Tokenism was a thought! Atta boys for fraud seldom occur Then the economy fell apart Higher risk of fraud!

41 Fraud Enterprise Risk Assessment (FERA) Discuss the FERA for HC entities Purpose Preparation and sample Expand the previous fraud definition Fraud questionnaires Communication with management How to share final product with Management and The Audit Committee

42 FERA and Other Industries Health care entities are highly regulated Numerous HHS voluntary compliance programs Laboratory Physician Practices Hospitals Home Health Agencies Except for banking, government contractors and manufacturing (EPA) most other industries lack formal compliance programs Therefore the Statement on Auditing Standards (SAS) 99, Considerations of Fraud in a Financial Statement Audit has special significance for financial auditors

43 Planning the RHS FERA D&T recommended we conduct the initial FERA as outlined in the Management Antifraud Programs and Controls Guidance to Help and Deter Fraud (aka The Guide) by the Fraud Task Force of the AICPA Auditing Standards Board We reviewed SAS 99 and the guide a 19 page document The guide is located at: We decided to use the guide to lead us to document our FERA results

44 Conducting the FERA During the actual assessment of fraud risk, we evolved to using both Statement on Auditing Standards (SAS) 99, Considerations of Fraud in a Financial Statement Audit and The guide It takes time to gain comfort assessing fraud risk It takes time to conduct the initial FERA 500 IA hours

45 Obtaining AICPA Permission If you decide to use the Management Antifraud Programs and Controls Guidance to Help and Deter Fraud as your FERA road map. Obtain AICPA permission in advance from: Thomas A. Robinson, J.D. Manager, Rights & Permissions AICPA Phone:

46 Expanded Fraud Definition Fraud can range from minor employee theft and unproductive behavior to misappropriation of assets and fraudulent financial reporting. Materiality AICPA's range is low to high dollars. Raising the organization's awareness minimizes fraud.

47 Expanded Fraud Definition Difficult to totally eliminate fraud but can detect over time. Fraud risk can be reduced through a combination of prevention, deterrence, and detection measures. Unstopped WASTE leads to ABUSE leads to FRAUD. An unchecked waste of assets or business resources today will become future fraud.

48 Expanded Fraud Definition Need a line management fraud awareness starting point Management concern should begin when a wasteful practice >$1K is identified Move to correct the poor practice (prevention control) IA becomes immediately concerned with Identified waste, abuse of resources or theft >$10K (control breakdown) Not in business to lose it or give it away!

49 Conducting the FERA Use a two fold approach Survey management Formal fraud assessment questionnaire Tailored to IA's pre assessment knowledge of the manager's position Standard questions and Unique questions Identify, document and assess existing fraud controls Follow the guide Document results

50 Conducting the FERA Following the guide to identify, document and assess existing fraud controls is a Complex assessment process Having the IAP RA helped Having a thorough knowledge of entity processes REALLY helped Extensive interviews of key managers helped Using the guide to document the FERA was Easy and Thorough

51 Conducting the FERA Presentation Item D-4-6 consists of three sample questionnaires Can be used to start building your fraud questionnaire Presentation Handout Two Let's review Preparing Your Fraud Questionnaires Share the definition of fraud Written Verbal Include some standard questions Are you aware of a fraud in your area? How do you think a fraud could occur in your area?

52 Conducting the FERA Prepare individual questions for different people and departments Begin the interview process with senior management As time allows, focus on other management staff Continue annually to include key personnel such as accounting, purchasing, and human resources

53 Conducting the FERA What are fraud controls? Preventative controls Deterrent controls Detective controls Can a control be two types YES What HC programs and systems encompass your fraud controls? Joint Commission - Compliance HIPAA - Human Resources & Finance

54 Conducting the FERA Review Presentation Handout Two Using the guide requires you to document your fraud controls in the following areas CREATING A CULTURE OF HONESTY AND HIGH ETHICS Setting the Tone at the Top IA Assessment - Review of Top Management's Actions Code of conduct Actions show honesty and equality Conflict of interest disclosure process

55 Conducting the FERA Creating a Positive Workplace Environment IA Assessment Evidence of Employment opportunities Reward system for goals met Training programs Career development Compliance Helpline number is visible and publicized

56 Conducting the FERA Hiring and Promoting Appropriate Employees IA Assessment Evidence of Employee background investigations - new hires, changes to a position of trust and volunteers Personal references, education and past employment verified Annual evaluation of compliance with the company's values and code of conduct Contractor formal credentialing procedure

57 Conducting the FERA Training IA Assessment - Evidence that New Employee Orientation/Compliance Training Annual Compliance Training Professional Ethics and Fraud Prevention Standards for Critical Work Groups Confirmation IA Assessment Evidence that Employees abide to follow the: Standards of Conduct; Company Confidentiality

58 Conducting the FERA Discipline IA Assessment Evidence of Fraud investigations Progressive discipline for violators Strengthening of needed controls Reinforcement of company values EVALUATING ANTIFRAUD PROCESSES AND CONTROLS

59 Conducting the FERA Identifying and Measuring Fraud Risks IA Assessment Evidence that The company has a heightened fraud awareness and An appropriate fraud risk management program Mitigating Fraud Risks IA Assessment Evidence of appropriate Separation of duties and Supervisory oversight of key financial and accounting processes

60 Conducting the FERA Implementing and Monitoring Appropriate Internal Controls IA Assessment Evidence that appropriate fraud deterrent controls End of Month Close Process IT Program Change Control IA Program DEVELOPING AN APPROPRIATE OVERSIGHT PROCESS Audit Committee or Board of Directors IA Assessment - Evidence of Active involvement and oversight Audit Committee Charter Member competency

61 Conducting the FERA Management IA Assessment Evidence of Responsibility Annual Management Representation Letter Oversight of senior management business travel Internal Auditors IA Observation Declaration of Adequately funded IA program Independence Properly functioning IA program

62 Conducting the FERA Independent Auditors IA Observation Declaration of Free and open dialog with the Audit Committee Annual fraud inquiry to: Audit Committee; Management Have the Independent Auditors complete a fraud questionnaire for you Certified Fraud Examiners (CFE's) IA Observation Declaration of Have or use CFE's or Fraud consultants, when appropriate

63 Reporting Your FERA Results Presentation Item D-4-7 is a sample FERA report Prepared using the guide Can be used to start writing your FERA results When conducting your FA you will have Findings and recommendations Present and discuss changes with management include Management responses and Completion dates Handle as a regular audit or consulting report Prepare a formal written report First annual FERA report Annual updated FERA report Present written FERA report to the Audit Committee With management responses and actions

64 Fraud Enterprise Risk Assessment (FERA) Discuss the FERA for HC entities Purpose Preparation and sample Expand the previous fraud definition Fraud questionnaires Communication with management How to share final product with Management and The Audit Committee

65 Acknowledgements We wish to express our appreciation to Thomas A. Robinson, J.D., AICPA Adam Burt, Thomson Reuters, GRC On Demand for IA, Sales Staff, CCH TeamMate, For their support to prepare this presentation

66 In Summary We have given you an Understanding of ERM (Enterprise Risk Management) How to conduct an IA (Internal Audit) risk assessment How to conduct a fraud risk assessment using AICPA guidance The Guide and SAS 99 How to use this session's IA and fraud audit items to conduct similar assessments For your organization

67 General Discussion Questions and Answers Contact Information: Bruce Kincaid, MBA, CIA, CISA, Director, Internal Audit, Rockford Health System, Phone: , 5176; Danette Eibl, CPA, Manager, Internal Audit, Rockford Health System, Phone: . Audit Thought: When it's not in the book, you are the Book. Thank you and Have a great day!


More information

BOARD OF EDUCATION OF BALTIMORE COUNTY OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL INTERNAL AUDIT OPERATIONS MANUAL

BOARD OF EDUCATION OF BALTIMORE COUNTY OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL INTERNAL AUDIT OPERATIONS MANUAL BOARD OF EDUCATION OF BALTIMORE COUNTY INTERNAL AUDIT OPERATIONS MANUAL BACKGROUND The Office of Internal Audit Operations Manual was developed to be used as a guide and resource for the Office of Internal

More information

RISK MANAGEMENT POLICY (Revised October 2015)

RISK MANAGEMENT POLICY (Revised October 2015) UNIVERSITY OF LEICESTER RISK MANAGEMENT POLICY (Revised October 2015) 1. This risk management policy ( the policy ) forms part of the University s internal control and corporate governance arrangements.

More information

Internal Audit Charters

Internal Audit Charters Internal Audit Charters Part of a series of notes to help Centers review their own internal management processes from the point of view of managing risks and promoting good governance and value for money,

More information

Agenda Item: 7.6 Prepared by: Mark Majek, Kathy Thomas, Deborah Bell, Tamara Cowen and Jaye Stepp Meeting Date: October 2014

Agenda Item: 7.6 Prepared by: Mark Majek, Kathy Thomas, Deborah Bell, Tamara Cowen and Jaye Stepp Meeting Date: October 2014 Agenda Item: 7.6 Prepared by: Mark Majek, Kathy Thomas, Deborah Bell, Tamara Cowen and Jaye Stepp Meeting Date: October 2014 Summary of Request: The purpose, authority, and responsibility of the internal

More information

VCU HEALTH SYSTEM Compliance Program. Updated August 2015

VCU HEALTH SYSTEM Compliance Program. Updated August 2015 VCU HEALTH SYSTEM Compliance Program Updated August 2015 Table of Contents Section I. Purpose of the Compliance Program... 3 Section II. Elements of an Effective Compliance Program... 3 A. Written Policies

More information

Using Strategic Risk Management to Gain Assurance and Communicate More Effectively

Using Strategic Risk Management to Gain Assurance and Communicate More Effectively Using Strategic Risk Management to Gain Assurance and Communicate More Effectively Julie Englund Board Member, Treasurer and Finance Committee Chair Wilson College Raina Rose Tagle, CPA, CISA, CIA National

More information

Administrative Policy and Procedure Manual. Code of Conduct Effective Date: 1/2005 Scope: Organizationwide Page 1 of 9

Administrative Policy and Procedure Manual. Code of Conduct Effective Date: 1/2005 Scope: Organizationwide Page 1 of 9 Scope: Organizationwide Page 1 of 9 I. Purpose The purpose of this policy is to provide direction to staff members to assist in carrying out daily activities within appropriate ethical and legal standards.

More information

2012 Audit Plan. Finance, Audit and Facilities Committee Board of Regents. November 2011 ATTACHMENT

2012 Audit Plan. Finance, Audit and Facilities Committee Board of Regents. November 2011 ATTACHMENT 2012 Audit Plan Finance, Audit and Facilities Committee Board of Regents November 2011 ATTACHMENT Table of Contents Executive Summary...1 2012 Audit Plan...2 Analysis of Coverage of University Auditable

More information

MANDARIN ORIENTAL HOTEL GROUP REPORT SUMMARY

MANDARIN ORIENTAL HOTEL GROUP REPORT SUMMARY MANDARIN ORIENTAL HOTEL GROUP REPORT SUMMARY THE COMPANY Established in Hong Kong in 1963. Mandarin Oriental Hotel Group is an international hotel investment and management group operating ten hotels in

More information

July 6, 2015. Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263

July 6, 2015. Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263 July 6, 2015 Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263 Re: Security Over Electronic Protected Health Information Report 2014-S-67

More information

FRAUD RISK & INTERNAL AUDIT

FRAUD RISK & INTERNAL AUDIT FRAUD RISK & INTERNAL AUDIT ACFE & November 12, 2014 Mark P. Ruppert, CPA, CIA, CISA, CHFP, CHC, ACS, Director, Internal Audit Fraud Defined Fraud Risk Why Care / Why Assess Fraud Risk? What is Fraud Risk?

More information

PRACTICE ADVISORIES FOR INTERNAL AUDIT

PRACTICE ADVISORIES FOR INTERNAL AUDIT Société Française de Réalisation, d'etudes et de Conseil Economics and Public Management Department PRACTICE ADVISORIES FOR INTERNAL AUDIT Tehnical Assistance to the Ministry of Finance for Development

More information

Quality Assurance Checklist

Quality Assurance Checklist Internal Audit Foundations Standards 1000, 1010, 1100, 1110, 1111, 1120, 1130, 1300, 1310, 1320, 1321, 1322, 2000, 2040 There is an Internal Audit Charter in place Internal Audit Charter is in place The

More information

Practice guide. quality assurance and IMProVeMeNt PrograM

Practice guide. quality assurance and IMProVeMeNt PrograM Practice guide quality assurance and IMProVeMeNt PrograM MarCh 2012 Table of Contents Executive Summary... 1 Introduction... 2 What is Quality?... 2 Quality in Internal Audit... 2 Conformance or Compliance?...

More information

Enterprise Risk Management

Enterprise Risk Management Cayman Islands Society of Professional Accountants Enterprise Risk Management March 19, 2015 Dr. Sandra B. Richtermeyer, CPA, CMA What is Risk Management? Risk management is a process, effected by an entity's

More information

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard Information Systems Audit and Controls Association Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard February 4, 2014 Tom Haberman, Principal, Deloitte & Touche LLP Reema Singh,

More information

GAO DEFENSE CONTRACT AUDITS. Actions Needed to Improve DCAA's Access to and Use of Defense Company Internal Audit Reports

GAO DEFENSE CONTRACT AUDITS. Actions Needed to Improve DCAA's Access to and Use of Defense Company Internal Audit Reports GAO United States Government Accountability Office Report to the Committee on Armed Services, U.S. Senate December 2011 DEFENSE CONTRACT AUDITS Actions Needed to Improve DCAA's Access to and Use of Defense

More information

The 2012 Healthcare Internal Auditing

The 2012 Healthcare Internal Auditing Feature 2012 Healthcare Internal Auditing Survey Conducted by the Association of Healthcare Internal Auditors, Inc. and the Louisiana State University Center for Internal Auditing By Lydia Lafleur, CIA,

More information

THE BOARD S ROLE AND RESPONSIBILITIES OVER THE CONTROL ENVIRONMENT. Session 4

THE BOARD S ROLE AND RESPONSIBILITIES OVER THE CONTROL ENVIRONMENT. Session 4 THE BOARD S ROLE AND RESPONSIBILITIES OVER THE CONTROL ENVIRONMENT Session 4 Road Map of Presentation Review of the key responsibilities of the Board - the direct links to the IC System & IA function Analyze

More information

Practical and ethical considerations on the use of cloud computing in accounting

Practical and ethical considerations on the use of cloud computing in accounting Practical and ethical considerations on the use of cloud computing in accounting ABSTRACT Katherine Kinkela Iona College Cloud Computing promises cost cutting efficiencies to businesses and specifically

More information

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK ROCKHAMPTON REGIONAL COUNCIL ENTERPRISE RISK MANAGEMENT FRAMEWORK 2013 Adopted 25 June 2013 Reviewed: October 2015 TABLE OF CONTENTS 1. Introduction... 3 1.1 Council s Mission... 3 1.2 Council s Values...

More information

KEYS TO AN EFFECTIVE DIRECTOR CORPORATE COMPLIANCE AND INTERNAL AUDIT MULTICARE HEALTH SYSTEM TACOMA, WA

KEYS TO AN EFFECTIVE DIRECTOR CORPORATE COMPLIANCE AND INTERNAL AUDIT MULTICARE HEALTH SYSTEM TACOMA, WA KEYS TO AN EFFECTIVE ANTI-FRAUD PROGRAM WAYNE PURVES DIRECTOR CORPORATE COMPLIANCE AND INTERNAL AUDIT MULTICARE HEALTH SYSTEM TACOMA, WA AHIA 32 nd Annual Conference August 25-28, 2013 Chicago, Illinois

More information

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA Volume 3, July 2014 Come join the discussion! Alberto León Lozano will respond to questions in the discussion area of the COBIT 5 Use It Effectively topic beginning 21 July 2014. Mapping COBIT 5 with IT

More information

Proactive Fraud Detection with Data Mining Fear not the computer You play ball with it and it will play ball with you

Proactive Fraud Detection with Data Mining Fear not the computer You play ball with it and it will play ball with you 3/27/2012 Proactive Fraud Detection with Data Mining Fear not the computer You play ball with it and it will play ball with you Executive Summary The time to test fraud controls is before you have a fraud

More information

Internal Controls over Financial Reporting. Integrating in Business Processes & Key Lessons learned

Internal Controls over Financial Reporting. Integrating in Business Processes & Key Lessons learned Internal Controls over Financial Reporting Integrating in Business Processes & Key Lessons learned Introduction Stephen McIntyre, CA, CPA (Illinois) Senior Manager at Ernst & Young in the Risk Advisory

More information

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE March 2012 Table of Contents Executive Summary... 1 Introduction... 1 Risk Management and Assurance (Assurance Services)... 1 Assurance Framework...

More information

2012-2013 MEDICARE COMPLIANCE TRAINING EMPLOYEES & FDR S. 2012 Revised

2012-2013 MEDICARE COMPLIANCE TRAINING EMPLOYEES & FDR S. 2012 Revised 2012-2013 MEDICARE COMPLIANCE TRAINING EMPLOYEES & FDR S 2012 Revised 1 Introduction CMS Requirements As of January 1, 2011, Federal Regulations require that Medicare Advantage Organizations (MAOs) and

More information

ACCA P1 Internal Control. incorporated into Combined code, it was last revised in 2005 and still present as a standalone document.

ACCA P1 Internal Control. incorporated into Combined code, it was last revised in 2005 and still present as a standalone document. Internal Control ACCA P1 Internal Control Turnbull Report 1999 provided guidance for creating strong internal control system and later incorporated into Combined code, it was last revised in 2005 and still

More information

Internal Audit Manual

Internal Audit Manual Internal Audit Manual Version 1.0 AUDIT AND EVALUATION SECTOR AUDIT AND ASSURANCE SERVICES BRANCH INDIAN AND NORTHERN AFFAIRS CANADA April 25, 2008 #933907 Acknowledgements The Institute of Internal Auditors

More information

CCQC Compliance Training

CCQC Compliance Training CCQC Compliance Training Compliance Officers Community of Practice MTA, Inc 1 Provider Actions Develop your compliance program s action plan for this year using the OIG Workplan. Determine the effectiveness

More information

Larry Laine, Deputy Land Commissioner and Chief Clerk. Annual Report on the Internal Audit Quality Assurance and Improvement Program

Larry Laine, Deputy Land Commissioner and Chief Clerk. Annual Report on the Internal Audit Quality Assurance and Improvement Program DATE: TO: FROM: SUBJECT: Larry Laine, Deputy Land Commissioner and Chief Clerk Tracey Hall, Deputy Commissioner of Internal Audit Annual Report on the Internal Audit The following report is presented in

More information

LEVERAGING COSO ACROSS THE THREE LINES OF DEFENSE

LEVERAGING COSO ACROSS THE THREE LINES OF DEFENSE Committee of Sponsoring Organizations of the Treadway Commission Governance and Internal Control LEVERAGING COSO ACROSS THE THREE LINES OF DEFENSE By The Institute of Internal Auditors Douglas J. Anderson

More information

Matthew E. Breecher Breecher & Company PC November 12, 2008

Matthew E. Breecher Breecher & Company PC November 12, 2008 Applying COSO s Enterprise Risk Management Integrated Framework Matthew E. Breecher Breecher & Company PC November 12, 2008 The basic outline for this presentation was provided by: Objectives for the session:

More information

Office of the Chief Information Officer

Office of the Chief Information Officer Office of the Chief Information Officer Business Plan: 2012 2015 Department / Ministère: Executive Council Date: November 15, 2012 1 P a g e This Page Left Intentionally Blank 2 P a g e Contents The Business

More information

Enterprise Risk Management, Compliance, Management Advisory Services: An Integrated Approach

Enterprise Risk Management, Compliance, Management Advisory Services: An Integrated Approach Enterprise Risk Management, Compliance, and Management Advisory Services: An Integrated Approach SCCE s Higher Education Compliance Conference June 13, 2011 Objectives Implementing Enterprise Risk Management

More information

AN OVERVIEW OF THE ANNUAL RISK ASSESSMENT AND AUDIT PLAN PROCESS. June 27, 2012. What s your first thought when you hear the words: RISK ASSESSMENT?

AN OVERVIEW OF THE ANNUAL RISK ASSESSMENT AND AUDIT PLAN PROCESS. June 27, 2012. What s your first thought when you hear the words: RISK ASSESSMENT? AN OVERVIEW OF THE ANNUAL RISK ASSESSMENT AND AUDIT PLAN PROCESS. June 27, 2012 What s your first thought when you hear the words: Who cares. RISK ASSESSMENT? OMG, they asked me to do this and I don t

More information

How quality assurance reviews can strengthen the strategic value of internal auditing*

How quality assurance reviews can strengthen the strategic value of internal auditing* How quality assurance reviews can strengthen the strategic value of internal auditing* PwC Advisory Internal Audit Table of Contents Situation Pg. 02 In response to an increased focus on effective governance,

More information

Internal Controls and Risk Management Report

Internal Controls and Risk Management Report 42 Internal Controls and Risk Management Report Responsibility Our Board of Directors has the overall responsibility to ensure that sound and effective internal controls are maintained, while management

More information

Practical Experience Requirements Initial Professional Development for Professional Accountants

Practical Experience Requirements Initial Professional Development for Professional Accountants International Accounting Education Standards Board AGENDA ITEM 2-3 Revised Draft of IEPS(Clean Version) Proposed International Education Practice Statement Practical Experience Requirements Initial Professional

More information

POLICY SUBJECT: EFFECTIVE DATE: 5/31/2013. To be reviewed at least annually by the Ethics & Compliance Committee COMPLIANCE PLAN OVERVIEW

POLICY SUBJECT: EFFECTIVE DATE: 5/31/2013. To be reviewed at least annually by the Ethics & Compliance Committee COMPLIANCE PLAN OVERVIEW Compliance Policy Number 1 POLICY SUBJECT: EFFECTIVE DATE: 5/31/2013 Compliance Plan To be reviewed at least annually by the Ethics & Compliance Committee COMPLIANCE PLAN OVERVIEW Sound Inpatient Physicians,

More information

Effective Internal Audit in the Financial Services Sector

Effective Internal Audit in the Financial Services Sector Effective Internal Audit in the Financial Services Sector Recommendations from the Committee on Internal Audit Guidance for Financial Services: How They Relate to the Global Institute of Internal Auditors

More information

APEC General Elements of Effective Voluntary Corporate Compliance Programs

APEC General Elements of Effective Voluntary Corporate Compliance Programs 2014/CSOM/041 Agenda Item: 3 APEC General Elements of Effective Voluntary Corporate Compliance Programs Purpose: Consideration Submitted by: United States Concluding Senior Officials Meeting Beijing, China

More information

Standards for the Professional Practice of Internal Auditing

Standards for the Professional Practice of Internal Auditing Standards for the Professional Practice of Internal Auditing THE INSTITUTE OF INTERNAL AUDITORS 247 Maitland Avenue Altamonte Springs, Florida 32701-4201 Copyright c 2001 by The Institute of Internal Auditors,

More information

Office of Internal Audit Status Report BOARD OF TRUSTEES

Office of Internal Audit Status Report BOARD OF TRUSTEES Office of Internal Audit Status Report BOARD OF TRUSTEES February 5, 2010 Office of Internal Audit Date: January 13, 2010 To: From: Subject: Board of Trustees and Finance and Audit Committee Allen Vann,

More information

Fraud Risk Management Program Review

Fraud Risk Management Program Review Office of the Chief Internal Auditor Fraud Risk Management Program Review South Carolina Department of Transportation s Implementation of a Fraud Risk Management Program CIA-FIN 09-001 December 3, 2009

More information

Enterprise Risk Management Best Practices. From Assessment to Ongoing Compliance. Wiley Corporate F&A

Enterprise Risk Management Best Practices. From Assessment to Ongoing Compliance. Wiley Corporate F&A Brochure More information from http://www.researchandmarkets.com/reports/2243175/ Enterprise Risk Management Best Practices. From Assessment to Ongoing Compliance. Wiley Corporate F&A Description: High-level

More information

CONTINUOUS AUDITING: A STRATEGIC APPROACH TO IMPLEMENTATION. A CaseWare IDEA Research Report

CONTINUOUS AUDITING: A STRATEGIC APPROACH TO IMPLEMENTATION. A CaseWare IDEA Research Report CONTINUOUS AUDITING: A STRATEGIC APPROACH TO IMPLEMENTATION A CaseWare IDEA Research Report CaseWare IDEA Inc. is a privately held software development and marketing company, with offices in Toronto and

More information

Approved by the Audit and Compliance Committee of the Providence Health & Services Board of Directors

Approved by the Audit and Compliance Committee of the Providence Health & Services Board of Directors Integrity and Compliance Description Approved by the Audit Committee of the Providence Health & Services Board of Directors December 7, 2009 Contents: Introduction Page 1 Purpose Page 2 Compliance Administration

More information

Roles and Responsibilities Corporate Compliance and Internal Audit

Roles and Responsibilities Corporate Compliance and Internal Audit Roles and Responsibilities and By Mark P. Ruppert, CPA, CIA, CISA, CHFP The focus group of Health Care Compliance Association (HCCA) and Association of Healthcare ors (AHIA) members continues to explore

More information

Developing an Effective Enterprise Risk Management Program

Developing an Effective Enterprise Risk Management Program Developing an Effective Enterprise Risk Management Program Jay Brietz, CPA and CIA Senior Manager This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

STANDARDS PROGRAM For Canada s Charities & Nonprofits

STANDARDS PROGRAM For Canada s Charities & Nonprofits STANDARDS PROGRAM For Canada s Charities & Nonprofits Revised October 2014 Lions Foundation of Canada Dog Guides SickKids Foundation World Vision Enhancing governance and effectiveness Founding and presenting

More information

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) Introduction to the International Standards Internal auditing is conducted in diverse legal and cultural environments;

More information

Audit Committee Charter Altria Group, Inc. In the furtherance of this purpose, the Committee shall have the following authority and responsibilities:

Audit Committee Charter Altria Group, Inc. In the furtherance of this purpose, the Committee shall have the following authority and responsibilities: Audit Committee Charter Altria Group, Inc. Membership The Audit Committee (the Committee ) of the Board of Directors (the Board ) of Altria Group, Inc. (the Company ) shall consist of at least three directors

More information

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) Revised: October 2012 i Table of contents Attribute Standards... 3 1000 Purpose, Authority, and Responsibility...

More information

Sample Financial institution Risk Management Policy 2011

Sample Financial institution Risk Management Policy 2011 Sample Financial institution Risk Management Policy 2011 1 Contents Risk Management Program...2 Internal Control and Risk Management Diagram... 2 General Control Environment... 2 Specific Internal Control

More information

Internal Audit and Advisory Services DRAFT

Internal Audit and Advisory Services DRAFT Internal Audit and Advisory Services DRAFT PAGE(S) Message from the Internal Audit and Advisory Services...1-2 Internal Audit and Advisory Services Plan...3-5 Objectives...6-7 Risk Assessment Process...8

More information

RISK BASED INTERNAL AUDIT

RISK BASED INTERNAL AUDIT RISK BASED INTERNAL AUDIT COURSE OBJECTIVE The objective of this course is to clarify the principles of Internal Audit along with the Audit process and arm internal auditors with a good knowledge of risk

More information

Why Every Lawyer Should Understand the Importance of Enterprise Risk Management

Why Every Lawyer Should Understand the Importance of Enterprise Risk Management Why Every Lawyer Should Understand the Importance of Enterprise Risk Management 1 November 20, 2012 EILEEN GARCZYNSKI, ESQ. DAVID I. GREENBERG, ESQ. What is Risk? 2 Risk is the uncertainty caused by the

More information

Control Environment Questionnaire

Control Environment Questionnaire Control Environment Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks INTEGRITY AND ETHICAL VALUES Management must convey the message that integrity and ethical values cannot be

More information

A Risk-Based Audit Strategy November 2006 Internal Audit Department

A Risk-Based Audit Strategy November 2006 Internal Audit Department Mental Health Mental Retardation Authority of Harris County ENTERPRISE RISK MANAGEMENT A Framework For Assessing, Evaluating And Measuring Our Agency s Risk A Risk-Based Audit Strategy November 2006 Internal

More information

Comptroller of Public Accounts Effectiveness of Internal Engagement May 1997

Comptroller of Public Accounts Effectiveness of Internal Engagement May 1997 Table of Contents Comptroller of Public Accounts Effectiveness of Internal Engagement May 1997 Overall Conclusion...1 The Internal Audit Department Is Currently Effective in All Eight Criteria, But Could

More information

Incentive Compensation Systems In Community Health Centers. Curt Degenfelder Managing Director curtis.degenfelder@rsmi.com

Incentive Compensation Systems In Community Health Centers. Curt Degenfelder Managing Director curtis.degenfelder@rsmi.com Incentive Compensation Systems In Community Health Centers Curt Degenfelder Managing Director curtis.degenfelder@rsmi.com 1 What are the components of successful health centers culture that support an

More information

Introduction Auditing Internal Controls in an IT Environment SOx and the COSO Internal Controls Framework Roles and Responsibilities of IT Auditors

Introduction Auditing Internal Controls in an IT Environment SOx and the COSO Internal Controls Framework Roles and Responsibilities of IT Auditors Introduction Auditing Internal Controls in an IT Environment SOx and the COSO Internal Controls Framework Roles and Responsibilities of IT Auditors Importance of Effective Internal Controls and COSO COSO

More information

ORGANIZATION-WIDE RISK ASSESSMENT

ORGANIZATION-WIDE RISK ASSESSMENT ORGANIZATION-WIDE RISK ASSESSMENT Prepared By: Craig Hametner, CPA, CIA, CMA, CFE City Auditor Randall Mahaffey, CIA, CGAP Senior Audit Analyst INTERNAL AUDIT DEPARTMENT January 10, 2008 Report 0806 Table

More information

Audit, Risk Management and Compliance Committee Charter

Audit, Risk Management and Compliance Committee Charter Audit, Risk Management and Compliance Committee Charter Woolworths Limited Adopted by the Board on 27 August 2013 page 1 1 Introduction This Charter sets out the responsibilities, structure and composition

More information

CHECKLIST OF COMPLIANCE WITH THE CIPFA CODE OF PRACTICE FOR INTERNAL AUDIT

CHECKLIST OF COMPLIANCE WITH THE CIPFA CODE OF PRACTICE FOR INTERNAL AUDIT CHECKLIST OF COMPLIANCE WITH THE CIPFA CODE OF PRACTICE FOR INTERNAL AUDIT 1 Scope of Internal Audit 1.1 Terms of Reference 1.1.1 Do terms of reference: (a) establish the responsibilities and objectives

More information

INTERNAL AUDIT FRAMEWORK

INTERNAL AUDIT FRAMEWORK INTERNAL AUDIT FRAMEWORK April 2007 Contents 1. Introduction... 3 2. Internal Audit Definition... 4 3. Structure... 5 3.1. Roles, Responsibilities and Accountabilities... 5 3.2. Authority... 11 3.3. Composition...

More information

Export Development Canada

Export Development Canada Export Development Canada Special Examination Report 2009 Office of the Auditor General of Canada Bureau du vérificateur général du Canada Ce document est également publié en français. Office of the Auditor

More information

Governance, Risk and Compliance Charter

Governance, Risk and Compliance Charter Governance, Risk and Compliance Charter Charter Owner Director GRC Charter Approver Board of Management Effective date November 15 th, 2013 Date of issue Version Name Title 15 Nov 2013 1.0 Fokko Kool Group

More information

Internal Control Integrated Framework. May 2013

Internal Control Integrated Framework. May 2013 Internal Control Integrated Framework May 2013 0 Table of Contents COSO & Project Overview Internal Control-Integrated Framework Illustrative Documents Illustrative Tools for Assessing Effectiveness of

More information

Training Presentation Audits & Federal Programs. Speaker: Doug Erwin, CPA

Training Presentation Audits & Federal Programs. Speaker: Doug Erwin, CPA Training Presentation Audits & Federal Programs Speaker: Doug Erwin, CPA Introduction CPA, licensed by the state of Georgia state board of accountancy Also licensed to conduct audits of financial statements

More information

C o m m i t t e e o f S p o n s o r i n g O r g a n i z a t i o n s o f t h e T r e a d w a y C o m m i s s i o n

C o m m i t t e e o f S p o n s o r i n g O r g a n i z a t i o n s o f t h e T r e a d w a y C o m m i s s i o n C o m m i t t e e o f S p o n s o r i n g O r g a n i z a t i o n s o f t h e T r e a d w a y C o m m i s s i o n T h o u g h t L e a d e r s h i p i n E R M E m b r a c i n g E n t e r p r i s e R i s

More information

Comprehensive Risk Assessment and Developing the Audit Plan

Comprehensive Risk Assessment and Developing the Audit Plan Comprehensive Risk Assessment and Developing the Audit Plan Laure Boyd, CIA, CGAP Internal Audit Manager Leon County Clerk of the Circuit Court and Comptroller Our Time Today Background Risk Assessment

More information

Developing and Implementing a Fraud Risk Assessment. Josh Shilts CPA/CFF, CFE

Developing and Implementing a Fraud Risk Assessment. Josh Shilts CPA/CFF, CFE Developing and Implementing a Fraud Risk Assessment Josh Shilts CPA/CFF, CFE MY GOAL HAVE YOU WALK AWAY WITH THE KNOWLEDGE AND TOOLS TO COMPLETE A FORMAL & USEFUL FRAUD RISK ASSESSMENT!!! Before We Begin,

More information

ANTI-FRAUD POLICY Adopted August 13, 2015

ANTI-FRAUD POLICY Adopted August 13, 2015 ANTI-FRAUD POLICY Adopted August 13, 2015 Introduction The Board of Commissioners of the Housing Authority of the City of Muskogee (MHA) has established an anti-fraud policy to enforce controls and to

More information

GET YOUR INTERNAL AUDIT RISK ASSESSMENT RIGHT THIS YEAR NOAH GOTTESMAN

GET YOUR INTERNAL AUDIT RISK ASSESSMENT RIGHT THIS YEAR NOAH GOTTESMAN GET YOUR INTERNAL AUDIT RISK ASSESSMENT RIGHT THIS YEAR NOAH GOTTESMAN ABOUT THE AUTHOR Leveraging his background in internal audit and internal controls, Noah Gottesman provides industry thought leadership

More information

AppleCare. 2013 General Compliance Training

AppleCare. 2013 General Compliance Training AppleCare 2013 General Compliance Training Goals After completing this course, you will understand: The Principles of Ethics and Integrity and the Compliance Plan How to report a suspected or detected

More information

Centre for Corporate Governance. Managing the business risk of fraud: New guidance for a new risk environment

Centre for Corporate Governance. Managing the business risk of fraud: New guidance for a new risk environment Centre for Corporate Governance Managing the business risk of fraud: New guidance for a new risk environment Many antifraud professionals believe that organizations today face a greater risk of fraud occurring

More information

AstraZeneca US Compliance Program

AstraZeneca US Compliance Program AstraZeneca US Compliance Program Key Objectives AstraZeneca's US Compliance Program is focused on two equally important objectives: Exercising due diligence to prevent, detect and correct unlawful conduct

More information

Audit of the Test of Design of Entity-Level Controls

Audit of the Test of Design of Entity-Level Controls Audit of the Test of Design of Entity-Level Controls Canadian Grain Commission Audit & Evaluation Services Final Report March 2012 Canadian Grain Commission 0 Entity Level Controls 2011 Table of Contents

More information