Siemens Medical Solutions USA, Inc. INVISION ACO and RCO Services


Siemens Medical Solutions USA, Inc.
INVISION ACO and RCO Services
Independent Service Auditor's Report on Controls Placed in Operation and Tests of Operating Effectiveness
For the Period of April 1, 2008, to September 30, 2008

TABLE OF CONTENTS

SECTION 1 INDEPENDENT SERVICE AUDITOR'S REPORT ... 1
SECTION 2 DESCRIPTION OF CONTROLS PLACED IN OPERATION ... 4
    OVERVIEW OF OPERATIONS ... 5
        Company Background ... 5
        Description of Other Services Provided ... 5
    CONTROL ENVIRONMENT ... 6
        Integrity and Ethical Values ... 6
        Commitment to Competence ... 6
        Senior Executive and Audit Committee Participation ... 7
        Management's Philosophy and Operating Style ... 7
        Organizational Structure and Assignment of Authority and Responsibility ... 7
        Human Resource Policies and Practices ... 9
    RISK ASSESSMENT
    CONTROL OBJECTIVES AND RELATED CONTROL ACTIVITIES
    MONITORING
    INFORMATION AND COMMUNICATION SYSTEMS
        Information Systems
        Communication Systems
    COMPLEMENTARY CONTROLS AT USER ORGANIZATIONS
SECTION 3 TESTING MATRICES
    PHYSICAL SECURITY
    ENVIRONMENTAL SECURITY
    COMPUTER OPERATIONS
    INFORMATION SECURITY
    APPLICATION CHANGE CONTROL
    DATA COMMUNICATIONS
    PATIENT ACCOUNTING
    GENERAL LEDGER
    ACCOUNTS PAYABLE
    HUMAN RESOURCES (PAYROLL)
SECTION 4 OTHER INFORMATION PROVIDED BY MANAGEMENT
    REGULATORY AND COMPLIANCE
    STRATEGIC SUPPORT OF DISASTER RECOVERY
    MANAGEMENT'S RESPONSE TO TESTING EXCEPTIONS

Siemens Medical Solutions USA, Inc. Proprietary and Confidential i

SECTION 1 INDEPENDENT SERVICE AUDITOR'S REPORT

INDEPENDENT SERVICE AUDITOR'S REPORT

To Siemens Medical Solutions USA, Inc.:

We have examined the accompanying description of controls related to the INVISION ACO and RCO services of Siemens Medical Solutions USA, Inc. ("Siemens" or "the service organization") performed at the Malvern, Pennsylvania, facility. Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of Siemens' controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily, and user organizations applied the controls contemplated in the design of Siemens' controls; and (3) such controls had been placed in operation as of September 30, 2008. The control objectives were specified by the management of Siemens. Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

In our opinion, the accompanying description of the aforementioned INVISION ACO and RCO services presents fairly, in all material respects, the relevant aspects of Siemens' controls that had been placed in operation as of September 30, 2008. Also, in our opinion, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and user organizations applied the controls contemplated in the design of Siemens' controls.

In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specific controls, listed in Section 3 (the "Testing Matrices"), to obtain evidence about their effectiveness in meeting the control objectives, described in the Testing Matrices, during the period from April 1, 2008, to September 30, 2008. The specific controls and the nature, timing, extent, and results of the tests are listed in the Testing Matrices. This information has been provided to user organizations of Siemens and to their auditors to be taken into consideration, along with information about the internal control at user organizations, when making assessments of control risk for user organizations. In our opinion, the controls that were tested, as described in the Testing Matrices, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in the Testing Matrices were achieved during the period from April 1, 2008, to September 30, 2008. However, the scope of our engagement did not include tests to determine whether control objectives not listed in the Testing Matrices were achieved; accordingly, we express no opinion on the achievement of control objectives not included in the Testing Matrices.

The relative effectiveness and significance of specific controls at Siemens and their effect on assessments of control risk at user organizations are dependent on their interaction with the controls and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of controls at individual user organizations.

The description of controls at Siemens is as of September 30, 2008, and information about tests of the operating effectiveness of specific controls covers the period from April 1, 2008, to September 30, 2008. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at Siemens is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes made to the system or controls, or the failure to make needed changes to the system or controls, may alter the validity of such conclusions.

The information in Section 4 is presented by Siemens to provide additional information and is not a part of Siemens' description of controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements. Such information has not been subjected to the procedures applied in the examination of the description of the INVISION ACO and RCO services, and accordingly, we express no opinion on it.

This report is intended solely for use by the management of Siemens, its user organizations, and the independent auditors of its user organizations.

November 7, 2008

SECTION 2 DESCRIPTION OF CONTROLS PLACED IN OPERATION

OVERVIEW OF OPERATIONS

Company Background

Siemens Medical Solutions of Siemens AG (Siemens) (NYSE: SI), with headquarters in Malvern, Pennsylvania and Erlangen, Germany, is one of the largest suppliers to the healthcare industry in the world. The company is known for bringing together innovative medical technologies, healthcare information systems, consulting, and support services to help customers achieve tangible, sustainable, clinical, and financial outcomes. In 2007, Siemens finalized the acquisition of Bayer Diagnostics as well as Dade Behring Holdings, Inc., making Siemens Medical Solutions Diagnostics the largest clinical diagnostics company in the world. As the world's first full-service diagnostics company, Siemens is committed to addressing the complex challenges facing the healthcare industry, today and tomorrow.

Siemens Medical Solutions employs approximately 15,000 people in the United States and 48,000 people worldwide in over 130 countries and is a key business unit of Siemens AG (Munich, Germany, NYSE: SI), a leading global electronics and engineering company. Siemens Medical Solutions reported 2007 fiscal year revenue of billion EURO. From imaging systems for diagnosis, to therapy equipment for treatment, to patient monitors and hearing instruments and beyond, Siemens' innovations contribute to the health and well-being of people across the globe, while improving operational efficiencies and optimizing workflow in hospitals, clinics, and doctors' offices. Siemens also offers a variety of data management solutions for customers and is currently a leading Application Service Provider in the healthcare industry.

Also headquartered in Malvern, the healthcare information technology (IT) division of Siemens Medical Solutions is Siemens Medical Solutions USA (Siemens Health Services). The contributions of this division have been widely recognized among industry leaders. Holding the leadership position in healthcare IT for over 35 years, Siemens Health Services is committed to helping health organizations achieve proven outcomes and improve quality of care, financial performance, and strategic position through innovative, workflow-based solutions. The group operates one of the health industry's largest processing environments, including the Siemens Health Services Information Systems Center (ISC) and Health Information Network for application hosting, e-commerce, enterprise systems management, and managed Internet and infrastructure services. As a leading Application Service Provider (ASP) in healthcare, the company operates health applications for over 1,000 health providers with connections to over 500,000 customer workstations, and processes 157 million transactions each day.

Description of Other Services Provided

Siemens Health Services products are offered to healthcare facilities of all types (urban, teaching, suburban, rural, specialty, proprietary hospital companies, not-for-profit multi-entity groups, and integrated health networks). These products include a full range of software systems that use diverse computing and networking technologies, including remote processing, distributed processing systems, and onsite systems. Siemens Health Services also provides professional services related to its information processing systems business. Domestically, Siemens Health Services markets its products and provides installation services and ongoing technical and educational support with a field staff working from branch offices.

The Siemens Health Services Corporate Headquarters and ISC are based in Chester County, Pennsylvania, residing on a 116-acre campus. The Siemens Health Services customer service staff, applications specialists, and communications and computer operations personnel who assist customers in their day-to-day use of Siemens Health Services products are located at the Corporate Headquarters. System designers and programmers, who work to enhance existing programs and develop additional data processing products, are also located at the Corporate Headquarters.

INVISION Financials

INVISION Financials is a cost-effective billing and receivables management solution that presents clear, concise patient accounting information. Access to patient accounting information can be gained through a Web-enabled browser, enabling online access across the enterprise. INVISION Financials helps streamline your patient accounting processes by improving the way you look at and analyze data. Relevant information is captured on main screens with one-click access to supporting data. All patient accounting information can be selected by the appropriate patient view from a single top-level navigator area. The information screens reside at the same level and are accessible from one navigation point; no pathways are hidden from your view. And by offering online access across the enterprise, INVISION Financials helps the patient accounting team communicate and collaborate.

INVISION Financials is complemented by and integrated with other Siemens Patient Financial Service solutions, including INVISION Contract Management. This full suite of solutions supports a variety of care settings with insurance processing, billing, claims, and collection solutions.

CONTROL ENVIRONMENT

Integrity and Ethical Values

The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of Siemens' control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behavior are the product of Siemens' ethical and behavioral standards, how they are communicated, and how they are reinforced in practice. They include management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements and codes of conduct.

Specific control activities that Siemens has implemented in this area are described below.

- Management maintains documented standards of performance and conduct that communicate entity values and behavioral standards.
- Management requires employees to sign a series of acknowledgment forms indicating that they have been given access to the company policies and understand their responsibility for adhering to the policies and procedures.
- Management requires that employees sign a confidentiality statement agreeing not to disclose proprietary or confidential information, including client information, to unauthorized parties.
- Management performs background checks for employment candidates as a component of the hiring process.
- Management performs drug screenings for employment candidates as a component of the hiring process.

Commitment to Competence

Siemens management defines competence as the knowledge and skills necessary to accomplish tasks that define employees' roles and responsibilities. Siemens' commitment to competence includes management's consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge. Siemens has an internal education department responsible for educating Siemens employees on Siemens products and new technologies. Siemens employees also attend industry trade shows, conferences, seminars, and external education classes.

Siemens' tuition reimbursement programs encourage employees to continue their educational development.

Specific control activities that Siemens has implemented in this area are described below.

- Management considers the competence levels for particular jobs and translates required skills and knowledge levels into written position requirements.
- Management maintains processes to assess job candidates to determine whether the candidates possess the requisite level of competence to hold positions.
- Management provides training sessions to employees in the Hosting and Support Services departments (EHS and CSC) to maintain and advance the skill level of personnel.

Senior Executive and Audit Committee Participation

Siemens' control consciousness is influenced significantly by the participation of Siemens' senior executives and audit committee.

Specific control activities that Siemens has implemented in this area are described below.

- The senior executive team (SET) oversees the health services (HS) management activities and meets on a monthly basis to discuss matters pertinent to the HS operations.
- Management utilizes internal audits to assess the effectiveness of internal controls and management's compliance with organizational objectives.

Management's Philosophy and Operating Style

Siemens' management philosophy and operating style encompass a broad range of characteristics. Such characteristics include management's approach to taking and monitoring business risks, and management's attitudes toward information processing, accounting functions, and personnel. A written set of accounting policies and procedures has been developed and is updated when needed. Frequent analysis and review are performed on all financial reporting. Internal leadership meetings are held to discuss current operations and forecast projects. There are also management meetings among the various operational business units.

Specific control activities that Siemens has implemented in this area are described below.

- Management is periodically briefed on regulatory and industry changes affecting services provided.
- Management requires employees to complete online compliance training.
- Enterprise hosting services (EHS) senior management meetings are held on a monthly basis to discuss operational issues. Additionally, EHS managers meet weekly to discuss operational and training issues.
- Management has implemented a compliance hotline for worldwide employees to contact regarding questions related to compliance.

Organizational Structure and Assignment of Authority and Responsibility

Siemens' organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. Siemens management believes that establishing a relevant organizational structure includes considering key areas of authority and responsibility and appropriate lines of reporting. Siemens has developed an organizational structure suited to its needs. This organizational structure is based, in part, on its size and the nature of its activities.

Siemens' assignment of authority and responsibility activities include factors such as how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It also includes policies relating to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring that all personnel understand the entity's objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable.

Specific control activities that Siemens has implemented in this area are described below.

- Management utilizes organizational charts to communicate key areas of authority, responsibility, and lines of reporting to personnel.
- Management establishes segregation of duties for key areas of authority, job responsibilities, and lines of reporting.

The Siemens Health Services organizational control structure (see Figures 1 and 2 below) is divided into four primary areas as it relates to the INVISION ACO and RCO product lines:

- Global Services (GS) is responsible for Enterprise Hosting Solutions (including Systems Administration & Operations) and the Customer Service Center.
- Foundation Enterprise Systems (FES) is responsible for application development and support, software management, and application quality control.
- Business Administration is responsible for Siemens Health Services accounting and finance, and legal, functions.
- Health Services Human Resources reports into a Siemens Health Services Human Resources organization, but is matrixed to the President and CEO of Health Services.

[Figure 1: Siemens Health Services Organization Chart (Malvern, Pennsylvania)]

[Figure 2: Siemens AG (Germany) Organization Chart]

Human Resource Policies and Practices

Siemens' human resources policies and practices relate to employee hiring, orientation, training, evaluation, counseling, promotion, compensation, and disciplinary activities. Siemens employs a number of policies and procedures to standardize the hiring process and employee performance and conduct.

Siemens uses a third-party vendor to verify information listed on the Siemens Application for Employment.

Specific control activities that Siemens has implemented in this area are described below.

- Management completes annual performance evaluations for employees.
- Management has established employee termination procedures to guide personnel in the termination process.

RISK ASSESSMENT

Siemens management has placed into operation a risk assessment process to identify and manage risks that could affect the organization's ability to provide reliable transaction processing for user organizations. This process requires management to identify significant risks in their areas of responsibility and to implement appropriate measures to address those risks. Risks that are considered during management's risk assessment activities include consideration of the following events:

- Changes in operating environment
- New personnel
- New or revamped information systems
- Rapid growth
- New technology
- New business models, products, or activities
- Corporate restructurings
- Expanded operations
- New accounting pronouncements

Management's recognition of risks that could affect the organization's ability to provide reliable transaction processing for its user organizations is generally implicit, rather than explicit. Management's involvement in the daily operations allows them to learn about risks related to transaction processing through direct personal involvement with employees and outside parties, thus reducing the need for formalized and structured risk assessment processes.

CONTROL OBJECTIVES AND RELATED CONTROL ACTIVITIES

Siemens' control objectives and related control activities are included in Section 3 (the "Testing Matrices") of this report in order to eliminate the redundancy that would result from listing them in this section and repeating them in the Testing Matrices. Although the control objectives and related control activities are included in the Testing Matrices, they are, nevertheless, an integral part of the description of controls. The description of the service auditor's tests of operating effectiveness and the results of those tests are also presented in the Testing Matrices, adjacent to the service organization's description of controls. The description of the tests of operating effectiveness and the results of those tests are the responsibility of the service auditor and should be considered information provided by the service auditor.

Note: The scope of this service auditor's report is limited to the INVISION ACO services (also known as the "Auxiliary Computing Option") and the INVISION RCO services (also known as the "Remote Computing Option and Application"). The following control objectives relate to RCO services only: Computer Operations, Information Security, Application Change, and Data Communications.

MONITORING

Monitoring is generally performed through active hands-on management, including the monthly management meeting to discuss operational issues and key performance statistics such as daily sales volume, customer service call volume and response rate, chargeback ratios, etc. Members of executive management, including the chief executive officer and chief operating officer/president, visit satellite offices on a regular basis and hold Town Hall Meetings to convey an open culture, discuss issues with employees, and ensure businesses are operating at management's expectation. Executive management is hands-on and extremely active in the business.

Siemens monitors business units and other auditable entities throughout the organization utilizing a risk-based approach in the selection of its audit population to ensure that enterprise-wide risks are prioritized and addressed in order of significance. Results from these audits are documented in formal communications to executive management and other relevant parties.

INFORMATION AND COMMUNICATION SYSTEMS

Information Systems

The healthcare information systems Siemens offers give customers flexibility when setting up and configuring their computing alternatives. Customers select their transaction processing options and activate related audit trails. Similarly, each customer has the ability to verify the accuracy of transaction processing activity through the use of control reports or other audit trails.

The ISC serves as the central processing site for Siemens Health Services. The ISC is a 94,000 square foot facility housing servers, online disk storage (DASD), tape management, tape library, production, and distribution. Office space in the ISC is dedicated to ISC support personnel. The ISC and its support areas are responsible for all data processing. The physical construction of the building is designed to provide the security and integrity of a 24 hour per day, 365 days per year processing operation. The building is made of precast and poured concrete with firewalls separating computer operations to minimize potential fire damage through containment. Exterior emergency exit doors are made of steel and designed to prohibit outside access. All exterior doors are secured and monitored by an electronic alarm system and surveillance cameras. The main entrance to the ISC is equipped with a cardkey reader and a biometric palm scanner to restrict access to authorized personnel. Additional cardkey readers are installed throughout the building to provide access to restricted areas by authorized personnel. The only exterior windows are located in the second floor offices, cafeteria, and first floor reception area. The ISC is equipped with redundant environmental control systems to provide for continuous, uninterrupted operation.

The following is a description of the functional and support areas of the organizations that participate in the development, operations, and support of the INVISION product:

- Systems Management and Operations. This group ensures that all processing is performed for customers 24 hours/day, seven days/week. This includes supporting all Siemens Health Services product lines that run in the ISC as well as all environments required for development and support of these products. Operations is also responsible for ensuring the integrity of the Data Storage Facility, and for printing and distributing patient statements, reports, and CD-ROM.
    o Change Administration. As a subgroup within Systems Management and Operations, this group is responsible for reviewing all change requests for approval and performs updates to source and executable program libraries upon authorization and approval.

- Business Recovery Services and Security.
    o Business Recovery Services. As a subgroup within Business Recovery Services and Security, this group is responsible for the business recovery planning process for ISC-based Siemens Health Services products.
    o Security. As a subgroup within Business Recovery Services and Security, Security consists of two groups, the Security Analysts and the Security Admins. The Security Analysts are responsible for coordinating company-wide standards and guidelines for Information Security safeguards pertaining to data residing in the ISC. They provide support for the review, counsel, education, and communication of computer security administration procedures. Information Security implements and maintains Security software products. The Security Admins administer security rights and privileges in accordance with the standards and guidelines developed by the Security Analysts.
- Systems and R&D. This group is responsible for the installation, maintenance, and support of the operating systems, network, and all other third-party software. The Systems and R&D groups maintain high availability and performance for the ISC by providing appropriate hardware and software products. The Systems and R&D groups consist of the following:
    o Storage & Backup Technologies. This group is responsible for the storage subsystem and for backup technologies.
    o zSeries Systems and Networking. This group is responsible for the administration of CICS systems. This includes systems maintenance, availability, performance, support, and related software development.
    o Infrastructure. This group is responsible for providing the third-party software products to run as the infrastructure for the hosted products in the ISC.
- Network Support Center. This group is responsible for the support of the Siemens Health Services customer data network and Siemens Health Services data and voice networks.
- Foundation Enterprise Systems. This group is responsible for developing and implementing new applications and maintaining and enhancing current applications. Within this group are the General Ledger, Patient Accounting, Human Resources (Payroll), Accounts Payable, and Online Architectural Software Groups.

Siemens does not record, process, summarize, or report the financial transactions of our user organizations. Additionally, Siemens does not maintain accountability for any client assets, liabilities, or equity.

Communication Systems

Siemens Health Services has implemented various methods of communication to help ensure that significant events are communicated in a timely manner and that employees understand their roles and responsibilities regarding transaction processing and controls. These methods include orientation and training programs for newly hired employees and the use of electronic and voice mail messages to communicate time-sensitive messages. Siemens Health Services managers also hold regular staff meetings to communicate these matters. Employees are responsible for communicating significant issues in a timely manner to an appropriate higher level within the organization or through the Compliance Hotline.

Siemens Health Services has also implemented various methods of communication to notify user organizations of the role and responsibilities of Siemens Health Services in processing their transactions and to notify customers of significant concerns in a timely manner. These methods include onsite training, periodic newsletters, product announcements, and a Relationship Manager who maintains contact with customers to inform them of new issues and developments.

Customer questions and problems communicated to Customer Service Representatives are logged and tracked until resolved, and the resolution is reported to the user organizations.

COMPLEMENTARY CONTROLS AT USER ORGANIZATIONS

Siemens' services are designed with the assumption that certain controls will be implemented by user organizations. Such controls are called complementary user organization controls. It is not feasible for all of the control objectives related to Siemens' services to be solely achieved by Siemens' control procedures. Accordingly, user organizations, in conjunction with the services, should establish their own internal controls or procedures to complement those of Siemens.

The following complementary user organization controls should be implemented by user organizations to provide additional assurance that the control objectives described within this report are met. As these items represent only a part of the control considerations that might be pertinent at the user organizations' locations, user auditors should exercise judgment in selecting and reviewing these complementary user organization controls.

Complementary User Organization Controls:

1. User organizations are responsible for informing Siemens of any regulatory issues that may affect the services provided by Siemens to the user organization.
2. User organizations are responsible for understanding and complying with their contractual obligations to Siemens.
3. User organizations are responsible for maintaining their own system(s) of record.
4. User organizations are responsible for notifying Siemens, in a timely manner, when changes are made to technical, billing, or administrative contact information.
5. User organizations are responsible for developing their own disaster recovery and business continuity plans that address their inability to access or utilize Siemens' services.
6. User organizations are responsible for defining the communications method utilized to connect to Siemens' systems (e.g., direct connections, over public networks, etc.).
7. User organizations are responsible for ensuring that user IDs and passwords are assigned to only authorized individuals and that the roles assigned to the user account are appropriate. Each user should have a unique ID to ensure adequate accountability.
8. User organizations are responsible for ensuring that users have appropriate access within the application.
9. User organizations are responsible for maintaining sufficient documentation to support existing user access capabilities.
10. User organizations are responsible for ensuring the confidentiality of any user IDs and passwords assigned to them for use with Siemens' systems.
11. User organizations are responsible for changing the default passwords associated with the standard IDs provided with the system.
12. User organizations are responsible for ensuring that Siemens is notified of any required user account maintenance in a timely manner.
13. User organizations are responsible for immediately notifying Siemens of any actual or suspected information security breaches, including compromised user accounts.
14. User organizations are responsible for determining whether Siemens' security infrastructure is appropriate for their needs and for notifying the service organization of any requested modifications.

16 15. User organizations are responsible for reviewing all client reports generated via the OAS reporting tools, or from other environments not included within the scope of this review, to ensure the completeness and accuracy of information processed. 16. User organizations are responsible for ensuring that access to the various OAS Builders is restricted to only appropriate personnel. 17. User organizations are responsible for establishing standards, procedures, and controls for using each of the OAS builders to help ensure that the builders are used in accordance with management s control objectives. 18. User organizations are responsible for regularly reviewing OAS logs to ensure that only authorized Siemens Health Services account representatives are using the SMSMAS ID within their system, that all use is appropriate and authorized, and that there are no unauthorized access attempts. 19. User organizations are responsible for ensuring that access is restricted to the VSAM transfer utility by removing the menu option from user profiles or by creating an access rule that only allows certain users to use the tool. 20. User organizations are responsible for producing and reviewing all automated balancing reports (ABS) and reconcile daily processing activities to source documentation and/or input control totals. 21. User organizations are responsible for producing and reviewing the transaction control and error (TCE) report to identify transaction errors and processing rejects on a daily basis. Appropriate procedures should be implemented to ensure the timely correction of these items. 22. User organizations are responsible for ensuring that their employees are adequately trained to use Siemens Health Services applications. 23. 
User organizations are responsible for understanding all application control features, system options, and reporting capabilities of the Siemens Health Services Patient Accounting, General Ledger, Accounts Payable, Human Resources (Payroll), and OAS applications and ensure that application parameters, log files, and reporting options are set in a manner that promotes adequate control and are set in accordance with management s control objectives. 24. User organizations are responsible for checking the customer memo Intranet site daily to receive customer memo information. 25. User organizations are responsible for reviewing the transmittal summary reports to ensure that the payroll totals were accurate and matched the payroll day end processing report totals. 26. User organizations are responsible for submitting accurate and complete payroll data. 27. User organizations are responsible for implementing appropriate controls to ensure that the W-2 master files are complete and accurate for tax reporting purposes. 28. User organizations are responsible for determining that parameters within the General Ledger application, which permit debits to equal (not equal) credits for all entries, have been properly set in accordance with management s objectives. 29. User organizations are responsible for ensuring that the General Ledger Master File and the various conversion tables for interfacing products are error free. This includes reviewing and disposing of information submitted from Accounts Payable, Human Resources (Payroll), or other applications to the General Ledger default account numbers to ensure that information is accurately recorded. It is the user organization s responsibility to properly address and dispose of all noted errors. 30. User organizations are responsible for ensuring that all appropriate General Ledger and Statistical account numbers have been included in the appropriate report lines. Siemens Medical Solutions USA, Inc. 
Proprietary and Confidential 14

17 31. User organizations are responsible for reviewing their GC or general queue daily for error, balancing and reconciliation reports. 32. User organizations are responsible for reviewing the Accounts Payable Register (AP-REG) for Accounts Payable Data Collection, Accounts Payable Online Invoice File Maintenance Report (APPOMAR), the Balance Report (APBAL) to reconcile the ending balances, and the Accounts Payable Update-Error List Report (APREGER) for transmissions errors. 33. User organizations are responsible for ensuring that AP related invoices are entered into the system at the individual invoice level rather than summary form to provide an appropriate level of accountability over invoice activity. 34. User organizations are responsible for ensuring that appropriate physical security controls, with respect to Accounts Payable and Human Resources (Payroll) check printing activities, are in place to promote an adequate physical security environment over check stock, signature plates, and check printing areas, and adequate segregation of duties over check printing activities. 35. User organizations are responsible for ensuring that the AP related option is activated to enable checking for duplicate voucher numbers. 36. User organizations are responsible for ensuring that the AP 1099 master files are complete and accurate for tax reporting purposes. 37. User organizations are responsible for ensuring that the electronic AP information forwarded by Siemens Health Services to the IRS or relevant third parties, such as financial institutions, is complete and accurate and reconciles to their 1099 records. Siemens Medical Solutions USA, Inc. Proprietary and Confidential 15

SECTION 3 TESTING MATRICES

MATRIX 1

Control Objective Specified: PHYSICAL SECURITY

Control activities provide reasonable assurance that business premises and information systems are protected from unauthorized access, damage and interference.

1.1 Control: Management maintains Information Service Center (ISC) physical security policies and procedures that define requirements for access, authentication and monitoring.
    Tests performed: Inspected the ISC physical security policies to determine that ISC physical security policies and procedures defined requirements for access and authentication. Inspected the CCTV Monitoring Facilities Policies and Procedures to determine that policies and procedures defined requirements for monitoring.

1.2 Control: Security personnel monitor access to the ISC facility 24 hours per day.
    Tests performed: Inspected the ISC surveillance monitoring procedures and security personnel work schedules to determine that security personnel monitored access to the ISC facility 24 hours per day.

1.3 Control: Surveillance cameras monitor and record activity at entrances and throughout the ISC.
    Tests performed: Observed ISC surveillance cameras to determine that surveillance cameras monitored and recorded activity at entrances and throughout the ISC.

1.4 Control: ISC visitors are required to register with security personnel and provide valid government-issued identification before gaining access to the facility.
    Tests performed: Observed visitor procedures to determine that ISC visitors registered with security personnel and provided valid government-issued identification before gaining access to the facility. Inspected the electronic ISC visitor log to determine that visitors registered with security personnel when accessing the facility during the review period.

1.5 Control: Visitors to the ISC are required to be escorted by an employee assigned to the ISC.
    Tests performed: Observed visitor access procedures to determine that visitors to the ISC were escorted by an employee assigned to the ISC.

1.6 Control: The ability to perform tours of the ISC is restricted to the following personnel:
    - Senior director of information technology
    - Director of information technology
    - Operations analyst (5)
    Tests performed: Inspected the authorized tour guide list to determine that the ability to perform tours of the ISC was restricted to the personnel listed above. Inspected tour logs for a nonstatistical sample of tours performed during the review period to determine that each tour sampled was performed by an authorized tour guide.

1.7 Control: Vendor access to the ISC is restricted to vendors listed on an authorized vendor list.
    Tests performed: Inquired of the IT director regarding vendor access to determine that vendor access to the ISC was restricted to an authorized vendor list. Inspected a nonstatistical sample of vendors from the data center badge access list and compared it to the authorized vendor access list to determine that vendor badge access holders were listed on the authorized vendor list.


More information

CREDIT CARD PROCESSING POLICY AND PROCEDURES

CREDIT CARD PROCESSING POLICY AND PROCEDURES CREDIT CARD PROCESSING POLICY AND PROCEDURES Note: For purposes of this document, debit cards are treated the same as credit cards. Any reference to credit cards includes credit and debit card transactions.

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

MAG DATACENTERS, LLC ( FORTRUST ) Service Organization Controls 3

MAG DATACENTERS, LLC ( FORTRUST ) Service Organization Controls 3 MAG DATACENTERS, LLC ( FORTRUST ) Service Organization Controls 3 Report on FORTRUST s Enterprise Data Center and Colocation Services System Relevant to Security and Availability For the Period October

More information

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business DELAWARE COLLEGE OF ART AND DESIGN 600 N MARKET ST WILMINGTON DELAWARE 19801 302.622.8000 INFORMATION SECURITY POLICY including Policy for Credit Card Acceptance to Conduct College Business stuff\policies\security_information_policy_with_credit_card_acceptance.doc

More information

Tips to Prevent and Detect Workplace Fraud

Tips to Prevent and Detect Workplace Fraud 40 Tips to Prevent and Detect Workplace Fraud an E-book developed for you by: Table of Contents preventive controls detective controls 1. culture of ethics 2. free of moral hazards 3. risk management policy

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service) Introduction This document provides a summary of technical information security controls operated by Newcastle University s IT Service (NUIT). These information security controls apply to all NUIT managed

More information

Information Technology Security Policies

Information Technology Security Policies Information Technology Security Policies Randolph College 2500 Rivermont Ave. Lynchburg, VA 24503 434-947- 8700 Revised 01/10 Page 1 Introduction Computer information systems and networks are an integral

More information

Report on FTHC, LLC d/b/a Miami Data Vault s Description of its Data Center System and on the Suitability of the Design and Operating Effectiveness

Report on FTHC, LLC d/b/a Miami Data Vault s Description of its Data Center System and on the Suitability of the Design and Operating Effectiveness Report on FTHC, LLC d/b/a Miami Data Vault s Description of its Data Center System and on the Suitability of the Design and Operating (SOC 1) For the period August 1, 2014 through July 31, 2015 In Accordance

More information

Privacy Impact Assessment for the. Standardized Tracking and Accounting Reporting System- Financial Management System (STARS-FMS)

Privacy Impact Assessment for the. Standardized Tracking and Accounting Reporting System- Financial Management System (STARS-FMS) Privacy Impact Assessment for the Standardized Tracking and Accounting Reporting System- Financial Management System (STARS-FMS) United States Marshals Service Contact Point William E. Bordley Associate

More information

Audit of NSERC Award Management Information System

Audit of NSERC Award Management Information System Internal Audit Audit Report Audit of NSERC Award Management Information System TABLE OF CONTENTS 1. EXECUTIVE SUMMARY... 2 2. INTRODUCTION... 3 3. AUDIT FINDINGS- BUSINESS PROCESS CONTROLS... 5 4. AUDIT

More information

Service Organization Controls 3 Report. Report on Hyland Software, Inc. s OnBase Online Cloud Platform, relevant to Security and Availability

Service Organization Controls 3 Report. Report on Hyland Software, Inc. s OnBase Online Cloud Platform, relevant to Security and Availability Service Organization Controls 3 Report Report on Hyland Software, Inc. s OnBase Online Cloud Platform, relevant to Security and Availability for the period May 1, 2015 through October 31, 2015 Ernst &

More information

Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture

Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture 2 Data Security and Privacy Principles for IBM SaaS Contents 2 Introduction

More information

SERVICE ORGANIZATION CONTROL 3 REPORT

SERVICE ORGANIZATION CONTROL 3 REPORT SERVICE ORGANIZATION CONTROL 3 REPORT Digital Certificate Solutions, Comodo Certificate Manager (CCM), and Comodo Two Factor Authentication (Comodo TF) Services For the period April 1, 2013 through March

More information

FormFire Application and IT Security. White Paper

FormFire Application and IT Security. White Paper FormFire Application and IT Security White Paper Contents Overview... 3 FormFire Corporate Security Policy... 3 Organizational Security... 3 Infrastructure and Security Team... 4 Application Development

More information

WAREHOUSE SECURITY BEST PRACTICE GUIDELINES CUSTOMS-TRADE PARTNERSHIP AGAINST TERRORISM

WAREHOUSE SECURITY BEST PRACTICE GUIDELINES CUSTOMS-TRADE PARTNERSHIP AGAINST TERRORISM BACKGROUND WAREHOUSE SECURITY BEST PRACTICE GUIDELINES CUSTOMS-TRADE PARTNERSHIP AGAINST TERRORISM In the aftermath of September 11, U.S. Customs and Border Protection (CBP) in cooperation with its trade

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug

More information

PART 10 COMPUTER SYSTEMS

PART 10 COMPUTER SYSTEMS PART 10 COMPUTER SYSTEMS 10-1 PART 10 COMPUTER SYSTEMS The following is a general outline of steps to follow when contemplating the purchase of data processing hardware and/or software. The State Board

More information

IT Security Standard: Computing Devices

IT Security Standard: Computing Devices IT Security Standard: Computing Devices Revision History: Date By Action Pages 09/30/10 ITS Release of New Document Initial Draft Review Frequency: Annually Responsible Office: ITS Responsible Officer:

More information

MCR Checklist for Automated Information Systems (Major Applications and General Support Systems)

MCR Checklist for Automated Information Systems (Major Applications and General Support Systems) MCR Checklist for Automated Information Systems (Major Applications and General Support Systems) Name of GSS or MA being reviewed: Region/Office of GSS or MA being reviewed: System Owner: System Manager:

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Supply Chain Security Audit Tool - Warehousing/Distribution

Supply Chain Security Audit Tool - Warehousing/Distribution Supply Chain Security Audit Tool - Warehousing/Distribution This audit tool was developed to assist manufacturer clients with the application of the concepts in the Rx-360 Supply Chain Security White Paper:

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

BUSINESS ONLINE BANKING AGREEMENT

BUSINESS ONLINE BANKING AGREEMENT BUSINESS ONLINE BANKING AGREEMENT This Business Online Banking Agreement ("Agreement") establishes the terms and conditions for Business Online Banking Services ( Service(s) ) provided by Mechanics Bank

More information

University System of Maryland University of Maryland Biotechnology Institute

University System of Maryland University of Maryland Biotechnology Institute Audit Report University System of Maryland University of Maryland Biotechnology Institute August 2006 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY This report

More information

How To Protect Decd Information From Harm

How To Protect Decd Information From Harm Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

Level I - Public. Technical Portfolio. Revised: July 2015

Level I - Public. Technical Portfolio. Revised: July 2015 Level I - Public Technical Portfolio Revised: July 2015 Table of Contents 1. INTRODUCTION 3 1.1 About Imaginatik 3 1.2 Taking Information Security Seriously 3 2. DATA CENTER SECURITY 3 2.1 Data Center

More information

Internal Control Guidelines

Internal Control Guidelines Internal Control Guidelines The four basic functions of management are usually described as planning, organizing, directing, and controlling. Internal control is what we mean when we discuss the fourth

More information

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) 01.1 Purpose

More information

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format. Policy Number: 339 Policy Title: Credit Card Processing Policy, Procedure, & Standards Review Date: 07-23-15 Approval Date: 07-27-15 POLICY: All individuals involved in handling credit and debit card transactions

More information