How To Audit A University Of Texas

Transcription

1 Purpose of the Annual Report: To provide information on the benefits and effectiveness of the internal audit function. In addition, the annual report assists central oversight agencies in their planning and coordination efforts. Table of Contents I. Compliance with House Bill 16: Posting the Internal Audit Plan, Internal Audit Report and Other Audit Information on Internet Web site II. Planned Work Related to the Proportionality of Higher Education Benefits.2 III. IV. Internal Audit Plan for Fiscal Year Consulting Services and Non-audit Services Completed V. External Quality Assurance Review (Peer Review)....7 VI. VII. VIII. Internal Audit Plan for Fiscal Year External Audit Services Procured in Fiscal Year Reporting Suspected Fraud and Abuse

2 Purpose of the Annual Internal Audit Report: To provide information on the assurance services, consulting services, and other activities of the internal audit function. In addition, the annual internal audit report assists oversight agencies in their planning and coordination efforts. I. Compliance with House Bill 16: Posting the Internal Audit Plan, Internal Audit Report, and Other Audit Information on Internet Web site The Internal Audit plan and Internal Annual Report is contained within the Reports to the State section of UTHealth s web site as required by HB 16. An updated report is provided to the web developer in the Office of Institutional Advancement via . The web developer then posts the information no later than one day prior to the due date for submission to the appropriate reporting state agencies. II. Planned Work Related to the Proportionality of Higher Education Benefits Our audit of Benefits Proportionality by Fund for UTHealth as requested by Governor Rick Perry is nearing completion. The scope of our audit includes benefits funding proportionality reporting for appropriation year (AY) Our audit methodology includes review of source information obtained from UTHealth s internal accounting system and the State s Uniform Statewide Accounting System (USAS). In addition, we are reviewing the benefits proportionality reporting process with relevant staff as well as validating the accuracy of information and proportional funding calculations reported to the State Comptroller on the Benefits Proportionality by Fund Report (APS 011). We are also testing to verify the eligibility of employee benefits paid with appropriated funds. The audit is being conducted in accordance with the guidelines set forth in The Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing. This report will be updated when our audit is finalized. Page 2 of 24

3 III. Internal Audit Plan for Fiscal Year 2014 Audit Number FY 2014 Audit Plan Audit/Project Report Date Description Audit Status Recommendation(s) Mgmt Response Implementation Status Financial Audits Description Financial Statements FY 2013 Assurance Work Financial Statements FY 2014 Assurance Work Assist State Auditor's Office and other state and/or federal auditors Report issued by D&T at UT System level Report issued by D&T at UT System level No Report Issued Controls and transaction testing, analytical review, and other procedures to provide defined level of assurance on financial statements. Interim work for FY 2013 financial statement audit. Provide fieldwork assistance to the State Auditor s Office and other state or federal auditors; assist UTHealth with responding to requests and recommendations. Complete N/A N/A N/A Complete N/A N/A N/A Complete N/A N/A N/A Page 3 of 24

4 Presidential Travel and Entertainment Report issued at the UT System level Coordination of effort and assistance to UT System during their audit of presidential travel Review of Payroll Process 08/05/2014 Review of payroll expenditures to ensure they are correct and authorized. This audit will be performed concurrent with a review of IT controls in the payroll system Executive Travel and Entertainment 11/12/2013 Complete N/A N/A N/A Complete 1.0 We recommend Compensation Services establish processes to ensure overtime exceptions to HOOP 154 are adequately documented and approved, advance written approval of overtime is formally documented, and annual reviews of overtime programs are performed when required. 2.0 We recommend Administrative Computing and Payroll work together to prioritize and develop needed reports and views. Compensation Services will define the process and determine the most appropriate methods to ensure overtime exceptions are adequately documented and approved in accordance with HOOP 154. Administrative Technology and Payroll will work together to define, develop and implement the Timesheet audit report(s) needed to monitor timesheet changes, submissions, and approvals Periodic review of official function and travel in FY Complete No Recommendations N/A N/A Not Yet Due Not Yet Due Operational Audits Confirm Review and Validation 10/29/2013 Review of compliance with UTS 142.1, which requires the development of a monitoring plan for the segregation of duties and reconciliation of Complete No Recommendations N/A N/A Page 4 of 24

5 accounts Unfunded Research No Report Issued Change In Management School of Public Health, Brownsville No Report Issued Review of costs for research not funded by grants or contracts. Audit the operations of the School of Public Health- Brownsville Complete N/A N/A N/A Complete N/A N/A N/A Revenue Cycle Review No Report Issued Review of UTP Employee Reimbursement Process Review of revenue cycle for selected clinical departments. A detailed review from point of service through final adjudication of bill. Performed in conjunction with medical billing compliance. 08/12/2014 Review of employee reimbursements at UTP. Complete N/A N/A N/A Complete 3.0 We recommend UTP develop and establish a comprehensive set of policies and procedures covering expense reimbursements. Since UTHealth has already established policies and procedures based upon industry best practice and the Medical School employee reimbursement team is already familiar with those policies, we believe it would be efficient to adopt and enforce those policies for use by UTP employees. 4.0 We recommend UTP review their employee expense reimbursement processes. The practice of allowing employees to cover normal business UT Physicians will have a comprehensive set of policies and procedures covering expense reimbursement approved by the UTP Board. We agree. UT Physicians will work with procurement on adopting policies Not Yet Due Not Yet Due Page 5 of 24

6 expenditures using personal funds and then seek reimbursement should be discontinued. UTP should work with procurement to that can be incorporated to the purchases made to support the clinical practice including the acquisition needs in the field Environmental Health and Safety Dental School Student Clinic 02/04/2014 Operational review of EH&S program. Operational review of non-dsrdp practice income. Complete No Recommendations N/A N/A In progress N/A N/A N/A Carryforward Audits Clinic & Departmental Cash Controls Review 9/30/2013 Surprise counts and controls review of cash and change funds for selected clinics and departments. Complete We recommend UT Physicians develop and issue an updated cash handling manual. In addition, all fund custodians should be required to receive cash handling training. Recent process improvement activities with joint participation between UTP, McKesson and UTH have resulted in new UTP/UTH all cash handling processes and procedures expected to be implemented by December 31, 2013 and positively impact all cash controls at the clinics. Fully Implemented Compliance with IACUC Regulations 1/24/2014 Review of compliance with Institutional Animal Care and Use Committee (IACUC) regulations. Complete 1.0 We recommend the Occupational Health Program policy be revised so that it is clearer to participants as to whether enrollment is optional or The Director of Employee Health Services will be responsible for revising the latest Fully Implemented Page 6 of 24

7 Compliance w/regent s Rules for Highly Compensated Individuals 10/17/2013 Review compliance with Regent's Rules for documenting and determining the reasonableness of compensation for highly compensated Complete required. The policy should also be clear regarding the requirement (if any) for the individual to participate in medical surveillance. We recommend that a check for adequacy of benchmarking data be added to the new hire process. When situations arise in which we pay higher than the benchmarking average, a clear explanation should version of the Animal Occupational Health Policy. The new version will clarify that the occupational health program is available to all employees and that while enrollment and participation is strongly encouraged, employees may decline to enroll. Each identified individual is required to complete a signed acknowledgement of the program. The new language will also clarify that the level of participation required is linked to the animal species involved. The revised policy, including language requested by Audit Services and any additional programmatic updates, was reviewed and approved at the Safety Council Meeting. Management agrees with the recommendation. For highly compensated individuals (defined as individuals with Fully Implemented Page 7 of 24

8 HIPAA AP Easy 10/18/2013 Review institutional compliance with HIPAA security standards. personnel. be documented. compensation greater than or equal to $500,000) for which we are required to submit the HCR ( High Compensation Request ) template prior to the of Complete 1.0 We recommend that the application owner assess the training needs of the system custodian and ensure the custodian obtains appropriate training on network administration and on AP Easy application administration. 2.0 We recommend that the system owner and custodian work with IT Risk Management to develop processes and procedures to obtain and review AP Easy application logs. 3.0 We recommend that the system owner develop and implement a process for periodic review of user accounts for AP Easy and related applications in Pathology. 4.0 We recommend that the system owner work with the HIPAA Compliance Office to identify all required Business Associate Agreements, and obtain any additional required agreements. The custodian will train with AP Easy via web or on site, and training will be documented for this purpose. The Director of Management Operations will document meetings with Risk Management to determine any additional needs for the logs and the proper protocols. The Custodian will have a schedule to review user activity at monthly intervals. The Director of Management Operations will request BAAs from existing associates (McKesson) and meet with the Sr. Legal Officer, to determine BAA needs, and request Fully Implemented Fully Implemented Fully Implemented Fully Implemented Page 8 of 24

9 Web Applications Audit 11/12/2013 Review controls in place to ensure the confidentiality, integrity, and availability of information processed through selected web applications. Complete 1.0 We recommend Information Technology, Information Security, Web Communications, the applicable schools, and departments work together to create, implement, and maintain a web application security policy or policies to address (at a minimum) the following: Establish oversight of the web application development and security process, which defines the responsibility of Central IT, Information Security, Web Communications, and developers/developing departments as applicable. Implement and maintain a web application inventory process; Develop a process that would create, implement, and maintain a centralized and complete list of web developers; Secure in house and vendor developed web applications; Follow UTHealth s System Design Life Cycle policy or developing an appropriate SDLC for web applications; Establish adequate segregation of such needed BAAs from business associates. The responsible parties will assemble and charge a leadership team from Information Technology, Information Technology Security, Web Communications and the web developers group to develop a Web Applications Developer s Standards, Policy & Procedures Guide which will include a definition of the terms web application and web developer. The Web Developer s Group will be formalized as the authority for maintaining and promoting the standards, policies and procedures in the Guide. An inventory of web applications and web developers will be completed. A process to keep the information up to date will be developed, Fully Implemented Page 9 of 24

10 duties; Create a web application scanning policy that includes: frequency and type of scans, vulnerability mitigation, a record of application scans, and a risked based scan monitoring process; documented and implemented. Establish security reviews/approval by Information Security and Web Communications; Establish accessibility reviews/approval by Web Communications; and Include applicable State and Federal guidelines and regulations. 2.0 Information Security and the Office of the CIO should assess resources currently assigned to deploy the web application firewall and decide if the application is being deployed at an acceptable rate to cover the institution s major web application risks. Information Technology Security and the office of the CIO will require the use of web application firewall as a matter of policy to protect the institution s major web applications that provide access to patient data. The policy will be included in the Web Applications Developer s Standards, Policy & Procedures Guide. Resources to deploy the web application Fully Implemented Page 10 of 24

11 ICD Update 8/5/2014 Monitor the process to prepare for the conversion to the ICD-10 coding standards. firewall will be assessed and adjusted accordingly by the implementation date. Complete No Recommendations N/A N/A Compliance Audits Texas Higher Education Coordinating Board Residency Program Medical Service Research and Development Plan (MSRDP) Dental Service Research and Development Plan (DSRDP) Cash Controls - Nonclinical Areas Evaluation of Tenured Faculty 01/06/2014 Provide opinion on revenue and expenditure reporting on annual financial reports. 08/05/2014 Annual required audit of Medical School Practice Plan. Annual required audit of Dental School Practice Plan. Review of compliance with UTS 166 in non-clinical areas receiving cash payments. 05/19/2014 Review of compliance with Regents' Rule Complete No Recommendations N/A N/A Complete No Recommendations N/A N/A In progress N/A N/A N/A In progress N/A N/A N/A Complete 1.0 We recommend that the MS establish processes to ensure the six year post-tenure comprehensive faculty reviews are completed in the fiscal year scheduled. We will adjust our process and schedules and will work with the departments/faculty to ensure that they know which faculty is to be reviewed and when they will be reviewed, as well as notified. Not Yet Due Page 11 of 24

12 2.0 We recommend that the MS establish processes to ensure all department chairs are scheduled to receive the six year posttenure comprehensive faculty review when due. The MS should include all department chairs past due in the next posttenure review, if possible. We are taking steps to correct this situation and will work with the Dean and his staff to complete past due department chair reviews in the next group due. Not Yet Due Information Technology Audits HCM - Integrated Audit 08/05/2014 Review of IT controls in the payroll system. This audit will be performed concurrent with the review of the payroll processes noted above Campus Solutions - Post Implementation Review Institutional Use of Cloud Computing Assist SAO - IT Requests No Report Issued Review of Campus Solutions to determine the extent to which the project met its objectives. Review of Institutional use of cloud computing and the measures in place to maintain security. Provide assistance to the State Auditor's Office and other state or federal auditors; assist UTHealth with responding to requests and recommendations. Complete Performed in conjunction with Review of Payroll Process. See # above Performed in conjunction with Review of Payroll Process. See # above In Progress N/A N/A N/A In progress N/A N/A N/A Complete N/A N/A N/A Performed in conjunction with Review of Payroll Process. See # above Follow-up Audits Follow-up on Open Recommendations Reports issued Quarterly follow-up review on open Complete N/A N/A N/A Page 12 of 24

13 quarterly recommendations. The following audits were canceled from the FY2014 UTHealth Auditing and Advisory Services annual audit plan: Carryforward Clinical Trials Billing (50 hours): This audit is a carry forward audit from FY At the time the FY 2014 audit plan was developed, it was anticipated the audit would be conducted in FY However, from meeting with members of management it was agreed, since the process was going under significant revision, it which would make performing an audit in FY 2014 ineffective. This audit is on the FY 2015 audit plan and will be performed late in calendar year Clinic Compliance with IT Policies (300 hours): Clinic compliance with IT policies will be performed as part of the FY 2015 audit of the Practice Acquisition Process. Accounts Receivable Processing/Cost of Collections (500 hours): After meeting with executive management we identified that the risks related to this audit were changing, with an audit no longer warranted. Follow up on Deloitte Security Assessment (200 hours): Many aspects of the Deloitte information security assessment are not yet fully funded. IV. Consulting Services and Non-audit Services Completed Report No. Name of Project SPH Grant Expenditures High-Level Consulting Report Date Engagement/Non-audit Service Objective(s) 07/29/2014 To determine whether grant expenditures are in accordance with grant conditions Observations/ Results and Recommendations Report was sent to the department and communicated to the Audit Committee. Mgmt. Response Implementation Status Page 13 of 24

14 THECB- Nursing Shortage Reduction Program 02/28/2014. As required by the Family Practice Residency Program between the THECB and UTHealth, provide assurance that expenditures reported on the Family Practice Residency Annual Financial Report are reasonable. We recommend that future years' program awards be separated by NSRP program and by award year as required by the program guidelines. We will work with necessary departments to separate new NSRP funding awards in fiscal year 2014 going forward by award and fiscal year. If it is not possible to create separate accounts, we will keep all expenditures separated and clearly document which Not Yet Due V. External Quality Assurance Review (Peer Review) Page 14 of 24

15 The University of Texas Health Science Center at Houston (UTHealth) Internal Audit Annual Report for 2014 Page 15 of 24

16 VI. Internal Audit Plan for Fiscal Year 2015 FY 2015 Audit Plan Budgeted % of Audit/Project Hours Total Description Financial Financial Statements FY2014 Assurance Work 160 Controls and transaction testing, analytical review, and other procedures assigned as part of the financial statements assurance audit Financial Statements FY2015 Assurance Work 175 Interim work for FY 2015 financial statement audit. ARP/ATP 100 Advanced Research Program and Advanced Technology Program Biannual Audit Assist State auditor's Office and other State and/or Federal Auditors 150 Provide assistance to the State Auditor's Office and other State or Federal auditors. Presidential Travel and Entertainment 50 Audit performed by the System Audit Office, hours are to provide coordination and assistance Executive Travel and Entertainment 200 Periodic review of official function and travel expenses in FY Financial Subtotal 835 7% Operational Confirm Review and Validation 60 Review for compliance with UTS Review controls over the buycard Buycard Program Review program Practice Acquisition Process 350 Review operational controls, performed as integrated audit Student Housing Management 200 To assess the billing, collection and cash control processes in student housing Preparedness from Internal Threats 400 Review processes to identify and respond to internal threats to IT and facilities Page 16 of 24

17 Change in Management 400 Operational review of UTHealth entities, schools, departments, or divisions with changes in key management, based on an assessment of risk Training 300 An assessment and inventory of training resources UTP Governance 300 Will be designed to meet Institute of Internal Auditing Standard Governance Clinical Trials Billing 300 Review of clinical trials billing practices Carry Forward 300 Compliance Operational Subtotal % Emergency Preparedness Plan 400 Access adequacy of processes and policies developed to respond to emergency events. Required every three years by HB 1831 Medical School Practice Plan (MSRDP) 300 Assess compliance with MSRDP process or bylaws. Will be performed based on risk Dental School Practice Plan (DSRDP) 300 DSRDP audit to assess efficiency and effectiveness of operations at the pediatric dental clinic Delivery System Reform Incentive Payment (DSRIP) 400 To review the processes and supporting documentation available to evaluate compliance with DSRIP program guidelines PCI/DSS 150 To assess process developed to comply with the payment card industry security standards council requirements. Title IX Compliance 400 Compliance with HOOP policies designed to comply with Title IX of the Education Amendment of 1972 Page 17 of 24

18 Carry Forward 100 Compliance Subtotal % Information Technology Exchange System 500 System 300 Review of institutional compliance with Texas Administrative Code 202 TAC 202. Required every 2 years 300 Review of process to request exemption from encryption requirements Exemption from Security Policy Disaster Recovery Capabilities 350 Disaster recovery of the infrastructure Yardi System- Integrated Audit 250 Student Housing System General Controls 300 Data Center Controls Practice Acquisition Process -Integrated Audit 250 System integration and security PCI/DSS - Integrated Audit 250 To assess IT and IS processes developed to comply with the payment card industry security standards council requirements. Carryforward 400 Information Technology Subtotal % Follow-up 400 Follow-up Subtotal 400 3% Projects Internal Audit Committee 300 UT System Requests 200 Institutional Committees 160 Participation in Professional Associations 80 Audit Status/Staff Meetings 300 Page 18 of 24

19 Training Provided by Auditing and Advisory 100 Services FY2016 Audit Plan 150 Internal Audit Annual Report 30 UT System Supported Initiatives 150 External Quality Assessment follow-up 137 TeamMate and Idea Upgrade/Fixes 100 Projects Subtotal % Reserve Reserve for audits of emerging risks 700 Reserve hours to address in a timely basis emerging risks identified during the fiscal year Investigations 300 Consulting/Management Requests 600 Reserve Subtotal % Total Hours % Risk Explanation/Mitigation Internal Audit Action Meaningful Use Monitored by Compliance One of five high risk areas to be considered as a replacement audit based upon changes in institutional risk or completion of the audit plan Compensation & productivity measures Management and Human Resources One of five high risk areas to be considered as a replacement audit based upon changes in institutional risk or completion of the audit plan Page 19 of 24

20 New technology and infrastructure support requirements outstripping IT resources PeopleSoft FMS Unauthorized release of PHI Ineffective communications between faculty, administration and staff Excessive reliance on limited number of clinical partners (MHH) for operational revenue Institution not adequately prepared for decreases in research funding Budget cuts caused controls to deteriorate to an unacceptable level PeopleSoft HCM Centricity Business Management and Information Technology Undergoing upgrade. Monitored by Executive Management and Information Technology Management, Compliance and Information Security Management Audit of the Annual Operating Agreement performed by PwC in FY Monitored by Clinical Business Affairs Monitored by Strategic Planning, A&AS provided data analysis assistance in FY 14 Management Management and Information Technology Management and Information Technology One of five high risk areas to be considered as a replacement audit based upon changes in institutional risk or completion of the audit plan One of five high risk areas to be considered as a replacement audit based upon changes in institutional risk or completion of the audit plan One of five high risk areas to be considered as a replacement audit based upon changes in institutional risk or completion of the audit plan Part of FY14 audit plan Audit of HCM on FY 14 audit plan Page 20 of 24

21 Allscripts Identify Management IdM IRB approval not obtained for protocols as required by federal regulations Inadequate guidance and education to ensure IRB is functioning as intended Inadequate review of protocol and informed consent Time & Effort Reporting Loss of research data Foreign national's use of export technology Lack of equity for faculty Undergoing Upgrade. Management and information technology Management and Information Technology Management and CPHS. For FY 14 an upgrade of software which includes two-factor authentication Management and CPHS Management and CPHS Included in the A-133 audit conducted by the State Auditor's Office Management and Information Technology Management and Information Technology Management and Compensation Risk audited during FY Resulted reported to Audit Committee Page 21 of 24

22 ADA Reasonable Accommodation Process Protected information is not adequately protected from outside release or viewing Inconsistent tenure and promotion criteria Annual reports not provided to donor Outsourced billing company not fulfilling the terms of the contract Charges not captured completely, timely, or accurately Insufficient documentations to support the charge Online scheduling Management of the release of PHI Students at HCPC do not take confidentiality Seriously Management and Human Resources Management and Information Technology Risk being audited during FY Evaluation of Tenured Faculty Management and Development Management and Revenue Cycle Management Management Healthcare Billing and Compliance Management Healthcare Billing and Compliance Scheduling monitored by UTP management Management and HIPAA Compliance Office Issue being addressed through Institutional Compliance Results scheduled to be Reported to Audit Committee in FY 14 Audit work performed in specific departments during FY13 and FY14 Audit work performed in specific departments during FY13 and FY14 Audit work performed in specific departments during FY13 and FY14 Page 22 of 24

23 Default or cloned documentation scripts in electronic records Medical records unavailable, incomplete or not safeguarded Patients are admitted rather than observed causing findings in Medicare Recovery Audits Lack of meaningful posttenure review process Lack of conformity to P&P Recovery Audits (RACs) Monitored by Medical Billing Compliance through MD Audits and training to providers Management & HIPAA Compliance Office Management and Compliance Risk being audited during FY Evaluation of Tenured Faculty Risk monitored by management and Institutional Compliance Monitored by Medical Billing Compliance Some aspects of this risk will be addressed as part of the FY2015 planned audit of practice acquisitions Results scheduled to be Reported to Audit Committee in FY 14 Our risk assessment methodology included interviews and questionnaires to update the. The identified risks were organized into institution-wide areas such as financial management, human resources management, and purchasing/warehousing. We developed detailed risk assessments of high-risk areas of research, information technology, and patient care. For each identified risk, probability and impact were determine using three to seven factors such as regulatory environment and frequency of identification in responses for the financial/operational risks and scope of process and age of system for IT risks. Page 23 of 24

24 VII. External Audit Services Procured in Fiscal Year 2014 Service Provider A-133 Audit of CPRIT Funds Deloitte Certified Public Accountants External Quality Assessment (EQA) Financial Statement - HCPC Opinion on financial statements of UT Physicians (501a Corporation supporting UTHealth) Opinion on financial statements of UT System Medical Foundation (a Corporation supporting UTHealth) PricewaterhouseCooper LLP (PwC) BKD, LLP Blazek & Vetterling LLP Certified Public Accountants Blazek & Vetterling LLP Certified Public Accountants VIII. Reporting Suspected Fraud and Abuse UTHealth s home page contains a link to information on how to report suspected fraud, waste, and abuse. The information has a link to the State Auditor s fraud reporting website and its hotline number, as well as information on the various ways to report suspected fraud internally. Institutional policies and procedures address the requirement to report fraud and the Standard of Conduct Guide, applicable to all employees, also addresses the reporting of fraud. The intranet sites of the departments of Institutional Compliance and Auditing & Advisory Services contain information and links for reporting suspected fraud. Page 24 of 24