Purpose of the Annual Report

The purpose of the internal audit annual report is to provide information on the assurance services, consulting services, and other activities of the internal audit function. In addition, the annual report assists oversight agencies in their planning and coordination efforts.

Table of Contents

I. Compliance with Texas Government Code, Section 2102.015: Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit information on Internet Website
II. Compliance with the Benefits Proportionality Audit Requirements for Higher Education Institutions
III. Internal Audit Plan for Fiscal Year 2015
IV. Consulting Services and Nonaudit Services Completed
V. External Quality Assurance Review (Peer Review)
VI. Internal Audit Plan for Fiscal Year 2016
VII. External Audit Services Procured in Fiscal Year 2015
VIII. Reporting Suspected Fraud and Abuse
I. Compliance with Texas Government Code, Section 2102.015: Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit information on Internet Website

The Fiscal Year 2016 audit plan, as approved by the Institutional Audit Committee, will be posted on the MD Anderson external website as part of the Fiscal Year 2015 SAO Annual Report. The Fiscal Year 2015 SAO Annual Report, including summaries of reports, will be posted on the MD Anderson external website within 30 days of approval by the President but not later than November 1, 2015, as required.

II. Compliance with the Benefits Proportionality Audit Requirements for Higher Education Institutions

At the request of the Governor, an internal audit of the proportionality of higher education benefits process was performed during fiscal year 2015. A consistent audit methodology has been deployed across the UT System that assessed the reporting process and accuracy of benefits funding information provided to the State Comptroller as applicable under Rider 8, page III-39, the General Appropriations Act (84th Legislature, Conference Committee Report).

An audit of the benefits proportionality process will also be conducted during fiscal year 2016 and will comply with Rider 8, page III-39, the General Appropriations Act (84th Legislature, Conference Committee Report). The audit will be complete by February 28, 2016.

III. Internal Audit Plan for Fiscal Year 2015

The following matrix details the status of the Fiscal Year 2015 Audit Plan:

Project No. | Project Title | Report Date | Project Status

Financial Audits
15-100 | Presidential Housing, Travel, and Entertainment | 4/10/2015 | Complete
15-101 | Executive Travel and Entertainment | 6/24/2015 | Complete
15-102 | FY2014 Financial Statement Audit (year-end) | Report issued by Deloitte at UT System level | Complete
15-103 | FY15 Financial Statement Audit (interim) | Report issued by Deloitte at UT System level | Complete
15-104 | Physicians Referral Service (PRS) Practice Plan | Pending | In Progress
15-105 | Segregation of Duties and Account Reconciliations | 10/28/2014 | Complete
15-106 | Texas Economic Development Agreement | Consulting Project Verbal Comments provided to Management | Complete
15-107 | Clinical Services Spot Agreements | 9/28/2015 | Complete
15-108 | Collection of Patient Co-Payments | Pending | In Progress
15-109 | Travel and Entertainment-Development Office | N/A | Postponed to FY16
15-111 | Construction Services | 9/1/2015 | Complete
15-110 | Cancer Network Contractual Billing | Consulting Project Verbal Comments provided to Management | Complete
15-112 | Treasury Services Cash Count | 4/8/2015 | Complete

Operational Audits
15-200 | Physician Credentialing | 8/27/2015 | Complete
15-201 | Regional Care Centers - Risk Assessment | 8/31/2015 | Complete
15-202 | Departmental Review - Dermatology | 1/16/2015 | Complete
15-203 | Departmental Review - Gynecologic Oncology | 6/17/2015 | Complete
15-204 | Departmental Review - Children's Art Project | 5/5/2015 | Complete

Consulting Projects
15-205 | Anti-Fraud Initiative | Consulting Project Verbal Comments provided to Management | 1st Phase Complete
15-220 | General Consultation with Management | N/A | Complete
15-221 | Institutional Committee Participation | N/A | Complete
15-222 | Management Involvement on Co-Sourced Construction Projects | N/A | Complete
15-206 | Electronic Health Record (Epic) | Consulting Project Verbal Comments provided to Management | Complete
15-207 | ICD-10 | 7/15/2015 | Complete
15-230 | Dining Services Cashier Operations | 8/18/2015 | Complete
14-200 | Denials Management Post-Implementation Review | 11/17/2014 | Complete

Compliance Reviews
15-300 | Benefits Funding Proportionality | 11/25/2014 | Complete
15-301 | Conflicts of Interest Management Plan Review | N/A | Cancelled
15-302 | Dependent Eligibility | 4/29/2015 | Complete
15-303 | Recharge/Service Centers | 8/31/2015 | Complete

Information Technology Audits
15-400 | Deloitte Financial Audit Support | Report issued by Deloitte at UT System level | Complete
15-401 | Texas Administrative Code (TAC) 202 | Pending | In Progress
15-402 | Velos / Click Commerce | N/A | Cancelled
15-403 | Incident Response | 9/14/2015 | Complete
15-404 | Tier One Application Review - Radiology Information System (RIS) or Tier Two Application Review - Pinnacle | 9/1/2015 | Complete
15-405 | Oracle Database Cluster | 9/1/2015 | Complete
15-406 | Disaster Recovery | 9/14/2015 | Complete
15-407 | Data Governance | 9/11/2015 | Complete
15-408 | ICD-10 | 7/15/2015 | Complete
15-409 | Electronic Health Record (Epic) Financial Review | Pending | In Progress
14-405 | Protection of Research Data | 12/4/2014 | Complete
14-407 | Box.com | 5/1/2015 | Complete

Other IT Projects
- | IT Follow-Up | N/A | Complete
- | Knowledge Sharing and/or Training Documentation Projects | N/A | Complete
- | IT Liaison Activities | N/A | Complete
- | IT Risk Assessment FY 16 | N/A | Complete
- | Financial and Operational Audit Assistance (IT) | N/A | Complete
- | Administrative Activities | N/A | Complete

Follow-Up Audits
15-500 & 15-501 | Follow-up Audits (Quarterly Reporting and Validation) | N/A | Complete

Projects
- | Internal Quality Assurance Activities | N/A | Complete
- | UT System Coordination | N/A | Complete
- | Internal Audit Committee Preparation / Participation | N/A | Complete
- | Institutional Risk Assessment and Work Plan Development | N/A | Complete
- | Professional Organization / Association Participation | N/A | Complete
- | Reserve for Just-In-Time Auditing/Advisory Services | Consulting Project Verbal Comments provided to Management | Complete
- | Reserve for Investigations | Consulting Project Verbal Comments provided to Management | Complete
15-242 | Health Information Management (HIM) Investigation | Consulting Project Verbal Comments provided to Management | Complete
15-240 | Memo Concerns | Consulting Project Verbal Comments provided to Management | Complete
14-303 | Non-Federal Clinical Trial Residual Funds | 2/25/2015 | Complete
14-201 | Division of Internal Medicine | 11/12/2014 | Complete
14-110 | Charge Capture Diagnostic Imaging | | Complete
14-212 | Department Review - Head and Neck Surgery | 1/30/2015 | Complete
14-251 | PACU - Prescription Review | 1/16/2015 | Complete

Legend: Audit / Project cancelled; Audit / Project added to Plan
The following matrix provides a summary of the weaknesses and action taken by management for projects on the Fiscal Year 2015 Audit Plan, as required by Texas Government Code, Section 2102.015:

Progress legend: Fully Implemented / Substantially Implemented / Incomplete/Ongoing / Not Implemented

Report No.: 2015-100
Report Date: 4/10/2015
Name of Report: Presidential Housing, Travel and Entertainment Expenses
Recommendations: The Chief Business Officer should ensure that review and approval of travel and entertainment expenses for the president and spouse occur and that the approval is documented.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: UT System Audit conducted this audit, with MD Anderson Internal Audit acting as a liaison. UT System plans to follow up on the recommendation during fiscal year 2016.

Report No.: 2015-101
Report Date: 6/24/15
Name of Report: Audit of Executive Officers Travel and Business Entertainment Expenditures
Recommendations: Management should ensure prior registration with the Office of State-Federal Relations (OSFR) for trips to Washington, D.C. Management should also monitor to ensure airfare is allocated to departmental accounts in a timely manner.
Summary of Action Taken: According to management, the Concur Travel and Expense system has been enhanced to enable the reporting for trips that require OSFR registration. Management plans to review the reports quarterly to determine compliance. In addition, an airfare allocation process has been approved and implementation is expected within the next few months.
Progress: In Progress

Report No.: 2015-105
Report Date: 10/28/2014
Name of Report: Segregation of Duties and Account Reconciliations
Recommendations: The institution appears to be in compliance with UTS 142.1. Controls are in place to comply with the approved Monitoring Plan and ensure that appropriate segregation of duties exists.
Summary of Action Taken: N/A
Progress: N/A

Report No.: 2015-200
Report Date: 8/27/2015
Name of Report: Physician Credentialing
Recommendations: Internal Audit recommended improvements related to the expiration of physicians' credentials and the completeness of the credentialing database.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete. Full Implementation is expected by 5/30/2016.
Report No.: 2015-202
Report Date: 1/16/15
Name of Report: Departmental Review - Dermatology
Recommendations: Controls over leave management are in place. We recommended enhanced controls over key financial, administrative, and compliance activities.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: In Progress

Report No.: 2015-203
Report Date: 6/17/2015
Name of Report: Departmental Review - Gynecologic Oncology
Recommendations: Controls over asset management and encryption activities are in place. We recommended enhanced controls over key financial, administrative, and compliance activities.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete. Full Implementation is expected by 3/1/2016.

Report No.: 2015-204
Report Date: 5/5/2015
Name of Report: Departmental Review - Children's Art Project
Recommendations: We recommended enhanced controls over key financial and administrative activities.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete. Full Implementation is expected by 4/30/2016.

Report No.: 2015-300
Report Date: 11-25-2014
Name of Report: Benefits Funding Proportionality
Recommendations: Internal Audit recommended that management address the net overpayment to MD Anderson of $134,536. In addition, formal procedures related to the preparation of the APS 011 should be developed.
Summary of Action Taken: Management appropriately addressed the overpayment, and detailed procedures were developed and communicated to all responsible parties.
Progress: Fully Implemented

Report No.: 2015-302
Report Date: 04-29-2015
Name of Report: Dependent Eligibility
Recommendations: Internal Audit recommended that management obtain documentation to support a status change and addition of dependent grandchildren.
Summary of Action Taken: Management agreed to improve documentation processes.
Progress: Fully Implemented

Report No.: 2015-303
Report Date: 8-31-2015
Name of Report: Recharge/Service Centers
Recommendations: We recommended that management develop an oversight function to ensure Service Center compliance with Institutional Policy and OMB Circular A-21.
Summary of Action Taken: A Service Center Oversight Committee will be established. Processes will be developed and implemented to provide oversight and monitoring of Service Center activities.
Progress: Incomplete. Full Implementation is expected by 8/31/2016.
Report No.: 2014-303
Report Date: 2/25/2015
Name of Report: Non-Federal Clinical Trial Residual Funds
Recommendations: We recommended improved processes to ensure non-federal projects are closed out timely, residual funds are returned to the respective sponsors timely, and a tracking system is implemented to monitor the status of closeout requests.
Summary of Action Taken: Management agreed to enhance controls over non-federal clinical trial residual funds.
Progress: Incomplete/Ongoing

Report No.: 2014-110
Report Date: 9/10/2014
Name of Report: Charge Capture Diagnostic Imaging
Recommendations: We recommended improved process to ensure all charges captured have been billed to the patient.
Summary of Action Taken: Management agreed to improve the process over charge capture reconciliations to ensure all charges are billed.
Progress: Substantially Implemented

Report No.: 2014-212
Report Date: 1/30/2015
Name of Report: Department Review - Head and Neck Surgery
Recommendations: We recommended enhanced controls in the areas of leave management, financial and grant monitoring, system access, procurement cards and clinical research billing.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete/Ongoing

Report No.: 2015-107
Report Date: 9/28/2015
Name of Report: Clinical Services Spot Agreements
Recommendations: We recommended that management improve processes and controls for:
- Collecting contracted amounts for medical services
- Managing accounts receivable balances
- Ensuring spot agreement data is accurate
- Obtaining pre-authorization for same day or next day services
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete. Full Implementation is expected by 9/30/2016.
Report No.: 2015-403
Report Date: 9/14/2015
Name of Report: Incident Response
Recommendations: We made overall recommendations to ensure the long-term effectiveness of the incident response program. Specifically, we recommended a formal process to update the operating manual, improved documentation of incidents and actions taken, and regular meetings of the post-incident response team.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete. Full Implementation is expected by 8/31/2016.

Report No.: 2015-404
Report Date: 9/1/2015
Name of Report: Pinnacle
Recommendations: We recommended formal policies and procedures be established over the problem and incident management process, along with the implementation of periodic user access reviews.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete. Full Implementation is expected by 1/1/2016.

Report No.: 2015-405
Report Date: 9/1/2015
Name of Report: Oracle Database Cluster
Recommendations: Information is excepted from public disclosure.
Summary of Action Taken: Information is excepted from public disclosure.
Progress: Information is excepted from public disclosure.

Report No.: 2015-406
Report Date: 9/14/2015
Name of Report: Disaster Recovery
Recommendations: Information is excepted from public disclosure.
Summary of Action Taken: Information is excepted from public disclosure.
Progress: Information is excepted from public disclosure.

Report No.: 2015-407
Report Date: 9/11/2015
Name of Report: Data Governance
Recommendations: Information is excepted from public disclosure.
Summary of Action Taken: Information is excepted from public disclosure.
Progress: Information is excepted from public disclosure.

Report No.: 2014-405
Report Date: 12/4/2014
Name of Report: Protection of Research Data
Recommendations: Information is excepted from public disclosure.
Summary of Action Taken: Information is excepted from public disclosure.
Progress: Information is excepted from public disclosure.

Report No.: 2014-407
Report Date: 5/1/2015
Name of Report: Box.com
Recommendations: Information is excepted from public disclosure.
Summary of Action Taken: Information is excepted from public disclosure.
Progress: Information is excepted from public disclosure.
IV. Consulting Services and Nonaudit Services Completed

Project No.: 2015-106
Project Title: Texas Economic Development Agreement
Report Date: Consulting Verbal Comments provided to Management
Project Objective: To review the reporting methodology and schedules for the annual compliance verification of job creation for the Texas Economic Development Agreement.
Services / Observations / Results / Recommendations: The methodologies appeared consistent with previous submissions. Nothing came to our attention that would indicate any material misstatements or errors.

Project No.: 2015-110
Project Title: Cancer Network Contractual Billing
Report Date: Consulting Verbal Comments provided to Management
Project Objective: Internal Audit has served as a member of the Cancer Network Partners workgroup, providing consultation throughout the process.
Services / Observations / Results / Recommendations: Ongoing feedback is provided to the workgroup.

Project No.: 2015-111
Project Title: Construction Services
Report Date: 9/1/2015
Project Objective: To identify manual construction processes that could benefit from automated controls.
Services / Observations / Results / Recommendations: While processes appear effective, opportunities exist to enhance efficiencies in Facilities Management and Supply Chain Management. In addition, management should consider ways to enhance the solicitation and contracting process for construction activities by leveraging information technology systems solutions currently available at MD Anderson.

Project No.: 2015-112
Project Title: Treasury Services Cash Count
Report Date: 4/8/2015
Project Objective: The objective was to determine if cashier drawers and vaults contained the appropriate amount of cash.
Services / Observations / Results / Recommendations: An unannounced cash count was performed at the request of management. Insignificant exceptions were found. Management took immediate action to address the issues identified.

Project No.: 2015-201
Project Title: Regional Care Centers Risk Assessment
Report Date: 8/31/2015
Project Objective: To identify key financial, operational, compliance, and contractual risks and related controls within the Regional Care Centers. The deliverable was a risk assessment identifying control gaps and management action plans.
Services / Observations / Results / Recommendations: The results of the control self-assessments identified opportunities to improve controls over resource management, patient care, information technology, and research activities. Management plans to implement controls in these areas by March 1, 2016.

Project No.: 2015-206
Project Title: Electronic Health Record (Epic)
Report Date: Consulting Verbal Comments provided to Management
Project Objective: To identify and monitor key risks and controls in the Epic application throughout the implementation process, providing feedback to management along the way.
Services / Observations / Results / Recommendations: Key risks and controls were identified and discussed with management for remediation throughout the implementation of Epic.

Project No.: 2015-207 & 2015-408
Project Title: ICD-10
Report Date: 7/15/2015
Project Objective: To determine the institution's readiness for the federally mandated conversion to ICD-10 on October 1, 2015.
Services / Observations / Results / Recommendations: Internal Audit concluded the institution was on target for the successful implementation of ICD-10. However, we did recommend improved awareness and communication strategies, along with incentives to improve the accuracy of provider documentation.

Project No.: 2015-230
Project Title: Dining Services Review
Report Date: 08/18/2015
Project Objective: The project objective was to review Dining Services' use of the econnect software and to review overall cash handling process.
Services / Observations / Results / Recommendations: Internal Audit reviewed the cash handling process and recommended improvements to ensure the econnect software is being fully utilized to ensure the efficiency and effectiveness of cash processes. Recommendations were also made to enhance monitoring over cashier processes and ensure cash audits are random and independent.

Project No.: 2015-240
Project Title: Memo Concerns
Report Date: Investigation Verbal Comments provided to Management
Project Objective: To follow-up on allegations from a hotline call.
Services / Observations / Results / Recommendations: Internal Audit investigated the concerns and presented the results to the Institutional Compliance Department for final resolution.

Project No.: 2015-241
Project Title: Health Information Management (HIM) Investigation
Report Date: Investigation Verbal Comments provided to Management
Project Objective: To follow-up on allegations from a hotline call.
Services / Observations / Results / Recommendations: Data analysis was performed, and the results were presented to Institutional Compliance for final resolution.

Project No.: 2014-200
Project Title: Denials Management Post Implementation Review
Report Date: 11/17/2014
Project Objective: The project objective was to validate whether controls surrounding the Denials Management application are working as intended.
Services / Observations / Results / Recommendations: Internal Audit reviewed the denials management process and recommended improvements to ensure appeal deadlines, standard reports, and key performance metrics are used to measure the success of appeal efforts. Internal Audit recommended that Management continue its strategic efforts in fully implementing a comprehensive denials prevention program, including the efficient use of the system to report key performance metrics.

Project No.: 2014-201
Project Title: Division of Internal Medicine
Report Date: 11/12/2014
Project Objective: To determine if opportunities existed to enhance revenue in the supply charge capture process.
Services / Observations / Results / Recommendations: Insignificant exceptions were found. Management took immediate action to address the issues identified.

Project No.: 2014-251
Project Title: Post-Anesthesia Care Unit (PACU) Prescription Process Review
Report Date: 1/16/2015
Project Objective: To assess the processes and controls related to prescriptions written for post-surgery outpatients.
Services / Observations / Results / Recommendations: Management improved processes and controls related to blank prescription forms and tracking of patient prescriptions, as validated by Internal Audit.
V. External Quality Assurance Review (Peer Review)

VI. Internal Audit Plan for Fiscal Year 2016

The University of Texas MD Anderson Cancer Center
Additional high risks not included in the FY 2016 Work Plan are:

- Timely patient access to services
- Updating of patient records
- Research protocol billing and coding
- Documentation to support hiring decisions
- Adherence to institutional badging process
- Maintenance of DRG-exempt status
- Business continuity
- Billing and reimbursement
- Privacy and Information security regulated activities and work force training
- Regulated research activities
- Operational efficiencies
- Quality and performance metrics

Our risk assessment methodology included interviews with and/or questionnaires to over 75 individuals in the institution. Identified risks were organized into institution-wide auditable units. For each identified risk, impact and probability were assessed. Our work plan was developed from the highest risk areas in the institution that are not already being addressed by other mitigation strategies.
VII. External Audit Services Procured in Fiscal Year 2015

Service | Provider
Opinion on financial statements of UT MD Anderson Cancer Center | Deloitte
Opinion on financial statements of UT MD Anderson Physicians Network | Deloitte
Opinion on financial statements of UT MD Anderson Services Corporation | Deloitte
Information Technology Internal Audit Co-Sourcing | PwC
Electronic Health Record Consulting | PwC
Construction Internal Audit Co-Sourcing | Protiviti
VIII. Reporting Suspected Fraud and Abuse