Top Priorities for Internal Audit in Healthcare
2012 Internal Audit Capabilities and Needs Survey – Healthcare POV
Today’s Presenters

Susan Haseley is a Managing Director and the Global Industry Leader for Protiviti's Healthcare and Life Sciences practice and also serves as the Dallas Office Market Leader. Susan has over 25 years of experience in providing risk consulting, internal audit and technology consulting services. Susan received her bachelor's degree in Information Systems from Ohio University and an MBA from the University of Dallas. She holds the Certified Internal Auditor (CIA), the Certified Information Systems Auditor (CISA) and the Project Management Professional (PMP) certifications and is trained as a Six Sigma Green Belt. Susan is a member of the Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA), and the Association of Healthcare Internal Auditors (AHIA). She also is a member of AHIP, HFMA and HCCA.
Alex Robison is a Managing Director and serves as Protiviti’s Western Region Healthcare Practice Leader and the firm’s National Healthcare Industry Revenue Assurance and Compliance practice leader. He has more than 15 years professional experience in providing operational, financial, information technology and regulatory consulting and internal audit services to the healthcare industry. Prior to entering consulting, Alex worked for a large multi-regional healthcare system responsible for integrating Managed Care HMO protocols with federally regulated Medicare guidelines for healthcare delivery. Alex is also a Certified Healthcare Compliance professional (CHC) and holds a master’s degree in Healthcare Administration (MHA).
Today’s Presenters – Cont.
Mike Fabrizius is Vice President of Audit Services for the Carolinas HealthCare System. He is a CIA, CPA and MBA. He has been active in the Association of Healthcare Internal Auditors (AHIA) in a variety of volunteer positions, including Chairman of the Board of Directors in 2011. Carolinas HealthCare System provides a full spectrum of healthcare and wellness programs throughout North and South Carolina. Its network of more than 650 care locations includes academic medical centers, hospitals, healthcare pavilions, physician practices, surgical and rehabilitation centers, home health agencies, nursing homes and hospice and palliative care.
Michael.Fabrizius@carolinashealthcare.org
Introduction

a wide range of challenges

About the Survey

• For internal auditing professionals to achieve all of this – and more – a strong level of competency in key areas is required
• The purpose of this survey, sixth in the series, was to continue to assess:
– How internal auditors perceive their present capabilities
– Where they currently see need for
• Circled items are consistent top five items by company size
Use of Technology – Administrating the Audit Process

• More than one out of three organizations – 35 percent – are not utilizing any sort of software application to administrate their audit processes
– 37 percent of those who do are using basic word processing or spreadsheet software
– Just one in four of those who are not using technology plan to implement it within the next 12 months
– While more large companies tend to use a software application as part of their audit processes, nearly one in five (18 percent) do not
• Most respondents – 87 percent – noted that the tool they use delivers significant or moderate value to the audit process
• Is the internal audit function partnering effectively with the CIO and IT department to assure that IT assets are managed and controlled appropriately? Are you aware of any gaps in the IT asset management process that should be addressed? Does the audit team have relevant and appropriate experience to handle technical matters?
• Is there a sufficient process in place to assess the security policies and practices of vendors that work with your organization? Does the organization have confidence that vendors’ access controls and privacy standards exceed or are on par with its own? Are vendor access controls terminated when vendor relationships end?
• Does the internal audit function have appropriate technology tools to audit effectively business processes such as expense management, purchase orders, suppliers and accounts receivable, among other areas?
• How are internal auditors leveraging technology to prevent, detect, monitor and investigate fraud?
• Have all significant classes of mobile devices been considered?
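The vendor-access question above (whether vendor access controls are actually terminated when the relationship ends) is one an auditor can test with data rather than only ask about. The following is an added example and is not part of the Protiviti presentation or the survey: it reconciles a vendor contract register against an export of enabled user accounts and flags access that should no longer exist, including accounts whose contract has ended, accounts tagged with a vendor that is not in the register at all, and accounts that have never been used or have gone dormant. Vendor names, usernames, dates, column names and the 90-day dormancy threshold are all constructed assumptions for the example.

```python
"""Added example (not from the original presentation): reconcile enabled
vendor accounts against the vendor contract register and flag access that
should have been terminated.  All inputs below are constructed; the column
names and thresholds are hypothetical and would be mapped to the real
contract system and directory export in practice.
"""
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed vendor contract register (hypothetical vendors and dates).
CONTRACTS_CSV = """vendor_id,vendor_name,contract_end
V001,Acme Billing Services,2012-12-31
V002,Northwind Imaging Support,2011-06-30
V003,Contoso EDI Clearing,2012-03-15
"""

# Constructed export of accounts tagged with a vendor id.  A blank
# last_login means the account has never been used.
ACCOUNTS_CSV = """username,vendor_id,enabled,last_login
acme-svc01,V001,true,2012-05-01
acme-tmp,V001,true,
acme-old,V001,true,2011-11-15
nw-support,V002,true,2011-07-02
nw-support2,V002,false,2011-05-20
contoso-edi,V003,true,2012-04-01
orphan-acct,V999,true,2012-01-10
"""


def load_csv(text):
    """Parse CSV text into a list of row dicts keyed by the header line."""
    return list(csv.DictReader(StringIO(text)))


def find_stale_vendor_access(contracts, accounts, as_of, dormant_days=90):
    """Return (username, reason) pairs for enabled accounts that should not
    still have access as of `as_of`.  Checks, in priority order:
      1. the vendor id is not in the contract register (orphaned account)
      2. the vendor's contract ended before `as_of`
      3. the account has never logged in, or not within `dormant_days`
    Disabled accounts are skipped: that is the expected end state.
    """
    end_by_vendor = {
        c["vendor_id"]: date.fromisoformat(c["contract_end"]) for c in contracts
    }
    dormant_cutoff = as_of - timedelta(days=dormant_days)
    findings = []
    for acct in accounts:
        if acct["enabled"].strip().lower() != "true":
            continue
        vid = acct["vendor_id"]
        if vid not in end_by_vendor:
            findings.append((acct["username"], "vendor not in contract register"))
            continue
        contract_end = end_by_vendor[vid]
        if contract_end < as_of:
            findings.append((acct["username"], f"contract ended {contract_end.isoformat()}"))
            continue
        last_login = acct["last_login"].strip()
        if not last_login:
            findings.append((acct["username"], "never used"))
        elif date.fromisoformat(last_login) < dormant_cutoff:
            findings.append((acct["username"], f"dormant since {last_login}"))
    return findings


def run(as_of=date(2012, 6, 1)):
    """Run the reconciliation over the constructed inputs as of a fixed date."""
    return find_stale_vendor_access(load_csv(CONTRACTS_CSV), load_csv(ACCOUNTS_CSV), as_of)


if __name__ == "__main__":
    for username, reason in run():
        print(f"{username}: {reason}")
```

The check is deliberately ordered so that an ended contract is reported even when the account is also dormant; the audit finding is the contract, and the dormancy is secondary. Orphaned accounts (a vendor id absent from the register) are usually the more interesting finding, since they indicate the register and the directory are not reconciled at all.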
General Technical Knowledge – Overall
General Technical Knowledge – Areas Evaluated

• Social media applications
• Cloud computing
• GTAG 13 - Fraud Prevention and Detection in an Automated World
• Fraud risk management
• GTAG 16 - Data Analysis Technologies
• ISO 31000 (risk management)
• Practice Guide - Assessing the Adequacy of Risk Management
• Practice Guide - Measuring Internal Audit Effectiveness and Efficiency
• International Financial Reporting Standards (IFRS)
• The Guide to the Assessment of IT Risk (GAIT)
• GTAG 6 - Managing and Auditing IT Vulnerabilities
• GTAG 15 - Information Security Governance
• GTAG 3 - Continuous Auditing
• ISO 27000 (information security)
• IT governance
• GTAG 14 - Auditing User-developed Applications
• Practice Guide - Auditing the Control Environment
• GTAG 5 - Managing and Auditing Privacy Risks
• COBIT
• GTAG 9 - Identity and Access Management
• GTAG 12 - Auditing IT Projects
• Practice Guide - Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing
• Six Sigma
• GTAG 11 - Developing the IT Audit Plan
• GTAG 2 - Change and Patch Management Controls
• GTAG 1 - Understanding IT Controls
• GTAG 4 - Management of IT Auditing
• GTAG 7 - IT Outsourcing
• GTAG 10 - Business Continuity Management
• GTAG 8 - Auditing Application Controls
General Technical Knowledge – Areas Evaluated – Cont.

• Reporting on Controls at a Service Organization – SSAE 16 / AU 324 (replaces SAS 70)
• Practice Advisory 2050-3 - Relying on the Work of Other Assurance Providers
• COSO Enterprise Risk Management Framework
• ISO 9000 (quality management and quality assurance)
• Recently Enacted IIA Standards (effective January 1, 2009) - Functional Reporting Interpretation (Standard 1110)
• Evaluating executive compensation risk of Regulation S-K
• Recently Enacted IIA Standard (effective January 1, 2009) - Audit Opinions and Conclusions (Standards 2010.A2 and 2410.A1)
• Board risk oversight (SEC Item 407(h) of Regulation S-K)
• Recently Enacted IIA Standard (effective January 1, 2009) - Overall Opinions (Standard 2450)
• Practice Advisory 1312-3 - Independence of External Assessment Team in the Private Sector
• Country-specific Enterprise Risk Management Framework
• Practice Advisory 1312-4 - Independence of the External Assessment Team in the Public Sector
• Fair value accounting
• FASB Accounting Standards Codification™
• Tax laws (in your applicable region/country)
• Corporate governance standards (or local country equivalent)
• Revenue Arrangements with Multiple Deliverables (EITF 08-1 (ASU 2009-13))
• U.S. GAAP (or local country equivalent)
• Foreign Corrupt Practices Act (FCPA)
• AU Section 322 – The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements
• COSO Internal Control Framework
• Stock-based compensation
• Standards for the Professional Practice of Internal Auditing (IIA Standards)
• UK Bribery Act
General Technical Knowledge – Scatter Diagram Key

1. Social media applications
2. Cloud computing
3. GTAG 13 - Fraud Prevention and Detection in an Automated World
4. Fraud risk management
5. GTAG 16 - Data Analysis Technologies
6. ISO 31000 (risk management)
7. Practice Guide - Assessing the Adequacy of Risk Management
8. Practice Guide - Measuring Internal Audit Effectiveness and Efficiency
9. International Financial Reporting Standards (IFRS)
10. The Guide to the Assessment of IT Risk (GAIT)
11. GTAG 6 - Managing and Auditing IT Vulnerabilities
12. GTAG 15 - Information Security Governance
13. GTAG 3 - Continuous Auditing
14. ISO 27000 (information security)
15. IT governance
16. GTAG 14 - Auditing User-developed Applications
17. Practice Guide - Auditing the Control Environment
18. GTAG 5 - Managing and Auditing Privacy Risks
19. COBIT
20. GTAG 9 - Identity and Access Management
21. GTAG 12 - Auditing IT Projects
22. Practice Guide - Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing
23. Six Sigma
24. GTAG 11 - Developing the IT Audit Plan
25. GTAG 2 - Change and Patch Management Controls
26. GTAG 1 - Understanding IT Controls
27. GTAG 4 - Management of IT Auditing
28. GTAG 7 - IT Outsourcing
29. GTAG 10 - Business Continuity Management
30. GTAG 8 - Auditing Application Controls
General Technical Knowledge – Scatter Diagram Key – Cont.

31. Reporting on Controls at a Service Organization – SSAE 16 / AU 324 (replaces SAS 70)
32. Practice Advisory 2050-3 - Relying on the Work of Other Assurance Providers
33. COSO Enterprise Risk Management Framework
34. ISO 9000 (quality management and quality assurance)
35. Recently Enacted IIA Standards (effective January 1, 2009) - Functional Reporting Interpretation (Standard 1110)
36. Evaluating executive compensation risk of Regulation S-K
37. Recently Enacted IIA Standard (effective January 1, 2009) - Audit Opinions and Conclusions (Standards 2010.A2 and 2410.A1)
38. Board risk oversight (SEC Item 407(h) of Regulation S-K)
39. Recently Enacted IIA Standard (effective January 1, 2009) - Overall Opinions (Standard 2450)
40. Practice Advisory 1312-3 - Independence of External Assessment Team in the Private Sector
41. Country-specific Enterprise Risk Management Framework
42. Practice Advisory 1312-4 - Independence of the External Assessment Team in the Public Sector
45. Fair value accounting
46. FASB Accounting Standards Codification™
47. Tax laws (in your applicable region/country)
48. Corporate governance standards (or local country equivalent)
49. Revenue Arrangements with Multiple Deliverables (EITF 08-1 (ASU 2009-13))
50. U.S. GAAP (or local country equivalent)
51. Foreign Corrupt Practices Act (FCPA)
52. AU Section 322 – The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements
53. COSO Internal Control Framework
54. Stock-based compensation
55. Standards for the Professional Practice of Internal Auditing (IIA Standards)
56. UK Bribery Act
[Scatter diagram: General Technical Knowledge. Labeled points include The Guide to the Assessment of IT Risk (GAIT); Fraud risk management; Country-specific enterprise risk management framework; ISO 31000 (risk management); ISO 9000 (quality management and quality assurance); IT governance; GTAG 16 - Data Analysis Technologies; Board risk oversight (SEC Item 407(h) of Regulation S-K); Practice Guide - Assessing the Adequacy of Risk Management; Practice Guide - Measuring Internal Audit Effectiveness and Efficiency.]