The University of Texas MD Anderson Cancer Center Internal Audit Annual Report for FY2016

Transcription

1 Purpose of the Annual Report Table of Contents I. Compliance with Texas Government Code, Section : Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit information on Internet Website II. Internal Audit Plan for Fiscal Year 2016 Compliance with the Benefits Proportionality Audit Requirements for Higher Education Institutions. Compliance with the Purchasing and Contracting Requirements for Higher Education Institutions. III. Consulting Services and Nonaudit Services Completed IV. External Quality Assurance Review (Peer Review) V. Internal Audit Plan for Fiscal Year 2017 VI. External Audit Services Procured in Fiscal Year 2016 VII. Reporting Suspected Fraud and Abuse Page 1 of 22

2 I. Compliance with Texas Government Code, Section : Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit information on Internet Website The Fiscal Year 2017 audit plan, as approved by the Institutional Audit Committee, will be posted on the MD Anderson external website as part of the Fiscal Year 2016 SAO Annual Report. The Fiscal Year 2016 SAO Annual Report, including summaries of reports, will be posted on the MD Anderson external website within 30 days of approval by the President but not later than November 1, 2016, as required. The following matrix provides a summary of the weaknesses and action taken by management for projects on the Fiscal Year 2016 Audit Plan, as required by Texas Government Code, Section : Report No. Report Date /23/2015 Nocturnal Program Review Name of Report Recommendations Summary of Action Taken We recommended enhanced controls over: Professional charge capture and reconciliation Compliance with requirements for verbal provider orders Standard operating procedures Management agreed to enhance controls in the recommended areas. Progress: Fully Implemented Substantially Implemented Incomplete/Ongoing Not Implemented Incomplete/Ongoing Full Implementation is expected by March 1, /28/2015 Segregation of Duties and Account Reconciliations Management should enhance controls and processes to ensure segregation of duties and sensitive access remediations are closed timely and reconciliations of federally funded accounts are performed. Management agreed to enhance controls in the recommended areas. Incomplete/Ongoing Full Implementation is expected by December 15, Page 2 of 22

3 Report No. Report Date Name of Report Recommendations Summary of Action Taken /26/2016 Procurement Review Management should enhance controls and processes surrounding accuracy of contract information, documentation of approvals for contracts and exclusive acquisition forms, compliance with the emergency purchase policy, and monitoring of unauthorized purchases. Furthermore, the Institutional Contract Management Handbook should be finalized /19/2016 Travel and Entertainment Development Office /31/2016 Facilities Service Vendor Audit Management should consider revising the Development Office travel and business entertainment policy to be more closely aligned with the Institution s travel policy when possible, and provide training to all staff, including administrative staff, to ensure travel documentation complies with Travel and Entertainment Guidelines. Management should review the department s guidelines for possible inconsistencies and operational inefficiencies. Recommendations related to the following process and control areas were noted: - Existence of Formal Contract Agreements - Monitoring of Contract Spend - Consistent Invoice Approval - Validation of Service Vendor Measurements - Discretion with Respect to PO Fund Application - Detailed Review of Invoiced Rates Management agreed to enhance controls and processes over the areas noted in the report and finalize the Institutional Contract Management Handbook. Management has agreed to revise the Development Office s Travel and Entertainment Guidelines, and to educate travelers and travel preparers on the revised guidelines. Management plans to perform annual review of the departmental guidelines to ensure alignment with institutional policy. Management agreed to enhance controls in the recommended areas. Progress: Fully Implemented Substantially Implemented Incomplete/Ongoing Not Implemented Incomplete/Ongoing Full Implementation is expected by October 16, Incomplete/ongoing Incomplete/Ongoing Full Implementation is expected by August 31, Page 3 of 22

4 Report No. Report Date /23/2016 Review of Executive Officers Travel and Business Entertainment Expenditures Name of Report Recommendations Summary of Action Taken We recommended improvements related to: Resolution of personal expenses using the state-issued travel card Adequate supporting documentation related to foreign travel and entertainment expenses Management agreed to enhance controls in the recommended areas. Progress: Fully Implemented Substantially Implemented Incomplete/Ongoing Not Implemented Fully implemented /23/2016 Onboarding of Visiting Scientists /15/2016 Departmental Review Thoracic Surgery /15/2016 Division of Surgery Review We identified opportunities for improvement in the following areas: Conducting criminal background checks Verifying educational background Ensuring compliance with required training Establishing guidance for departmental oversight Executing legal agreements We recommended enhanced controls over leave management, travel, procurement cards, and system access. We recommended enhanced controls over system access, segregation of duties within the service center, updating the billing rates and monitoring net income for the service center, and strengthening asset management. Management agreed to enhance controls in the recommended areas. Management agreed to enhance controls in the recommended areas. Management agreed to enhance controls in the recommended areas. Incomplete/Ongoing Incomplete/ongoing Full implementation is expected by December 31, Incomplete/ongoing Full implementation is expected by December 31, Page 4 of 22

5 Report No. Report Date /31/2016 Departmental Review Smithville /30/2016 Division of Radiation Oncology Charge Capture Assessment /30/2016 Division of Diagnostic Imaging Charge Capture Assessment Name of Report Recommendations Summary of Action Taken We recommended enhanced controls over monitoring program income and service center billing rates, enforcement of material transfer agreements (MTAs), monitoring and resolving deficit accounts, monitoring correction requests for over-commitment of effort, accurately recording faculty extramural leave, reviewing and approving grant reconciliations and employee leave in Kronos. We recommended that Radiation Oncology improve processes to ensure charges are posted to the patient accounts as appropriate. We further recommended that controls should be strengthened for re-billing charges to ensure when a charge is deleted, re-billing occurs as appropriate. We recommended that Diagnostic Imaging strengthen controls to ensure that charges are posted to patient accounts or research protocol accounts as appropriate. We further recommended that controls be strengthened to ensure when a charge is deleted, the action is appropriate /24/2016 Excepted from public disclosure Management agreed to enhance controls in the recommended areas. Management agreed to enhance controls in the recommended area. Management agreed to enhance controls in the recommended area. Progress: Fully Implemented Substantially Implemented Incomplete/Ongoing Not Implemented Incomplete/Ongoing Full Implementation is expected by December 31, Incomplete/Ongoing Incomplete/Ongoing Full Implementation is expected by January 31, /19/2016 Excepted from public disclosure /31/2016 Excepted from public disclosure /30/2016 Excepted from public disclosure Page 5 of 22

6 Report No. Report Date Name of Report Recommendations Summary of Action Taken /5/2016 Cybersecurity NIST Information is excepted from public disclosure Information is excepted from public disclosure Progress: Fully Implemented Substantially Implemented Incomplete/Ongoing Not Implemented Information is excepted from public disclosure /5/2016 Data Loss Prevention (Information Security) Information is excepted from public disclosure Information is excepted from public disclosure Information is excepted from public disclosure /31/2016 Patch Management Information is excepted from public disclosure Information is excepted from public disclosure Information is excepted from public disclosure /31/2016 Excepted from public disclosure Page 6 of 22

7 II. Internal Audit Plan for Fiscal Year 2016 The following matrix details the status of the Fiscal Year 2016 Audit Plan: Project No. Project Title Report Date Project Status Financial Audits FY15 Financial Statement Audit (year-end) Report issued by Deloitte at UT System Complete level FY16 Financial Statement Audit (interim) Report issued by Deloitte at UT System Complete level Physicians Referral Service Practice Plan N/A Project Served as the PRS Audit Segregation of Duties and Account Reconciliations 10/28/2015 Complete Economic Development Agreement Consulting Project Verbal Comments Complete provided to Management Purchasing Review 8/26/2016 Complete Risk-Based Audits Charge Capture Division of Pathology and Laboratory Medicine Pending In Progress Travel and Entertainment Development Office 5/19/2016 Complete Construction Activities - Facilities Service Vendor Audit 8/31/2016 Complete Travel and Business Entertainment Expense Review 8/31/2016 Complete Operational Audits UT System Requested / Externally Requested Audits Presidential Housing, Travel, and Entertainment 5/13/2016 Complete Executive Travel and Entertainment 6/23/2016 Complete Risk-Based Audits Security Clearance for Contractors Consulting Project Verbal comments Complete provided to management Onboarding of Visiting Scientists 6/23/2016 Complete Departmental Review Thoracic Surgery 1/15/2016 Complete Division of Surgery Review 3/15/2016 Complete Departmental Review - Smithville 8/31/2016 Complete Dining Services Cash Handling N/A Cancelled Anti-Fraud Initiative 8/31/2016 Complete Medical Device Maintenance and Security Assessment Pending In Progress Page 7 of 22

8 Project No. Project Title Report Date Management Requested Audits Project Status - General Consultation with Management N/A Complete - Institutional Committee Participation N/A Complete - Management Involvement on Co-sourced Construction Projects N/A Complete Consulting Projects Division of Pharmacy Business Operations Review Pending In Progress Division of Radiation Oncology Charge Capture Assessment 8/30/2016 Complete EHR OneConnect (EPIC) Consulting Project Verbal comments provided to management Complete Division of Diagnostic Imaging Charge Capture Assessment 8/30/16 Complete Compliance Reviews Excepted from public disclosure Information Technology Audits UT System Requested / Externally Requested Audits Deloitte Financial Audit Support Report issued by Deloitte at UT System level Risk-Based Audits / Consulting Projects Complete Cerner Millennium Helix Implementation Pending In Progress Post ICD-10 Audit EPIC Integration Pending In Progress Cybersecurity / NIST 7/5/2016 Complete Data Loss Prevention (Information Security) 7/5/2016 Complete Patch Management 8/31/2016 Complete EPIC Post Implementation Work N/A Merged with Clinical Devices Pending In Progress Excepted from public disclosure Management Requested Audits OneConnect Program Expenditure Process Assessment 11/23/2015 Complete Other IT Projects - IT Follow-up N/A Complete - Knowledge Sharing and/or Training Documentation Projects N/A Complete - IT Liaison Activities N/A Complete Page 8 of 22

9 Project No. Project Title Report Date Project Status - IT Risk Assessment - FY 17 N/A Complete - Financial and Operational Audit Assistance N/A Complete - Administrative Activities N/A Complete Follow-Up Audits - Follow-up Audits (Quarterly Reporting and Validation) N/A Complete Projects Development - Operations - Internal Quality Assurance Activities N/A Complete - Internal Audit Committee Preparation/Participation N/A Complete - Institutional Risk Assessment & Work Plan Development N/A Complete - TeamMate Software Upgrade N/A Complete - All-Hazards Risk Leadership Council N/A Complete Development Initiatives & Education - UT System Coordination N/A Complete - Professional Organization/Association Participation N/A Complete Carry Forward Nocturnal Programs 11/23/2015 Complete Collection of Patient Co-Payments 7/5/2016 Complete Clinical Services Spot Agreements 9/28/2015 Complete Investigations - Various investigations Consulting Projects Verbal Comments provided to management Complete Audit / Project cancelled Audit / Project added to Plan Page 9 of 22

10 Compliance with the Benefits Proportionality Audit Requirements for Higher Education Institutions: At the request of the Governor, an internal audit of the proportionality of higher education benefits process was performed during fiscal year A consistent audit methodology has been deployed across the UT System that assessed the reporting process and accuracy of benefits funding information provided to the State Comptroller as applicable under Rider 8, page III-41, the General Appropriations Act (84 th Legislature, Conference Committee Report). An audit of the benefits proportionality process will also be conducted during fiscal year 2017 and will comply with Rider 8, page III-41, the General Appropriations Act (84 th Legislature, Conference Committee Report). The audit will be complete by February 28, Compliance with the Purchasing and Contracting Requirements for Higher Education Institutions: Senate Bill 20 (84 th Legislative Session) made several modifications and additions to Texas Government Code (TGC) and Texas Education Code (TEC) related to purchasing and contracting. Effective September 1, 2015, TEC requires that, The chief auditor of an institution of higher education shall annually assess whether the institution has adopted the rules and policies required by this section and shall submit a report of findings to the state auditor. The MD Anderson Cancer Center Internal Audit Department conducted this required assessment for fiscal year 2016, and found the following: Based on review of current institutional policy and the UT System Board of Regents Rules and Regulations, MD Anderson Cancer Center has generally adopted all of the rules and policies required by TEC Review and revision of institutional and System policy is an ongoing process. These rules and policies will continue to be assessed annually to ensure continued compliance with TEC Page 10 of 22

11 III. Consulting Services and Nonaudit Services Completed Project No. Project Title Report Date Project Objective Texas Economic Development Agreement Presidential Housing, Travel and Entertainment Security Clearance for Contractors Anti-Fraud Initiative EHR OneConnect (EPIC) - Various investigations Consulting Verbal Comments provided to Management Consulting Assisted University of Texas System Audit Office Consulting Verbal Comments provided to Management Consulting Verbal Comments provided to Management Consulting Verbal Comments provided to Management N/A To review the reporting methodology and schedules for the annual compliance verification of job creation for the Texas Economic Development Agreement. To assist/coordinate audits by UT System to determine if travel and entertainment activities and expenditures of the President and his spouse are conducted in accordance with UT System and MDACC policy. To determine whether appropriate security clearance (Criminal background checks, badging, access, etc.) has been consistently provided for contracted services and independent contractors in accordance with contract provisions. Utilize external consultants to identify potential fraudulent activity. Follow-up on reports from consultants, and report results to management. To consult with management and coordinate with consultants regarding the design and implementation of the electronic health record. To conduct investigations as necessary. Services / Observations / Results / Recommendations The methodologies appeared consistent with previous submissions. Nothing came to our attention that would indicate the Annual Compliance Verification was materially misstated. Internal Audit assisted The University of Texas System Audit Office (UT System) by providing documentation from institutional systems for review. Any recommendations for improvement were made by UT System. A consistent process was developed for conducting criminal background checks for all contractors entering the institution. An external vendor performed forensic data mining analysis of accounts payable, vendor, and patient accounting information. Internal Audit conducted a detailed review of the results and did not identify any improprieties or errors that warranted further review. No recommendations were made by Internal Audit as a result of this review. The EHR Risk Oversight Council identified financial compliance, and information security controls risks throughout the OneConnect implementation and monitored the status of remediation efforts. Verbal updates were provided to management throughout the project. Information was provided to appropriate levels of management. Page 11 of 22

12 IV. External Quality Assurance Review (Peer Review) Page 12 of 22

13 V. Internal Audit Plan for Fiscal Year 2017 The University of Texas MD Anderson Cancer Center FY 2017 Audit Plan Audit/Project Budgeted Hours % of Total Description Risk Based Audits Charge Capture - Division of Anesthesiology and Critical Care Charge Capture - Regional Care Centers 700 To conduct a charge capture audit of select areas within the Division to determine if services provided were captured and recorded appropriately. Sustainability - Charge Capture 700 To ensure that charge capture for professional services at community hospitals is accurately captured and recorded. Sustainability - Charge Capture Nursing Charge Capture 750 To ensure that charge capture for nursing services is accurately captured and recorded. Sustainability - Charge Capture Denials Management 650 To conduct an assessment to determine the root cause of denials and assist management with identifying possible solutions to reduce future denials. People We Serve - Patient Registration 650 Excepted from public disclosure Payroll Review 600 To assess the governance structure and key controls over payroll processes to include employee set-up, payroll adjustments and corrections, reconciliations, interfaces, tax compliance, accuracy of the payroll calculation, and any other related processes. Systems That Support - Payroll Division of Pediatrics Review 700 To provide a general assessment of the financial, administrative, and compliance controls within the selected division. People Who Serve, Science That Enables, Systems That Support Departmental Review - Infectious Diseases, Infection Control & Employee Health 600 To provide a general assessment of the financial, administrative, and compliance controls within the selected department. People Who Serve, Science That Enables, Systems That Support Page 13 of 22

14 FY 2017 Audit Plan Audit/Project Budgeted Hours % of Total Description 450 Excepted from public disclosure 600 Excepted from public disclosure Physicians Referral Service (PRS) Practice Plan 450 To conduct the annual financial review of the PRS Practice Plan, as required by UTS 155. The scope of this project will be consistent for all applicable UT System components and will be determined by UT System. Systems That Support - Expenses/Accounts Payable Information Technology Audits PeopleSoft 9.2 Upgrade 300 Perform a post-implementation review for the PeopleSoft 9.2 upgrade to determine if project objectives were successfully met, gain an understanding on the effectiveness and efficiency of project management practices, effectiveness of the integration with EPIC, and to determine vulnerabilities for the application from the following perspectives: operating effectiveness, ITGC's, security, reporting, and compliance. Systems That Support 400 Excepted from public disclosure Asset Management 400 Evaluate the Asset Management Process from procurement, commissioning, inventory, and decommissioning for assets including laptops, ipads, iphones, servers, medical devices/workstations, and applications (including cloud/software as a service). Systems That Support System Portfolio and Roadmap for System Retirement 350 Assess the application portfolio and supporting organizational costs/headcounts as well as the status on specific systems identified as replaced by recent implementations to determine plan for and progress for decommissioning. Evaluate the roadmap for retiring and decommissioning legacy systems replaced by recent implementations such as Epic, PeopleSoft, etc. Consider the cost to the institution and assess risks (security, integrity, data availability, support, etc.) risks to the institution for continuing to maintain legacy systems. Systems That Support Page 14 of 22

15 FY 2017 Audit Plan Audit/Project Budgeted Hours % of Total Description Epic - Post Implementation and Governance Process 350 Perform a post-implementation review for Epic to evaluate functionality (charge capture, interfaces, etc.) optimization, and vulnerabilities for the application from the following perspectives: operating effectiveness, ITGC's, security, and compliance. Evaluate governance process post go-live for addressing issues and optimizing the system. Systems That Support Pharmacy System Assessment 300 Perform a post-implementation review for Willow/Epic to evaluate functionality (charge capture, interfaces, etc.) and assess the controls in place post go live related to the pharmacy applications from the following perspectives: operating effectiveness, ITGC's, security, and compliance. Systems That Support Management Involvement on 150 To oversee/facilitate audits of IT activities. Co-Sourced IT Projects Construction Activities 500 To conduct a review of key construction activities and/or processes. Reviews will be co-sourced, utilizing staff with construction expertise. Systems That Support - Facilities Management Management Involvement on 50 To oversee/facilitate audits of construction activities. Co-Sourced Construction Projects Carry-Forward Audits Charge Capture - Pathology and Laboratory Medicine 350 To conduct a charge capture audit of select areas within the Division to determine if services provided were captured and recorded appropriately. This will be an integrated audit with the IT Internal Auditors. Risk Based Audits Subtotal 10,000 50% Sustainability - Charge Capture Required Based Audits (Externally and Internally) FY 2017 Financial Statement Audit (year-end) 325 To assist Deloitte with testing relating to the External Financial Statement Audit. Systems That Support - Financial Reporting Page 15 of 22

16 FY 2017 Audit Plan Audit/Project Budgeted Hours % of Total Description FY 2017 Financial Statement Audit (interim) Deloitte Financial Audit Support - IT Texas Administrative Code (TAC) To assist Deloitte with testing relating to the External Financial Statement Audit. Systems That Support - Financial Reporting 160 Perform IT general controls procedures as requested by MDACC to support the Deloitte Financial Audit of MDACC. Systems That Support - Financial Reporting 350 To evaluate controls and processes at MD Anderson for compliance with TAC 202 regulatory requirements. Systems That Support Segregation of Duties and Account Reconciliations Economic Development Agreement Presidential Housing, Travel, and Entertainment Executive Travel and Entertainment Required Audits Subtotal 1,860 9% 250 To review the institution's Monitoring Plan and departmental subcertifications and validate the assertions made by management regarding segregation of duties and account reconciliations, as required by UTS Systems That Support - Financial Reporting 100 To review the reporting methodology and schedules prepared for the annual compliance verification of job creation targets associated with the Economic Development Agreement between MDACC, UT HSC- Houston, and the State of Texas. Systems That Support - Corporate Compliance 50 To assist/coordinate audits by UT System to determine if travel and entertainment activities and expenditures of the President and his spouse are conducted in accordance with UT System and MDACC policy. Systems That Support - Expenses/Accounts Payable 300 To perform audits to determine if travel and entertainment activities and expenditures of executive management are conducted in accordance with UT System and MDACC policy. Systems That Support - Expenses/Accounts Payable Page 16 of 22

17 FY 2017 Audit Plan Audit/Project Budgeted Hours % of Total Description Consulting Projects Employee and Faculty Criminal Background Checks 500 Internal Audit will partner with key stakeholders to ensure a background check is conducted for all employees, including faculty, as part of the on-boarding process. People Who Serve - Personnel Management 350 Excepted from public disclosure Strategic Industry Ventures 250 Internal Audit will partner with key process owners to identify opportunities to mitigate significant business risks during the contracting process for strategic industry ventures. This effort will include, but not be limited to, collaboration with Strategic Industry Ventures, Institutional Compliance, Legal, Research Administration, and Clinical Research Administration. Science That Enables - Research Administration 200 Excepted from public disclosure General Consultation with 150 To consult with management on various high-risk topics. Management Institutional Committee 225 To participate, in a consulting role, on committees within the institution. Participation All-Hazards Risk Leadership Council 120 Consulting Projects Subtotal 1,795 9% Follow-Up Quarterly Reporting / Monitoring 250 Activities Validation Activities 500 IT Follow-up Validation Activities 250 Follow-Up Subtotal 1,000 9% Page 17 of 22

18 FY 2017 Audit Plan Audit/Project Budgeted Hours % of Total Description Reserve Reserve for Just-In-Time Reserve will be used to respond to management s requests in high-risk areas, as well as to address Auditing/Advisory Services changing risks in our environment throughout the year. Reserve for Investigations 400 Reserve will be used to respond to any investigative requests throughout the year. IT Reserve Just-In-Time Auditing/Advisory Services 100 Reserve Just-In-Time Auditing/Advisory Services will be used to respond to management and Internal Audit s requests for assessments in emerging high-risk areas related to IT. IT Financial and Operational Audit Assistance 100 Participation in limited scope activities with the Internal Audit team. Reserve Subtotal 2,050 10% Development - Operations Internal / External Quality Assurance Activities 400 To conduct on-going reviews of audits/projects for compliance with the International Institute of Internal Auditors (IIA) standards. In addition, to prepare for an External Quality Assurance Review Internal Audit Committee 182 To prepare audit committee packets and participate in quarterly meetings. Preparation / Participation Institutional Risk Assessment and 350 To update the comprehensive risk assessment and Work Plan Work Plan Development Audit Strategic Planning 550 To perform strategic planning and manage the overall audit activity. IT Risk Assessment Fy Updating of the IT risk assessment and audit plan. IT Administrative Activities 150 Development Operations Subtotal 1,882 9% Development - Initiatives & Education UT System Coordination 500 To participate in UT System initiatives. Professional Organization / Association Participation Training / Continuing Professional Education 100 To participate in the IIA Houston Chapter Annual Conference 818 Page 18 of 22

19 FY 2017 Audit Plan Audit/Project Budgeted Hours % of Total Description IT Knowledge Sharing and/or 80 Sharing thought leadership, perspective, and bringing in technical resources to assist where needed Training Documentation Projects IT Liaison Activities 80 Participation in staff meetings, the UT InfoSec, IT Leaders meetings, etc. Development Initiatives & % Education Subtotal TOTAL HOURS 20, % Page 19 of 22

20 Additional high risks not included in the FY 2017 Work Plan are found in the following areas: Timely patient access to services Updating of patient records Research protocol billing and coding Documentation to support hiring decisions Adherence to institutional badging process Maintenance of DRG-exempt status Business continuity Billing and reimbursement Privacy and Information security regulated activities and work force training Regulated research activities Operational efficiencies Quality and performance metrics Our risk assessment methodology included interviews with and/or questionnaires with various levels of management in the institution. Identified risks were organized into institution-wide auditable units. For each identified risk, impact and probability were assessed. Our work plan was developed from the highest risk areas in the institution that are not already being addressed by other mitigation strategies. Page 20 of 22

21 VI. External Audit Services Procured in Fiscal Year 2016 Service Opinion on financial statements of UT MD Anderson Cancer Center Opinion on financial statements of UT MD Anderson Physicians Network Opinion on financial statements of UT MD Anderson Services Corporation Information Technology Internal Audit Co-Sourcing Electronic Health Record Consulting Construction Internal Audit Co-Sourcing Construction Internal Audit Co-Sourcing Deloitte Deloitte Deloitte PwC PwC Protiviti Townsend Provider Page 21 of 22

22 VII. Reporting Suspected Fraud and Abuse Page 22 of 22