Using the Fraud Risk Framework In Audits: CMS Example

Transcription

1 Using the Fraud Risk Framework In Audits: CMS Example Applying the Framework GAO-18-88: CMS Example (11:00 11:45) CMS context Risk profile Commit Assess Design and Implement Evaluate and Adapt GAO forum on data analytics (a how-to guide) (11:45 12:00) Identify objectives & align analytics program Inventory (tech, staff, data) Know your data (quality, access) Demonstrate value (visualization, identify fraud) Page 1

2 Introduction Fraud represents an insidious risk to the integrity of government programs and erodes vital public trust Public sector executives and managers must take a strategic approach to counter fraud risks and develop effective measures to manage these risks Operationalizing GAO s Fraud Risk Framework to drive this change in the public sector Build on themes and concepts introduced earlier today, with a recent GAO report that used the Fraud Framework to assess a large federal entity s management of fraud risks Page 2

3 Applicability of GAO s Fraud-Risk Framework Page 3

4 Definitions Fraud Involves obtaining something of value through willful misrepresentation as determined through a judicial or other adjudicative system Fraud Risk Is a function of probability and consequence of a risk occurring wherein incentive, opportunity, and rationalization to commit a fraudulent act are present Improper Payment A payment made in response to a beneficiary or provider claim that should not have been made or was made in the wrong amount (fraud is a subset of these payments) Page 4

5 GAO CMS Needs to Fully Align its Antifraud Efforts with the Fraud Risk Framework Page 5

6 Why Examine Centers For Medicare and Medicaid Services? 4 programs 1.1 trillion in annual outlays < Medicare and Medicaid o 129 million covered o 1 trillion outlays (2016) Complex, state-run (Medicaid), high dollar, high risk program = susceptible to fraud Page 6

7 Most Common Health-Care Fraud Schemes (U.S.) (GAO ) Top schemes based on 739 cases resolved in % more than one scheme (61% two to four schemes) Most common scheme: Billing services or supplies not provided (43%) medically-unnecessary services (25%) Other common schemes: Falsifying records to support a scheme (25%) Paying kickbacks (bribes) to scheme participants (21%) Fraudulently obtaining controlled substances or misbranding prescription drugs (21%) Extent of complicity Service providers complicit in 62% of cases Beneficiaries complicit in 14% of cases Page 7

8 Recap of GAO s Fraud Risk Framework Page 8

9 Overarching Themes Strategic, risk-based approach to managing fraud risks and developing effective antifraud controls Emphasis on prevention (proactive approach to avoid pay and chase) Attention to structures and environmental factors that influence efforts to mitigate fraud risks Ongoing monitoring and feedback Page 9

10 Commit CMS Has Shown Commitment to Combating Fraud by Creating an Organizational Structure and Taking Steps to Establish a Culture Conducive to Fraud Risk Management CMS s Organizational Structure Includes a Dedicated Entity for Program-Integrity and Antifraud Efforts CMS Has Taken Steps to Create a Culture Conducive to Fraud Risk Management but Could Enhance Antifraud Training for Employees Page 10

11 Commit: Demonstrating Structure CMS Program Integrity Conceptual Model LP1. Designated entity designs and oversees fraud risk management activities LP2. Designated entity manages FR assessment, awareness and antifraud activities Page 11

12 Commit: Demonstrating Culture Involving All Levels in Setting Antifraud Tone LP1. Demonstrate senior level commitment LP2. Involve all levels of the agency in setting an antifraud tone Page 12

13 Recommendation 1: (Commit; Culture) The Administrator of CMS should provide fraudawareness training relevant to risks facing CMS programs and require new hires to undergo such training and all employees to undergo training on a recurring basis. Page 13

14 Assess CMS Has Taken Steps to Identify Program Fraud Risks but Has Not Conducted a Fraud Risk Assessment for Medicare or Medicaid CMS Has Taken Steps to Identify Some Fraud Risks for Medicare and Medicaid CMS Has Not Conducted a Fraud Risk Assessment for Medicare or Medicaid Page 14

15 Assess: Plan Regular, Tailored, Risk Assessments LP1: Tailor to the program LP2: Conduct at regular intervals and when program or environment changes LP3: Identify tools, methods, and sources for gathering information about fraud risks LP4: Involve stakeholders Page 15

16 Assess: Identify and Assess Risks to Determine the Program s Fraud Risk Profile LP1: Identify inherent fraud risks LP2: Assess likelihood and impact LP3: Determine fraud risk tolerance LP4: Examine suitability of existing controls and prioritize residual risks LP5: Document the fraud risk profile Page 16

17 Recommendation 2: (Assess; Fraud Risk Assessment & Risk Profile) The Administrator of CMS should conduct fraud risk assessments for Medicare and Medicaid to include respective fraud risk profiles and plans for regularly updating the assessments and profiles. Page 17

18 Design and Implement CMS Has Not Developed a Risk-Based Antifraud Strategy for Medicare and Medicaid, Which Would Include Plans for Monitoring and Evaluation CMS Has Not Developed a Risk-Based Antifraud Strategy Page 18

19 This image cannot currently be displayed. Design and Implement: Antifraud Strategy LP1: Use the fraud risk profile to allocate resources LP2: Develop, document, and communicate an antifraud strategy LP3: Establish roles and responsibilities LP4: communicate the role of the OIG to investigate potential fraud LP5: Create timelines for implementing fraud risk management activities LP6: Demonstrate links LP7: Link antifraud efforts to other risk management activities Page 19

20 Design & Implement: Control Activities to Prevent and Detect Fraud LP1: Focus on fraud prevention LP2: Consider the benefits and costs of control activities LP3: Design and implement control activities to prevent and detect fraud Page 20

21 Design & Implement: Plan for Response to Fraud LP1: Develop a plan to respond to identified instances of fraud LP2: Refer instances of potential fraud to the appropriate parties (OIG, DOJ) Page 21

22 Design & Implement: Relationships with Stakeholders LP1: Establish collaborative relationships with internal and external stakeholders LP2: Collaborate and communicate with the OIG LP3: Create incentives for employees to manage risks and report fraud CMS LP4: Provide guidance and other support to help external parties carry out fraud risk management activities Page 22

23 Recommendation 3: (Design & Implement; ) The Administrator of CMS should, using the results of the fraud risk assessments for Medicare and Medicaid, create, document, implement, and communicate an antifraud strategy that is aligned with and responsive to regularly assessed fraud risks. This strategy should include an approach for monitoring and evaluation. Page 23

24 Evaluate and Adapt CMS Has Not Developed a Risk-Based Antifraud Strategy for Medicare and Medicaid, Which Would Include Plans for Monitoring and Evaluation CMS Has Established Monitoring and Evaluation Mechanisms That Could Inform a Risk-Based Antifraud Strategy for Medicare and Medicaid Page 24

25 Evaluate and Adapt: Risk Based Monitoring and Evaluation LP1: Monitor and evaluate effectiveness LP2: Collect and analyze data LP3: risk-based approach to monitoring LP4: Engage stakeholders Page 25

26 Evaluate and Adapt: Measuring Outcomes LP1: Measure outcomes LP2: In the absence of sufficient data, assess how well managers follow recommended leading practices Page 26

27 Evaluate and Adapt: Adapt and Communicate Results LP1: Use results of evaluation LP2: use identified instances of fraud and fraud trends LP3: use results of investigations and prosecutions LP4: communicate results Page 27

28 Recommendation 3: (Evaluate & Adapt; ) The Administrator of CMS should, using the results of the fraud risk assessments for Medicare and Medicaid, create, document, implement, and communicate an antifraud strategy that is aligned with and responsive to regularly assessed fraud risks. This strategy should include an approach for monitoring and evaluation. Page 28

29 Questions? Page 29