Success in Joint Ventures: Sustained Compliance and Audit Oversight


1 Success in Joint Ventures: Sustained Compliance and Audit Oversight Gene DeLaddy, CIA Senior Vice President, Chief Compliance & Privacy Officer, Chief Audit Executive Dave Pyland, CPA Director, Internal Audit Carolinas HealthCare System 2011 AHIA Annual Conference

2 Carolinas HealthCare System Introductions Company Profile Joint Ventures Joint Ventures Presentation Objectives Identify and Understand Assess and Audit Monitor and Follow-Up Outline

3 Gene DeLaddy, CIA Senior Vice President, Chief Compliance and Privacy Officer, Chief Audit Executive, Carolinas HealthCare System Dave Pyland, CPA Director, Internal Audit, Carolinas HealthCare System Introductions

4 Chief Compliance Officer Chief Privacy Officer Chief Audit Executive Facility Compliance Physician Compliance Corporate Privacy Audit Services Corporate Compliance Department

5 Carolinas HealthCare System
* Net Revenues of $6.5 billion at 12/31/10*
* 33 Affiliated Hospitals in NC and SC
* 1,700 Physicians & 48,000 Employees
* 500 Care Locations & 6,300 Licensed Beds
* 14 Joint Ventures
*Total includes Primary Enterprise, Other Component Units, and CHS Managed Entities

6 Management Services Agreement Vendor Business Associate Agreement Joint Venture Operating Agreement Professional Services Agreement Vendor Service Level Agreement Legal Structure and Business Purpose

7 JV Operating Agreement
Elements:
* Name of JV
* Identification of Parties
* Allocation of Profits & Losses
* Board Roles & Responsibilities
* Basis of Accounting

8 JV Management Services Agreement
Elements:
* Assignment of Manager
* Compliance Responsibilities
* Service Level Agreements
* Manager Compensation
* Obligations of Owners

9 CHS Corporate Joint Ventures
CHS is involved in 14 corporate joint ventures in the following areas:
* Multi-Specialty Ambulatory Surgical Centers: 3
* Specialty Ambulatory Surgical Centers: 2
* Imaging Centers: 3
* Radiation Therapy: 1
* Real Estate: 2
* Third Party Administrators: 1
* Urgent Care Centers: 2

10 CHS Ownership Percentages Compliance Program Responsibilities Less Than 50% Other CHS 50% or More CHS Corporate Joint Ventures

11 Why Joint Ventures?
Business Opportunities: Shared Responsibility
* One party provides location and equipment while other parties provide capital and technical expertise.
Market Expansion: Shared Ideas
* Partnering with regional hospitals helps build relationships.
* Partnering with competitors to share new opportunities.

12 Management You are the majority partner but others may manage the JV. Partners may be competitors, public entities (SOX), or physicians. No audits of the JV have been conducted. JV services provided may be on the Annual OIG Work Plan. Joint Venture Risks

13 Tips for JV Success
* Senior Management Endorsement can be beneficial.
* If possible, ensure that the JV is on your Company's IT Network.
* Consider implementing a committee to oversee the JV.

14 CHS JV Internal Audit Assessment Program

15 AUDIT AGAINST Joint Venture Operating Agreement Management Services Agreement/ Professional Services Agreement BOD Meetings Financial Oversight Compliance/Privacy Oversight Service Level Performance Accuracy of Compensation Refer to Handout for Summary Governance Program Governance Audit Assessment

16 Business Process: Governance
JV Name: Generic Healthcare
Prepared By: John Doe    Date: 9/9/2011
Reviewed By: Jane Doe    Date:

Information about the Assessment Tool
Purpose: An assessment of the internal controls surrounding the Governance control environment of the JV. While the assessment tool is not inclusive of all internal control considerations, it can help identify areas that require corrective action through implementation of internal controls or refinement of existing internal control procedures.

General Control Objectives:
1. Authorization: Policies and procedures; and other key plans are formally reviewed and approved by the Board on a periodic basis.
2. Meetings: Board meetings are formalized and in compliance with the JV Agreement.

Scoring Key:
* Green: Utilize green shading and type in "Green" to indicate the existence of internal controls that substantially conform to stated Internal Control (IC) Expectations.
* Yellow: Utilize yellow shading and type in "Yellow" to indicate areas where internal controls exist in part, but need improvement to conform to stated IC Expectations.
* Red: Utilize red shading and type in "Red" to indicate areas where controls may exist but are significantly deficient in meeting stated IC Expectations.

General Control Objectives for Governance:
* Board meets as required per the JV Agreement and formally reviews and approves meeting minutes timely.
* Board provides oversight on the planning, monitoring and evaluation of JV activities.

Potential Risks for Governance:
* Inadequate Board oversight and monitoring of JV operations.
* Unauthorized, material transactions occurring and going undetected.

Worksheet columns: Functional Area, Test Step, Test Results, Auditor, Date, Score, W/P Reference
Functional Area: Governance

Test Steps:
1. Review the JV Agreement to determine the required frequency of Board meetings. Obtain the Board meeting minutes for review and validate that the CHS representatives on the Board are attending.
2. Review a sample of JV Board Meeting Minutes to determine if the meeting minutes are being formally reviewed and approved on a timely basis.
3. Determine if the JV Board is formally reviewing and approving the following on an annual basis: Budget; Compliance Risk Assessment; Policies and Procedures; and Vendor Listing.
4. Determine if the JV Board is reviewing and approving the following on a monthly basis: financials and check disbursement register.
5. Determine if BOD is reviewing the MSA and the PSA for compliance and reasonableness.

Test Results:
* Per inquiry with the JV Administrator, the JV BOD has not met in the last 15 months. Tester notes that per the JV Operating Agreement, the BOD is required to meet on an annual basis. Observation noted.
* Per tester inquiry with the JV Administrator and tester review of BOD s, the 2011 annual budget was not formally reviewed and approved by the BOD until March 30, Tester notes that per the JV Operating Agreement, the BOD is required to review and approve the annual budget no later than two months prior to the start of the fiscal year (01/01/XX). Observation noted. Tester also notes that per review of the JV Policies and Procedures, the JV BOD has not formally reviewed and approved them since Per the JV Operating agreement, the BOD is required to review and approve the Policies & Procedures on an annual basis. Observation noted.
* Per tester inquiry with JV Administrator and the Business Manager, the monthly financials and the check disbursement registers are not being submitted to the full BOD via . Observations noted as the JV Administrator has unlimited expenditure/disbursement authority.
* Per tester inquiry with the JV Administrator, the BOD has not formally reviewed the MSA and the PSA since In addition, tester notes that the JV Administrator and the JV Business Manager are not reviewing the service level agreements for compliance. Observations noted.

Auditor: John Doe; Date: 09/09/; Score: Red; W/P Reference: N/A
Score summary: Green 0, Yellow 0, Red 4

Observations highlighted on the slide:
* JV BOD has not met in the last 15 months
* Monthly financials and check disbursement registers are not submitted to the full BOD via
* 2011 annual budget not formally reviewed and approved by the BOD until March 30, 2011
* Policies and Procedures not reviewed by JV BOD since 2000
* JV Administrator has unlimited expenditure/disbursement authority
* MSA and PSA not reviewed by BOD since
* SLAs not reviewed for compliance

17 Inquire About the Existence of and Test the Following: Hotline Compliance Items Privacy Items Stark Monitoring/Testing Conflict of Interest Statements Designated Privacy Official Business Associate Agreements Notice of Privacy Practices Refer to Handout for Summary Compliance/ Privacy Program Compliance/Privacy Assessment

18 Business Process: Compliance/Privacy
JV Name:
Prepared By:    Date:
Reviewed By:    Date:

Information about the Assessment Tool
Purpose: An assessment of the internal controls surrounding the Compliance control environment of the JV. While the assessment tool is not inclusive of all internal control considerations, it can help identify areas that require corrective action through implementation of internal controls or refinement of existing internal control procedures.

General Control Objectives:
1. Regulatory Compliance: Policies and procedures; and internal controls in place to reasonably ensure regulatory compliance.

Scoring Key:
* Green: Utilize green shading and type in "Green" to indicate the existence of internal controls that substantially conform to stated Internal Control (IC) Expectations.
* Yellow: Utilize yellow shading and type in "Yellow" to indicate areas where internal controls exist in part, but need improvement to conform to stated IC Expectations.
* Red: Utilize red shading and type in "Red" to indicate areas where controls may exist but are significantly deficient in meeting stated IC Expectations.

General Control Objectives for Compliance:
* The JV is compliant with regulatory requirements.

Compliance Risks:
* Non-compliance with Regulatory requirements.

Worksheet columns: Functional Area, Test Step, Test Results, Auditor, Date, Score, W/P Reference
Functional Area: Compliance/Privacy

Test Steps:
1. Inquire if all employees are completing Conflicts of Interest Statements on an annual basis. Test a sample for validation.
2. Inquire if the JV conducts periodic Stark testing to reasonably ensure compliance with the Stark Regulations. Review for reasonableness.
3. Inquire if the JV is performing periodic vendor sanction screenings for all vendors, employees, physicians and referring physicians. Test for validation.
4. Inquire if prescription pads are secured and can only be accessed by authorized personnel. In addition, examine prescription pads for reasonableness.
5. Obtain a detailed listing of the most recent Accounts Receivable aging. Upon review of the A/R aging, determine if there are any aged Medicare credit balances. Also inquire if the JV completes Quarterly Credit Balance Reports to Medicare.
5. Inquire if the JV utilizes a Compliance Hotline.
6. Inquire if the JV has current Business Associate Agreements (BAA's) in place for all vendors that can access protected health information (PHI). Review a sample for reasonableness.
7. Inquire if the JV performs billing system audits. Review for reasonableness.
8. Inquire if the JV has a designated Privacy Officer.
9. Inspect the JV's web site and review the Notice of Privacy Practices for reasonableness.
10. Perform a brief walkthrough of the front office area to determine if patient data is being secured at all times.

Test Results:
* Per tester inquiry with the JV Administrator, Conflicts of Interest Statements are not being completed by JV employees. Observation noted.
* Per tester inquiry with the JV Administrator, periodic Stark Testing is not conducted. Observation noted.
* Per tester inquiry with the JV Administrator, the JV does not have a Compliance Hotline. Observation noted.
* Per tester inquiry with the JV Administrator, the JV does not have current BAA's in place with applicable vendors. Observation noted.
* Per tester inquiry with the JV Administrator, although the JV has annual external financial statement audits, no billing audits have been conducted. Observation noted.
* Per tester inquiry with the JV Administrator, the JV does not have a designated Privacy Officer. Observation noted.
* Per tester review of the JV web site, the Notice of Privacy Practices has not been updated since Observation noted.

Score summary: Green Yellow Red

Observations highlighted on the slide:
* No Conflict of Interest Statements completed by employees
* No Stark testing conducted
* No compliance hotline
* No current Business Associate Agreements with vendors
* External financial statement audits, but no internal billing audits
* No designated Privacy Officer; outdated Notice of Privacy Practices

19 Inquire about the existence of and test these items. General Ledger Close Financial Reporting Variance Analysis Monitoring Refer to Handout for Summary Financial Program Financial Audit Assessment

20 Business Process: Financial
JV Name:
Prepared By:    Date:
Reviewed By:    Date:

Information about the Assessment Tool
Purpose: An assessment of the internal controls surrounding the Operational control environment of the JV. While the assessment tool is not inclusive of all internal control considerations, it can help identify areas that require corrective action through implementation of internal controls or refinement of existing internal control procedures.

General Control Objectives:
1. To ensure that the internal controls over financial reporting (ICOFR) for the JV are reasonably controlled with appropriate internal controls.

Scoring Key:
* Green: Utilize green shading and type in "Green" to indicate the existence of internal controls that substantially conform to stated Internal Control (IC) Expectations.
* Yellow: Utilize yellow shading and type in "Yellow" to indicate areas where internal controls exist in part, but need improvement to conform to stated IC Expectations.
* Red: Utilize red shading and type in "Red" to indicate areas where controls may exist but are significantly deficient in meeting stated IC Expectations.

General Control Objectives for Financial:
* Journal entries are authorized and reviewed/approved by appropriate personnel.
* Balance Sheet accounts are reconciled and reviewed by appropriate personnel.
* Financial period closes are well controlled.
* Monthly variance analyses are occurring.

Financial Risks:
* Unauthorized transactions occur and go undetected.
* Balance sheet accounts are not reconciled.
* Financials are not complete and accurate.

Worksheet columns: Functional Area, Test Step, Test Results, Auditor, Date, Score, W/P Reference
Functional Area: Financial

Test Steps:
1. Inquire with Accounting if a monthly closing checklist is maintained and completed to ensure all closing steps are completed each month. Also inquire if a period-ending journal entry control log is utilized to ensure that all necessary journal entries are recorded. Review checklists for reasonableness.
2. Inquire with Accounting if balance sheet accounts are reconciled each month. Judgmentally select a sample to test for validation, completeness and accuracy.
3. Obtain monthly financials and review for reasonableness.
4. Inquire with Accounting and with Administrator if Monthly Actual to Budget Variance Analyses are conducted. Review a sample of analyses for reasonableness.
5. Inquire if the JV has more than $250,000 in cash accounts at the same banking institution.
6. Obtain the most recent Accounts Receivable Aging and review for reasonableness.
7. Obtain the most recent Accounts Payable Aging and review for reasonableness.
8. Obtain the most recent check disbursement register and review for reasonableness.

Test Results:
* Per tester review of the monthly financials, an observation is noted as a sample of four months indicated that the balance sheet is out of balance. Tester also notes that the balance sheets reviewed indicated balance sheet misclassifications and the omission of necessary accruals. Additional observations noted.
* Per tester inquiry with the JV Business Manager, an annual budget is not prepared. Observation noted.
* Per tester review of the AR Aging, approximately 25% of patient account balances were greater than 150 days. Observation noted.
* Per tester review of the AP Aging, monies due to the JV from the JV Partner were greater than 180 days. Observation noted.
* Per tester review of the check disbursement register, a sampling of large dollar items indicated that the Administrator was the only authorized approver and signer of the checks. Tester review of the Policies and inquiry with the Administrator indicated that the Administrator has unlimited disbursement authority. Observation noted.

Score summary: Green Yellow Red

Observations highlighted on the slide:
* Balance Sheets out of balance; misclassification and indication of omission of necessary accruals
* No annual budget prepared
* 25% of patient balances greater than 150 days
* Large Dollar Items: Administrator only authorized approver/signer of checks; unlimited disbursement authority
* AP Aging: Monies due from JV Partner greater than 180 days

21 Inquire about the existence of and test these items. Charge Capture Cash Management Refer to Handout for Summary Operational Program Billings & Collections Operational Audit Assessment

22 Business Process: Operations
JV Name:
Prepared By:    Date:
Reviewed By:    Date:

Information about the Assessment Tool
Purpose: An assessment of the internal controls surrounding the Operational control environment of the JV. While the assessment tool is not inclusive of all internal control considerations, it can help identify areas that require corrective action through implementation of internal controls or refinement of existing internal control procedures.

General Control Objectives:
1. To ensure that the JV day-to-day operations are reasonably controlled with appropriate internal controls.

Scoring Key:
* Green: Utilize green shading and type in "Green" to indicate the existence of internal controls that substantially conform to stated Internal Control (IC) Expectations.
* Yellow: Utilize yellow shading and type in "Yellow" to indicate areas where internal controls exist in part, but need improvement to conform to stated IC Expectations.
* Red: Utilize red shading and type in "Red" to indicate areas where controls may exist but are significantly deficient in meeting stated IC Expectations.

General Control Objectives for Operations:
* Cash is appropriately controlled.
* Duties are appropriately segregated.
* Safety/environmental tours are conducted periodically.

Operational Risks:
* Cash not adequately safe-guarded.
* Inappropriate Segregation of Duties increases the risk of unauthorized transactions occurring.
* Non-compliance with environmental and safety guidelines.

Worksheet columns: Functional Area, Test Step, Test Results, Auditor, Date, Score, W/P Reference
Functional Area: Operations

Test Steps:
1. Inquire if the JV utilizes a Cash Management Policy. Select a sample of items for testing.
2. Inquire if the JV utilizes a bank lock box or a post office box for receipts. If not, inquire about the process surrounding the payment receipts.
3. Inquire if the duties for receiving payments and posting payments are segregated. Observe the process for validation.
4. Inquire if the receipt of payments function and the deposit function are appropriately segregated. Observe and test a sample of batches for validation.
5. Inquire if deposits are made on a daily basis. Test a sample for reasonableness.
6. Inquire if the JV utilizes a petty cash drawer and a change fund drawer. If so, inquire if the drawers are maintained separately by appropriate personnel. Test for reasonableness.
7. Inquire if the JV has the following in place:
   a) Acknowledgement of Receipt forms for Custodians
   b) Responsibility Logs/Transfer of Custody forms for Custodians
   c) Semi-annual audits of the drawer
   d) Secure area to maintain monies during business hours
   e) Secure area to maintain monies during non-business hours
8. Inquire if the JV utilizes Purchase Orders. Also inquire if a three way match between the PO, the receiving lists and the invoices are being conducted by appropriate personnel. Test for reasonableness.
9. Perform a brief walkthrough of the Switch Room area.
10. Inquire if environmental/safety tours are periodically conducted. Test for reasonableness.

Test Results:
* Per tester inquiry of the JV employees and the JV Business Manager, the same employee can receive payments and post payments. Observation noted due to segregation of duties issue.
* Per tester inquiry of the JV employees and the JV Business Manager, deposits are made only twice a month. The average amount deposited is $30,000. Observation noted.
* Per tester inquiry of JV personnel and the JV Business Manager, employees share the same change fund drawer, which represents a segregation of duties issue. Observation noted.
* Per tester inquiry of JV personnel and the JV Business Manager, the same employee that orders goods can also receive the goods and pay for the goods. This represents a segregation of duties issue. Observation noted.

Score summary: Green Yellow Red

Observations highlighted on the slide:
* Same employee can receive and post payments
* Deposits made twice a month; average amount: $30,
* Employees share same change fund drawer (segregation of duties issue)
* Same employee can order goods and receive and/or pay for those goods

23 Inquire about the existence of and test these items. Protection of Patient Data General/Application Controls Business Continuity Planning/Disaster Recovery Refer to Handout for Summary IT Program Operational IT Assessment

24 Business Process: Information Technology
JV Name:
Prepared By:    Date:
Reviewed By:    Date:

Information about the Assessment Tool
Purpose: An assessment of the internal controls surrounding the Compliance control environment of the JV. While the assessment tool is not inclusive of all internal control considerations, it can help identify areas that require corrective action through implementation of internal controls or refinement of existing internal control procedures.

General Control Objectives:
1. Regulatory Compliance: Policies and procedures; and internal controls in place to reasonably ensure regulatory compliance.

Scoring Key:
* Green: Utilize green shading and type in "Green" to indicate the existence of internal controls that substantially conform to stated Internal Control (IC) Expectations.
* Yellow: Utilize yellow shading and type in "Yellow" to indicate areas where internal controls exist in part, but need improvement to conform to stated IC Expectations.
* Red: Utilize red shading and type in "Red" to indicate areas where controls may exist but are significantly deficient in meeting stated IC Expectations.

General Control Objectives for Information Services:
* Access to data files is appropriately restricted to authorized users and programs.
* Critical data and program applications are secure.
* Physical security of critical computer hardware and servers is ensured.
* Business recovery and resumption is assured.

Potential Risks for Information Services:
* Information in master files is accessed and/or manipulated by unauthorized personnel.
* Unauthorized transactions or data are entered through inappropriate authorized user access.
* Critical data is lost or unrecoverable.
* Business resumption is impeded when data processing cannot be continued in a timely manner.

Worksheet columns: Functional Area, Test Step, Test Results, Auditor, Date, Score, W/P Reference
Functional Area: Information Technology

Test Steps:
1. Inquire if the JV utilizes an electronic medical record system (EMR).
2. Inquire if the JV utilizes formalized IT Policies. Test a sample for compliance.
3. Inquire if the JV has experienced any key performance failures or breaches lately; if there have been any significant problems or recent deficiencies. Inquire if logging occurs. Review for reasonableness.
4. Inquire if there have been any significant changes during the year at the JV. Also inquire if there are any planned IT upgrades or initiatives in the short term/long term. Review for reasonableness.
5. Obtain a listing of all users and review for shared or generic ID's.
6. Inquire about the use of role based access functionality. Confirm access is granted based on a least privilege model and all employees have the minimum access required to perform their responsibilities.
7. Ensure there is a process to add and update access to the systems. Verify controls are in place to require proper approval before access is granted.
8. Verify that antivirus software is installed on the servers and all connected workstations.
9. Inquire if data is transmitted outside the JV network? Are proper controls in place to secure that data during transport?
10. Can users access systems remotely? Is remote access restricted and secured (i.e. requiring authentication or content encryption)?
11. Verify backup media secure at all times? Verify backup media transported to a secure offsite location? Who has access to retrieve data?
12. Inquire if the JV utilizes your entity's Applications and is on the entity's network.
13. Inquire if the JV has a formalized business continuity plan (BCP) and if it is periodically tested. Review for reasonableness.
14. Inquire if the JV has current Business Associate Agreements (BAA's) in place with IT Vendors. Also inquire if the JV has Service Level Agreements (SLA's) in place with IT Vendors. Inquire if the SLA's are periodically reviewed. Review for reasonableness.
15. Perform a brief walkthrough of the server room for reasonableness of security and controls.
16. Inquire if the JV maintains an IT asset listing. Review for reasonableness.
17. Inquire about the password parameters for the JV systems. Review for reasonableness.

Test Results:
* Per tester review of assigned User ID's, shared ID's are being utilized by three employees. Observation noted.
* Per tester inquiry with the JV Administrator, backups are not transported offsite nor are they periodically restored. Observations noted. Tester also notes that the primary server is stored in an unsecured location on the floor. Additional observation noted.
* Per tester inquiry with the JV Administrator and with IT Support, currently, the JV does not have a formalized Business Continuity Plan (BCP) in place. Observation noted.
* Per tester inquiry with the JV Administrator and tester inspection of the password parameters, network and billing system passwords are three characters. Observation noted.

Score summary: Green Yellow

Observations highlighted on the slide:
* Employees utilize shared IDs
* Backups are not transported offsite or restored; Primary server located in unsecured location
* No formalized Business Continuity Plan
* Network and billing system passwords contain 3 characters

25 Management/Administrator? Who is your audit report issued to and who will drive corrective actions? Board? Partners? Corporate Accounting? Functional clinical areas? A combination of the above? Audit Reporting

26 CHS Compliance & IA Monitoring
Elements:
* Determine/Review Appropriate Compliance Metrics (Planned)
* Obtain & Analyze Monthly Financials
* Obtain & Review BOD Meeting Minutes
* Follow-Up on Audit Issues
* Perform Risk Assessment for Future Audits

27 Conclusion & Q&A
* Senior Management Can Offer Additional Support
* Recognize Risk Factors of Diverse JVs
* Understand & Monitor Your JVs

28 Save the Date: August 26-29, st Annual Conference in Philadelphia Pennsylvania 2011 AHIA Annual Conference -