PREPARING A RISK BASED AUDIT WORK PROGRAM

Slide 1: Preparing a Risk Based Audit Work Program
Bailey Jordan, Partner, GRC Practice Leader, Grant Thornton, LLP
David Tyler, Principal, Health Care Advisory, Grant Thornton, LLP
AHIA 32nd Annual Conference, August 25-28, 2013, Chicago, Illinois

Slide 2: COSO Framework
17 Principles: each principle, assigned to one of the 5 components, must be present and functioning in an organization for it to have effective internal control.
Control Environment
  1. Demonstrates commitment to integrity and ethical values
  2. Exercises oversight responsibility
  3. Establishes structure, authority and responsibility
  4. Demonstrates commitment to competence
  5. Enforces accountability
Risk Assessment
  6. Specifies suitable objectives
  7. Identifies and analyzes risk
  8. Assesses fraud risk
  9. Identifies and assesses significant change
Control Activities
  10. Selects and develops control activities
  11. Selects and develops general controls over technology
  12. Deploys through policies and procedures
Information & Communication
  13. Uses relevant information
  14. Communicates internally
  15. Communicates externally
Monitoring Activities
  16. Conducts ongoing and/or separate evaluations
  17. Evaluates and communicates deficiencies

Slide 3: Control Environment
- Has executive-level management set the tone at the top for employee conduct within a sound risk management and control structure?
- Are your organization's policies and procedures well documented and adhered to?
- Are there monitoring mechanisms in place to ensure adherence to policies and procedures?
- How well do your information systems support your business needs?

Slide 4: Control Environment (Continued)
- What are the key performance indicators used to manage your business?
- Use, application, and aggressiveness of accounting principles?
- Materiality, both in terms of quantitative (dollars) and qualitative (internal control) factors?
- Other issues or risks that require a substantial portion of management's time and attention?

Slide 5: Risk Assessment Sources
- What past problems could indicate future risk?
- Are risks driven by external factors? Which ones?
- Are risks driven by internal factors? Which processes?
Factors (external and internal): Economy, Regulation, Technology, Shareholders, Politics, Stability, Structure, Resources, Innovation, Incentives

Slide 6: Risk Assessment Measuring
- How big are your organization's risks?
- What is the impact to capital, earnings, cash flow, key performance indicators, and reputation?
- What is the likelihood that the possible future outcomes giving rise to your risks will occur?
[Figure: likelihood vs. impact matrix; both axes run from Low to Critical]

Slide 7: Primary Risk Factors
Materiality of Amounts
- Large dollars/transactions
- High transaction volume
- Impact on ratios/covenants
Process Complexity
- Limited internal skills
- Multiple data handoffs
- Highly technical in nature
Adjustment History
- Prior accounting errors
- Valuation adjustments
Propensity for Change
- Improve business processes
- Enhance controls
- Related accounting

Slide 8: Corporate Governance Process
Risk Assessment
- Processes: Revenue, Expenses, Payroll, Production, Treasury, Reporting
- Risks:
  - Strategic: Budgeting, Capacity
  - Operational: Liquidity, Continuity
  - Reporting: Data capture, Consolidation, Estimates
  - Compliance: Integrity, Regulations
- Information Technology: Preventative vs. Detective; Automated vs. Manual; Link to COSO
- Related Assertions: Completeness & accuracy; Authorization; Existence & occurrence; Cut-off; Rights & obligations; Valuation; Presentation & disclosure; Safeguarding assets
- Internal Audit Controls & Tools

Slide 9: Project Plan & Execution
Phase I: Entity-level risk assessment & project planning
- Evaluate & assess entity-wide risks
- Identify processes requiring internal audit consideration
- Create multi-year audit plans
- Identify project team members
- Obtain management buy-in
Phase II: Process & control assessment & documentation
- Gather existing documentation & information
- Analyze process risks & controls
- Create audit plan & define scope
- Identify potential risks/opportunities
- Enhance policies
Phase III: Design & execute tests of critical controls over reporting & disclosures
- Identify controls for testing
- Design control tests
- Execute/document tests of controls
- Identify issues & create action plans
- Report findings
- Follow-up on agreed action plans
Phase IV: On-going internal audit compliance; Enterprise risk management
- Continuous improvement
- Update risk assessments
- On-going testing & audit activities
- Broaden scope to cover other risks
Throughout: Coordinate with External Auditors & Business Advisors

Slide 10: Internal Audit Steps
1. Understand & Document
   - Understand the Business & its Environment
   - Consider Management Assessment Process
   - Determine Scope
   - Understand & Document Internal Controls
   - Evaluate Design Effectiveness
   - Confirm Correctness & Perform Walkthroughs
2. Analyze & Test
   - Identify Key Activity-Level Controls
   - Determine Strategy for Key Controls
   - Perform
3. Evaluate & Report
   - Evaluate Findings
   - Communicate Findings
   - Report

Slide 11: Current healthcare business climate
Pressures throughout the healthcare industry, from financial market instability to increased regulation and reform, place increased stress on the provider sector.
- ACO - PCMH
- Capital market volatility continues
- Health reform is both a friend and a foe
- Competition tightening
- Tougher regulatory environment
- Pending price compression
- Medicare reimbursement reductions
- Payers under unprecedented financial strain
- State budget crises impact Medicaid rates
- Pace of consolidation quickening
- Increased transparency
- Significant IT initiatives
- Forecasting accuracy is critical
- HIE and HIX
- Financial impact of risk and compliance
- Diminished ability to pass on cost increases
- Physician integration - profitably
- Ability to address clinical effectiveness

Slide 12: Improve strategic value of audits
- Incorporate ERM
- Link audit plan to key operational events (i.e., system conversion, ICD-10, etc.)
- Link audit plan to strategic plan
- Incorporate PMO and IA plan
- Do not be married to the GL
- Involve the business owner
- Link audit feedback to future business planning
- Report back on plan vs. actual (i.e., joint venture activity, IT initiatives, etc.)

Slide 13: Example risk based audit topics
- Accuracy of financial budget to actual, historic and forward looking
- IT project management outcomes
- ICD-10 roll out plan
- System conversion management (EPIC, Cerner, etc.)
- Strategic relationship evaluation criteria
- Physician employment performance measurement
- Security breach action plan
- Financial performance metrics/ratios
- Revenue cycle/revenue integrity

Slide 14: Understand your Business (Step 1: Understand & Document)
Boundary Events
- Transaction initiated
- Services provided
- Transaction recorded
- Transaction completed (receiving or paying)
Internal Events
- Data input
- Data transfer
- Data processing
- Output
Discretionary Events
- Data input
- Assumptions made
- Perform calculations
- Output
Report Events
- Internal reports & general ledger
- Consolidate
- Adjustments made
- Statement & disclosure preparation

Slide 15: Consider Management Assessment (Step 1: Understand & Document)
- Be acquainted with management's actions
- Obtain management's documentation
- Use questionnaires/interviews to evaluate the sufficiency of work
- Evaluate the results of their work
- If internal audit results differ from those of management, a deficiency is likely to exist in management's process

Slide 16: Determine the Scope (Step 1: Understand & Document)
Scope Drivers
- Materiality of amounts
- Degree of inherent control failure risk
- Criticality of related assertions
- Prior failure
- Strategic value
Always In-Scope
- Significant accounts
- Entity-level & key controls
- Important locations
- Locations with specific risks
- Locations posing collective risks
Significant Accounts
- Revenues (Care, Caid, Commercial)
- Inventories
- Capital assets
- Expenses
- Payroll
- Investments
- Financing
Key Controls
- Identified as more internal control risk
- Detective & preventive controls
- More extensive testing
- Tested by auditors

Slide 17: Document Internal Controls (Step 1: Understand & Document)
- General controls provide a reliable operating environment and provide a basis for reliance on application controls
- Application controls directly support financial reporting
- IT general controls (ITGCs):
  - IT control environment
  - Program development
  - Program changes
  - Computer operations
  - Access to programs and data
- IT general controls are tested over a period of time; application controls are tested at a point in time

Slide 18: Evaluate Design Effectiveness (Step 1: Understand & Document)
Locate deficiencies
- Missing controls
- Missing control objectives
- Incompatible duties
- Undocumented controls
- Inappropriate mix of controls
- Automated controls within weak general control environments
- Missing security access controls
- Duplicative controls
Control weaknesses may be a deficiency. Control weaknesses may aggregate to become a deficiency or significant deficiency.

Slide 19: Performing Walkthroughs (Step 1: Understand & Document)
- Walkthroughs should be performed annually at a minimum
- Experienced auditors should perform, or closely supervise inexperienced personnel performing, each walkthrough
- Confirm correctness through walkthroughs in conjunction with other types of control testing
- Coordinate walkthroughs with timing of value to the business

Slide 20: Identify Key Activity-Level Controls (Step 2: Analyze & Test)
Process Importance
- Material errors may occur
- Higher volume increases error potential
- Greater complexity
- Significant judgment
- Fraud potential
- Related-party transactions
- Recent changes
- Recent failures
Control Objectives
- Completeness & accuracy
- Authorization
- Integrity
- Safeguarding
- Reconciliation
- Budgetary
Nature of the Control
- Risk that control is ineffective
- Automated & manual
- Preventative & detective
- Operational

Slide 21: Actual client top ranked risks (High Significance, High Likelihood)
- Revenue: Revenue - Billing; PFS Implementation (revenue delays)
- Entity Level: Physician Alignment; Corporate Strategy; Marketplace Consolidation
- Human Resources: Physician Recruiting
- Legal: Physician Peer Review
- Regulatory: ICD 10
- Operations: Specialty Medical Coverage; ER (staffing, flow thru, cost); Process Improvement (policies, procedures, record security classification/retention, etc.)
- Information Technology: IT Infrastructure; IT Security

Slide 22: Actual client selected audits (High Significance, High Likelihood)
- Revenue: Revenue - Billing; PFS Implementation (revenue delays)
- Entity Level: Physician Alignment; Corporate Strategy; Marketplace Consolidation
- Human Resources: Physician Recruiting
- Legal: Physician Peer Review
- Regulatory: ICD 10
- Operations: Specialty Medical Coverage; ER (staffing, flow thru, cost); Process Improvement (HR policies, record security classification/retention, etc.)
- Information Technology: IT Infrastructure; IT Security (recent HIPAA breach)
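The likelihood-versus-impact measurement of slide 6, scored from the primary risk factors of slide 7 and feeding the high-significance / high-likelihood selection of slides 21 and 22, carried through as an added Python illustration that is not part of the presentation. The four-point scale, the factor weights and the sample risk universe are assumptions constructed for this example.

```python
# Added example: rank an audit universe by likelihood and impact (the primary
# risk factors), then select the high-significance / high-likelihood items.
# The scale, weights and sample entries are assumptions constructed here.
from dataclasses import dataclass

SCALE = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}   # assumed axis scale
WEIGHTS = {"materiality": 0.4, "complexity": 0.2,              # assumed factor weights
           "adjustment_history": 0.2, "propensity_for_change": 0.2}
HIGH_HIGH = "High Significance, High Likelihood"

@dataclass(frozen=True)
class Risk:
    area: str                # e.g. Revenue, Regulatory, Information Technology
    name: str
    likelihood: str          # rating from SCALE
    materiality: str         # the four primary risk factors, same scale
    complexity: str
    adjustment_history: str
    propensity_for_change: str

def impact_score(r: Risk) -> float:
    """Weighted average of the primary risk factors, on the 1..4 scale."""
    return sum(SCALE[getattr(r, f)] * w for f, w in WEIGHTS.items())

def quadrant(r: Risk, threshold: float = 2.5) -> str:
    """Place the risk in the likelihood/impact matrix (High = at or above threshold)."""
    high_l = SCALE[r.likelihood] >= threshold
    high_i = impact_score(r) >= threshold
    return {(True, True): HIGH_HIGH,
            (True, False): "Lower Significance, High Likelihood",
            (False, True): "High Significance, Lower Likelihood",
            (False, False): "Lower Significance, Lower Likelihood"}[(high_l, high_i)]

def rank(universe: list[Risk]) -> list[Risk]:
    """Order by likelihood x impact, highest first."""
    return sorted(universe, key=lambda r: SCALE[r.likelihood] * impact_score(r), reverse=True)

def audit_plan(universe: list[Risk]) -> list[str]:
    """Names of the risks in the high/high quadrant, in ranked order."""
    return [r.name for r in rank(universe) if quadrant(r) == HIGH_HIGH]

# Constructed sample universe echoing the categories on slides 21-22.
UNIVERSE = [
    Risk("Revenue", "Billing / PFS implementation", "High", "Critical", "High", "High", "Critical"),
    Risk("Information Technology", "IT security", "High", "High", "High", "Moderate", "High"),
    Risk("Regulatory", "ICD-10 transition", "Critical", "High", "High", "Low", "Critical"),
    Risk("Operations", "Specialty medical coverage", "Moderate", "Moderate", "Low", "Low", "Low"),
    Risk("Treasury", "Investment valuation", "Low", "Critical", "High", "Critical", "Low"),
]
```

Calling `audit_plan(UNIVERSE)` returns the three high/high items in ranked order; the investment valuation entry is high significance but low likelihood, so it stays out of the plan despite its materiality.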

Slide 23: Strategy for Key Controls (Step 2: Analyze & Test)
Using Work of Others
- Third-party & external auditors
- Evaluate their competence
- Relied upon for low-risk controls
- Auditor's own work must provide principal evidence
Nature of Testing
- Inquiry
- Observation
- Sampling
- Reperformance
- CAATs
- Inquiry alone is not sufficient; reperform to verify the control is effective
Timing of Testing
- Year-end testing required
- Intermediate testing prevents rushed testing at year-end
Extent of Testing
- More testing for: manual controls; frequent operation; controls related to multiple assertions
- Less testing for: automated controls; controls over few assertions

Slide 24: Perform (Step 2: Analyze & Test)
- Undocumented manual controls are tested by inquiry & observation
- Documented manual controls are tested by inquiry and observation, and also by sampling and reperformance
- Sampling work performed should cover control performance by review of documentation and correctness by reperformance
- Automated controls are tested by inquiry, observation, & CAATs

Slide 25: Drive true value to your business

Slide 26: Questions/Closing

Slide 27: Your Speakers
Bailey Jordan, Partner, GRC Practice Leader, Raleigh Office
David Tyler, Principal, Health Care Advisory Services, Atlanta Office

Slide 28: Save the Date
September 21-24, rd Annual Conference, Austin, Texas