FY 2013 Internal Audit Annual Report


Purpose of the Internal Audit Annual Report: To provide information on the assurance services, consulting services, and other activities of the internal audit function. In addition, the annual internal audit report assists oversight agencies in their planning and coordination efforts.

Table of Contents

I. Compliance with House Bill 16
II. Internal Audit Plan for Fiscal Year 2013
III. Consulting Services and Nonaudit Services Completed
IV. External Quality Assurance Review (Peer Review)
V. Internal Audit Plan for Fiscal Year 2014
VI. External Audit Services Procured in Fiscal Year 2013
VII. Reporting Suspected Fraud and Abuse

I. Compliance with House Bill 16: Posting the Internal Audit Plan, Internal Audit Report, and Other Audit Information on Internet Web site

The purpose of House Bill 16 (83rd Legislature, Regular Session), signed into effect on June 14, 2013, was to amend Texas Government Code 2102 by adding section The newly added section includes requirements for state agencies and higher education institutions to post on their Internet websites their approved fiscal year audit plans and annual audit reports within 30 days of the date the plan or report is approved.

To comply with the provisions of HB 16, UT Health Northeast's Internal Audit Office will begin posting approved annual audit plans to the institution's external Internet website in addition to the annual audit reports already made available on the site. The Internal Audit Office will implement procedures to ensure the annual audit plans and annual audit reports are posted within 30 days of the date approved as required. Both the plan and report will be posted in the Reports to the State section of UT Health Northeast's external website at Resources Reports to the State» UT Health Northeast.

In addition, for the FY 2014 Audit Plan, HB 16 requires that a detailed summary of the weaknesses, deficiencies, wrongdoings, or other concerns raised by the audit plan or annual report, and a summary of actions taken to resolve any concerns, be posted on the entity's website. This requirement will be met via the FY 2014 internal audit annual report due in November 2014 based upon guidelines for these summaries that will be issued by the State Auditor's Office.

II. Internal Audit Plan for Fiscal Year 2013

FY 2013 Audit Plan
Columns: Audit/Project, Audit No., Budgeted Hours, Actual Hours, Status of Plan

Financial
- FY 2012 Financial Statement Audit (final procedures): Completed - Deloitte Issued Report 1/22/
- Presidential Travel and Entertainment Expenses Audit: Completed. Report Issued 11/28/
- Executive Travel and Entertainment Expenses Audit: Completed. Report Issued 2/26/
- FY 2013 Financial Statement Audit (interim procedures): Completed. No Deloitte report for interim.
- UTS Policy Testing (Audit No. N/A): Completed. Memo Documented.
- Supply Inventory Recounts (Audit No. N/A): Completed. Results communicated to Accounting Dept. for annual FS prep.
- Training Facilitated by Internal Audit (Audit No. N/A): Completed. Facilitated both an initial internal control training module in Q1 and updated this module in Q3 for required mandatory annual training.
- Financial Subtotal

Operational
- Revenue Cycle - Patient Access Systems and Processes Audit: Completed. Report Issued 1/8/2013.
- Capital Equipment Operational Audit: Completed. Report Issued 10/22/2013 (during FY 2014)
- Reserve Applied to Special Request - Review of Controls Over Supply Inventories: Completed. Response Letter sent to the SAO
- Reserve Applied to Special Request - Office of Institutional Advancement Change in Management Audit: Completed. Report Issued 9/27/2013 (during FY 2014)
- Other Special Requests (Audit No. N/A): Completed. Misc. ad hoc requests. No formal reports.
- Institutional Committee or Meeting Participation - Advisory Role (Audit No. N/A): Completed.
- Operational Subtotal: 1,205 budgeted hours; 1,147.5 actual hours

Compliance
- OMB Circular A-133 Research Cluster FYE 8/31/2012 - assistance to the SAO: Completed for FY 2012 final procedures and FY 2013 interim procedures. SAO Issued reports
- Family Medicine Residency Program Grant Audit FYE 8/31/: Completed. Report Issued 12/19/2012.
- MSRDP Faculty Practice Plan Audit: Completed. Report Issued 3/4/2013.

(Continued)

FY 2013 Audit Plan (continued)
Columns: Audit/Project, Audit No., Budgeted Hours, Actual Hours, Status of Plan

Compliance (continued)
- Research Compliance Processes and Training - Consulting/Advisory Role: Completed. Developed and presented live training sessions on two topics and served in an advisory role on a third topic
- 340B Drug Pricing Program - Consulting/Advisory Role: Completed. No formal report. Pharmacy Dept. self-assessed.
- Investigations (Audit No. N/A): Completed in an ad hoc assistance role as needed. No formal reports.
- Compliance Subtotal

Information Technology
- Laptop Encryption & IT Inventory Audit: Completed. Report Issued 5/31/2013.
- Information Technology Subtotal

Follow-up
- Quarterly Follow-Up and Validation of Outstanding Audit Recommendations (CATS reports): Completed. Tracking grids presented at quarterly Audit Committee meetings. No formal reports.
- Follow-up Subtotal

Projects
- Annual Risk Assessment & Audit Plan Preparation (Audit No. N/A): Completed. Audit Plan Approved by Internal Audit Committee on 7/12/2013.
- UT System & SAO Reports and Requests (Audit No. N/A): Completed.
- Internal Audit Committee (Audit No. N/A): Completed.
- Annual Quality Assessment Activities & Systemwide QA Proposal Review Team Participation (Audit No. N/A): Completed.
- Projects Subtotal

Total Hours 2,910 3,

Summary of FY 2013 Mid-Year Audit Plan Changes

FY 2013 Audit Plan
Columns: Audit/Project, Project Number, Budgeted Hours

Financial
- As originally approved (one engagement): Presidential Travel and Entertainment Expenses Audit
- As conducted (two engagements): Presidential Travel and Entertainment Expenses Audit; Executive Travel and Entertainment Expenses Audit

Operational
- Reserve as originally approved: Reserve for Special Requests - Audits or Formal Consulting (Project Number N/A, 225 hours)
- Reserve partially applied: Review of Controls Over Supply Inventories
- Reserve partially applied: Change in Management Audit - Office of the Vice President for Institutional Advancement

Information Technology
- As originally approved (encryption scoped in as one aspect of engagement): Electronic Health Records - HIPAA Security Rule Audit
- As conducted (UTS requested focused laptop encryption audit and added IT inventory): Laptop Encryption & IT Inventory Audit

Projects
- As originally approved: Annual Quality Assessment Activities (Project Number N/A, 60 hours)
- As proposed: Annual Quality Assessment Activities & Systemwide QA Proposal Review Team Participation (Project Number N/A, 60 hours)

III. Consulting Services and Non-audit Services Completed

Report Title: 340B Drug Pricing Program Consulting/Advisory Role
Report Date: No formal report
High-Level Objective: To assist the institution's Pharmacy Department with its self-assessment of control measures, policies, procedures, and records that demonstrate compliance with section 340B of the Public Health Service Act, as amended by the Patient Protection and Affordable Care Act.
Results: Pharmacy Department queries, reports, policies, and procedures were updated to meet newly issued regulatory guidance. Internal Audit assisted with research, data testing, collaborating with subject matter experts, and policy and procedure review.

Report Title: Internal Control and Research Compliance Training Provided by Internal Audit
Report Date: No formal report
High-Level Objective: Prepare training presentations and provide live training sessions concerning internal controls over purchases and expenditures, and research compliance topics.
Results: Facilitated both an initial internal control training module in Q1 and updated this module in Q3 for incorporation into mandatory annual training. Also developed and presented live training sessions on two research compliance topics and served in an advisory role on presentation of a third topic.

Report Title: Institutional Committee or Meeting Participation Advisory Role
Report Date: No formal report
High-Level Objective: Contribute to institutional governance by participating in an advisory role on several committees.
Results: Internal Audit served in an advisory capacity on a number of standing and ad hoc committees during the year and completed various action items assigned during the committee meetings.

Report Title: Investigations
Report Date: No formal report
High-Level Objective: Review allegations of abuse, misappropriation, or fraud as needed.
Results: Internal Audit provided assistance in evaluation or analyses as needed.

IV. External Quality Assurance Review (Peer Review)


V. Internal Audit Plan for Fiscal Year 2014

Audit Universe and Risk Assessment Methodology

The audit universe is an objective assessment of auditable activities within the institution. The universe was originally developed in coordination with the UT System Audit Office, UT System Health Institutions, UT Health Northeast management, and Internal Audit Committee members. The universe is updated each year via a collaborative process with institutional employees and UT System leaders, as well as by reviewing the institutional strategic plan; relying on results of prior engagements and reports from internal and external monitoring functions; and reviewing committee meeting minutes and other information available to the Office of Internal Audit.

The audit universe is divided into the following seven areas:

- Financial
- Operational
- Compliance
- Information Technology
- Follow-Up
- Projects
- Reserve

The UT System Audit Office identified projects requested by UT System Administration leadership and the Board of Regents. The UT Health Northeast Office of Internal Audit identified externally required audits by reviewing requirements of programs and interviewing key management, and risk-based engagements based on risk assessments performed using the Enterprise Risk Management model. The UT System Audit Office and the UT Health Northeast Office of Internal Audit identified other projects.

The Enterprise Risk Management (ERM) model was used to develop the risk assessment for all areas within the institution. Using the ERM model, a risk footprint was developed. The UT Health Northeast tier 1 risk footprint includes the following thirteen activities: Patient Care, Financial and Asset Management, Business Operations, Education, Research, Governance and Leadership, Information Technology, Plant Operation and Maintenance, Human Resource Management, Purchasing, Institutional Functions and Auxiliary Departments, Institutional Advancement, and Institutional Compliance Program.

These thirteen (tier 1) activities were evaluated more extensively at tier 2. For FY 2014 audit planning purposes, risk assessments have been completed at the tier 2 level for Patient Care, Research, Information Technology, Business Operations, and Education. The following ERM methodology was used in classifying risks and evaluating the potential impact to the organization and probability of occurrence:

Determination of Impact

Impact is the effect of the risk on the achievement of goals. Impact was measured as high, medium or low. Factors considered included:

- Health or safety consequences
- Potential financial loss (asset loss, expense, or revenue impairment)
- Fines or other civil sanctions
- Criminal penalties
- Strategic importance
- Negative public or political relations
- Loss to reputation that may affect future state funding, grants, or donations
- Sensitivity of data associated with the process or activity

High Impact: If the risk happens, the institution will probably not achieve its objective or to do so will require major damage control and expense.

Medium Impact: If the risk happens, the institution will have to do extra work or will be inefficient, but still may achieve its goals and objectives.

Low Impact: If the risk happens, the institution will be aware of it, but it will have little or no effect on operations or achievement of goals and objectives.

Probability

Probability is the likelihood of the risk happening. Probability was measured as high, medium, or low. Factors considered included:

- Quality of existing controls/expectation that controls will mitigate risk
- Management and employee competence
- Public awareness, interest, or exposure that affects or provokes occurrence
- Complexity of systems or operations
- Changes in management or employee turnover
- Regulatory oversight that reduces likelihood of occurrence
- Recent degree of change, or stability, in process or activity
- Susceptibility of process or activity to human error
- Susceptibility of process, activity, or data to equipment or technology failure
- Susceptibility of process, related assets, or data to fraud or override

High Probability: The risk will happen frequently or often.

Medium Probability: The risk will happen infrequently. It is likely to happen, but not often.

Low Probability: The risk will seldom happen. It is unlikely it will happen at all.

In addition to using the ERM model, we interviewed Audit Committee members and key management to identify areas of higher risk and concern within the institution. Mandatory audits, projects, reserve for special requests, and audit resources were also considered when preparing the plan.

High Risks Not Covered

High risk areas identified but not included in the FY 2014 audit plan include certain risks in the following categories:

- Financial and Asset Management
- Patient Care
- Institutional Functions and Auxiliary Departments
- Human Resource Management
- Education
- Business Operations
- Plant Operation and Maintenance
- Research
- Purchasing
- Institutional Compliance Program

For high risk areas identified, ongoing institutional mitigating controls and monitoring processes are in place to reduce risk. For some of the risks identified, internal or external audits or reviews have been performed within the past two years.

Approved FY 2014 Audit Plan

The UT Health Northeast Internal Audit Committee approved the FY 2014 Audit Plan on July 12,

FY 2014 Audit Plan
Columns: Project No., Audit/Project, Budgeted Hours, % of Total

Financial
- FY 2013 Financial Statement Audit (final procedures): 75
- Presidential Travel and Entertainment Expenses Audit
- Executives' Travel and Entertainment Expenses Audit
- FY 2014 Financial Statement Audit (interim procedures): 80
- UTS Policy Testing
- Supply Inventory Recounts: 16
- Financial Subtotal %

(Continued)

FY 2014 Audit Plan (continued)
Columns: Project No., Audit/Project, Budgeted Hours, % of Total

Operational
- Pharmacy Audit
- Patient Revenue Cycle Audit: 350
- Operational Subtotal %

Compliance
- Family Medicine Residency Program Grant Audit FYE 8/31/: 75
- MSRDP Faculty Practice Plan Audit
- Consulting - Meaningful Use Assessment and Compliance Committee - Advisory Role: 40
- Compliance Subtotal %

Information Technology
- TAC Online Banking and PeopleSoft Financial System Audit
- Electronic Health Records Audit - HIPAA Security Rule: 250
- Information Technology Subtotal %: 400

Follow-up
- Quarterly Follow-Up and Validation of Outstanding Audit Recommendations (CATS Reports): 150
- Follow-up Subtotal: 150 (5%)

Projects
- Training Provided by Internal Audit: 40
- Project Management Collaboration and Oversight: 20
- Institutional Committees/Workgroups - Advisory Role: 36
- Annual Risk Assessment & Audit Plan Preparation: 140
- UT System & SAO Reports & Requests: 40
- Internal Audit Committee Preparation/Participation: 100
- Annual Quality Assessment Activities: 30
- External Quality Assessment: 80
- Automated Audit Tools: 40
- Projects Subtotal %

Reserve
- Reserve for TBD Engagements: 270
- Reserve Subtotal: 270 (9%)

Total Hours 3, %

VI. External Audit Services Procured in Fiscal Year 2013

UT Health Northeast acquired an external financial audit of the East Texas Quality Care Network (ETQCN) for the fiscal years ended August 31, 2012 and ETQCN is a tax exempt and certified nonprofit health care corporation affiliated with UT Health Northeast. The audit was performed by Henry & Peters, P. C., a firm located in Tyler, Texas. The audit was completed in FY 2013 and the report was dated October 5, The SAO delegated authority to UT Health Northeast to contract for these audit services.

The University of Texas System acquired a financial audit of the UT Health Northeast financial statements from Deloitte & Touche, LLP for the fiscal year ended August 31, The audit was completed in FY 2013 and the report was dated January 22, The SAO delegated authority to UT System to contract for these audit services as an addendum to a System-wide agreement.

VII. Reporting Suspected Fraud and Abuse

UT Health Northeast has taken the following actions to implement the requirements of:

Section 7.09 Fraud Reporting, General Appropriations Act (83rd Legislature, Conference Committee Report), Article IX. The institution's website includes the State Auditor's Office fraud hotline information and a link to the State Auditor's website for fraud reporting. The information is linked from the institution's home page via a link entitled, How to Report Fraud, Waste, and Abuse. The institution has also included information on how to report suspected fraud involving state funds to the State Auditor's Office in its Compliance and Ethics Hotline Reporting Policy in the Institutional Handbook of Operating Procedures (IHOP).

Texas Government Code Section , Coordination of Investigations: UT System has implemented UTS Policy 118, Section 24, which outlines the reporting requirements of Texas Government Code This policy is applicable to all UT System institutions, including UT Health Northeast. The policy states that if funds received from the state are lost, misappropriated, misused, or other unlawful conduct has occurred in relation to the entity, the Chief Administrative Officer shall report the reason and basis for the alleged fraud to the state auditor as required by Texas Government Code The UT Health Northeast President is knowledgeable about the policy requirements and his reporting responsibilities to the state auditor.