INTERNAL CONTROLS AUDITOR JOHN BYRD, SENIOR AUDITOR TONYA CARRIGAN, SENIOR AUDITOR

Transcription

1 1 INTERNAL CONTROLS FOR THE BEGINNING AUDITOR JOHN BYRD, SENIOR AUDITOR TONYA CARRIGAN, SENIOR AUDITOR UF HEALTH SHANDS HOSPITAL AHIA 32 nd Annual Conference August 25-28, 2013 Chicago, Illinois

2 Two Academic Medical Centers with Level 1 Trauma Centers UF Health Shands Hospital UF Health Jacksonville Hospitals UF Health Shands Cancer Hospital UF Health Shands Children s Hospital UF Health Rehab Hospital UF Health Shands Psychiatric Hospital UF faculty physicians provide outpatient care in more than 80 UF Clinics

3 3 Audit Services Provides Audit Services to all Shands Hospitals Provide approximately 2,200 Hours Annually to the External Audit Department 1 Director IT Audit Manager 6 Senior Auditors 1 Staff Auditor

4 4 Better Known for:

5 5 Presentation ti Objectives: Explain the relationship between risk and control Provide an understanding di of internal controls Explain the importance of implementing an internal control framework Learn to identify internal controls within processes Examine and understand d common controls

6 Adding Value 6 Internal Auditors Can Add Value by: Reviewing Critical Control Environments and Risk Management Providing Advice on Control System Improvement and Design Implementing Risk-Based Audit Approach Directing Audit Resources to Most Important Areas of the Organization

7 7 Objectives and Risk Objective: All businesses have an objective In healthcare it is usually to Deliver Quality Patient Care Risks: Enterprise Risk Management ERM Framework for management to identify risk

8 8 Internal Controls to the Rescue

9 9 Internal Controls COSO Definition It Internal control is broadly defined d as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: 1. Effectiveness and efficiency of operations. 2. Reliability of financial reporting. 3. Compliance with applicable laws and regulations.

10 10 Internal controls include: Definition Continued Promoting efficient and effective operations Safeguarding organizational resources Increasing reliability of information Rd Reducing surprises and unexpected outcomes Assuring compliance with policies, procedures and applicable laws and regulations

11 11 Control Framework Established process for the application and testing of an organization s control environment

12 12 COSO and COBIT COSO Committee of Sponsoring Organizations of the Treadway Commission Jointly Sponsored by: Five Organizations Including the IIA The Institute t of Internal Auditors COBIT COBIT 5 is the latest edition of ISACAs ISACA s globally accepted framework Provides framework for IT Control Testing

13 COSO Framework 13 New Frame work introduced in 2013 Control Environment Risk Assessment Control Activities Information and Communication The COSO Cube Monitoring Activities COSO Executive Summary

14 Control Environment 14 Sets the Tone for an organization Provides Structure Management s philosophy, assigned responsibilities COSO Executive Summary

15 15 Control Environment Examples Examples: Tone at the Top Internal Control Policy Compliance Program Code of Conduct

16 16 Risk Assessment Established objectives linked at different levels Identification of relevant risk to the achievement of the objectives Special risk are those specific to an industry COSO Executive Summary

17 17 Risk Assessment Mechanism to Identify Risk Control Self Assessments Meetings with Management Risk Matrix ERM Enterprise Risk Management COSO Executive Summary

18 18 Control Activities Policies and Procedures that help mitigate risk and assist management in meeting their hi objectives Heart and Soul of control testing

19 19 Control Activities Examples Examples: Approvals/Authorizations Reconciliations Segregations of Duties Verifications Security of Assets

20 Information and 20 Communication Necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives Communication is the continual process of providing, sharing, and obtaining necessary information COSO Executive Summary

21 21 Examples: Information and Communication Present properly the transactions and related disclosures in the financial statements Provide and communicate relevant and accurate information to enable decision making

22 COBIT 22 Based on 5 Principles Principle 1: Meeting Stakeholder Needs Principle 2: Covering the Enterprise End-to-End Principle 3: Applying a Single, Integrated Framework Principle 4: Enabling a Holistic Approach Principle 5: Separating Governance From Management ISACA.org

23 TYPES of CONTROLS 23 Preventative Designed to prevent errors or irregularities Approvals Segregation of Duties (SOD) Detective Designed to detect errors or irregularities Reconciliations Cash Counts

24 TYPES of CONTROLS 24 Corrective Designed to correct errors or irregularities Insurance Policy Compensating For inadequate control environment Management Review

25 25 Limitations of Controls Existence of the inherent limitations it ti No Absolute Assurance Cost/Benefit Human element Collusion Judgment Management M t Override Breakdowns

26 26 Identifying i Controls and Controls by Area

27 27 Key and Non-Key Key Controls Significant controls within the business process, which if operating correctly will both ensure and give assurance that the organization is achieving its key business objectives [1] Provide reasonable assurance over the reliability of financial i reporting and the preparation of the financial i statements (ICFR) Non-Key Still Important Key Controls, The Solution for Sarbanes-Oxley Internal Control Compliance by James Brady Vorhies, CIA,CISA,CPA Institute of Internal Auditors Research Foundation

28 28 Considerations When Identifying Controls Where are the points in the flow of transactions where errors can occur? Who performs the control? Does the control depend on IT? What could go wrong?

29 29 Tools Risk Assessments Narratives Walk-Throughs Flow Charts

30 30 Risk Assessments Internal Control Self Assessments Meetings with Management Risk Identified from Other Audits Known Rik Risk within ihi the Id Industry

31 31 Narratives Narratives Describes a Process From Beginning to End Details Significant ifi Steps within the Process Identifies Key and Non-Key Controls Helps to Identify Gaps Ongoing and Updated on an Annual Basis

32 32 Walk-Throughs Walk-Throughs Begins at Initiation of Major Class of Transactions Walk-Through One Transaction Question Personnel on Important Processing Controls Identify Exceptions to the Identified Process

33 33 Flow Charts Flow Charts Use Basic Type of Flow Chart Functional Atiiti Activities It Interactt Process Sequence and Relationships Keep it Simple Map the Important Processes Identify Key Controls Use Software for Assistance eg: Visio

34 34 Significant Areas ITGC General IT Controls Revenue Ancillary Pharmacy Operating Rooms Labs

35 35 Expenditures Payroll Accounts Payable Fixed Assets Inventory T reasury Financial Reporting Quality and Governance Significant Areas

36 36 ITGC General IT Controls ITGC General IT Controls Segregation of Duties Application Controls Access Controls Privileged Accounts Disaster Recovery Management

37 37 Patient Revenue Patient Revenue A/R Reconciliations Valuation of Bad Debt/Contractuals Medical Records/Coding di Billing Charge Capture

38 38 Expenditures Expenditures Accounts payable Purchasing Purchasing cards

39 HR and Payroll 39 HR and Payroll Hiring Payroll Processing Training i Pension Other

40 40 Fixed Assets Fixed Assets Acquisition Depreciation Fixed Asset Reconciliation Monthly reconciliation to detail Other

41 41 Inventory Acquisition Consignment Perpetual Records Other Inventory

42 Financial Reporting 42 Financial Reporting Balance Sheet Account Reconciliations New G/L Accounts and Cost Centers Monthly Financial Statement Review Journal Entries

43 43 Treasury Treasury Wire Transfers Investments Cash collections Other

44 Pharmacy 44 Pharmacy Policies and procedures SOD Monitoring of Controlled Substances ADC Inventory Formulary

45 45 OR/Surgery OR/Surgery Policies and procedure over: Start and Stop Times Vendor Access Room Scheduling Preference Cards Patient Identification and Safety Completion of the Charge List

46 46 Other Ancillary Labs/Radiology/Cardiology Charge Capture Reconciliation Policies and procedures PFS/Admissions Plii Policies and Procedures Proper Financial Class Assignment on Admission Pre-Certs and Authorizations Billing Edits Denial Tracking

47 47 Quality and Governance Policies and Procedures SOD Quality and Governance Prevention of Readmissions Incident Reporting Disaster Drills Regulation Compliance

48 52 TIPS Beware of Reliance on System Controls Always Maintain Healthy Skepticism Trust but Verify Know Your Business Balance Your Control Count Think Critically Remember the IIA Code of Ethics

49 53 Thank You UF Health Shands Hospital John Byrd, Senior Auditor Tonya Carrigan, Senior Auditor

50 Save the Date September 21-24, rd Annual Conference Austin, Texas 54