The University of Texas MD Anderson Cancer Center Internal Audit Annual Report for FY2016


Purpose of the Annual Report

Table of Contents
I. Compliance with Texas Government Code, Section 2102.015: Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit information on Internet Website
II. Internal Audit Plan for Fiscal Year 2016
    Compliance with the Benefits Proportionality Audit Requirements for Higher Education Institutions
    Compliance with the Purchasing and Contracting Requirements for Higher Education Institutions
III. Consulting Services and Nonaudit Services Completed
IV. External Quality Assurance Review (Peer Review)
V. Internal Audit Plan for Fiscal Year 2017
VI. External Audit Services Procured in Fiscal Year 2016
VII. Reporting Suspected Fraud and Abuse

I. Compliance with Texas Government Code, Section 2102.015: Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit information on Internet Website

The Fiscal Year 2017 audit plan, as approved by the Institutional Audit Committee, will be posted on the MD Anderson external website as part of the Fiscal Year 2016 SAO Annual Report. The Fiscal Year 2016 SAO Annual Report, including summaries of reports, will be posted on the MD Anderson external website within 30 days of approval by the President but not later than November 1, 2016, as required.

The following matrix provides a summary of the weaknesses and action taken by management for projects on the Fiscal Year 2016 Audit Plan, as required by Texas Government Code, Section 2102.015:

Progress categories: Fully Implemented; Substantially Implemented; Incomplete/Ongoing; Not Implemented

Report No.: 2015-104
Report Date: 11/23/2015
Name of Report: Nocturnal Program Review
Recommendations: We recommended enhanced controls over: Professional charge capture and reconciliation; Compliance with requirements for verbal provider orders; Standard operating procedures.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete/Ongoing. Full Implementation is expected by March 1, 2017.

Report No.: 2016-103
Report Date: 10/28/2015
Name of Report: Segregation of Duties and Account Reconciliations
Recommendations: Management should enhance controls and processes to ensure segregation of duties and sensitive access remediations are closed timely and reconciliations of federally funded accounts are performed.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete/Ongoing. Full Implementation is expected by December 15, 2016.

Report No.: 2016-105
Report Date: 8/26/2016
Name of Report: Procurement Review
Recommendations: Management should enhance controls and processes surrounding accuracy of contract information, documentation of approvals for contracts and exclusive acquisition forms, compliance with the emergency purchase policy, and monitoring of unauthorized purchases. Furthermore, the Institutional Contract Management Handbook should be finalized.
Summary of Action Taken: Management agreed to enhance controls and processes over the areas noted in the report and finalize the Institutional Contract Management Handbook.
Progress: Incomplete/Ongoing. Full Implementation is expected by October 16, 2016.

Report No.: 2016-107
Report Date: 5/19/2016
Name of Report: Travel and Entertainment Development Office
Recommendations: Management should consider revising the Development Office travel and business entertainment policy to be more closely aligned with the Institution's travel policy when possible, and provide training to all staff, including administrative staff, to ensure travel documentation complies with Travel and Entertainment Guidelines. Management should review the department's guidelines for possible inconsistencies and operational inefficiencies.
Summary of Action Taken: Management has agreed to revise the Development Office's Travel and Entertainment Guidelines, and to educate travelers and travel preparers on the revised guidelines. Management plans to perform annual review of the departmental guidelines to ensure alignment with institutional policy.
Progress: Incomplete/Ongoing.

Report No.: 2016-108
Report Date: 8/31/2016
Name of Report: Facilities Service Vendor Audit
Recommendations: Recommendations related to the following process and control areas were noted:
- Existence of Formal Contract Agreements
- Monitoring of Contract Spend
- Consistent Invoice Approval
- Validation of Service Vendor Measurements
- Discretion with Respect to PO Fund Application
- Detailed Review of Invoiced Rates
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete/Ongoing. Full Implementation is expected by August 31, 2017.

Report No.: 2016-201
Report Date: 6/23/2016
Name of Report: Review of Executive Officers Travel and Business Entertainment Expenditures
Recommendations: We recommended improvements related to: Resolution of personal expenses using the state-issued travel card; Adequate supporting documentation related to foreign travel and entertainment expenses.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Fully Implemented.

Report No.: 2016-203
Report Date: 06/23/2016
Name of Report: Onboarding of Visiting Scientists
Recommendations: We identified opportunities for improvement in the following areas: Conducting criminal background checks; Verifying educational background; Ensuring compliance with required training; Establishing guidance for departmental oversight; Executing legal agreements.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete/Ongoing.

Report No.: 2016-204
Report Date: 1/15/2016
Name of Report: Departmental Review Thoracic Surgery
Recommendations: We recommended enhanced controls over leave management, travel, procurement cards, and system access.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete/Ongoing. Full implementation is expected by December 31, 2016.

Report No.: 2016-205
Report Date: 3/15/2016
Name of Report: Division of Surgery Review
Recommendations: We recommended enhanced controls over system access, segregation of duties within the service center, updating the billing rates and monitoring net income for the service center, and strengthening asset management.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete/Ongoing. Full implementation is expected by December 31, 2016.

Report No.: 2016-206
Report Date: 8/31/2016
Name of Report: Departmental Review Smithville
Recommendations: We recommended enhanced controls over monitoring program income and service center billing rates, enforcement of material transfer agreements (MTAs), monitoring and resolving deficit accounts, monitoring correction requests for over-commitment of effort, accurately recording faculty extramural leave, reviewing and approving grant reconciliations and employee leave in Kronos.
Summary of Action Taken: Management agreed to enhance controls in the recommended areas.
Progress: Incomplete/Ongoing. Full Implementation is expected by December 31, 2016.

Report No.: 2016-210
Report Date: 8/30/2016
Name of Report: Division of Radiation Oncology Charge Capture Assessment
Recommendations: We recommended that Radiation Oncology improve processes to ensure charges are posted to the patient accounts as appropriate. We further recommended that controls should be strengthened for re-billing charges to ensure when a charge is deleted, re-billing occurs as appropriate.
Summary of Action Taken: Management agreed to enhance controls in the recommended area.
Progress: Incomplete/Ongoing.

Report No.: 2016-212
Report Date: 8/30/2016
Name of Report: Division of Diagnostic Imaging Charge Capture Assessment
Recommendations: We recommended that Diagnostic Imaging strengthen controls to ensure that charges are posted to patient accounts or research protocol accounts as appropriate. We further recommended that controls be strengthened to ensure when a charge is deleted, the action is appropriate.
Summary of Action Taken: Management agreed to enhance controls in the recommended area.
Progress: Incomplete/Ongoing. Full Implementation is expected by January 31, 2017.

Report No.: 2016-300
Report Date: 2/24/2016
Name of Report: Excepted from public disclosure

Report No.: 2016-301
Report Date: 02/19/2016
Name of Report: Excepted from public disclosure

Report No.: 2016-303
Report Date: 8/31/2016
Name of Report: Excepted from public disclosure

Report No.: 2016-304
Report Date: 8/30/2016
Name of Report: Excepted from public disclosure

Report No.: 2016-403
Report Date: 7/5/2016
Name of Report: Cybersecurity NIST
Recommendations: Information is excepted from public disclosure
Summary of Action Taken: Information is excepted from public disclosure
Progress: Information is excepted from public disclosure

Report No.: 2016-404
Report Date: 7/5/2016
Name of Report: Data Loss Prevention (Information Security)
Recommendations: Information is excepted from public disclosure
Summary of Action Taken: Information is excepted from public disclosure
Progress: Information is excepted from public disclosure

Report No.: 2016-405
Report Date: 8/31/2016
Name of Report: Patch Management
Recommendations: Information is excepted from public disclosure
Summary of Action Taken: Information is excepted from public disclosure
Progress: Information is excepted from public disclosure

Report No.: 2016-408
Report Date: 8/31/2016
Name of Report: Excepted from public disclosure

II. Internal Audit Plan for Fiscal Year 2016

The following matrix details the status of the Fiscal Year 2016 Audit Plan:

Project No. | Project Title | Report Date | Project Status

Financial Audits
16-100 | FY15 Financial Statement Audit (year-end) | Report issued by Deloitte at UT System level | Complete
16-101 | FY16 Financial Statement Audit (interim) | Report issued by Deloitte at UT System level | Complete
16-102 | Physicians Referral Service Practice Plan | N/A | Project 16-303 Served as the PRS Audit
16-103 | Segregation of Duties and Account Reconciliations | 10/28/2015 | Complete
16-104 | Economic Development Agreement | Consulting Project; Verbal Comments provided to Management | Complete
16-105 | Purchasing Review | 8/26/2016 | Complete

Risk-Based Audits
16-106 | Charge Capture Division of Pathology and Laboratory Medicine | Pending | In Progress
16-107 | Travel and Entertainment Development Office | 5/19/2016 | Complete
16-108 | Construction Activities - Facilities Service Vendor Audit | 8/31/2016 | Complete
16-903 | Travel and Business Entertainment Expense Review | 8/31/2016 | Complete

Operational Audits

UT System Requested / Externally Requested Audits
16-200 | Presidential Housing, Travel, and Entertainment | 5/13/2016 | Complete
16-201 | Executive Travel and Entertainment | 6/23/2016 | Complete

Risk-Based Audits
16-202 | Security Clearance for Contractors | Consulting Project; Verbal comments provided to management | Complete
16-203 | Onboarding of Visiting Scientists | 6/23/2016 | Complete
16-204 | Departmental Review Thoracic Surgery | 1/15/2016 | Complete
16-205 | Division of Surgery Review | 3/15/2016 | Complete
16-206 | Departmental Review - Smithville | 8/31/2016 | Complete
16-207 | Dining Services Cash Handling | N/A | Cancelled
16-208 | Anti-Fraud Initiative | 8/31/2016 | Complete
16-306 | Medical Device Maintenance and Security Assessment | Pending | In Progress

Management Requested Audits
- | General Consultation with Management | N/A | Complete
- | Institutional Committee Participation | N/A | Complete
- | Management Involvement on Co-sourced Construction Projects | N/A | Complete

Consulting Projects
16-209 | Division of Pharmacy Business Operations Review | Pending | In Progress
16-210 | Division of Radiation Oncology Charge Capture Assessment | 8/30/2016 | Complete
16-211 | EHR OneConnect (EPIC) | Consulting Project; Verbal comments provided to management | Complete
16-212 | Division of Diagnostic Imaging Charge Capture Assessment | 8/30/16 | Complete

Compliance Reviews
Excepted from public disclosure

Information Technology Audits

UT System Requested / Externally Requested Audits
16-400 | Deloitte Financial Audit Support | Report issued by Deloitte at UT System level | Complete

Risk-Based Audits / Consulting Projects
16-401 | Cerner Millennium Helix Implementation | Pending | In Progress
16-402 | Post ICD-10 Audit EPIC Integration | Pending | In Progress
16-403 | Cybersecurity / NIST | 7/5/2016 | Complete
16-404 | Data Loss Prevention (Information Security) | 7/5/2016 | Complete
16-405 | Patch Management | 8/31/2016 | Complete
16-406 | EPIC Post Implementation Work | N/A | Merged with 16-401
16-407 | Clinical Devices | Pending | In Progress
16-408 | Excepted from public disclosure

Management Requested Audits
15-409 | OneConnect Program Expenditure Process Assessment | 11/23/2015 | Complete

Other IT Projects
- | IT Follow-up | N/A | Complete
- | Knowledge Sharing and/or Training Documentation Projects | N/A | Complete
- | IT Liaison Activities | N/A | Complete
- | IT Risk Assessment - FY 17 | N/A | Complete
- | Financial and Operational Audit Assistance | N/A | Complete
- | Administrative Activities | N/A | Complete

Follow-Up Audits
- | Follow-up Audits (Quarterly Reporting and Validation) | N/A | Complete

Projects

Development - Operations
- | Internal Quality Assurance Activities | N/A | Complete
- | Internal Audit Committee Preparation/Participation | N/A | Complete
- | Institutional Risk Assessment & Work Plan Development | N/A | Complete
- | TeamMate Software Upgrade | N/A | Complete
- | All-Hazards Risk Leadership Council | N/A | Complete

Development Initiatives & Education
- | UT System Coordination | N/A | Complete
- | Professional Organization/Association Participation | N/A | Complete

Carry Forward
15-104 | Nocturnal Programs | 11/23/2015 | Complete
15-108 | Collection of Patient Co-Payments | 7/5/2016 | Complete
15-107 | Clinical Services Spot Agreements | 9/28/2015 | Complete

Investigations
- | Various investigations | Consulting Projects; Verbal Comments provided to management | Complete

Legend: Audit / Project cancelled; Audit / Project added to Plan

Compliance with the Benefits Proportionality Audit Requirements for Higher Education Institutions:

At the request of the Governor, an internal audit of the proportionality of higher education benefits process was performed during fiscal year 2016. A consistent audit methodology has been deployed across the UT System that assessed the reporting process and accuracy of benefits funding information provided to the State Comptroller as applicable under Rider 8, page III-41, the General Appropriations Act (84th Legislature, Conference Committee Report).

An audit of the benefits proportionality process will also be conducted during fiscal year 2017 and will comply with Rider 8, page III-41, the General Appropriations Act (84th Legislature, Conference Committee Report). The audit will be complete by February 28, 2017.

Compliance with the Purchasing and Contracting Requirements for Higher Education Institutions:

Senate Bill 20 (84th Legislative Session) made several modifications and additions to Texas Government Code (TGC) and Texas Education Code (TEC) related to purchasing and contracting. Effective September 1, 2015, TEC 51.9337 requires that, "The chief auditor of an institution of higher education shall annually assess whether the institution has adopted the rules and policies required by this section and shall submit a report of findings to the state auditor."

The MD Anderson Cancer Center Internal Audit Department conducted this required assessment for fiscal year 2016, and found the following:

Based on review of current institutional policy and the UT System Board of Regents Rules and Regulations, MD Anderson Cancer Center has generally adopted all of the rules and policies required by TEC 51.9337. Review and revision of institutional and System policy is an ongoing process. These rules and policies will continue to be assessed annually to ensure continued compliance with TEC 51.9337.

III. Consulting Services and Nonaudit Services Completed

Project No.: 2016-104
Project Title: Texas Economic Development Agreement
Report Date: Consulting; Verbal Comments provided to Management
Project Objective: To review the reporting methodology and schedules for the annual compliance verification of job creation for the Texas Economic Development Agreement.
Services / Observations / Results / Recommendations: The methodologies appeared consistent with previous submissions. Nothing came to our attention that would indicate the Annual Compliance Verification was materially misstated.

Project No.: 2016-200
Project Title: Presidential Housing, Travel and Entertainment
Report Date: Consulting; Assisted University of Texas System Audit Office
Project Objective: To assist/coordinate audits by UT System to determine if travel and entertainment activities and expenditures of the President and his spouse are conducted in accordance with UT System and MDACC policy.
Services / Observations / Results / Recommendations: Internal Audit assisted The University of Texas System Audit Office (UT System) by providing documentation from institutional systems for review. Any recommendations for improvement were made by UT System.

Project No.: 2016-202
Project Title: Security Clearance for Contractors
Report Date: Consulting; Verbal Comments provided to Management
Project Objective: To determine whether appropriate security clearance (criminal background checks, badging, access, etc.) has been consistently provided for contracted services and independent contractors in accordance with contract provisions.
Services / Observations / Results / Recommendations: A consistent process was developed for conducting criminal background checks for all contractors entering the institution.

Project No.: 2016-208
Project Title: Anti-Fraud Initiative
Report Date: Consulting; Verbal Comments provided to Management
Project Objective: Utilize external consultants to identify potential fraudulent activity. Follow-up on reports from consultants, and report results to management.
Services / Observations / Results / Recommendations: An external vendor performed forensic data mining analysis of accounts payable, vendor, and patient accounting information. Internal Audit conducted a detailed review of the results and did not identify any improprieties or errors that warranted further review. No recommendations were made by Internal Audit as a result of this review.

Project No.: 2016-211
Project Title: EHR OneConnect (EPIC)
Report Date: Consulting; Verbal Comments provided to Management
Project Objective: To consult with management and coordinate with consultants regarding the design and implementation of the electronic health record.
Services / Observations / Results / Recommendations: The EHR Risk Oversight Council identified financial compliance, and information security controls risks throughout the OneConnect implementation and monitored the status of remediation efforts. Verbal updates were provided to management throughout the project.

Project No.: -
Project Title: Various investigations
Report Date: N/A
Project Objective: To conduct investigations as necessary.
Services / Observations / Results / Recommendations: Information was provided to appropriate levels of management.

IV. External Quality Assurance Review (Peer Review)

V. Internal Audit Plan for Fiscal Year 2017 The University of Texas MD Anderson Cancer Center FY 2017 Audit Plan Audit/Project Budgeted Hours % of Total Description Risk Based Audits Charge Capture - Division of Anesthesiology and Critical Care Charge Capture - Regional Care Centers 700 To conduct a charge capture audit of select areas within the Division to determine if services provided were captured and recorded appropriately. Sustainability - Charge Capture 700 To ensure that charge capture for professional services at community hospitals is accurately captured and recorded. Sustainability - Charge Capture Nursing Charge Capture 750 To ensure that charge capture for nursing services is accurately captured and recorded. Sustainability - Charge Capture Denials Management 650 To conduct an assessment to determine the root cause of denials and assist management with identifying possible solutions to reduce future denials. People We Serve - Patient Registration 650 Excepted from public disclosure Payroll Review 600 To assess the governance structure and key controls over payroll processes to include employee set-up, payroll adjustments and corrections, reconciliations, interfaces, tax compliance, accuracy of the payroll calculation, and any other related processes. Systems That Support - Payroll Division of Pediatrics Review 700 To provide a general assessment of the financial, administrative, and compliance controls within the selected division. People Who Serve, Science That Enables, Systems That Support Departmental Review - Infectious Diseases, Infection Control & Employee Health 600 To provide a general assessment of the financial, administrative, and compliance controls within the selected department. People Who Serve, Science That Enables, Systems That Support Page 13 of 22

FY 2017 Audit Plan Audit/Project Budgeted Hours % of Total Description 450 Excepted from public disclosure 600 Excepted from public disclosure Physicians Referral Service (PRS) Practice Plan 450 To conduct the annual financial review of the PRS Practice Plan, as required by UTS 155. The scope of this project will be consistent for all applicable UT System components and will be determined by UT System. Systems That Support - Expenses/Accounts Payable Information Technology Audits PeopleSoft 9.2 Upgrade 300 Perform a post-implementation review for the PeopleSoft 9.2 upgrade to determine if project objectives were successfully met, gain an understanding on the effectiveness and efficiency of project management practices, effectiveness of the integration with EPIC, and to determine vulnerabilities for the application from the following perspectives: operating effectiveness, ITGC's, security, reporting, and compliance. Systems That Support 400 Excepted from public disclosure Asset Management 400 Evaluate the Asset Management Process from procurement, commissioning, inventory, and decommissioning for assets including laptops, ipads, iphones, servers, medical devices/workstations, and applications (including cloud/software as a service). Systems That Support System Portfolio and Roadmap for System Retirement 350 Assess the application portfolio and supporting organizational costs/headcounts as well as the status on specific systems identified as replaced by recent implementations to determine plan for and progress for decommissioning. Evaluate the roadmap for retiring and decommissioning legacy systems replaced by recent implementations such as Epic, PeopleSoft, etc. Consider the cost to the institution and assess risks (security, integrity, data availability, support, etc.) risks to the institution for continuing to maintain legacy systems. Systems That Support Page 14 of 22

FY 2017 Audit Plan Audit/Project Budgeted Hours % of Total Description Epic - Post Implementation and Governance Process 350 Perform a post-implementation review for Epic to evaluate functionality (charge capture, interfaces, etc.) optimization, and vulnerabilities for the application from the following perspectives: operating effectiveness, ITGC's, security, and compliance. Evaluate governance process post go-live for addressing issues and optimizing the system. Systems That Support Pharmacy System Assessment 300 Perform a post-implementation review for Willow/Epic to evaluate functionality (charge capture, interfaces, etc.) and assess the controls in place post go live related to the pharmacy applications from the following perspectives: operating effectiveness, ITGC's, security, and compliance. Systems That Support Management Involvement on 150 To oversee/facilitate audits of IT activities. Co-Sourced IT Projects Construction Activities 500 To conduct a review of key construction activities and/or processes. Reviews will be co-sourced, utilizing staff with construction expertise. Systems That Support - Facilities Management Management Involvement on 50 To oversee/facilitate audits of construction activities. Co-Sourced Construction Projects Carry-Forward Audits Charge Capture - Pathology and Laboratory Medicine 350 To conduct a charge capture audit of select areas within the Division to determine if services provided were captured and recorded appropriately. This will be an integrated audit with the IT Internal Auditors. Risk Based Audits Subtotal 10,000 50% Sustainability - Charge Capture Required Based Audits (Externally and Internally) FY 2017 Financial Statement Audit (year-end) 325 To assist Deloitte with testing relating to the External Financial Statement Audit. Systems That Support - Financial Reporting Page 15 of 22

FY 2017 Audit Plan Audit/Project Budgeted Hours % of Total Description FY 2017 Financial Statement Audit (interim) Deloitte Financial Audit Support - IT Texas Administrative Code (TAC) 202 325 To assist Deloitte with testing relating to the External Financial Statement Audit. Systems That Support - Financial Reporting 160 Perform IT general controls procedures as requested by MDACC to support the Deloitte Financial Audit of MDACC. Systems That Support - Financial Reporting 350 To evaluate controls and processes at MD Anderson for compliance with TAC 202 regulatory requirements. Systems That Support Segregation of Duties and Account Reconciliations Economic Development Agreement Presidential Housing, Travel, and Entertainment Executive Travel and Entertainment Required Audits Subtotal 1,860 9% 250 To review the institution's Monitoring Plan and departmental subcertifications and validate the assertions made by management regarding segregation of duties and account reconciliations, as required by UTS 142.1. Systems That Support - Financial Reporting 100 To review the reporting methodology and schedules prepared for the annual compliance verification of job creation targets associated with the Economic Development Agreement between MDACC, UT HSC- Houston, and the State of Texas. Systems That Support - Corporate Compliance 50 To assist/coordinate audits by UT System to determine if travel and entertainment activities and expenditures of the President and his spouse are conducted in accordance with UT System and MDACC policy. Systems That Support - Expenses/Accounts Payable 300 To perform audits to determine if travel and entertainment activities and expenditures of executive management are conducted in accordance with UT System and MDACC policy. Systems That Support - Expenses/Accounts Payable Page 16 of 22

| Audit/Project | Budgeted Hours | % of Total | Description |
|---|---|---|---|
| Consulting Projects | | | |
| Employee and Faculty Criminal Background Checks | 500 | | Internal Audit will partner with key stakeholders to ensure a background check is conducted for all employees, including faculty, as part of the on-boarding process. People Who Serve - Personnel Management |
| | 350 | | Excepted from public disclosure |
| Strategic Industry Ventures | 250 | | Internal Audit will partner with key process owners to identify opportunities to mitigate significant business risks during the contracting process for strategic industry ventures. This effort will include, but not be limited to, collaboration with Strategic Industry Ventures, Institutional Compliance, Legal, Research Administration, and Clinical Research Administration. Science That Enables - Research Administration |
| | 200 | | Excepted from public disclosure |
| General Consultation with Management | 150 | | To consult with management on various high-risk topics. |
| Institutional Committee Participation | 225 | | To participate, in a consulting role, on committees within the institution. |
| All-Hazards Risk Leadership Council | 120 | | |
| Consulting Projects Subtotal | 1,795 | 9% | |
| Follow-Up | | | |
| Quarterly Reporting / Monitoring Activities | 250 | | |
| Validation Activities | 500 | | |
| IT Follow-up Validation Activities | 250 | | |
| Follow-Up Subtotal | 1,000 | 9% | |

| Audit/Project | Budgeted Hours | % of Total | Description |
|---|---|---|---|
| Reserve | | | |
| Reserve for Just-In-Time Auditing/Advisory Services | 1,450 | | Reserve will be used to respond to management's requests in high-risk areas, as well as to address changing risks in our environment throughout the year. |
| Reserve for Investigations | 400 | | Reserve will be used to respond to any investigative requests throughout the year. |
| IT Reserve Just-In-Time Auditing/Advisory Services | 100 | | Reserve Just-In-Time Auditing/Advisory Services will be used to respond to management and Internal Audit's requests for assessments in emerging high-risk areas related to IT. |
| IT Financial and Operational Audit Assistance | 100 | | Participation in limited scope activities with the Internal Audit team. |
| Reserve Subtotal | 2,050 | 10% | |
| Development - Operations | | | |
| Internal / External Quality Assurance Activities | 400 | | To conduct on-going reviews of audits/projects for compliance with the International Institute of Internal Auditors (IIA) standards. In addition, to prepare for an External Quality Assurance Review. |
| Internal Audit Committee Preparation / Participation | 182 | | To prepare audit committee packets and participate in quarterly meetings. |
| Institutional Risk Assessment and Work Plan Development | 350 | | To update the comprehensive risk assessment and Work Plan. |
| Audit Strategic Planning | 550 | | To perform strategic planning and manage the overall audit activity. |
| IT Risk Assessment FY17 | 250 | | Updating of the IT risk assessment and audit plan. |
| IT Administrative Activities | 150 | | |
| Development Operations Subtotal | 1,882 | 9% | |
| Development - Initiatives & Education | | | |
| UT System Coordination | 500 | | To participate in UT System initiatives. |
| Professional Organization / Association Participation | 100 | | To participate in the IIA Houston Chapter Annual Conference. |
| Training / Continuing Professional Education | 818 | | |

| Audit/Project | Budgeted Hours | % of Total | Description |
|---|---|---|---|
| IT Knowledge Sharing and/or Training Documentation Projects | 80 | | Sharing thought leadership, perspective, and bringing in technical resources to assist where needed. |
| IT Liaison Activities | 80 | | Participation in staff meetings, the UT InfoSec, IT Leaders meetings, etc. |
| Development Initiatives & Education Subtotal | 1,578 | 8% | |
| TOTAL HOURS | 20,165 | 100% | |

Additional high risks not included in the FY 2017 Work Plan are found in the following areas:

- Timely patient access to services
- Updating of patient records
- Research protocol billing and coding
- Documentation to support hiring decisions
- Adherence to institutional badging process
- Maintenance of DRG-exempt status
- Business continuity
- Billing and reimbursement
- Privacy and Information security regulated activities and work force training
- Regulated research activities
- Operational efficiencies
- Quality and performance metrics

Our risk assessment methodology included interviews and/or questionnaires with various levels of management in the institution. Identified risks were organized into institution-wide auditable units. For each identified risk, impact and probability were assessed. Our work plan was developed from the highest risk areas in the institution that are not already being addressed by other mitigation strategies.

VI. External Audit Services Procured in Fiscal Year 2016

| Service | Provider |
|---|---|
| Opinion on financial statements of UT MD Anderson Cancer Center | Deloitte |
| Opinion on financial statements of UT MD Anderson Physicians Network | Deloitte |
| Opinion on financial statements of UT MD Anderson Services Corporation | Deloitte |
| Information Technology Internal Audit Co-Sourcing | PwC |
| Electronic Health Record Consulting | PwC |
| Construction Internal Audit Co-Sourcing | Protiviti |
| Construction Internal Audit Co-Sourcing | Townsend |

VII. Reporting Suspected Fraud and Abuse