1 INTERNAL CONTROLS FOR THE BEGINNING AUDITOR JOHN BYRD, SENIOR AUDITOR TONYA CARRIGAN, SENIOR AUDITOR UF HEALTH SHANDS HOSPITAL AHIA 32nd Annual Conference August 25-28, 2013 Chicago, Illinois www.ahia.org
Two Academic Medical Centers with Level 1 Trauma Centers UF Health Shands Hospital UF Health Jacksonville Hospitals UF Health Shands Cancer Hospital UF Health Shands Children's Hospital UF Health Rehab Hospital UF Health Shands Psychiatric Hospital UF faculty physicians provide outpatient care in more than 80 UF Clinics
3 Audit Services Provides Audit Services to all Shands Hospitals Provide approximately 2,200 Hours Annually to the External Audit Department 1 Director IT Audit Manager 6 Senior Auditors 1 Staff Auditor
4 Better Known for:
5 Presentation Objectives: Explain the relationship between risk and control Provide an understanding of internal controls Explain the importance of implementing an internal control framework Learn to identify internal controls within processes Examine and understand common controls
6 Adding Value Internal Auditors Can Add Value by: Reviewing Critical Control Environments and Risk Management Providing Advice on Control System Improvement and Design Implementing a Risk-Based Audit Approach Directing Audit Resources to the Most Important Areas of the Organization
7 Objectives and Risk Objective: All businesses have an objective In healthcare it is usually to Deliver Quality Patient Care Risks: Enterprise Risk Management (ERM) is the framework management uses to identify risks to that objective
8 Internal Controls to the Rescue
9 Internal Controls COSO Definition Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: 1. Effectiveness and efficiency of operations. 2. Reliability of financial reporting. 3. Compliance with applicable laws and regulations.
10 Definition Continued Internal controls include: Promoting efficient and effective operations Safeguarding organizational resources Increasing reliability of information Reducing surprises and unexpected outcomes Assuring compliance with policies, procedures and applicable laws and regulations
11 Control Framework Established process for the application and testing of an organization's control environment
12 COSO and COBIT COSO Committee of Sponsoring Organizations of the Treadway Commission Jointly Sponsored by: Five Organizations Including the IIA (The Institute of Internal Auditors) COBIT COBIT 5 is the latest edition of ISACA's globally accepted framework Provides a framework for IT Control Testing
13 COSO Framework New framework introduced in 2013 Five components: Control Environment Risk Assessment Control Activities Information and Communication Monitoring Activities (The COSO Cube) COSO Executive Summary
14 Control Environment Sets the Tone for an organization Provides Structure Management's philosophy, assigned responsibilities COSO Executive Summary
15 Control Environment Examples Examples: Tone at the Top Internal Control Policy Compliance Program Code of Conduct
16 Risk Assessment Established objectives linked at different levels Identification of relevant risks to the achievement of the objectives Special risks are those specific to an industry COSO Executive Summary
17 Risk Assessment Mechanism to Identify Risk Control Self Assessments Meetings with Management Risk Matrix ERM Enterprise Risk Management COSO Executive Summary
18 Control Activities Policies and Procedures that help mitigate risk and assist management in meeting their objectives Heart and Soul of control testing
19 Control Activities Examples Examples: Approvals/Authorizations Reconciliations Segregation of Duties Verifications Security of Assets
20 Information and Communication Necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives Communication is the continual process of providing, sharing, and obtaining necessary information COSO Executive Summary
21 Information and Communication Examples: Present properly the transactions and related disclosures in the financial statements Provide and communicate relevant and accurate information to enable decision making
22 COBIT Based on 5 Principles Principle 1: Meeting Stakeholder Needs Principle 2: Covering the Enterprise End-to-End Principle 3: Applying a Single, Integrated Framework Principle 4: Enabling a Holistic Approach Principle 5: Separating Governance From Management http://www.isaca.org
23 TYPES of CONTROLS Preventative Designed to prevent errors or irregularities before they occur Approvals Segregation of Duties (SOD) Detective Designed to detect errors or irregularities after they occur Reconciliations Cash Counts
24 TYPES of CONTROLS Corrective Designed to correct errors or irregularities once detected Insurance Policy Compensating Designed to compensate for an inadequate control environment or a missing primary control Management Review
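To make the four control types concrete, here is an added worked example in Python (not from the presentation): a small purchase-order approval flow with a preventive gate (segregation of duties plus an authorization limit), a detective reconciliation run afterwards over the posted orders, and a corrective step that reverses whatever the review flags. The purchase orders, the $5,000 limit, the role names and the override flag are constructed for illustration; the override shows why a preventive control alone gives no absolute assurance and a detective control is still needed behind it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed policy threshold for the example: orders above this need a director.
APPROVAL_LIMIT = 5_000.00


@dataclass
class PurchaseOrder:
    po_id: str
    requester: str
    amount: float
    approver: Optional[str] = None
    approver_role: Optional[str] = None
    override: bool = False      # set when management bypasses the preventive gate
    status: str = "open"        # open -> posted -> reversed


class ControlViolation(Exception):
    """Raised when a preventive control blocks a transaction at the point of entry."""


def approve(po: PurchaseOrder, approver: str, role: str, override: bool = False) -> PurchaseOrder:
    """Preventive control: segregation of duties plus an authorization limit,
    checked before the order is posted. A management override is not blocked,
    only recorded; that is the inherent limitation a detective control must catch."""
    if not override:
        if approver == po.requester:
            raise ControlViolation(f"{po.po_id}: requester may not approve own order")
        if po.amount > APPROVAL_LIMIT and role != "director":
            raise ControlViolation(f"{po.po_id}: amount exceeds {role} authorization limit")
    po.approver, po.approver_role, po.override = approver, role, override
    po.status = "posted"
    return po


def reconcile(orders: List[PurchaseOrder]) -> List[Tuple[str, str]]:
    """Detective control: periodic review of posted orders against the same policy.
    It finds what the preventive gate did not stop (here, an overridden order)."""
    findings = []
    for po in orders:
        if po.status != "posted":
            continue
        if po.approver == po.requester:
            findings.append((po.po_id, "self-approved (SOD)"))
        if po.amount > APPROVAL_LIMIT and po.approver_role != "director":
            findings.append((po.po_id, "approved above authorization limit"))
        if po.override:
            findings.append((po.po_id, "management override used"))
    return findings


def reverse_flagged(orders: List[PurchaseOrder], findings: List[Tuple[str, str]]) -> List[str]:
    """Corrective control: reverse every posted order the review flagged."""
    flagged = {po_id for po_id, _ in findings}
    reversed_ids = []
    for po in orders:
        if po.po_id in flagged and po.status == "posted":
            po.status = "reversed"
            reversed_ids.append(po.po_id)
    return reversed_ids


def run_example():
    """Constructed transactions: one clean, one pushed through by override,
    one stopped outright by the preventive gate."""
    orders = [
        PurchaseOrder("PO-1", "alice", 1_200.00),
        PurchaseOrder("PO-2", "bob", 4_800.00),
        PurchaseOrder("PO-3", "carol", 7_500.00),
    ]
    blocked = []
    approve(orders[0], "bob", "manager")                  # clean: different approver, under limit
    try:
        approve(orders[1], "bob", "manager")              # SOD violation: bob approves bob
    except ControlViolation as exc:
        blocked.append(str(exc))
    approve(orders[1], "bob", "manager", override=True)   # management override posts it anyway
    try:
        approve(orders[2], "dave", "manager")             # over the manager limit, no override
    except ControlViolation as exc:
        blocked.append(str(exc))
    findings = reconcile(orders)
    reversed_ids = reverse_flagged(orders, findings)
    return blocked, findings, reversed_ids


if __name__ == "__main__":
    blocked, findings, reversed_ids = run_example()
    print("blocked by preventive control:", blocked)
    print("found by detective control:  ", findings)
    print("reversed by corrective control:", reversed_ids)
```

Note how the three controls divide the work: PO-3 never posts because the preventive gate rejects it; PO-2 does post because an override bypassed that gate, so only the detective reconciliation surfaces it, and the corrective step then reverses it. An auditor testing this process would test each layer separately rather than assume the gate alone is sufficient.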
25 Limitations of Controls Existence of the inherent limitations No Absolute Assurance Cost/Benefit Human element Collusion Judgment Management Override Breakdowns
26 Identifying Controls and Controls by Area
27 Key and Non-Key Key Controls Significant controls within the business process, which if operating correctly will both ensure and give assurance that the organization is achieving its key business objectives [1] Provide reasonable assurance over the reliability of financial reporting and the preparation of the financial statements (ICFR) Non-Key Still Important [1] Key Controls, The Solution for Sarbanes-Oxley Internal Control Compliance, by James Brady Vorhies, CIA, CISA, CPA, Institute of Internal Auditors Research Foundation
28 Considerations When Identifying Controls Where are the points in the flow of transactions where errors can occur? Who performs the control? Does the control depend on IT? What could go wrong?
29 Tools Risk Assessments Narratives Walk-Throughs Flow Charts
30 Risk Assessments Internal Control Self Assessments Meetings with Management Risk Identified from Other Audits Known Risk within the Industry
31 Narratives Describes a Process From Beginning to End Details Significant Steps within the Process Identifies Key and Non-Key Controls Helps to Identify Gaps Ongoing and Updated on an Annual Basis
32 Walk-Throughs Begins at Initiation of a Major Class of Transactions Walk Through One Transaction Question Personnel on Important Processing Controls Identify Exceptions to the Identified Process
33 Flow Charts Use a Basic Type of Flow Chart Functional Activities Interact Process Sequence and Relationships Keep it Simple Map the Important Processes Identify Key Controls Use Software for Assistance, e.g. Visio
34 Significant Areas ITGC General IT Controls Revenue Ancillary Pharmacy Operating Rooms Labs
35 Significant Areas Expenditures Payroll Accounts Payable Fixed Assets Inventory Treasury Financial Reporting Quality and Governance
36 ITGC General IT Controls Segregation of Duties Application Controls Access Controls Privileged Accounts Disaster Recovery Management
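The access-control, segregation-of-duties and privileged-account items above are usually tested together from a user-access listing. The following is an added example of such a review in Python; it is not the presenters' own tool, and the export rows, role names, SOD conflict pairs, review date and 90-day dormancy threshold are all constructed for illustration. It flags accounts holding conflicting role pairs, privileged accounts without MFA, and privileged accounts that have not been used within the threshold.

```python
import csv
import io
from datetime import date
from typing import Dict, List, Tuple

# Constructed user-access listing standing in for an identity-system export
# (not real data from any hospital system).
ACCESS_EXPORT = """\
user,roles,privileged,mfa,last_login
alice,ap_clerk;vendor_maint,no,yes,2013-08-01
bob,ap_approver,no,yes,2013-07-30
carol,ap_clerk;ap_approver,no,yes,2013-08-05
dbadmin,sysadmin,yes,no,2013-04-02
svc_interface,app_admin,yes,no,2013-08-10
erin,ap_clerk,no,no,2013-01-15
"""

# Assumed SOD conflict matrix; a real one comes from the organization's own policy.
SOD_CONFLICTS: Dict[frozenset, str] = {
    frozenset({"ap_clerk", "ap_approver"}): "enter and approve invoices",
    frozenset({"ap_clerk", "vendor_maint"}): "maintain vendors and enter invoices",
}

REVIEW_DATE = date(2013, 8, 25)   # assumed date the review is run
DORMANT_DAYS = 90                 # assumed threshold for unused privileged accounts


def parse_export(text: str) -> List[dict]:
    """Parse the CSV export into account records with role sets and real dates."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "user": row["user"],
            "roles": set(filter(None, row["roles"].split(";"))),
            "privileged": row["privileged"] == "yes",
            "mfa": row["mfa"] == "yes",
            "last_login": date.fromisoformat(row["last_login"]),
        })
    return accounts


def sod_findings(accounts: List[dict]) -> List[Tuple[str, str]]:
    """Segregation of duties: flag any account holding both halves of a conflicting pair."""
    out = []
    for acct in accounts:
        for pair, description in SOD_CONFLICTS.items():
            if pair <= acct["roles"]:
                out.append((acct["user"], f"SOD conflict: {description}"))
    return out


def privileged_findings(accounts: List[dict], as_of: date,
                        dormant_days: int = DORMANT_DAYS) -> List[Tuple[str, str]]:
    """Privileged accounts: require MFA and flag accounts unused beyond the threshold."""
    out = []
    for acct in accounts:
        if not acct["privileged"]:
            continue
        if not acct["mfa"]:
            out.append((acct["user"], "privileged account without MFA"))
        if (as_of - acct["last_login"]).days > dormant_days:
            out.append((acct["user"], f"privileged account dormant > {dormant_days} days"))
    return out


def access_review(text: str = ACCESS_EXPORT, as_of: date = REVIEW_DATE) -> List[Tuple[str, str]]:
    """Run both tests over the export and return findings sorted by user."""
    accounts = parse_export(text)
    return sorted(sod_findings(accounts) + privileged_findings(accounts, as_of))


if __name__ == "__main__":
    for user, issue in access_review():
        print(f"{user:14} {issue}")
```

A review like this is a detective control over the ITGC layer; the preventive counterpart is the provisioning workflow that refuses to grant a conflicting role in the first place. When reviewing real exports, confirm the listing is complete (service and vendor accounts are often missing) before relying on its results.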
37 Patient Revenue A/R Reconciliations Valuation of Bad Debt/Contractuals Medical Records/Coding Billing Charge Capture
38 Expenditures Accounts Payable Purchasing Purchasing Cards
39 HR and Payroll Hiring Payroll Processing Training Pension Other
40 Fixed Assets Acquisition Depreciation Fixed Asset Reconciliation Monthly Reconciliation to Detail Other
41 Inventory Acquisition Consignment Perpetual Records Other
42 Financial Reporting Balance Sheet Account Reconciliations New G/L Accounts and Cost Centers Monthly Financial Statement Review Journal Entries
43 Treasury Wire Transfers Investments Cash Collections Other
44 Pharmacy Policies and Procedures SOD Monitoring of Controlled Substances ADC (Automated Dispensing Cabinet) Inventory Formulary
45 OR/Surgery Policies and Procedures over: Start and Stop Times Vendor Access Room Scheduling Preference Cards Patient Identification and Safety Completion of the Charge List
46 Other Ancillary Labs/Radiology/Cardiology Charge Capture Reconciliation Policies and Procedures PFS/Admissions Policies and Procedures Proper Financial Class Assignment on Admission Pre-Certs and Authorizations Billing Edits Denial Tracking
47 Quality and Governance Policies and Procedures SOD Prevention of Readmissions Incident Reporting Disaster Drills Regulation Compliance
52 TIPS Beware of Reliance on System Controls Always Maintain Healthy Skepticism Trust but Verify Know Your Business Balance Your Control Count Think Critically Remember the IIA Code of Ethics
53 Thank You UF Health Shands Hospital John Byrd, Senior Auditor byrdjh@shands.ufl.edu Tonya Carrigan, Senior Auditor carrit@shands.ufl.edu
54 Save the Date September 21-24, 2014 33rd Annual Conference Austin, Texas