HCCA AUDIT & COMPLIANCE COMMITTEE CONFERENCE

EXTERNAL AUDIT AND THE AUDIT COMMITTEE

CHRIS IDEKER, CPA
CHRISIDEKER@ALVAREZANDMARSAL.COM
February 25th, 2013

QUESTIONS TO BE ADDRESSED

The involvement and interest of the board and the external auditor depends on the answer to certain questions.

- Who does compliance report to?
- What falls under compliance's charter?
- Who performs the functions of compliance?

QUESTIONS TO BE ADDRESSED

Once we have answered those questions, we can address these questions.

- What should be the content of a board report?
- What are good questions board members should ask?
- What interest does external audit have in compliance?
- What interest does the external auditor have in health care fraud?
- Should audits/investigations be done by the GC, compliance or internal audit?
- What about attorney-client privilege and the auditor?
- What are some considerations for board interaction?

WHO DOES COMPLIANCE REPORT TO?

Different organizations have different views. The OIG-HHS has views. What is the right answer?

- The OIG view
  - Compliance should not report to the General Counsel - concern over aggressive use of privilege v. need for legal expertise
  - Compliance should not report to the CFO - Really? Who do you think approves the compliance budget?
- The CCO's access to the board: Compliance committee? Audit committee? Frequency?
- Rational solution
  - Risk based
  - Skill based
  - Avoid silos

WHAT FALLS UNDER COMPLIANCE'S CHARTER?

Is the charter narrow and defined or does it say "air condition the world"?

- Medicare fraud (billing, physician arrangements, kickbacks, etc.)
- Patient safety
- Health information privacy
- Labor and employment issues
- Financial accounting
- Tax compliance
- Securities compliance
- Non-financial information accuracy
- Anything some nut complains about on the hotline

WHO PERFORMS THE FUNCTIONS OF COMPLIANCE?

Depending on the breadth of the compliance charter, many organizational roles may perform compliance functions.

- GC
- Compliance
- Internal audit
- Quality assurance
- Operations

WHAT SHOULD BE THE CONTENT OF A BOARD REPORT?

Depending on the breadth of the compliance charter, many organizational roles may perform compliance functions.

No specific legal guidance. Substantive, emphasizing risks and controls, but keep it high-level.

- Business judgment rule: act in good faith; act in the best interests of the corporation; act on an informed basis; not be wasteful; not involve self-interest
- Risk driven - prioritize considering criminal/financial exposure and enforcement risk
- Control specific - What processes and controls are in place to mitigate the risks?
- Not too detailed - they govern, they don't manage
- Be careful of flying monkeys
- Seek feedback - these people are successful and knowledgeable

WHAT ARE GOOD QUESTIONS BOARD MEMBERS SHOULD ASK?

A well-educated board will ask good questions. Make sure they cover these areas.

- Resources - Sufficiency of budget. Adequacy of resources from a people, process and technology view
- Obstacles - What is keeping you from reducing legal risk?
- Contemplated risks of new ventures - often the compliance officer is left out of these discussions.
- Experts - does the board need outside help? Consider:
  - Complexity of issue
  - Need for independent view
  - Need for independent legal advice
  - Any allegations of misconduct?
  - CIA considerations
- Private session - with the compliance officer, external audit, IRO

HOW MUCH SHOULD YOU SPEND ON COMPLIANCE?

A simple formula to help with CFO discussions

[{Inherent risk of fraud occurrence * (likelihood of detection * cost of fraud)} * reduction of fraud risk from compliance efforts] = nominal expected benefit from compliance.

Discount the nominal expected benefit from compliance for the time value of money and the uncertainty that estimates will be wrong and you have the net present value of the expected value of compliance.

    NPV of expected value of compliance*
    ------------------------------------
    NPV of compliance expenditures

The above equation should yield a result which is equal to or greater than 1 + the hurdle rate for the organization.

*The above does not include the qualitative value of not going to jail

GREAT RESOURCE

THE HEALTH CARE DIRECTOR'S COMPLIANCE DUTIES: A Continued Focus of Attention and Enforcement
http://www.mwe.com/info/pubs/healthcare%20directorscompliance.pdf

WHAT INTEREST DOES EXTERNAL AUDIT HAVE IN COMPLIANCE?

The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. AU section 110

Disclaimer - there is a significant amount of judgment involved in planning an audit. The following discussion may not apply to your audit or auditor.

- PCAOB (Public Company Accounting Oversight Board) - focus on fraud, concerned about undetected frauds.
- Dependent on what falls within the scope of compliance
- Often auditors will want to review the hotline logs - looking mostly for problems, but also activity.
- May want to review compliance committee minutes, both at the board and operating level.
- The auditor may not understand what compliance does or how it should look.
- May interview the compliance officer
- May ask the compliance officer to sign the management representation letter.

WHAT INTEREST DOES THE EXTERNAL AUDITOR HAVE IN HEALTH CARE FRAUD?

What is the financial statement effect of the fraud? Is it direct or indirect? Auditors are tasked with a proactive responsibility to design their audit to contemplate direct but not indirect financial statement fraud.

AU 317 - Generally, these laws and regulations relate more to an entity's operating aspects than to its financial and accounting aspects, and their financial statement effect is indirect. certain illegal acts have a direct and material effect on the determination of financial statement amounts. Other illegal acts may be regarded as having material but indirect effects on financial statements. The auditor should be aware of the possibility that such illegal acts may have occurred. If specific information comes to the auditor's attention that provides evidence concerning the existence of possible illegal acts that could have a material indirect effect on the financial statements, the auditor should apply audit procedures specifically directed to ascertaining whether an illegal act has occurred. However, because of the characteristics of illegal acts explained above, an audit made in accordance with generally accepted auditing standards provides no assurance that illegal acts will be detected or that any contingent liabilities that may result will be disclosed.

HOW MIGHT THE EXTERNAL AUDITOR REACT TO AN ALLEGATION OF HEALTH CARE FRAUD?

Is the allegation specific and credible? Are there pervasive implications? Could it involve senior management?

- The auditor may be satisfied with a management representation and a legal letter from outside counsel.
- The auditor may perform extended procedures using a specialist.
  - Inside or outside of the firm
  - Could be a coder or industry specialist
  - Could be a forensic accountant
- The auditor may request a meeting with outside counsel for an explanation.
- The auditor may request an internal investigation.

THE AUDITOR MAY REQUEST AN INTERNAL INVESTIGATION.

Who hires the attorney? What issues are addressed? Is there a report? And about that privilege

- Who hires the attorney?
  - The company
  - The audit committee or special committee
- What law firm?
  - Regular counsel
  - Health care counsel
  - Criminal defense counsel
  - Independent or not?
- Attorney-client privilege
  - The auditor respects the privilege; but,
  - Vigorous assertion can lead to a scope limitation and no opinion.
- How a client reacts to an allegation is often more important than the allegation itself!

STAY TUNED

- The PCAOB is carefully studying the issue of Fraud and failure of auditors to detect.
- It is highly likely that there will be significant developments in the next 24 months.

CONCLUSION

- Board interface and auditor interest is dependent on the scope of Compliance responsibilities.
- The Board should be adequately informed of risks and controls and be reasonably informed of adequacy of risks.
- Auditors are concerned about effectiveness of compliance controls, but focused on direct impact on financial statements.
- Once a health care fraud allegation is surfaced, the auditor's interest and involvement potentially increases.