Skills for the New Healthcare Internal Auditor

1
Skills for the New Healthcare Internal Auditor
2
Training Objectives

• Discover or verify underlying business needs
  driving a project
• Identify key stakeholders and contacts for their
  project
• Determine project scope and objectives
• Identify the elements of a audit program
• Use appropriate audit tools to complete a project
• Structure and conduct fieldwork
• Discuss findings and recommendations with key
  stakeholders at an exit conference
• Understand elements of project wrap up

3
Project Management

• The nicest thing about not planning is that
  failure comes as a complete surprise and is not
  preceded by a period of worry and depression.
• John Preston, Boston College

4
Project Management

• If you dont know where youre going, you may
  not get there.
• Forrest Gump

5
Overview of Audit Process

• Auditee Selection
• Audit Planning
• Preliminary Survey
• Internal Control Review
• Detail Testing
• Audit Results/Findings and Recommendations
• Results Reporting
• Closing/Exit Conference
• Issue Follow-up

6
Emergency Department Overview

• Presented by
• Kelly Nueske

7
4 Phases of ED

• Entry/Triage
• Diagnostic
• Treatment
• Disposition

8
Triage Phase

• Emergent arrivals typically by pass triage
• Non emergent arrivals are assessed by a Triage
  Nurse
• Ask a series of questions related to present
  complaint
• Assess patient
• Prioritize/rank on 1 5 scale

9
Triage Phase

• Prioritization is dynamic
• Adjustments made after each patient is assessed
• Ranking system determines who sees the resources
  first
• Registration typically occurs after triage
• Only place in healthcare you cant refuse to
  treat

10
Diagnostic Phase

• Provider reviews triage information
• Gathers more detail exams patient
• Waiting period while data is collected i.e. lab
  tests, radiology exams
• May order more tests after initial set reviewed
• Working diagnosis is determined by provider

11
Treatment Phase

• Provider determines follow up care or treatment
• Inpatient admission
• Transfer to another facility
• Follow up with primary care provider

12
Disposition Phase

• Written plan of care is created by provider
• Nurse reviews plan of care educational
  materials with patient
• Discharge instructions provided in writing to
  patient

13
Health Unit Coordinator

• Maintains log for EMTALA requirements
• Time in
• Time out
• Patient name
• Chief complaint
• Treating provider
• Discharge disposition

14
Health Unit Coordinator

• Enters orders
• Telephone management i.e. similar to air traffic
  controller
• Places calls for orders consults
• Monitor activities to ensure they happen
• Follow up on test results
• Prompt people to keep things moving

15
Charge Specialist

• Three main components to ED charging facility
  billing
• Level charge acuity system
• Procedure charge
• Supply charges
• Professional billing could include EM level
  and/or procedure code
• Monitors charge tickets to ensure there is one
  for each patient on the log

16
Charge Nurse

• Assures patient flow through ED
• Removes barriers to flow
• Looks at equity of assignments among staff
• Provides transfer report to next shift

17
Divert Status

• Divert is when the ED is closed to ambulance
  services
• Determined jointly by charge nurse lead
  physician
• Some cities/metro areas allow subcategories i.e.
  OB, Trauma, Mental Health
• If more than 2 EDs on divert, typically everyone
  goes off. This is determined based on the city
  agreement.
• Cause generally by inpatient staffing shortage,
  not ED staffing shortage.

18
ED Staffing

• Will not see traditional Day, Evening, Night
  shifts
• Staff stagger start every couple hours
• Weekday heaviest patient flow typically 11am
  11pm
• Weekend heaviest patient flow typically 9am
  5pm and 7pm 2am

19
Department Readiness

• See a larger level of supplies and pharmaceutical
  agents in ED
• Try to be prepared for 80 90 of what presents
  in the ED
• Closets partners are registration, radiology,
  pharmacy, lab with horizontal or vertical access
  to surgical suites

20
Trauma Designation

• American College of Surgeons assigns trauma level
  based on application
• Level 1 teaching/research focused facility
• Level 2 same as 1 without teaching/research
• Level 3 5 defined at state level. Can deal
  with most walk in trauma, stabilize and transfer
  to another facility
• Currently 4 6 states dont have trauma
  designation.

21
Other ED Services

• Sometimes used for scheduled procedures. More
  typical in smaller facilities/rural communities.
• Fast Track used to treat level 4 5 rated
  patients. Method to avoid these patients
  constantly being moved to bottom of priority
  list.
• Urgent Care is different than fast track.

22

• Questions

23
Developing a Risk Assessment Approach

• Presented by
• Debi Weatherford

24
Annual Risk Assessment

• Key deliverables
• Completed risk assessment
• Company risk profile
• Annual audit plan for audit committee approval

25
Annual Audit Plan Objectives

• Focus on high risk activities.
• Focus significant financial and operational
  impact/risk.
• Provide coverage of regulatory compliance risks.
• Provide coverage of information technology risks.
• Provide proactive coverage of emerging areas.

26
Conducting the Annual Risk Assessment

• Interviews
• Senior management
• Members of the Audit Committee
• Risk factors to consider (see questionnaires)
• Review of past results
• Other

27
Potential Audit Areas

• Business units or departments
• Transactions
• Trans-departmental processes
• Specific programs and service lines
• Information systems
• Other

28
Business Models and Risk Frameworks

• Healthcare business model
• COSO Internal Control Framework
• COSO-Enterprise Risk Management Framework
• Risk Framework from ASHRM

29
Strategic Analysis - Enterprise Level Business
Model
30
Enterprise Risk Management

• Key elements of ERM
• Interrelationships and interdependencies among
  risks.
• Managing risks within and across business units.
• Identify and seize opportunities inherent in
  future events.

31
Enterprise Risk Management

• Other key elements of ERM
• Considers risk in the formulation of strategy.
• Applies at every level and unit of an entity.
• Facilitates communication via common risk
  language.
• Portfolio view of risks throughout the enterprise.

32
Risk Domains

• Strategic
• Operational
• Financial
• Human Capital
• Legal and Regulatory
• Technology
• Governance

33
Risk-Based Audit Planning Structure
CORPORATE OBJECTIVES
NOT NECESSARILY LINEAR
Typically, outlined during the Strategic Analysis
- interviews with C level executives. These
corporate planks are the foundation of the Risk
Assessment effort.
The strategies/initiatives constitute the action
plans for the execution of the Corporate
Objectives. Strategies/Initiatives are generally
developed at the Business Unit level. The
strategies/initiatives are embedded in processes.
STRATEGIES / INITIATIVES
Risks could occur at the strategic level or at
the process level. Risks at the strategic level
typically manifest themselves at the process
level.
PROCESSES - CORE RESOURCE MANAGEMENT
Processes support the Corporate Objectives
strategies/initiatives are executed at the
process level. There are objectives at the
process level.
Gross Risks are best described as threats or
impediments to the accomplishment of the
Corporate Objectives or the Process Objectives.
Risks are rated based on a pre-determined risk
descriptors or risk intervals for Magnitude of
Impact and Probability of Occurrence.
GROSS RISKS
Controls are managements response to the risk or
impediments to the achievement of objectives.
Controls or responses mitigate risks - impact or
the probability of the risk. The effectiveness
of the control is determined by the type of
control for example preventive vs. detective.
CONTROLS
In a Risk Assessment, controls are evaluated
based on managements perception rather than an
independent assessment.
RESIDUAL RISKS
Depending on the effectiveness of the control or
response, the impact and/or probability of the
risk is affected. The risks are re-evaluated in
the context of the controls in place. These
re-evaluated risks constitute the Residual Risks.

PRESENTATIONS DELIVERABLES
Presentations and deliverables tailored to
management.
34
Residual Risk

• Residual Risk is defined as
• Residual Risk
• Is the organizations unmanaged vulnerability
• Is key to optimizing control structure
• Provides focused audit efforts
• Identifies areas/processes that are broken
• Helps make invisible risks visible
• Provides valuable insight to stakeholders

Controls
Total Risk- (Effective Process) Residual Risk
35
Strategic Analysis Risk Matrix (Residual)
Likelihood of
Occurrence
S
S
H
H
H
A
Almost
A1
Certain
H
Likely
M
H
S
S
B
L
H
S
M
Moderate
H
C
D
L
H
S
L
M
Unlikely
B1
C1
D1
L
L
M
S
S
Remote
Insignificant
Minor
Moderate
Major
Catastrophic
TRAP
Magnitude of Impact
36
Aligning Controls with Risk Appetite
Risk Appetite
Insufficient Risk
Insufficient Risk
Appropriate Risk
High
Insufficient Risk
Appropriate Risk
Excessive Risk
Medium
Appropriate Risk
Excessive Risk
Excessive Risk
Low
High
Medium
Low
Level of Revised Risk
based on your appetite for risk
37
Risk Profile - Strategic Risk Matrix
Example Heat Map Based on Risk Assessment
Almost Certain





HIPAA
Billing, Credit Balances
Research
Pharmacy
Medical Education
Hotline
Risk Management
Credentialing and Licensure
FLSA (Overtime)
Experimental Drugs, Devices
Co-pays, Deductibles
Labor
Taxes
Environmental
Remote
Insignificant
Catastrophic
Magnitude of Impact
38
Risk Profile - Multiple Business Units
39
Identifying Audit Customers

• Key stakeholders
• Inside the audited function
• Outside the audited function
• Governance
• Other

40
Risk Assessment in an Audit Project

• Assessing risk in the current state research
  customers business
• Targeting limited audit resources

41
Questions Directions Review and get familiar
with the preliminary survey documents for this
case study. You will have a couple hours to gain
an understanding of your customers environment.
42
Developing Audit Programs Questionnaires

• Presented by
• Ted Walters

43
Role of Audit Program

• What is to be done
• When it is to be done
• How it is to be done
• Who will do it
• How long it will take
• Link between preliminary survey and fieldwork

44
Audit Program Objective

• IIAs Standards for the Professional Practice of
  Internal Auditing (SPPIA) 2200 states that
  internal auditors should develop and record a
  plan for each engagement.
• SPPIA 2210 states that the audit objectives
  should address the risks, controls and governance
  processes associated with the activities under
  review.
• The auditor should identify and assess risk
  relevant to the activity under review. The audit
  objective(s) should reflect the results of the
  risk assessment.
• The auditor should consider the probability of
  significant errors, irregularities, noncompliance
  and other exposures when developing the
  engagement objectives.
• Source IIA Standards for the Professional
  Practice of Internal Auditing

45
Internal Control Review Preliminary Survey

• Conduct analytical procedures analyses
• Complete internal control matrix
• Complete internal control risk assessment
  analysis
• Complete internal control questionnaires
• Conduct documentation or process walk-throughs
• Conduct probe testing
• Complete information systems control review

46
Audit Program Development

• The internal auditor should identify sufficient,
  reliable, relevant and useful information to
  achieve the audits objectives.
• Audit results and conclusions should be based on
  appropriate analyses and evaluations.
• Audit findings and recommendations should be
  supported by sufficient, competent, relevant and
  useful information documented in the auditors
  working papers.
• The auditors is responsible for planning and
  conducting the audit.
• The audit program is your road map for the audit.

47
Audit Program Development

• The audit program should include
• Documenting the procedures and information used
  by the auditor during the audit.
• State the audit objective
• State the scope and degree of testing to achieve
  the audit objectives
• Identify technical aspects, risks, processes and
  transactions that should be examined.
• State the nature and extent of the testing
  required.
• Develop audit program prior to the start of the
  audit and modify during the course of the audit,
  as necessary.

48
Testing Techniques

• Defining the testing objective
• Identifying the type of testing that will achieve
  the objective
• Determining the sequencing of the test
• Defining or identifying the standards or criteria
• Identifying the testing population
• Determining the sampling methodology
• Examining the samples

49
Sampling Methods

• Unless 100 testing occurs, sampling will draw
  reasonably accurate inferences from the sample to
  the total population. Sample methods include
• Random number sampling
• Interval sampling
• Stratified random sampling
• Cluster sampling
• Haphazard sampling
• Judgment sampling
• Statistical Sampling is using one of the above
  methods to reduce risk that the sample selected
  is not representative of the total population.
• Probe Sampling is used when little or no errors
  are expected.

50
Sample Size

• Sample size is based on
• Population size all the items an auditor
  concludes on
• Sampling Risk/Confidence Level level of
  risk/confidence that the sample is representative
  of the entire population
• Maximum Tolerable Error Rate maximum error
  accepted
• Precision Rate the range of allowable error
  expected in the sample

51
Testing Attributes

• Attributes are controls, procedures, practices or
  regulations that are expected to occur.
• For example if a diagnosis code of X is
  required for medical necessity, then X is the
  attribute to be tested for. Another example is
  if all expenses of 5,000 are to be signed by the
  CFO, the attribute is the presence of the CFO
  signature on expenses.

52
Audit Questionnaires

• Develop questionnaires which investigate
  organizational, operational, personnel, and
  management controls.
• Designed for Yes/No answers to establish
  reliability and integrity of information
  compliance with PPs, laws and regulations
  safeguarding assets and efficiencies and
  effectiveness of resource uses
• Internet searches (www.cms.gov FI website CCH
  subscription service www.oig.hhs.gov/publications
  /workplan )
• AHIA library (www.ahia.org)
• Develop questions using departments policies and
  procedures

53
Questions Directions Your team is to develop
an audit program for two audit objectives. Once
the audit programs are done, develop an interview
questionnaire for a health unit coordinator/unit
clerk and a registration clerk.
54
Report Writing

• Presented by
• Mark Eddy

55
Potential Audience

• Board Members
• Executive
• Front-line Management
• External Auditor (public or government)
• General Public or Media

56
Elements of an Audit Report

• Table of Contents
• Executive Summary
• Scope Objectives
• Background Information
• Detailed Recommendations
• Appendix Exhibits

57
4 Phases of Writing

• Planning
• Outline Issues
• Evaluate Information
• Drafting
• Detailed Recommendations
• Executive Summary
• Editing
• Organization
• Readability
• Mechanics
• Formatting

58
5 Elements of Writing

• Approach
• Tone Presentation Method
• Development
• Logical Sequential Presentation
• Correctness
• Grammar, Spelling, and Punctuation
• Clarity
• Choice of Words Presentation of Main Idea
• Style
• Active vs. Passive Voice

59
Preparing to Write

• Eliminate distractions
• Mentally prepare
• Schedule time
• Use tools (grammar check, spell check, etc.)
• Write 1st draft quickly
• Proofread 2nd and 3rd drafts
• Take a step back and look at the big picture

60
5 Elements of a Recommendation

• Condition
• What is the problem/issue? What is happening?
• Effect
• Why should the reader care? What is the impact?
• Cause - focus on Root Cause
• Why did the condition happen?
• Criteria
• How do you know it is a problem? What should
  happen?
• Recommendation
• How do we solve the condition? How can we prevent
  recurrence?

61
Recommendation Structure

• Approach
• Deductive or Inductive
• Tone
• Positive words
• Active voice
• Management ownership
• Recommendation Title
• Action Oriented
• Level of Detail
• Avoid more than 2 paragraphs

62
Executive Summary

• Identify most important issues
• Describe significance
• Include managements response or corrective
  action
• May want to summarize number of recommendations
  by general categories

63
Editing

• Organization
• Big picture to detail and flow of information
• Readability
• Clear and concise
• What is the Fog Index?
• Grammar Punctuation
• Nothing is more distracting than poor grammar and
  punctuation

64
Report Format

• Table Style
• Paragraph Style
• Bullet Style

65
Questions Directions Your team is to create a
list of issues/findings using the information
gathered in the two interviews. Group the issues
into like categories to formulate
recommendations. Each team is to write a minimum
of five recommendations using the indirect
approach and the five elements of a
recommendation (condition, cause, effect,
criteria, and recommendation). Next, your team
is to develop exit conference materials to
communicate the recommendations.
66
Wrap Up

• Questions
• Verbal Feedback
• Complete Evaluation Forms
• Thanks!!