Changes in the International Standards for the Professional Practice of Internal Auditing & Implications for Healthcare Organizations
AHIA Northwest Regional Seminar
May 7, 2010
Exaltant™
Grant Baumgartner
Chief Consulting Officer
Phone: 206-999-3663
Protiviti™
Keith Kawashima
Managing Director
Phone: 408-808-3222
Summary of Changes
• Effective January 1, 2009, the Institute of Internal Auditors (IIA) made changes to the International Standards for the Professional Practice of Internal Auditing (Standards):
– Changed from “should” to “must” throughout most of the Standards
– Added six new Standards
– Added new verbiage to existing Standards
– Interpretations added that were previously part of the Practice Advisories
Summary of Changes
• Areas Affected:
– IT Governance
– Fraud Risk Management
– Communication with the Board
– Ethics Programs
– Technology Based Audit and Other Data Analysis Techniques
– Limitation and Adequacy of Resources
– Records Retention
– Quality Assurance Reviews
– Modifications to the IA Charter
– Prohibition on Managing Risk
– Conducted in Conformance with The Standards
Actions Required by Internal Audit Leadership
• Discuss changes with Management and Audit Committees
• Develop gap analysis
• Disclose incremental required actions to be taken
IT Governance
NEW Standard – 2110.A2: The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.
• Assess IT governance and determine appropriate reporting
• Potentially increase IT auditing to adequately report on IT Governance
• Perform enhanced IT risk assessment
• Use IT Subject Matter Experts (SMEs) or outside resources as needed and re-evaluate capability of existing resources
• Consider adopting the ITGI Five Elements of IT Governance to review the IT organization’s governance framework
IT Governance – Implementation Guidance
• Consider the following factors:
– Longevity and relative maturity of existing IT governance program
– Adopted governance or delivery frameworks (ITGI, Val IT, ITIL, ISO, etc.)
– IT, Business and Board stakeholder input about IT investments and projects
• The ITGI Five Elements of IT Governance is useful from a scoping perspective:
– Strategic Alignment
· Align IT with Business
· Add value to products and services
· Increase managerial effectiveness
· Assist in competitive positioning
– Value Delivery
· Meeting business requirements
· On time / budget
· Time to market
· Integrity and accuracy of information
– Risk Management
· Determining appetite for risk
· Determining risk exposures
– Resource Management
· Identifying cost efficiencies
· Optimizing knowledge
· Optimizing IT resources (employees, applications, hardware)
· Identification of IT education, training and development
– Performance Metrics
· Information Technology ROI
· Board and Executive awareness
· Operational and strategic metrics
Healthcare IT Environment
[Diagram: Core Systems (GL, Materials, HR & Payroll, A/P, Patient Accounts, Clinical, EHR) connected to medical devices in the ER, Rx, Imaging and OR, to PDAs over WLAN, and to the Internet (www).]
Healthcare IT Environment
• Must support the organization’s strategies and objectives
– Accountable Care Organizations
– Medical Homes
– Co-ops
– Insurance Exchanges
– Capitation
– Claims
– Other Contracting and Reporting
Discussion Questions – IT Governance
• Has your organization performed an IT Governance assessment?
• How did you approach this effort?
• If not, how do you intend to comply with the Standard?
Fraud Risk Management
NEW Standard – 2120.A2: The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
• Perform a fraud risk assessment and evaluate the fraud risk management program by:
– Assisting management in performing one
– Leveraging an existing assessment performed as part of SOX, or
– Performing an independent assessment
• Utilize outside resources as needed
• Utilize data analysis and continuous auditing and monitoring to enhance detection
• Determine style and scope of reporting
• Coordinate with legal counsel as appropriate
Healthcare Fraud Risk Management
• Coding
• Charging
• Procurement
• Expense reporting
• Time keeping
• Cash locations
• Credit card locations
• Self-funded insurance
• Electronic transactions
• Financial, utilization and clinic outcomes reporting
Discussion Questions – Fraud Risk Management
• Has your IA function conducted a Fraud Risk Assessment?
– Examples
· Discrete Fraud Risk Assessment project
· Identification of fraud-related risks/controls during audit projects
· Other
– Who was involved in the effort?
– Lessons learned
• What have been your challenges in conducting fraud risk assessments?
• How do you support fraud prevention and detection activities with training and awareness programs for Management and employees?
Discussion Questions – Fraud Risk Management
• Whose responsibility is it to monitor fraud risk within your operations on a daily, on-going basis (i.e., “continuous monitoring”)?
• How are “computer-assisted audit techniques” or electronic data analysis used to help identify potential fraud risk within financial or operational processes?
• What is the role of your Board of Directors in fraud risk governance?
Communication with the Board
NEW Standard – 1111 (Direct Interaction with the Board): The chief audit executive must communicate and interact directly with the board.
• Increase the Chief Audit Executive’s visibility with the Board
• Implement the Standards’ communication requirements with the Board
• Evaluate whether reporting style and approach should be revised and enhanced
• Coordinate with legal counsel on reporting guidelines
Discussion Questions – Communication with the Board
• Does your IA function have any plans to change their current level of interaction with the Board or AC?
• In the current economic climate, have there been changes in requests from the Board?
– Frequency?
– Level of information?
• Does your IA function plan to change the type of reporting?
© 2010 Protiviti Inc. An Equal Opportunity Employer.