Changes in the International Standards for the Professional Practice of Internal Auditing & Implications for Healthcare Organizations

AHIA Northwest Regional Seminar

May 7, 2010

Exaltant™

Grant Baumgartner, Chief Consulting Officer

Phone: 206-999-3663

[email protected]

Protiviti™

Keith Kawashima, Managing Director

Phone: 408-808-3222

[email protected]


Summary of Changes

• Effective January 1, 2009, the Institute of Internal Auditors (IIA) made changes to the International Standards for the Professional Practice of Internal Auditing (Standards):

– Changed from “should” to “must” throughout most of the Standards

– Added six new Standards

– Added new verbiage to existing Standards

– Interpretations added that were previously part of the Practice Advisories

Summary of Changes

• Areas Affected:

– IT Governance

– Fraud Risk Management

– Communication with the Board

– Ethics Programs

– Technology Based Audit and Other Data Analysis Techniques

– Limitation and Adequacy of Resources

– Records Retention

– Quality Assurance Reviews

– Modifications to the IA Charter

– Prohibition on Managing Risk

– Conducted in Conformance with The Standards

Actions Required by Internal Audit Leadership

• Discuss changes with Management and Audit Committees

• Develop gap analysis

• Disclose incremental required actions to be taken

IT Governance

Assess IT governance and determine appropriate reporting

Potentially increase IT auditing to adequately report on IT Governance

Perform enhanced IT risk assessment

Use IT Subject Matter Experts (SMEs) or outside resources as needed and re-evaluate capability of existing resources

Consider adopting the ITGI Five Elements of IT Governance to review the IT organization’s governance framework

2110.A2 – The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.

NEW Standard

IT Governance – Implementation Guidance

• Consider the following factors:

– Longevity and relative maturity of existing IT governance program

– Adopted governance or delivery frameworks (ITGI, Val IT, ITIL, ISO, etc.)

– IT, Business and Board stakeholder input about IT investments and projects

• The ITGI Five Elements of IT Governance is useful from a scoping perspective:

– Risk Management

– Strategic Alignment

– Value Delivery

– Resource Management

– Performance Metrics

· Align IT with Business

· Add value to products and services

· Increase managerial effectiveness

· Assist in competitive positioning

· Meeting business requirements

· On time / budget

· Time to market

· Integrity and accuracy of information

· Determining appetite for risk

· Determining risk exposures

· Identifying cost efficiencies

· Optimizing knowledge

· Optimizing IT resources (employees, applications, hardware)

· Identification of IT education, training and development

· Information Technology ROI

· Board and Executive awareness

· Operational and strategic metrics

Healthcare IT Environment

[Diagram: Core Systems (GL, Materials, HR & Payroll, A/P, Patient Accounts, Clinical, EHR), with labels for Medical Devices, ER, Rx, Image., OR, PDA, WLAN and www]

Healthcare IT Environment

• Must support the organization’s strategies and objectives

– Accountable Care Organizations

– Medical Homes

– Co-ops

– Insurance Exchanges

– Capitation

– Claims

– Other Contracting and Reporting

Discussion Questions – IT Governance

Has your organization performed an IT Governance assessment?

How did you approach this effort?

If not, how do you intend to comply with the Standard?

Fraud Risk Management

• Perform a fraud risk assessment and evaluate fraud risk management program by:

– Assisting management in performing one

– Leveraging an existing assessment performed as part of SOX or

– Performing an independent assessment

• Utilize outside resources as needed

• Utilize data analysis and continuous auditing and monitoring to enhance detection

• Determine style and scope of reporting

• Coordinate with legal counsel as appropriate

2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

NEW Standard

Healthcare Fraud Risk Management

• Coding

• Charging

• Procurement

• Expense reporting

• Time keeping

• Cash locations

• Credit card locations

• Self-funded insurance

• Electronic transactions

• Financial, utilization and clinic outcomes reporting

Discussion Questions – Fraud Risk Management

Has your IA function conducted a Fraud Risk Assessment?

- Examples

Discrete Fraud Risk Assessment project

Identification of fraud-related risks/controls during audit projects

Other

- Who was involved in the effort?

- Lessons learned

What have been your challenges in conducting fraud risk assessments?

How do you support fraud prevention and detection activities with training and awareness programs for Management and employees?

Discussion Questions – Fraud Risk Management

• Whose responsibility is it to monitor fraud risk within your operations on a daily, on-going basis (i.e., “continuous monitoring”)?

• How are “computer-assisted audit techniques” or electronic data analysis used to help identify potential fraud risk within financial or operational processes?

• What is the role of your Board of Directors in fraud risk governance?

Communication with the Board

• Increasing the Chief Audit Executive’s visibility with the Board

• Implement the Standards communications requirements with the Board

• Evaluate if reporting style and approach should be revised and enhanced

• Coordinate with legal counsel on reporting guidelines

1111 – Direct Interaction with the Board

The chief audit executive must communicate and interact directly with the board.

NEW Standard

Discussion Questions – Communication with the Board

• Does your IA function have any plans to change their current level of interaction with the Board or AC?

• In the current economic climate, have there been changes in requests from the Board?

– Frequency?

– Level of information?

• Does your IA function plan to change the type of reporting?

© 2010 Protiviti Inc. An Equal Opportunity Employer.