Risk Assessments and Internal Controls - Audit and Compliance Committee Conference 2011
DESCRIPTION
This presentation will discuss: the nature of risk in a health care organization and risk factors, the purpose of internal controls and how to balance internal controls in a health care organization, and the principles of risk management and enterprise risk management.
TRANSCRIPT
© 2008 Sinaiko Healthcare Consulting, Inc. Proprietary and Confidential 1
HCCA Audit & Compliance Committee Academy
Risk Assessment and Internal Controls
Kelly Nueske, RN, CPA, CMA, CIA
Managing Director
Enterprise Risk Services ~ Internal Audit & Compliance
Agenda
Risk
Internal Controls
Risk Assessment
Enterprise Risk Management
Nature of Risk
R = risk is relative because perception of downside and upside risk is individual, and that applies to people and organizations.
I = risk is intuitive because we learn with experience and time.
S = risk is significant because everything we do has positive and negative consequences.
K = risk is kinetic because it changes relative to situations, events, time and space.
Nature of Risk
Risk is universal
Risk is not properly identified and managed by most organizations, including governments
Need a common risk vocabulary
Need improved risk management methodologies
Risks are diverse and inherent to the business operations
If non-clinical risks are not managed they are just as hazardous as clinical risks
Internal Risks
Policies and Procedures
– Internal controls
Contracting
– Vendor Relationships
– Physician Relationships
Financial Reporting
– Financial Statements
– Tax Returns
– Cost Reports
– Investor Reporting
– Credit Risk
– Liquidity Risk
Crisis Management Program
– Business Continuity Plan
Human Resource Management
– Hiring & Terminations
– Employee Relations
Governance
– CEO Succession
Clinical Practices
– Quality
– Core measures
– Evidence Based
Information Technology
– Security
– Disruptions
Document Management
External Risks
Office of the Inspector General
CMS
State Health Department
OSHA
EPA
Investors
CCAC
Litigators
Past Employees
HIPAA
IRS
Auditors
Competition
What About the Unknown?
What Affects Risk?
Organizational culture and ethics
Financial pressures
Technology
Competition
Business strategy, i.e. joint ventures, mergers, acquisitions
State and Federal Laws
Accreditation
Change = Risk
COSO
COSO (Committee of Sponsoring Organizations of the Treadway Commission) is a voluntary private sector organization formed in 1985 and sponsored by five professional associations:
– American Accounting Association
– American Institute of CPAs
– Financial Executives International
– Institute of Internal Auditors
– Institute of Management Accountants
What is Internal Control?
COSO Definition
– Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
» Effectiveness and efficiency of operations
» Reliability of financial reporting
» Compliance with applicable laws and regulations
COSO Internal Control Framework
1. Control Environment: The organizational culture that influences the ethical behavior, workplace integrity, and risk and compliance consciousness of its personnel.
2. Risk Assessment: The process of identifying and analyzing the risks that threaten the institution's achievement of objectives.
3. Control Activities: The activities established to ensure that compliance requirements and the risk responses selected by management are carried out.
4. Information and Communication: The process for providing the right information to the right people at the right time for them to effectively carry out their responsibilities.
5. Monitoring: The management process in place to verify that controls are working as intended and to identify anomalies.
Internal Controls "Can" and "Cannot"
Internal Controls can:
– Promote reliable internal and external financial reporting
– Help safeguard assets
– Promote compliance with laws and regulations
– Help a company achieve its performance and profitability targets
Internal Controls cannot:
– Guarantee the reliability of financial reporting and compliance with laws and regulations
– Guarantee a company's survival or success
Types of Controls
Preventive Controls
– Designed to prevent errors or irregularities before they occur.
– Examples:
» Regular balancing and reconciling are completed by an individual independent of the transactions processed through the account.
» Passwords and physical safeguards are established to restrict access to appropriate personnel.
» Authorization and limits are established to ensure the appropriate oversight of significant transactions.
Detective Controls
– Designed to detect errors or irregularities after they have occurred.
– Examples:
» Exception reports are reviewed and cleared by persons with appropriate authority.
» Systems maintenance reports are reviewed to ensure changes are completed properly and authorized.
» Documentation reviews are completed to ensure files are complete.
Directive Controls
– Explain "how to do" something or a process.
– Examples:
» Policies and Procedures
Risk Assessment vs Enterprise Risk Management
Risk Assessment
– The identification, measurement and prioritization of likely relevant events or risks that may have a material consequence on an organization's ability to achieve its objectives.
– Typically performed by Internal Audit, Compliance and Risk Management annually.
Enterprise Risk Management
– A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
– An organizational approach to managing risk that is owned by Management.
What is Risk Assessment?
Performed annually
Process includes:
– Interviews
– Documentation review
– Employee surveys
Final deliverables:
– Internal Audit workplan
– Compliance workplan
What is Enterprise Risk Management?
Holistic approach to identifying risk – more than regulatory compliance, financial, medical liability, patient safety, general liability or SOX
Creates a portfolio view of risks
Identifies interrelationships and interdependencies among risks
Offers ability to manage risks within and across business units
What is Enterprise Risk Management?
Improves organization’s ability to identify and seize opportunities – competitive edge
Considers risk in the formulation of business strategy
Method to achieve business objectives
Involves all levels of management
Process to identify, analyze, mitigate/manage, measure and communicate risks across organization
Who is responsible for ERM? Everyone!
Board of directors provide guidance, direction and monitoring
Audit Committee, Risk Committee or full board receive a "dashboard" on risk and establish risk tolerance
CEO has ultimate ownership and sets the tone for the ERM process
Each level of management stays informed and takes ownership of risks at their level
Chief Risk Officer, if one exists, is facilitator and challenger of the process
Risk Management Team comprised of CEO, CFO, COO, CRO, CIO, CNO, CMO, etc. to oversee and support the process
Risk Domains
Operational
– Core business including systems and processes. Example: outpatient care
Financial
– Ability to earn, raise or access capital. Example: bonds
Human
– Recruiting, retention and managing workforce. Example: worker's compensation
Strategic
– Ability to grow and expand. Example: joint ventures
Legal/Regulatory
– Statutory, regulatory compliance, licensure, accreditation. Example: HIPAA, OSHA, JC (Joint Commission)
Technology
– Biomedical and information technologies. Example: CPOE
COSO Internal Control Framework (Original) [figure]
COSO ERM Integrated Framework [figure]
Sample Risk Assessment Results
Risk Area/Project Name          Risk Domain    Total Points
Revenue Cycle                   Financial      655
Billing Compliance              Regulatory     655
Privacy and Security            Regulatory     655
Grants and Research             Financial      625
Competition                     Strategic      625
Investments                     Financial      610
Business Continuity Plan        Operational    560
Mental Health Access            Operational    560
Core Measures                   Operational    525
Cash Controls                   Financial      525
Human Resources Operations      Human          520
Accounts Payable                Financial      495
Governance (Committee Charters) Governance     475
Credit Balances                 Regulatory     465
Computer Operations             Technology     445
Wireless Network                Technology     445
Sample Risk Assessment Heat Map
[Figure: heat map plotting the assessed risks; only the "Risk" point labels survived extraction.]
Something to Remember
Risk management and risk assessment are not an exact science. There is no one-size-fits-all approach.
– The process is unique to your organization.
– They are only one component of audit plan development.
– They include many variables.
– Scoring of individual risk factors and risks by several people will likely result in disagreement.
– The results should feel right, especially in terms of how risk is viewed overall and what rises as significant versus not so significant.
– Audit and Compliance Committee members should not get caught up in the details.
Questions to Ask
Is our executive management excited and passionate about their work?
Do they believe in and fulfill their responsibilities in a manner that embraces mission and vision?
For high risks, like a major system install, do we have someone with passion for leading the project, and are they in the right position to lead?
Does the risk management and risk assessment approach make sense for our organization?
Are we satisfied with the results of the risk assessment?
Questions to Ask
What other factors are used in developing the annual compliance and audit work plans?
How are the risks not included in those plans being addressed?
What risks are addressed by the board or its committees?
What risks are managed by operations and management?
Is management talking to the committee about risk and controls or is it a topic only understood by Internal Audit?
Questions to Ask
Who is responsible for ensuring compliance?
How do we know they are meeting the responsibility?
What major gaps do we currently have to fill and what are our plans to do so?
How concerned should we be about the gaps in the short and long run?
What do we want to see and what should we see?
How and when will an issue be resolved?
Conclusion
Leaders…
– Understand the risks most pertinent to their organization
– Manage the risks in an integrated fashion
– Prioritize risk management efforts around:
» Risks having the biggest potential impact, and
» Risks most likely to occur
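The following is an added illustration of the prioritization rule above (impact times likelihood, with rater disagreement surfaced rather than hidden); it is not code from the presentation or from Sinaiko Healthcare Consulting. The risk area names are taken from the slide's sample results table. Everything else is a constructed assumption for the example: the three raters and their ratings, the 1-5 likelihood and impact scales, the heat-map band cut-offs and the disagreement threshold.

```python
"""Scoring a risk register from several raters and bucketing it for a heat map.

Added example, not code from the HCCA/Sinaiko presentation. Risk area names
come from the slide's sample table; raters, ratings, scales and cut-offs are
constructed assumptions.
"""
from dataclasses import dataclass, field
from fractions import Fraction
from statistics import pstdev

SCALE_MIN, SCALE_MAX = 1, 5             # assumed 5-point likelihood/impact scales
HIGH_CUTOFF, MEDIUM_CUTOFF = 15.0, 6.0  # assumed heat-map band thresholds on L x I
DISAGREEMENT_CUTOFF = 1.0               # assumed: rater spread above this gets discussed


@dataclass
class Rating:
    rater: str
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        # Reject out-of-scale scores at entry so a typo cannot distort the ranking.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{label} {value} from {self.rater} is outside "
                                 f"{SCALE_MIN}-{SCALE_MAX}")


@dataclass
class Risk:
    name: str
    domain: str
    ratings: list[Rating] = field(default_factory=list)

    def _mean(self, attr: str) -> Fraction:
        # Exact arithmetic so band cut-offs are not hit by float rounding.
        if not self.ratings:
            raise ValueError(f"{self.name} has no ratings")
        return Fraction(sum(getattr(r, attr) for r in self.ratings), len(self.ratings))

    @property
    def likelihood(self) -> float:
        return float(self._mean("likelihood"))

    @property
    def impact(self) -> float:
        return float(self._mean("impact"))

    @property
    def score(self) -> float:
        # Mean likelihood times mean impact, the slide's two prioritization criteria.
        return float(self._mean("likelihood") * self._mean("impact"))

    @property
    def disagreement(self) -> float:
        # Largest population std-dev across raters on either axis; 0 for a single rater.
        if len(self.ratings) < 2:
            return 0.0
        return max(pstdev([r.likelihood for r in self.ratings]),
                   pstdev([r.impact for r in self.ratings]))

    @property
    def needs_discussion(self) -> bool:
        return self.disagreement > DISAGREEMENT_CUTOFF


def heat_band(score: float) -> str:
    if score >= HIGH_CUTOFF:
        return "High"
    if score >= MEDIUM_CUTOFF:
        return "Medium"
    return "Low"


def rank(risks: list[Risk]) -> list[Risk]:
    # Highest score first; ties go to the risk with the bigger potential impact.
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def heat_map(risks: list[Risk]) -> dict[str, list[str]]:
    buckets: dict[str, list[str]] = {"High": [], "Medium": [], "Low": []}
    for r in rank(risks):
        buckets[heat_band(r.score)].append(r.name)
    return buckets


def _risk(name: str, domain: str, triples: list[tuple[str, int, int]]) -> Risk:
    return Risk(name, domain, [Rating(who, lik, imp) for who, lik, imp in triples])


# Constructed ratings from three hypothetical raters (names from the slide's sample table).
SAMPLE_REGISTER = [
    _risk("Privacy and Security", "Regulatory",
          [("Compliance", 4, 5), ("Internal Audit", 5, 5), ("CIO", 4, 5)]),
    _risk("Competition", "Strategic",
          [("Compliance", 4, 4), ("Internal Audit", 2, 4), ("CIO", 5, 3)]),
    _risk("Business Continuity Plan", "Operational",
          [("Compliance", 2, 5), ("Internal Audit", 2, 5), ("CIO", 3, 4)]),
    _risk("Wireless Network", "Technology",
          [("Compliance", 3, 3), ("Internal Audit", 3, 3), ("CIO", 2, 2)]),
    _risk("Accounts Payable", "Financial",
          [("Compliance", 2, 2), ("Internal Audit", 1, 3), ("CIO", 2, 2)]),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER):
        flag = "  <- raters disagree, discuss before finalizing" if r.needs_discussion else ""
        print(f"{r.name:26} {r.domain:12} L={r.likelihood:.2f} I={r.impact:.2f} "
              f"score={r.score:5.2f} {heat_band(r.score):6}{flag}")
    print(heat_map(SAMPLE_REGISTER))
```

The disagreement flag is the point of the example: the slide warns that several scorers will disagree, and averaging silently buries that. Here "Competition" still ranks second on its mean score, but the spread in its likelihood ratings (2 to 5) is flagged so the committee sees the score as contested rather than settled.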
Contact Information:
Kelly Nueske, RN, CPA, CMA, CIA
Managing Director
Enterprise Risk Services ~ Internal Audit & Compliance
715.338.5566