How to Conduct Fraud & Internal Audit Enterprise Risk Assessments At Your Organization

Academic year: 2021

(1)

How to Conduct Fraud & Internal Audit Enterprise Risk Assessments At Your Organization

September 1, 2009

Bruce Kincaid, MBA, CIA, CISA; Danette Eibl, CPA

Internal Audit Staff

Rockford Health System, Rockford, IL

(2)

Internal Audit Disclosure

• This presentation is provided as information for your consideration as you decide your strategy for assessing and attempting to maintain an internal audit risk assessment and/or fraud assessment for your health care entity.
• All information contained in this PowerPoint presentation, related handouts and discussion are presented as is for your consideration.

(3)

Presentation Objectives

• Understanding of ERM (Enterprise Risk Management)
• How to conduct an IA (Internal Audit) risk assessment
• How to conduct a fraud risk assessment using
– AICPA (American Institute of Certified Public Accountants) guidance and
– SAS (Statement on Auditing Standards) 99

(4)

Introduction

• How to undertake an IA or fraud risk assessment depends on:
– Mission of your organization
– Business form of your organization
– Desire of management
– External pressures, forces and factors
– IA department size and organizational status

(5)

Mission of Your Organization

• Most health care (HC) organizations have a
– Vision and Mission Statement (V&MS)
• The V&MS defines or implies your organization’s mission to:
– Provide HC services to a
• Category of patient
• Category of treatment
• Local community
• Region
• State - Nation

(6)

Mission of Your Organization

• The V&MS defines or implies your organization’s mission to:
– Be in and stay in the HC business
• Stay current with technology
– Provide quality of life for
• Owners and
• Employees
– Generate
• Profits or S l

Association of Healthcare Internal Auditors        6

(7)

Mission of Your Organization

• The V&MS defines or implies your organization’s mission to:
– Be competitive in the HC business
– Manage business risk
• Status quo – essentially, maintain current risks
• Grow in the market place,
– Maintain current risks and
– Identify and manage new risks.

(8)

Business Form of Your Organization

• HC business forms vary – change is in the air:
– Outpatient services (Physician Practices/Clinics/Surgery Centers/Rehab Facilities)
• For profit
• Not for profit
– Inpatient services (Hospitals/SNFs/LTCF)
• For profit
• Not for profit
• Not for profit – Faith based
• Public entity
– Unique partnerships

(9)

Desire of Management

• The desire of management reflects two interests:
– Governance interest
• Service for the community’s good (Conservative)
• Service for the shareholder’s good (Aggressive)
– Management’s interest
• Service for the community
– Grow present HC services and
– New venture growth
• Service for shareholders
– Maximize earnings per share
– New venture growth and

(10)

External Pressures, Forces and Factors (EPF&F’s)

• EPF&F’s are a BIG motivator for HC
– Change (growth - renewal or expansion)
– Risk management (present operations) and
– Future risk management (new venture growth)
• Today’s main EPF&F’s are:
– HC system access and cost
• Obama health care reform

(11)

External Pressures, Forces and Factors (EPF&F’s)

– Consumerism
• Quality measures - Pay for Performance
• Leap Frog - Red Flag
– Government interference/intervention
• Declining reimbursement – Recovery Audits (RAC/MAC/MIC)
– Technology
• Electronic Health Record (EHR) - Cyber Espionage (HIPAA compromise)

(12)

IA Department Size and Organizational Status

• Size makes a difference:
– One to five auditors
– Six to 15 auditors
– 15 or more auditors
• Organizational status makes a difference:
– Limited independence
• Part of Finance
• Reports to CFO
• Right-hand accounting/internal/management controls go-to person

(13)

IA Department Size and Organizational Status

– Independent
• Operationally reports to Board – via the Audit Committee
• Administratively reports to – the CEO/CFO/Administrator
– Autonomous
• Operationally reports to Board – via the Audit Committee
• Senior Vice President & CAE (Chief Audit Executive)
• Corporate headquarters audit staff

(14)

Begin With the End in Mind

• Before you begin an IA or fraud risk assessment you need to know where your entity is at:
– Mission of your organization
– Business form of your organization
– Desire of management
– External pressures, forces and factors
– IA department size and organizational status
• Will it add value? To whom? Pick audits?
• Show some IA balance or broad coverage

(15)

Fraud and IA Risk Assessments – Presentation Design

• One to five auditors:
– Limited operating budget
– Everyone is either a nurse or internal auditor
• > Five auditors:
– Expanded operating budget
– Expanded supervision
– Acquire an ERM IT risk assessment program
• CCH TeamMate – Five auditors - $15K

(16)

Typical < Five Auditor IA Department

[Flowchart, Typical < Five Auditor IA Department: Board of Directors; Rockford Health System Audit Sub Committee (ASC); ASC Charter; IAP Charter; ASC Needs; Management's Needs; Compliance Needs; Internal Audit Staff (2 FTEs with ACL); Information Technology (IT) Audit Staff (2 FTEs with ACL); IAP Enterprise Risk Assessment (2.5 FTEs); IAP Fraud Enterprise Risk Assessment; Annual Internal Audit Plan; Approved Audit; IT Strategic Plan; System Change & Evolution; Dynamic Monitoring; Audit Fieldwork; Identify Harmful Effects; Formulate Findings & Recommendations; Develop IA Report With Auditee; IA Report (Findings, Recommendations, Management Responses); Distribute Final IA Report to ASC Members (electronic PDF file via secure FTP) and to Management.]

(17)

Internal Audit Program 1st Priority

• Annual Audit Plan core concept for systems evolution (300+ applications):
– “….Internal Audit is to participate up front in the RHS management process and project implementations by ensuring that effective internal controls are engineered into these processes.”
– “….Internal Audit will participate as a consultant when management is considering significant change and will audit existing processes based on risk and

(18)

Why Perform an IA Risk Assessment?

• HC world has changed
– 1999 – 541 bed hospital – 5,000 employees
• 78 IT applications
• Average two IT applications/critical staff
– 2009 – 397 bed hospital – 3,200 employees
• 300+ IT applications
• Average five IT applications/critical staff
– Average CS time spent using IT applications in 2009: about 70%!

(19)

Why Perform an IA Risk Assessment (RA)?

• 1999 versus today:
– In 1999, 78 IT applications
• The IA could be safe and responsive – simple pick of “A” priority audits
– Today, 300+ IT applications
• There are few simple picks anymore
• The IA risk assessment we are training you on today lets you:

(20)

Why Perform an IA Risk Assessment (RA)?

• Provides more formal structure to the audit selection process
• Audit critical risks
• Match staff ability to audit assignments
• Provides a risk-driven structured approach for you, management and your audit committee
• It’s free, but
– as your staff grows you may wish to acquire a RA service software application.

(21)

Enterprise Risk Management (ERM)

“Enterprise risk management deals with risks and opportunities affecting value creation or preservation, defined as follows:

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Source: “Enterprise Risk Management – Integrated Framework” Executive Summary, September 2004, Committee of Sponsoring Organizations of the Treadway Commission (COSO)

(22)

Enterprise Risk Management (ERM) – Key Points to Consider From the IIA as of June 2008

• Enterprise Risk Management
– Enterprise risk management requires an entity to take a portfolio view of risk.
– Management considers how individual risks interrelate.
– Management develops a portfolio view from two perspectives:
• Business unit level
• Entity level

(23)

Enterprise Risk Management (ERM) – Key Points to Consider From the IIA as of June 2008

• Risk Assessment (RA)
– RA is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.
– Allows an entity to understand the extent to which potential events might impact objectives.
– Assesses risks from two perspectives:
• Likelihood
• Impact
– Is used to assess risks and is also normally used to measure the related objectives

(24)

Enterprise Risk Management (ERM) – Key Points to Consider From the IIA as of June 2008

• Internal Auditors (IA’s)
– IA’s play an important role in monitoring ERM, but DO NOT have primary responsibility for implementation or maintenance.
– IA’s assist management and the Board or Audit Committee in the RA/ERM process by:
• Monitoring
• Evaluating
• Examining
• Reporting
• Recommending improvements

(25)

Enterprise Risk Management (ERM) – Key Points to Consider From the IIA as of June 2008

• IA’s can add value by:
– Implementing a risk-based approach to planning and executing the internal audit process.
– Ensuring that internal audit’s resources are directed at those areas most important to the organization.
– Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.

(26)

Enterprise Risk Management (ERM) – Key Points to Consider From the IIA as of June 2008

• IIA Standards
– 2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually.
– 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems.
– 2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.

Source: Extracted by Anna L. Cuson, CPA, Senior Internal Auditor, Corporate Compliance & Integrity, Self Regional Healthcare, Greenwood, SC while preparing her entity’s enterprise risk assessment, 2008

(27)

Rockford Health Systems (RHS) View of ERM

• ERM is the process by which an organization identifies and manages business risk within the company. ERM consists of two main components, new ventures and present operations.
• The RHS IAP RA deals with present operations.
• The IAP RA was developed with the knowledge and presence of the following specific RHS risk management programs:

(28)

RHS View of ERM

• Compliance Program (Legal Compliance/Resource Protection)
• HIPAA (Health Information Portability and Accountability Act) Compliance Program (Legal Compliance/Resource Protection)
• IT (Information Technology) Security Program (Asset/Resource Protection)
• Physical Security Program (Asset/Resource Protection)
• Facilities Management Program (Planned Preventative Maintenance)
• Bio-Medical Engineering Program (Planned Preventative Maintenance)
• Quality Management Program (Healthcare Outcomes)
• Case Management/Utilization Review (Healthcare Outcomes)
• Risk Management (Corporate Insurance Program)

(29)

RHS View of ERM

• COSO’s ERM Risk Appetite. The RHS view:
– How rich is your appetite?
– How much do you want to dine on at one time?
• Components of Risk Management (aka “The Risk Menu Choices”). Risk can be minimized or managed by the use of:
– Management or internal controls (controlling risk),
– Commercial insurance (insurance against loss), or
– Assumption of risk/self insurance (absorption of loss)

(30)

RHS IAP Structured Approach

• If you wish to define your IA program based on a logical assessment of business risk, this is the method we offer for consideration today.
• RHS and Self Regional IA conducted an ERM reference search.
• Initial Meeting. To conduct an initial IAP risk assessment you need to hold an announcement/organizing meeting.
– Presentation Item D-4-2 provides you this information
– You will need to update it to today and
– For use by your department.

(31)

RHS IAP Structured Approach

• Second Meeting. You need to verify that your existing risk management programs are
– In place
– Functioning as intended.
– Presentation Item D-4-3 provides you a starting inventory of programs
– You will need to update it to today and
– For use by your department.
• Your RA Model. You need to define your risk assessment methodology
– Best done with the assistance of
• Your CFO and

(32)

RHS IAP Structured Approach

• The RA Method. RHS IA searched AuditNet and other available audit libraries to find a model.
– Not much available
– Did find an IAP RA method developed by a bank
– Decided to build on this model
– Presentation Item D-4-4 is the RHS RA model
• We will now lead you through a review and discussion of this model so
– You can understand it and
– Adapt it for use by your department
• Presentation Handout One – Let’s review

(33)

RHS IAP Structured Approach

• The model consists of narrative documentation to be followed when populating the RA Excel workbook, Presentation Item D-4-5.
• The spreadsheet ranks your risks so you can determine
– High – Medium – Low risks by

(34)

RHS IAP Structured Approach

• Risk Ranking elements are:
– Management Control Environment – 15%
– Organizational Structure/Change/Growth – 15%
– Financial Exposure – 20%
– Reporting – 15%
– Compliance – 15%
– Fraud Potential – 15%
– Business Continuity – 5%
• Presentation Handout One. Please refer to this aid which has been provided to you.
– Review of risk ranking elements
– Sample risk assessment

(35)

RHS IAP Structured Approach

• Populating the RA Excel workbook
– Used to report your assessment results
• The auditor’s project steps:
– Map the workbook to show your organization’s
• Major to minor business units
• Define key processes and/or descriptions
• Interview management to
– Define key processes and/or descriptions
– Conduct initial RA with management
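
Added example, not the RHS workbook or any material from the presentation: a Python version of the weighted High/Medium/Low ranking the preceding slides describe, using the seven elements and weights listed on the slides. The 1-to-5 scoring scale, the 70/40 band cut points and the sample business units with their scores are constructed assumptions; it also rejects incomplete or out-of-range scores instead of treating them as zero.

```python
"""Weighted risk ranking modelled on the RA workbook elements from the slides.

Added example; the scale, cut points and sample units are assumptions.
"""

# Risk ranking elements and weights as listed on the slide (percent of total).
WEIGHTS = {
    "Management Control Environment": 15,
    "Organizational Structure/Change/Growth": 15,
    "Financial Exposure": 20,
    "Reporting": 15,
    "Compliance": 15,
    "Fraud Potential": 15,
    "Business Continuity": 5,
}
ELEMENTS = list(WEIGHTS)

# Assumed (not on the slide): each element is scored with management from
# 1 (lowest risk) to 5 (highest risk); the 0..100 weighted score is banded
# High at 70 and above, Medium at 40 and above, Low below that.
SCALE_MIN, SCALE_MAX = 1, 5
HIGH_CUTOFF, MEDIUM_CUTOFF = 70.0, 40.0


def check_weights(weights=WEIGHTS):
    """Return the weight total; the ranking is meaningless unless it is 100."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights sum to {total}, expected 100")
    return total


def element_contributions(scores, weights=WEIGHTS):
    """Weighted contribution (0..weight) of each element for one business unit.

    A missing element or an out-of-range score raises instead of being
    treated as zero, which would silently understate the unit's risk.
    """
    check_weights(weights)
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"unscored elements: {sorted(missing)}")
    contributions = {}
    for element, weight in weights.items():
        score = scores[element]
        if not SCALE_MIN <= score <= SCALE_MAX:
            raise ValueError(f"{element}: {score} not in {SCALE_MIN}..{SCALE_MAX}")
        contributions[element] = weight * (score - SCALE_MIN) / (SCALE_MAX - SCALE_MIN)
    return contributions


def weighted_score(scores, weights=WEIGHTS):
    """Overall weighted risk score for one business unit, 0..100."""
    return sum(element_contributions(scores, weights).values())


def is_valid_scores(scores, weights=WEIGHTS):
    """True when the unit's scores are complete and within the scale."""
    try:
        element_contributions(scores, weights)
        return True
    except ValueError:
        return False


def risk_rank(score):
    """Band a weighted score as High, Medium or Low."""
    if score >= HIGH_CUTOFF:
        return "High"
    if score >= MEDIUM_CUTOFF:
        return "Medium"
    return "Low"


def rank_units(units, weights=WEIGHTS):
    """Return (unit, score, rank) tuples, highest risk first, ties by name."""
    rows = [(name, weighted_score(scores, weights)) for name, scores in units.items()]
    rows.sort(key=lambda row: (-row[1], row[0]))
    return [(name, score, risk_rank(score)) for name, score in rows]


def unit(*values):
    """Build a scores dict from values given in WEIGHTS order."""
    return dict(zip(ELEMENTS, values))


# Constructed sample business units (element scores in WEIGHTS order).
SAMPLE_UNITS = {
    "Patient Accounting/Billing": unit(3, 4, 5, 4, 5, 5, 3),
    "Pharmacy": unit(3, 3, 4, 3, 5, 4, 4),
    "Materials Management/Purchasing": unit(2, 3, 4, 3, 3, 5, 2),
    "IT Program Change Control": unit(3, 5, 3, 3, 4, 3, 5),
    "Facilities Maintenance": unit(2, 2, 2, 2, 2, 2, 3),
}

if __name__ == "__main__":
    # Print the ranked list with the element that drives each unit's score.
    for name, score, rank in rank_units(SAMPLE_UNITS):
        driver = max(element_contributions(SAMPLE_UNITS[name]).items(), key=lambda kv: kv[1])
        print(f"{rank:6} {score:6.2f}  {name}  (largest driver: {driver[0]})")
```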

(36)

RHS IAP Structured Approach

– Develop
• IA and management openness and
• Joint OWNERSHIP – NO SURPRISES
• Be sensitive
• You are taking line management to a place they have never been before!
• Future Years
– Roll forward the RA process
– Update during the audit year

(37)

RHS Initial Fraud Definition

• Fraud is a power word.
• Cannot perform an initial IAP RA without defining fraud.
• Few health care entities have a
– Working definition
– Frequently thought to be an accountant’s term
• For the RHS IAP RA
– Adopted the Federal government’s approach
– Unstopped WASTE leads to ABUSE leads to FRAUD
– Defined a fraud range >$10K to >$100K

(38)

How to Conduct an IA Enterprise RA at Your Organization

• Closing discussion.
– Defined ERM
– Discussed the IAP RA process
• Need and how to do it
– Empowered you with a working IAP RA model
– Performed a sample risk assessment
– Reviewed Presentation Items that you may wish to customize for your use

(39)

Fraud and IAP Risk Assessments

(40)

How to Conduct a Fraud Enterprise RA at Your Organization

• Our external auditors D&T liked the IAP RA model
• To our surprise they came back the following year and
– Recommended we conduct a formal fraud assessment
– Measure and test existing fraud controls
• Our thinking
– Looking for a best practice model
– Easier to comply than rebut
• Tokenism was a thought!
• Atta boys for fraud seldom occur
• Then the economy fell apart

(41)

Fraud Enterprise Risk Assessment (FERA)

• Discuss the FERA for HC entities
– Purpose
– Preparation and sample
– Expand the previous fraud definition
– Fraud questionnaires
– Communication with management
– How to share final product with
• Management and the Audit Committee

(42)

FERA and Other Industries

• Health care entities are highly regulated
– Numerous HHS voluntary compliance programs
• Laboratory
• Physician Practices
• Hospitals
• Home Health Agencies
• Except for banking, government contractors and manufacturing (EPA), most other industries lack formal compliance programs
• Therefore the Statement on Auditing Standards (SAS) 99, Considerations of Fraud in a Financial Statement Audit, has special significance for financial auditors

(43)

Planning the RHS FERA

• D&T recommended we conduct the initial FERA as outlined in the “Management Antifraud Programs and Controls – Guidance to Help and Deter Fraud” (aka The Guide) by the Fraud Task Force of the AICPA Auditing Standards Board
• We reviewed SAS 99 and the guide – a 19 page document
• The guide is located at: https://publication.cpa2biz.com
• We decided to use the guide to lead us to document our FERA results

(44)

Conducting the FERA

• During the actual assessment of fraud risk, we evolved to using both
– Statement on Auditing Standards (SAS) 99, Considerations of Fraud in a Financial Statement Audit and
– The guide
• It takes time to gain comfort assessing fraud risk
• It takes time to conduct the initial FERA
– 500 IA hours

(45)

Obtaining AICPA Permission

• If you decide to use the “Management Antifraud Programs and Controls – Guidance to Help and Deter Fraud” as your FERA road map,
• Obtain AICPA permission in advance from:
Thomas A. Robinson, J.D.
Manager, Rights & Permissions, AICPA
Email: trobinson@aicpa.org
Phone: 919-402-4031

(46)

Expanded Fraud Definition

• Fraud can range from
– minor employee theft and unproductive behavior to
– misappropriation of assets and
– fraudulent financial reporting.
• Materiality – AICPA’s range is low to high dollars.
• Raising the organization’s awareness minimizes fraud.

(47)

Expanded Fraud Definition

• Difficult to totally eliminate fraud, but it can be detected over time.
• Fraud risk can be reduced through a combination of prevention, deterrence, and detection measures.
• Unstopped WASTE leads to ABUSE leads to FRAUD.
• An unchecked waste of assets or business resources today will become future fraud.

(48)

Expanded Fraud Definition

• Need a line management fraud awareness starting point
– Management concern should begin when a wasteful practice >$1K is identified
• Move to correct the poor practice (prevention control)
– IA becomes immediately concerned with
• Identified waste, abuse of resources or theft >$10K (control breakdown)
• Not in business to lose it or give it away!

(49)

Conducting the FERA

• Use a two-fold approach
• Survey management
– Formal fraud assessment questionnaire
• Tailored to IA’s pre-assessment knowledge of the manager’s position
• Standard questions and
• Unique questions
• Identify, document and assess existing fraud controls
– Follow the guide

(50)

Conducting the FERA

• Following the guide to identify, document and assess existing fraud controls is a
– Complex assessment process
– Having the IAP RA helped
– Having a thorough knowledge of entity processes REALLY helped
– Extensive interviews of key managers helped
– Using the guide to document the FERA was
• Easy and
• Thorough

(51)

Conducting the FERA

• Presentation Item D-4-6 consists of three sample questionnaires
– Can be used to start building your fraud questionnaire
• Presentation Handout Two – Let’s review
• Preparing Your Fraud Questionnaires
– Share the definition of fraud
• Written
• Verbal
– Include some standard questions
• “Are you aware of a fraud in your area?”
• “How do you think a fraud could occur in your area?”

(52)

Conducting the FERA

– Prepare individual questions for different people and departments
– Begin the interview process with senior management
– As time allows, focus on other management staff
– Continue annually to include key personnel such as accounting, purchasing, and human resources

(53)

Conducting the FERA

• What are fraud controls?
– Preventative controls
– Deterrent controls
– Detective controls
• Can a control be two types – YES
• What HC programs and systems encompass your fraud controls?
– Joint Commission - Compliance

(54)

Conducting the FERA

• Review Presentation Handout Two
• Using the guide requires you to document your fraud controls in the following areas
• CREATING A CULTURE OF HONESTY AND HIGH ETHICS
– Setting the Tone at the Top
• IA Assessment - Review of Top Management’s Actions
– Code of conduct
– Actions show honesty and equality
– Conflict of interest disclosure process

(55)

Conducting the FERA

– Creating a Positive Workplace Environment
• IA Assessment – Evidence of
– Employment opportunities
– Reward system for goals met
– Training programs
– Career development
– Compliance Helpline number is visible and

(56)

Conducting the FERA

– Hiring and Promoting Appropriate Employees
• IA Assessment – Evidence of
– Employee background investigations - new hires, changes to a position of trust and volunteers
– Personal references, education and past employment verified
– Annual evaluation of compliance with the company’s values and code of conduct

(57)

Conducting the FERA

– Training
• IA Assessment - Evidence that
– New Employee Orientation/Compliance Training
– Annual Compliance Training
– Professional Ethics and Fraud Prevention Standards for Critical Work Groups
– Confirmation
• IA Assessment – Evidence that
– Employees agree to abide by the
» Standards of Conduct
» Company Confidentiality

(58)

Conducting the FERA

– Discipline
• IA Assessment – Evidence of
– Fraud investigations
– Progressive discipline for violators
– Strengthening of needed controls
– Reinforcement of company values
• EVALUATING ANTIFRAUD PROCESSES AND CONTROLS

(59)

Conducting the FERA

– Identifying and Measuring Fraud Risks
• IA Assessment – Evidence that
– The company has a heightened “fraud awareness” and
– An appropriate fraud risk management program
– Mitigating Fraud Risks
• IA Assessment – Evidence of appropriate
– Separation of duties and
– Supervisory oversight of key financial and accounting processes

(60)

Conducting the FERA

– Implementing and Monitoring Appropriate Internal Controls
• IA Assessment – Evidence that appropriate fraud deterrent controls
– End of Month Close Process
– IT Program Change Control
– IA Program
• DEVELOPING AN APPROPRIATE OVERSIGHT PROCESS
– Audit Committee or Board of Directors
• IA Assessment - Evidence of
– Active involvement and oversight
– Audit Committee Charter
– Member competency

(61)

Conducting the FERA

– Management
• IA Assessment – Evidence of
– Responsibility – Annual Management Representation Letter
– Oversight of senior management business travel
– Internal Auditors
• IA Observation – Declaration of
– Adequately funded IA program
– Independence
– Properly functioning IA program

(62)

Conducting the FERA

– Independent Auditors
• IA Observation – Declaration of
– Free and open dialog with the Audit Committee
– Annual fraud inquiry to
» Audit Committee
» Management
– Have the Independent Auditors complete a fraud questionnaire for you
– Certified Fraud Examiners (CFE’s)
• IA Observation – Declaration of
– Have or use CFE’s or
– Fraud consultants, when appropriate

(63)

Reporting Your FERA Results

• Presentation Item D-4-7 is a sample FERA report
– Prepared using the guide
– Can be used to start writing your FERA results
• When conducting your FA you will have
– Findings and recommendations
– Present and discuss changes with management; include
• Management responses and
• Completion dates
– Handle as a regular audit or consulting report
• Prepare a formal written report
– First annual FERA report
– Annual updated FERA report

(64)

Fraud Enterprise Risk Assessment (FERA)

• Discuss the FERA for HC entities
– Purpose
– Preparation and sample
– Expand the previous fraud definition
– Fraud questionnaires
– Communication with management
– How to share final product with
• Management and the Audit Committee

(65)

Acknowledgements

• We wish to express our appreciation to

– Thomas A. Robinson, J.D., AICPA
– Adam Burt, Thomson Reuters, GRC On Demand for IA, www.paisley.com
– Sales Staff, CCH TeamMate, www.tax.cchgroup.com

(66)

In Summary

• We have given you an
– Understanding of ERM (Enterprise Risk Management)
– How to conduct an IA (Internal Audit) risk assessment
– How to conduct a fraud risk assessment using
• AICPA guidance “The Guide” and
• SAS 99
– How to use this session’s IA and fraud audit items to conduct similar assessments
• For your organization

(67)

General Discussion

• Questions and Answers
• Contact Information
Bruce Kincaid, MBA, CIA, CISA – Director, Internal Audit, Rockford Health System, Phone: 815-971-5176, Email: bkincaid@rhsnet.org
Danette Eibl, CPA – Manager, Internal Audit, Rockford Health System, Phone: 815-971-5725, Email: deibl@rhsnet.org
• Audit Thought: “When it’s not in the book, you are the Book”
