ROSWELL PARK CANCER INSTITUTE CORPORATION
AUDIT COMMITTEE
OF THE BOARD OF DIRECTORS
A meeting of the Audit Committee of the Board of Directors of Roswell Park Cancer Institute Corporation was held on Wednesday, April 8, 2015 at 8:30 a.m. in the Patrick Lee Conference Room, 8th Floor, Main Hospital Building of the Institute.
Present: Hugh M. Russ, III, Esq., Chairman
Candace S. Johnson, PhD, President & CEO
Anne Gioia (Telephonically)
Frank Ewing, Esq. Gail Mitchell, Esq.
Sylvia Tokasz (Telephonically)
Excused: Michael L. Joseph, Chairman of the Board Present by
Invitation: Eugene Cullen, VP Internal Audit and Advisory Services (IAAS) Betsy Doty, Administrator to Board of Directors
James Farnham, Senior Associate Auditor (IAAS) Victor Filadora, PhD, Chief Clinical Operations Officer Anne Gross, Associate Auditor (IAAS)
Marianne Hanley, Esq., Corporate Compliance Officer Deborah Kassirer, Manager (IAAS)
Gregory McDonald, Chief Financial Officer
Michael Sexton, Esq., Chief Institute Operations Officer, General Counsel David Taber, Assistant Vice President, Finance Department
Mr. Russ opened the meeting and thanked all for attending. He indicated that the meeting will involve review of an HER audit that reveals a significant number of remediation requirements remaining. He said the goal of the Audit Committee is not to look back and place blame, but is to improve processes and look forward. Mr. Russ further noted that per discussion with Mr. Cullen and senior management, appropriate steps to remedy many of the noted issues are already
underway.
Minutes:
A motion to approve the November 6, 2014 minutes was made by Ms. Tokasz, seconded by Ms. Mitchell and unanimously approved.
Status Report:
Ms. Kassirer gave an Internal Audit and Advisory Services Status Report on the audit plans for the fiscal years 2013-2015 (see Tab 2). Ms. Kassirer then noted that as management has made the decision to pull back on the full implementation of Meaningful Use for calendar year 2015,
IAAS will be meeting with Dr. Boris Kuvshi off in the spring to determine next steps for audit #15-3 Meaningful Use Stage 2. She also noted that audit #15-10 IT Governance and IT Strategy is being replaced with a new audit entitled IT Strategy and Plan as part of the proposed FY2016 audit plan being presented later in this meeting for approval. She then noted that #14-4
HIPAA/HITECH and Data Governance Audit will continue to be postponed as the NYS Office of
State Comptroller has just finished a Security Audit over Electronic Personal Health Information. The IAAS plan is to continue to postpone this HIPAA privacy and security audit until IAAS has had an opportunity to evaluate the OSC audit results; once completed IAAS will reevaluate the necessity and/or scope of audit # 14-4 in order to not duplicate audit activities already performed by OSC. Lastly, she indicated that tire majority of the audit remediation activities are satisfactory.
IAAS Risk Assessment:
Mr. Cullen stated that IAAS has completed its Annual Enterprise Risk Management Survey (see Tab 3A). He stated that the objective of this survey was to gather data on management s understanding of the Institute's internal controls and compliance program, department risk management and clinical perspective of the electronic health record system. The survey was sent to 310 department managers, supervisors, physicians and executives responsible for key functions and risk management for the institute, and resulted in a 67% response rate. Mr. Cullen noted that this survey is utilized to develop the FY2016-2018 internal audit work plan.
Mr. Cullen noted that the survey results highlighted matters of potential concern surrounding EHR satisfaction and clinical and research strategies. As the EHR is a critical application used for care and treatment of patients, Mr. Cullen noted that the results of the survey indicate that risks exist with the current use and functionality of the EHR, and that these risks will be further discussed later in the meeting when the EHR Performance Audit is presented. It was also noted that IAAS recommends, as a result of the survey, that management should communicate the relative success or failure in meeting organizational objectives included the strategic roadmap so that organization and department goals can be aligned in the future.
FY2016 Audit Plan;
A motion was made by Ms. Mitchell to approve the FY16 Audit Plan, which was seconded by Ms. Anne Gioia, and was unanimously approved.
Internal Audit:
Ms. Kassirer spoke on the Clinical Science Center ( CSC ) Construction Audit located on Tab 4A. The objective was to evaluate the effectiveness of managemenfs existing controls and processes related to capital construction projects. The scope of the assessment included a high-level evaluation of the effectiveness of processes and procedures deployed to deliver capital projects, focusing on internal controls ove contract administration and project management oversight, scope and change management and cost management. As reported in the Executive Summary and Risk Evaluation section of the report, the overall capital p oject construction controls appear to be effective and provide reasonable assurance that the project is properly managed and that an adequate control framework is in place and functional. IAAS will also periodically meet with the project team to inquire on the status, and any associated risks, of the next phases of the CSC project prior to completion.
A motion ivas made by Ms. Tokasz to approve the Clinical Science Center Construction Audit, which was seconded b Mr. Ewing and was unanimously approved.
A motion to move the meeting into executive session was made by Ms. Mitchell for a
discussion of a specific Clinical Trial/protocol billing audit and the Electronic Health Record
Performance Audit, which was seconded by Mr. Eiving and unanimously approved.
Ms. Gross gave an overview of the Clinical/Trial Protocol Billing Audit findings and ecommendations located on Tab 4B. The focus of the audit was to evaluate procedures related to proper billing of clinical trial services. Ms. Gross noted that the processes that the Institute has in place provide reasonable assurance that clinical trial bills are processed in accordance with CMS guidelines. It was recommended and management accepted a performance improvement action to develop compliance matrix of institutional, award specific and Federal wide administ ative terms and conditions. This matrix will be evaluated annually and any risk matters will be reported to the associated PI and leadership and corrective action plans, if needed, will be implemented.
A motion was made by Ms. Mitchell to approve the Clinical Trial/Protocol Billing Audit,
which was seconded by Ms. Tokasz and ivas unanimously approved.
Mr. Cullen began discussions on the Electronic Health Record Performance Audit (see Tab
4C) and indicated that this was a follow up to the 2011 Electronic Health Record (EHR)
implementation audit. Results of this audit were intended to provide objective analysis to evaluate the effectiveness of the Electronic Health Record system and assist management and those charged with governance and ove sight with information to improve performance, reduce cost, facilitate decision making and improve accountability. Mr. Cullen reported on lAAS s key findings and associated recommendations to improve EHR functionality and provide reasonable assurance that the EHR meets the objectives of improving quality, safety and efficiency. IAAS is recommending that the Institute develop a plan and commit to completing implementation and optimizing functionality with the appropriate resources in a reasonable timeframe. Mr. Kerlin responded to the recommendations and indicated that they have recently hired a new CMIO, who previously worked at Allscripts and is a physician, to be placed in charge of this project and monitor emediation of all IAAS recommendations. Dr. Johnson indicated that the CMIO is not solely responsible for EHR changes, but that EHR support starts at the top and that everyone needs to work together to get EHR changes accomplished.
A motion was made by Ms. Mitchell to approve the Electronic Health Record Performance Audit, which ivas seconded by Mr. Ewing and was unanimously approved.
A motion was made by Ms. Mitchell to return to Open Session, which ivas seconded by Mr. Ewing and unanimously approved.
Projects:
Mr. Cullen commented on the Evaluation of the Implementation over the Picis Pre-Op Manager Module (see Tab 5A) and noted that this audit was requested by the CEO to evaluate the cause of a module implementation failure and to determine if the Picis project team had effectively
planned the project. The PICIS applications replaced the Surgical Information Systems (SIS)
application. A summary of lAAS s findings and recommendations was given to management and reviewed with the Audit Committee. IAAS will follow up with management on the recom endation for project management changes and improvement to the plan.
Mr. Farnham reported on the results of the second quarterly Financial Statement Internal Controls Audit presented on Tab 5B. Mr. Farnham noted that during this cycle, IAAS conducted an interactive review with key management and staff having responsibilities for the management of the Fixed Assets and Cost Report processes Mr. Farnham commented that IAAS did not identify any deficiencies in the controls tested surrounding IT applications.
overall rating assigned to these processes was deemed to be effective.
Ms. Gross spoke next on the follow up on overdue audit recommendations as listed on Tab 5C. IAAS continues to work with the business owners, and progress has been made. Ms. Gross acknowledged the tenacity of the IT Security team efforts led by Andrea Kuettel to successfully remediate many of their open audit items.
Non-Audit Services:
Mr. McDonald gave an update on the Non-Audit Services on Tab 6 and noted that this was just an update and no action was required.
Administrative:
Mr. Sexton noted that the next item on the agenda was the annual review of the Audit Committee Charter located at Tab 7A. Mr. Sexton noted that there were no proposed changes to the charter from the previous year.
A motion by Ms. Mitchell ivas made to approve the Audit Committee Charter which ivas seconded by Mr. Ewing and unanimously approved.
Mr. McDonald indicated that the Assessment of Effectiveness of Internal Controls Certification memo for the year ended March 31, 2015 is part of the reporting package sent to the NYS Authority Budget Office and Office of die State Comptroller each year to comply with the
various reporting requirements of Public Authorities Law, General Municipal Law and OSC Regulations. Mr. McDonald noted that the ABO reporting package will be presented in its entirety at the June Board meeting. The Certification memo is included in the Audit Committee package for reference only, and no approval was needed at this time.
Ms. Gross discussed the New York State Authorities Budget Office (ABO) publication, Board Meetings: Best Practice Guide for Public Authorities", dated January 2015 . IAAS performed a review and gap analysis of RPCI Board of Directors practice to key issues noted within the guide (see tab 7C). The ABO Guide and gap analysis were discussed by Mr. Sexton at a Board of Directors Executive Committee meeting.
Educational Materials:
Mr. Cullen indicated that there were educational materials in the packet for informational purposes only (see Tabs 8A and 8B).
There being no furthe business, a motion ivas made by Ms. Mitchell, seconded by Ms. Tokasz, to adjourn the meeting which was unanimously approved.
Respectfully submitted.
Michael B. Sexton Secretary
