External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011


description

This presentation covers the following topics: gaining the confidence and trust of the audit committee, ensuring the Audit Committee is appropriately educated to understand the current risk environment, and making sure the compliance program and compliance issues receive appropriate attention.

Transcript of External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

Page 1: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011


External Audit & the Audit Committee

Audit & Compliance Committee Conference

Health Care Compliance Association

February 8th, 2011

Page 2: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

Agenda

Overview of the Risk Environment

The Role of the Audit Committee

The Role of the External Auditor

The Current Regulatory Environment

Ensuring Support of the Compliance Function

Overview of Healthcare Fraud & Abuse

Overview of the Compliance Function

The Role of the Audit Committee

Page 3: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

An Overview of the Risk Environment

Top Ten Cited Risks – KPMG Enterprise Risk Survey - 2010

Insufficient Reimbursement

Aligning Hospital & Physician Incentives

Readiness for Clinical Automation

Continued Economic Downturn

Continuing Operational Performance Improvements

Increased Regulatory Enforcement

Unfunded Mandates

Rebuilding the Organizational Balance Sheet

Increased Cost of Capital

Significant Reduction in Employer Provided Insurance

Page 4: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

The Role of the Audit / Compliance Committee

Ensure Appropriate Oversight of Risk

Risk Identification

Sufficient Understanding of Risk

Risk Ranking & Prioritization

Risk Mitigation

Corrective Action Planning

Page 5: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

The Role of the External Auditor

Forming and expressing an opinion about whether the financial statements that have been prepared by management with the oversight of the Audit Committee are presented fairly, in all material respects, in conformity with generally accepted accounting principles

Communicating to the Audit Committee in writing all significant deficiencies and material weaknesses in internal control identified in the audit and reporting to management all deficiencies noted during the audit

Conducting the audit in accordance with professional standards

Complying with the rules and regulations of the Code of Professional Conduct of the American Institute of Certified Public Accountants, and the ethical standards of relevant CPA societies, relevant state boards of accountancy, the SEC (or other regulators), and the PCAOB

Planning and performing the audit with an attitude of professional skepticism

Communicating all required information, including significant matters, to management and the Audit Committee

Page 6: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

The Current Regulatory Environment

Regulatory environment – highest scrutiny ever

Mandatory Compliance Programs in NY State

Organization must certify in writing that an effective compliance program exists

Changes to the Federal Sentencing Guidelines

PPACA contained 32 new fraud and abuse provisions

Enforcement efforts strengthened and coordinated

Page 7: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

New York State OMIG’s Mandatory Compliance Program Requirement

Providers required by law to have mandatory compliance program

Required by law to certify in writing that program is effective

OMIG recommends that executive other than Compliance Officer sign certification

Scope of programs defined broader than typical to include:

- Billing and Payments

- Medical Necessity and Quality of Care

- Governance

- Mandatory Reporting

- Credentialing

- All other risks that are known or should have been known

OMIG will be auditing programs to assess effectiveness

OMIG and NY Commissioner of Health have authority to determine the adequacy of programs

Exclusion from Medicaid is possible if program is deemed ineffective

Page 8: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

Overview of Compliance Program

A compliance officer and compliance committee

Written Standards – Compliance Policies, etc.

Training & Education

Auditing & Monitoring

Lines of Communication for Reporting

Disclosure Program to Report Misconduct

Enforcement of Disciplinary Standards

Risk Assessment


Page 9: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

Fraud & Abuse Provisions associated with Healthcare Reform

• Patient Protection and Affordable Care Act as amended by the Healthcare and Education and Reconciliation Act (Healthcare Reform Law)

– 32 sections related to HC fraud and abuse and program integrity

• Provisions establish fundamental expectations for regulatory compliance, transparency and quality of care

• New enforcement provisions that could greatly increase potential legal exposure

• Overpayments and FCA liability – Section 6402 of the HCRL – identified overpayments must be identified and repaid within 60 Days – retention beyond 60 days constitutes an obligation under the FCA.

– Will require robust auditing and refund processing structures

• RACs – Expanded to Medicare Part D and Medicare Advantage Plans

Page 10: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

Recent Amendments to the Federal Sentencing Guidelines

The Guidelines are the basis used to determine monetary penalties

– Under the Federal Sentencing Guidelines, an effective compliance and ethics program enables the company to qualify for a reduction in its culpability score. Depending on other factors, this often results in a significantly lower penalty to be imposed on the corporation.

– For a company to qualify as having an effective program, the person with operational responsibility for the compliance program must have direct reporting obligations to the board (or a committee of the board)

– The requirement of having “direct reporting obligations” means that the responsible person has express authority to communicate personally to the board or an appropriate committee (a) promptly on any matter involving criminal conduct or potential criminal conduct and (b) no less than annually on the implementation and effectiveness of the compliance and ethics program.

– HC reform directed the Sentencing Commission to increase the federal sentencing guidelines for healthcare fraud offenses by 20-50% for crimes in excess of $1M

Page 11: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

KPMG Healthcare’s Point-of-View

There has never been more scrutiny from federal or state government agencies on healthcare spending in order to identify and mitigate fraud, waste and abuse

There has never been more scrutiny from consumers on how their healthcare dollars are being spent

Attorney General Eric Holder and Health and Human Services Secretary Kathleen Sebelius call on all state attorneys general to create outreach programs this summer to educate seniors on Medicare fraud prevention and protection.

HHS & DOJ Regional Fraud Prevention Summits

All U.S. Attorney offices have been asked to plan regular health care fraud task force meetings to better inform the public

There has never been a more important time for CEOs and Boards of Directors to take steps to ensure they have effective compliance programs in place

Page 12: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

Board Involvement in Compliance

On April 1, 2010 the Health Care Compliance Association (HCCA) released an interview it conducted with New York State Medicaid Inspector General James G. Sheehan. In it Sheehan underscores the importance of health care board members' knowledge of and involvement in the oversight of compliance and ethics programs.

-Inspector General Sheehan warns that, "The members of the board in a non-profit organization have a fiduciary and legal duty to determine that systems and procedures are in place to provide reasonable assurance of compliance with governing law. The exposure for the organization without such systems and procedures can be substantial, including both economic recoveries and exclusion from Medicare and Medicaid - even where the problem was an imprudent acquisition or a failure of oversight rather than intentional conduct."

Page 13: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

Ensuring Support of the Compliance Function

Ensuring Support of the Compliance Function

Overview of Healthcare Fraud & Abuse

Overview of the Compliance Function

The Role of the Audit Committee

Page 14: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

Overview of Healthcare Fraud & Abuse

Key vulnerability regarding Medicare / Medicaid reimbursement and the potential for fraud / waste or abuse in the form of claims that should not have been submitted for reimbursement or do not have the proper documentation to support the claim.

Other types of fraud, waste or abuse can impact the overall integrity of the healthcare entity cost report, which could again impact state or Federal reimbursements

Healthcare vulnerable to non-Medicare / Medicaid fraud or abuse

Theft, embezzlement of cash, procurement fraud

Key anti-fraud control elements that should be in place in healthcare entities are inherent in a well-designed compliance program.

Page 15: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

Specific Examples – Excluded Providers

A Massachusetts-based behavioral health care provider entered into a civil settlement agreement with the Government. The organization caused claims to be submitted to federal health care programs for services performed by two individuals who had been excluded from Medicare and Medicaid. When the Department of Health and Human Services, Office of the Inspector General (HHS-OIG) excludes an individual or entity from federal health care programs, no program payments may be made for items or services furnished by that excluded individual or entity. The organization failed to check the HHS-OIG online exclusion database before hiring the two individuals. The individuals are no longer employed by the organization.

Page 16: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

Specific Examples – False Claims Act – Medically Unnecessary Services

An organization providing physical therapy services has entered into a settlement with the United States and the State of Tennessee to pay over $1.8 million resolving allegations that it improperly billed the Medicare and TennCare/Medicaid programs for physical therapy services in violation of federal and state laws and regulations, U.S. Attorney Russ Dedrick announced today. The organization provides physical therapy services to Medicare and TennCare/Medicaid patients in East Tennessee. The organization violated the federal False Claims Act and the Tennessee Medicaid False Claims Act by submitting claims to the TennCare program for physical therapy that were not reimbursable. Specifically, the governments' claim was that between 2001 and 2006, the organization submitted claims representing that it had provided therapeutic exercise for TennCare patients when medical records indicated that the patients had instead received aquatic therapy, a service subject to reimbursement restrictions. The United States also alleged that the organization submitted claims through the Medicare program for physical therapy services which did not qualify for payment or were not medically necessary.

Page 17: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

Overview of Compliance Program

A compliance officer and compliance committee

Written Standards – Compliance Policies, etc.

Training & Education

Auditing & Monitoring

Lines of Communication for Reporting

Disclosure Program to Report Misconduct

Enforcement of Disciplinary Standards

Risk Assessment

Page 18: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

Compliance Program Effectiveness

Brief Overview of the Seven Element Structure

The Role of the Compliance Officer

The Role of Leadership and the Audit Committee

The Role of Accountable Managers

Program Indicators of Effectiveness by Element

Organizational Indicators of Effectiveness – Tone at the Top

“Evidencing” Effectiveness

The Role of Dashboards

The Role of Metrics

Page 19: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

Evidencing Program Effectiveness

Compliance Program Assessment Process

System & Department Level Gap Analysis to Identify Strengths & Opportunities for Improvement & Actionable Recommendations

• Document Review

• Interviews

• Observations – Culture

• Select Testing

By Key Program Elements:

• Infrastructure

• Written Standards

• Education & Training

• Lines of Communication

• Enforcement of Standards

• Auditing & Monitoring

• Response to Detected Offenses

• Risk Assessment

Providing an Assessment:

• Against Industry Standards

• Against Observed Leading Practices

Identify Key Departmental Outcomes and Metrics That are or Should be Utilized to Evidence Effectiveness

For example, the extent to which:

• HIM has a department specific compliance plan that addresses coding reviews

• Physician arrangements are actively monitored

• Exit interviews effectively identify compliance concerns that are followed up on resulting in improved compliance outcomes

• The Conflict of Interest Process goes beyond the identification of potential issues and provides beneficial guidance to improve compliance outcomes.

• The Cost Reporting Processes Anticipate and Mitigate Compliance Issues (bad debt, credit balances, unrestricted grants, etc.)

Setting the Foundation for Establishing Compliance Program Work Plan Priorities

Allowing for the progression of:

• Department specific compliance program objectives and infrastructure in order to align system goals

• Proactive self-assessment at the department and system level

• A consistent process and format for the identification and mitigation of risks, in order to understand the system risk profile

• Reporting the status of departmental or system monitoring plans

• Reporting the status of departmental or system corrective action plans

• Identification of opportunities to incorporate data analytics into departmental and system monitoring activities

• The development and utilization of compliance dashboards to track, trend and benchmark key compliance indicators

Page 20: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

20

Increasing Awareness by the Audit Team

Maintain Professional Skepticism

- Ask the second and third level questions around controls

Understand Nature of Compliance Program

- Controls around billing and reimbursement

- Controls around fraud and abuse

- Controls related to Hotline policies and procedures

Understand the depth of Departmental Auditing and Monitoring requirements

- Department specific controls to mitigate compliance risks

- Department specific controls to mitigate fraud and abuse

- Department specific training needs and plans

Page 21: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

Typical Management Interviewees

Chief Compliance Officer

Chief Operating Officer

General Counsel

Chair of the Board Audit Committee

Head of Internal Audit

Head of Human Resources

Head of Investigations

Chief Executive Officer

Page 22: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

Questions or Comments?

Page 23: External Audit and the Audit Committee- Audit and Compliance Committee Conference 2011

Presenter Information

James Martell, CPA

Partner, KPMG

345 Park Avenue

New York, NY 10054