LEADERSHIP PERSPECTIVES
FROM THE
CHIEF AUDIT EXECUTIVE
AHIA 33rd Annual Conference – September 21-24, 2014 – Austin, Texas
www.ahia.org
PANEL MEMBERS: MICHAEL SOMICH, DUKE UNIVERSITY
SHEILA LIMMROTH, DCH HEALTH SYSTEM
DEBORAH RADKE, JOHNS HOPKINS INSTITUTIONS
MICHAEL FABRIZIUS, CAROLINAS HEALTHCARE SYSTEM
Michael Fabrizius
VP Audit Services
Carolinas Healthcare System
10 Beliefs About the Future of Internal Auditing
Carolinas HealthCare System (CHS)
Second largest public healthcare system in the nation
Largest healthcare system in the Southeast
40 hospitals, 11 nursing homes and over 900 outpatient
service locations
Over 2,300 employed physicians and nearly 400
residents delivering care in over 500 sites
Net operating revenue: $8 billion
AA-rated since 1983
Breadth of CHS
Summary of System
• 60,000 employees
• >900 care locations
• Nearly 7,500 licensed beds
• 11 long-term care facilities
• 12 home health agencies
• 9 hospice providers
• 8 freestanding EDs
• One of 5 academic medical centers
in the state of North Carolina
Key Statistics
• 10.5 million patient encounters
• Over 6.2 million physician visits
• 281,393 inpatient discharges
• 573,323 adjusted discharges
• 1,079,393 ED visits
Rehabilitation Hospitals
LiveWELL Carolinas
Primary Care Practices
Health Clinics
Urgent Care Centers
Hospitals
Behavioral Health
Nursing Homes
Home Health
Continuum of Care
Emergency Care Centers
Ambulatory Surgery Centers
Hospice & Palliative Care
Specialty Care Practices
CHS Audit Services Overview
30 FTEs
32 professional certifications
15 advanced degrees
4.8 years tenure with CHS
• 6.8 for management
• 4.2 for staff
Conducting operational, financial, technology and
compliance audits
Why?
“I look to the future because that is
where I am going to spend the rest
of my life.”
George Burns, American comedian, award-winning actor
and best-selling writer (1896-1996)
10 Beliefs About The Future Of
Healthcare Internal Auditing
1. Greater value will be expected by our stakeholders
2. Our mission, value proposition and vision must be defined and communicated.
3. Audit work will need to be aligned with expectations and needs.
4. New and innovative services and approaches will be required.
5. Opportunities will grow faster than resources.
6. Talent and expertise requirements will be redefined.
7. Skillful use of data will become routine.
8. Audit customer relationships must be actively cultivated.
9. The service delivery model will be very responsive.
10. Integration with other risk management activities will be expected.
Perception Risks That IA Faces:
Don’t understand the business
Not aligned with organizational strategies
Focused on the irrelevant and unimportant
Incapable of identifying useful solutions
Poor communicators
Inflexible framework of service delivery
Viewed as “corporate overhead” and “necessary evil”
1. Greater Value Will Be Expected By Our
Stakeholders
PwC survey results:
“More than half (55%) of senior management…(does)
not believe internal audit adds significant value to their
organization.”
“Nearly 30% of board members believe internal audit
adds less than significant value.”
Just 65% of CAEs believe that their function is
performing well.
Source: “2014 State of the Internal Audit Profession Study – Higher
performance by design: A blueprint for change”, PwC
1. Greater Value Will Be Expected By Our
Stakeholders
IA Performance Gap?
Variations based on stakeholders’ expectations of:
Focus:
o Assurance and value protection
o Business risk insights and risk mitigation
o Strategic focus and value creation
Identity:
o Cop
o Detective
o Consultant and advisor
1. Greater Value Will Be Expected By Our
Stakeholders – Responding
Deliver cost-effective services
Promote quality improvement and innovation
Help facilitate solutions
Drive for “higher demand” by increasing customer satisfaction and demonstrating value
Plan for more value-enhancing work that identifies:
o Revenue enhancements
o Cost savings or reductions
Identify issues management may not be aware of
Anything that helps management be successful!
2. Our Mission, Value Proposition And Vision
Must Be Defined And Communicated
Need to provide a coherent description of IA Mission based on IIA IPPF
Value proposition to explain how IA solves stakeholders’ problems or improves their situation
Vision to declare goals for midterm or long term future
Possibilities range from:
Reporter of conditions to Proactive role in root cause and solutions
Control assurance to Value added services
Providing assurance services to Trusted advisor/consultant
Very independent (“stand-offish”) to Very engaged
Does your mission, value proposition and vision reconcile to stakeholder expectations?
3. Audit Work Will Need To Be Aligned With
Expectations And Needs
Developing the annual plan
Dialogue and interviews
Consider key strategies – system implementation, etc.
Other inputs - strategic plan, ERM, other risk management
Coordination with business units for audits
Define expectations
Share scoping of audits
Obtaining (and providing) regular feedback
4. New And Innovative Services And
Approaches Will Be Required
Our new world of healthcare:
The ability to cut costs is being eclipsed by revenue pressures.
The hospital of the future is not a hospital.
Expect significant declines in bed days per thousand
Covered lives will become the most commonly used measure of market share.
Lower-cost sites of care are being developed and integrated.
Fixed payments are replacing fee-for-service.
Providers are adding health plans.
Money-losing services are being consolidated or eliminated.
4. New And Innovative Services And
Approaches Will Be Required
Increase focus to help the “bottom-line”
Be prepared for rapid expansion in non-traditional
growth areas
Keep your idea pipeline filled
R&D new audit areas, with new techniques
Headlines need to be addressed
Look for outside sources
5. Opportunities Will Grow Faster Than
Resources
While RIFs in IA are less frequent than in other functions, they can happen
When hiring freezes and non-staff budget reductions happen:
Increase use of technology
Simplify, streamline and standardize IA processes
Use a more risk-based approach
Remove audits with lower significance from the Plan; focus resources on more significant areas
Regular benchmarking is important
6. Talent And Expertise Requirements Will Be
Redefined
Matching the staffing model with requirements
implied by risks and stakeholder expectations
Importance of recruiting, hiring and retention
processes
Skills need to continually improve
Knowledge transfer and retention
6. Talent And Expertise Requirements Will Be
Redefined
Managing the Team:
What you can’t control:
Salaries and benefits, FTE count
Office location and amenities
Overall organizational culture
What you can control:
Department culture, and your leadership style and effectiveness
Mix of core staff and SMEs
Leveraging external resources
Continual learning and development
Staff performance feedback
7. Skillful Use Of Data Will Become Routine
Technology as an efficiency and effectiveness enabler
Efficient analysis on a greater scale
Repeatable and sustainable
Earlier detection of fraud, errors and non-compliance
Increased coverage
IA needs to:
Obtain tools
Develop skills and knowledge
Leverage organization’s significant systems and data repositories
8. Audit Customer Relationships Must Be
Actively Cultivated
Moving from satisfaction to loyalty
Internal auditors need more than technical knowledge and skills
Hiring
Training
Applying the guiding principles of your “patient experience” program
Enduring relationships built on reliability and trust
Teammate experience will be consistent with external customer experience
Necessary behaviors require standardization, discipline, technique and practice
9. The Service Delivery Model Will Be Very
Responsive
Innovative thinking to remake internal audit to better meet the needs of the business
IA’s processes, structure, organization and governance must change to keep up with the business.
Re-engineer for cost, quality, speed and service
Define your customer service standards
Communicating
Demonstrating professionalism
Supporting management
Establishing and meeting commitments
10. Integration With Other Risk
Management Activities Will Be Expected
Facilitate collaboration across various compliance groups
Understand how IA is aligned with coverage by compliance groups
Coordinate:
Annual plan development
Areas of primary responsibilities and ongoing activities
Evaluating issues
Handoffs
Audit the effectiveness of other risk management activities
Discussion
Thoughts on the “Ten Beliefs”
True or False?
If True,
Where do we currently have gaps?
What preparation and plans are needed?
What barriers and hurdles exist?
Q&A
IA Department of the Future
A model internal audit organization is one
that is interested in providing value, has
customer focus, utilizes new approaches, is
interested in improving its productivity and
that of its company, conducts audits in
emerging areas, works in new and
innovative ways, and utilizes technology.
– The Institute of Internal Auditors
Michael Somich
Executive Director of Internal Audits
Duke University
ERM and Internal Audit
Duke University and
Duke University Health System
Revenue
Duke University – $2.2 billion
Duke University Health System – $2.4 billion
Government sponsored research – $580 Million – 80% School of Medicine
6,500 Undergraduate Students; 8,100 Graduate Students
35,500 Employees: 8,300 Campus; 27,200 Duke Medicine
Investments - $9.7 billion
Does business in more than 125 countries
School of Medicine in Singapore; campus in China opens Fall 2014
ERM and Internal Audit
Minimum best practice – Audit Committee Charter
Risk management process is the responsibility of the Audit Committee
Define what that means
Annual review of the process
Annual review of the results of the process
Presentation of strategic risks by owners
Receive report on the performance of the other steps of the process
ERM and Internal Audit
Role of Internal Audit – One extreme
Evaluator of the adequacy of the process
If formal, evaluate
The process for gaps
The effectiveness of the process
Whether the process was followed
If informal
Identify gaps
Make recommendations to formalize and improve
ERM and Internal Audit
Role of Internal Audit – The other extreme
CAE is designer and facilitator of the process
Multi-year process
Identify owners of risk versus managers of risk
Develop strategic risk heat map
Qualitative or quantitative
How many risks?
ERM and Internal Audit
Role of Internal Audit – The other extreme (cont’d)
Operating risks
Category definition
Inventory method
Reporting of risks up
What is reported
To whom
Next steps
Mitigation strategy gap analysis
Recommend changes in strategy
Financial risks – same as operating risks
Compliance risks
How is this integrated with the risk management process?
Is the compliance program broad enough to include all compliance risks, not just billing?
ERM and Internal Audit
Role of Internal Audit
Could be anywhere on the continuum between
the two extremes
Facilitator and consultant
Never an owner of the risk
Never an owner of the process
Sheila Limmroth
Corporate Director of Internal Audit & Compliance
DCH Health System
Internal Audit Relationship with Compliance
Auditing Compliance Effectiveness
DCH Health System
3 Hospitals:
DCH Regional Medical Center (583-beds)
Northport Medical Center (204-beds)
Fayette Medical Center (61-bed rural
hospital with a 122-bed nursing home
on site)
Public, not-for-profit health system
90 years of service to West Alabama
DCH Regional Medical Center and
Northport Medical Center are
classified as a “sole community
hospital.”
First hospital in Alabama to offer a
bloodless medicine & surgery service
Academic Medical Center
affiliated with The University of
Alabama
Inpatient Rehabilitation Facility
Inpatient Psychiatric Facility
Home Health
Durable Medical Equipment
Cancer Center (certified member
of MD Anderson Cancer Network)
Net operating Revenue:
$16,549,957
Employees: 4,500
DCH Health System
Internal Audit & Compliance Department
6 FTEs
3 professional certifications
Co-source compliance audits with a specialized vendor
Outsource IT audits
Conduct operational, financial, and compliance audits
Responsible for internal audit, compliance, and HIPAA privacy
Combined years of service for 6 FTEs: 53 years in the department
Know Your Compliance Department
Staff size and experience
Highlights strengths and weaknesses
Reporting Structure
Best Practice is functionally to the Board and
administratively to the CEO
Compliance Committees
Policies and procedures
Does Compliance have a Charter?
Does Compliance have the same level of authority as Internal
Audit?
Recognize Your Similarities
Responsible for governance, including Board
reporting
Serve on multiple inter-disciplinary teams
Access across the facility to records, policies,
and employees
Drivers of change across disciplines
Recognize Your Similarities
Ability to hire external resources when necessary
Add value to the organization through cost-savings
Internal controls are part of processes
Assess risks across the organization
Preparation of an audit plan
Front-end input relative to IT system
implementations
Recognize Your Differences
Internal Audit is independent. Compliance will assist with operations.
Policies and processes
Hotline
Internal Audit performs formal and objective audits. Compliance coordinates monitoring within departments.
Internal Audit examines risk from a broad perspective. Compliance is focused on a regulatory perspective.
Joint Commission
OIG Work Plan
HIPAA/HITECH Act
Stark and Anti-Kickback
Recognize Your Differences
Internal Audit may train a segment of the employee population based on an audit finding. Compliance is involved in training all employees.
HIPAA Privacy Training
Compliance Awareness Training
Internal Audit’s annual audit plan is based on risk assessment/tolerance for the universe. Compliance’s annual audit plan is based upon regulatory requirements, risks, and OIG Work Plan.
Make Similarities Work for You
Use your similarities and collaborate
Risk assessment process
Audit plan development
Special projects, audits, investigations
Use of technology
Use of vendors
OIG’s 7 Elements And Compliance
Effectiveness
Use the Office of Inspector General’s (OIG)
compliance program guidance to assess the
compliance function.
Identify areas for improvement regarding the
compliance program practices.
Core Elements of an Effective
Compliance Program
Written Policies and Procedures
Includes Standards of Conduct
Linked to laws and regulations
Tone at the top
Policies written to reduce criminal conduct
Core Elements of an Effective
Compliance Program
Oversight (Designating a Compliance Officer)
CCO’s relationship with Senior Leadership and the Board
Agendas that suggest Compliance Committee meets regularly
Tracking methodologies for monitoring
Core Elements of an Effective
Compliance Program
Education and Training
Compliance on-boarding process for new employees
Documented education for the compliance department
Ongoing training as part of staff competencies
Sanctions for employees who do not complete training
Departments aware of OIG risks for their areas of responsibility through compliance education
Core Elements of an Effective
Compliance Program
Monitoring and Auditing
Board-approved Audit Plan exists
Benchmarks for monitoring activities in high-risk areas/scorecard maintained
Audit reports with recommendations and follow-up
Access to external resources/budget
Core Elements of an Effective
Compliance Program
Reporting and Investigation
Publicized anonymous hotline
Documentation to indicate disposition of hotline calls
Policy on handling hotline calls
Documentation of investigations
Hotline calls and investigations reported to Board
Core Elements of an Effective
Compliance Program
Enforcement and Discipline
Human Resources maintain policies to support Compliance function
Misconduct promptly communicated to Senior Leadership and Board
Sanctions applied consistently
Core Elements of an Effective
Compliance Program
Response and Prevention
Investigation methodology documented
Policies related to prevention developed
Policies conveyed to personnel
Voluntary Disclosure/refunds documented
Compliance Facts
OIG at a Glance: FY2012
Expected recoveries:
$6.9 billion in total investigative and audit receivables
were reported.
Program Exclusions:
3,131 individuals and organizations were excluded
from participation in Federal health care programs.
Questions
Are you aligned with your Compliance
Department?
Do you know the compliance risks within your
facility?
Are you auditing the compliance function?
Deborah Radke
Director, Healthcare and Operational Audits
Johns Hopkins Institutions
Quality Assurance Reviews
Johns Hopkins Institutions
Hospital, 2 Academic (Baltimore, MD) & 4 Community
(1 D.C., 1 FL, 2 MD) with ~2700 beds (1600 & 1100,
respectively)
School of Medicine Physicians, 2450+ full-time &
1290+ part-time faculty
4 suburban healthcare and surgery centers
Johns Hopkins Community Physicians, 38 primary and
specialty care practices
Johns Hopkins Home Care Group, full-service provider
Home Care, DME, Infusion Therapy, Outpatient
Pharmacies
Johns Hopkins HealthCare, managed care plans
covering 320,000 people in three unique populations
Johns Hopkins Medicine International, hospital
management, healthcare consulting, clinical
education through strategic alliances and affiliations
in North America, Latin America, Europe, the Middle
East
Revenue - $6.5 Billion Employees – 41,000
Based in Baltimore, MD with facilities and education
programs elsewhere in MD, D.C., and in certain
foreign locations
Nearly 20,000 full-time and part-time students
enrolled throughout nine academic divisions
1st among U.S. universities in receipt of federal
research and development funds with $2.8 Billion
Revenue - $4.8 Billion (School of Medicine clinical
services $.5 Billion)
Employees – 20,000 (School of Medicine ~9500)
Office of Hopkins Internal Audits
Coverage
Johns Hopkins Health System
Johns Hopkins University
Focus
Operational
Information Technology
Enterprise Risk Management
32 FTEs
26 Operational Auditors
5 IT Auditors
1 Investigator
Coverage and Focus Resources
Conformance with the IIA International Standards for Professional Practice of Internal Auditing
1000. Purpose, Authority, and Responsibility
1100. Independence and Objectivity
1200. Proficiency and Due Professional Care
1300. Quality Assurance and Improvement Program
2000. Managing the Internal Audit Activity
2100. Nature of Work
2200. Engagement Planning
2300. Performing the Engagement
2400. Communicating Results
2500. Monitoring Progress
2600. Resolution of Sr. Management's Acceptance of Risks
IIA Code of Ethics
Assess effectiveness in providing assurance/consulting services and the potential for adding value to the
organization’s board of directors, senior executives and other interested parties
Opinion on compliance
Generally Conforms
Partially Conforms
Does Not Conform
Opportunities for improvement in performance and of services
The IIA Standards require an external review of the internal audit activity
by a qualified independent reviewer every five years
ASSESSMENT
Quality Assurance Reviews
OUTCOME
QAR Opinion on Compliance
Generally Conforms
• Internal audit function has a charter, policies, and processes that are in accordance with the Standards/Code of Ethics, with some opportunities for improvement.
Partially Conforms
• Making good-faith effort to comply, but have significant opportunities for improvement; however, these deficiencies did not preclude the internal audit function from performing its responsibilities in an acceptable manner
• Some deficiencies may be beyond the control of IA function and may result in recommendations to organizational senior management or the board
Does Not Conform
• Not making a “good faith” effort to comply with, or is failing to achieve many/all of the objectives of the Standards/Code of Ethics; deficiencies are so significant as to seriously impair or preclude the internal audit function from performing adequately in all or in significant areas of its responsibilities
• Significant opportunities for improvement, including actions by organizational senior management or the board
Quality Assurance Reviews
HELPS DETERMINE IF INTERNAL AUDIT
Performs an effective role in the organization's overall control environment
Focuses the right people on the right issues
Is appropriately risk oriented
Uses technology effectively
Provides value-added results
Adheres to appropriate internal audit standards and industry practices
STRATEGIC ASSESSMENT EVALUATING
Infrastructure
Staff experience
Performance relative to business goals and applicable standards
Efficiency, productivity, and impact of internal audit on the organization
Leveraging leading internal audit "best practices"
Quality Assurance Reviews
Examine work methods, policies and procedures, and a representative sample of work papers to determine level of compliance with IIA Standards
Internal audit charter
Risk assessment methodology
Annual audit plans
Departmental policies and procedures
Staff training plans and qualifications
Reports to the Trustees/Audit Committee
SELF-ASSESSMENT, by Internal Audit Function
Quality Assurance Reviews
EXTERNAL ASSESSMENT, by Independent Team of Experts
GOVERNANCE
Purpose and Mandate
PEOPLE
Resourcing
Competency Development
Sustaining People Excellence
INFRASTRUCTURE AND OPERATIONS
Methodology
Tools and Technology
Knowledge Management
Operations
Quality
Quality Assurance Reviews
Overall approach can be flexible and customized to meet specific concerns
Validation of internal audit self-assessment for completeness
Review compliance with IIA standards
Appropriateness of key internal audit documentation
Customer satisfaction survey and/or interview key stakeholders
Audit Committee Members, Senior Management, IA Personnel, External Auditors
Compare activities to “best practices”
Identify opportunities for enhancing efficiency and effectiveness
Provide better value to organization
Increase perception of internal audit within the organization
EXTERNAL ASSESSMENT, by Independent Team of Experts
Quality Assurance Reviews
BASIC
Only limited activities
exist for
performance factor
EVOLVING
Some parts of
performance factor exist,
application is inconsistent
and requires further
development
ESTABLISHED
Performance factor is
defined in more detail
and consistently applied
ADVANCED
Performance factor is
defined in great detail
and consistently applied
– effective and efficient
performance representing
leading practices
EXTERNAL ASSESSMENT, by Independent Team of Experts
GOVERNANCE Purpose and Mandate
PEOPLE Resourcing
Competency Development
Sustaining People Excellence
INFRASTRUCTURE AND OPERATIONS Methodology
Tools and Technology
Knowledge Management
Operations
Quality