An Overview: COSO's Guidance on Monitoring Internal Control Systems
September 2009
COSO Monitoring Guidance
Table of Contents
I. Overview
II. Objectives
III. A Model for Monitoring
IV. Value Proposition
© Grant Thornton LLP. All rights reserved.
I. Overview
• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released Guidance on Monitoring Internal Control Systems in January 2009
• The guidance is designed to help organizations in compliance with their SOX 404 and other regulatory requirements
• Grant Thornton LLP was selected as the lead in the development of the guidance
II. Objectives
COSO Monitoring Guidance Objectives
• Help organizations improve the effectiveness and efficiency of their internal control systems
• Organizations with effective internal control systems monitor the effectiveness of those systems over time. COSO guidance helps organizations recognize and maximize the use of effective monitoring and to improve monitoring in areas where necessary
• Provide practical guidance that illustrates how monitoring can be incorporated into an organization’s internal control processes
• The guidance specifically shows how organizations can apply the general concepts of monitoring and provides a variety of monitoring examples from real life circumstances
II. Objectives (continued)
Why did COSO highlight Monitoring?
• Many organizations were not utilizing the monitoring component and had implemented inefficient year-end evaluations to support their conclusions
• Business structures and processes have become increasingly complex, leading to redundancies and inefficiencies
• Sarbanes-Oxley’s initial implementation focused more on detailed process-level controls instead of on company-level monitoring controls
• Allows the use of a common language and methodology to identify, measure, prioritize, and manage risk
• Establishes a framework and process to improve the focus and efficiency of governance and link risks to strategy and decision-making
• Allows diverse risks to be evaluated as to the likelihood of occurring and potential magnitude of impact
II. Objectives (continued)
Benefits of a Monitoring Component
• A properly designed and executed monitoring component:
– Evaluates important controls over meaningful risks to the organization’s objectives,
– Identifies and corrects control deficiencies before they materially affect the achievement of the organization’s objectives,
– Often uses information technology to enhance monitoring through the use of control monitoring tools and process management tools,
– Improves the effectiveness and efficiency of internal control operation and the compliance function,
– Provides persuasive information that internal control operated effectively at a point in time or during a particular period,
– Enables the external party to more effectively and efficiently support its own conclusions, and
– Improves the external party’s ability to understand and evaluate internal control.
II. Objectives (continued)
Three legs to the "404-improvement" stool
[Figure: a three-legged stool. The legs are:]
• COSO's Guidance on Monitoring
• SEC's Guidance (for mgmt)
• PCAOB's AS5 (for auditors)
Separate but consistent
• Value to companies through improved use of monitoring
• Value to auditors through ability to focus on good monitoring controls
II. Objectives (continued)
Let's look at a simple example of the concept.
Assume:
– a reconciliation control is deemed important to financial reporting
– the supervisor of the area performs an appropriately detailed review of the reconciliation each time it is prepared
• The supervisor's review accomplishes two things:
– Tells him or her whether the control is working
– Encourages continued effective operation of the control
II. Objectives (continued)
How do we often deal with this risk in today's 404 environment?
[Diagram: Management's 404 Process and Auditor's 404 Audit Process, with these numbered steps:]
1. Perform Reconciliation
2. Review Reconciliation
3. Test the Recon.
4. Test the Review
5. Test the Recon.
6. Test the Review
II. Objectives (continued)
How might it be done better in a large organization?
[Diagram: Management's Monitoring Process and Auditor's 404 Audit Process, with these numbered steps:]
1. Perform Reconciliation
2. Review Reconciliation
3. Test the Review
4a. Possibly Use the Work of Others
or
4b. Test the Review
Any further testing of the reconciliation will start with lessons learned from testing the reconciliation review
II. Objectives (continued)
How might it be done better in a small organization?
[Diagram: Management's Monitoring Process and Auditor's 404 Audit Process, with these numbered steps:]
1. Perform Reconciliation
2. Review Reconciliation
3. Test the Review
If the reconciliation review is performed at the senior-mgmt level, no further evaluation may be necessary
Again, any further testing influenced by results from testing the reconciliation review
II. Objectives (continued)
Issues facing the Healthcare Industry
[Diagram: issues surrounding the Healthcare Facility]
• Outsourced Billing functions
• Revenue Capture & Recovery
• Competing Technologies
• Stricter Accreditation Requirements
• Advent of the Electronic Health Record
• Foreign Competition
• Compliance with State and Federal mandates
• Changing Payer Requirements
• Increase in Self pay, Medicaid and Charity Care patients
II. Objectives (continued)
Industry issues causing stress across the Revenue Cycle
Revenue Cycle Risk Level: 1 (Highest) to 5 (Lowest)
1. Clinical documentation
2. Coding
3. Billing and Accounts Receivable
4. Denials Management
5. Scheduling and Registration
II. Objectives (continued)
Highlight of highest risk areas: Clinical Documentation and Coding
Common issues:
• Documentation drives revenue, yet varies year to year
• Clinicians - lack of detail in capturing patient acuity level
• Failure to capture all reimbursable complications results in poor revenue recognition and suffocates cash flow
Monitor & Control example:
• Case managers do reviews with clinicians to ensure proper protocols are followed and documentation requirements are met
• External review of percentage of coding errors
– Audit accuracy of coding and educate based on results
II. Objectives (continued)
Billing and Accounts Receivable (A/R)
Common issues:
• Duplicate Billing
• Billed to wrong insurance
• Failing to submit all required (or accurate) information
• Increase in Days Unbilled and Days in A/R
Monitor & Control examples:
• Develop metrics for billers and audit for compliance (i.e. billing turnaround time, documentation requests, follow up with payer)
• Implement and monitor quarterly or annual training attendance to ensure billers are kept up to date
• Invest in electronic billing software to perform edit checks
II. Objectives (continued)
Denials Management
Common Issues:
• Incorrect posting of denials and zero payments
– "contractual adjustments" versus true denials
• Insufficient review of aggregate denials and lack of follow up with respective departments
• Technical errors
Monitor & Control examples:
• Understand real reason for denials
– Monitor training for Business office personnel on the standard definitions of denial categories and how to apply them
• Create Denials Management workgroup to perform root-cause analysis of all denials
• Develop yearly audit plan to ensure denial mapping codes are applied correctly and new payers are accounted for
II. Objectives (continued)
Importance of Revenue Monitoring
• Revenue cycle serves as an engine and is the pulse of your healthcare entity’s financial health
– Monitoring enables the organization to map the process to meaningful risks and rationalize the testing to meet organizational objectives. This rationalization will help eliminate and/or automate some of the steps to reduce costs and achieve better results
– Gaining efficiencies within the revenue cycle is instrumental towards helping the healthcare organization focus on the entity’s mission and values and achieving long term success
III. A Model for Monitoring
III. A Model for Monitoring (continued)
Establishing a foundation for monitoring
• Tone from the top
• Role of management and the board
• Right people in monitoring roles
• Baseline understanding of internal control effectiveness
Let's focus for a minute on the role of management and the board, and the baseline understanding of internal control effectiveness
[Diagram: the Effective Monitoring cycle]
• Prioritize Risks: Understand and prioritize risks to organizational objectives
• Identify Controls: Identify key controls across the internal control system that address those prioritized risks
• Identify Information: Identify information that will persuasively indicate whether the internal control system is operating effectively
• Implement Monitoring: Develop and implement cost-effective procedures to evaluate that persuasive information
III. A Model for Monitoring (continued)
1. Risk-based approach
[Diagram: steps of the risk-based approach, with the labels Meaningful Risk, Key Controls and Persuasive Info]
• Identify and Prioritize Risks
• Understand the Internal Control System
• Identify Key Controls
• Identify Persuasive Information
• Develop Monitoring
III. A Model for Monitoring (continued)
2. Understand internal controls and identify key controls
• Understand how the internal control system manages meaningful risks
• Identify those controls that are "key"
– Their failure might be material and undetected
– Their operation might catch other weaknesses before they can become material
III. A Model for Monitoring (continued)
Two important questions
• What information should the company evaluate?
– Direct
– Indirect
• What procedures should it employ?
– Ongoing monitoring
– Separate evaluations
Let's start with the difference between direct and indirect information
III. A Model for Monitoring (continued)
3. Identify persuasive information (with a focus here on relevance)
• Two types of relevant information:
– Direct — Clearly substantiates the operation of controls and is most relevant
– Indirect — All other information that relates to the operation of controls and is less relevant than direct information
• Indirect information can help identify when controls fail, but does not provide absolute support that controls operated effectively
[Diagram: Relevant, Reliable & Timely, with the labels Need Relevant Info, Need Reliable Info and Need Timely Info]
III. A Model for Monitoring (continued)
Proper balance of direct vs. indirect is risk dependent
[Figure: panels A, B and C, each showing a different balance of Direct Info and Indirect Info]
III. A Model for Monitoring (continued)
Some factors to consider regarding use of direct vs. indirect information
• Risk significance
• Length of time since control was last evaluated through direct information
• Controls that operate in areas with a high degree of change in people, processes or technology versus controls operating in stable areas
• The relative persuasiveness of the indirect information
• The effectiveness of the follow-up process
III. A Model for Monitoring (continued)
4. Implement monitoring procedures
• The auditor's normal audit techniques
– Inquiry
– Observation
– Inspection
– Confirmation
– Recalculation
– Re-performance
– Analytical procedures
Companies can perform all of these, too. The only question is how often and by whom.
III. A Model for Monitoring (continued)
Deciding between ongoing monitoring and separate evaluations
"An entity that perceives a need for frequent separate evaluations should focus on ways to enhance its ongoing monitoring activities and, thereby, to emphasize 'building in' versus 'adding on' controls."
- 1992 COSO Framework, Chapter 6
• Ongoing monitoring
– Often closer to operation of controls
– Offers earliest opportunity to identify weaknesses
• Separate evaluations
– Often more objective
– Can revalidate results of ongoing monitoring
III. A Model for Monitoring (continued)
Putting it all together
Ongoing monitoring, Direct:
• Typically most persuasive
• Especially valuable in high-risk areas
Ongoing monitoring, Indirect:
• Can enhance monitoring efficiency
• Provides support to direct info
Separate evaluation, Direct:
• Primarily used to revalidate conclusions reached through ongoing monitoring
Separate evaluation, Indirect:
• Typically least persuasive
• Can help scope other SE procedures
IV. Value Proposition
• Regardless of an organization’s size, structure or industry, more efficient monitoring…
– proactively identifies risks and enables organizations to improve their control systems to address these risks,
– reduces inefficient year-end testing,
– helps to improve the reliability of financial statements,
– reduces recurring compliance expenses,
– increases the efficiency of your internal audit department, and
– decreases disruption to your business
• …all of which helps organizations save resources and money, thus positively impacting the bottom line.
Questions/comments