An Overview: COSO's Guidance on Monitoring Internal Control Systems

September 2009


COSO Monitoring Guidance

Table of Contents

I. Overview

II. Objectives

III. A Model for Monitoring

IV. Value Proposition

© Grant Thornton LLP. All rights reserved.


I. Overview

• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released Guidance on Monitoring Internal Control Systems in January 2009

• The guidance is designed to help organizations comply with their SOX 404 and other regulatory requirements

• Grant Thornton LLP was selected as the lead in the development of the guidance


II. Objectives

COSO Monitoring Guidance Objectives

• Help organizations improve the effectiveness and efficiency of their internal control systems

• Organizations with effective internal control systems monitor the effectiveness of those systems over time. COSO guidance helps organizations recognize and maximize the use of effective monitoring and to improve monitoring in areas where necessary

• Provide practical guidance that illustrates how monitoring can be incorporated into an organization’s internal control processes

• The guidance specifically shows how organizations can apply the general concepts of monitoring and provides a variety of monitoring examples from real life circumstances


II. Objectives (continued)

Why did COSO highlight Monitoring?

• Many organizations were not utilizing the monitoring component and had implemented inefficient year-end evaluations to support their conclusions

• Business structures and processes have become increasingly complex, leading to redundancies and inefficiencies

• Sarbanes-Oxley’s initial implementation focused more on detailed process-level controls instead of on company-level monitoring controls

• Allows the use of a common language and methodology to identify, measure, prioritize, and manage risk

• Establishes a framework and process to improve the focus and efficiency of governance and link risks to strategy and decision-making

• Allows diverse risks to be evaluated as to the likelihood of occurring and potential magnitude of impact


II. Objectives (continued)

Benefits of a Monitoring Component

• A properly designed and executed monitoring component:

– Evaluates important controls over meaningful risks to the organization’s objectives,

– Identifies and corrects control deficiencies before they materially affect the achievement of the organization’s objectives,

– Often uses information technology to enhance monitoring through the use of control monitoring tools and process management tools,

– Improves the effectiveness and efficiency of internal control operation and the compliance function,

– Provides persuasive information that internal control operated effectively at a point in time or during a particular period,

– Enables the external party to more effectively and efficiently support its own conclusions, and

– Improves the external party’s ability to understand and evaluate internal control.


II. Objectives (continued)

Three legs to the "404-improvement" stool

[Figure labels: COSO's Guidance on Monitoring; SEC's Guidance (for mgmt); PCAOB's AS5 (for auditors); "Separate but consistent"; "Value to companies through improved use of monitoring"; "Value to auditors through ability to focus on good monitoring controls"]


II. Objectives (continued)

Let's look at a simple example of the concept.

Assume:

– a reconciliation control is deemed important to financial reporting

– the supervisor of the area performs an appropriately detailed review of the reconciliation each time it is prepared

• The supervisor's review accomplishes two things:

– Tells him or her whether the control is working

– Encourages continued effective operation of the control


II. Objectives (continued)

How do we often deal with this risk in today's 404 environment?

[Figure: Management's 404 Process and Auditor's 404 Audit Process. Steps shown: 1. Perform Reconciliation; 2. Review Reconciliation; 3. Test the Recon.; 4. Test the Review; 5. Test the Recon.; 6. Test the Review]


II. Objectives (continued)

How might it be done better in a large organization?

[Figure: Management's Monitoring Process and Auditor's 404 Audit Process. Steps shown: 1. Perform Reconciliation; 2. Review Reconciliation; 3. Test the Review; 4a. Possibly Use the Work of Others, or 4b. Test the Review]

Any further testing of the reconciliation will start with lessons learned from testing the reconciliation review


II. Objectives (continued)

How might it be done better in a small organization?

[Figure: Management's Monitoring Process and Auditor's 404 Audit Process. Steps shown: 1. Perform Reconciliation; 2. Review Reconciliation; 3. Test the Review]

If the reconciliation review is performed at the senior-mgmt level, no further evaluation may be necessary

Again, any further testing influenced by results from testing the reconciliation review


II. Objectives (continued)

Issues facing the Healthcare Industry

[Figure: issues surrounding the Healthcare Facility]

• Outsourced Billing functions

• Revenue Capture & Recovery

• Competing Technologies

• Stricter Accreditation Requirements

• Advent of the Electronic Health Record

• Foreign Competition

• Compliance with State and Federal mandates

• Changing Payer Requirements

• Increase in Self pay, Medicaid and Charity Care patients


II. Objectives (continued)

Industry issues causing stress across the Revenue Cycle

Revenue Cycle Risk Level: 1 (Highest) to 5 (Lowest)

1. Clinical documentation

2. Coding

3. Billing and Accounts Receivable

4. Denials Management

5. Scheduling and Registration


II. Objectives (continued)

Highlight of highest risk areas: Clinical Documentation and Coding

Common issues:

• Documentation drives revenue, yet varies year to year

• Clinicians - lack of detail in capturing patient acuity level

• Failure to capture all reimbursable complications results in poor revenue recognition and suffocates cash flow

Monitor & Control example:

• Case managers do reviews with clinicians to ensure proper protocols are followed and documentation requirements are met

• External review of percentage of coding errors

– Audit accuracy of coding and educate based on results


II. Objectives (continued)

Billing and Accounts Receivable (A/R)

Common issues:

• Duplicate Billing

• Billed to wrong insurance

• Failing to submit all required (or accurate) information

• Increase in Days Unbilled and Days in A/R

Monitor & Control examples:

• Develop metrics for billers and audit for compliance (i.e. billing turnaround time, documentation requests, follow up with payer)

• Implement and monitor quarterly or annual training attendance to ensure billers are kept up to date

• Invest in electronic billing software to perform edit checks


II. Objectives (continued)

Denials Management

Common Issues:

• Incorrect posting of denials and zero payments

• "contractual adjustments" versus true denials

• Insufficient review of aggregate denials and lack of follow up with respective departments

• Technical errors

Monitor & Control examples:

• Understand real reason for denials

– Monitor training for Business office personnel on the standard definitions of denial categories and how to apply them

• Create Denials Management workgroup to perform root-cause analysis of all denials

• Develop yearly audit plan to ensure denial mapping codes are applied correctly and new payers are accounted for


II. Objectives (continued)

Importance of Revenue Monitoring

• Revenue cycle serves as an engine and is the pulse of your healthcare entity’s financial health

– Monitoring enables the organization to map the process to meaningful risks and rationalize the testing to meet organizational objectives. This rationalization will help eliminate and/or automate some of the steps to reduce costs and achieve better results

– Gaining efficiencies within the revenue cycle is instrumental towards helping the healthcare organization focus on the entity’s mission and values and achieving long term success


III. A Model for Monitoring


III. A Model for Monitoring (continued)

Establishing a foundation for monitoring

• Tone from the top

• Role of management and the board

• Right people in monitoring roles

• Baseline understanding of internal control effectiveness

Let's focus for a minute on the role of management and the board, and the baseline understanding of internal control effectiveness


[Figure: Effective Monitoring cycle]

• Prioritize Risks: Understand and prioritize risks to organizational objectives

• Identify Controls: Identify key controls across the internal control system that address those prioritized risks

• Identify Information: Identify information that will persuasively indicate whether the internal control system is operating effectively

• Implement Monitoring: Develop and implement cost-effective procedures to evaluate that persuasive information


III. A Model for Monitoring (continued)

1. Risk-based approach

[Figure labels: Identify and Prioritize Risks; Understand the Internal Control System; Identify Key Controls; Identify Persuasive Information; Develop Monitoring; Meaningful Risk; Key Controls; Persuasive Info]


III. A Model for Monitoring (continued)

2. Understand internal controls and identify key controls

• Understand how the internal control system manages meaningful risks

• Identify those controls that are "key"

– Their failure might be material and undetected

– Their operation might catch other weaknesses before they can become material


III. A Model for Monitoring (continued)

Two important questions

• What information should the company evaluate?

– Direct

– Indirect

• What procedures should it employ?

– Ongoing monitoring

– Separate evaluations

Let's start with the difference between direct and indirect information


III. A Model for Monitoring (continued)

3. Identify persuasive information (with a focus here on relevance)

• Two types of relevant information:

– Direct — Clearly substantiates the operation of controls and is most relevant

– Indirect — All other information that relates to the operation of controls and is less relevant than direct information

• Indirect information can help identify when controls fail, but does not provide absolute support that controls operated effectively

[Figure: diagram of Relevant, Reliable, and Timely information. Region labels: Need Timely Info; Need Reliable Info; Need Relevant Info; Relevant, Reliable & Timely]


III. A Model for Monitoring (continued)

Proper balance of direct vs. indirect is risk dependent

[Figure: panels A, B, and C, labelled with Indirect Info and Direct Info]


III. A Model for Monitoring (continued)

Some factors to consider regarding use of direct vs. indirect information

• Risk significance

• Length of time since control was last evaluated through direct information

• Controls that operate in areas with a high degree of change in people, processes or technology versus controls operating in stable areas

• The relative persuasiveness of the indirect information

• The effectiveness of the follow-up process


III. A Model for Monitoring (continued)

4. Implement monitoring procedures

• The auditor's normal audit techniques

– Inquiry

– Observation

– Inspection

– Confirmation

– Recalculation

– Re-performance

– Analytical procedures

Companies can perform all of these, too. The only question is how often and by whom.


III. A Model for Monitoring (continued)

Deciding between ongoing monitoring and separate evaluations

"An entity that perceives a need for frequent separate evaluations should focus on ways to enhance its ongoing monitoring activities and, thereby, to emphasize 'building in' versus 'adding on' controls."

- 1992 COSO Framework, Chapter 6

• Ongoing monitoring

– Often closer to operation of controls

– Offers earliest opportunity to identify weaknesses

• Separate evaluations

– Often more objective

– Can revalidate results of ongoing monitoring


III. A Model for Monitoring (continued)

Putting it all together

Ongoing monitoring

• Direct

– Typically most persuasive

– Especially valuable in high-risk areas

• Indirect

– Can enhance monitoring efficiency

– Provides support to direct info

Separate evaluation

• Direct

– Primarily used to revalidate conclusions reached through ongoing monitoring

• Indirect

– Typically least persuasive

– Can help scope other SE procedures


IV. Value Proposition

• Regardless of an organization’s size, structure or industry, more efficient monitoring…

– proactively identifies risks and enables organizations to improve their control systems to address these risks,

– reduces inefficient year-end testing,

– helps to improve the reliability of financial statements,

– reduces recurring compliance expenses,

– increases the efficiency of your internal audit department, and

– decreases disruption to your business

• …all of which helps organizations save resources and money, thus positively impacting the bottom line.


Questions/comments
