Fiscal Year 2018 Annual Internal Audit Report - hhs.texas.gov · The Fiscal Year 2018 Annual Internal Audit Report for the Texas Health and Human Services (HHS) Internal Audit is

Fiscal Year 2018

Annual Internal Audit Report October 2018

MISSION

Internal Audit provides independent and objective assurance and consulting services designed to protect and enhance Health and Human Services (HHS)

programs and operations through a systematic, disciplined approach to evaluating

the effectiveness of risk management, internal control, and governance processes. We strive to provide insightful, proactive, timely, and innovative advice and

recommendations to help HHS improve the health and safety of Texans.

2018 Team Members (as of 8/31/2018)

Frederick Appiah Tressie Landry, CIA Susie Belseth, CGAP Demetrio Leyva, CIA, CFE

Jean-Jacques Bouillet, CFE Edward Maldonado, CIA, CGAP

Sarah Cason, CIA, CISA Stanton Martin Christopher Chan, CISA Nick Martinez, CGAP

Ariel DeLotte Danielle McClinton Michelle Esquivel, CPA Andrea Morales, CIA, CFE

Armando Fierro Mickey Organ, CIA Diana Gonzalez Josh Pannell, CIA, CGAP Amanda Harris Stephen Randall, CISA

Selena Hiett Bobak Reihani John Isle, CIA, CRMA, CFE Chanda Riddick, CIA

Cameosha Jones, CGAP Erin Sanchez, CIA Nicole Kludt, CIA, CGAP, CFE Faiyaz Suleman

Will Koenig, CIA, CGAP, CRMA, CFE John Waukechon

Haylie Kwon, CPA, CIA

Management Team

Nicole Guerrero, CIA, CGAP, Chief Deputy Internal Audit Director

Teresa Menchaca, CIA, CISA, Deputy Internal Audit Director

Audit Managers

Sonya Etheridge, CPA, CIA, CISA, CFE

Jose Garcia, CPA, CIA

Rachelle Wood, CIA, CISA

Internal Audit Director

Karin Hill, CIA, CGAP, CRMA

Annual Internal Audit Report

HHS Internal Audit i

Introduction The Fiscal Year 2018 Annual Internal Audit Report for the Texas Health and Human

Services (HHS) Internal Audit is provided in accordance with the Texas Internal Auditing Act requirements for internal auditors to prepare and distribute an annual report of activities and complies with the guidelines set forth by the State Auditor’s

Office.

HHS Internal Audit completed audit work and provided management with information and analyses to assist in initiating improvements to operations and to strengthen internal controls. In addition to audit work, Internal Audit provided

advice and assistance on governance, risk management, and controls, and management actively engages HHS Internal Audit as they continue to work toward

more effective and efficient processes in the agency.

https://statutes.capitol.texas.gov/Docs/GV/pdf/GV.2102.pdf

https://statutes.capitol.texas.gov/Docs/GV/pdf/GV.2102.pdf

HHS Annual Internal Audit Report

HHS Internal Audit i

Table of Contents

Section I

Compliance with Texas Government Code, Section 2102.015: Posting the Internal

Audit Plan, Internal Audit Annual Report, and Other Audit Information on Internet Web Site .................................................................................................... 1

Section II

Internal Audit Plan for Fiscal Year 2018 .......................................................... 2

Explanation of Deviations from 2018 Internal Audit Plan .................................. 3

Section III

Consulting Services Completed ..................................................................... 4

Section IV

External Quality Assurance Review ................................................................ 6

Section V

Internal Audit Plan for Fiscal Year 2019 .......................................................... 7

Risk Assessment Methodology .................................................................... 10

Section VI

External Audit Services Procured in Fiscal Year 2018 ..................................... 12

Section VII

Reporting Suspected Fraud and Abuse ......................................................... 13


HHS Internal Audit 1

Section I

Compliance with Texas Government Code, Section 2102.015:

Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on Internet Web Site

Texas Health and Human Services posts the approved audit plan (as well as

subsequent amendments) and the Annual Audit Report to the Reports and Presentations page of the HHS public home page within 30 days of approval as

required by statute.



Section II

Internal Audit Plan for Fiscal Year 2018

Report Number Audit/Project Name Report Date

17-02-026 Claims Administrator Contract Oversight 10/24/2017

17-02-010 Vendor Drug Program 11/7/2017

17-02-013 Contract Monitoring of Local Mental Health Authorities

10/25/2017

17-02-030 Reporting Process for Reports Containing TIERS

Data (renamed TIERS Accuracy)

12/18/2017

17-01-029 HHS System Business Continuity and Disaster Recovery

1/3/2018

17-02-018 Foster Grandparent Program 1/22/2018

18-01-006 Privacy Program 6/28/2018

18-01-015 Accounts Payable Processes 4/20/2018

18-01-014 Allegations of Mistreatment of Minors 8/20/2018

18-01-018 Early Childhood Intervention 6/5/2018

18-01-008 Human Resources Hiring Processes 4/25/2018

18-01-007 HHS System Software Licenses 2/22/2018

18-01-016 Contract Audit – TMHP Contract In Progress Est. Completion

October 2018

18-01-019 Payments to Rural Hospitals In Progress Est. Completion

October 2018

18-01-017 Petty Cash 5/21/2018

18-02-009 Department of State Health Services: Vital Statistics Section: Billings and Collections

4/20/2018

18-02-009 Department of State Health Services: Vital

Statistics Section: Printing Plates

3/9/2018

18-01-021 MSS – Financial Audit Contracts In Progress -Est. Completion

October 2018



Report Number Audit/Project Name Report Date

18-01-025 Trust Funds In Progress - Est. Completion

September 2018

18-01-020 General and Application Controls for Selected

Maximus Applications

In Progress - Est.

Completion October 2018

18-02-022 Department of State Health Services: Texas

Center for Infectious Disease

In Progress - Est.

Completion October 2018

18-01-023 HHS PCS Procurement Processes 7/5/2018

18-02-026 Department of State Health Services: Oral

Health Surveillance Program

In Progress - Est.

Completion December 2018

18-03-001 Quarterly Verifications

First Quarter Second Quarter Third Quarter

Fourth Quarter

December 2017 March 2018 July 2018

September 2018

System Access Controls – Terminated Employees

Will be included in Fiscal Year 2019

Audit Plan

Contract Audit (Contract to be selected at a later time)

Will be included in Fiscal Year 2019

Audit Plan

Explanation of Deviations from 2018 Internal Audit Plan As noted below in Section V. Internal Audit Plan for Fiscal Year 2019, the HHS Internal Audit risk assessment process is a perpetual process. As a result, the audit

plan may change quarterly due to more frequent identification of, and response to, shifts in risk.



Section III

Consulting Services Completed

Internal Audit staff presented on the audit process, risk assessment, and control frameworks at staff meetings and leadership academies as requested by

management. In addition, the HHS Internal Audit completed the following consulting services during fiscal year 2018:

Report Number Project Name Completion Date

18-04-010 HHS Information Technology Governance December 20, 2017

18-04-012 APS Provider Investigations January 10, 2018

18-04-011 Learning Resource Network February 2, 2018

18-00-000

Management Assistance

DSHS Labor Account Codes Enterprise Information Security

Standards and Guidelines (ISSG) Revision Work Group

January 10, 2018 February 1, 2018

HHS Information Technology Governance

Internal Audit staff attended committee meetings and participate in discussions as

non-voting members to provide objective information, references or sources of laws, rules, regulations or best practices that have bearing on the refresh of IT

Governance. A report was not issued for this project.

DSHS Labor Account Codes

The DSHS Finance Division requested an independent review of a SharePoint option to document the supervisors’ review of employees’ task profiles prior to approving timesheets and task profiles. The SharePoint option was viable with a modification

to the initial email communication to supervisors to prevent the supervisor from approving timesheets and task profiles of assigned employees without reviewing

the detailed task profiles.

Learning Resource Network

This consulting engagement was requested by the Deputy Executive Commissioner of System Support Services. HHS Internal Audit collaborated with University of Texas students to identify opportunities for the Learning Resource Network (LRN) to

increase its visibility to other employees within the Health and Human Services (HHS) and document and evaluate processes used by the LRN to prioritize the

training that is offered. During the evaluation of the LRN’s visibility of the LRN and processes, the team identified strengths and potential areas for improvement.



Adult Protective Services Provider Investigation

This consulting engagement was requested by Health and Human Services Commission (HHSC) Deputy Executive Commissioner for Regulatory Services. HHS Internal Audit collaborated with University of Texas students to develop flowcharts

of processes currently in place for conducting provider investigations. This included comparing processes to policy; identifying similarities and differences between

processes; and identifying controls and possible bottlenecks.

Enterprise Information Security Standards and Guidelines (ISSG) Revision Work Group

HHS Internal Audit attended work group meetings as non-voting members and provided advice and guidance as appropriate. A report was not issued for this

project.



Section IV

External Quality Assurance Review The HHS Internal Audit External Quality Assurance Review was completed in August 2016, by David MacCabe, LLC, a state contracted vendor. The opinion that was

reported was as follows:

Based on the information received and evaluated during this external

QAR, it is the opinion of the reviewer that the internal audit activity at the Texas Health and Human Services Commission generally conforms to the IIA Standards, the Government Auditing Standards,

and the Texas Internal Auditing Act. This opinion, representing the best possible evaluation, means that policies, procedures, and an

internal audit charter are in place, and that the practices that are followed provide reasonable assurance that the audit work conducted

is in compliance with the requirements of the applicable professional standards and the Texas Internal Auditing Act.



Section V

Internal Audit Plan for Fiscal Year 2019

The audit plan below includes 20 total audits (7 carried over from fiscal year 18) and will be added to throughout the year based on risk and agency needs. In

addition, Internal Audit staff will conduct verification work on recommendations reported by management as implemented and address management requests as

possible. The Fiscal Year 2019 Internal Audit Plan was approved by the Acting Executive Commissioner on September 24, 2018.

Health and Human Services Commission Audit/Project

Contract Audit – TMHP Contract (18-01-016)*

Payments to Rural Hospitals (18-01-019)*

General and Application Controls for Selected Maximus Applications (18-01-020)

MSS – Financial Audit Contracts (18-01-021)*

Trust Funds (18-01-025)

State Hospital Revenue

Office of Inspector General – Internal Affairs

Child Care Licensing

Health Record Data

Background Checks

Information Technology – Project Management Office

Construction

Contract Management (Contract Audit from fiscal year 2018)*

System of Contract Operation and Reporting (SCOR)/CAPPS Financial System*

Information Technology Contract Process*

Department of State Health Services Audit/Project

Texas Center for Infectious Disease (18-02-022)*

Oral Health Surveillance Program (18-02-026)

Maternal and Child Health Grant Management

Consumer Protection – Surveillance

Accounts Receivable



Projects with a “*” indicate projects that will address contract management and

other requirements. None of the projects included in the Fiscal Year 2019 Internal Audit Plan specifically address benefits proportionality, expenditure transfers,

capital budget controls, or any other limitation or restriction in the General Appropriations Act.

The following business processes were ranked as "high risk" but not included in the Fiscal Year 2019 Internal Audit Plan either due to recent audit activity,

management priorities, or resource limitations:

Health and Human Services Commission

Business Area Auditable Unit

Program and Services MSS-Medicaid and CHIP Services Department:

Quality and Improvement Program

Program and Services Health and Specialty Care System: Facility Support Services

Program and Services Health and Specialty Care System: State Supported

Living Centers

Program and Services MSS-Health Developmental and Independence Services: Health and Developmental Services


Health Plan Monitoring and Contract Services

Chief Operating Officer Procurement and Contracting Services: Procurement Operations

Program and Services MSS: Office of eHealth Coordination


Financial Reporting and Audit Coordination

Chief Policy Officer Regulatory Services: Health Care Quality

Chief Deputy Executive Commissioner

Financial Services-Chief Financial Officer: Accounting/Fiscal Management

Chief Operating Officer IT-Chief Information Officer: IT Operations

Chief Policy Officer Regulatory Services: Adult Protective Services Investigations


Program Enrollment and Support



Health and Human Services Commission


Program and Services MSS-Intellectual or Developmental Disabilities and

Behavioral Health Services Department: Behavioral Health Services

Chief Policy Officer Regulatory Services: Long-Term Care Regulatory

Chief Operating Officer Procurement and Contracting Services: Contract

Administration and Management

Chief Counsel Appeals

Department of State Health Services


Public Health Regional and Local Health Services: Operations

Business Support

Public Health Regional and Local Health Services: Texas Center for Infectious Disease

Public Health Laboratory and Infectious Disease Services:

Infectious Disease Prevention

Public Health Consumer Protection: Meat Safety Assurance

Public Health Community Health Improvement: Vital Statistics

Program Operations Contract Management

Public Health Community Health Improvement: Public Health Screening and Services Coordination

Public Health Laboratory and Infectious Disease Services:

Laboratory Services

Public Health Laboratory and Infectious Disease Services: TB/HIV/STD

Public Health Consumer Protection: EMS/Trauma Systems

Public Health Community Health Improvement: Environmental

Epidemiology and Disease Registries

Public Health Consumer Protection: Compliance

Public Health Regional and Local Health Services: Health Emergency Preparedness and Response

Public Health Consumer Protection: Policy, Standards, and

Quality Assurance



Risk Assessment Methodology

HHS Internal Audit is implementing a perpetual risk assessment process that will allow for better identification of, and response to, shifts in risk. The four major

components of this risk assessment process are described below:

1. Define the audit universe. Develop a comprehensive list of "auditable units" (i.e., program areas/units, activities, processes, etc.) to be considered

for annual planning. This includes an ongoing review of organizational charts across the HHS System beginning from transformation on September 1,

2017 and beyond, the agency's annual report, and the Health and Human Services Commission and Department of State Health Services Strategic Plans. Criteria for selecting “auditable units” includes: level of contribution to

HHS Goals and Strategies, the magnitude of impact on the organization, the level of importance to justify the cost of control, and the efficiency in

minimizing auditable units when possible.

2. Select and weight risk factors. Risk factors are specific and identifiable

sources of uncertainty or potential negative consequences. Risk is inherent to every auditable unit - what varies among units is the degree or level of risk.

Level of risk is determined by the extent of impact to the agency as a whole, should the specific risk occur. Risk factors are selected by consideration of

current issues by the Director of Internal Audit. Risk Factors used as part of the Risk Assessment include:

Strategic Risk Factors

Operations Risk Factors Regulatory Risk Factors

Susceptibility and Exposure Risk Factors Texas Administrative Code, Section 202 (TAC 202) risks are assessed (when

applicable) within the Operations, Regulatory, and Susceptibility and Exposure factors and taken into account within individual project risk

assessments. Additionally, a TAC 202 Audit was conducted by HHS Internal Audit in fiscal year 2017.

In addition, HHS Internal Audit sent a survey to Management requesting

input on five additional risk factors based on the COSO Internal Control Framework:

Control Environment Assessing Risk Control Activities

Information and Communication Monitoring Activities



3. Prioritize auditable units to assess overall risk level.

Score: HHS Internal Audit scored each factor based on the level of

potential impact to the organization, as well as level of likelihood of the risk occurring using a 5-point scale: low risk levels received 1

point, medium-low - 2 points, medium risk levels - 3 points, medium-high - 4 points, and high risk levels - 5 points. For example, the Medicaid & CHIP Program Enrollment & Support unit would score a 5

on the Strategic risk factor for impact, while Veterans Services would score a 2 on the same risk factor. Management’s scoring of the 5

additional risk factors was included in the Risk Assessment scoring.

Additional Points: Areas identified as of interest or concern by executive management team members or the Director of Internal

Audit received additional points at the discretion of the scoring team.

Rank: Calculate based on the sum of all scores (HHS Internal Audit and Management Survey) and rank all units relative to one another. Identify high, medium-high, medium, medium-low, and low risk areas.

4. Monitoring and Updating Risk Assessment. Information is gained and

added to the risk assessment tool through routine meetings with agency management, information learned during audit work, external reports and notifications, and other sources that identify risks. Risks are perpetually

monitored and the risk assessment is updated as often as needed, to address the most current risks at HHS. The audit plan is monitored and assessed

routinely and amendments are proposed as appropriate.



Section VI

External Audit Services Procured in Fiscal Year 2018

Document Processing Services (DPS) Financial Audit

Data Broker Services Audit

Disproportionate Share Hospital and Uncompensated Care Audit Services

Medicaid Managed Care Capitation Rates

Managed Care Organization (MCO) - Financial Audits

Texas Medicaid & Healthcare Partnership (TMHP) Cost Report Review Process

Medical Transportation Program - Financial Statistical Reports (FSR)

TMHP SOC-1

Electronic Health Record (EHR) Incentives

NorthgateArinso Retrospective Cost Settlement Audit

Recovery Audits (RAC audits)

Delivery System Reform Incentive Payments (DSRIP)

Eligibility Support Services (ESS) program, Children’s Health Insurance Program (CHIP), and Enrollment Broker Retrospective Cost Settlement Audits

MCO Performance Audits

Medicaid and CHIP Services (MCS) - Vendor Drug Program HIPAA Audit



Section VII

Reporting Suspected Fraud and Abuse

The HHS Internet and Intranet, HHS Circular C-027, and HHS System Fraud Prevention and Awareness training, provide information on how to report suspected

fraud, waste, and abuse. Employees must report suspected fraud, waste, or abuse in health and human services programs to the HHS Inspector General and the

Texas State Auditor’s Office (SAO).

To our knowledge, these reports are being made in accordance with Section 7.09, Fraud Reporting, in the General Appropriations Act and Texas Government Code,

Section 321.022.

http://www.lbb.state.tx.us/Documents/GAA/General_Appropriations_Act_2018-2019.pdf

https://statutes.capitol.texas.gov/Docs/GV/htm/GV.321.htm#321.022

https://statutes.capitol.texas.gov/Docs/GV/htm/GV.321.htm#321.022