Click here to load reader
Upload
vucong
View
212
Download
0
Embed Size (px)
Citation preview
Fiscal Year 2018
Annual Internal Audit Report October 2018
MISSION
Internal Audit provides independent and objective assurance and consulting services designed to protect and enhance Health and Human Services (HHS)
programs and operations through a systematic, disciplined approach to evaluating
the effectiveness of risk management, internal control, and governance processes. We strive to provide insightful, proactive, timely, and innovative advice and
recommendations to help HHS improve the health and safety of Texans.
2018 Team Members (as of 8/31/2018)
Frederick Appiah Tressie Landry, CIA Susie Belseth, CGAP Demetrio Leyva, CIA, CFE
Jean-Jacques Bouillet, CFE Edward Maldonado, CIA, CGAP
Sarah Cason, CIA, CISA Stanton Martin Christopher Chan, CISA Nick Martinez, CGAP
Ariel DeLotte Danielle McClinton Michelle Esquivel, CPA Andrea Morales, CIA, CFE
Armando Fierro Mickey Organ, CIA Diana Gonzalez Josh Pannell, CIA, CGAP Amanda Harris Stephen Randall, CISA
Selena Hiett Bobak Reihani John Isle, CIA, CRMA, CFE Chanda Riddick, CIA
Cameosha Jones, CGAP Erin Sanchez, CIA Nicole Kludt, CIA, CGAP, CFE Faiyaz Suleman
Will Koenig, CIA, CGAP, CRMA, CFE John Waukechon
Haylie Kwon, CPA, CIA
Management Team
Nicole Guerrero, CIA, CGAP, Chief Deputy Internal Audit Director
Teresa Menchaca, CIA, CISA, Deputy Internal Audit Director
Audit Managers
Sonya Etheridge, CPA, CIA, CISA, CFE
Jose Garcia, CPA, CIA
Rachelle Wood, CIA, CISA
Internal Audit Director
Karin Hill, CIA, CGAP, CRMA
Annual Internal Audit Report
HHS Internal Audit i
Introduction The Fiscal Year 2018 Annual Internal Audit Report for the Texas Health and Human
Services (HHS) Internal Audit is provided in accordance with the Texas Internal Auditing Act requirements for internal auditors to prepare and distribute an annual report of activities and complies with the guidelines set forth by the State Auditor’s
Office.
HHS Internal Audit completed audit work and provided management with information and analyses to assist in initiating improvements to operations and to strengthen internal controls. In addition to audit work, Internal Audit provided
advice and assistance on governance, risk management, and controls, and management actively engages HHS Internal Audit as they continue to work toward
more effective and efficient processes in the agency.
HHS Annual Internal Audit Report
HHS Internal Audit i
Table of Contents
Section I
Compliance with Texas Government Code, Section 2102.015: Posting the Internal
Audit Plan, Internal Audit Annual Report, and Other Audit Information on Internet Web Site .................................................................................................... 1
Section II
Internal Audit Plan for Fiscal Year 2018 .......................................................... 2
Explanation of Deviations from 2018 Internal Audit Plan .................................. 3
Section III
Consulting Services Completed ..................................................................... 4
Section IV
External Quality Assurance Review ................................................................ 6
Section V
Internal Audit Plan for Fiscal Year 2019 .......................................................... 7
Risk Assessment Methodology .................................................................... 10
Section VI
External Audit Services Procured in Fiscal Year 2018 ..................................... 12
Section VII
Reporting Suspected Fraud and Abuse ......................................................... 13
HHS Annual Internal Audit Report
HHS Internal Audit 1
Section I
Compliance with Texas Government Code, Section 2102.015:
Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on Internet Web Site
Texas Health and Human Services posts the approved audit plan (as well as
subsequent amendments) and the Annual Audit Report to the Reports and Presentations page of the HHS public home page within 30 days of approval as
required by statute.
HHS Annual Internal Audit Report
HHS Internal Audit 2
Section II
Internal Audit Plan for Fiscal Year 2018
Report Number Audit/Project Name Report Date
17-02-026 Claims Administrator Contract Oversight 10/24/2017
17-02-010 Vendor Drug Program 11/7/2017
17-02-013 Contract Monitoring of Local Mental Health Authorities
10/25/2017
17-02-030 Reporting Process for Reports Containing TIERS
Data (renamed TIERS Accuracy)
12/18/2017
17-01-029 HHS System Business Continuity and Disaster Recovery
1/3/2018
17-02-018 Foster Grandparent Program 1/22/2018
18-01-006 Privacy Program 6/28/2018
18-01-015 Accounts Payable Processes 4/20/2018
18-01-014 Allegations of Mistreatment of Minors 8/20/2018
18-01-018 Early Childhood Intervention 6/5/2018
18-01-008 Human Resources Hiring Processes 4/25/2018
18-01-007 HHS System Software Licenses 2/22/2018
18-01-016 Contract Audit – TMHP Contract In Progress Est. Completion
October 2018
18-01-019 Payments to Rural Hospitals In Progress Est. Completion
October 2018
18-01-017 Petty Cash 5/21/2018
18-02-009 Department of State Health Services: Vital Statistics Section: Billings and Collections
4/20/2018
18-02-009 Department of State Health Services: Vital
Statistics Section: Printing Plates
3/9/2018
18-01-021 MSS – Financial Audit Contracts In Progress -Est. Completion
October 2018
HHS Annual Internal Audit Report
HHS Internal Audit 3
Report Number Audit/Project Name Report Date
18-01-025 Trust Funds In Progress - Est. Completion
September 2018
18-01-020 General and Application Controls for Selected
Maximus Applications
In Progress - Est.
Completion October 2018
18-02-022 Department of State Health Services: Texas
Center for Infectious Disease
In Progress - Est.
Completion October 2018
18-01-023 HHS PCS Procurement Processes 7/5/2018
18-02-026 Department of State Health Services: Oral
Health Surveillance Program
In Progress - Est.
Completion December 2018
18-03-001 Quarterly Verifications
First Quarter Second Quarter Third Quarter
Fourth Quarter
December 2017 March 2018 July 2018
September 2018
System Access Controls – Terminated Employees
Will be included in Fiscal Year 2019
Audit Plan
Contract Audit (Contract to be selected at a later time)
Will be included in Fiscal Year 2019
Audit Plan
Explanation of Deviations from 2018 Internal Audit Plan As noted below in Section V. Internal Audit Plan for Fiscal Year 2019, the HHS Internal Audit risk assessment process is a perpetual process. As a result, the audit
plan may change quarterly due to more frequent identification of, and response to, shifts in risk.
HHS Annual Internal Audit Report
HHS Internal Audit 4
Section III
Consulting Services Completed
Internal Audit staff presented on the audit process, risk assessment, and control frameworks at staff meetings and leadership academies as requested by
management. In addition, the HHS Internal Audit completed the following consulting services during fiscal year 2018:
Report Number Project Name Completion Date
18-04-010 HHS Information Technology Governance December 20, 2017
18-04-012 APS Provider Investigations January 10, 2018
18-04-011 Learning Resource Network February 2, 2018
18-00-000
Management Assistance
DSHS Labor Account Codes Enterprise Information Security
Standards and Guidelines (ISSG) Revision Work Group
January 10, 2018 February 1, 2018
HHS Information Technology Governance
Internal Audit staff attended committee meetings and participate in discussions as
non-voting members to provide objective information, references or sources of laws, rules, regulations or best practices that have bearing on the refresh of IT
Governance. A report was not issued for this project.
DSHS Labor Account Codes
The DSHS Finance Division requested an independent review of a SharePoint option to document the supervisors’ review of employees’ task profiles prior to approving timesheets and task profiles. The SharePoint option was viable with a modification
to the initial email communication to supervisors to prevent the supervisor from approving timesheets and task profiles of assigned employees without reviewing
the detailed task profiles.
Learning Resource Network
This consulting engagement was requested by the Deputy Executive Commissioner of System Support Services. HHS Internal Audit collaborated with University of Texas students to identify opportunities for the Learning Resource Network (LRN) to
increase its visibility to other employees within the Health and Human Services (HHS) and document and evaluate processes used by the LRN to prioritize the
training that is offered. During the evaluation of the LRN’s visibility of the LRN and processes, the team identified strengths and potential areas for improvement.
HHS Annual Internal Audit Report
HHS Internal Audit 5
Adult Protective Services Provider Investigation
This consulting engagement was requested by Health and Human Services Commission (HHSC) Deputy Executive Commissioner for Regulatory Services. HHS Internal Audit collaborated with University of Texas students to develop flowcharts
of processes currently in place for conducting provider investigations. This included comparing processes to policy; identifying similarities and differences between
processes; and identifying controls and possible bottlenecks.
Enterprise Information Security Standards and Guidelines (ISSG) Revision Work Group
HHS Internal Audit attended work group meetings as non-voting members and provided advice and guidance as appropriate. A report was not issued for this
project.
HHS Annual Internal Audit Report
HHS Internal Audit 6
Section IV
External Quality Assurance Review The HHS Internal Audit External Quality Assurance Review was completed in August 2016, by David MacCabe, LLC, a state contracted vendor. The opinion that was
reported was as follows:
Based on the information received and evaluated during this external
QAR, it is the opinion of the reviewer that the internal audit activity at the Texas Health and Human Services Commission generally conforms to the IIA Standards, the Government Auditing Standards,
and the Texas Internal Auditing Act. This opinion, representing the best possible evaluation, means that policies, procedures, and an
internal audit charter are in place, and that the practices that are followed provide reasonable assurance that the audit work conducted
is in compliance with the requirements of the applicable professional standards and the Texas Internal Auditing Act.
HHS Annual Internal Audit Report
HHS Internal Audit 7
Section V
Internal Audit Plan for Fiscal Year 2019
The audit plan below includes 20 total audits (7 carried over from fiscal year 18) and will be added to throughout the year based on risk and agency needs. In
addition, Internal Audit staff will conduct verification work on recommendations reported by management as implemented and address management requests as
possible. The Fiscal Year 2019 Internal Audit Plan was approved by the Acting Executive Commissioner on September 24, 2018.
Health and Human Services Commission Audit/Project
Contract Audit – TMHP Contract (18-01-016)*
Payments to Rural Hospitals (18-01-019)*
General and Application Controls for Selected Maximus Applications (18-01-020)
MSS – Financial Audit Contracts (18-01-021)*
Trust Funds (18-01-025)
State Hospital Revenue
Office of Inspector General – Internal Affairs
Child Care Licensing
Health Record Data
Background Checks
Information Technology – Project Management Office
Construction
Contract Management (Contract Audit from fiscal year 2018)*
System of Contract Operation and Reporting (SCOR)/CAPPS Financial System*
Information Technology Contract Process*
Department of State Health Services Audit/Project
Texas Center for Infectious Disease (18-02-022)*
Oral Health Surveillance Program (18-02-026)
Maternal and Child Health Grant Management
Consumer Protection – Surveillance
Accounts Receivable
HHS Annual Internal Audit Report
HHS Internal Audit 8
Projects with a “*” indicate projects that will address contract management and
other requirements. None of the projects included in the Fiscal Year 2019 Internal Audit Plan specifically address benefits proportionality, expenditure transfers,
capital budget controls, or any other limitation or restriction in the General Appropriations Act.
The following business processes were ranked as "high risk" but not included in the Fiscal Year 2019 Internal Audit Plan either due to recent audit activity,
management priorities, or resource limitations:
Health and Human Services Commission
Business Area Auditable Unit
Program and Services MSS-Medicaid and CHIP Services Department:
Quality and Improvement Program
Program and Services Health and Specialty Care System: Facility Support Services
Program and Services Health and Specialty Care System: State Supported
Living Centers
Program and Services MSS-Health Developmental and Independence Services: Health and Developmental Services
Program and Services MSS-Medicaid and CHIP Services Department:
Health Plan Monitoring and Contract Services
Chief Operating Officer Procurement and Contracting Services: Procurement Operations
Program and Services MSS: Office of eHealth Coordination
Program and Services MSS-Medicaid and CHIP Services Department:
Financial Reporting and Audit Coordination
Chief Policy Officer Regulatory Services: Health Care Quality
Chief Deputy Executive Commissioner
Financial Services-Chief Financial Officer: Accounting/Fiscal Management
Chief Operating Officer IT-Chief Information Officer: IT Operations
Chief Policy Officer Regulatory Services: Adult Protective Services Investigations
Program and Services MSS-Medicaid and CHIP Services Department:
Program Enrollment and Support
HHS Annual Internal Audit Report
HHS Internal Audit 9
Health and Human Services Commission
Business Area Auditable Unit
Program and Services MSS-Intellectual or Developmental Disabilities and
Behavioral Health Services Department: Behavioral Health Services
Chief Policy Officer Regulatory Services: Long-Term Care Regulatory
Chief Operating Officer Procurement and Contracting Services: Contract
Administration and Management
Chief Counsel Appeals
Department of State Health Services
Business Area Auditable Unit
Public Health Regional and Local Health Services: Operations
Business Support
Public Health Regional and Local Health Services: Texas Center for Infectious Disease
Public Health Laboratory and Infectious Disease Services:
Infectious Disease Prevention
Public Health Consumer Protection: Meat Safety Assurance
Public Health Community Health Improvement: Vital Statistics
Program Operations Contract Management
Public Health Community Health Improvement: Public Health Screening and Services Coordination
Public Health Laboratory and Infectious Disease Services:
Laboratory Services
Public Health Laboratory and Infectious Disease Services: TB/HIV/STD
Public Health Consumer Protection: EMS/Trauma Systems
Public Health Community Health Improvement: Environmental
Epidemiology and Disease Registries
Public Health Consumer Protection: Compliance
Public Health Regional and Local Health Services: Health Emergency Preparedness and Response
Public Health Consumer Protection: Policy, Standards, and
Quality Assurance
HHS Annual Internal Audit Report
HHS Internal Audit 10
Risk Assessment Methodology
HHS Internal Audit is implementing a perpetual risk assessment process that will allow for better identification of, and response to, shifts in risk. The four major
components of this risk assessment process are described below:
1. Define the audit universe. Develop a comprehensive list of "auditable units" (i.e., program areas/units, activities, processes, etc.) to be considered
for annual planning. This includes an ongoing review of organizational charts across the HHS System beginning from transformation on September 1,
2017 and beyond, the agency's annual report, and the Health and Human Services Commission and Department of State Health Services Strategic Plans. Criteria for selecting “auditable units” includes: level of contribution to
HHS Goals and Strategies, the magnitude of impact on the organization, the level of importance to justify the cost of control, and the efficiency in
minimizing auditable units when possible.
2. Select and weight risk factors. Risk factors are specific and identifiable
sources of uncertainty or potential negative consequences. Risk is inherent to every auditable unit - what varies among units is the degree or level of risk.
Level of risk is determined by the extent of impact to the agency as a whole, should the specific risk occur. Risk factors are selected by consideration of
current issues by the Director of Internal Audit. Risk Factors used as part of the Risk Assessment include:
Strategic Risk Factors
Operations Risk Factors Regulatory Risk Factors
Susceptibility and Exposure Risk Factors Texas Administrative Code, Section 202 (TAC 202) risks are assessed (when
applicable) within the Operations, Regulatory, and Susceptibility and Exposure factors and taken into account within individual project risk
assessments. Additionally, a TAC 202 Audit was conducted by HHS Internal Audit in fiscal year 2017.
In addition, HHS Internal Audit sent a survey to Management requesting
input on five additional risk factors based on the COSO Internal Control Framework:
Control Environment Assessing Risk Control Activities
Information and Communication Monitoring Activities
HHS Annual Internal Audit Report
HHS Internal Audit 11
3. Prioritize auditable units to assess overall risk level.
Score: HHS Internal Audit scored each factor based on the level of
potential impact to the organization, as well as level of likelihood of the risk occurring using a 5-point scale: low risk levels received 1
point, medium-low - 2 points, medium risk levels - 3 points, medium-high - 4 points, and high risk levels - 5 points. For example, the Medicaid & CHIP Program Enrollment & Support unit would score a 5
on the Strategic risk factor for impact, while Veterans Services would score a 2 on the same risk factor. Management’s scoring of the 5
additional risk factors was included in the Risk Assessment scoring.
Additional Points: Areas identified as of interest or concern by executive management team members or the Director of Internal
Audit received additional points at the discretion of the scoring team.
Rank: Calculate based on the sum of all scores (HHS Internal Audit and Management Survey) and rank all units relative to one another. Identify high, medium-high, medium, medium-low, and low risk areas.
4. Monitoring and Updating Risk Assessment. Information is gained and
added to the risk assessment tool through routine meetings with agency management, information learned during audit work, external reports and notifications, and other sources that identify risks. Risks are perpetually
monitored and the risk assessment is updated as often as needed, to address the most current risks at HHS. The audit plan is monitored and assessed
routinely and amendments are proposed as appropriate.
HHS Annual Internal Audit Report
HHS Internal Audit 12
Section VI
External Audit Services Procured in Fiscal Year 2018
Document Processing Services (DPS) Financial Audit
Data Broker Services Audit
Disproportionate Share Hospital and Uncompensated Care Audit Services
Medicaid Managed Care Capitation Rates
Managed Care Organization (MCO) - Financial Audits
Texas Medicaid & Healthcare Partnership (TMHP) Cost Report Review Process
Medical Transportation Program - Financial Statistical Reports (FSR)
TMHP SOC-1
Electronic Health Record (EHR) Incentives
NorthgateArinso Retrospective Cost Settlement Audit
Recovery Audits (RAC audits)
Delivery System Reform Incentive Payments (DSRIP)
Eligibility Support Services (ESS) program, Children’s Health Insurance Program (CHIP), and Enrollment Broker Retrospective Cost Settlement Audits
MCO Performance Audits
Medicaid and CHIP Services (MCS) - Vendor Drug Program HIPAA Audit
HHS Annual Internal Audit Report
HHS Internal Audit 13
Section VII
Reporting Suspected Fraud and Abuse
The HHS Internet and Intranet, HHS Circular C-027, and HHS System Fraud Prevention and Awareness training, provide information on how to report suspected
fraud, waste, and abuse. Employees must report suspected fraud, waste, or abuse in health and human services programs to the HHS Inspector General and the
Texas State Auditor’s Office (SAO).
To our knowledge, these reports are being made in accordance with Section 7.09, Fraud Reporting, in the General Appropriations Act and Texas Government Code,
Section 321.022.