Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)

7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)

1/45

Click to edit Master subtitle style

Trust Your MotherBut Cut the Deck

Applying COSO Guidance on MonitoringInternal Control Systems to Local Hospitals


2/45

Incoming Fire

n Senator Grassley

n Fewer Insured Patients

n Tighter Credit Markets

n Investment Lossesn Recovery Audit

Contractors (RAC)

n 990 Reporting

n Internal Control Lettersfrom Auditors


3/45

One Constant in Life

Change


4/45

Proactive or Reactive

n Recognizing problems before they occur

n Having a plan to answer those problems


5/45

But Im Too Busy

n Tyranny of the Urgentq We only see the present


6/45

Double Vision A Good Thing

n Seeing the present

n Seeing the future


7/45

Overview of COSO Documents


8/45

COSO (ERM)

n Enterprise RiskManagement Integrated Framework(2004)

q Strategicq Operations

q Reporting

q Compliance


9/45

COSO Internal Control Integrated Framework (1992)

1. Risk Assessment

2. Control Environment

3. Control Activities

4. Information and Communication

5. Monitoring


10/45

New COSO Guidance

n Guidance on Monitoring Internal ControlSystems (2009)

n Issued January, 2009


11/45

Internal Control Reports

n Many hospitals provide no internal controlreports to the board or to management

n Hear no evil, see no evil


12/45

Internal Control Reports

n Most hospitals have no internal audit staff

n Hospitals that do have internal audit staff often

use them to perform special projects (i.e.revenue enhancement) rather than to examinethe accounting system


13/45

Compare

Time creatingmonthly accountingreports

Time creatingmonthly internalcontrol/system

reports


14/45

Thats What My Auditor Does

n Opinion states fairly stated: Numbers

n No opinion on working properly: Process


15/45

Why Little Attention toControls?n More comfortable with numbers than

processes

n Easier for board members to understandnumbers than processes

n Smaller hospitals may not have theexpertise or manpower to review theaccounting system


16/45

Typical Internal Report

n Denials by Category

n Net Accounts Receivable Days

n Gross Accounts Receivable Days

n Total Patient Cash Collectedn %Third Party A/R >90 Days

n Days from Discharge to Billing

n Contract Accounts Receivablen Self Pay Account Receivable


17/45

Imagine This Internal Report

n IT is not appropriately documenting changecontrol

n Third party collection agency receives cash

payments on bad debt accounts; noreconciling report is provided to hospital

n One HR person controls the master pay ratefile; no one reviews the changes


18/45

Nasty SAS 115 Letter

n Often more discussion between theexternal auditor and the hospitalabout internal control letters thanthe audited numbers

n Why?


19/45

True or False?

n The accounting system is a reflection on theCFO and Accounting Staff


20/45

So?n When fraud occurs or systems fail and

you are in charge, who will the boardor legal authorities look to?

n

Trust Your Mother, But Cut the Deck


21/45

Chutzpah Defense

n Deaf, Dumb and Blind Defense

n Dog Ate My Homework Defense

n The Hey Im just the CFO Defense

n The Aw Shucks Defense


22/45

What Can I Do?

n Plan your work, work your plan.


23/45

How Do You Eat an Elephant?

One bite at a time


24/45

Board Support

n Develop controls monitoring asa normal month to monthoperation

n Secure financial support forimplementing your plan

n

Create an internal audit charter


25/45

Stakeholders

n Potential relevantparties:q Compliance Committee

q Internal Auditors

q External Auditors

q Audit Committee

q Information Technology

q Accounts Payable Staff

q Payroll Staff


26/45

Stakeholders

n Consider meeting jointly with stakeholders todetermine information that will be needed

n Can internal audit perform tests that lendthemselves to your external auditors needs?


27/45

COSO Monitoring Process

1. Establish a Foundation

2. Design and Implement

3. Assess and Report


28/45

Establish a Foundation

n Map your processes

q This may be the most difficult part


29/45


n Scalable Documentationq Based on:

n Size

n Complexityn One size does not fit all

n A checklist is a tool, not an end result


30/45


n Dont forget about:q Outsourced accounting functions

n E.g. Payroll

q Related entitiesn E.g. Nursing Home, Physician Billing


31/45


32/45

Design and Execute

n What if I cant afford an FTE?

q Consider contracting with an outside auditor

q Consider a quarterly or semi-annual internal auditplan as opposed to a monthly audit plan


33/45

Design and Execute

n Can my external auditor be my contractinternal auditor?

It Depends


34/45

Design and Execute

n AICPA states: To perform internal auditassistance for a client and maintainindependence, your firm may not actor

appear to actas a member of the client'smanagement. For example, you and your firmmay not:q make decisions on the client's behalf, or

q report to the clients governing body.


35/45

Design and Execute

n The Institute of Internal Auditors positionis that total outsourcing of internal auditing tothe hospitals external auditor impairs the

independence of the external auditor.


36/45

Design and Execute

n Who should the internal auditor report to?

q No perfect method, however consider:

n Independence: consider having internal auditreport directly to the audit committee

n Practicality: consider having internal auditreport jointly to the CEO/CFO and the auditcommittee


37/45

Design and Execute

n Annual internal audit program (approved byboard)

n Consider how compliance and accountingcomplement one another


38/45

Design and Execute

1. Prioritize risk

2. Identify controls

3. Identify information

4. Implement monitoring


39/45

Design and Execute

n Entropy

q Systems will naturally declinewithout attention to changes


40/45

Design and Execute

n Annual Brainstormq See what has changed

n 990 reportingn RAC implementation

n OIG Work Plann New Managed Care contractsn Alternative Investmentsn Swapsn Banking relationshipsn Demand for Community

Benefits


41/45

Assess and Report

n Board Members

n Management

n External Auditors


42/45

Assess and Report

n Some organizations prioritize controlissues by severity along acontinuum:

q High

q Medium

q Low


43/45

Assess and Report

n Consider the effect of compensating controls

q A control weakness in one area may be completely

offset by a related control

q Can the transaction error or fraud occur withoutbeing detected in a timely manner?

COSO G id M it i


44/45

COSO Guidance on MonitoringInternal Control Systems

n Purchase from COSO

n Web Site: URL:http://www.coso.org/


45/45

Contact

n Call Charles Hall at 478-330-5248.

n Email: [email protected]

n Blog: cpa-scribo.com
mailto:[email protected]:[email protected]