7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
1/45
Click to edit Master subtitle style
Trust Your MotherBut Cut the Deck
Applying COSO Guidance on MonitoringInternal Control Systems to Local Hospitals
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
2/45
Incoming Fire
n Senator Grassley
n Fewer Insured Patients
n Tighter Credit Markets
n Investment Lossesn Recovery Audit
Contractors (RAC)
n 990 Reporting
n Internal Control Lettersfrom Auditors
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
3/45
One Constant in Life
Change
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
4/45
Proactive or Reactive
n Recognizing problems before they occur
n Having a plan to answer those problems
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
5/45
But Im Too Busy
n Tyranny of the Urgentq We only see the present
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
6/45
Double Vision A Good Thing
n Seeing the present
n Seeing the future
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
7/45
Overview of COSO Documents
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
8/45
COSO (ERM)
n Enterprise RiskManagement Integrated Framework(2004)
q Strategicq Operations
q Reporting
q Compliance
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
9/45
COSO Internal Control Integrated Framework (1992)
1. Risk Assessment
2. Control Environment
3. Control Activities
4. Information and Communication
5. Monitoring
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
10/45
New COSO Guidance
n Guidance on Monitoring Internal ControlSystems (2009)
n Issued January, 2009
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
11/45
Internal Control Reports
n Many hospitals provide no internal controlreports to the board or to management
n Hear no evil, see no evil
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
12/45
Internal Control Reports
n Most hospitals have no internal audit staff
n Hospitals that do have internal audit staff often
use them to perform special projects (i.e.revenue enhancement) rather than to examinethe accounting system
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
13/45
Compare
Time creatingmonthly accountingreports
Time creatingmonthly internalcontrol/system
reports
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
14/45
Thats What My Auditor Does
n Opinion states fairly stated: Numbers
n No opinion on working properly: Process
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
15/45
Why Little Attention toControls?n More comfortable with numbers than
processes
n Easier for board members to understandnumbers than processes
n Smaller hospitals may not have theexpertise or manpower to review theaccounting system
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
16/45
Typical Internal Report
n Denials by Category
n Net Accounts Receivable Days
n Gross Accounts Receivable Days
n Total Patient Cash Collectedn %Third Party A/R >90 Days
n Days from Discharge to Billing
n Contract Accounts Receivablen Self Pay Account Receivable
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
17/45
Imagine This Internal Report
n IT is not appropriately documenting changecontrol
n Third party collection agency receives cash
payments on bad debt accounts; noreconciling report is provided to hospital
n One HR person controls the master pay ratefile; no one reviews the changes
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
18/45
Nasty SAS 115 Letter
n Often more discussion between theexternal auditor and the hospitalabout internal control letters thanthe audited numbers
n Why?
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
19/45
True or False?
n The accounting system is a reflection on theCFO and Accounting Staff
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
20/45
So?n When fraud occurs or systems fail and
you are in charge, who will the boardor legal authorities look to?
n
Trust Your Mother, But Cut the Deck
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
21/45
Chutzpah Defense
n Deaf, Dumb and Blind Defense
n Dog Ate My Homework Defense
n The Hey Im just the CFO Defense
n The Aw Shucks Defense
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
22/45
What Can I Do?
n Plan your work, work your plan.
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
23/45
How Do You Eat an Elephant?
One bite at a time
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
24/45
Board Support
n Develop controls monitoring asa normal month to monthoperation
n Secure financial support forimplementing your plan
n
Create an internal audit charter
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
25/45
Stakeholders
n Potential relevantparties:q Compliance Committee
q Internal Auditors
q External Auditors
q Audit Committee
q Information Technology
q Accounts Payable Staff
q Payroll Staff
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
26/45
Stakeholders
n Consider meeting jointly with stakeholders todetermine information that will be needed
n Can internal audit perform tests that lendthemselves to your external auditors needs?
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
27/45
COSO Monitoring Process
1. Establish a Foundation
2. Design and Implement
3. Assess and Report
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
28/45
Establish a Foundation
n Map your processes
q This may be the most difficult part
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
29/45
Establish a Foundation
n Scalable Documentationq Based on:
n Size
n Complexityn One size does not fit all
n A checklist is a tool, not an end result
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
30/45
Establish a Foundation
n Dont forget about:q Outsourced accounting functions
n E.g. Payroll
q Related entitiesn E.g. Nursing Home, Physician Billing
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
31/45
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
32/45
Design and Execute
n What if I cant afford an FTE?
q Consider contracting with an outside auditor
q Consider a quarterly or semi-annual internal auditplan as opposed to a monthly audit plan
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
33/45
Design and Execute
n Can my external auditor be my contractinternal auditor?
It Depends
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
34/45
Design and Execute
n AICPA states: To perform internal auditassistance for a client and maintainindependence, your firm may not actor
appear to actas a member of the client'smanagement. For example, you and your firmmay not:q make decisions on the client's behalf, or
q report to the clients governing body.
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
35/45
Design and Execute
n The Institute of Internal Auditors positionis that total outsourcing of internal auditing tothe hospitals external auditor impairs the
independence of the external auditor.
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
36/45
Design and Execute
n Who should the internal auditor report to?
q No perfect method, however consider:
n Independence: consider having internal auditreport directly to the audit committee
n Practicality: consider having internal auditreport jointly to the CEO/CFO and the auditcommittee
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
37/45
Design and Execute
n Annual internal audit program (approved byboard)
n Consider how compliance and accountingcomplement one another
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
38/45
Design and Execute
1. Prioritize risk
2. Identify controls
3. Identify information
4. Implement monitoring
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
39/45
Design and Execute
n Entropy
q Systems will naturally declinewithout attention to changes
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
40/45
Design and Execute
n Annual Brainstormq See what has changed
n 990 reportingn RAC implementation
n OIG Work Plann New Managed Care contractsn Alternative Investmentsn Swapsn Banking relationshipsn Demand for Community
Benefits
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
41/45
Assess and Report
n Board Members
n Management
n External Auditors
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
42/45
Assess and Report
n Some organizations prioritize controlissues by severity along acontinuum:
q High
q Medium
q Low
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
43/45
Assess and Report
n Consider the effect of compensating controls
q A control weakness in one area may be completely
offset by a related control
q Can the transaction error or fraud occur withoutbeing detected in a timely manner?
COSO G id M it i
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
44/45
COSO Guidance on MonitoringInternal Control Systems
n Purchase from COSO
n Web Site: URL:http://www.coso.org/
7/31/2019 Trust Your Mother but Cut the Deck (Internal Controls in Local Hospitals)
45/45
Contact
n Call Charles Hall at 478-330-5248.
n Email: [email protected]
n Blog: cpa-scribo.com
mailto:[email protected]:[email protected]Top Related