Internal Audit – Adding Value AHIA NW Regional Seminar May 7, 2010

September 7, Introductions  Legacy Health >6 hospital system in Portland metro region  Management Audit Services (MAS) >4 person department with broad responsibilities  Joyce L. Lang >16 years as IA director, 9 in healthcare

September 7, Background  Audit Committee Chair’s request – find out how others “add value”  Surveyed a sample of healthcare CAEs  No definitive answer  Recurring themes – revenue enhancement/ cost savings audits, balanced scorecards

September 7, Purpose Share information collected and provide specific examples of >Revenue enhancement/cost savings audits >Balanced Scorecards Share MAS “new approach” Provide opportunity for peer-to-peer exchange So you can take away ideas to formulate your own definition of “Adding Value”.

September 7, Revenue Enhancement and Cost Savings Audits  Source >Queried CAEs who responded to survey for descriptions of specific audits >Discussion topic at CAE Roundtable in LA  Types >Revenue Enhancement = Charges >Cost Savings = Purchasing, Contracts, Labor and Construction

September 7, Revenue Enhancement Audits - Handout Audit TopicDollars Implantable devices$400K/yr, net Pharmaceuticals  Clinic purchases & immunizations *  Administration charges *  Not charged *  Retail Pharmacies – Adjudicated prices $100K/yr 1% - $66K $4.5 million $180K

September 7, Revenue Enhancement Audits - Handout Audit TopicDollars Radiology – Contrast *$18K/yr Infusion  Charging *  Missing orders, missing start & stop times * $100K/yr $2 million

September 7, Cost Savings Audits - Handout Audit TopicDollars Purchasing  Pricing of supplies under GPO *  Bulk purchasing of high cost items *  Duplicate payments * $200K $400K/yr $150K recovered Contracts  Outsourced collection  Performance terms $38K $71K recovered

September 7, Cost Savings Audits - Handout Audit TopicDollars Labor – Abuse of 7/8 minute rule *2 free days Construction  Job cost billing  General conditions – not allowable  Work reduction cost adjustment  Change orders $714K $194K $361K $170K

September 7, Revenue Enhancement and Cost Savings Audits Your successes and ideas?

September 7, Balanced Scorecard - Definition A strategy-focused approach to performance measurement that includes non-financial and financial performance measures that are derived from the organization’s strategy and vision. Generally includes objectives and performance measures in the following dimensions: >Financial >Customer >Internal processes >Learning, innovation, and growth

September 7, Balanced Scorecard for IA A Balanced Scorecard Framework for Internal Auditing by Mark L. Frigo, Ph.D., CPA, CMA The Institute of Internal Auditors Research Foundation, 2002 Four dimensions: >Board/Audit Committee >Management and Auditees >Internal Processes >Innovation and Capabilities

September 7, Balanced Scorecard for IA Performance Metrics should: >Be driven by the internal auditing department’s mission and strategy >Include customer measures, internal process measures, and capability and innovation measures >Include leading indicators (performance drivers) as well as lagging indicators (outcome measures) Leading – Training hours per auditor Lagging – Customer satisfaction survey

September 7, Balanced Scorecards - Dimensions Framework  Board/Audit Committee  Management and Auditees  Internal Processes  Innovation and Capabilities Examples - Handout  Customer Satisfaction, Internal and External Customers  Quality & Volume, Performance, Quality  Workforce Satisfaction, Associate Engagement, Innovation & Learning  Financial Performance, Cost/Efficiency, Stewardship

September 7, Balanced Scorecards - Handout  Consistent – Project satisfaction survey results, work plan completion  Other surveys – Organization satisfaction, employee engagement  Observations – >Timeliness of reports – Customer satisfaction or performance? >CAATs/data mining – People or performance?

September 7, Balanced Scorecards Your observations and comments – >Anything missing? >What measures are essential to you? >What should you be measuring but haven’t? >Frequency of measuring and reporting?

September 7, Integrating the IIA Standards 2100 – Nature of Work The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.

September 7, Integrating the IIA Standards 2110 – Governance The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives… 2110.A1 …must evaluate…organization’s ethics-related objectives, programs, and activities 2110.A2 …must evaluate…information technology governance of the organization…

September 7, Integrating the IIA Standards 2120 – Risk Management The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes A1 …must evaluate risk exposures… regarding (information, E&E, assets, compliance) 2120.A2 …must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk

September 7, Integrating the IIA Standards 2130 – Control The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement A1 …must evaluate the adequacy and effectiveness of controls in responding to risks… regarding (information, E&E, assets, compliance)

September 7, Integrating the IIA Standards Internal auditing is an independent, objective assurance and consulting activity. New MAS Charter in February 2010  Scope of Work outlines 5 “assurance” responsibilities – the “musts” in the Standards  Core Audit Program - >Frequency-Based Audits - 36 topics (e.g., charges for patient care, purchasing, IT); annual to 5-year cycle; frequency reflects risk >Ad Hoc Audits – Specific high risks (e.g., system implementations, major construction project costs, OIG topics)

September 7, Assurance Activity #1 Standards – MAS Charter Evaluate risk exposures and the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations and information systems regarding the: >Reliability and integrity of financial and operational information >Effectiveness and efficiency of operations >Safeguarding of assets >Compliance with laws, regulations and contracts. MAS Work Plan Selected audit projects from Core Audit Program catalog of topics

September 7, Assurance Activity #2 Standards – MAS Charter Evaluate the effectiveness and contribute to the improvement of risk management processes. MAS Work Plan  Catalog the external and internal risks to business objectives  Assess impact and likelihood of each risk’s occurrence  Identify who is responsible for the risk’s management and how the risk is managed and monitored  Evaluate the effectiveness of risk management activities.

September 7, Assurance Activity #3 Standards – MAS Charter Assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives: >Appropriate ethics and values >Effective organizational performance management and accountability >Communication of risk and control information to the appropriate areas >Coordination and communication of information between the Board, management and auditors. 1. MAS Work Plan Governance process addressed through an assessment of the 10 elements of the “Internal Environment”, a section of COSO ERM

September 7, Assurance Activity #4 Standards – MAS Charter Assess whether IT Governance of the organization sustains and supports objectives and strategies. MAS Work Plan  Catalog attributes of IT Governance and develop a plan for assessing effective implementation of each component  Complete an assessment of at least one component this year and work with IT on improvements, if needed.

September 7, Assurance Activity #5 Standards – MAS Charter Evaluate the potential for the occurrence of fraud and how the organization manages fraud risk. MAS Work Plan  “Managing the Business Risk of Fraud: A Practical Guide” - 5 principles for boards/management to consider in protecting the organization from fraud  Use this tool to outline an on-going assessment program and perform initial assessment.

September 7, Integrating the IIA Standards Questions ? Discussion ?

September 7, Thank You ! Joyce L. Lang, CPA, CIA Director, Management Audit Services Legacy Health 815 NE Davis St. Portland, OR