Corporate Responsibility and Internal Audit Programs
HCCA 2004 Compliance Institute
Urton Anderson, CIA, CGAP, CCSA
Objectives
• Learn how an effective IA function adds value to the organization
• Understand the three fundamental processes underlying corporate responsibility and IA’s role in each
• Learn how to use IA effectively and efficiently in the design and oversight of compliance control systems
Session Plan
• What is IA? A “New” Definition
• Adding Value with IA
• The Role of IA in the Governance Process
• The Role of IA in the Risk Management Process
• The Role of IA in the Control Process – The effective and efficient use of IA in compliance control systems
Definition of Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
IA Customers
Auditee
Audit Committee
Senior Management
Financial Management
External Auditors
Regulators
Vendors
Suppliers
Add Value
Value is provided by improving opportunities to achieve organizational objectives, identifying operational improvement, and/or reducing risk exposure through both assurance and consulting services
Glossary to IIA Standards
What does the customer want?
Audit Committee/Board
• Safeguarding Assets
• Compliance with Laws and Regulations
• Reliability of Data
QUALITY OF INFORMATION
Operating Management
• Effectiveness and Efficiency of Operations
• Achievement of Organizational Objectives
CHANGE AGENT
Corporate Governance Problem
• Corporate form of business organization is very fragile
• Adam Smith – very skeptical of corporate concept
  – East India Company
  – Never able to solve contracting problem
  – Throughout its history shareholders never made money but agents made fortunes
What is corporate governance?
The process through which (1) values and goals are established and communicated, (2) the accomplishment of goals is monitored, (3) accountability is ensured, and (4) values are preserved.
Parties in the Governance Process
• Oversight group – board and committees of the board
• Stewardship group – executive management
  – Dual role of stewardship of resources allocated by board and accountability of results of operations
• Performance group – operating and support management and staff
• Assurance group – internal and external auditing functions.
NYSE Corporate Governance Rules 303A.07(d)
(d) Each listed company must have an internal audit function.
Commentary: Listed companies must maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company’s risk management processes and system of internal control. A company may choose to outsource this function to a third party service provider other than its independent auditor.
IA’s Role
The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Effectively communicating risk and control information to appropriate areas of the organization.
• Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.
IIA 2130
IA’s Role
Two aspects:
1. Assistance in the risk assessment process
2. Evaluation of the risk management process
5 Key Objectives of Risk Management Process
1. Risks arising from business strategies and activities are identified and prioritized.
2. Management and the board have determined the level of risks acceptable to the organization, including the acceptance of risks designed to accomplish the organization’s strategic plans.
3. Risk mitigation activities are designed and implemented to reduce, or otherwise manage, risk at levels that were determined to be acceptable to management and the board.
4. Ongoing monitoring activities are conducted to periodically reassess risk and the effectiveness of controls to manage risk.
5. The board and management receive periodic reports of the results of the risk management processes. The corporate governance processes of the organization should provide periodic communication of risks, risk strategies, and controls to stakeholders.
The Role of IA in the Control Process – The effective and efficient use of IA in compliance control systems
Monitoring
1. The Role of Monitoring and Oversight Controls
2. Examples of Monitoring and Oversight Controls in Compliance Systems
3. Designing Monitoring/Oversight Controls for Effective and Efficient Assurance
4. Providing Assurance of Compliance
Monitoring in Internal Control
• Monitoring Function - Actions taken by management and others to assess the quality of internal control system performance over time
The Monitoring Function
• Monitoring Controls
  – Investigation of unusual items
• Oversight Controls
  – Customer surveys and complaint analysis
• Internal Auditing Controls
  – Traditional internal audit
Compliance Examples
• Monitoring – UT Southwestern
  – Patient Satisfaction Survey – reviewed daily and any potential issues distributed to appropriate parties for prompt attention
• Oversight - UT El Paso
  – NCAA Eligibility – faculty representatives have begun to spot-check individual records.
Compliance Examples
• Internal Auditing Control – UT Tyler
  – Peer review of health and safety program
• Internal Auditing Control – UT Houston
  – Office of Institutional Compliance conducted review of Medical School’s monitoring plan for physician billing process. Review included verifying and validating chart abstraction process
Compliance Examples - UTH
Column headings of the table shown on the slide:
• PATIENT
• DOS
• POS
• CPT
• PHYSICIAN
• RECORD LEGIBLE
• TP / ATTENDING NOTE IN CHART
• TP / ATTENDING SIGNATURE IN CHART
• TP / ATTENDING PARTICIPATION DOCUMENTED IN CHART
• SUMMARY OF KEY COMPONENTS DOCUMENTED
• RESIDENT NOTE IN CHART
• PROCEDURES DOCUMENTED ACCORDINGLY
• MEDICAL NECESSITY DOCUMENTED
• ICD.9 CODED TO HIGHEST LEVEL OF SPECIFICITY / SUPPORTED IN DOCUMENTATION
• AGREE WITH AUDITOR'S FINDINGS
• COMMENTS
Designing Effective Monitoring Functions
• Monitoring is a way to evaluate effectiveness, efficiency and consistency of operational controls
• Benefits of monitoring are process improvement, identification of new risk, assurance
• Monitoring (especially internal audit control) should not be the operating control
Providing Assurance
• Monitoring Controls need to be auditable
  – Responsibility for monitoring assigned
  – Plan in place
  – Verifiable (documented)
• Goal is to do internal audit of monitoring and oversight controls with little time on operational
Providing Assurance – Audit Criteria
• Documented evidence of actions taken when monitoring controls identify failure
• Instances of non-compliance documented and dealt with appropriately
• Instances of non-compliance reported to Compliance committee or Chief Administrative Officer
• Documented training related to risk has been provided to all employees
• Documented training provided in each case of failure of operating controls or non-compliance
• Periodic reporting to compliance officer and committee
Effective Assurance of Monitoring Plan
• Compliance Officer reviews monitoring plan
• External Review
  – Peer
  – Commercial
• IA performs inspection of monitoring plan (determines if it can be audited)
• IA performs audit of plan
Questions?
Urton Anderson
Red McCombs School of Business
The University of Texas at Austin
(512)[email protected]