External Audit and the Audit Committee - Audit and Compliance Committee Conference 2011
DESCRIPTION
This presentation covers the following topics: gaining the confidence and trust of the audit committee, ensuring the Audit Committee is appropriately educated to understand the current risk environment, making sure the compliance program and compliance issues receive appropriate attention.
TRANSCRIPT
1
External Audit & the Audit Committee
Audit & Compliance Committee Conference
Health Care Compliance Association
February 8th, 2011
2
Agenda
Overview of the Risk Environment
The Role of the Audit Committee
The Role of the External Auditor
The Current Regulatory Environment
Ensuring Support of the Compliance Function
Overview of Healthcare Fraud & Abuse
Overview of the Compliance Function
The Role of the Audit Committee
3
An Overview of the Risk Environment
Top Ten Cited Risks – KPMG Enterprise Risk Survey - 2010
Insufficient Reimbursement
Aligning Hospital & Physician Incentives
Readiness for Clinical Automation
Continued Economic Downturn
Continuing Operational Performance Improvements
Increased Regulatory Enforcement
Unfunded Mandates
Rebuilding the Organizational Balance Sheet
Increased Cost of Capital
Significant Reduction in Employer Provided Insurance
4
The Role of the Audit / Compliance Committee
Ensure Appropriate Oversight of Risk
Risk Identification
Sufficient Understanding of Risk
Risk Ranking & Prioritization
Risk Mitigation
Corrective Action Planning
5
The Role of the External Auditor
Forming and expressing an opinion about whether the financial statements that have been prepared by management with the oversight of the Audit Committee are presented fairly, in all material respects, in conformity with generally accepted accounting principles
Communicating to the Audit Committee in writing all significant deficiencies and material weaknesses in internal control identified in the audit and reporting to management all deficiencies noted during the audit
Conducting the audit in accordance with professional standards
Complying with the rules and regulations of the Code of Professional Conduct of the American Institute of Certified Public Accountants, and the ethical standards of relevant CPA societies, relevant state boards of accountancy, the SEC (or other regulators), and the PCAOB
Planning and performing the audit with an attitude of professional skepticism
Communicating all required information, including significant matters, to management and the Audit Committee
6
The Current Regulatory Environment
Regulatory environment – highest scrutiny ever
Mandatory Compliance Programs in NY State
Organization must certify in writing that an effective compliance program exists
Changes to the Federal Sentencing Guidelines
PPACA contained 32 new fraud and abuse provisions
Enforcement efforts strengthened and coordinated
7
New York State OMIG’s Mandatory Compliance Program Requirement
Providers required by law to have mandatory compliance program
Required by law to certify in writing that program is effective
OMIG recommends that executive other than Compliance Officer sign certification
Scope of programs defined broader than typical to include:
- Billing and Payments
- Medical Necessity and Quality of Care
- Governance
- Mandatory Reporting
- Credentialing
- All other risks that are known or should have been known
OMIG will be auditing programs to assess effectiveness
OMIG and NY Commissioner of Health have authority to determine the adequacy of programs
Exclusion from Medicaid is possible if program is deemed ineffective
8
Overview of Compliance Program
A compliance officer and compliance committee
Written Standards – Compliance Policies, etc.
Training & Education
Auditing & Monitoring
Lines of Communication for Reporting
Disclosure Program to Report Misconduct
Enforcement of Disciplinary Standards
Risk Assessment
9
Fraud & Abuse Provisions associated with Healthcare Reform
• Patient Protection and Affordable Care Act as amended by the Healthcare and Education and Reconciliation Act (Healthcare Reform Law)
– 32 sections related to HC fraud and abuse and program integrity
• Provisions establish fundamental expectations for regulatory compliance, transparency and quality of care
• New enforcement provisions that could greatly increase potential legal exposure
• Overpayments and FCA liability – Section 6402 of the HCRL – identified overpayments must be identified and repaid within 60 Days – retention beyond 60 days constitutes an obligation under the FCA.
– Will require robust auditing and refund processing structures
• RACs – Expanded to Medicare Part D and Medicare Advantage Plans
10
Recent Amendments to the Federal Sentencing Guidelines
The Guidelines are the basis used to determine monetary penalties
– Under the Federal Sentencing Guidelines, an effective compliance and ethics program enables the company to qualify for a reduction in its culpability score. Depending on other factors, this often results in a significantly lower penalty to be imposed on the corporation.
– For a company to qualify as having an effective program, the person with operational responsibility for the compliance program must have direct reporting obligations to the board (or a committee of the board)
– The requirement of having “direct reporting obligations” means that the responsible person has express authority to communicate personally to the board or an appropriate committee (a) promptly on any matter involving criminal conduct or potential criminal conduct and (b) no less than annually on the implementation and effectiveness of the compliance and ethics program.
– HC reform directed the Sentencing Commission to increase the federal sentencing guidelines for healthcare fraud offenses by 20-50% for crimes in excess of $1M
11
KPMG Healthcare’s Point-of-View
There has never been more scrutiny from federal or state government agencies on healthcare spending in order to identify and mitigate fraud, waste and abuse
There has never been more scrutiny from consumers on how their healthcare dollars are being spent
Attorney General Eric Holder and Health and Human Services Secretary Kathleen Sebelius call on all state attorneys general to create outreach programs this summer to educate seniors on Medicare fraud prevention and protection.
HHS & DOJ Regional Fraud Prevention Summits
All U.S. Attorney offices have been asked to plan regular health care fraud task force meetings to better inform the public
There has never been a more important time for CEOs and Boards of Directors to take steps to ensure they have effective compliance programs in place
12
Board Involvement in Compliance
On April 1, 2010 the Health Care Compliance Association (HCCA) released an interview it conducted with New York State Medicaid Inspector General James G. Sheehan. In it Sheehan underscores the importance of health care board members' knowledge of and involvement in the oversight of compliance and ethics programs.
-Inspector General Sheehan warns that, "The members of the board in a non-profit organization have a fiduciary and legal duty to determine that systems and procedures are in place to provide reasonable assurance of compliance with governing law. The exposure for the organization without such systems and procedures can be substantial, including both economic recoveries and exclusion from Medicare and Medicaid - even where the problem was an imprudent acquisition or a failure of oversight rather than intentional conduct."
13
Ensuring Support of the Compliance Function
Ensuring Support of the Compliance Function
Overview of Healthcare Fraud & Abuse
Overview of the Compliance Function
The Role of the Audit Committee
14
Overview of Healthcare Fraud & Abuse
Key vulnerability regarding Medicare / Medicaid reimbursement and the potential for fraud / waste or abuse in the form of claims that should not have been submitted for reimbursement or do not have the proper documentation to support the claim.
Other types of fraud, waste or abuse can impact the overall integrity of the healthcare entity cost report, which could again impact state or Federal reimbursements
Healthcare vulnerable to non Medicare / Medicaid fraud or abuse
Theft, embezzlement of cash, procurement fraud
Key anti-fraud control elements that should be in place in healthcare entities are inherent in a well designed compliance program.
15
Specific Examples – Excluded Providers
A Massachusetts-based behavioral health care provider entered into a civil settlement agreement with the Government. The organization caused claims to be submitted to federal health care programs for services performed by two individuals who had been excluded from Medicare and Medicaid. When the Department of Health and Human Services, Office of the Inspector General (HHS-OIG) excludes an individual or entity from federal health care programs, no program payments may be made for items or services furnished by that excluded individual or entity. The organization failed to check the HHS-OIG online exclusion database before hiring the two individuals. The individuals are no longer employed by the organization.
16
Specific Examples – False Claims Act – Medically Unnecessary Services
An organization providing physical therapy services has entered into a settlement with the United States and the State of Tennessee to pay over $1.8 million resolving allegations that it improperly billed the Medicare and TennCare/Medicaid programs for physical therapy services in violation of federal and state laws and regulations, U.S. Attorney Russ Dedrick announced today. The organization provides physical therapy services to Medicare and TennCare/Medicaid patients in East Tennessee. The organization violated the federal False Claims Act and the Tennessee Medicaid False Claims Act by submitting claims to the TennCare program for physical therapy that were not reimbursable. Specifically, the governments' claim was that between 2001 and 2006, the organization submitted claims representing that it had provided therapeutic exercise for TennCare patients when medical records indicated that the patients had instead received aquatic therapy, a service subject to reimbursement restrictions. The United States also alleged that the organization submitted claims through the Medicare program for physical therapy services which did not qualify for payment or were not medically necessary.
17
Overview of Compliance Program
A compliance officer and compliance committee
Written Standards – Compliance Policies, etc.
Training & Education
Auditing & Monitoring
Lines of Communication for Reporting
Disclosure Program to Report Misconduct
Enforcement of Disciplinary Standards
Risk Assessment
18
Compliance Program Effectiveness
Brief Overview of the Seven Element Structure
The Role of the Compliance Officer
The Role of Leadership and the Audit Committee
The Role of Accountable Managers
Program Indicators of Effectiveness by Element
Organizational Indicators of Effectiveness – Tone at the Top
“Evidencing” Effectiveness
The Role of Dashboards
The Role of Metrics
19
Evidencing Program Effectiveness
Compliance Program Assessment Process
System & Department Level Gap Analysis to Identify Strengths & Opportunities for Improvement & Actionable Recommendations
• Document Review
• Interviews
• Observations – Culture
• Select Testing
By Key Program Elements:
• Infrastructure
• Written Standards
• Education & Training
• Lines of Communication
• Enforcement of Standards
• Auditing & Monitoring
• Response to Detected Offenses
• Risk Assessment
Providing an Assessment:
• Against Industry Standards
• Against Observed Leading Practices
Identify Key Departmental Outcomes and Metrics That are or Should be Utilized to Evidence Effectiveness
For example, the extent to which:
• HIM has a department specific compliance plan that addresses coding reviews
• Physician arrangements are actively monitored
• Exit interviews effectively identify compliance concerns that are followed up on resulting in improved compliance outcomes
• The Conflict of Interest Process goes beyond the identification of potential issues and provides beneficial guidance to improve compliance outcomes.
• The Cost Reporting Processes Anticipate and Mitigate Compliance Issues (bad debt, credit balances, unrestricted grants, etc.)
Setting the Foundation for Establishing Compliance Program Work Plan Priorities
Allowing for the progression of:
• Department specific compliance program objectives and infrastructure in order to align system goals
• Proactive self assessment at the department and system level
• A consistent process and format for the identification and mitigation of risks, in order to understand the system risk profile
• Reporting the status of departmental or system monitoring plans
• Reporting the status of departmental or system corrective action plans
• Identification of opportunities to incorporate data analytics into departmental and system monitoring activities
• The development and utilization of compliance dashboards to track, trend and benchmark key compliance indicators
20
Increasing Awareness by the Audit Team
Maintain Professional Skepticism
Ask the second and third level questions around controls
Understand Nature of Compliance Program
Controls around billing and reimbursement
Controls around fraud and abuse
Controls related to Hotline policies and procedures
Understand the depth of Departmental Auditing and Monitoring requirements
Department specific controls to mitigate compliance risks
Department specific controls to mitigate fraud and abuse
Department specific training needs and plans
21
Typical Management Interviewees
Chief Compliance Officer
Chief Operating Officer
General Counsel
Chair of the Board Audit Committee
Head of Internal Audit
Head of Human Resources
Head of Investigations
Chief Executive Officer
22
Questions or Comments?
23
Presenter Information
James Martell, CPA
Partner, KPMG
345 Park Avenue
New York, NY 10054